Re: Rather large MSIE-hole
From: Slow2Show (sl2sho@yahoo.com)
Date: 03/14/02
- Previous message: KF: "Re: Rather large MSIE-hole"
- Maybe in reply to: Magnus Bodin: "Rather large MSIE-hole"
- Next in thread: Slow2Show: "Re: Rather large MSIE-hole"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 14 Mar 2002 21:01:41 -0000
From: Slow2Show <sl2sho@yahoo.com>
To: vuln-dev@securityfocus.com
In-Reply-To: <9956F8424795D411B03B0008C786E60D048D0A7B@DUBNTEX005.qwest.net>

::responses to multiple people below::
> Eric Brown wrote:
> Could you not create a batch file that housed the commands you wanted to run
> (with args) and just run the batch file?
> I apologise if someone has already addressed this.

How would you make this batch file? The only way I know would be to use "echo blah >> file.bat", and if you do it that way you are still using parameters... so we are right back to where we started.
Ryan Sweat mentioned using GG's script injection ideas outlined in:
http://www.guninski.com/parsedat-desc.html

The only problem with this is that these techniques do not work on IE6; they were in IE5.x... I just tested on win2k/winXP. So no go there...
> Felipe Franciosi wrote:
> But I couldn't get to work something like:
> var prog...
> 'c:/command.com /c echo bin > c:/list.txt',
> 'c:/command.com /c echo GET something >> c:/list.txt'
>
> this won't create 'list.txt'... Any ideas why? Or how some could
> get around it?

Read my last post, Felipe, for info on why this doesn't work:
http://online.securityfocus.com/archive/82/261926
> Kevin Wall wrote:
> On Win9x systems, rather than targeting FTP or a
> command shell, what about starting up something
> that simply causes an exploitable process to listen on
> some port # (will vary, depending on application)
> and then separately trying to exploit that.

PWS is not installed by default on win9x... and I don't believe you can start IIS with one program on an XPPro box (assuming they have installed that component and are just not using it).
> If the User-Agent corresponds to MSIE, then at
> some time later (perhaps wait t minutes later), gently
> port scan the remote IP address to see if the
> application was launched. If the port scan
> succeeds, then go into full exploit mode. (This
> assumes an exploitable application that is normally
> not running and no pesky personal firewalls, etc. to
> be sure. But certainly some combinations would be
> vulnerable given the cluelessness of the typical
> Windoze users and their disdain for ever updating
> their system with security patches.)

I don't have access to a 9x system to test this... but this all relies on:
1) I am using win9x with IE6 (don't forget that is the version we are discussing here)
2) that they have installed PWS before and it is currently disabled

Then I assume one might be able to do what you are describing.
The bottom line is, if you know the path to an exe on the system, then you can open it up... the only ways this could be an attack vector is if the exe was a trojan, or some kind of buggy daemon.
lata,
-Slow2Show-
University of Florida