I've tried it on Windows 98 2nd Edition, the batch file just crashes (invalid exception), however I created a small com file with CD 20 inside it (Int 20, or terminate/quit for those who don't know assembly) and it ran it fine. Any machine with IE (PC of course) would probably run this. On new systems you could hide it as hidden, nobody would notice when they type in a popular URL or their homepage. Kaneda Akira Email: k_anedaat_private ICQ# 49107701 --- "There is mystery about this which stimulates the imagination; where there is no imagination there is no horror" - Sherlock Holmes --- ----- Original Message ----- From: Red Pantz <redpantzat_private> To: <vuln-devat_private> Sent: Thursday, August 09, 2001 7:17 AM Subject: Winnt/Win2k Vuln ? > Hello all, > > I have found that if you name a file (can be any data file) a certain URL, on your desktop, and then g0 to IE and type that url, the web site will not come up, only the program that was named the certain.confusing? > > i.e. > > - copy autoexec.bat to ..\desktop > - rename autoexec.bat to www.google.com (can be any url) > - then go to IE and type "www.google.com" > - your batch file is then ran > > a few issues i have w/ this is: > > - the prog will only run if it is on your desktop > - if you type "http://www.google.com", for example > it will not run(unless u name your file the same thing) > - it has only been tested on Win2k SP1, Winnt 4.0 SP6a w/ IE 5.5 > - it doesn't seem to have any privelage escalation (all progs are run as the current user logged on) > > Just want a few others to try it and see wut they think > > thanx alot > redpantz > > ------------------------------------------------------------ > [- Get your own free e-mail @ http://www.crackdealer.com -] _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 11:52:02 PDT