Bugtraq mailing list archives

Re: Force Feeding


From: weld () L0PHT COM (Weld Pond)
Date: Sun, 25 Jun 2000 11:54:54 -0500


Regarding the mars exploit demo at
http://members.xoom.com/malware/mars.mhtml. There seem to be two separate
problems being exploited here for the desired effect of downloading and
executing code.

You can get any local .exe to execute in IE by referring to it in the
CODEBASE parameter of an ActiveX object tag. The CLASSID can be anything
but all zeros.  Here is a code snippet, courtesy of Dildog, which will
execute calc.exe if it is in c:\windows\system32\

<HTML>
<HEAD>
</HEAD>
<BODY>
<OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000'
CODEBASE='c:\windows\system32\calc.exe'></OBJECT>
</BODY></HTML>

The other problem is the fact that .exe files can get downloaded to your
local system without you being able to cancel the operation.  I tested the
malware exploit on win98 with medium security settings (the default) and
it worked as promised.

But what was far worse was it worked at the high security setting also.  A
warning message came up saying "Due to your security settings you cannot
download that file." You press OK and the file is downloaded anyway. Then
it executes when used as the codebase of an ActiveX control.

The demo exploit won't work in W2K because the temp directory where the
.exe is downloaded to is "c:\documents and
settings\'username'\local settings\temp". If it is possible to get the
username through JavaScript and another ActiveX control it could possibly
be made to work there also.

-weld
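A defensive check for the two patterns Weld describes, added here as an example and not part of his post or the demo page: a scanner that flags OBJECT tags whose CODEBASE names a file on the local disk (drive letter, UNC path or file: URL) or names an .exe at all. The sample HTML is constructed; the first tag mirrors the snippet above.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: the first tag mirrors the post's snippet, the second
# is an ordinary remote .cab control, the third uses a file: URL.
SAMPLE_HTML = r"""<HTML><BODY>
<OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000'
CODEBASE='c:\windows\system32\calc.exe'></OBJECT>
<OBJECT CLASSID='CLSID:11111111-2222-3333-4444-555555555555'
CODEBASE='http://example.invalid/control.cab#version=1,0,0,0'></OBJECT>
<OBJECT CLASSID='CLSID:11111111-2222-3333-4444-555555555555'
CODEBASE='file:///C:/temp/dropped.exe'></OBJECT>
</BODY></HTML>"""

# A drive letter, UNC prefix or file: scheme means CODEBASE names a local file.
LOCAL_PATH = re.compile(r"^(?:[a-z]:[\\/]|\\\\|file:)", re.IGNORECASE)


def codebase_reasons(codebase):
    """Return why a CODEBASE value is suspicious (empty list if it is not)."""
    value = codebase.strip()
    name = value.split("#", 1)[0]  # drop any '#version=...' suffix
    reasons = []
    if LOCAL_PATH.match(value):
        reasons.append("codebase is a local filesystem path")
    if name.lower().endswith(".exe"):
        reasons.append("codebase names an .exe, not a .cab/.ocx")
    return reasons


class ObjectScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # one dict per suspicious <OBJECT> tag

    def handle_starttag(self, tag, attrs):
        if tag != "object":  # HTMLParser already lowercases tag/attr names
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = codebase_reasons(a.get("codebase", ""))
        if reasons:
            self.findings.append({"classid": a.get("classid", ""),
                                  "codebase": a.get("codebase", ""),
                                  "reasons": reasons})


def scan_html(html):
    """Return one finding per suspicious <OBJECT> in the document."""
    scanner = ObjectScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Run `scan_html(SAMPLE_HTML)` to see the two flagged tags; a remote .cab CODEBASE produces no finding.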

