Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-Disclosure] Re: new internet explorer exploit (was new worm)

from [Jelmer] Network Security [Permanent Link]
Subject: [Full-Disclosure] Re: new internet explorer exploit (was new worm)
Date: Tue, 30 Mar 2004 13:00:29 +0200 
And even that small measure of warning is trivially defeated

if I change the url in my exploit.htm from

ms-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm

to

&#109;s-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm

It gives no warning whatsoever, proofing once again that you  shouldn't
solely rely on virus scanners, though others might do a better job, I can't
imagine anyone doing it worse



----- Original Message ----- 
From: "Void" <void@sect.net>
To: "Jelmer" <jkuperus@planet.nl>; <full-disclosure@lists.netsys.com>;
<bugtraq@securityfocus.com>
Sent: Monday, March 29, 2004 9:15 PM
Subject: Re: new internet explorer exploit (was new worm)



Just wanted to add that Norton Anti-Virus 2004 will detect this exploit

and

pop up a warning, but also fails to halt its execution or protect the user
in any way.

Here is what it thinks it is:



http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html


So there is some measure of warning, but no real protection.


At 04:35 PM 3/29/2004 +0200, Jelmer wrote:

The code used by this worm to exploit it's users at least partly  is (i
think) new , the vulnerability it abused has afaik not been published on
eighter bugtraq or full-disclosure. possibly making it (one of?) the

first

worm to totally catch people offguard.

It allows a mallicious person to take any action on an unsuspecting user

who

view's a specially prepared page's pc

The known ingredient it uses is :
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-08/1758.html
that has gone unpatched for over 5 months now

The remainder of the exploit manages to confuse this same adodb.stream
object enough to make it think it's being run from a local location

You can protect yourself against it by running
http://ip3e83566f.speed.planet.nl/hacked-by-chinese/fix.reg


I attached sample code myself to illustrate the problem, because
http-equiv's was messy :)
This one should be more straightforward to use

Instructions :

1. unzip
2. overwrite exploit.exe with the executable you wish to run, or leave it
untoched if you want to see some nice texturemapped rotation
3. upload the files to a webserver
4. view exploit.htm

Tested on winxp pro all patches

for the lazy ones among you can also view a demonstration here :

http://ip3e83566f.speed.planet.nl/security/newone/exploit.htm
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-Disclosure] Re: new internet explorer exploit (was new worm), Nick FitzGerald
Next by Date:  [Full-Disclosure] Re: new internet explorer exploit (was new worm), - -
Previous by Thread:  Re: [Full-Disclosure] RE: new internet explorer exploit (was new worm), Tim
Next by Thread:  [Full-Disclosure] Re: new internet explorer exploit (was new worm), - -
Indexes:  [Date] [Thread] [Top] [All Lists]