Vulnerability Development mailing list archives
Re: Outlook HTML VBS (demo)
From: mkennedy () SYMANTEC COM (Mark Kennedy)
Date: Thu, 25 May 2000 16:52:57 -0000
Dave,

VBS does not have disk functions. It accesses the FileSystemObject to do this. JScript can access the same object. To embed in HTML it is the same as JScript, only you specify a different language:

<script language="VBScript">

Mark Kennedy
Architect, Symantec

So I take it one can embed VBS in html <script> tags in the same way that one may do so with javascript? Does javascript have the similar functions for disk I/O that VBS has?

Dave Hull, Senior Information Technology Analyst
LAN Support Services, University of Kansas
gpg key-> http://insipid.cc.ukans.edu/dphull/pubkey.html

-----Original Message-----
From: Playle, Greg [mailto:GPlayle () stai com]
Sent: Monday, May 22, 2000 10:54 AM
To: 'Hull, Dave'
Subject: RE: Outlook HTML VBS (demo)

RTFN. (Read The Fantastic News). VBS is the scripting language behind: Melissa, LoveBug, Cholera, variants of LoveBug, etc. Do a search on evil html.

-----Original Message-----
From: Hull, Dave [mailto:dphull () MAIL UKANS EDU]
Sent: Monday, May 22, 2000 9:21 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Outlook HTML VBS (demo)

Pardon my ignorance, but is it really possible to include dangerous exploits in messages using VBS, Javascript and the like? Popup messages are one thing, but I/O to disk is quite another. Is this really a VBS call? It looks suspiciously like the alert() function found in Javascript.

I was working several months ago on a project and thought I might be able to use Javascript via a web page to pull stats from a user's computer like size of HDD, amount of available disk space, etc. and my admittedly shallow research led me to believe that it was not possible to use Javascript for such tasks. Granted, I don't know the language, so could someone set me straight?

Thanks.

Dave Hull, Senior Information Technology Analyst
LAN Support Services, University of Kansas
gpg key-> http://insipid.cc.ukans.edu/dphull/pubkey.html

-----Original Message-----
From: Masial [mailto:mrousseau () SECURED ORG]
Sent: Sunday, May 21, 2000 5:42 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Outlook HTML VBS (demo)

The easy way is to build the HTML in notepad with the scripts in it then open the html doc with Word and send the eMail using the little eMail button in word.

As you can see, this eMail message would pop a box on a vulnerable Outlook and not on those who don't allow scripting. The only function in this demo is an alert() box but it could be pretty much anything.

M.

> -----Original Message-----
> From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf
> Of Joerg Weber
> Sent: Sunday, May 21, 2000 12:28 PM
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: Outlook, HTML & VBS
>
>
> BB, Everyone,
>
> this certainly is a lame question but Outlook isn't exactly my
> speciality :)
>
> I'm trying to embed a script into a mail that pops up a MsgBox
> telling the user (s)he is vulnerable to vbs-scripting virii. Now,
> attaching this is sorta lame. So I'm trying to have Outlook execute
> the script when the message is read.
> Could someone explain how you create arbitrary HTML code so Outlook
> renders/executes it? I've so far just been able to use Outlook's
> built-in formatting features.
>
> Thanks everyone!
>
> Joerg
>
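A mail gateway or triage script can flag the condition this thread describes, script embedded in an HTML message body, before a scripting-enabled client renders it. The following is an added example, not code from any poster in the thread; it generalizes from <script> blocks to inline on* event handlers, and the names ScriptFinder, uses_fso and scan_message and the sample message are constructed for illustration.

```python
import email.policy
from html.parser import HTMLParser

# Constructed sample message (not taken from the thread).
SAMPLE = """\
Subject: constructed test message
Content-Type: text/html; charset="us-ascii"

<html><body><script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
</script><img src="x.gif" onload="alert(1)"></body></html>
"""

def uses_fso(text):
    # The thread names FileSystemObject as the route from script to disk access.
    return "filesystemobject" in text.lower()

class ScriptFinder(HTMLParser):
    # Records (kind, name, uses_fso) for <script> blocks and on* handlers.
    def __init__(self):
        super().__init__()
        self.findings, self._lang, self._body = [], None, ""

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        if tag == "script":  # unspecified language is treated as JavaScript
            self._lang = (attrs.get("language") or attrs.get("type") or "javascript").lower()
            self._body = ""
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(("handler", name, uses_fso(value)))

    def handle_data(self, data):
        if self._lang is not None:  # only collect text inside an open <script>
            self._body += data

    def handle_endtag(self, tag):
        if tag == "script" and self._lang is not None:
            self.findings.append(("script", self._lang, uses_fso(self._body)))
            self._lang = None

def scan_message(raw):
    # Scan every text/html part of a raw RFC 822 message for active content.
    msg = email.message_from_string(raw, policy=email.policy.default)
    finder = ScriptFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.findings
```

Any non-empty result is reason to strip or quarantine the HTML part; a finding with uses_fso set means the script references the object that gives it disk access.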