A Uniform Resource Identifier (URI) allows a user to identify a name or a resource on the Internet while specifying the delivery protocol.
Unpatched versions of Internet Explorer 6 through 9 do not specify the path of the executable used to load the telnet.exe handler when loading URIs. If an attacker can get a target to open an HTML document from an SMB share that redirects to a telnet URI, and supplies a malicious telnet.exe file in the same path as the HTML document, the executable will be run on the target's system.
Apply a patch. See Microsoft Security Bulletin MS11-057 for patch information.
This exploit has been tested against Microsoft Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). The executable smbclient must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The SMB password is not allowed to contain single quotes (').
This exploit uploads files named 'report.html' and 'exploit.exe' to the supplied SMB share. The attack will succeed if a vulnerable user accesses the SMB share and double-clicks on the report.html file.
Please note that the exploit does not clean up these two files after executing, and the user should delete them manually.
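A defensive check that follows from the description above, added here as an example and not part of the original advisory or the exploit: it walks a locally mounted share and reports HTML documents that reference a telnet: URI and sit in the same directory as a .exe file. The function names, the matching heuristic and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

TELNET_URI = re.compile(rb"telnet:", re.IGNORECASE)  # heuristic, an assumption
HTML_EXT = (".html", ".htm")

def scan_share(root):
    """Return [(html_path, [exe names])] for HTML with a telnet: URI beside a .exe."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:
            continue  # no executable beside the documents in this folder
        for name in sorted(files):
            if not name.lower().endswith(HTML_EXT):
                continue
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    data = fh.read(1 << 20)  # cap the read at 1 MiB per file
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            # Dropping NUL bytes lets UTF-16 encoded HTML match the pattern too.
            if TELNET_URI.search(data.replace(b"\x00", b"")):
                findings.append((os.path.join(dirpath, name), exes))
    return findings

def build_sample(root):
    """Write a constructed sample tree (not real artifacts) under root."""
    layout = {
        "drop/report.html": '<a href="telnet://host.example/">x</a>'.encode("utf-16"),
        "drop/telnet.exe": b"constructed placeholder, not a real binary",
        "docs/help.html": b"<p>telnet: is mentioned, but no .exe sits here</p>",
        "tools/setup.exe": b"constructed placeholder, not a real binary",
        "tools/readme.html": b"<p>installer notes, no such URI</p>",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return [(os.path.relpath(p, root), exes) for p, exes in scan_share(root)]

if __name__ == "__main__":
    for html, exes in demo():
        print(f"review: {html} alongside {', '.join(exes)}")
```

A hit is a prompt for review, not proof of compromise; a share that legitimately stores installers next to documentation will produce matches.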