Rapid7 Vulnerability & Exploit Database

Microsoft Help Center XSS and Command Execution

Back to Search

Microsoft Help Center XSS and Command Execution

Disclosed
06/09/2010
Created
05/30/2018

Description

Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme "hcp". Due to an error in validation of input to hcp:// combined with a local cross site scripting vulnerability and a specialized mechanism to launch the XSS trigger, arbitrary command execution can be achieved. On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it can be used to launch the exploit automatically. If IE8 and WMP11, either can be used to launch the attack, but both pop dialog boxes asking the user if execution should continue. This exploit detects if non-intrusive mechanisms are available and will use one if possible. In the case of both IE8 and WMP11, the exploit defaults to using an iframe on IE8, but is configurable by setting the DIALOGMECH option to "none" or "player". This module creates a WebDAV service from which the payload is copied to the victim machine.

Author(s)

  • Tavis Ormandy
  • natron <natron@metasploit.com>

Platform

Windows

Development

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec
msf exploit(ms10_042_helpctr_xss_cmd_exec) > show targets
    ...targets...
msf exploit(ms10_042_helpctr_xss_cmd_exec) > set TARGET < target-id >
msf exploit(ms10_042_helpctr_xss_cmd_exec) > show options
    ...show and set options...
msf exploit(ms10_042_helpctr_xss_cmd_exec) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;