Run a program on other computers using HTTP and IE vulnerabilities.

Source: Internet
Author: Orbit
E-mail: inte2000@163.com

Every day we use the Internet to browse colourful, dynamic web pages and look up the information we need. Have you ever considered that this is the work of embedded script code? Without script code a web page is just a combination of static images and text; it looks dull, and the charm of the network is lost. But, like anything else, the script code embedded in a web page has two sides. On the one hand, web engineers can use script programming to give a page all kinds of remarkable effects and build beautiful, powerful pages. On the other hand, people with ulterior motives can use the same code to harm your system. Some websites deliberately embed malicious code in their pages to collect visitor information, set themselves as IE's default home page, lock the visitor's registry, or even plant trojans on the visitor's computer. Such malicious script code is usually concealed and executes without the visitor noticing, which makes it very harmful.
Destructive malicious script code is also called a script virus. A script virus is not an executable program; it is only a sequence of program code, usually VBScript, because VBScript is powerful and is supported by the script host built into Windows, so malicious script code written in it is often destructive. Script viruses fall into two types. The first is pure script code: all of its functionality is implemented in script, and it does its damage by executing that script directly on the host computer. This type is usually embedded in a web page that tricks the host into executing it, or sent to the host in an HTML-format e-mail that tricks the user into opening the message and thereby executing the virus code. The second type combines script code with an executable file: the executable does the actual damage, while the script only handles propagation and implantation. This type is mainly sent by e-mail, tricking the user into opening the message; the script embedded in the HTML-format mail then executes the virus body hidden in the attachment. It can, however, also be embedded in a web page and executed on the browsing computer by exploiting the HTTP protocol and Internet Explorer weaknesses. This article describes that method.
To execute a program on the host computer, the program file must first be planted there. Normally script code has no permission to access the host computer's files, but this can be achieved by exploiting HTTP and Internet Explorer. HTTP allows media files to be embedded in web pages and the set of media file types to be extended, but the media type is determined only from the file's extension; the validity of the media file (whether it really is a file of that type) is never verified. This gives us the opportunity to disguise an executable as a legitimate media file so that HTTP transmits it as a media file. But how can we use this? Specifically, how do we find the file once it has been downloaded to the host computer? This is where an Internet Explorer weakness comes in. When IE browses a web page, it downloads every media file embedded in the page to a temporary directory. The location of this directory is fixed, and each file is saved under the original name given in the web page; if a file with that name already exists in the directory, "[1]", "[2]" and so on are appended to the file name to tell them apart. Based on these "rules", we can write script code embedded in the web page that finds our program in the browser's cache directory.
Although the principle is simple, there are still many problems to consider. The first is how to fool anti-virus software. Changing the extension of an executable to BMP, JPG, GIF or another media extension is easy, but it is hard to escape detection that way: many anti-virus products determine the file type by inspecting the file header structure, so a simple rename is easily recognised. We can, however, forge a header structure to fool such anti-virus software. We normally disguise the program as a BMP bitmap: we forge a valid bitmap file header structure and embed the executable in the bitmap file as bitmap data. BMP is chosen because the BMP header structure is simple and easy to forge; a lot of software uses BMP files to disguise itself or hide information. A bitmap file begins with a 14-byte file header structure and a 40-byte bitmap information header structure, which can be described in C as follows:

/* Both headers are byte-packed on disk (14 + 40 bytes); the sizes below assume
   the 32-bit "unsigned long" of Windows compilers. */
#pragma pack(push, 1)
typedef struct tagBMPFILEHEADER    /* bitmap file header structure */
{
    char           bfSign[2];      /* file signature, always "BM" */
    unsigned long  bfSize;         /* size of the whole file in bytes */
    unsigned short bfReserved1;    /* must be 0 */
    unsigned short bfReserved2;    /* must be 0 */
    unsigned long  bfOffBits;      /* offset from the start of the file to the pixel data */
} BMPFILEHEADER;

typedef struct tagBMPINFOHEADER    /* bitmap information header structure (Windows style) */
{
    unsigned long  biSize;         /* size of this structure, 40; this field must be filled in correctly */
    long           biWidth;        /* width of the bitmap in pixels */
    long           biHeight;       /* height of the bitmap in pixels */
    unsigned short biPlanes;       /* always 1 */
    unsigned short biBitCount;     /* colour depth in bits per pixel */
    unsigned long  biCompression;  /* 0 = uncompressed */
    unsigned long  biSizeImage;    /* size of the bitmap data in bytes */
    long           biXPelsPerMeter;
    long           biYPelsPerMeter;
    unsigned long  biClrUsed;
    unsigned long  biClrImportant;
} BMPINFOHEADER;
#pragma pack(pop)

The bfSign of the file header structure must be "BM", and bfSize is the size of the entire bitmap file. bfOffBits is the size of the file header structure plus the bitmap information header structure for a 24-bit bitmap; for bitmap files that use a colour palette this field can be filled in as needed, and anti-virus software usually does not check it. bfReserved1 and bfReserved2 must be 0. The biSize of the bitmap information header must be 40, and biBitCount is usually 24, because the size calculation for a 24-bit bitmap is relatively simple. biSizeImage is determined by the biWidth, biHeight and biBitCount fields. Fill in values based on the size of the executable, making sure that biWidth * biHeight * biBitCount / 8 is slightly larger than the executable, and when calculating biSizeImage pay attention to the 4-byte alignment of each row of data in the bitmap file. Choose biWidth and biHeight so that the computed biSizeImage is slightly larger than the executable; the extra bytes can be filled with random numbers.
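A header-only check is exactly what the disguise described above is built to pass. As an added example (not code from the original article), the Python below parses the two headers with the field names used above, applies the consistency rules the text lists (signature, reserved fields, biSize, 4-byte row alignment, bfSize against the real length) and then looks past the headers into the pixel data for a DOS/PE executable signature, which is the check that defeats a header forgery. The two sample files are constructed inside the block; the fake one carries only the MZ and PE magic bytes plus padding in place of a real program.

```python
import struct

# Layouts of the two headers described above, packed little-endian (14 + 40 bytes).
FILE_HEADER = struct.Struct("<2sIHHI")        # bfSign, bfSize, bfReserved1, bfReserved2, bfOffBits
INFO_HEADER = struct.Struct("<IiiHHIIiiII")   # biSize .. biClrImportant
HEADERS_LEN = FILE_HEADER.size + INFO_HEADER.size   # 54 bytes (36h)


def row_stride(width, bpp):
    """Bytes per pixel row; BMP pads every row to a multiple of 4 bytes."""
    return ((width * bpp + 31) // 32) * 4


def inspect_bmp(data):
    """Return a list of findings; an empty list means the file looks like an ordinary BMP."""
    findings = []
    if len(data) < HEADERS_LEN:
        return ["file shorter than the 54-byte BMP headers"]
    sign, bf_size, res1, res2, off_bits = FILE_HEADER.unpack_from(data, 0)
    (bi_size, width, height, _planes, bpp, compression,
     size_image, _x, _y, _used, _important) = INFO_HEADER.unpack_from(data, FILE_HEADER.size)

    # Header consistency: these are the checks a header-only scanner performs.
    if sign != b"BM":
        findings.append("signature is not BM")
    if res1 or res2:
        findings.append("reserved fields are not zero")
    if bi_size != INFO_HEADER.size:
        findings.append("biSize %d != 40" % bi_size)
    if bf_size != len(data):
        findings.append("bfSize %d != actual length %d" % (bf_size, len(data)))
    expected = row_stride(width, bpp) * abs(height)
    if compression == 0 and size_image not in (0, expected):
        findings.append("biSizeImage %d != computed %d" % (size_image, expected))
    if off_bits > len(data) or len(data) - off_bits != expected:
        findings.append("pixel data is %d bytes, header implies %d" % (len(data) - off_bits, expected))

    # Content check: a forged header passes everything above, so look at the pixel bytes themselves.
    payload = data[off_bits:]
    if payload[:2] == b"MZ":
        findings.append("pixel data starts with MZ (DOS/PE executable header)")
        if len(payload) >= 0x40:
            e_lfanew = struct.unpack_from("<I", payload, 0x3C)[0]
            if payload[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                findings.append("PE signature found at e_lfanew 0x%x" % e_lfanew)
    return findings


def make_bmp(width, height, pixels):
    """Pack a 24-bit BMP around already row-padded pixel bytes (fixture builder for the samples)."""
    fh = FILE_HEADER.pack(b"BM", HEADERS_LEN + len(pixels), 0, 0, HEADERS_LEN)
    ih = INFO_HEADER.pack(INFO_HEADER.size, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return fh + ih + pixels


# Constructed samples: a real 2x2 bitmap (stride 8, two rows = 16 bytes) and a "bitmap" whose
# 3x6 pixel area (stride 12, six rows = 72 bytes) holds the MZ/PE magic bytes plus padding.
GOOD_BMP = make_bmp(2, 2, bytes(16))
FAKE_PAYLOAD = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0").ljust(72, b"\xAA")
FAKE_BMP = make_bmp(3, 6, FAKE_PAYLOAD)

if __name__ == "__main__":
    print("good:", inspect_bmp(GOOD_BMP))
    print("fake:", inspect_bmp(FAKE_BMP))
```

Against the fake sample every header check passes, exactly as the text expects of a header-only scanner, and only the content check fires; a scanner of cached media files therefore needs both parts.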
Having fooled the browser and the anti-virus software, we next need to find our fake BMP file, restore the executable from it and run it. When IE browses a web page it downloads the media files embedded in the page to a cache directory, whose location can be read from the registry at:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
The RegRead method of the WScript.Shell script object reads this value easily, so we can find our fake bitmap file. To avoid the duplicate-name problem in the cache directory, we can give the fake bitmap file a suitably long and unusual name. Once the fake bitmap file automatically downloaded by the browser has been found, we can restore our executable from it. However, operating on files directly in IE's cache directory triggers a Windows system warning, so the disguised bitmap file must first be copied to the system's temporary directory and restored there. Operating directly on binary files is not a strength of VBScript, and using Scripting.FileSystemObject on binary files can alert anti-virus software, whereas using Scripting.FileSystemObject on text files does not attract its attention. So we can combine a Windows/DOS batch file with the DEBUG command to solve this problem neatly. A Windows/DOS batch file is a text file made up of DOS commands, similar to a Unix/Linux shell script, with the extension .BAT. The batch file we generate must do the following: copy the fake bitmap file from the IE cache directory to the Windows temporary directory, restore the executable from the fake bitmap file, delete the temporary file, copy the restored executable to the Windows system directory, delete the fake bitmap file from the temporary directory, and run the restored executable. Only restoring the executable is troublesome; the other steps can be done with the copy and del commands. The next section therefore explains how to restore the executable from the fake bitmap file without using Scripting.FileSystemObject.
Restoring the executable requires another DOS command: DEBUG. DEBUG is a powerful debugging tool with many sub-commands; it can map a binary file into memory and also write data from memory back to a file, and we can use this feature to restore the executable. The W sub-command of DEBUG writes part or all of the binary file mapped in memory back to the file. When W is used, the BX register holds the high 16 bits of the number of bytes to write and the CX register holds the low 16 bits. The number of bytes to write is the size of the executable we embedded in the fake bitmap file. The W sub-command also takes the address at which writing starts, which lets us skip the fake bitmap's file header structure and bitmap information header structure. For example, if the executable embedded in the fake bitmap file is 143562 bytes (230C9h in hexadecimal), and the bitmap file header structure and bitmap information header structure together occupy 54 bytes (36h in hexadecimal), the DEBUG command sequence can be written as follows:
debug fakefile.bmp   (load the fake bitmap file; DEBUG maps it into memory at offset 100h)
-rbx
:2                   (show BX and set it to 2, the high word of 230C9h)
-rcx
:30c9                (show CX and set it to 30C9h, the low word of 230C9h)
-w 136               (write BX:CX bytes back starting at 136h, i.e. the 100h load address plus the 36h headers)
-q                   (exit DEBUG)
After the write-back, fakefile.bmp is 143562 bytes long and contains only the executable; it is renamed fakefile.exe, copied to the system directory and run.
That is the complete description of the method. It is clearly a very dangerous one: a web page author can run illegal programs on the visitor's computer without permission, or even use DOS commands such as del, deltree and format to destroy the user's file system. Although the design is clever and its ability to fool anti-virus software seems powerful, it is also easy to prevent. The method hinges on the script code, so simply uninstalling Windows Script Host blocks the script from executing at all. Windows 95/98/ME users can also rename the deltree.com, format.com, debug.com and fdisk.exe command programs in the Windows command directory, so that script code cannot run these commands through a Windows/DOS batch file.
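As an added detection example (not part of the original article), the Python below applies the prevention idea above to process-creation telemetry rather than to file names: it parses a few constructed process events, rebuilds each process's parent chain, and flags any run of debug.exe or debug.com whose argument is a media file (.bmp, .jpg, .gif), escalating when a browser or script host appears in the ancestry, which is the chain the batch file described above produces. The log format, paths, process ids and process names are all constructed for the example; the last two events are a legitimate interactive use of DEBUG that must not be flagged.

```python
import csv
import io
import ntpath

# Constructed process-creation events: pid, parent pid, image path, command line.
# Event 500 is the chain the article's batch file would produce; event 700 is benign.
SAMPLE_LOG = r"""pid,ppid,image,cmdline
100,1,C:\WINDOWS\EXPLORER.EXE,explorer.exe
200,100,C:\PROGRA~1\INTERN~1\IEXPLORE.EXE,iexplore.exe http://example.invalid/page.htm
400,200,C:\COMMAND.COM,command.com /c C:\WINDOWS\TEMP\run.bat
500,400,C:\WINDOWS\COMMAND\DEBUG.EXE,debug C:\WINDOWS\TEMP\fakefile.bmp
600,100,C:\COMMAND.COM,command.com
700,600,C:\WINDOWS\COMMAND\DEBUG.EXE,debug hello.com
"""

BROWSER_OR_SCRIPT_HOST = {"iexplore.exe", "wscript.exe", "cscript.exe"}
MEDIA_EXT = {".bmp", ".jpg", ".jpeg", ".gif"}
DEBUG_NAMES = {"debug.exe", "debug.com"}


def parse_events(text):
    """Return {pid: {"ppid", "image", "cmdline"}} from CSV process events."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        procs[int(row["pid"])] = {
            "ppid": int(row["ppid"]),
            "image": row["image"],
            "cmdline": row["cmdline"],
        }
    return procs


def ancestors(procs, pid):
    """Lower-case image basenames of the parent, grandparent, ... of pid (stops at unknown pids or cycles)."""
    chain = []
    seen = set()
    pid = procs[pid]["ppid"]
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(procs[pid]["image"]).lower())
        pid = procs[pid]["ppid"]
    return chain


def detect(procs):
    """Flag DEBUG runs whose argument is a media file; severity rises if a browser or script host is an ancestor."""
    findings = []
    for pid, proc in procs.items():
        if ntpath.basename(proc["image"]).lower() not in DEBUG_NAMES:
            continue
        media_args = [a for a in proc["cmdline"].split()[1:]
                      if ntpath.splitext(a)[1].lower() in MEDIA_EXT]
        if not media_args:
            continue
        chain = ancestors(procs, pid)
        severity = "high" if BROWSER_OR_SCRIPT_HOST & set(chain) else "medium"
        findings.append({"pid": pid, "severity": severity,
                         "file": media_args[0], "chain": chain})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(finding)
```

The rule keys on behaviour rather than on the renamed tools the text suggests, so it still fires when an attacker ships a copy of DEBUG under another path; matching on the image basename is a deliberate choice and should be widened to a file hash if the telemetry provides one.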
