From: smenard at nbnet.nb.ca (Steve Menard)
Subject: Re: AIM Password theft

windows 2000 professional all patches

kaboom:
not only was wmplayer overwritten..with text..
but IE 6 DIED ..
then launched a command window
command prompt labelled 'C:\PROGRA~1\WINDOW~1\wmplayer.exe'
followed quickly by ...

--dialog box--
16-bit MS-DOS Subsystem
C:\PROGRA~1\WINDOW~1\wmplayer.exe
the NTVDM CPU has encountered an illegal instruction.
CS:0544 IP:01CC OP:63 68 65 2F 31 Choose 'Close' to terminate the application.
[close] [ignore]

yikes

http-equiv@...ite.com wrote:

<!--
Out of curiosity I followed that link which loaded start.html (attached).
-->

Caution: off-site archives will and have already stored this as:

text/plain attachment: start.txt

Tested on neohapsis
[http://archives.neohapsis.com/archives/bugtraq/2003-09/0375.html]

Due to the 'never-addressed-mime-issue' of Internet Explorer reading even dog poo as html, opening start.txt will effect the exploit partially.

Namely:

C:\Program Files\Windows Media Player\wmplayer.exe

will be overwritten by simply viewing the attached text file.

It is apparent the original intended payload .exe is no longer at the location, but the wmplayer.exe is still overwritten with a 1KB wmplayer.exe containing the following:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /eg/1.exe was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.26 Server at onway.net Port 80</ADDRESS>
</BODY></HTML>