For educational purposes we decided to publish a proof of concept (PoC) for the COM Server-Based Binary Planting attacks described in our previous post. We prepared both online and offline versions for 32-bit Windows XP running Internet Explorer 8.
Online Proof of Concept
Visit \\www.binaryplanting.com\demo\XP_2-click\test.html (with Internet Explorer) and follow instructions. You must have WebDAV communication with the Internet enabled and must not have the CWDIllegalInDllSearch hotfix installed.
Offline Proof of Concept
Download a ZIP archive of the PoC here, extract it and follow the instructions in readme.txt. You can test the PoC either from a local network share or locally on a single Windows XP machine.
Conditions And Potential Weaponization
Note that this is a proof of concept only, not a weaponized exploit. The reliability thus depends on a few factors:
- You have to be running Internet Explorer 8 on 32-bit Windows XP (although it probably works on IE 7 too). A weaponized exploit could automatically detect user's Windows and IE version and provide an exploit for 32-bit and 64-bit XP, Vista or Windows 7 accordingly.
- You have to have "Show common tasks in folders" selected under the "Folder options" in Windows Explorer. (This is the default setting.) A weaponized exploit could use various attack vectors for different user configurations.
- The automatic COM Server launching process in relation with special folders is largely undocumented and can be unpredictable. A weaponized exploit could initiate various special folders-related activities for further improving the reliability.
- The SMB-to-WebDAV fallback takes a while (usually 10-15 seconds in our tests) and our PoC requires you to wait. A weaponized exploit could initiate this communication in the background while the user was reading an interesting text from the web page.
You're welcome to follow our research on Twitter.
Posts
