Bugtraq mailing list archives

Re: IE 5.0 allows executing programs - how to do it under NT


From: ollie () DELPHISPLC COM (Ollie Whitehouse)
Date: Fri, 27 Aug 1999 09:14:16 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

Eric Stevens and I today worked on an idea that allowed this
vulnerability to be executed reliably in default installations on the
following operating systems.

[Tested]
Windows NT v4 Terminal Server (SP3)
Windows 98

[Background]
Url to original Exploit: http://www.nat.bg/~joro/scrtlb.html

Russ Cooper (of NT Bug Traq) brought up the problem that the default
path entered into the exploit would only allow reliable exploitation
under Windows 9x. After an exchange of mails over the course of
Thursday with Eric, using one of Russ's theories to use the %windir%
and the %username% variables to exploit user-specific paths, it was
shown this was not possible (due to the lack of functionality under
JScript).

[What has changed]
It was found that the default working directory of the src Active X
control is the Windows Desktop of the current user. So to exploit this
the following line of code would need to be changed:

scr.Path="c:..\\Start Menu\\Programs\\StartUp\\thisisnew.hta";

this should allow the reliable exploitation.

[Credits]
Greg (Original Exploit)
Russ Cooper (Raising the issues under Windows NT)
Eric Stevens (for putting up with my ranting all day and testing
his/my own theories on this subject)

rgds

Ollie
<%
Ollie Whitehouse
I.T Co-Ordinator - Delphis Consulting
VOX: +44 (0)207 916 0200 (Switchboard)
FAX: +44 (0)207 916 1620 (Main)
FAX: +44 (0)870 0881837 (FAX - E-Mail)
PGP: http://www.ombs.demon.co.uk/pgp.txt
Tag: Who needs Windows2000 when you have OS/2?
%>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i

iQA/AwUBN8ZIbiCxMriiZXHfEQLfswCgtsutOGNTMkv3MPRL6PIrghf1U6gAnRhB
aY6rOHuh4wBO1N+cdfGqQl/Y
=v062
-----END PGP SIGNATURE-----
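A defender-side check for the persistence location the post describes, as an added example (not code from the original post or from the exploit it references): it walks a profiles directory and flags HTA and script files sitting in each user's Startup folder, which is where the amended path drops its payload. The profile tree, user names and file names are constructed for the demo; the modern AppData Startup path and the suffixes other than .hta are assumptions.

```python
"""Audit per-user Startup folders for script-type autostart files.

Added example, not code from the original post. It checks the Startup
folder the post describes (<profile>\\Start Menu\\Programs\\StartUp, the
NT 4 / Win9x layout) plus the modern per-user layout (an assumption) and
reports any HTA or script files found there. The profile root, user
names and file names in the demo are constructed for illustration.
"""
from pathlib import Path
import tempfile

# Autostart file types worth flagging. .hta is the type named in the
# post; the others are an assumption for this example.
SUSPECT_SUFFIXES = {".hta", ".vbs", ".js", ".wsf"}

# Startup folder relative to a user profile directory.
STARTUP_RELATIVE = (
    # NT 4 / Win9x layout (from the post)
    Path("Start Menu") / "Programs" / "StartUp",
    # modern per-user layout (assumption)
    Path("AppData") / "Roaming" / "Microsoft" / "Windows"
    / "Start Menu" / "Programs" / "Startup",
)


def startup_dirs(profile: Path) -> list[Path]:
    """Return the Startup folders that actually exist under one profile."""
    return [profile / rel for rel in STARTUP_RELATIVE if (profile / rel).is_dir()]


def find_suspect_autostarts(profiles_root: Path) -> list[dict]:
    """Walk every profile under profiles_root and list suspect autostart files.

    Each finding is a dict with the user name, the file path and its
    extension, so a caller can alert on it or feed it into an inventory.
    """
    findings = []
    for profile in sorted(p for p in profiles_root.iterdir() if p.is_dir()):
        for startup in startup_dirs(profile):
            for entry in sorted(startup.iterdir()):
                # Compare the suffix case-insensitively: Windows names are.
                if entry.is_file() and entry.suffix.lower() in SUSPECT_SUFFIXES:
                    findings.append({
                        "user": profile.name,
                        "path": str(entry),
                        "suffix": entry.suffix.lower(),
                    })
    return findings


def build_demo_profiles(root: Path) -> Path:
    """Create a constructed profile tree for the demo and return its root."""
    profiles = root / "Profiles"
    # alice: a harmless Desktop file plus an HTA planted in StartUp.
    alice_startup = profiles / "alice" / STARTUP_RELATIVE[0]
    alice_startup.mkdir(parents=True)
    (profiles / "alice" / "Desktop").mkdir()
    (profiles / "alice" / "Desktop" / "notes.txt").write_text("constructed sample")
    (alice_startup / "thisisnew.hta").write_text("<html><!-- constructed sample --></html>")
    # bob: only a plain text file in StartUp, which is not flagged.
    bob_startup = profiles / "bob" / STARTUP_RELATIVE[0]
    bob_startup.mkdir(parents=True)
    (bob_startup / "readme.txt").write_text("constructed sample")
    return profiles


def demo_findings() -> list[dict]:
    """Build the constructed tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_suspect_autostarts(build_demo_profiles(Path(tmp)))


if __name__ == "__main__":
    for finding in demo_findings():
        print(f"{finding['user']}: {finding['path']} ({finding['suffix']})")
```

On a real system, point `find_suspect_autostarts` at the directory that holds the user profiles (for NT 4, the Profiles directory under the system root) rather than at the demo tree; anything script-like that appears in a Startup folder without a known deployment behind it deserves a look.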

