This is a new vulnerability that allows hackers to be ecstatic. Once this vulnerability is activated, a large number of computers will become bots in hackers' hands. Remote Control is inevitable ......
Microsoft's Windows operating system, after a short period of "breathing", has recently been worked tirelessly by attackers to identify several high-risk system security vulnerabilities, the Microsoft Windows MSHTA Script Execution vulnerability is an important component.
Security Bulletin Board
MSHTA is HTA. The MS here is mainly used to emphasize that this is Microsoft's vulnerability. HTA's full name is HTML Application, which is an HTML Application, in fact, if you simply use "hta" to save HTML pages for the extension, you can create an HTA file. A lot of malicious code has been used in the past, but with the increasing security awareness of users and the blacklist of security vendors, these files containing the HTA Code are not as destructive as before. However, the Windows MSHTA Script Execution vulnerability has enabled Pandora's magic box again, causing a nightmare to begin ......
Attackers can exploit this vulnerability to control the affected system, install malicious programs, manage system files, or create an administrator account with full control permissions.
Principle
Microsoft HTML Application Host (MSHTA) is part of the Microsoft Windows operating system and must be used to execute the HTA file. The remote code execution vulnerability exists in Windows Shell because the system cannot correctly identify the associated program of the file.
In fact, simply put, the Windows system encountered a problem when processing file-related programs. For example, if you want to use Winamp to open a file suffixed with "mp3", but you fail to call the Winamp program correctly and call another program to open this "mp3" file. This vulnerability occurs. After a user runs a malicious file, the system will call MSHTA to open the file. If the file contains HTA code, the system will immediately execute the code, this causes various security problems.
Configure the Trojan server
To successfully exploit this vulnerability for remote control, attackers must first configure a Trojan server program. With the trojan program, remote control can be performed in a graphical State, making the operation easier and more convenient.
After we successfully activate the Windows MSHTA Script Execution vulnerability on the attacked computer, the computer automatically downloads the server program we set and we can remotely control it.
Today, we can use the latest domestic Trojan "streaming". With its help, we can easily remotely control it through various buttons on the client.
Run the client program of the streaming Trojan. In the displayed operation interface, click "configure Server" on the toolbar. In the pop-up "configure Server" window, you can start configuring our server program
Because the trojan "streaming" adopts popular bounce connection technology, you must set the IP address used for server program bounce connection in "DNS domain name", that is, the current IP address of the local computer. Of course, attackers can also use other Trojans to rebound connections.
In "connection port", set the listening port used for data transmission between the server program and the client (that is, the attacked computer and the attacked computer. "Password identification" refers to the Password confirmed by the server program when it is launched. If the password is incorrectly identified, attackers cannot control the attacked computer.
Or the IEXPLORE. EXE process of IE browser to implement server-side hiding. In this way, not only can most personal firewalls be easily penetrated, but the process cannot be found in the Process Manager.
Now, all the settings are complete. Click "generate" to generate the server program we need. The generated server program is only 13 KB, which is very helpful for downloading attacked computers.
Exploitation of Vulnerabilities
The configuration of the Trojan server is complete, but a small part of the entire attack process is completed. Next, we will continue to do all the operations in order to have more bots.
Now let's take a look at how this vulnerability was exploited by attackers. First download the Windows MSHTA Script Execution Vulnerability exploitation tool from the Internet, then open the Command Prompt window, enter the folder where the vulnerability exploitation tool is located, and then view the usage of the tool.
"Usage: C: 2005016.exe htafilename savefilename ", this statement can be used to convert an HTA file into a file that can successfully exploit the Windows MSHTA Script Execution Vulnerability. (The file format is uncertain and can be retrieved as needed, but the file extension name must not be the same as the existing file extension name in the system), it seems that we need to write an HTA file first.
There are many languages capable of writing HTA files, including VBScript and Perl. You can select programming languages based on your hobbies and the characteristics of each language. The following uses VBScript as an example to compile an HTA file.
Open the Notepad program and enter a piece of VBScript code.
The meaning of this Code is to download the link file set in the code from the Internet. After the download is complete, run the file. In fact, this file is the Trojan server program uploaded to the network space after the configuration is complete. After the code is entered, name the file mm. hta.
Now try again to run the utility tool. input the command "2005016.exe mm. hta mm. mm" to generate a malicious file named "mm. mm. If you are afraid that the extension name of the file will be recognized by the other party, you can use a suffix name similar to "d0c.
After a vulnerability is generated using a malicious file, you can spread it in various ways, for example, it is stored in attachments of emails, sent to others through instant messaging software, and posted on forums.
As long as the attacked user double-click to run the file, the system of the attacked computer downloads and runs the set link file, which is then controlled by the remote computer.
Attackers can remotely control the attacked computers through various commands in the client program, including file management, Screen Management, and registry management.
Preventive Measure: to successfully prevent Windows MSHTA Script Execution Vulnerabilities, install Microsoft's security patch as soon as possible, in this way, the harm of this vulnerability to the system can be completely eliminated. Of course, you can also install anti-virus software to scan and kill malicious programs downloaded using this vulnerability to prevent it.