Users login

Create an account »


Users login

Home » Hacking News » SILLY BEHAVIOR : Internet Explorer 5.5 - 6.0

SILLY BEHAVIOR : Internet Explorer 5.5 - 6.0

by Nikola Strahija on August 16th, 2002 The following represents a trivial yet elaborate method of injecting arbitrary html into the "My Computer" zone on win98 using the Internet Explorer series of browsers.

Internet Explorer enjoys a unique component called the "Web Folder"
component. This is a selectable component install with the original
installation of the browser or can be added later on. This unique
component allows for an assortment of web publishing and authoring
conveniences, often touted as useful "feature".

But what it actually does, is create a nicely named file for us in a
known location.


The Internet Explorer series 5 through 6 enjoy a related behavior to
the so-called "Web Folder" component which allows us to point
directly to one of these web folders and traverse it directly.
However, should the folder not exist, an error message is generated
and conveniently placed for us in the temp folder:


This particular error message is nothing more than a server side 404
error message which can be modified to suit our needs as we require.


We first construct our trivial behavior to generate the error message
like so:

function malware(){

What this will do is "probe" the target site for a webfolder, and if
not found, create our error file in the temp folder as follows:

[screen shot: 4KB]

Because the error fie is nothing more than a text file, we need to
include our own html and allow Internet Explorer to 'read' it.
Previously numerous possibilities to allow for this existed,
including , databinding with
dataformatas="HTML", dotting file extensions etc. These now all
appear to be patched.


But because we can craft our own error message on the server and
point our trivial behavior to it, we simply construct our error
message like so:

MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit


What that will do is generate our simple text file in our temp
folder, and by merely mhtml'izing our url like so: open
("mhtml:file://C%3A%5CWINDOWS%5CTemp%5Cwecerr.txt"), Internet
Explorer will open our text file in full html splendor.

Inclusive of whatever other "objects" we so desire.

[screen shot: 8KB]

Working Example:

note: windows98 with temp folder default.
note: requires the 'web component'
note: simple text file only for demo purposes

[screen shot: 12KB]


1. None.

End Call


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »