| From: | Erwin Paternotte [mailto:[EMAIL PROTECTED] |
| Sent: | Fri 11/14/2003 10:56 AM |
| To: | Michael Evanchik |
| Cc: | [EMAIL PROTECTED] |
| Subject: | Re: [Full-Disclosure] Re: Six Step IE Remote Compromise Cache Attack |
Michael Evanchik wrote:
> 1) take out the function name and brackets and all code below </script> in default.htm and save to make the start automatic
> 2) open MHT-ldy.mht and open it in notepad.
> 3) edit the 2 links for the .exe and the shell.htm (read step 4 on how that file is created) file to be the exact location of your exe and shell.htm on the server you're hosting the pages (most likely you will need full access to the server and freehosts won't work)
> 5) change the base64 exe code to your own in MHT-ldy.mht and save
> 6) save it as shell.htm to the same location you have noted in MHT-ldy.mht
> 7) of course delete all the alert command lines in ScriptBodyJsp.asp
>
Hi,

I've tested your modifications as described above on a fully patched Windows 2000 and IE. It seems the first step of the Six Step is blocked by the cumulative patch included with MS03-048. I'm not sure if this is due to the modifications you made or if this is the same for the original Six Step. Do you know which of the vulnerabilities described in MS03-048 are the same as the steps of the Six Step and are fixed by this MS bulletin?

Thanks in advance for your time.

Regards,
Erwin.
