This PoC will take your browser through the following steps:
1) Trigger some SMB requests against our evil server, to obtain the victim's username.
   The webserver will dynamically generate files containing an HTTP response redirecting to \\127.0.0.1\Documents and settings\USERNAME\Local settings\History\History.IE5\index.dat, to be invoked later on.
   Then you will be redirected to a specially crafted URL containing HTML code defining an HTML <FORM> that will be used later on to send stolen data back to our evil server.
2) Redirect you to a specially crafted URL containing the HTML code to load a script named STEALCOOKIES.VBS that (still) doesn't exist. It will be created (and loaded) later
3) This page will redirect you (again) to a specially crafted URL containing the HTML code to load a script named SCRIPTY.VBS (which will be explained later)
4) Redirect you to a page defining frames; into one of them is loaded another page containing the HTML <OBJECT> tags that try to load the victim's index.dat file through the redirecting files created in step 1.
5) At this point the user's history file, containing the HTML code required to load both scripts and to send data back to our server, will be loaded. The script SCRIPTY.VBS will be invoked in order to:
   - steal the cookies' index.dat file (to obtain the exact names of every single cookie the victim has set)
   - trigger the generation of the script STEALCOOKIES.VBS to be loaded in a subsequent call
   - invoke that subsequent call
6) This time the script named STEALCOOKIES.VBS will be loaded. It will steal every single cookie the user has set. Then, a text file will be created on our evil server containing these stolen cookies, and you will be redirected to that text file as a final step.
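The redirect-to-local-file trick in step 1 is also what a proxy or web-log review can key on. This is an added defensive example, not code from the original PoC: a small Python check that flags 3xx responses whose Location header points at a UNC path, a local drive path, a file: URL or a loopback host; the HTTP responses below are constructed samples.

```python
"""Flag HTTP redirects that send a browser to a local or UNC file path."""
import re
from urllib.parse import urlsplit

# Redirect targets that live on a local disk or SMB share rather than a web server.
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")      # \\host\share\...
DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")   # C:\... or C:/...
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def is_local_file_target(location: str) -> bool:
    """Return True when a Location value points at a local/UNC file resource."""
    target = location.strip()
    if UNC_PATH.match(target) or DRIVE_PATH.match(target):
        return True
    parts = urlsplit(target)
    if parts.scheme.lower() == "file":
        return True
    # An external site redirecting to a loopback host is suspicious in itself.
    return parts.hostname in LOOPBACK_HOSTS if parts.hostname else False


def suspicious_redirects(raw_response: str) -> list[str]:
    """Return the risky Location values found in a raw 3xx HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    if not re.match(r"HTTP/\d\.\d 30[1278]", status_line):
        return []
    found = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location" and is_local_file_target(value):
            found.append(value.strip())
    return found


# Constructed sample: the kind of redirect the evil server emits in step 1.
SAMPLE_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: \\\\127.0.0.1\\Documents and settings\\USERNAME\\Local settings"
    "\\History\\History.IE5\\index.dat\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample: an ordinary, harmless redirect.
SAMPLE_BENIGN = "HTTP/1.1 302 Found\r\nLocation: https://example.org/\r\n\r\n"

if __name__ == "__main__":
    print(suspicious_redirects(SAMPLE_REDIRECT))
    print(suspicious_redirects(SAMPLE_BENIGN))
```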