github/metasploit-framework
1
Fork 0
mirror of https://github.com/rapid7/metasploit-framework synced 2024-11-05 14:57:30 +01:00
Code Releases Activity

Update description

Browse Source
This commit is contained in:
sinn3r 2014-10-17 00:46:17 -05:00
parent 3a63fa12b8
commit 4c0048f26a
1 changed files with 25 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
modules/exploits/windows/fileformat/ms14_060_sandworm.rb
View File

@ -15,11 +15,31 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => "MS14-060 Microsoft Windows OLE Package Manager Code Execution",
'Description' => %q{
This module exploits a vulnerability Microsoft Windows from Vista SP2 to Windows 8,
including Windows Server 2008 and 2012. The vulnerability exists in the OLE package
magager, which allows to download and execute remote INF files silently. This module
triggers the vulnerability through a malicious PPSX file, as exploited in the wild on
October 2014.
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
allowing arbitrary code execution, publicly known as "Sandworm". Platforms such as Windows
Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be
vulnerable. However, based on our testing, the most reliable setup is on Windows platforms
running Office 2013. But please keep in mind that some other setups such as using Office
2010 might be less stable, and sometimes may end up with a crash due to a failure in the
CPackage::CreateTempFileName function.
In detail, the vulnerability has to do with how the Object Packager 2 component
(packager.dll) handles an INF file that contains malicious registry changes, which may be
leveraged for code execution. First of all, Packager does not load the INF file directly.
But as an attacker, you can trick it to load your INF anyway by embedding the file path as
a remote share in an OLE object. The packager will then treat it as a type of media file,
and load it with the packager!CPackage::OLE2MPlayerReadFromStream, which will download it
with a CopyFileW call, save it in a temp folder, and pass that information for later. The
exploit will do this loading process twice: first for a fake gif file that's actually the
payload, and the second for the INF file.
The packager will also look at each OLE object's XML Presentation Command, specifically the
type and cmd property. In the exploit, "verb" media command type is used, and this triggers
the packager!CPackage::DoVerb function. Also, "-3" is used as the fake gif file's cmd
property, and "3" is used for the INF. When the cmd is "-3", DoVerb will bail. But when "3"
is used (again, for the INF file), it will cause the packager to try to find appropriate
handler for it, which will end up with C:\Windows\System32\infDefaultInstall.exe, and that
will install/run the malicious file, and finally give us arbitrary code execution.
},
'License' => MSF_LICENSE,
'Author' =>