# Exploit Title:  Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execution Vulnerability

# Google Dork: N/A

# Date: March, 13 2019

# Exploit Author:  Eduardo Braun Prado

# Vendor Homepage: http://www.microsoft.com/

# Software Link: http://www.microsoft.com/

# Version: Windows 7 SP1, Server 2008, Server 2012, Server 2012 R2, 8.0, 8.1, 10 (any) with full patches up to December 2018, both x86 and x64 architectures.

# Tested on: Windows 7 SP1, Server 2008, Server 2012, Server 2012 R2, 8.0, 8.1, 10 (any) with full patches up to December 2018, both x86 and x64 architectures.

# CVE : CVE-2019-0541

The Microsoft Windows MSHTML engine is prone to a vulnerability that allows attackers to execute arbitrary code on vulnerable systems because of improper validation of specially crafted web documents (HTML, XHTML, etc.). The issue is triggered when a user chooses "Edit" on a specially crafted document containing a 'meta' HTML tag whose name is set to 'ProgId' and whose content is set to a 'ProgId' of the attacker's choice, e.g. 'HTAFILE', usually through the MS Internet Explorer browser or an MS Office component (the Edit HTML app 'msohtmed.exe'). Some Office versions add an "Edit" menu option to .html and .xhtml files, making it possible to exploit the vulnerability locally or remotely (usually through network shares). User interaction is required: the victim must select "Edit" on the file.

This is the 'ProgId' exploit, similar to the old Windows Shell / Internet Explorer ClassId vulnerabilities that haunted Windows 98/2000/XP in the past.

On patched systems, the PoC file will always open in Notepad.

Video demo: https://youtu.be/OdEwBY7rXMw

Download PoC (in ZIP archive) with full details from: https://onedrive.live.com/?id=AFCB9116C8C0AAF4%21366&cid=AFCB9116C8C0AAF4

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46536.zip
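The trigger described above is a 'meta' tag with name 'ProgId' and a content value that is not a normal Office document type. The following triage scanner is an added example written for this page; it is not the author's PoC and contains no payload. It pulls every ProgId meta value out of an HTML/XHTML document (quoted or unquoted attributes, any case, XHTML self-closing form) and flags anything outside an allowlist. The allowlist of ProgIds that Office writes into HTML it saves is an assumption for this example and should be tuned for your environment; the sample documents are constructed here for illustration.

```python
"""Triage scanner for HTML/XHTML files carrying a <meta name="ProgId"> hint.

Added example (not part of the advisory or its PoC): flags documents whose
ProgId meta tag names something other than an ordinary Office document type,
so they can be reviewed before anyone opens them with "Edit".
"""
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# ASSUMPTION: ProgIds that Office itself writes when saving as a web page.
# Compared case-insensitively; extend for your own environment.
BENIGN_PROGIDS = {
    "word.document",
    "excel.sheet",
    "powerpoint.slide",
    "frontpage.editor.document",
}


class ProgIdMetaParser(HTMLParser):
    """Collects the content attribute of every <meta name="ProgId" ...> tag.

    HTMLParser already lowercases tag and attribute names and accepts unquoted
    attribute values, and its default handle_startendtag() routes XHTML
    self-closing tags (<meta ... />) through handle_starttag().
    """

    def __init__(self) -> None:
        super().__init__()
        self.progids: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() == "progid":
            self.progids.append(a.get("content", "").strip())


def extract_progids(html: str) -> List[str]:
    """Return every ProgId meta value in document order."""
    parser = ProgIdMetaParser()
    parser.feed(html)
    parser.close()
    return parser.progids


def classify(html: str) -> Tuple[str, List[str]]:
    """Return (verdict, progids) where verdict is 'clean', 'office' or 'suspicious'.

    'clean'      - no ProgId meta tag at all
    'office'     - every ProgId is on the benign allowlist
    'suspicious' - at least one ProgId is not a known Office document type
                   (e.g. a script-host ProgId such as HTAFILE); review it
    """
    ids = extract_progids(html)
    if not ids:
        return "clean", ids
    if all(i.lower() in BENIGN_PROGIDS for i in ids):
        return "office", ids
    return "suspicious", ids


# Constructed sample documents (not real files from any share).
SAMPLES: Dict[str, str] = {
    "office_saved.htm": (
        "<html><head><meta name=ProgId content=Word.Document>"
        '<meta name=Generator content="Microsoft Word 15"></head>'
        "<body>quarterly report</body></html>"
    ),
    "plain.html": "<html><head><title>notes</title></head><body>nothing here</body></html>",
    "trigger_shape.xhtml": (
        '<?xml version="1.0"?><html xmlns="http://www.w3.org/1999/xhtml"><head>'
        '<META NAME="progid" CONTENT="HTAFILE" /></head><body>x</body></html>'
    ),
}


def scan_samples() -> Dict[str, str]:
    """Classify each constructed sample; returns {filename: verdict}."""
    return {name: classify(doc)[0] for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{verdict:<10} {name}  progids={extract_progids(SAMPLES[name])}")
```

Run it over a directory of .html/.xhtml files by replacing SAMPLES with file contents read as text; anything reported as 'suspicious' is a candidate for the behaviour the advisory describes and should be opened only on a patched host, where it falls back to Notepad.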
