module
Microsoft Help Center XSS and Command Execution
| Disclosed | Created |
|---|---|
| 2010-06-09 | 2018-05-30 |
Disclosed
2010-06-09
Created
2018-05-30
Description
Help and Support Center is the default application provided to access online
documentation for Microsoft Windows. Microsoft supports accessing help documents
directly via URLs by installing a protocol handler for the scheme "hcp". Due to
an error in validation of input to hcp:// combined with a local cross site
scripting vulnerability and a specialized mechanism to launch the XSS trigger,
arbitrary command execution can be achieved.
On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it
can be used to launch the exploit automatically. If IE8 and WMP11, either can
be used to launch the attack, but both pop dialog boxes asking the user if
execution should continue. This exploit detects if non-intrusive mechanisms are
available and will use one if possible. In the case of both IE8 and WMP11, the
exploit defaults to using an iframe on IE8, but is configurable by setting the
DIALOGMECH option to "none" or "player".
This module creates a WebDAV service from which the payload is copied to the
victim machine.
documentation for Microsoft Windows. Microsoft supports accessing help documents
directly via URLs by installing a protocol handler for the scheme "hcp". Due to
an error in validation of input to hcp:// combined with a local cross site
scripting vulnerability and a specialized mechanism to launch the XSS trigger,
arbitrary command execution can be achieved.
On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it
can be used to launch the exploit automatically. If IE8 and WMP11, either can
be used to launch the attack, but both pop dialog boxes asking the user if
execution should continue. This exploit detects if non-intrusive mechanisms are
available and will use one if possible. In the case of both IE8 and WMP11, the
exploit defaults to using an iframe on IE8, but is configurable by setting the
DIALOGMECH option to "none" or "player".
This module creates a WebDAV service from which the payload is copied to the
victim machine.
Authors
Tavis Ormandy
natron natron@metasploit.com
natron natron@metasploit.com
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.