Wednesday, August 14, 2002
The following represents a trivial yet elaborate method of injecting
arbitrary html into the "My Computer" zone on win98 using the
Internet Explorer series of browsers.
Internet Explorer enjoys a unique component called the "Web Folder"
component. This is a selectable component install with the original
installation of the browser or can be added later on. This unique
component allows for an assortment of web publishing and authoring
conveniences, often touted as useful "feature".
But what it actually does, is create a nicely named file for us in a
known location.
Where:
The Internet Explorer series 5 through 6 enjoy a related behavior to
the so-called "Web Folder" component which allows us to point
directly to one of these web folders and traverse it directly.
However, should the folder not exist, an error message is generated
and conveniently placed for us in the temp folder:
So:
This particular error message is nothing more than a server side 404
error message which can be modified to suit our needs as we require.
Commence:
We first construct our trivial behavior to generate the error message
like so:
<body onload=malware() style="behavior: url(#default#httpFolder);">
<script>
function malware(){
document.body.navigate("http://www.microsoft.com";);alert
("malware");open("file://C%3A%5CWINDOWS%5CTemp%5Cwecerr.txt")
}
</script>>
What this will do is "probe" the target site for a webfolder, and if
not found, create our error file in the temp folder as follows:
[screen shot: http://www.malware.com/behave.png 4KB]
Because the error fie is nothing more than a text file, we need to
include our own html and allow Internet Explorer to 'read' it.
Previously numerous possibilities to allow for this existed,
including <object data="" type="text/html>, databinding with
dataformatas="HTML", dotting file extensions etc. These now all
appear to be patched.
Good:
But because we can craft our own error message on the server and
point our trivial behavior to it, we simply construct our error
message like so:
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
<br><br>
<body bgcolor=black>
<center><font size="24" color="red"
face="arial">malware</font></center>
What that will do is generate our simple text file in our temp
folder, and by merely mhtml'izing our url like so: open
("mhtml:file://C%3A%5CWINDOWS%5CTemp%5Cwecerr.txt"), Internet
Explorer will open our text file in full html splendor.
Inclusive of whatever other "objects" we so desire.
[screen shot: http://www.malware.com/your.png 8KB]
Working Example:
note: windows98 with temp folder default.
note: requires the 'web component'
note: simple text file only for demo purposes
http://www.malware.com/behave.html
[screen shot: http://www.malware.com/self.png 12KB]
Notes:
1. None.
End Call
--
http://www.malware.com
*yawn*
