Crazy XP Sploit

**Euclid** · August 16th, 2002, 01:24 AM

This is scarry as ****. If you are using Windows XP check this out. Go to your C:\ drive and place a text file in C:\ called test.txt [make sure lowercase]. Close out of everything and then click on this link It is going to bring up help and support. Once it comes up wait a couple of seconds and then close or minimise it and then go back to your C:\ drive... test.txt is now gone.

This is the scarry part this is what was used to delete test.txt
hcp://system/DFS/uplddrvinfo.htm?file://c:\test.txt if you do this though
Im not going to post the whole thing because if this turns it to a link and someone clicks on it they will loose everything in C:\Windows but if you change the c:\test.txt to c:\windows\* Bye Bye everything in C:\windows. Point is you might want to right click and click properties just to see where the link you are clicking on goes to if you are using WinXp.

Crazy as **** isnt it.

Thanks to bugtraq for this

**Black-Mage21** · August 16th, 2002, 01:28 AM

Thanks for the warning...I use XP and i am glad that i know about this.

**imaginedsanity** · August 16th, 2002, 01:30 AM

That's the craziest thing I've ever seen. Congratulations to windows for making the biggest piles of **** computers have ever been able to use. Oh, and excellent find Euclid.

**Euclid** · August 16th, 2002, 01:30 AM

yea i screwed it up at first. The link is now working or you can just copy and paste the written out url and paste it in IE or Run

***Tedob1*** · August 16th, 2002, 01:40 AM

holy ****, i thought con\con was a pain in the butte! this makes a BSoD look innocent. Thanks for the heads up on that one.

**Euclid** · August 16th, 2002, 01:42 AM

no problem. Just checked my antis and thanks for balincing me out when I posted about that base64 decoded text that i was wondering what it was.

Damit i just thought about it. I just opened the door for all the kiddies on this site with webpages.

do you think i should delete this post? Well they all probably are subscribed to bugtraq anyways I dont know. Whatever

***Tedob1*** · August 16th, 2002, 01:48 AM

no prob there was nothing wrong with what you posted and i got a lot out of reasearcing the code, thanks again.

if its on bugtraq those who would use it have it all ready and the people here need to be made aware of it....you did good

***neel*** · August 16th, 2002, 01:54 AM

This is really the last thing I wanted to see today... Darn...
*Kwiep takes the dos boot floppy he found under his bed.
format c: d: e: f:
*Kwiep pops in the redhat install cd's
Just when I was thinking MS made something what at least didn't have any adress/link errors.
Thanks for saying this Euclid..
This kind off bugs I really hate. Now you have to check on every untrusty site if the link isn't something malicious even without all the cross site scripting madness and cookie stealing ****.

Well let's wait till MS made some patch again then.

**Euclid** · August 16th, 2002, 01:59 AM

yea the shitty part is that they arent going to patch it untill SP1. If you read the whole post it is a very good read and has some suggestions how to stop.

This is what does it : The file (32,463 bytes);
%windir%\PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm contains the fraction of script

var oFSO = new ActiveXObject ( "Scripting.FileSystemObject" );
try
{
oFSO.DeleteFile( sFile );
}

Anyways check the whole article here : http://online.securityfocus.com/arch...3/2002-08-19/0

**JCHostingAdmin** · August 16th, 2002, 06:55 AM

Thanks for the heads up man. All my friends use XP and some network computers do as well. Thanks!

Thread: Crazy XP Sploit

Thread Tools

Display

Crazy XP Sploit

Thanks

Posting Permissions