From: motiwala at ti.com (Motiwala, Yusuf)
Subject: POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III

I think this was also discussed earlier on full-disclosure, using the
ADODB.Stream object.

http://www.mail-archive.com/full-disclosure@lists.netsys.com/msg06791.html

Also, a quick search on Google found this:

HOWTO: Use the ADODB.Stream Object to Send Binary Files to the Browser
through ASP

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q276/4/88.asp&NoWebContent=1


In this code, the actual exe is contained in a JavaScript array named
'jelmersArray'. It is converted to a string by the toString function.

Yusuf




> -----Original Message-----
> From: Compton, Rich [mailto:RCompton@...rtercom.com]
> Sent: Friday, November 07, 2003 12:06 AM
> To: 'Bart.Lansing@...ls.com'; full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] POS#1 Self-Executing HTML: Internet
> Explore r 5.5 and6.0 Part III
> 
> 
> How is this binary converted to the array in the source and then converted
> back to a binary???
> Anybody have information on how this is done?
> 
> This makes me very worried!  This could bypass all the antivirus filters
> that remove executables!
> 
> -Rich Compton
> 
> -----Original Message-----
> From: Bart.Lansing@...ls.com [mailto:Bart.Lansing@...ls.com]
> Sent: Thursday, November 06, 2003 9:26 AM
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] POS#1 Self-Executing HTML: Internet
> Explorer 5.5 and6.0 Part III
> 
> Has the Win2kSP4/IE6.0 combination been confirmed as immune to this?
> 
> full-disclosure-admin@...ts.netsys.com wrote on 11/05/2003 04:36:16 PM:
> 
> > Doesn't appear to work on Win2kSP4 with IE6.
> >
> >
> > --- "http-equiv@...ite.com" <1@...ware.com> wrote:
> > >
> > >
> > > Wednesday, November 5, 2003
> > >
> > > In our never-ending quest for entertainment, we commence from
> > > this date forward to end-2004 our POS series of findings. That
> > > is the 'perfect operating system'. Today we debut and regurgitate
> > > new and not so new for fun as follows. A warm up for the New Year if
> > > you will !:
> > >
> > > The following file is an html file comprising both scripting and an
> > > executable [*.exe].
> > >
> > > We inject scripting and an executable into the html file which is
> > > designed to point back to the executable in the html file and execute
> > > it. Provided the html file is an html file, Internet Explorer 5.5 and
> > > 6.0 will execute it.
> > >
> > > Because it is an html file proper, Internet Explorer opens it. The
> > > scripting inside is then parsed and fired. That scripting is pointing
> > > back to the same executable file and because it is a self-executing
> > > html file, it executes !
> > >
> > > Fully self-contained harmless *.exe:
> > >
> > > CAUTION: back up notepad.exe before opening
> > >
> > > http://www.malware.com/self-exec.zip
> > >
> > > What a POS !
> > >
> > > Be aware of html files out there.
> > >
> > > --
> > > http://www.malware.com
> > >
> > >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
> 
> 
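
Added example (not part of the original thread or the posted file): a gateway-side check for the encoding described in the reply above, where an executable is carried as a numeric JavaScript array inside an HTML file. It decodes numeric array literals in script blocks and flags those that begin with a PE image header; the function names and both sample inputs are constructed for illustration, and only 'jelmersArray' and ADODB.Stream come from the thread.

```python
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# A JavaScript array literal of decimal integers, e.g. [77,90,144,...]
ARRAY_RE = re.compile(r"\[\s*(\d{1,3}(?:\s*,\s*\d{1,3})+)\s*\]")

def decode_array(body):
    """Bytes encoded by a numeric array literal, or None if a value exceeds 255."""
    values = [int(v) for v in body.split(",")]
    return None if any(v > 255 for v in values) else bytes(values)

def looks_like_pe(data):
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_html(html, min_len=64):
    """Report script-embedded numeric arrays that decode to a PE image."""
    findings = []
    for script in SCRIPT_RE.finditer(html):
        for arr in ARRAY_RE.finditer(script.group(1)):
            data = decode_array(arr.group(1))
            if data and len(data) >= min_len and looks_like_pe(data):
                findings.append({
                    "offset": script.start(1) + arr.start(),
                    "length": len(data),
                    # The thread links this technique to the ADODB.Stream object.
                    "adodb_stream": "adodb.stream" in html.lower(),
                })
    return findings

def _as_js_array(data):
    return "[" + ",".join(str(b) for b in data) + "]"

# Constructed sample: a 72-byte stub with only the MZ and PE signatures set.
# It is not a runnable program.
_stub = bytearray(72)
_stub[0:2] = b"MZ"
_stub[0x3C] = 0x40
_stub[0x40:0x44] = b"PE\0\0"
SAMPLE_SUSPICIOUS = ("<html><script>/* ADODB.Stream */ var jelmersArray = "
                     + _as_js_array(_stub) + ";</script></html>")
SAMPLE_BENIGN = ("<html><script>var lookup = "
                 + _as_js_array(range(72)) + ";</script></html>")

if __name__ == "__main__":
    print(scan_html(SAMPLE_SUSPICIOUS))
    print(scan_html(SAMPLE_BENIGN))
```

A filter that only looks at file extensions or leading magic bytes sees plain HTML here, which is why the check has to decode the array before testing for the header.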

