what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Jun 29, 2000
Site malware.com

Microsoft Internet Explorer 5 and accompanying mail and news clients on win95, win98 and win2000 enjoy a unique status in that they choose to ignore user input. This document will show you how to manually force a file onto the target computer despite all prompts and warnings. Demonstration available here.

tags | exploit
systems | windows
SHA-256 | 7ee1f183e67576845d5933f7a7c1c7ed4d66b3108afe965dc0696834b71ac633


Change Mirror Download
Saturday, 24 June 2000

Microsoft Internet Explorer 5 and accompanying mail and news clients
on win95, win98 and win2000 enjoy a unique status in that they
choose to ignore user input. Specifically, we are able to manually
force a file onto the target computer despite all prompts and warnings.


1. How so?

We again create a very simple html frameset and embed in base 64 our

<frameset rows=3D"10%,*">
<frame src=3D"mars.exe" >

2. What will happen?

We create a simple html mail or news file and send it to the target
computer. Upon receipt and opening, the recipient will be prompted
whether they wish to 'save' or 'open' or 'cancel' - neither of these
work. While the recipient contemplates the choices, the file is
injected into the temp folder. Selecting any one of the three
choices proves useless. The file is still delivered to the temp folder. In
addition setting the so-called Security Zone settings to: DISABLE generates
a different prompt that is: "...your security settings do not allow file
downloads...[something to this effect]" with the only option being: OK.
Again selecting this proves useless.
The file is still delivered to the temp folder.

3. And?

Whe then create a second file containing a different new ActiveX
control(CLSID:15589FA1-C456-11CE-BF01-00AA0055595A) which allows us to
execute files locally. We embed the simple JavaScripting that runs
this together with the ActiveX control in base64 and embed that in a
second html frame:

<frameset rows=3D"10%,*">
<frame src=3D"mars.exe" >
<frame src=3D"lunar.mhtml" >

We again apply the very simple HTTP-EQUIV meta tag known as refresh.

<meta http-equiv=3D"refresh"content=3D"5;

and repack once again in base64.

4. Results being?

On the following generic and diluted web-based working example the
link is clicked, the file mars.mhtml will deposit both the *.exe and
second *.mhtml files into the temp. The client will be prompted as
to either 'save' 'open' or 'cancel' regardless of the choice as soon
as the prompt has been closed down, the meta refresh will bounce to
the *.mhtml in the temp, open it and execute the JavaScript and
ActiveX control and run the *.exe.

Again, because we are working locally (from C:\WINDOWS\TEMP) none of
the so-called Security Zone settings apply.

Working Example:

Note: to be executed off the web. Harmless *.exe incorporated. 5-second
delay after clearing the prompt



5. Can we do this from email?

Yes. However, with greater likelihood of failure. Consider the

Create two sets of html messages:

(a) one comprising the file to be delivered:

<frameset rows=3D"10%,*">
<frame src=3D"refresh.bat" >

Working Example:

Note: to be executed from mail client. Simple *.bat containing @exit


(b) the second comprising a fraudulent, manufactured *.url:

Content-Type: application/octet-stream;
name=3D"Microsoft TechNet Security.url"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename=3D"Microsoft TechNet Security.url"


We include a fake link: <font color=3Dblue style=3D"cursor:hand">....

The recipient will then be forced to entertain the fraudulent *.url

Working Example:

Note: to be executed from mail client.


6. Far Fetched Scenario?

Yes indeed. Send the first mail message to the target computer
followed by the second. The recipient will open the first mail
message, be advised that a file is attempting to download and
what would they like to do: 'save' or 'open' or 'cancel' while this
is being contemplated, the file is delivered to the temp folder. The
recipient then continues with their morning activities of reading
their email and opens the second mail message. Certainly innocent
enough looking and of course Urgent and from a Trusted Source=99.
Through the false link, they are then forced open the attached *.url
which points to the C:\WINDOWS\TEMP\ where the delivered file waits.

This scenario can be incorporated into one single self-contained
mail message. However the likelihood of the recipient after noting
an attempted file download warning and then continuing with opening
the *.url would (or should) be even slimmer. However, you never


1. Tested on default installs of win95, win98 and win2000 and IE5.0
and IE5.1 with accompanying mail and news clients. All up-to-date with
security patches and all with the so-called Security Zone set to: DISABLE
where possible.

2. The Outlook Patch should effectively contain or disallow the
*.url attachment. There is a workaround for that.

3. The files are still delivered to the default temp folder.
Relocate the default temp folder.

4. Submitted to CERT 6/23/00 VU#26654


Regarding the mars exploit demo at
http://members.xoom.com/malware/mars.mhtml. There seems to be two seperate
problems being exploited here for the desired effect of downloading and
executing code.

You can get any local .exe to execute in IE by refering to it in the
CODEBASE parameter of an ActiveX object tag. The CLASSID can be anything
but all zeros. Here is a code snippet, courtesy of Dildog, which will
execute calc.exe if it is in c:\windows\system32\

<OBJECT CLASSID='CLSID:10000000-0000-0000-0000-000000000000'

The other problem is the fact that .exe files can get downloaded to your
local system without you being able to cancel the operation. I tested the
malware exploit on win98 with medium security settings (the default) and
it worked as promised.

But what was far worse was it worked at the high security setting also. A
warning message came up saying "Due to your security settings you cannot
download that file." You press OK and the file is downloaded anyway. Then
it executes when used as the codebase of an ActiveX control.

The demo exploit won't work in W2K because the temp directory where the
.exe is downloaded to is "c:\documents and
settings\'username'\local settings\temp". If it is possible to get the
username through JavaScript and another ActiveX control it could possibly
be made to work there also.

Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By