Date: Mon, 29 Mar 2004 20:52:17 +0200
From: "Ron Stiemer" <r.stiemer@...-worldwide.tv>
To: "Jelmer" <jkuperus@...net.nl>, <full-disclosure@...ts.netsys.com>,
   <bugtraq@...urityfocus.com>
Subject: AW: new internet explorer exploit  (was new worm)


Hi,

mhhh...McAfee said: VBS/Psyme Trojan

so it might not be *new*, just my thoughts...

Regards,
-Ron

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Jelmer
Sent: Monday, 29 March 2004 16:36
To: full-disclosure@...ts.netsys.com; bugtraq@...urityfocus.com
Subject: [Full-Disclosure] new internet explorer exploit (was new worm)


The code used by this worm to exploit its users at least partly is (I
think) new, the vulnerability it abused has afaik not been published on
either bugtraq or full-disclosure, possibly making it (one of?) the first
worms to totally catch people off guard.

It allows a malicious person to take any action on the PC of an unsuspecting
user who views a specially prepared page

The known ingredient it uses is :
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-08/1758.html
that has gone unpatched for over 5 months now

The remainder of the exploit manages to confuse this same adodb.stream
object enough to make it think it's being run from a local location

You can protect yourself against it by running
http://ip3e83566f.speed.planet.nl/hacked-by-chinese/fix.reg


I attached sample code myself to illustrate the problem, because
http-equiv's was messy :)
This one should be more straightforward to use

Instructions :

1. unzip
2. overwrite exploit.exe with the executable you wish to run, or leave it
untouched if you want to see some nice texturemapped rotation
3. upload the files to a webserver
4. view exploit.htm

Tested on winxp pro all patches

The lazy ones among you can also view a demonstration here:

http://ip3e83566f.speed.planet.nl/security/newone/exploit.htm

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

