// --------------------------------------------- // Internet Explorer URL Spoofing Security Patch // --------------------------------------------- // Developed by Opensoft Corporation, Vanuatu // --------------------------------------------- // Contact: opensoft@openwares.org // --------------------------------------------- // © Opensoft Corporation, Vanuatu // Copyright © 2003 All rights reserved. // --------------------------------------------- // --------------------------------------------- // Terms of Agreement: // --------------------------------------------- // // By using this source code, you agree to the // following terms: // // 1) You may use the source code, resource // files for educational purposes only. // 2) You MAY NOT redistribute this source code // without written permission. Failure to do // so is a violation of copyright laws. // 3) The author of this code may have retained // certain "additional copyright rights". // If so, this is indicated in the author's // description. // // --------------------------------------------- // Hacked on by Paul Hsieh. In the spirit of // concern for security trumping restrictive // EULAs and licensing, I have violated 2) // above. 
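// IETray.cpp : Implementation of CIETray
#include "stdafx.h"
#include "IEMsg.h"
#include "IETray.h"
// NOTE(review): the page shows one more #include here whose header name is
// missing (apparently lost when the page was captured). The three C runtime
// headers below cover every library call this file makes; restore the
// original header as well if it was something else.
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/////////////////////////////////////////////////////////////////////////////
// CIETray

// ATL event-signature descriptors: calling convention, return type, parameter
// count, then one VARTYPE per parameter. BeforeNavigateInfo lists the same
// seven parameters that CIETray::BeforeNavigateEvent below receives; the sink
// map that binds these descriptors is presumably in IETray.h (not shown here).
_ATL_FUNC_INFO BeforeNavigateInfo = {CC_STDCALL, VT_EMPTY, 7,
    {VT_DISPATCH,
     VT_VARIANT | VT_BYREF, VT_VARIANT | VT_BYREF, VT_VARIANT | VT_BYREF,
     VT_VARIANT | VT_BYREF, VT_VARIANT | VT_BYREF,
     VT_BOOL | VT_BYREF}};
_ATL_FUNC_INFO NewWindow2Info = {CC_STDCALL, VT_EMPTY, 2,
    {VT_DISPATCH | VT_BYREF, VT_VARIANT | VT_BYREF}};
_ATL_FUNC_INFO TitleChangedInfo = {CC_STDCALL, VT_EMPTY, 1, {VT_BSTR}};

// Reads a REG_DWORD value from under HKEY_LOCAL_MACHINE.
//
// strKeyName  subkey path below HKEY_LOCAL_MACHINE
// strValName  name of the value to read
// ret         receives the value; written only when the call succeeds
//
// Returns TRUE on success. Returns FALSE when the key or value cannot be
// read, or when the stored data is not a 4-byte REG_DWORD.
BOOL RegReadKeyInt(LPCTSTR strKeyName, LPCTSTR strValName, DWORD &ret)
{
    HKEY hKey = NULL;
    // KEY_QUERY_VALUE is the only right a value read needs.
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, strKeyName, 0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS)
        return FALSE;

    DWORD dwType = 0;
    DWORD dwValue = 0;
    DWORD dwCount = sizeof(dwValue);
    const LONG rc = RegQueryValueEx(hKey, strValName, NULL, &dwType,
                                    (LPBYTE) &dwValue, &dwCount);
    RegCloseKey(hKey);

    // Read into a local first so a value of the wrong type or size never
    // leaks into the caller's variable.
    if (rc != ERROR_SUCCESS || dwType != REG_DWORD || dwCount != sizeof(DWORD))
        return FALSE;

    ret = dwValue;
    return TRUE;
}

// Writes a REG_DWORD value under HKEY_LOCAL_MACHINE.
//
// strKeyName  subkey path below HKEY_LOCAL_MACHINE; the key must already
//             exist, because it is opened and never created here
// strValName  name of the value to set
// val         value to store
//
// Returns TRUE on success, FALSE when the key cannot be opened for writing
// or the value cannot be set.
BOOL RegWriteKeyInt(LPCTSTR strKeyName, LPCTSTR strValName, DWORD val)
{
    HKEY hKey = NULL;
    // KEY_SET_VALUE is the only right a value write needs.
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, strKeyName, 0, KEY_SET_VALUE, &hKey) != ERROR_SUCCESS)
        return FALSE;

    const LONG rc = RegSetValueEx(hKey, strValName, 0, REG_DWORD,
                                  (LPBYTE) &val, sizeof(DWORD));
    RegCloseKey(hKey);
    return (rc == ERROR_SUCCESS) ? TRUE : FALSE;
}

// IObjectWithSite::SetSite. When a site is supplied, keeps it in m_smtWB and
// subscribes this object to its events, then lets the ATL base implementation
// record the site.
//
// NOTE(review): nothing in the code shown here calls DispEventUnadvise or
// clears m_smtWB when pUnkSite is NULL, so the event connection and the
// browser reference appear to be held until the object is destroyed. Confirm
// against the class declaration before adding the teardown.
STDMETHODIMP CIETray::SetSite(IUnknown *pUnkSite)
{
    try
    {
        if (pUnkSite != NULL)
        {
            m_smtWB = pUnkSite;
            if (m_smtWB)
            {
                DispEventAdvise(m_smtWB);
            }
        }
    }
    catch (_com_error &)
    {
        // Deliberately ignored, as in the original: failing to hook events
        // must not prevent the site from being set.
    }
    return IObjectWithSiteImpl::SetSite(pUnkSite);
}

// Removes every '@' and '&' from the NUL-terminated string s, in place.
// The result is never longer than the input. A NULL pointer is ignored.
static void RemoveAtAnd (char *s)
{
    if (s == NULL)
        return;

    char *out = s;
    for (; *s != '\0'; ++s)
    {
        if (*s != '@' && *s != '&')
            *out++ = *s;
    }
    *out = '\0';
}

// Event handler called before the browser navigates.
//
// Converts the target URL to the ANSI code page and looks for the control
// characters 0x01 and 0x02, which this patch treats as the marker of a
// spoofed URL. If neither is present the navigation is left alone. Otherwise
// the URL is split at the first marker, '@' and '&' are stripped from both
// halves, the browser is sent to the warning page with the two halves in the
// query string, and the original navigation is cancelled.
//
// Only url and Cancel are used; the other parameters are ignored.
//
// Changes from the original implementation:
//  - The conversion buffer size passed to WideCharToMultiByte was a fixed 256
//    regardless of the allocation. For URLs longer than that the conversion
//    failed, the scan ran over uninitialised memory, and the later strcpy
//    wrote into a zero-byte allocation. The real buffer size is now passed
//    and every conversion result is checked.
//  - Every allocation is checked, and once a marker has been found the
//    navigation is cancelled even if the warning URL cannot be built.
//  - url and Cancel are validated before use.
//  - The original switch also had `case '\218':`. That is a multi-character
//    constant ('\21' followed by '8'), which on MSVC can never equal a char,
//    so the branch was dead code and has been dropped.
//    NOTE(review): confirm with the author which character was intended.
void __stdcall CIETray::BeforeNavigateEvent(LPDISPATCH pDisp, VARIANT FAR *url,
                                            VARIANT FAR *Flags,
                                            VARIANT FAR *TargetFrameName,
                                            VARIANT FAR *PostData,
                                            VARIANT FAR *Headers,
                                            VARIANT_BOOL* Cancel)
{
    // The URL is only inspectable when it really is a BSTR.
    if (url == NULL || url->vt != VT_BSTR || url->bstrVal == NULL || Cancel == NULL)
        return;

    /* Obtain the length, terminator included, of the converted string. */
    const int len = WideCharToMultiByte (CP_ACP, 0, url->bstrVal, -1,
                                         NULL, 0, NULL, NULL);
    if (len <= 0)
        return;

    char *dest = (char *) malloc ((size_t) len);
    if (dest == NULL)
        return;

    /* Convert the Wide Character string to the multibyte character set. */
    if (WideCharToMultiByte (CP_ACP, 0, url->bstrVal, -1,
                             dest, len, NULL, NULL) <= 0)
    {
        free (dest);
        return;
    }
    dest[len - 1] = '\0';   // defensive: the scan below relies on termination

    // Find the first marker character, if any.
    char *mark = dest;
    while (*mark != '\0' && *mark != '\1' && *mark != '\2')
        ++mark;
    if (*mark == '\0')
    {
        free (dest);
        return;             // nothing suspicious: let the navigation proceed
    }

    // Split in place. The names are the original author's: sTrue is the text
    // before the marker, sFake the text after it. RemoveAtAnd only ever
    // shrinks a string, so both halves can stay inside dest.
    *mark = '\0';
    char *sTrue = dest;
    char *sFake = mark + 1;
    RemoveAtAnd (sTrue);
    RemoveAtAnd (sFake);

    // Can this be changed to something like file://$ENV(IEPatchDir)/errMsg.html ?
    // NOTE(review): as written, the warning page is fetched over plain HTTP
    // from a third-party host, and both halves of the URL the user was about
    // to visit are sent to it in the query string. Only '@' and '&' are
    // stripped; every other character is passed unencoded, so the receiving
    // page must treat both fields as untrusted text.
    static const char openwaresUrl[] = "http://www.openwares.org/cgi-bin/exploit.cgi?";
    const size_t prefixLen = sizeof openwaresUrl - 1;
    const size_t fakeLen = strlen (sFake);
    const size_t trueLen = strlen (sTrue);
    const size_t sUrlLen = prefixLen + fakeLen + 1 + trueLen;

    char *sUrl = NULL;
    WCHAR *newUrl = NULL;
    // Keep the length usable as an int and the WCHAR byte count from wrapping.
    if (sUrlLen < (size_t) INT_MAX / 2)
    {
        sUrl = (char *) malloc (sUrlLen + 1);
        newUrl = (WCHAR *) malloc ((sUrlLen + 1) * sizeof(WCHAR));
    }

    if (sUrl != NULL && newUrl != NULL)
    {
        // Same layout as the original: <prefix><sFake>&<sTrue>
        char *p = sUrl;
        memcpy (p, openwaresUrl, prefixLen);
        p += prefixLen;
        memcpy (p, sFake, fakeLen);
        p += fakeLen;
        *p++ = '&';
        memcpy (p, sTrue, trueLen + 1);

        if (MultiByteToWideChar (CP_ACP, 0, sUrl, -1,
                                 newUrl, (int) (sUrlLen + 1)) > 0)
        {
            // SetSite guards its calls on m_smtWB against _com_error, so
            // Navigate is presumably a throwing wrapper (TODO confirm). An
            // exception must not escape this event handler or skip the
            // cleanup below.
            try
            {
                if (m_smtWB)
                    m_smtWB->Navigate (newUrl, 0, 0, 0, 0);
            }
            catch (_com_error &)
            {
            }
        }
    }

    free (newUrl);
    free (sUrl);
    free (dest);

    // A marker was found: block the original navigation whether or not the
    // warning page could be shown.
    *Cancel = VARIANT_TRUE;
}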