Res Timing File Enumeration Without JavaScript

Demo links, one per file probed (the last four are control names that should not exist):

- test telnet.exe
- test msimsg.dll
- test xcopy.exe
- test wuauserv.dll
- test testasdfasdf.dll (shouldn't exist)
- test test12345678.dll (shouldn't exist)
- test testfdsafdsa.dll (shouldn't exist)
- test test87654321.dll (shouldn't exist)

This is a hybrid of two different techniques for finding files on the local file system using IE7.0. The first is a timing attack (first found by David Byrne); the second is the blocking META refresh with link tags technique found by Jeremiah Grossman, although this version uses images instead of link tags. By iterating through 10,000 images, we see a fairly major and measurable difference in the time it takes to process a file that exists on the file system versus one that doesn't.
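The reason the demo loads the same resource 10,000 times is a property of every timing side channel: the per-request difference between an existing and a missing file is tiny next to the random variation of a single request, but summed over n requests the difference grows like n while the noise only grows like the square root of n. The toy model below, added here as an illustration and not part of RSnake's demo, makes that concrete. All millisecond figures (BASE_MS, DELTA_MS, NOISE_SD_MS) are constructed assumptions, not measurements from IE7, and the baseline-vs-candidate classifier simply formalises the page's use of "shouldn't exist" control names as the reference point.

```python
"""Toy model of why a per-file timing channel needs thousands of requests.

Added illustration; the numbers are constructed, not measured from the demo.
"""
import math
import random
import statistics

# Constructed model parameters (milliseconds): every image request costs
# BASE_MS plus Gaussian noise with standard deviation NOISE_SD_MS; a
# request for a file that exists costs an extra DELTA_MS. Only DELTA_MS
# carries information about the file system.
BASE_MS = 1.0
DELTA_MS = 0.1
NOISE_SD_MS = 2.0


def separation_sigma(delta_ms, noise_sd_ms, n_requests):
    """Gap between the mean total time for an existing and a missing file,
    measured in standard deviations of the total. Signal = delta * n,
    noise = sd * sqrt(n), so the ratio grows like sqrt(n)."""
    return delta_ms * math.sqrt(n_requests) / noise_sd_ms


def simulate_total(exists, n_requests, rng):
    """Total wall-clock time of n_requests sequential requests (one demo
    link) under the constructed model."""
    per_request = BASE_MS + (DELTA_MS if exists else 0.0)
    return sum(rng.gauss(per_request, NOISE_SD_MS) for _ in range(n_requests))


def classify(candidate_total, baseline_totals, k=3.0):
    """Report 'present' when the candidate's total exceeds the mean of the
    known-missing baselines (the page's 'shouldn't exist' names) by more
    than k sample standard deviations, otherwise 'absent'."""
    mean = statistics.mean(baseline_totals)
    sd = statistics.stdev(baseline_totals)
    return "present" if candidate_total > mean + k * sd else "absent"


if __name__ == "__main__":
    rng = random.Random(2007)  # fixed seed so the run is reproducible
    for n in (1, 100, 10_000):
        print(f"n={n:>6}: separation = "
              f"{separation_sigma(DELTA_MS, NOISE_SD_MS, n):.2f} sigma")
    n = 10_000
    # Eight runs against control names that do not exist give the baseline.
    baseline = [simulate_total(False, n, rng) for _ in range(8)]
    for name, exists in (("telnet.exe", True), ("testasdfasdf.dll", False)):
        total = simulate_total(exists, n, rng)
        print(f"{name:18} total={total:9.1f} ms -> {classify(total, baseline)}")
```

With these constructed values a single request separates the two cases by 0.05 standard deviations, which is unmeasurable, while 10,000 requests separate them by 5; that is the whole reason the demo is slow. The same arithmetic says what a defence has to achieve: the channel closes only if the per-request difference is removed or made independent of whether the file exists, not merely hidden under more jitter.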

The demo only works in IE7.0 (as tested), and it is a little rough: a finished version would set a cookie and keep iterating on its own, but to save time I made it a series of links you click one at a time. It also has the interesting behavior of locking up IE while a link is loading. This was worse in an earlier version that used iframes instead of images; with images, each link typically finishes in 8-20 seconds and rarely takes longer than 20-30 seconds.

- By RSnake