From: Virus Guy on 18 Jul 2010 18:18

Ant wrote:

> > What should happen on a vulnerable system with this POC?
>
> OutputDebugStringA("SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!");
>
> In any case, the DLL won't be able to load on a Win9x system
> because of these flags in the PE header:
>
> MajorOSVersion = 5
> MajorSubsystemVersion = 5
>
> That means the lowest Windows version allowed is 5 (Win2k).

Can the .lnk example file be modified - to do something more visible (and not OS-specific)? Like launch calc.exe?
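The two PE optional-header fields quoted above (MajorOperatingSystemVersion and MajorSubsystemVersion in the PE spec) are what an analyst checks to see which Windows versions an image declares itself loadable on. The following is an added example, not code from this thread or from the POC: a small Python reader for those fields, exercised on a constructed minimal PE32 header (not the POC's dll.dll); the `meets_minimum` comparison against a host (major, minor) tuple is my own simplification of the rule Ant states.

```python
import struct

def build_sample_pe(major_os=5, major_subsys=5):
    """Constructed minimal PE32 image header: DOS header whose e_lfanew points at
    'PE\\0\\0', a COFF header flagged as a DLL, and an optional header carrying the
    requested version fields. Not a real DLL; only the headers are present."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)      # e_lfanew at 0x3C
    # Machine=i386, 1 section, no timestamp/symbols, SizeOfOptionalHeader=0xE0,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    # offset 40: MajorOS, MinorOS, MajorImage, MinorImage, MajorSubsys, MinorSubsys
    struct.pack_into("<HHHHHH", opt, 40, major_os, 0, 0, 0, major_subsys, 0)
    return dos + b"PE\0\0" + coff + bytes(opt)

def pe_version_fields(data):
    """Return the declared OS and subsystem versions (and DLL flag) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    size_opt, characteristics = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                            # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_opt < 52:
        raise ValueError("optional header too short to hold version fields")
    # The version fields sit at the same offsets in PE32 and PE32+.
    major_os, minor_os, _, _, major_ss, minor_ss = struct.unpack_from(
        "<HHHHHH", data, opt + 40)
    return {
        "is_dll": bool(characteristics & 0x2000),              # IMAGE_FILE_DLL
        "os_version": (major_os, minor_os),
        "subsystem_version": (major_ss, minor_ss),
    }

def meets_minimum(fields, host_version):
    """Assumed rule: the host (major, minor) must be at or above both declared minimums."""
    return (host_version >= fields["os_version"]
            and host_version >= fields["subsystem_version"])

if __name__ == "__main__":
    f = pe_version_fields(build_sample_pe())
    print(f, "loadable on Win98 (4.10)?", meets_minimum(f, (4, 10)))
```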
From: Ant on 18 Jul 2010 19:57

"Virus Guy" wrote:

> Can the .lnk example file be modified - to do something more visible
> (and not OS-specific) ?

Yes.

> Like launch calc.exe?

No. It will only work with a DLL. I just built a new dll.dll and in the DllMain entry case of DLL_PROCESS_ATTACH called MessageBox to get an alert. This works on Win2k but I don't know about 9x.

BTW, the suckme.lnk expects the DLL to be in the root of C:\.
From: Bullwinkle on 19 Jul 2010 13:58

Go away hacker! Looks like you lied about reporting davey boy.

"Dustin" <bughunter.dustin(a)gmail.com> wrote in message news:Xns9DB9A9E1A465EHHI2948AJD832(a)69.16.185.247...

Geoff <geoff(a)invalid.invalid> wrote in news:1gg646hr9lv7tdv1b3vhvou75nfou9o7l8(a)4ax.com:

> On Sun, 18 Jul 2010 09:55:45 -0400, Virus Guy <Virus(a)Guy.com> wrote:
>
>>http://www.microsoft.com/technet/security/advisory/2286198.mspx
>>http://www.computerworld.com/s/article/9179299/Microsoft_confirms_nasty_Windows_zero_day_bug?taxonomyId=17&pageNumber=1
>>
>>Example POC code:
>>
>>http://www.exploit-db.com/exploits/14403/
>>
>>I downloaded "suckme.rar" and renamed "suckme.lnk_" to "suckme.lnk"
>>on my Windows 98 system. The icon turned into a shortcut, but
>>nothing else happened.
>>
>>What should happen on a vulnerable system with this POC?
>>
>
> You didn't follow the directions given with the exploit POC.
>
> What does the POC author claim will happen?
> Is it really a POC or a Trojan?
> What does the dll.dll do?
> Did you disassemble the dll?
> Did the author provide source for the DLL?
> Is it benign or actually malicious?
> Why do you think a Win98 system would not be vulnerable?
> Do you have KD installed on your test system?
>
> If you cannot answer these questions correctly I suggest you leave
> it alone.
>

Hehe.. Virus Guy isn't a coder... So.. he's just waiting to get himself in trouble I guess.

--
There's no worse feeling than that millisecond you're sure you are going to die after leaning your chair back a little too far.
From: Dustin on 19 Jul 2010 18:24

"Bullwinkle" <BDTJ(a)loa.mo> wrote in news:4c449236$1(a)news.x-privat.org:

> Go away hacker!

Who are you to tell me to go anyplace? You top posting fuckwit.

--
Too cold to start a fire. I'm burning diesel burning dinosaur bones. I'll take the river down to still water and ride a pack of dogs! But I'm gonna break. I'm gonna break my... I'm gonna break my rusty cage and run.. Yea i'm gonna break.. I'm gonna break my... I'm gonna break my rusty cage... and run!
From: Bullwinkle on 21 Jul 2010 07:56

LOL I see you're now part of boaterdave's inner circle. Looks like you lied about reporting davey boy!

"Dustin" <bughunter.dustin(a)gmail.com> wrote in message news:Xns9DBABB7E73EAFHHI2948AJD832(a)69.16.185.250...

"Bullwinkle" <BDTJ(a)loa.mo> wrote in news:4c449236$1(a)news.x-privat.org:

> Go away hacker!
> Looks like you lied about reporting davey boy.

Who are you to tell me to go anyplace? You top posting fuckwit.

--
Too cold to start a fire. I'm burning diesel burning dinosaur bones. I'll take the river down to still water and ride a pack of dogs! But I'm gonna break. I'm gonna break my... I'm gonna break my rusty cage and run.. Yea i'm gonna break.. I'm gonna break my... I'm gonna break my rusty cage... and run!