lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3F739B6E.1080608@nbnet.nb.ca>
From: smenard at nbnet.nb.ca (Steve Menard)
Subject: Re: AIM Password theft

windows 2000 professional  all patches
kaboom:

not only was wmplayer overwritten..with text..
but  IE 6  DIED   ..   then launched a command window

command prompt labelled 'C:\PROGRA~1\WINDOW~1\wmplayer.exe'
followed quickly by ...
--dialog box--
16-bit MS-DOS Subsystem
C:\PROGRA~1\WINDOW~1\wmplayer.exe
the NTVDM CPU has encountered an illegal instruction.
CS:0544 IP:01CC OP:63 68 65 2F 31 Choose 'Close' to terminate the 
application.
[close] [ignore]

yikes



http-equiv@...ite.com wrote:
<!--
  Out of curiosity I followed that link which loaded start.html (attached).
  -->

Caution: off-site archives will and have already stored this as:

text/plain attachment: start.txt
Tested on neohapsis
[http://archives.neohapsis.com/archives/bugtraq/2003-09/0375.html]

Due to the 'never-addressed-mime-issue' of Internet Explorer reading 
even dog poo as html, opening start.txt will effect the exploit partialy.
Namely:

  C:\Program Files\Windows Media Player\wmplayer.exe
will be overwritten by simply viewing the attached text file.

It is apparent the original intended payload .exe is no longer at the 
location, but the wmplayer.exe is still overwritten with a 1KB 
wmplayer.exe containing the following:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /eg/1.exe was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.26 Server at onway.net Port 80</ADDRESS>
</BODY></HTML>









Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ