Re: [Full-Disclosure] how do they do it???

From: S Menard (smenard_at_nbnet.nb.ca)
Date: 07/11/03

    To: <full-disclosure@lists.netsys.com>
    Date: Fri, 11 Jul 2003 07:42:54 -0300
    
    

    At least I got a DIALOG with a request to run a script marked safe for
    scripting. [note to self; dumb user; clicks aren't for kids]

    When I clicked the yes button, lo and behold,
    a brand new freaking cup holder emerged :-)
    I always thought it was a Nestle ice cream drumstick holder great for when
    I'm searching for a winning plasma TV wrapper :-) at least in Canada, EH!

    I am running Windows Media Player 9.00.00.9280
    Windows 2000 Pro 5.00.2195 SP3
    missing the following patches: 823559, 822679, 817606, 819639 aka wmp-fix, SP4
    I'll fix & re-test this weekend. More PCs to test as well as different
    winOSs

    {Actually, I had to click three accept dialogs since I <Prompt> or disallow
    malicious types of stuff [activeX, java], but may wish to use those
    functions after perusing the source.} Gotta stop them pop-ups somehow
    [free]

    smenard
    canadian who needs air conditioners in summer; not heaters in the winter

    ----- Original Message -----
    you said:
    >http://www.albinoblacksheep.com/text/cupholder.php
    >how do you think they do it in PHP?
    >

    It's easy.

    foo.html:
    <script src="cd.vbs" language="VBScript"></script>

    cd.vbs:
    <!--

    Set oWMP = CreateObject("WMPlayer.OCX.7" )
    Set colCDROMs = oWMP.cdromCollection

    If colCDROMs.Count >= 1 Then
        For i = 0 To colCDROMs.Count - 1
            colCDROMs.Item(i).Eject
        Next ' cdrom
    End If

    -->
    ----------
    > From: "Thor Larholm" <lists.netsys.com@jscript.dk>
    > http://www.albinoblacksheep.com/text/cupholder.php
    > how do you think they do it in PHP?

     Thank you for confirming that you have NOT installed the MS03-021 patch [1]
    for Windows Media Player, which among others removes the ability to eject CD
    drives using the WMP ActiveX control. I can now safely assume that you are
    vulnerable to several vulnerabilities.

     http://www.microsoft.com/technet/security/bulletin/ms03-021.asp
    AKA 819639
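
A defender-side check for the technique shown in the thread, as an added example that is not part of the original messages: it lists the ActiveX ProgIDs that a page's inline and external scripts instantiate and flags the WMPlayer.OCX control used by cd.vbs. The function names, the WATCHED list and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# ProgID prefixes to flag (assumed watch list); WMPlayer.OCX is the one in cd.vbs.
WATCHED = ("wmplayer.ocx",)
# VBScript CreateObject("...") and JScript new ActiveXObject("...")
PROGID_RE = re.compile(
    r"""(?:CreateObject|new\s+ActiveXObject)\s*\(\s*["']([^"']+)["']""", re.IGNORECASE)

def progids(script_text):
    """Return the ProgIDs instantiated by script text, in order of appearance."""
    return [m.group(1).strip() for m in PROGID_RE.finditer(script_text)]

class ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and external script references."""
    def __init__(self):
        super().__init__()
        self.inline, self.external, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def scan(html, fetched=None):
    """Return (origin, progid, status) tuples; `fetched` maps script src -> text."""
    fetched = fetched or {}
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    sources = [("inline", text) for text in collector.inline]
    sources += [(src, fetched.get(src)) for src in collector.external]
    findings = []
    for origin, text in sources:
        if text is None:  # external script was not supplied: report, do not guess
            findings.append((origin, None, "unresolved"))
            continue
        for pid in progids(text):
            status = "watched" if pid.lower().startswith(WATCHED) else "other"
            findings.append((origin, pid, status))
    return findings

# Constructed sample input modelled on the foo.html / cd.vbs pair in the thread.
PAGE = ('<html><script src="cd.vbs" language="VBScript"></script>'
        '<script>var d = new ActiveXObject("Scripting.Dictionary");</script>'
        '<script src="missing.js"></script></html>')
CD_VBS = 'Set oWMP = CreateObject("WMPlayer.OCX.7" )\nSet colCDROMs = oWMP.cdromCollection\n'
```

External scripts that cannot be retrieved are reported as unresolved rather than skipped, since the instantiation in this thread lives in the external file, not in the HTML.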
