Microsoft Help ActiveX Control Related Topics Local Content Accessing Vulnerability
From: Paul (paulgreyhats.cjb.net)
Date: Sat Nov 27 2004 - 17:22:48 CST
Greyhats Security Group is back and we're ready to kick the crap out of sp2 :). Looks like all the vulnerabilities previously posted by us have been patched. Good work, Microsoft. We're not through yet, though. Here's proof that no matter how many millions of dollars you spend on security, there will always be things you missed.
Btw, I codenamed this LongNameVuln because it's a lot easier to remember than Help ActiveX Control Related Topics Local Content Accessing Vulnerability :)
IEXPLORE.EXE file version 6.0.2900.2180
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP Home SP2
The example shows the picture of a garden which includes a carrot. Dragging the carrot to the bottom frame in the browser (set up to be the outside of the garden) will copy a file to the PCHealth directory in C:\windows, which will then be launched, creating another file in the same directory called Greyhats.hta, which must be launched manually. The directory could easily be changed to shell:startup, however this is not necessary for this example. This is the same payload as given in NoCeegar on malware.com because my server doesn't have the capabilities to host the payload file like malware.com does :).
View the example at http://freehost07.websamba.com/greyhats/longnamevuln.htm