-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

Myself and Eric Stevens today worked on an idea that allowed this vulnerability to be executed reliably in default installations on the following operating systems.

[Tested]

Windows NT v4 Terminal Server (SP3)
Windows 98

[Background]

Url to original Exploit: http://www.nat.bg/~joro/scrtlb.html

Russ Cooper (of NT Bug Traq) brought up the problem that the default path entered into the exploit would only allow reliable exploitation under Windows 9x. After an exchange of mails over the course of Thursday with Eric, using one of Russ's theories to use the %windir% and the %username% variables to exploit user-specific paths, it was shown this was not possible (due to the lack of functionality under JScript).

[What has changed]

It was found that the default working directory of the src Active X control is the Windows Desktop of the current user. So to exploit this the following line of code would need to be changed:

scr.Path="c:..\\Start Menu\\Programs\\StartUp\\thisisnew.hta";

This should allow the reliable exploitation.

[Credits]

Greg (Original Exploit)
Russ Cooper (Raising the issues under WindowsNT)
Eric Stevens (for putting up with my ranting all day and testing his/my own theories on this subject)

rgds

Ollie

<%
Ollie Whitehouse
I.T Co-Ordinator - Delphis Consulting
VOX : +44 (0)207 916 0200 (Switchboard)
FAX : +44 (0)207 916 1620 (Main)
FAX : +44 (0)870 0881837 (FAX - E-Mail)
PGP : http://www.ombs.demon.co.uk/pgp.txt
Tag : Who needs Windows2000 when you have OS/2?
%>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i

iQA/AwUBN8ZIbiCxMriiZXHfEQLfswCgtsutOGNTMkv3MPRL6PIrghf1U6gAnRhB
aY6rOHuh4wBO1N+cdfGqQl/Y
=v062
-----END PGP SIGNATURE-----