Message-ID: <F509E6111989D311B63700805FA761DA07B609EB@dbde01.itg.ti.com>
From: motiwala at ti.com (Motiwala, Yusuf)
Subject: POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III

I think this was also discussed earlier on full-disclosure, using the
ADODB.Stream object.
http://www.mail-archive.com/full-disclosure@lists.netsys.com/msg06791.html

Also, a quick search on Google found this:
HOWTO: Use the ADODB.Stream Object to Send Binary Files to the Browser through ASP
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q276/4/88.asp&NoWebContent=1

In this code, the actual exe is contained in a JavaScript array named
'jelmersArray'. It is converted to a string by the tostring function.

Yusuf

> -----Original Message-----
> From: Compton, Rich [mailto:RCompton@...rtercom.com]
> Sent: Friday, November 07, 2003 12:06 AM
> To: 'Bart.Lansing@...ls.com'; full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] POS#1 Self-Executing HTML: Internet
> Explorer 5.5 and 6.0 Part III
>
>
> How is this binary converted to the array in the source and then converted
> back to a binary???
> Anybody have information on how this is done?
>
> This makes me very worried! This could bypass all the antivirus filters
> that remove executables!
>
> -Rich Compton
>
> -----Original Message-----
> From: Bart.Lansing@...ls.com [mailto:Bart.Lansing@...ls.com]
> Sent: Thursday, November 06, 2003 9:26 AM
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] POS#1 Self-Executing HTML: Internet
> Explorer 5.5 and 6.0 Part III
>
> Has the Win2kSP4/IE6.0 combination been confirmed as immune to this?
>
> full-disclosure-admin@...ts.netsys.com wrote on 11/05/2003 04:36:16 PM:
>
> > Doesn't appear to work on Win2kSP4 with IE6.
> >
> >
> > --- "http-equiv@...ite.com" <1@...ware.com> wrote:
> > >
> > >
> > > Wednesday, November 5, 2003
> > >
> > > In our never-ending quest for entertainment, we commence from
> > > this date forward to end-2004 our POS series of findings. That
> > > is the 'perfect operating system'. Today we debut and regurgitate
> > > new and not so new for fun as follows. A warm up for the New Year if
> > > you will !:
> > >
> > > The following file is an html file comprising both scripting and an
> > > executable [*.exe].
> > >
> > > We inject scripting and an executable into the html file which is
> > > designed to point back to the executable in the html file and execute
> > > it. Provided the html file is an html file, Internet Explorer 5.5 and
> > > 6.0 will execute it.
> > >
> > > Because it is an html file proper, Internet Explorer opens it. The
> > > scripting inside is then parsed and fired. That scripting is pointing
> > > back to the same executable file and because it is a self-executing
> > > html file, it executes !
> > >
> > > Fully self-contained harmless *.exe:
> > >
> > > CAUTION: back up notepad.exe before opening
> > >
> > > http://www.malware.com/self-exec.zip
> > >
> > > What a POS !
> > >
> > > Be aware of html files out there.
> > >
> > > --
> > > http://www.malware.com
> > >
> > >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
>
>
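
The filtering concern raised in the thread and the array encoding described in the reply, as an added example (not code from the thread or from the demo file): a Python check a mail or web gateway could run over HTML to flag script arrays that decode to an executable image. It assumes the embedded file is a literal JavaScript array of byte values; the function names and both samples are constructed here.

```python
import re

# Matches  name = [77, 90, ...]  or  name = new Array(0x4D, 0x5A, ...)
ARRAY_RE = re.compile(
    r"([A-Za-z_$][\w$]*)\s*=\s*(?:new\s+Array\s*\(|\[)([0-9a-fA-FxX,\s]+)[\])]"
)

def numeric_arrays(html):
    """Yield (name, bytes) for each array literal holding only values 0..255."""
    for m in ARRAY_RE.finditer(html):
        tokens = [t.strip() for t in m.group(2).split(",") if t.strip()]
        try:
            vals = [int(t, 16) if t.lower().startswith("0x") else int(t) for t in tokens]
        except ValueError:
            continue  # not a purely numeric literal
        if vals and all(v <= 255 for v in vals):
            yield m.group(1), bytes(vals)

def looks_like_pe(data):
    """MZ magic plus a PE signature at the offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\0\0"

def scan_html(html):
    """Return one finding per script array that decodes to a PE image."""
    uses_stream = re.search(r"ADODB\.Stream", html, re.I) is not None
    return [
        {"array": name, "size": len(data), "adodb_stream": uses_stream}
        for name, data in numeric_arrays(html)
        if looks_like_pe(data)
    ]

# Constructed sample: 72 header bytes only (MZ + PE signature), not a program.
STUB = bytearray(72)
STUB[0:2] = b"MZ"
STUB[0x3C] = 0x40
STUB[0x40:0x44] = b"PE\0\0"
SAMPLE_FLAGGED = (
    "<html><script>var jelmersArray = [" + ",".join(map(str, STUB)) + "];\n"
    "// ... ADODB.Stream is referenced later in the script ...\n"
    "</script></html>"
)
SAMPLE_CLEAN = "<html><script>var sizes = [10, 20, 30];</script></html>"

if __name__ == "__main__":
    print(scan_html(SAMPLE_FLAGGED))
    print(scan_html(SAMPLE_CLEAN))
```

The check inspects decoded content rather than file extension or MIME type, which is the gap an extension-based executable filter leaves open for an .html attachment.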