# source: https://www.securityfocus.com/bid/548/info
#
# A vulnerability affects Microsoft's Jet 3.51 and 4.0 driver (MSJET35.DLL and MSJET40.DLL).
#
# This vulnerability could allow an attacker to create malicious '.xls' or '.doc' files incorporating VBA shell commands. When the file is opened, the shell commands contained in the file will execute on the target system. Command execution will occur in the context of the user that is opening the file.
#
# The file could be distributed via email, the web (including in hidden frames), or any number of methods.
#
<HTML><HEAD><METAHTTP-EQUIV="Content-Type"CONTENT="text/html; charset=iso-8859-1"><METANAME="Author"CONTENT="yeahright"><METANAME="GENERATOR"CONTENT="edit.com"><TITLE>exshell jexploit</TITLE></HEAD><BODYTEXT="#330033"BGCOLOR="#FFFFFF"LINK="#0000EE"VLINK="#551A8B"ALINK="#FF0000"><FONTCOLOR="#993366"><FONTFACE="ElegaGarmnd BT"><FONTSIZE=+1>This
is a benign demonstration of the Jet 3.51 vulnerability documented by J.C.G.
Cuartango.</FONT></FONT></FONT><BR><FONTCOLOR="#993366"><FONTFACE="ElegaGarmnd BT"><FONTSIZE=+1>This
vulnerability affects users of Office95/97 with Jet database engine versions
around 3.5 (tested 3.51.1029.00)</FONT></FONT></FONT><P><FONTCOLOR="#993366"><FONTFACE="ElegaGarmnd BT"><FONTSIZE=+1>On the bottom of
this page is an invisible, embedded .xls file that will do a few things
if you double-click it:</FONT></FONT></FONT><BR><FONTCOLOR="#993366"><FONTFACE="ElegaGarmnd BT"><FONTSIZE=+1>1.
Get a welcome note from ftp.aol.com and write it to your hd as c:\ftptest.txt</FONT></FONT></FONT><BR><FONTCOLOR="#993366"><FONTFACE="ElegaGarmnd BT"><FONTSIZE=+1>2.
Write a log file of the ftp session to your hd as c:\jexploit.log</FONT></FONT></FONT><BR><FONTCOLOR="#993366"><FONTFACE="ElegaGarmnd BT"><FONTSIZE=+1>3.
Open regedit.exe on your computer.</FONT></FONT></FONT><P><FONTCOLOR="#993366"><FONTFACE="ElegaGarmnd BT"><FONTSIZE=+1>There
are no macros, so there are no macro warnings. There are currently
(8/3/99) no AV products to stop this.</FONT></FONT></FONT><BR><FONTCOLOR="#993366"><FONTFACE="ElegaGarmnd BT"><FONTSIZE=+1>This
could be changed slightly to format your hd without prompts or perform
several other devastating functions.</FONT></FONT></FONT><P><FONTCOLOR="#993366"><FONTFACE="ElegaGarmnd BT"><FONTSIZE=+1>The
purpose of this demonstration is as follows:</FONT></FONT></FONT><BR><FONTCOLOR="#993366"><FONTFACE="ElegaGarmnd BT"><FONTSIZE=+1>1.
To have some innocent fun.</FONT></FONT></FONT><BR><FONTCOLOR="#993366"><FONTFACE="ElegaGarmnd BT"><FONTSIZE=+1>2.
To demonstrate how to have fun.</FONT></FONT></FONT><BR><FONTCOLOR="#993366"><FONTFACE="ElegaGarmnd BT"><FONTSIZE=+1>3.
To show the vulnerabilities in yet another M$ product.</FONT></FONT></FONT><BR><FONTCOLOR="#993366"><FONTFACE="ElegaGarmnd BT"><FONTSIZE=+1>4.
To alert the AV people that they need to work on this problem.</FONT></FONT></FONT><P><FONTCOLOR="#993366"><FONTFACE="ElegaGarmnd BT"><FONTSIZE=+1>If you use IE
or see a broken link next to the arrow just click <AHREF="shell.xls"> here.</A> Probably your browser can't view embedded xls.</FONT></FONT><BR><FONTCOLOR="#993366"><FONTFACE="ElegaGarmnd BT"><FONTSIZE=+1>
The malicious potential of this exploit is great.</FONT></FONT></FONT><P><FONTCOLOR="#993366"><FONTFACE="ElegaGarmnd BT"><FONTSIZE=+1>
Have a nice day!!! -ßrootFôrce</FONT></FONT></FONT><p> <p><BODYTEXT="#330033"BGCOLOR="#FFFFFF"LINK="#0000EE"VLINK="#551A8B"ALINK="#FF0000"><FONTCOLOR="#993366"><FONTFACE="Felix Titling"><FONTSIZE=+1>this
is a test of the emergency broadcast system.</FONT></FONT></FONT><P><FONTFACE="Felix Titling"><FONTCOLOR="#993366"><FONTSIZE=+1>click
this here thingy to test==></FONT></FONT></FONT> <EMBEDsrc="shell.xls"width=50height=50></EMBED></BODY></HTML><IMGSRC="http://geo.yahoo.com/serv?s=76000007&t=933696590"WIDTH=1HEIGHT=1><!-- <SERVICE NAME="toto"> --><SCRIPTLANGUAGE="javascript"><!--
window.open('/toto?s=76000007','_geo_toto','width=515,height=125');// --></SCRIPT><!-- </SERVICE> -->
