One problem with your scenario: any person sophisticated enough to know what nmap is (much less use it) is going to be just a little suspicious about running nmap on some random "data file" that you send them.
--Rohit Patnaik On Wed, Sep 8, 2010 at 8:29 PM, <paul.sz...@sydney.edu.au> wrote: > jf <j...@ownco.net> wrote: > > > ... my understanding of the issue was not the default library search > > path, but rather that people are using SearchPath() or similar to locate > > DLLs which they then pass to LoadLibrary() ... > > And, people loading DLLs they do not need, for OS version detection. > (Maybe others?) > > > ... I can't see anyone opening a URL with nmap itself ... > > An "exploit scenario" for nmap: send a ZIP (or somesuch) archive to > the victim, containing a data file and a "hidden" DLL, with message: > Hey, these seem infected with conficker, check with nmap > and the victim using "nmap -iL datafile" from current dir. > > Cheers, Paul > > Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ > School of Mathematics and Statistics University of Sydney Australia > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
