From 53774fed567badef5b2e0d932c07e425ea286ecd Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Wed, 27 May 2015 18:01:40 -0500 Subject: [PATCH 1/5] Be more strict with Win 7 for MS14-064 The Powershell prompt can cause BAP to hang so we need to be more strict about that. --- .../windows/browser/ms14_064_ole_code_execution.rb | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb index f865093f34..aa0dd4bdd8 100644 --- a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb +++ b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb @@ -56,9 +56,9 @@ class Metasploit4 < Msf::Exploit::Remote } ], [ - 'Other Windows x86', + 'Windows 7 SP1', { - 'os_name' => OperatingSystems::Match::WINDOWS, + 'os_name' => OperatingSystems::Match::WINDOWS_7 } ] ], @@ -358,6 +358,11 @@ end function end def on_request_exploit(cli, request, target_info) + if get_target.name.match(OperatingSystems::Match::WINDOWS_7) && !datastore['AllowPowershellPrompt'] + send_not_found(cli) + return + end + case request.uri when /\.gif/ if get_target.name =~ OperatingSystems::Match::WINDOWS_XP From d43706b65e986e124fb938f3dc5c7aa5daaf8098 Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Wed, 27 May 2015 18:04:35 -0500 Subject: [PATCH 2/5] It doesn't look like Vista shows the powershell prompt --- .../windows/browser/ms14_064_ole_code_execution.rb | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb index aa0dd4bdd8..3558ab2bda 100644 --- a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb +++ b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb 
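Review bot: In the second hunk of patch 1/5, the new guard at the top of `on_request_exploit` has no comment explaining why Windows 7 requests are refused. It also reads `datastore['AllowPowershellPrompt']`, which this commit does not register (patch 4/5 adds it later in the series). I would put `# Powershell raises a prompt on Windows 7 that can hang BAP; answer 404 unless the operator opted in` above the `if`. The test uses `.match(...)` where the XP check a few lines below uses `=~`, so `if get_target.name =~ OperatingSystems::Match::WINDOWS_7 && !datastore['AllowPowershellPrompt']` would keep the two consistent. Both checks key off the target's display name rather than its `'os_name'` entry, so any rename of the target in the first hunk has to keep matching that pattern; the method body continues past the end of the hunk.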
@@ -56,7 +56,13 @@ class Metasploit4 < Msf::Exploit::Remote } ], [ - 'Windows 7 SP1', + 'Windows Vista', + { + 'os_name' => OperatingSystems::Match::WINDOWS_VISTA + } + ], + [ + 'Windows 7', { 'os_name' => OperatingSystems::Match::WINDOWS_7 } From 4f0e908c8b3f2ff3a0e54b683e7e1793f69d216c Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Wed, 27 May 2015 18:08:58 -0500 Subject: [PATCH 3/5] Never mind, Vista doesn't have powershell. --- .../exploits/windows/browser/ms14_064_ole_code_execution.rb | 6 ------ 1 file changed, 6 deletions(-) diff --git a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb index 3558ab2bda..248f1b8f53 100644 --- a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb +++ b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb @@ -55,12 +55,6 @@ class Metasploit4 < Msf::Exploit::Remote 'os_name' => OperatingSystems::Match::WINDOWS_XP } ], - [ - 'Windows Vista', - { - 'os_name' => OperatingSystems::Match::WINDOWS_VISTA - } - ], [ 'Windows 7', { From bcdae5fa1a067c8646022a809cdfde5990c21662 Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Wed, 27 May 2015 18:12:38 -0500 Subject: [PATCH 4/5] Forgot to add the datastore option --- modules/exploits/windows/browser/ms14_064_ole_code_execution.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb index 248f1b8f53..3d2685d75a 100644 --- a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb +++ b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb @@ -84,6 +84,7 @@ class Metasploit4 < Msf::Exploit::Remote register_options( [ OptBool.new('TRYUAC', [true, 'Ask victim to start as Administrator', false]), + OptBool.new('AllowPowershellPrompt', [true, 'Allow exploit to try Powershell', false]) ], self.class ) end 
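Review bot: The help text added for `AllowPowershellPrompt` in the `register_options` hunk (patch 4/5), `'Allow exploit to try Powershell'`, does not say what the option gates. Going by the guard added in patch 1/5, leaving it at `false` means every request matched to the Windows 7 target is answered with a 404. The text should say so, e.g. `OptBool.new('AllowPowershellPrompt', [true, 'Serve the Windows 7 target via Powershell, which raises a prompt (404 otherwise)', false])`. The name is also mixed-case next to the all-caps `TRYUAC` on the line above; pick one convention for the module. The enclosing method starts outside the hunk.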
From c3fa52f443a0b807c9c40e110889f020d7e6a764 Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Fri, 29 May 2015 13:47:20 -0500 Subject: [PATCH 5/5] Update description --- .../exploits/windows/browser/ms14_064_ole_code_execution.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb index 3d2685d75a..833e4383d2 100644 --- a/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb +++ b/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb @@ -19,8 +19,9 @@ class Metasploit4 < Msf::Exploit::Remote 'Name' => "MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution", 'Description' => %q{ This module exploits the Windows OLE Automation array vulnerability, CVE-2014-6332. - The vulnerability affects Internet Explorer 3.0 until version 11 within Windows 95 up to - Windows 10, and there is no patch for Windows XP or older. + The vulnerability is known to affect Internet Explorer 3.0 until version 11 within + Windows 95 up to Windows 10, and no patch for Windows XP. However, this exploit will + only target Windows XP and Windows 7 box due to the Powershell limitation. Windows XP by defaults supports VBS, therefore it is used as the attack vector. On other newer Windows systems, the exploit will try using Powershell instead.
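Review bot: The rewritten description no longer agrees with the unchanged sentence that follows it in the hunk. The new text says the module only targets Windows XP and Windows 7, while the context line still reads "On other newer Windows systems, the exploit will try using Powershell instead". It also omits that the Windows 7 path stays disabled unless `AllowPowershellPrompt` is set, which is the behaviour introduced earlier in this series. I would change the closing sentence to `On Windows 7 the exploit uses Powershell instead, and only when AllowPowershellPrompt is enabled.` and tidy the wording of `and no patch for Windows XP` and `Windows 7 box`. The `'Description'` string continues past the end of the hunk.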