Mshta vulnerabilities for hackers to open remote control of the door (map) _ Vulnerability Research
Source: Internet
Author: User
This is a hacker can be ecstatic new vulnerabilities, once the vulnerability is activated, there will be a large number of computer hackers in the hands of the chicken, the remote control is inevitable ...
After a brief "respite" from Microsoft's Windows operating system, it has been a major part of the Microsoft Windows Mshta scripting exploits that have been successfully identified in several high-risk system vulnerabilities recently, with the relentless effort of the attacking enthusiasts.
Security bulletin Board
Mshta, an HTA, where MS is mainly used to emphasize that this is a Microsoft vulnerability, the HTA full name is HTML application, is an HTML application, in fact, simply use "HTA" for the extension to save the HTML page even if you create an HTA file. There used to be a lot of malicious code that used it, but as users ' awareness of security increased and security vendors blacklisted it, the files that contained HTA code were less disruptive than before. However, the advent of the Windows Mshta script Execution vulnerability has made Pandora's Box open again, with nightmares beginning ...
An attacker could exploit this vulnerability to control an affected system, install a malicious program, administer a system file, or create an administrator account with full control.
Principle
Microsoft HTML Application Host (Mshta) is part of the Microsoft Windows operating system and must be used to execute HTA files. A remote code execution vulnerability exists in the Windows shell because the system does not correctly identify the associated program for the file.
In fact, the simple point is that the Windows system in the process of processing files associated with the problem occurred. For example, a user would have wanted to open a file with a file suffix of "MP3" with Winamp, but had failed to invoke the Winamp program correctly and called another program to open the "MP3" file. This vulnerability is the case, after the user runs a malicious file, the system will call Mshta open the file, if the file contains HTA code, then the system will immediately execute this code, which raises a variety of security issues.
Configure the Trojan server side
To successfully exploit this vulnerability for remote control, an attacker would first have to configure a Trojan server program. Through the Trojan program, can be in the graphical state of remote control, so that the operation is more simple and convenient.
When we successfully activate the Windows Mshta Script execution vulnerability on the attacked computer, the computer automatically downloads the server-side program we set up, and we can remotely control it.
Today, we can use the Trojan is the latest domestic trojan "Fireflies", with its help, we can very easily through the various buttons in the client remote control.
Run Fireflies Trojan client program, in the pop-up operating interface, click on the toolbar "Configure the Server" button. In the "Configure Server side" window that pops up, we can start to configure our server-side programs (see figure).
Javascript:if (this.width>screen.width-600) this.style.width=screen.width-600; "Border=0>
Because the Trojan "fireflies" uses the popular rebound connection technology, therefore wants in "the DNS domain name" to set up the IP address which uses in the server-side program bounce connection, namely the local computer current IP address. Of course, attackers can also use other Trojans to bounce connection operation.
Set up a listening port in connection port for data transfer between the server-side program and the client (that is, the attacked computer and the computer that is attacking). "Identification password" is the service-side program in the online confirmation password, if the identification password is incorrect, the attacker will not be able to control the attacked computer.
"Fireflies" on the server side of the hidden way to adopt the current popular thread insertion method, select the "whether to generate DLL process insert type" option, users can according to their own needs, Choose to insert the generated server-side process into the process of the Explorer program Explorer.exe or the IEXPLORE.EXE process in IE browser to implement the server-side shadowing. This not only makes it easy to penetrate most personal firewalls, but also does not track the process in the process manager.
Now that all the settings have been completed, the final click on the "Build" button will generate the server-side program we need. The generated server-side program is only 13KB, which is extremely beneficial to the compromised computer for downloading.
Exploit the vulnerability
The Trojan server is configured to complete only a small part of the entire attack process. Below, we will bang, complete all operations, the purpose is to have more broiler.
Now let's see how this vulnerability was exploited by attackers. First download the Use tool for Windows Mshta script execution vulnerabilities from the web, then open a command Prompt window, go to the folder where the exploit tool is located, and see how the tool is used.
"Usage:c:\2005016.exe htafilename savefilename", which means that you can convert an HTA file to a file that successfully exploits Windows Mshta script execution by using a tool (the file format is not determined, The user can arbitrarily take, but the file suffix name must not be the same as the existing file suffix name in the system, it seems that we first need to write an HTA file.
There are many languages that can write HTA files, including VBScript, Perl, and so on, and users can choose to write languages based on their hobbies and the characteristics of each language. Here's a sample of VBScript to write an HTA file.
Open the Notepad program and enter a section of VBScript code (download address: Http://www.mh.fy.cn/2005/2.rar).
The meaning of this code is the link file that is set up from the download code on the Web, and runs the file after the download is complete. In fact, this file is our configuration completed after uploading to the network Space Trojan server program. After the code entry is complete, name the file Mm.hta.
Now rerun the exploit tool and enter the command "2005016.exe Mm.hta mm.mm" so that a malicious file named "mm.mm" can be generated. If you are afraid that the suffix name of the file is recognized by the other side, you can use a suffix name similar to "d0c".
After a malicious file is generated with a vulnerability, you can spread it in a variety of ways, such as hiding in an e-mail attachment, sending it to someone via instant messaging, posting on a forum, and so on.
As soon as the hacked user double-clicks the file, the system of the attacked computer downloads and runs the linked files that have been set up and is controlled by the remote computer.
Attackers can remotely control the attacked computer through various commands in the client program, including file management, screen management, registry management, and so on.
Precaution: The easiest way for users to successfully prevent Windows Mshta script execution vulnerabilities is to install the security patches that Microsoft has launched as soon as possible, so that the vulnerability to the system can be completely eradicated. Of course, through the installation of anti-virus software to use the vulnerability to download the malicious program to kill, so as to prevent.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.