Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: [Full-Disclosure] RE: Full-disclosure digest, Vol 1 #1955 - 19 msgs
From: GuidoZ <uberguidoz () gmail com>
Date: Fri, 8 Oct 2004 01:22:50 -0500

Didn't mean to have you apologize, it did it's job. It showed
That I was not vulnerable. I just found it interesting that my
AV called it something that could not be found through search.

No worries Randall. =) I really should of warned about the possible AV
warnings, as some might not understand what;s actually going on. (I've
gotten a few emails like "Ha! My antivirus stopped your ploy to infect
me".) =P I can't explain it much better then I have.

I figured that most people on this list would understand what was
REALLY happening, but I should plan for as many scenarios as possible.
This includes those that wouldn't understand what the virus warnings
mean. Thanks for your clarification though Randall. Appreciate it. ;)

--
Peace. ~G


On Thu, 7 Oct 2004 06:02:02 -0500, RandallM <randallm () fidmail com> wrote:
GuidoZ
Didn't mean to have you apologize, it did it's job. It showed
That I was not vulnerable. I just found it interesting that my
AV called it something that could not be found through search.

thank you
Randall M

<|>-----Original Message-----
<|>From: GuidoZ [mailto:uberguidoz () gmail com]
<|>Sent: Thursday, October 07, 2004 1:16 AM
<|>To: RandallM
<|>Cc: full-disclosure () lists netsys com
<|>Subject: Re: [Full-Disclosure] RE: Full-disclosure digest,
<|>Vol 1 #1955 - 19 msgs
<|>
<|>It might be detected as Trojan.Moo or any other variant of


<|>the JPEG exploit. As I said, it attempts to exploit the
<|>system to see if it's vulnerable, using an "infected" JPG.
<|>The file I provided is simply a SFX with a batch file and
<|>the "infecte" JPG (named exploit.bak). No attempt has been
<|>made at all to mask what's inside.
<|>
<|>I figured those that would want to use it would either not
<|>worry about the virus warnings, or not get them at all and
<|>REALLY need the fix it helps provide. =) Email me at the
<|>address provided in my original email (exploit _AT_ guidoz
<|>_DOT_ com) and I'll provide a link to the batch files and
<|>such so you may modify them as you wish.
<|>
<|>Sorry for any confusion with the AV. I should of warned
<|>about that in the original email. (Others have written me
<|>asking the same question.) I only provided it to possibly
<|>help others who have lots of friends asking them for help to
<|>patch their systems. This simply sees if they are
<|>vulnerable, then leads them through the steps to patch the
<|>system if they are. (You may have to tell them to ignore AV
<|>warnings, or disable the AV scanner. Again, I urge you to
<|>test this on a NON-PRODUCTION machine first. See what it
<|>contains, read the batch files, see what it downloads, etc.)
<|>
<|>Please feel free to ask me any questions. Hope it helps someone else.
<|>
<|>--
<|>Peace. ~G
<|>
<|>
<|>On Wed, 6 Oct 2004 20:59:28 -0500, RandallM
<|><randallm () fidmail com> wrote:
<|>>
<|>> <|>--__--__--
<|>> <|>
<|>> <|>Message: 14
<|>> <|>Date: Wed, 6 Oct 2004 15:53:32 -0700
<|>> <|>From: GuidoZ <uberguidoz () gmail com>
<|>> <|>Reply-To: GuidoZ <uberguidoz () gmail com>
<|>> <|>To: full-disclosure () lists netsys com
<|>> <|>Subject: [Full-disclosure] Quick JPEG/GDI test & fix
<|>(timesaver)
<|>> <|> <|>Hello list, <|> <|>I wrote a very simple program/batch file
<|>> that tests for the JPEG <|>exploit, then if affected, provides
<|>> instructions on how to patch the <|>exploit. It has been
<|>tested on my
<|>> own lil happy lab network, as well <|>as one one network
<|>where I'm a
<|>> sysadmin. (Tested on Windows XP Home <|>and Pro, SP1a and
<|>SP2.) <|>
<|>> <|>It DOES test for the exploit by attempting to use an
<|>"infected" JPG
<|>> <|>which downloads the instructions for fixing it, if
<|>exploited. By
<|>> <|>viewing the strings in the JPG, you can see the file it
<|>downloads
<|>> and <|>check it out for yourself. It's clean. =) Just
<|>contains a batch
<|>> file <|>and a program to launch the batch file. (The file
<|>that gets
<|>> <|>downloaded <|>is a simple SFX.) Links are below. It contains a
<|>> warning saying it's <|>about to try to exploit the system
<|>and to save
<|>> data in open programs.
<|>> <|>(It also warns that Explorer may crash.) <|> <|>I wrote
<|>this merely
<|>> to save myself time and allow friends/family to <|>test their own
<|>> systems, then patch them without having to call me for
<|><|>help. It's
<|>> not been tested in every environment and in every <|>scenario.
<|>> <|>If you find a problem, feel free to email me (exploit
<|>_AT_ guidoz
<|>> <|>_DOT_ com) Obviously I'm not responsible if it's abused
<|><|>somehow,
<|>> or if <|>it breaks something, etc. Feel free to modify it
<|>to suit your
<|>> own <|>needs, but use it at your own risk.
<|>> <|>
<|>> <|>Test can be downloaded from here:
<|>> <|>http://www.guidoz.com/exploit-test.exe
<|>> <|>
<|>> <|>Again, it's just an SFX archive with a batch file. Hopefully it
<|>> will <|>save someone else some time. I've used it to have
<|>> friends/family (and <|>a few clients) patch a total of
<|>around 30 machines without problems.
<|>> <|>
<|>> <|>--
<|>> <|>Peace. ~G
<|>> <|>
<|>> <|>
<|>> <|>--__--__--
<|>> <|>
<|>> <|>End of Full-Disclosure Digest
<|>> <|>
<|>>
<|>> Well, guess I'm safe. McAfee saw it as
<|>"Exploit-MntRedir.gen" and said...NO!
<|>> I googled it and it found nothing though. Thought it would atleast
<|>> lead me to McAfee. McAfee search said:
<|>>
<|>> "We found no records matching the following criteria:
<|>> Virus name containing "MntRedir.gen".
<|>> Please try narrowing your search by using fewer characters".
<|>>
<|>> What gives?
<|>>
<|>> thank you
<|>> Randall M
<|>>
<|>> _______________________________________________
<|>> Full-Disclosure - We believe in it.
<|>> Charter: http://lists.netsys.com/full-disclosure-charter.html
<|>>
<|>



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault