iDefense announced a vulnerability today in Microsoft’s HTML Application Host (MSHTA).
Note: As of today, this issue has been addressed by MS Security Bulletin MS05-016 - Make sure you’ve updated!
MSHTAs are a notorious problem and are still in use as a very convenient means of executing code on a target host. Since I have nothing better to do but clean up my place and pack all my belongings so I can move in a couple weeks, I figured I’d write up a little proof of concept.
The only difficult part was determining how the CLSID is stored in the file, since it is not kept in the same text form that the registry shows. A little trial and error proved to be quicker than finding MS documentation.
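The difference the paragraph above refers to is the difference between the registry's text form of a CLSID and the 16-byte binary GUID that gets written into a file: a little-endian 32-bit field, two little-endian 16-bit fields, then eight raw bytes. The Python below is an added example, not the author's proof of concept, and shows how to convert between the two forms and how to locate the binary form inside a file buffer. The `HTA_CLSID` constant is the HTML Application class ID as it normally appears under `HKEY_CLASSES_ROOT\CLSID`; check it against your own registry before depending on it. `SAMPLE_BLOB` is a constructed stand-in for a file, not a real document.

```python
import re
import struct

# Windows GUID/CLSID layout as stored on disk and in COM structures:
#   Data1: uint32 little-endian, Data2: uint16 LE, Data3: uint16 LE, Data4: 8 raw bytes.
# The registry shows the same value as text: {Data1-Data2-Data3-Data4[0:2]-Data4[2:8]}.
_GUID_FMT = "<IHH8s"

# HTML Application class ID as it normally appears under HKEY_CLASSES_ROOT\CLSID.
# Verify against your own registry before relying on it.
HTA_CLSID = "{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}"

_CLSID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})"
    r"-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$"
)


def clsid_to_bytes(text: str) -> bytes:
    """Convert a registry-style CLSID string to its 16-byte on-disk encoding."""
    m = _CLSID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CLSID: {text!r}")
    d1, d2, d3, d4a, d4b = m.groups()
    return struct.pack(_GUID_FMT, int(d1, 16), int(d2, 16), int(d3, 16),
                       bytes.fromhex(d4a + d4b))


def bytes_to_clsid(raw: bytes) -> str:
    """Convert 16 bytes of on-disk GUID back to the registry's text form."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    d1, d2, d3, d4 = struct.unpack(_GUID_FMT, raw)
    return "{%08X-%04X-%04X-%s-%s}" % (
        d1, d2, d3, d4[:2].hex().upper(), d4[2:].hex().upper())


def find_clsid(data: bytes, clsid: str) -> list:
    """Return every offset at which the binary form of `clsid` occurs in `data`."""
    needle = clsid_to_bytes(clsid)
    offsets, start = [], 0
    while True:
        i = data.find(needle, start)
        if i == -1:
            return offsets
        offsets.append(i)
        start = i + 1


def find_clsid_text(data: bytes, clsid: str) -> list:
    """Same search, but for the ASCII text form; on a binary file this finds nothing."""
    needle = clsid.encode("ascii")
    offsets, start = [], 0
    while True:
        i = data.find(needle, start)
        if i == -1:
            return offsets
        offsets.append(i)
        start = i + 1


# Constructed sample: 32 bytes of padding, the binary CLSID, 16 bytes of padding.
# A real document would be read with open(path, "rb").read().
SAMPLE_BLOB = b"\x00" * 32 + clsid_to_bytes(HTA_CLSID) + b"\x00" * 16

if __name__ == "__main__":
    print("binary form:", clsid_to_bytes(HTA_CLSID).hex())
    print("binary offsets:", find_clsid(SAMPLE_BLOB, HTA_CLSID))
    print("text offsets:  ", find_clsid_text(SAMPLE_BLOB, HTA_CLSID))
```

Searching a file for the text form of the CLSID turns up nothing, which is why grepping for the registry string is misleading; searching for the packed bytes finds the field. Reading the 16 bytes at that offset back through `bytes_to_clsid` confirms which class the shell will be asked to instantiate.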
Instructions are in the doc. This will not do anything malicious to your system. I would recommend saving it to your system, double-clicking it to read the Word doc, then renaming it to some unknown extension such as “.bob” and double-clicking it again.
Enjoy: iDefense MSHTA PoC