If it's a trusted .vbs then how would you drop a .dll in the same directory?
If you have write permissions it's easier to just modify the .vbs.

You might as well claim the added value is to backdoor a .vbs file
surreptitiously so it doesn't show when inspecting the source code. But it
doesn't add that much, really, since a new and mysterious .dll file would
also draw the attention, so it's probably easier to hide malicious intent
into the source code by obfuscating it.

On Fri, Sep 2, 2011 at 11:53 PM, Nahuel Grisolia <nah...@bonsai-sec.com> wrote:

> List,
>
> On 09/02/2011 06:45 PM, root wrote:
> > You don't get the worst part: unsuccessful exploitation also leads to
> > code execution.
> > Scary stuff.
> >
> > On 09/02/2011 05:05 PM, Mario Vilas wrote:
> >> Are you guys seriously reporting that double clicking on a malicious
> >> .vbs file could lead to remote code execution? :P
> >>
> >> Either I'm missing something (and I'd welcome a rebuttal here!) or you
> >> might as well add .exe to that list. All those extensions are already
> >> executable.
>
> I think that they're talking about that executing a trusted vbs could
> lead to the execution of malicious code.
>
> :S
>
> regards,
> --
> Nahuel Grisolia - C|EH
> Information Security Consultant
> Bonsai Information Security Project Leader
> http://www.bonsai-sec.com/
> (+54-11) 4777-3107
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”