IE Xploit
-=IE Exploit=-
OK, this exploit isn't exactly the newest in the book, but it's still valid and hasn't been patched (thanks, Microsoft). In short, it lets a web page launch programs that are already installed on the visitor's computer, with arguments chosen by the page author: the browser hands the URL to whatever application is registered as the handler for that URL's scheme. So let's dig in.
We'll start with a bit of stuff you should know:
Open up IE and type "C:\" in the URL bar. Wow, IE just turned into Windows Explorer (sort of). Isn't that interesting? Well, what if we could run other programs that way? What could we do? Think about any site you've been to that lets you open an AIM window to someone. Ever looked at the hyperlink text? It looks something like this:

aim:goIm?screenname=tikprog&message=hello+world

OK, let's break that up a bit. It has three parts: aim: then goIm? then screenname=tikprog&message=hello+world.
The aim: part is the scheme. It tells the browser which program to use: on Windows the browser looks the scheme up under HKEY_CLASSES_ROOT (a key named after the scheme with a "URL Protocol" value and a shell\open\command that receives the whole URL) and launches that program. Lots of programs register one: aim:, yahoo:, irc:, etc.

Next we have goIm? Look like PHP to anyone but me? Yeah, similar. It's the command. AIM has a lot of these: goIm?, goAway? and lots of others (google "aim:goIM?" and it should give you a nice list).
And finally, those of you who know PHP will know this already: the last bit is the parameters, in the same key=value&key=value query-string format PHP reads into $_GET, with + standing for a space. This one sends me an IM with "hello world" in it. I'm not going to explain AIM scripting (if you can even call it that; google is your friend, or if you beg maybe I'll write a "scripting for various things" article).
OK, to the important part here, the "aim:" part. Now, if AIM has this, and as I've said so do Yahoo and IRC, what else may have it? Well, I know for a fact a lot of things do. I'll give some examples later, but first I want you to learn a bit, because that is what being a hacker is about.
The reason this is good for IE and not other browsers (yay for Firefox!) is that IE doesn't prompt you for confirmation before handing the URL to the external program; Firefox prompts you with a nice little box. This becomes a dangerous exploit when you realize that some programs more dangerous than AIM or IRC have this property. Let's say... oh... command, telnet, regedit. Whether a given scheme works depends entirely on what is registered on the target machine: telnet: is there by default on Windows, the others depend on what has been installed. For command and regedit I'm only going to show how to access them; using them is much more difficult and I'm not giving that up so a bunch of script kiddies can flood the net with destructive web pages. Those of you who actually figure it out, I'm hoping, are not going to kill the world. These pages can do a LOT of damage and I in no way advocate using them destructively, but there is a way (that I will show) to use them to gain some nice access and play some fun tricks.
With that said, let's move on to the next topic. So now you have half a clue what's up with this exploit. If you've been paying attention you may be thinking to yourself "<insert preferred name here>, don't they have to click a hyperlink? Who's dumb enough to do that?" Thankfully, the Samurai has put 2 and 2 together (and gotten 5; read 1984, seriously) and made a nice little script to do that too. I'm not explaining how JScript works, I'm just going to show you the code and give a brief explanation. If you don't know JScript, GO LEARN, DAMNIT. So here's my code:
So, what does this do? It redirects the page to that URL, which isn't really a URL, just a nice little command for the registered handler. Embed this in a web page and no one will notice: nothing visible changes, it just runs nicely.
So now you're thinking "...but Samurai, who cares about putting an AIM message script in?" Again, ye of little faith, I have some fun with this. I'll give you a few nice ones.
For snooping: there is a nice little messaging program out there, Skype (www.skype.com; I recommend it. It's encrypted, allows VoIP, has rocking emoticons (type "(finger)" for a hidden one) and just kicks AIM's butt). Most important is VoIP. So, let's say you get your friend (or whoever you want to snoop on) onto it. Next, grab the source of a trusted site (I like Google) and build a web page from it (make sure you change the picture sources so they show up). Put it somewhere like GeoCities with the embedded code, and use AIM to hide the link by putting fake text (HTML works nicely too) over the URL.
Skype's URLs work like this: skype: followed by the parameter where the command went and the command where the parameter was, i.e. skype:username?call.
so embed this code:
And then answer the call. If they have a mic, it will turn on and you can listen in.
Now, as promised, the reason for this: intrusion!
Build a similar page, and this time we're using our friend telnet. You're going to need my simple trojan article, or build a socket receiver in VB or whatever you want. Now, this only works if you can get a REAL IP address for yourself: if you're behind a router you'll need to forward the port to your listener. The target being behind a router doesn't matter, because the connection is outbound from their side. So we all know our friend telnet. Your code needs to open telnet to your IP address on the port you want. Telnet URLs have a slightly different form from the aim: ones (think like the command line: telnet://host:port/), and you use that in the JScript code. I'm not giving you the whole thing; I want YOU to learn, and to make sure not everyone does this.
So just think: using command, regedit, or their *nix equivalents, you could open ports, run other apps, download trojans. And with a bit of creativity possibly gain some new access.
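The URL anatomy above (scheme, command, parameters), the page redirect the JScript performs, and the skype: and telnet: forms described later, as an added example in JavaScript that is not the article's own code. It takes the three parts apart with the standard URL class, shows the navigate-to-handler pattern with a stand-in for the browser's location.assign, and adds the scheme allowlist a page author should apply before following an href they did not hard-code. The `navigate` callback, the 192.0.2.10:4444 listener address (a documentation-range address, not a real target) and the example hrefs are assumptions for illustration.

```javascript
// Added example (not from the original article): how a protocol-handler URL
// such as aim:goIm?screenname=tikprog&message=hello+world is taken apart, how
// a page hands one to the browser, and the scheme allowlist a page author
// should apply before navigating to an untrusted href.

// Split a protocol URL into the three parts the article describes:
// scheme ("aim:"), command ("goIm") and parameters ({screenname, message}).
// Uses the WHATWG URL parser, which Node and every modern browser provide.
function parseProtocolUrl(href) {
  const u = new URL(href);
  const params = {};
  for (const [k, v] of u.searchParams) params[k] = v; // "+" decodes to a space
  return {
    scheme: u.protocol,   // e.g. "aim:", "skype:", "telnet:"
    command: u.pathname,  // "goIm" for aim:, the username for skype:
    host: u.hostname,     // only set for "//host" forms such as telnet://
    port: u.port,         // "" when the URL carries no port
    params,
  };
}

// Build the same kind of URL from parts, percent-encoding the parameters
// the way a form submission would (spaces become "+").
function buildProtocolUrl(scheme, command, params) {
  const qs = new URLSearchParams(params).toString();
  return `${scheme}:${command}${qs ? "?" + qs : ""}`;
}

// The pattern the article's JScript relies on: the page sets its own location
// to the protocol URL and the browser passes it to the registered handler.
// `navigate` stands in for location.assign; in a real page you would pass
// u => location.assign(u). (Assumption: a callback, so this runs offline.)
function openHandler(href, navigate) {
  navigate(href);
}

// Hardened form: a page that navigates to an href it did not hard-code (a
// query parameter, a profile field, a redirect target) must only allow
// schemes the browser itself handles. Anything else is handed to a program.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

function isAllowedNavigation(href) {
  let u;
  try {
    u = new URL(href, "https://example.invalid/"); // base resolves relative hrefs
  } catch {
    return false; // unparseable: refuse rather than guess
  }
  return ALLOWED_SCHEMES.has(u.protocol);
}

function safeOpen(href, navigate) {
  if (!isAllowedNavigation(href)) {
    return false; // blocked: would have launched an external handler
  }
  navigate(href);
  return true;
}

// Constructed sample hrefs for demonstration only.
const examples = [
  "aim:goIm?screenname=tikprog&message=hello+world", // from the article
  "skype:username?call",                             // from the article
  "telnet://192.0.2.10:4444/",                       // RFC 4248 form, documentation IP
  "https://www.example.com/profile",
  "/relative/path",
];

// Unsafe path: hands the skype: URL straight to the handler.
const unsafeLaunched = [];
openHandler("skype:username?call", (u) => unsafeLaunched.push(u));

// Safe path: only browser-handled schemes get through.
const launched = [];
for (const href of examples) {
  const ok = safeOpen(href, (u) => launched.push(u));
  console.log(`${ok ? "allowed" : "BLOCKED"}  ${href}`);
}
console.log(parseProtocolUrl("aim:goIm?screenname=tikprog&message=hello+world"));
console.log(parseProtocolUrl("telnet://192.0.2.10:4444/"));
```

Run it with `node` to see which of the sample hrefs would reach an external program. The allowlist is deliberately a set of schemes rather than a denylist of known-dangerous ones, because the whole point of the article is that you cannot know which handlers a visitor's machine has registered.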
Enjoy.
ghost 18 years ago
That's one of the best articles I've read in quite some time. Interesting and helpful. Good job!
ghost 18 years ago
Thanks, mate. Rate it high if you like it. PM me if y'all have any questions or anything. I'm glad to help.
ghost 18 years ago
Very nice article :) Making a .swf to execute the code could lead to a lot of entertainment as well (imagine people's PCs shutting down every time they opened your MySpace page...)
ghost 18 years ago
Actually I dunno why you call this type of exploit IE only; some protocols such as "irc" don't ask you before executing, but for xml: it asks you first. It only depends on what protocol you're using.
ghost 18 years ago
The IE-only part means that FF and such don't have it. They still allow these things, but they prompt a question first, so you can't use it hidden.
korg 18 years ago
Great article for new people, but this has been well known for a while, and Skype, well, for us elders LOL. Still good though. 6/10
ghost 18 years ago
kiyoura, what more do you want? Want me to spell out how to take out files, edit the registry, send emails via this so all you skiddies can just jump on and "hack the planet"? This is saying what can be done and giving some examples. I'm not going to write code out that will just tell you what to do. GO LEARN SOMETHING.
ghost 17 years ago
A very nice article, but one question... say you're able to execute the "telnet://" and open a connection to your TcpListener or some kind of socket listener. Use a StreamWriter to upload data/trojan/whatever... you still can then execute the package remotely. Or can you? Maybe I'm missing something?
ghost 17 years ago
I don't think you can remotely execute it, unless you can use the IE exploit to do that. So have your connection software be automated and have the page that does the telnet redirect automatically after like 10 seconds to the page that calls "program://" or w/e... that might work.
ghost 17 years ago
Say you put aim://bladhvadhfKS in a frames tag, and they didn't have AIM; would it give an error msg?
ghost 17 years ago
Very good article, samurai, I'm definitely digging deeper into this too :D. And I'm glad you didn't just spoon-feed skiddies how to do it. Very good job :P.
ghost 17 years ago
Wow, thanks samurai! :D I have so many new, fun ideas! I'm guessing script kiddies rated this poor. :o