Had a mistake in my code o well. Works now
PoC: http://www.michaelevanchik.com/security/microsoft/ie/xss/index.html
http://www.michaelevanchik.com/security/microsoft/ie/xss/writehta.txt <--
avp's should add this
Here is some new adodb code AVP's should add. No longer needed to connect
to external source. Malicious recordset can be built locally.
www.michaelevanchik.com
-----Original Message-----
From: Michael Evanchik [mailto:mevanchik@relationship1.com]
Sent: Saturday, December 25, 2004 9:11 PM
To: Aviv Raff; full-disclosure@lists.netsys.com
Subject: RE: [Full-Disclosure] YEY AGAIN Automatic remote compromise
ofInternetExplorer Service Pack 2 XP SP2
Hi Aviv,
Not sure what your issue is. This has been tested on many people, and it
works on everyone. Maybe its your pop up blocker? Maybe its your AVP?
This exploit is on Securityfocus and k-otik as they tested as well. Http
equiv verified before any post was made to FD.
In either case we did not code around pop up blockers nor around known
virus strings. This PoC is not for blackhats kiddies.
Mike
www.michaelevanchik.com
-----Original Message-----
From: full-disclosure-bounces@lists.netsys.com
[mailto:full-disclosure-bounces@lists.netsys.com]On Behalf Of Aviv Raff
Sent: Saturday, December 25, 2004 7:47 AM
To: full-disclosure@lists.netsys.com; 'Michael Evanchik'
Subject: RE: [Full-Disclosure] YEY AGAIN Automatic remote compromise
ofInternetExplorer Service Pack 2 XP SP2
Hi,
Somehow the POC does not work on both of my WinXPSP2 pro boxes.
Both are fully patched, but one is hardened and the other is after a
clean install.
After running the POC, the IE opens the Help window, but then freezes
for a couple of minutes.
After IE stops freezing, there is no Microsoft Office.hta on the startup
folder.
And yes, I'm running this on an Administrator account.
Can anyone else confirm this?
-- Aviv Raff
From "Zen and the Art of Why Linux Sucks": "Ahh.. Can you smell the
'open source' zealots in the morning?".
----------------------------------------------------------------------------
From: full-disclosure-bounces@lists.netsys.com
[mailto:full-disclosure-bounces@lists.netsys.com] On Behalf Of Michael
Evanchik
Sent: Friday, December 24, 2004 6:11 PM
To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com;
NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM; vuln@vulnwatch.org
Subject: [Full-Disclosure] YEY AGAIN Automatic remote compromise of
InternetExplorer Service Pack 2 XP SP2
http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm
Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise
Dec, 21 2004
Vulnerable
----------
- Microsoft Internet Explorer 6.0
- Microsoft Windows XP Pro SP2
- Microsoft Windows XP Home SP2
Not Tested
------------------------
- Microsoft Windows 98
- Microsoft Internet Explorer 5.x
- Microsoft Windows 2003 Server
Severity
---------
Critical - Remote code execution, no user intervention
Proof of Concept?
------------------
- http://freehost07.websamba.com/greyhats/sp2rc.htm
- If an error is shown, press OK. This is normal.
- Notice in your startup menu a new file called Microsoft Office.hta.
When run, this file will download and launch a harmless executable (which
includes a pretty neat fire animation)
Michael Evanchik
Relationship1
p: 914-921-4400
f: 914-921-6007
mailto:mevanchik@relationship1.com
web: http://www.relationship1.com
############################################################################
#########
This Mail Was Scanned by 012.net Anti Virus Service - Powered by
TrendMicro Interscan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
