IEXPLORE.EXE file version 6.0.2900.2180
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP Home SP2
The example shows the picture of a garden which includes a carrot. Dragging the carrot to the bottom frame in the browser (set up to be the outside of the garden) will copy a file to the PCHealth directory in C:\windows, which will then be launched, creating another file in the same directory called Greyhats.hta, which must be launched manually. The directory could easily be changed to shell:startup; however, this is not necessary for this example. This is the same payload as given in NoCeegar on malware.com because my server doesn't have the capabilities to host the payload file like malware.com does :).
Also in http://www.securityfocus.com/archive/1/382513
Microsoft WINS Memory Overwrite Lets Remote Users Execute Arbitrary Code
A vulnerability was reported in Microsoft Windows in 'wins.exe'. A remote user can execute arbitrary code on the target system.
Nicolas Waisman from Immunity reported that a remote user can send a specially crafted WINS packet to the target server on TCP port 42 to modify a memory pointer and write arbitrary contents to arbitrary memory locations. A remote user can execute arbitrary code on the target system.
The original advisory is available at:
Impact: A remote user can execute arbitrary code on the target system.
Solution: No solution was available at the time of this entry.
Underlying OS: Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000), Windows (2003), Windows (XP)
OS Comments: Tested on Windows 2000 SP2, SP3, SP4
Reported By: Nicolas Waisman