RE: Win32hlp exploit for : ":LINK overflow"

From: Josh Gilmour (jgilmourat_private)
Date: Thu Mar 13 2003 - 04:12:42 PST

    Personally, I know people who know that they shouldn't download or open
    .exe's due to viruses, yet they would have no clue about .cnt or .hlp
    files. That being said, it could be a risk for them, yet people with some
    experience would notice that something isn't right and ignore it...
    But that's just me....
    
    I could have it wrong also, but does the risk happen because the .cnt
    can be emailed to someone/sent to them, and they could download and run
    it? That's how I see it working anyways, just like running an executable
    from an email. 
    
    - Josh
    
    -----Original Message-----
    From: Rob Shein [mailto:shotenat_private] 
    Sent: Tuesday, March 11, 2003 8:59 AM
    To: 'descript'; vuln-devat_private; bugtraqat_private
    Subject: RE: Win32hlp exploit for : ":LINK overflow"
    
    I'm not entirely sure I get how serious this is.  If I understand
    correctly, you're modifying a .cnt file so that when it's called (by using
    its corresponding .hlp file) it will go out and download/execute a program
    from a predetermined site.  When you're at the stage where you can modify
    files on the target machine, how much of a difference does it make to be
    able to get a .cnt file to do your bidding, as opposed to any executable
    that could have another executable bound to it, for example?  Perhaps I'm
    missing something...
    
    > -----Original Message-----
    > From: descript [mailto:descriptat_private] 
    > Sent: Saturday, March 08, 2003 7:38 PM
    > To: vuln-devat_private; bugtraqat_private
    > Subject: Win32hlp exploit for : ":LINK overflow"
    > 
    > 
    > hi list,
    > 
    > In date Sunday, 9 March, 2003 1:00 AM s0h released an exploit 
    > : Win32hlp exploit for : ":LINK overflow"
    > 
    > Source : http://s0h.cc/exploit/s0h_Win32hlp.c
    > Binary : http://s0h.cc/exploit/s0h_Win32hlp.exe
    > 
    > Discovered by ThreaT <threatat_private>.
    > Coded by ThreaT <threatat_private>.
    > Homepage : http://s0h.cc/~threat/
    > 
    > This exploit can trap a .CNT file (a file that goes with .HLP files) with 
    > arbitrary code that can download and execute a trojan 
    > without asking the user.
    > 
    > This exploit was tested on :
    > 	- Windows 2000 PRO/SERVER (fr) SP0
    > 	- Windows 2000 PRO/SERVER (fr) SP1
    > 	- Windows 2000 PRO/SERVER (fr) SP2
    > 
    > 
    > Best regards,
    > descript <descriptat_private>
    > s0h - Skin of humanity
    > http://s0h.cc
    > 
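The thread describes a .CNT (WinHelp contents) file whose :Link directive is stuffed with an oversized argument so that opening the matching .HLP triggers the overflow. From the defender's side, the practical question is how to spot such a file before it is opened. The following scanner is an added example written for this archive page; it is not s0h's exploit code and is not derived from it. It parses the plain-text directive lines of a .CNT file (`:Base`, `:Title`, `:Link`, ...) and flags any :Link argument that is abnormally long or carries non-printable bytes. The 255-character threshold, the sample .CNT contents and the function names are constructed for the example; the thread gives no figures.

```python
import re
from typing import List, Tuple

# Assumption: .CNT directives are single lines of the form ":Name argument".
# A legitimate :Link argument is a short file name, so anything far longer,
# or containing control bytes, is worth quarantining before WinHelp opens it.
DIRECTIVE_RE = re.compile(r'^:(?P<name>[A-Za-z]+)\s*(?P<arg>.*)$')

# Constructed heuristic threshold, not a figure from the advisory.
MAX_LINK_ARG_LEN = 255

# Constructed sample files for demonstration (not real malware samples).
BENIGN_CNT = (
    ":Base sample.hlp\n"
    ":Title Sample Help\n"
    ":Link other.cnt\n"
    "1 Overview=overview_topic\n"
)
SUSPICIOUS_CNT = (
    ":Base sample.hlp\n"
    ":Title Sample Help\n"
    ":Link " + "A" * 600 + "\n"
    "1 Overview=overview_topic\n"
)


def scan_cnt(text: str,
             max_len: int = MAX_LINK_ARG_LEN,
             directives: Tuple[str, ...] = ("link",)) -> List[Tuple[int, str, int]]:
    """Return (line_number, directive_name, argument_length) for every directive
    in `directives` whose argument exceeds `max_len` characters or contains
    bytes outside printable ASCII. An empty list means nothing was flagged."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        match = DIRECTIVE_RE.match(raw.strip())
        if not match:
            continue  # topic lines ("1 Title=context") and blanks are skipped
        name = match.group("name")
        if name.lower() not in directives:
            continue
        arg = match.group("arg")
        too_long = len(arg) > max_len
        has_control = any(not (0x20 <= ord(c) <= 0x7E) for c in arg)
        if too_long or has_control:
            findings.append((line_no, name, len(arg)))
    return findings


def scan_cnt_file(path: str) -> List[Tuple[int, str, int]]:
    """Read a .CNT file from disk and scan it. latin-1 decoding keeps every
    byte value representable so control bytes are not lost in decoding."""
    with open(path, "rb") as fh:
        return scan_cnt(fh.read().decode("latin-1"))


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_CNT), ("suspicious", SUSPICIOUS_CNT)):
        print(label, scan_cnt(sample))
```

Each finding names the line and the measured argument length, which is enough for a mail gateway or endpoint scanner to quarantine the attachment and for an analyst to confirm by eye. Widening the `directives` tuple checks other directive types with the same rule.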
    



    This archive was generated by hypermail 2b30 : Thu Mar 13 2003 - 09:04:39 PST