View Full Version : Want some online Browser Testing?
sowhat
January 15th, 2006, 03:42 AM
Just found it...
very extensive in online Proof of Concepts:
http://umbrella.name/computer/originalvuln/
Check also:
http://umbrella.name/computer/0daymon/
In a sidenote, if you download and extract the PoC in this last page,
don't start complaining about your anti-virus screaming continuously,
that's what it is supposed to. If not, you better replace it...
(Edit: Maybe this post should be moved in the "Other Security Issues" forum?)
StevieO
January 15th, 2006, 01:54 PM
This caught my eye today, from a link that member sowhat posted here
http://www.wilderssecurity.com/showthread.php?t=115880
He asks if the thread should be moved to Other Security Issues, but maybe privacy & other anti-malware software might be more suitable?
I tried the example below in Usage. I pasted this ( mms://google.com/ ) no quotes, into IE and MS Media Player launched with ZA asking for permission out. mms = Multimedia System. What occurred to me is that malware or some dodgy link somewhere could use this principle to run other things too. Whether or not some people would always notice depends, I suppose, on their security setup etc., and also what was attempting to be run!
Try it yourself with maybe a different prefix other than mms, and see what you can get to run. By the way, it doesn't need to be Google in there; I tried others and they worked also.
. . .
WinBlox Intro
{QUOTE-> Usage
Here is one classic example:
If you input "mms://google.com/" in the latest build of win32 Mozilla, you will see a dialog like this:
An external application must be launched to handle mms: links. requested link:
mms://google.com/
If you were not expecting this request it may be an attempt to exploit a weakness in that other program. Cancel this request unless you are sure it is not malicious.
[Launch application] [Cancel]
It's some kind of mechanism preventing external programs from being executed - pretty simple and valuable. With the help of WinBlox, you can have the same type of mechanism in IE in a matter of seconds - just add the following line in the configuration file named WBLIST.TXT:
Internet application is about to launch external program in a non-RPC way. $record.confirm.^.*@execute_program:.*\\(iexplore\.exe|mozilla\.exe) > .* ==> .*
And run CONSOLE.EXE, then it's done. You don't need admin privilege to do this. And there is absolutely no change made to your system registry, and no file other than one log file within WinBlox directory will be written (of course this means CONSOLE.EXE needs to be executed again after logoff or reboot). Now, input "mms://google.com/" in IE, and you will see a dialog like this:
WinBlox has detected an operation that requires your confirmation. Press NO to cancel it.
Internet application is about to launch external program in a non-RPC way.
__________
c:\program files\internet explorer\iexplore.exe > "c:\program files\internet explorer\iexplore.exe"
__________
User Account: user
Request Type: execute_program
Parameters: c:\program files\windows media player\wmplayer.exe --> "c:\program files\windows media player\wmplayer.exe" "mms://google.com/"
[YES] [NO]
Press "NO" and Windows Media Player will not be executed. <-QUOTE}
http://umbrella.name/computer/winblox/readme/
{QUOTE-> WinBlox
User-mode WINAPI-level and open-source tool for controlling the behavior of applications running on Windows workstations.
You know the problem of today's anti-virus/malware/rootkit/penetration companies? They make unbelievable, extremely complicated and misdirecting s**t. They advertise their products as if they are selling cigarette - providing information useless enough to make researchers sick.
What I expect is not some magic solution solving all types of attacks (because such solution does not exist). I need tools that do one thing and do it well. So WinBlox is born. WinBlox is user-mode WINAPI-level and open-source tool for controlling the behavior of applications running on Windows workstations.
WinBlox is an ideal tool for hardening the security of Windows systems:
Simple: Based on mature results (PCRE and DETOURS), WinBlox source code is very small. And source code is so clear and short that you can review all in less than 2 hours.
Predictable: Great simplicity means no surprise.
Secure: Simplicity and open-source gives you secure software.
Flexible: Normal users will find great flexibility from regular expression, and developers will be able to easily change the behavior of WinBlox because of simplicity, structured design, document, and meaningful names.
Clean: no change to system registry; no file other than one log file within WinBlox directory will be written; don't need admin privilege. <-QUOTE}
http://umbrella.name/computer/winblox/
{QUOTE-> WHY NEED IT
WinBlox is designed to protect mission-critical WINNT systems. So it must be built in a dependable environment which is:
ISOLATED: no network connection
CLEAN: no malicious software
IF YOU ALREADY HAVE ...
Visual C 6.0 or higher
Windows 2000 or higher
Then you are able to build MSVC-based applications, and there is no need to download any more.
SET IT UP
We can set up such a dependable environment without paying one single dollar: <-QUOTE}
http://umbrella.name/computer/winblox/free_microsoft_visual_c_building_environment/
. . .
I haven't tried any of the above, except the mms test, so can't vouch for it. If anybody has or does, then please let us know how it performs.
StevieO
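Added example (not part of the thread and not WinBlox code): the condition the quoted WinBlox rule asks the user to confirm, a browser process launching an external program to handle a URL scheme such as mms://, written as a check over process-creation records. The record field names, the Mozilla install path and the sample events are constructed for illustration; the parent-image pattern is adapted from the regular expression in the quoted rule.

```python
import re

# Parent-image pattern adapted from the quoted WinBlox rule (anchored, case-insensitive).
BROWSER = re.compile(r".*\\(iexplore\.exe|mozilla\.exe)$", re.IGNORECASE)
# URL-scheme argument such as "mms://google.com/" on the child's command line.
SCHEME_ARG = re.compile(r"\b([a-z][a-z0-9+.\-]*)://", re.IGNORECASE)

IE = r"c:\program files\internet explorer\iexplore.exe"
MOZ = r"c:\program files\mozilla.org\mozilla\mozilla.exe"  # constructed path
WMP = r"c:\program files\windows media player\wmplayer.exe"

# Constructed sample records; field names are assumptions, not a WinBlox log format.
SAMPLE_EVENTS = [
    {"parent": IE, "child": WMP, "cmdline": f'"{WMP}" "mms://google.com/"'},
    {"parent": IE, "child": IE, "cmdline": f'"{IE}" "http://example.com/"'},
    {"parent": r"c:\windows\explorer.exe", "child": WMP,
     "cmdline": f'"{WMP}" "c:\\music\\song.wma"'},
    {"parent": MOZ, "child": WMP, "cmdline": f'"{WMP}" "mms://example.com/stream"'},
    {"parent": IE, "child": r"c:\windows\notepad.exe",
     "cmdline": r'"c:\windows\notepad.exe" c:\temp\page.txt'},
]


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def external_handler_launches(events):
    """Return (browser, handler, scheme) for each browser-spawned external
    program whose command line carries a URL-scheme argument."""
    hits = []
    for ev in events:
        if not BROWSER.match(ev["parent"]):
            continue  # not started by a browser
        if BROWSER.match(ev["child"]):
            continue  # browser opening another browser window
        m = SCHEME_ARG.search(ev["cmdline"])
        if m:
            hits.append((image_name(ev["parent"]), image_name(ev["child"]),
                         m.group(1).lower()))
    return hits


if __name__ == "__main__":
    for browser, handler, scheme in external_handler_launches(SAMPLE_EVENTS):
        print(f"{browser} launched {handler} for {scheme}:// link")
```
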
Tassie_Devils
January 15th, 2006, 07:25 PM
well I saw the links from sowhat last night, went to site, **tried** to dl the zips, KAV alerted me, refused to budge on the zips, that was good enough for me, I did not proceed any further, so obviously the fact I got alerts tells me there is trouble in paradise. :ouch:
Here is one of the alerts. Several different problems, first zip was 'HTML Drap Drop' infection...
TAS
sukarof
January 15th, 2006, 08:04 PM
When I try to download the zips with Firefox, I get this message: "Dir.zip.part could not be saved, because the source file could not be read. Try again later or contact the server administrator" Two files do get downloaded to my hard drive. The first is named "dir.zip" and is 0 bytes and the other is named "dir.zip.part", with different sizes depending on which zip I try to download.
When I download with IE, NOD32 stops the access to the file, complaining it is a trojan, and nothing gets downloaded.
I guess these are IE based malware? Or has it done something behind my back with Firefox? If so, it passed Ghost security suite.
StevieO
January 15th, 2006, 09:14 PM
Ok i see we're all in here after all, but it's been moved to OSS which is good, so thanks for doing that !
I also had concerns about the other exploit tests, apart from the MSS one i tried. The thread starter ( sowhat ) did post this warning though.
"In a sidenote,if you download and extract the PoC in this last page, don't start complaining about your anti-virus screaming continuously, that's what it is supposed to. If not, you better replace it..."
Since i last posted i noticed a few of you had attempted to DL the test files, but understandably had problems due to your AV etc. So i scanned all the available tests at jottis.
Mismatched Content-Type launches HTA.zip
Msits Mhtml Redirection.zip
Msits Mhtml Redirection.zip
Media Bar Injection and Stream.zip
HHCTRL Injection II.zip
Drop to STARTUP Folder.zip
Drop to STARTUP Folder II.zip
http://img40.imageshack.us/img40/4900/umjottis15xf.png (http://imageshack.us)
But we have been pre-warned by the OP that this could happen as they are exploit tests. I tried a few, but as expected they didn't work, as they are for a different OS to mine.
My main interest though, which i felt some of you might like to have a deeper look at, was WinBlox. This is a Free tool for hardening the security of Windows systems. I can't try it myself for the same OS reasons as above. I wonder if it's similar in some way to Samuri etc ?
StevieO
sowhat
January 16th, 2006, 04:24 PM
Sorry for not having replied earlier, but I just...
didn't expect so much interest in this post!
Actually, I was searching in SourceForge site for SQL injection testing utils,
when I saw this: http://genxe.sourceforge.net ,
a proof-of-concept application for generating basic html-based exploits:
that's where I found the "umbrella.name" site.
It caught my attention not because the exploits are ready to run,
without the need to search for required libraries, compile etc.,
but because almost all of them are browser-based, and, as their authors say,
a lot of them are actually supposed to have been resolved by Microsoft's updates...
I just thought I should post it in here,
so that simple daily users stop having illusions about updated Internet Explorer versions,
or Mozilla-based browsers...
I think there's a lot of people who believe that by simply switching to Firefox,
they pretty much solved their problems...
if you ask me, the Mozilla Foundation did a very good advertisement on this last year,
but this is just not the case... furthermore, in the latest months we've pretty much seen that in action...
Rasheed187
January 24th, 2006, 04:08 PM
The problem with this site is that it doesn't give any good info on what an exploit can exactly achieve and if the exploit worked or not. But I think with a hardened IE none of the exploits should work. :)
lotuseclat79
January 25th, 2006, 09:37 AM
{QUOTE-> Just found it...
very extensive in online Proof of Concepts:
http://umbrella.name/computer/originalvuln/
Check also:
http://umbrella.name/computer/0daymon/
In a sidenote, if you download and extract the PoC in this last page,
don't start complaining about your anti-virus screaming continuously,
that's what it is supposed to. If not, you better replace it...
(Edit: Maybe this post should be moved in the "Other Security Issues" forum?) <-QUOTE}
Hi All,
I have found the following website to be quite interesting about testing browsers if you want to know what can be found out from your browser online: Browser Spy: http://gemal.dk/browserspy/
Online tests only, i.e. no downloads.
-- Tom