pure IE code injection

[heyhey_ <heyhey_ () iname com>]

hi al,

I have successfully injected, executable code through .mhtml
page on on my own development machine. pretty scary stuff.

it seems that IE decodes all 'html attachments' inside Windows
temporary folder (TEMP environment variable) so one can easily
'attach' executable code and all that he needs to do is to guess the
temporary directory.

Tested environment WinNT4 WS sp6+hotfixes, IE 6.0.2600.0000

attached is my ugly test code (zipped .mhtml page). Extract the page,
put it on some web server and access it from IE.

IMPORTANT !
.mhtml page contains Base64 encoded executable file (NT calc.exe) that
may be executed on your local machine if your temporary directory is
c:\temp or d:\temp


P.S. Several friends made quick tests with following results:
(I was unable top monitor tests, so results may be wrong)

WinXP machine - unable to find extracted files on local HDD ??
Win2K machine - unable to find extracted files on local HDD ??
WinNT + IE 5.5 - file can be found inside
C:/WINNT/Profiles/..../Local Settings/Temporary Internet Files/Content.IE5/QRAPUDEX/
but is not automatically executed.

-- 
Best regards,
 Ivan                          mailto:heyhey_ () iname com

Attachment: 4.zip
Description: