-
Crazy XP Sploit
This is scary as ****. If you are using Windows XP, check this out. Go to your C:\ drive and place a text file in C:\ called test.txt [make sure lowercase]. Close out of everything and then click on this link. It is going to bring up Help and Support. Once it comes up, wait a couple of seconds and then close or minimise it and then go back to your C:\ drive... test.txt is now gone.
This is the scary part; this is what was used to delete test.txt:
hcp://system/DFS/uplddrvinfo.htm?file://c:\test.txt if you do this though
I'm not going to post the whole thing, because if this turns it into a link and someone clicks on it they will lose everything in C:\Windows, but if you change the c:\test.txt to c:\windows\*, bye bye everything in C:\windows. Point is, you might want to right-click and click Properties just to see where the link you are clicking on goes if you are using WinXP.
Crazy as ****, isn't it?
Thanks to bugtraq for this
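One way to automate the "see where the link goes" check from the post above, as an added example that is not part of the original post: a Python scanner that flags `hcp:` targets in the markup of a page or mail body, including entity- or percent-encoded forms. The attribute list, labels and sample markup are constructed for illustration, and `EXAMPLE.htm` is a placeholder name.

```python
import re
from html import unescape
from html.parser import HTMLParser
from urllib.parse import unquote

URL_ATTRS = {"href", "src", "action", "data", "background"}  # assumed coverage

def classify(raw):
    """Return None for ordinary URLs, else a label for an hcp: (Help Center) target."""
    # Undo cheap disguises first: HTML entities, then whitespace/control characters.
    url = re.sub(r"[\x00-\x20]+", "", unescape(raw))
    scheme, _, rest = url.partition(":")
    if scheme.lower() != "hcp":
        return None
    rest = unquote(rest).lower()  # %XX escapes in path and query
    if "uplddrvinfo.htm" in rest and "file:" in rest:
        return "hcp-file-delete"  # the URL shape quoted in the post
    return "hcp-other"

class HcpLinkFinder(HTMLParser):
    """Collect (tag, label) for every hcp: target in URL-bearing attributes."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if tag == "meta" and name == "content":  # <meta http-equiv="refresh">
                m = re.search(r"url\s*=\s*(.+)", value or "", re.I)
                value = m.group(1) if m else ""
            elif name not in URL_ATTRS:
                continue
            label = classify(value or "")
            if label:
                self.findings.append((tag, label))

def scan(html_text):
    finder = HcpLinkFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample input (test.txt target as in the post; EXAMPLE.htm is a placeholder).
SAMPLE = r"""<a href="http://example.com/news">news</a>
<a href="hcp://system/DFS/uplddrvinfo.htm?file://c:\test.txt">click</a>
<a href="&#72;CP://system/DFS/upld%64rvinfo.htm?file://c:\test.txt">help</a>
<iframe src=" hcp://system/EXAMPLE.htm"></iframe>
<meta http-equiv="refresh" content="0; url=hcp://system/DFS/uplddrvinfo.htm?file://c:\test.txt">
<p>Plain text that mentions hcp://system/ is not a link.</p>"""
```

Calling `scan(SAMPLE)` returns one `(tag, label)` pair per flagged element; the plain-text mention and the ordinary http link are not reported.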
-
Thanks
Thanks for the warning... I use XP and I am glad that I know about this.
-
That's the craziest thing I've ever seen. Congratulations to windows for making the biggest piles of **** computers have ever been able to use. Oh, and excellent find Euclid.
-
Yeah, I screwed it up at first. The link is now working, or you can just copy and paste the written-out URL and paste it in IE or Run.
-
Holy ****, I thought con\con was a pain in the butte! This makes a BSoD look innocent. Thanks for the heads up on that one.
-
No problem. Just checked my antis, and thanks for balancing me out when I posted about that base64 decoded text that I was wondering what it was.
Dammit, I just thought about it. I just opened the door for all the kiddies on this site with webpages.
Do you think I should delete this post? Well, they all probably are subscribed to bugtraq anyways. I don't know. Whatever.
-
No prob, there was nothing wrong with what you posted and I got a lot out of researching the code, thanks again.
If it's on bugtraq, those who would use it have it already and the people here need to be made aware of it... you did good.
-
This is really the last thing I wanted to see today... Darn...
*Kwiep takes the DOS boot floppy he found under his bed.
format c: d: e: f:
*Kwiep pops in the Red Hat install CDs
Just when I was thinking MS made something that at least didn't have any address/link errors.
Thanks for saying this, Euclid..
These kinds of bugs I really hate. Now you have to check on every untrusty site if the link isn't something malicious, even without all the cross site scripting madness and cookie stealing ****.
Well, let's wait till MS makes some patch again then.
-
Yeah, the shitty part is that they aren't going to patch it until SP1. If you read the whole post, it is a very good read and has some suggestions on how to stop it.
This is what does it: The file (32,463 bytes);
%windir%\PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm contains the fraction of script
var oFSO = new ActiveXObject ( "Scripting.FileSystemObject" );
try
{
oFSO.DeleteFile( sFile );
}
Anyways, check the whole article here: http://online.securityfocus.com/arch...3/2002-08-19/0
-
Thanks for the heads up man. All my friends use XP and some network computers do as well. Thanks! :)
-
Thanx Euclid,
A very useful warning.
Hi Euclid.
I had a scary problem which made me reinstall XP. It's a **** really. The thing is... at the login screen which asks for the password, my keyboard and mouse got stuck. That's the end. I need to restart. Again the story repeats... At last I reinstalled XP.
Do you have any idea about the reason?
-
Omg, I just deleted my ****in Windows. Thanks man. I've been trying to do that a long time. The PC won't allow me to format and change to WinME.
-
I don't know for sure, but it sounds to me like something happened to your ntoskrnl file. Do you have it set up for a custom boot screen or a custom username / password screen?
-
Does this "feature" work in other operating systems or only in XP? I guess Gates and company missed this one as part of their "secure computer code" effort...
-
The more I play with this, the more scared I get. Some kiddie can turn this into a VERY nasty massmailer or trojan. This will have a bad end. I've been experimenting, and I'm not going to post some of the OTHER things you can do with this, as it will help the simple-minded kiddies into what they will do sooner or later anyway, but I know I can take out remote machines with it....
-
Yikes! That's really scary. Someone could trick someone into doing that on their Windows directory and oops, there goes their PC.
-
Thanks Euclid!
Now I am glad I never got XP.
3800 Rand is a lot of money to pay for a wannabe O/S ;)
Regards
Mike
-
Quote:
Originally posted here by bowlfreak
Does this "feature" work in other operating systems or only in XP? I guess Gates and company missed this one as part of their "secure computer code" effort...
This doesn't appear to work in 2k (thankfully!)... good post, Euclid...
-
Doesn't work on 98SE (unpatched) using Mozilla.
Suddenly I don't feel like upgrading to XP
-
Great post Euclid, this is the kind of stuff I come here for.
I tried this out on a few browsers on my machine and these are the results.
IE 6 >> Yeah the file is gone, the help support came up about new hardware
Mozilla 1.0 >> Yeah the file is gone, the help support came up about new hardware
Netscape 6.2 >> No the file is still there, help support did come up but with an error "The page you are trying to view has an incorrect address and cannot be displayed. Please try another page"
Opera 6.04 >> No the file is still there, Opera catches it and says "The address type is unkown or unsupported"
Can anyone confirm any of this?
-
nice find, thanks for this warning
-
Sweet, thanx. Once again, M$ has shown off their shitty coding to the world..... This could have a REALLY bad impact on security; all you'll have to do is change it into hash and send it to some dope, *pooof* there goes your comp....
- Noia
-
Well, if the PC is used interactively, it does have an effect... but if the PC is used as just a server, strange I know (but I've seen it), there isn't a problem.... I mean, while this could cause problems, you've got to go to a site which is hosting the malicious link for this to be of even the slightest effect... unless you could trick the PC to think you are the MS troubleshooting site.... but no PC that you really 'want' to get into would be running on XP... so, if you're a lil kiddy, this could be useful, but otherwise, this is just a standard modification of a script that a system uses.....
Disclaimer... Please refer to previous disclaimers.. I drunk, so I could be talking rubbish.. or I couldn't... or rioter could be a big whore bag...
-
Thanx..... my heart stopped for a second when I tried the link out..... very good news.....
-
You also forget that certain e-mail programs allow the ability to put in scripts to make a window pop up (with the link to delete your Windows).
-
Hmmm, almost like doing deltree or del from anywhere in the world or locally, and not even having to do anything but put a link to it somewhere.
Another reason to use any browser other than Internet Explorer (I tried it with Opera and it didn't work).
/me removes anything to do with IE so I won't 'accidentally' run it
-
Actually, it works with certain versions of Mozilla as well, it's not just IE... it has to do with Windows trying to add a help center like that, but for some reason, god only knows why, it deletes files...
Oh well, I wanted to buy the Acer TravelMate100 TabletPC with WindowsXP Tablet PC Version, but I guess I'm not going to until this bug is fixed.... I'm staying with Linux for a little bit now.
-
TOTALLY OFF TOPIC
Quote:
Originally posted here by Noia
Sweet, ............change it into hash and .........some dope, *pooof* there goes - Noia
LOL, sorry, I had to point that out....
-
Thanks for the heads up.... I use XP Pro at home, mainly for training purposes, but I also game on it and surf the web..... my real PC has RH 7.1 on it :) /me decides to tread lightly on pages I don't know :)
-
With absolutely no skills I could make something that could do that. Damn.
-
ragmyn
Windows XP did the same to me when I installed a new GeForce 2 video card. I ended up going with a different card.
Cheers,
m!thr!l
-
I have not tried this little test yet, but will it still happen if I have disabled the help and support service?
I disable more services in XP - seems to run better =)
-
Very great post ! Tks for this one, now I'll wait before deploying XP in my network !
-
When I tried to disable the Help and Support service and ran this using the above test example, it just started the service again (maybe I screwed up, I don't know). What my solution was for this was to do a search for uplddrvinfo.htm and then open it. Say no to running the ActiveX and then view source. Then do a search for var oFSO = new ActiveXObject ( "Scripting.FileSystemObject" ); and it will bring you to the line that says:
var oFSO = new ActiveXObject ( "Scripting.FileSystemObject" );
try
{
oFSO.DeleteFile( sFile );
}
I just removed: try
{
oFSO.DeleteFile( sFile );
}
and then saved it (don't close it yet, just minimise) and then refreshed the page. When you do this, if you get the script error icon at the lower left hand, just maximise the source again and remove the } or { (I forget which one) right below what you deleted and save and refresh again. The error should be gone and you will no longer be affected by this. I don't have the information in front of me, but these are the steps that I did. If you want, right when deleting that line go ahead and delete the other { or } that I said to do in the next step, because I am almost positive it has to be deleted or it will cause that script error. And as far as I can tell, even if there is the script error it does no harm. Help and Support will now still work, and if you have the direct link that you want it to open (IE hcp:// bla bla bla) it will still work, and if anyone tries this exploit against you the Hardware Config help message will still come up but you can close it without any worries (if you want to verify this after you made the change to the script, just come back to this post, make the test.txt file on the C drive, click the link and close the window. Go back to C and test.txt will still be there). Problem solved!