Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

IE Xploit


IE Xploit

By ghostghost | 10074 Reads |
0     0

-=IE Exploit=-

Ok, this exploit isn't exactly the newest in the book, but it's still valid and hasn't been

patched(thanks Microsoft.) So basically this exploit allows us to remotely run programs on

computers via a web page. So let's dig in.

We'll start with a bit of stuff you should know:

Open up IE and in the URL bar type "C:\" Wow, IE just turned into a windows explorer(sorta.) Isn't that intresting? Well, what if we could run other programs that way…what could we do? Think about anysite you've been to that allows you to open an aim window to someone. Ever

looked at the hyperlink text? It looks something like this: aim:goIm?screenname=tikprog&message=hello+world okay, lets break that up a bit. we've got 3 parts to this aim: goIm? screenname=tikprog&message=hello+world

ok, the aim part tells the browser what program to use, various programs have this, aim: yahoo: irc: ect….

next we have goIM? look like php to anyone but me? yeah….similar. it's the command. aim

has alot of these: goIm? goAway? and lots of others (google "aim:goIM?" and it should give you a nice list)

and finally, those of you who know php will know this already, the last bit are the

parameters…that will send it to me with "hello world" in it. I'm not going to explain aim

scripting(if you can even call it that, google is your friend, or if you beg maybe I'll write a

"scripting for various things" article).

Okay, to the important part here the "aim:" part. Now, if Aim has this, and as I've said so

does yahoo and IRC, what else may have it? Well, I know for a fact alot of things do…I'll

give some examples later, but first I want you to learn a bit…because that is what being a

hacker is about.

The reason this is good for IE and not other browsers(yay for FireFox!) is that IE doesn't

prompt you for confirmation that you want to run this script, FireFox prompts you with a nice

little box. Now, this become a dangerous exploit when you realize that some other

programs that are more dangerous than AIM or IRC have this property. Let's

say….oh….command, telnet, regedit. Now, for command and regedit I'm only going to show

howto access them, using them is much more difficult and I'm not giving that up so a bunch

of script kiddies can flood the next with destructive webpages. Those of you how actually

figure it out I'm hoping are not going to kill the world. These pages can do ALOT of damage

and I in no way advocate them for destructive, but there is a way(that I will show) to use

them to gain some nice access and play some fun tricks.

With that being said….let's move on to the next topic. So now you have half a clue what's

up with this exploit. If you've been paying attention you may be thinking to yourself "<insert

prefered name here> don't they have to click a hyperlink? Who's dumb enough to do that?"

Thankfully, the Samurai has put 2 and 2 together(and gotten 5….read 1984, seriously) and

made a nice little script to do that too. So, I'm not explaining how JScripts work, just going

to show you the code and give a brief explaination…if you don't know JScripts….GO LEARN

DAMNIT. so here's my code

So, what does this do? I redirects the page to that URL, which isn't a URL, just a nice little

command. Embed this in a webpage and noone will notice…no change is made…it just runs

nicely.

So….now your thinking "…but Samurai, who care about putting an AIM message script in."

and again ye of little faith, I am some fun with this. I'll give you a few nice ones.

For snooping: There is a nice little messaging program out there, skype (www.skype.com I would

recommend it. It's encrypted, allows VoIP, has rocking emoticons type "(finger)" for a

hidden one, and just kicks AIMs butt), most important is VoIP. So, let's say you get your

friend ( or whoever you want to snoop on.) Next go nab the source from a trusted site. I like

google. And build a webpage on it (make sure you change the picture source so they show

up) and place it in something like geocities with embedded code and use aim to hide the

link by putting fake text (html works nicely too) with the URL.

Skype's command works like this: skype: and you put the parmater where the command went and the command where the parameter

was…. username?call.
so embed this code:

And then answer the call. If they have a mic it will turn on and you can listen in.

Now, as promised the reason for this…intrusion!

Build a similar page and we're using our friend telnet. Your going to need my simple trojan

article, or build a socket reciever in VB or whatever you want. Now this only works if you

can get a REAL IP address for yourself. If your behind a router(or they are) it may not work.

So we all know our friend telnet. So your code needs to open telnet to your IP address on

the port you want. Telnet has a slightly different protocal to use here (think like command

line) and use that in the JScript code. I'm not giving you the whole thing…I want YOU to

learn and to make sure not everyone does this.

So just think…using command, regedit, *nix you could open ports, run other apps,

download trojans. And with a bit of creativity possibly gain some new access.

Enjoy.

Comments
ghost's avatar
ghost 18 years ago

thats 1 of the best articles ive read in quite some time. interesting and helpful. good job!

ghost's avatar
ghost 18 years ago

thanks mate. rate it high if you like it. pm me if ya'll have any questions or anything. im glad to help

ghost's avatar
ghost 18 years ago

Very nice article :) Making a .swf to execute the code could lead to lot of entertainment aswell (imagine people's pcs shutting down everytime they opened your myspace page…)

ghost's avatar
ghost 18 years ago

nice article man

ghost's avatar
ghost 18 years ago

Actually i dunno why you call this type of exploit IE only, some protocol such as "irc" don't ask you before it's execute, but for xml: it ask you first. Only depend of what protocole your using.

ghost's avatar
ghost 18 years ago

the IE only part means that FF and such dont have it. they still allow these things but they prompt a question first so you cant use it as hidden

ghost's avatar
ghost 18 years ago

I liked this one. Im going to dig more into this. Good job!

korg's avatar
korg 18 years ago

Great article for new people but this has been well known for a while and skype well for us elders LOL. Still good though 6/10

ghost's avatar
ghost 18 years ago

kiyoura what more do you want? want me to spell out how to take out files, edit the registry, send emails via this so all you skiddies can just jump on and "hack the planet?" This is saying what can be done and giving some examples. I'm not going to write code out that will just tell you what to do. GO LEARN SOMETHING.

ghost's avatar
ghost 17 years ago

a very nice article but one question … say your able to execute the "telnet://" open a connection to your tcpListener or some kind of socket listener. Use a streamWriter to upload data/trojan/whatever … you still can then execute the package remotely.

or can you? Maybe I'm missing something?

ghost's avatar
ghost 17 years ago

sorry, the above should be corrected: you still can't then execute

ghost's avatar
ghost 17 years ago

i dont think you can remotely execute it, unless you can use the IE exploit to do that. so have your connection software be automated and have the page that does the telnet redirect automatically after like 10 seconds to the page that calls "program://" or w/e,,, that might work

ghost's avatar
ghost 17 years ago

say you put aim://bladhvadhfKS in a frames tag, and they didn't have aim, would it give an error msg?

ghost's avatar
ghost 17 years ago

Very good article samurai, I'm definetly digging deeper into this too :D. And I'm glad you didn't just spoon feed skiddies how to do it. Very good job :P.

ghost's avatar
ghost 17 years ago

Great thank you! :P Really good! And great it stops skiddies! :)

ghost's avatar
ghost 17 years ago

Wow, thanks samurai! :D I have so many new, fun ideas! I'm guessing script kiddies rated this poor. :o