Vulnerability Development mailing list archives

RE: Win32hlp exploit for : ":LINK overflow"


From: "Josh Gilmour" <jgilmour () attbi com>
Date: Thu, 13 Mar 2003 12:29:35 -0500

Ahhhh, I gotcha now...
Yeah, that makes sense about what you were saying before.
Thanks for clearing that up!

- Josh

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net] 
Sent: Thursday, March 13, 2003 12:10 PM
To: 'Josh Gilmour'; 'descript'; vuln-dev () securityfocus com;
bugtraq () securityfocus com
Subject: RE: Win32hlp exploit for : ":LINK overflow"

I don't think you understand...a .cnt file won't do anything if you click on it.  It's the same as if I were to create a file named "testfile.ooongaboonga".  Windows will essentially ask, "what the hell do you want me to do with this?" and of course the user won't have any idea either, so nothing will happen.  YOU CANNOT RUN A .CNT FILE.  It gets called from a help file; it's the index of the help file.

-----Original Message-----
From: Josh Gilmour [mailto:jgilmour () attbi com] 
Sent: Thursday, March 13, 2003 7:13 AM
To: 'Rob Shein'; 'descript'; vuln-dev () securityfocus com; 
bugtraq () securityfocus com
Subject: RE: Win32hlp exploit for : ":LINK overflow"


Personally, I know people who know that they shouldn't 
download or open .exe's due to viruses, yet they would have 
no clue about .cnt or .hlp files. That being said it could be 
a risk for them, yet people with some experience would 
notice that something isn't right and ignore it... But 
that's just me....

I could have it wrong also, but does the risk happen because 
the .cnt can be emailed to someone/sent to them, and they 
could download and run it? That's how I see it working 
anyways, just like running an executable from an email. 

- Josh

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net] 
Sent: Tuesday, March 11, 2003 8:59 AM
To: 'descript'; vuln-dev () securityfocus com; bugtraq () securityfocus com
Subject: RE: Win32hlp exploit for : ":LINK overflow"

I'm not entirely sure I get how serious this is.  If I 
understand correctly, you're modifying a .cnt file so that 
when it's called (by using its corresponding .hlp file) it 
will go out and download/execute a program from a 
predetermined site.  When you're at the stage where you can 
modify files on the target machine, how much of a difference 
does it make to be able to get a .cnt file to do your 
bidding, as opposed to any executable that could have another 
executable bound to it, for example?  Perhaps I'm missing something...

-----Original Message-----
From: descript [mailto:descript () sv98 s0h cc]
Sent: Saturday, March 08, 2003 7:38 PM
To: vuln-dev () securityfocus com; bugtraq () securityfocus com
Subject: Win32hlp exploit for : ":LINK overflow"


hi list,

On Sunday, 9 March 2003, 1:00 AM, s0h released an exploit:
Win32hlp exploit for : ":LINK overflow"

Source : http://s0h.cc/exploit/s0h_Win32hlp.c
Binary : http://s0h.cc/exploit/s0h_Win32hlp.exe

Discovered by ThreaT <threat () s0h cc>.
Coded by ThreaT <threat () s0h cc>.
Homepage : http://s0h.cc/~threat/

This exploit can trap a .CNT file (a file that accompanies .HLP files) with
arbitrary code that can download and execute a trojan
without asking the user.

This exploit was tested on :
    - Windows 2000 PRO/SERVER (fr) SP0
    - Windows 2000 PRO/SERVER (fr) SP1
    - Windows 2000 PRO/SERVER (fr) SP2


Best regards,
descript <descript () s0h cc>
s0h - Skin of humanity
http://s0h.cc
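As an added defensive illustration (this is not code from s0h, ThreaT or anyone in the thread): a small Python scanner that parses the text directives of a WinHelp .cnt contents file (`:Base`, `:Title`, `:Link`, numbered topic lines) and flags overlong `:Link` and similar arguments, since the advisory above reports that an overlong `:LINK` entry overflows the help viewer. The 255-byte threshold and the two sample files are assumptions constructed for the example, not values taken from the advisory.

```python
"""Scan .cnt help-contents files for oversized directive arguments.

Constructed example. A .cnt file is plain text: lines starting with ':'
are directives (':Base', ':Title', ':Link', ':Include', ':Index'), and
lines starting with a digit are topic entries ('1 Caption=Context').
The scanner flags watched directives whose argument exceeds MAX_ARG_LEN.
"""
import re

# Assumed conservative limit; the real buffer size is not stated in the thread.
MAX_ARG_LEN = 255
WATCHED = {":link", ":include", ":base", ":index"}

DIRECTIVE_RE = re.compile(r"^(:\w+)\s*(.*)$")


def parse_cnt(text):
    """Yield (line_no, kind, name, arg) for every non-blank line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            yield n, "directive", m.group(1).lower(), m.group(2)
        elif line[0].isdigit():
            level, _, rest = line.partition(" ")
            yield n, "topic", level, rest
        else:
            yield n, "unknown", "", line


def find_suspicious(text, max_len=MAX_ARG_LEN):
    """Return [(line_no, directive, arg_len)] for watched directives that are too long."""
    findings = []
    for n, kind, name, arg in parse_cnt(text):
        if kind == "directive" and name in WATCHED and len(arg) > max_len:
            findings.append((n, name, len(arg)))
    return findings


# Constructed samples: a benign contents file and one with an overlong :Link.
BENIGN = ":Base sample.hlp\n:Title Sample Help\n:Link other.hlp\n1 Overview=OVERVIEW\n"
SUSPECT = BENIGN + ":Link " + "A" * 600 + ".hlp\n"

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, find_suspicious(doc))
```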
