I need Test Scripts

Discussion in 'other security issues & news' started by EASTER, Nov 15, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Hi again folks:

    Google is finally cracking down hard on malicious sites like i never seen them do before. :thumb:

    But i'm researching script exploits that either disrupt or drop other files and was wondering if anyone knows a safe site that doesn't offer malware per say of course, but some VBScripts to better test my script defenses.

    Thanks EASTER
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, Easter,

    If you mean VBScripts that are embedded in a web page, then the defense is the browser--IE specifically--which interprets the script directly.

    To test for a Zero-day exploit (unpatched browser or OS) then the defense is something which will block the payload, which in most cases is a trojan executable. I had people test their defenses earlier this year by using a VBScript exploit for IE6, and posted the results here.

    http://www.urs2.net/rsj/computing/tests/remote

    If you want to test, I'll give you the URL to my website. It uses a non-malicious executable file which I was sure that no one had already installed (White Listed).

    If you are referring to stand-alone VBScript files, there are two ways they are executed,

    • by the user clicking on the file

    • by remote code execution
    In planning for a defense, one needs to ask,

    1) how would a malicious .vbs file come in to my computer, and,

    2) under what circumstances would I open such a file?

    The most common method of entry is by email -- the notorious love.vbs worm, for example. I sent you a while back the old finjan.vbs test file. You can send it to yourself via email. If you attempt to open it, the ScripTrap program I see in your signature will intercept the call to open.

    However, should you attempt to open the file from a command line, ScripTrap will not block.

    Another method of opening a .vbs file would be downloading from the internet. Depending on the browser configuration, it might open directly in the browser as a text file, and of course, do nothing.

    If it downloaded directly to the cache, it would require the user to open by one of the two methods above.

    Of course, as with the email exploit, the best defense is not to open unknown, untrusted .vbs files in any case.

    Remote code execution is another matter. The most common is by means of an AutoRun.inf file. By not blocking AutoRun, you can test your defenses as follows, with an AutoRun.inf file and the finjan.vbs test file on a USB drive.

    1) AutoRun.inf as follows:

    Code:
    [AutoRun]
    Open=finjan.vbs
    
    Your ScripTrap program will intercept the call to open.


    2) AutoRun.inf file as follows:

    Code:
    [AutoRun]
    open=wscript.exe finjan.vbs
    
    Here, ScripTrap will not intercept. A different means of defense is required.

    ______________________________________________________________________________​

    Those are the most common scenarios. You might think of other ways a user might be victimized by a .vbs file.

    I don't know of any sites that test for VBScripts but it is easy to make up your own tests!

    ----
    rich
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Thanks Rich

    With the onset and popularity of IE fading into the sunset, script test viruses/exploits are near a thing of the past.

    Thank goodnesss you still keep a little something to research with as regards scripting and IE given the overwhelming support and transition of most of today's users over to alternative browsers and such.

    Thanks Again
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Remember, you are speaking of VBScripts.

    There are scripts that affect the other browsers, and XSS affects all browsers. Example of javascript:

    New SQL Injection Attacks and New Malware
    http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080507
    (links no longer work)

    ----
    rich
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Thanks Rmus

    Contrary to popular belief there is still plenty of global service of IE and thats prime material for makers of such exploits to interrupt either their businesses or all the home PC's as well as countless laptops
     
Loading...
Thread Status:
Not open for further replies.