This exploit was reported to Microsoft and I was acknowledged for doing so. The exploit has been patched on March 14th 2017 under names cve-2017-0065 and MS17-007 and will not work if related patches are applied. Sourcecode is provided for educational purposes only. ### General This exploit requires the victim has a forged file (exploit.html) on his file system on a known file location. Victim does not need to run it, just have it. The file can then be invoked by visiting a malicious website (malicious_server.php). With this exploit local files may be uploaded to visited malicious websites without users consent. **Here's how to reproduce:** ``` 1. Edit exploit.html to have your test webservers address as the form action. 2. Serve malicious_server.php on a PHP enabled webserver, so you can access it with: http://yourwebserver.com/malicious_server.php 3. Place exploit.html into following folder: c:\windows\system32\drivers\etc\ (read: protocol seems picky about the file location) 4....
This exploit was reported to Microsoft and I was acknowledged for doing so. The exploit has been patched on March 14th 2017 under names cve-2017-0065 and MS17-007 and will not work if related patches are applied. Sourcecode is provided for educational purposes only. ### General This exploit requires the victim has a forged file (exploit.html) on his file system on a known file location. Victim does not need to run it, just have it. The file can then be invoked by visiting a malicious website (malicious_server.php). With this exploit local files may be uploaded to visited malicious websites without users consent. **Here's how to reproduce:** ``` 1. Edit exploit.html to have your test webservers address as the form action. 2. Serve malicious_server.php on a PHP enabled webserver, so you can access it with: http://yourwebserver.com/malicious_server.php 3. Place exploit.html into following folder: c:\windows\system32\drivers\etc\ (read: protocol seems picky about the file location) 4. Navigate to http://yourwebserver.com/malicious_server.php with Edge. ``` **Here's what should happen:** ``` 1. Navigating to malicious_server.php should trigger browser redirect to: read:,c:\windows\system32\drivers\etc\exploit.html 2. exploit.html should then prompt user to click anywhere on the empty page. 3. After a click, exploit.html will create a window with url to: read:,c:\windows\system32\drivers\etc\hosts 4. If window creation succeeds, contents of opened window (hosts file) will be copied to a hidden form, window will be closed and the form submitted back to malicious_server.php on your webserver 5. malicious_server.php will display contents of the submitted file ```
