Re: possible new "e-mail virus" concept ? + bypassing IE settings

[zoa_chien () INAME COM (Zoa_Chien)]

Just tested:

Changing cache dirs does NOT seem to work with
<img src="pw () server com/../filename.txt">ftp://user:pw () server com/../filename.txt</A>"
or
<img src="http://www.server.com/../filename.txt";
both were tested with hex codes too...

On both server types Files will be created with the name you give to
download them, not the name the server replies when uploading you the
file.  (as Jim stated before.)

How about using other (less known) server types supported in IE ?
(probalby doesn't work either, but I just can't seem to get enough :-))
Does any1 know all server types supported in IE, with the correct string
(like ftp:// http:// ...)

Maybe we could try the idea on "trusted" third party software like realplayer ?

Any servertype known to give back a default file if no filename was passed ?

the .url file as an attachement won't work indeed.

Zoa_chien.

> Alternative approach for writing e-mail virusses.??
> --------------------------------------------------------------------
>
> Disclaimer:
> -----------
>
> Not of this got tested, and chances are big that not everything will function.
> Everything i wrote is purely hypothetical, but i guess some ideas might be
> usefull to know.
> (Please e-mail me if you did some testing on this, i don't have the time to
> test this myself.... (exams))
>
> Background: (Skip this if you don't have the time)
> -----------------
>
> While looking for a way to bypass the Internet Explorer (I.E.) Security
> setting that disables all downloads a while ago, i noticed that I.E.
> automatically downloads image files, (unless you have images disabled)
> and stores them in the "temporary internet files" folder.
>
> I did some testing on how I.E.(IE5, win98) handles those image files and found
> that it downloads the  first few bytes, checks for a valid image file header
> and if the header is present, it will download the rest of the file.
> And when the complete file is downloaded it will try to show the image.
>
> So, I took a Executable file, and changed the first 2 bytes
> (MZ) to BM with a hex editor (or edit.com /b) and then inserted this filename
> (renamed to file.bmp) as image source in a HTML page.
>
> When opening this page in I.E., the complete file got downloaded (I.E. assumed
> this was a .BMP file), however it showed a red cross in I.E. like the ones
> you get with image not found.
> If i changed the BM back to MZ and renamed it back to file.exe I was able to
> run this program, i even did a binary file compare and it  was exactly the
> same as the original one. (so no stripping occured.)
>
> (I noticed that in NT4 things are different, since the temporary internet
> files
> located in /winnt/profiles/admin/Local settings/ is a special directory type,
> could someone give me more info on this type of dir ?)
> I guess similar things will occur in other web browsers.
>
> --
>
> Virus concept:  (not tested)
> --------------
>
> Meanwhile, i noticed that the image files for I.E. don't need to have a valid
> image file extension, anything will work fine. (and IE uses temporary files
> with
> the same name as the original files.)
>
> So, why not send someone a virus.bat file, as image in a HTML mail. The first
> 2 bytes in the .bat file should be BM (or any other image file header).
> We all know that when an error occures in a .bat file all it will do is say:
> bad command or file name and will continu with the next line, so writing this
> BM in the beginning won't hurt.
>
> Hmmm.. lets see: what can i do with .bat files... pretty much, but i prefer
> .exe files.
> Not a problem: with debug.exe i can dump executable files as hex in an
> ascii file, and back to .exe.
> So, in the .bat file i will use some ECHO commands >> filehex.txt to create
> the hex file.
> Next line in the .bat file should contain the command line parameters for
> debug to create this .exe file.
> And the last line should execute this .exe file.
>
> Example of how the .bat file should look:
>
> -BOF-
> BMdfjlqskdfjlksjdflksqjdflksjcvlvksjd (this will cause error, but who cares)
> ECHO 22 EF SD E3 FE AD >> filehex.txt (should append not overwrite)
> ECHO 1D A6 E6 ....     >> filehex.txt
> ...
> debug -xxxxx filehex.txt file.exe (i don't remember the correct parameters)
> file.exe
> -EOF-
>
> Of course, we would like this batch file to get executed automatically.
>
> This was not tested, but i think it might be possible to make a custom
> HTTP server that thinks "/../../../../../../file.bat" (or maybe "c:\file.bat")
> is valid, and when asked to send this file, it will not try to look in lower
> dirs to find the file, but simply will upload the file to the client.
>
> (I could use some %codes in the filename in the .html to scramble the dir and
> fool I.E.)
> That way, we might be able to save the temporary files in other dirs then
> "the temporary internet files" folder.
>
> If we are able to save the filename as c:\autoexec.bat we could let the  file
> execute on the next bootup.
>
> Enjoy!
>
> final note: maybe it is possible to create valid .com files with a valid
> image file header.
> (from good ol' times, i remember it was possible to give a .com file a "PK"
> as first 2 bytes  of the file, thus avoiding getting scanned, just check
> the ASM meaning of the image file headers.)
>
>
>
> Zoa_Chien (zoa_chien () iname com)
>
> -
> Vanheuverzwijn Joachim
> www.securax.org
> -