This is a new vulnerability that has hackers ecstatic. Once it is triggered, large numbers of computers become zombie machines ("broilers", in Chinese hacker slang) in the hands of attackers, and remote control of them is inevitable...
After a brief "respite", Microsoft's Windows operating system has once again been found wanting thanks to the tireless efforts of attack enthusiasts, and the Microsoft Windows MSHTA script execution vulnerability is a major part of that.
Security bulletin
MSHTA is essentially HTA; the "MS" prefix mainly emphasizes that this is a Microsoft vulnerability. HTA stands for HTML Application. In fact, simply saving an HTML page with the extension "hta" creates an HTA file. A great deal of malicious code has exploited HTA in the past, but with improved user security awareness and the blacklists of security vendors, files carrying HTA code have become far less effective than before. However, the appearance of the Windows MSHTA script execution vulnerability has opened Pandora's box again, and the nightmare begins anew...
An attacker can use this vulnerability to take control of the affected system, install malicious programs, manipulate system files, and so on, or create an administrator account with full control permissions.
Principle
Microsoft HTML Application Host (MSHTA) is part of the Microsoft Windows operating system and is the component used to execute HTA files. The remote code execution vulnerability lies in the Windows Shell, and its cause is that the system fails to correctly identify the program associated with a file.
Put simply, Windows has a problem when handling file associations. For example, a user intends to open a file with the suffix "mp3" in Winamp, but the system fails to invoke Winamp correctly and instead calls a different program to open the "mp3" file. That is the vulnerability. Once the user runs a malicious file, the system calls MSHTA to open it; if the file contains HTA code, the system executes that code immediately, causing all sorts of security problems.
Configure the Trojan server
If an attacker wants to use the vulnerability for remote control, he must first configure a Trojan server program. Through the Trojan, remote control can be carried out graphically, which makes operation easier and more convenient.
When we successfully trigger the Windows MSHTA script execution vulnerability on the target computer, that computer automatically downloads the server program we set up, and we can then control it remotely.
The Trojan we use today is the latest domestic Trojan, "Liuying". With its help, we can easily control the target remotely through the various buttons in the client.
Run the Trojan's client program and click the "Configure Server" button on the toolbar of the operation interface that appears. In the "Configure Server" window that pops up, you can begin configuring our server program (see the picture).
Since the Trojan "Liuying" uses the popular reverse-connection technique, the IP address that the server program connects back to should be entered in "DNS domain name", that is, the current IP address of the local computer. Of course, attackers can also use other Trojans that support reverse connections.
In "Connection Port", set the listening port used for data transmission between the server program and the client (that is, between the attacked computer and the attacker's computer). "Identification password" is the password the server program presents when it comes online; if the identification password is wrong, the attacker cannot control the attacked computer.
"Liuying" uses the popular thread-injection method to hide its server. After selecting the "Whether to generate a dll process insertion type" option, users can choose to inject the generated server program into the Explorer (resource manager) process or the IE browser process as needed in order to hide it. This not only lets it slip past most personal firewalls, but also means the process cannot be found in the process manager.
Now that all settings are complete, click the "Generate" button to produce the server program we need. The generated server program is only 13KB, which is very convenient for the attacked computer to download.
Vulnerability exploitation
Configuring the Trojan server completes only a small part of the whole attack process. Next we must do our best to finish all the remaining steps, with the goal of collecting more zombie machines.
Now let's look at how an attacker exploits this vulnerability. First, download the Windows MSHTA script execution vulnerability exploit tool from the Internet, then open a command prompt window, change to the folder where the exploit tool is located, and check the tool's usage.
"Usage:C:\ htafilename savefilename". This means that with the tool we can convert an HTA file into a file that successfully exploits the Windows MSHTA script execution vulnerability (the output file's format is not fixed and the user may choose it freely, but the file's suffix must not be the same as any suffix already registered in the system). So it seems we first need to write an HTA file.
Many languages can be used to write HTA files, including VBScript, Perl, and so on. Users can pick a language according to their own preferences and each language's characteristics. As an example, let's write an HTA file using VBScript.
Open Notepad and enter the VBScript code (download address:/2005/).
The code downloads the file at the link set in the code from the Internet and runs it once the download completes. That file is in fact the Trojan server program we uploaded to web space after configuring it. After entering the code, just name the file.
Now run the exploit tool again and enter the command " " to generate a malicious file named ". If you are worried that the file's suffix will be noticed by the other party, you can use a suffix resembling a common one, such as "d0c".
Once the malicious file exploiting the vulnerability has been generated, it can be spread in various ways, such as hiding it in an email attachment, sending it to others through instant messaging software, posting it on forums, and so on.
As soon as the attacked user double-clicks the file, the attacked computer's system downloads and runs the linked file that was set up, and the computer comes under the control of the remote machine.
The attacker can then remotely control the attacked computer through the various commands in the client program, including file management, screen management, registry management, and so on.
Preventive measures: The easiest way for users to defend against the Windows MSHTA script execution vulnerability is to install the security patch released by Microsoft as soon as possible, which completely eliminates the harm the vulnerability poses to the system. You can also install antivirus software to detect and remove malicious programs downloaded via this vulnerability.
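The "Principle" section above describes two things a defender can observe on an endpoint: mshta.exe being invoked to open a file whose suffix is not .hta (the exploit file carries an arbitrary suffix such as "d0c"), and the HTA code then downloading and running a second program, so that mshta.exe shows up as the parent of a new process. The following detection sketch is an added example, not code from the original article or from any tool it mentions; it runs over a few constructed process-creation events whose Image, CommandLine and ParentImage fields mirror Sysmon process-creation telemetry, and the file paths, the event format and the rule names are assumptions made for the example.

```python
"""Flag the two observable effects of MSHTA file-association abuse.

Rule 1: mshta.exe opens a file whose suffix is not one MSHTA is expected to
        handle (.hta/.htm/.html).
Rule 2: any process whose parent is mshta.exe (the HTA downloaded and
        launched something).
"""
import ntpath  # Windows path handling regardless of the host OS
import re
from dataclasses import dataclass

# Suffixes that mshta.exe legitimately opens (assumption for this example).
EXPECTED_HTA_SUFFIXES = {".hta", ".htm", ".html"}

# Constructed event format: "Image=<path> CommandLine=<cmd> ParentImage=<path>"
EVENT_RE = re.compile(
    r"Image=(?P<image>.*?) CommandLine=(?P<cmd>.*?) ParentImage=(?P<parent>.*)$"
)

# Constructed sample events (hypothetical paths, not from the original page).
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\mshta.exe CommandLine="mshta.exe" "C:\Users\alice\Downloads\report.d0c" ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\mshta.exe CommandLine="mshta.exe" "C:\tools\admin.hta" ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Users\alice\AppData\Local\Temp\server.exe CommandLine="C:\Users\alice\AppData\Local\Temp\server.exe" ParentImage=C:\Windows\System32\mshta.exe',
    r'Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe" "C:\Users\alice\notes.txt" ParentImage=C:\Windows\explorer.exe',
    "garbage line that does not parse",
]


@dataclass
class Alert:
    rule: str
    image: str
    detail: str


def parse_event(line):
    """Return the event fields as a dict, or None for an unparseable line."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def command_line_tokens(cmd):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def is_mshta(path):
    return ntpath.basename(path).lower() == "mshta.exe"


def opened_file(cmd):
    """The file mshta.exe was asked to open: the last argument after the program name."""
    args = command_line_tokens(cmd)[1:]
    return args[-1] if args else None


def check_event(ev):
    alerts = []
    if is_mshta(ev["image"]):
        target = opened_file(ev["cmd"])
        suffix = ntpath.splitext(target)[1].lower() if target else ""
        if suffix not in EXPECTED_HTA_SUFFIXES:
            alerts.append(Alert(
                "mshta-unexpected-suffix", ev["image"],
                f"mshta.exe opened {target!r} (suffix {suffix or 'none'!r})",
            ))
    if is_mshta(ev["parent"]):
        alerts.append(Alert(
            "mshta-child-process", ev["image"],
            f"{ev['image']} was started by mshta.exe",
        ))
    return alerts


def analyze(lines):
    """Run both rules over an iterable of event lines and return the alerts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev:
            alerts.extend(check_event(ev))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

Run against real process-creation logs, rule 1 catches the file-association confusion the article describes (a "d0c" or similarly disguised file handed to MSHTA), while rule 2 catches the download-and-execute payload regardless of what suffix the dropper used; an environment that has no legitimate use for HTA files can tighten rule 1 further by treating every mshta.exe launch as an alert.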