RE: [Full-Disclosure] Re: Six Step IE Remote Compromise Cache Attack
From: Michael Evanchik (mike_at_alanpickel.com)
To: "Erwin Paternotte" <firstname.lastname@example.org>, <email@example.com> Date: Fri, 14 Nov 2003 13:14:10 -0500
yes as i said at the top microsoft quickly patched it. The least they can do with their track record.
From: Erwin Paternotte [mailto:firstname.lastname@example.org]
Sent: Fri 11/14/2003 10:56 AM
To: Michael Evanchik
Subject: Re: [Full-Disclosure] Re: Six Step IE Remote Compromise Cache Attack
Michael Evanchik wrote:
> 1) take out the function name and brackets and all code below
> </script> in default.htm and save to make the start automatic
> 2) open MHT-ldy.mht and open it in notepad.
> 3) edit the 2 links for the .exe and the shell.htm (read step 4 on how
> that file is created) file 4o be the exact location of your exe and
> shell.htm on the server your hosting the pages(most likely you will
> need full access to the server and freehosts wont work)
> 5) change the base64 exe code to your own in MHT-ldy.mht and save
> 6) save it as shell.htm to the same location you have noted in MHT-ldy.mht
> 7) of course delete all the alert command lines in ScriptBodyJsp.asp
I've tested your modifications as described above on a fully patched
Windows 2000 and IE. It seems the first step of the Six Step is blocked
by the cumulative patch included with MS03-048. I'm not sure if this is
due to the modifications you made or if this is the same for the
original Six Step. Do you know which of the vulnerabilities described in
MS03-048 are the same as the steps of the Six Step and are fixed by this
Thanks in advance for your time.
Full-Disclosure - We believe in it.