# Exploit Title:  Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execution Vulnerability

# Google Dork: N/A

# Date: March, 13 2019

# Exploit Author:  Eduardo Braun Prado

# Vendor Homepage: http://www.microsoft.com/

# Software Link: http://www.microsoft.com/

# Version: Windows 7 SP1, Server 2008, Server 2012, Server 2012 R2, 8.0, 8.1, 10 (any) with full patches up to December 2018. both x86 and x64 architectures.

# Tested on: Windows 7 SP1, Server 2008, Server 2012, Server 2012 R2, 8.0, 8.1, 10 (any) with full patches up to December 2018. both x86 and x64 architectures.

# CVE : CVE-2019-0541

The Microsoft Windows MSHTML Engine is prone to a vulnerability that allows attackers to execute arbitrary code on vulnerable systems because of improper validation

of specially crafted web documents (html, xhtml, etc). The issue is triggered when users "Edit" specially crafted documents containing a 'meta' HTML tag set to 'ProgId' and its content set to a 'ProgId' of choice eg. 'HTAFILE', usually through MS IE browser or a MS Office

component (The Edit HTML app 'msohtmed.exe'). Some Office versions will add an "Edit" menu option to html and xhtml files, making it possible to exploit the vulnerability locally or remotely (usually through network shares)

This is the 'ProgId' exploit: Similar to the old Windows Shell / Internet Explorer ClassId vulnerabilit(ies) that haunted Windows 98/2000/XP in the past.'.

On patched systems, the PoC file will always open in Notepad.

Video demo: https://youtu.be/OdEwBY7rXMw

Download PoC (in ZIP archive) with full details from: https://onedrive.live.com/?id=AFCB9116C8C0AAF4%21366&cid=AFCB9116C8C0AAF4

Proof of Concept:

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46536.zip

[EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution的更多相关文章

  1. CVE-2014-6321 && MS14-066 Microsoft Schannel Remote Code Execution Vulnerability Analysis

    目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 这次的CVE和 ...

  2. Exploiting CVE-2015-2509 /MS15-100 : Windows Media Center could allow remote code execution

    Exploiting CVE-2015-2509 /MS15-100 : Windows Media Center could allow remote code execution Trend Mi ...

  3. [EXP]Apache Superset < 0.23 - Remote Code Execution

    # Exploit Title: Apache Superset < 0.23 - Remote Code Execution # Date: 2018-05-17 # Exploit Auth ...

  4. [EXP]ThinkPHP 5.0.23/5.1.31 - Remote Code Execution

    # Exploit Title: ThinkPHP .x < v5.0.23,v5.1.31 Remote Code Execution # Date: -- # Exploit Author: ...

  5. Home Web Server 1.9.1 build 164 - CGI Remote Code Execution复现

    一.  Home Web Server 1.9.1 build 164 - CGI Remote Code Execution复现 漏洞描述: Home Web Server允许调用CGI程序来通过P ...

  6. Tomcat put上传漏洞_CVE2017-12615( JSP Upload Bypass/Remote Code Execution)

    CVE2017-12615漏洞复现( tomcat JSP Upload Bypass /Remote Code Execution) 一.漏洞原理 在windows服务器下,将readonly参数设 ...

  7. MyBB \inc\class_core.php <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution(Reverse Shell Exploit) Vulnerability

    catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 MyBB's unset_globals() function ca ...

  8. Insecure default in Elasticsearch enables remote code execution

    Elasticsearch has a flaw in its default configuration which makes it possible for any webpage to exe ...

  9. Roundcube 1.2.2 - Remote Code Execution

    本文简要记述一下Roundcube 1.2.2远程代码执行漏洞的复现过程. 漏洞利用条件 Roundcube必须配置成使用PHP的mail()函数(如果没有指定SMTP,则是默认开启) PHP的mai ...

随机推荐

  1. mysql5.5升级到5.7

    一.首先把mysql服务停止,复制mysql5.5中的data文件夹中的内容(你需要的数据库),放在mysql5.7的data文件夹中; 二.启动切换mysql5.7版本,(我这用的是phpwamp, ...

  2. mysql命令行常用指令

    一. 启动mysql:service mysql start 停止mysql:service mysql stop 重启mysql:service mysql restart 查看mysql服务状态: ...

  3. SpringBoot集成Jasypt安全框架,配置文件内容加密

    我们在SpringBoot项目中的yml或者properties配置文件中都是明文的,相对而言安全性就低了很多.都知道配置文件中的都是一些数据库连接用户名密码啊.一些第三方密钥等信息.所以我们谨慎点, ...

  4. 451. Sort Characters By Frequency将单词中的字母按照从高频到低频的顺序输出

    [抄题]: Given a string, sort it in decreasing order based on the frequency of characters. Example 1: I ...

  5. 解决IE浏览器缓存导致AJAX请求数据异常

    IE10浏览器会把AJAX请求的数据都缓存下来,然后每次想去刷新数据时发现数据都是一样的,于是导致数据显示异常. 解决方法: 在页面<head>标签里,加上以下声明: <!-- 解决 ...

  6. Iris数据集实战

    本次主要围绕Iris数据集进行一个简单的数据分析, 另外在数据的可视化部分进行了重点介绍. 环境 win8, python3.7, jupyter notebook 目录 1. 项目背景 2. 数据概 ...

  7. CentOS No package nginx available.

    CentOS No package nginx available. yum install epel-release 如果不行 https://blog.csdn.net/u012965373/ar ...

  8. ie每次登陆出现:Windows安全性 iexplore.exe 正在连接到 记住我的凭证不起作用

    解决方案: ie浏览器--设置--Intenet选项--安全--Internet--自定义级别--用户身份验证--登陆 勾选自动使用当前用户名和密码登陆 确定--确定

  9. RobotFramework 模拟http接口登录自动化脚本

    RobotFramework 模拟自动化登录脚本思路: 先获取页面cookie值,然后根据cookie值加上请求体提交登录: 一.获取cookie: 以下脚本获取cookie值,并把改脚本封装为关键字 ...

  10. Spring MVC 的国际化和本地化

    国际化: i18n 本地化: l10n java.util.Locale 类表示一个语言区域.一个 Locale 对象包含 3 个主要元件:language.country.variant java. ...