Add module for CVE-2014-0257 #3404
Conversation
Just so you know, the repro steps and verifications for this PR actually match the code for #3403, and vice versa. I'm going to fix them up.
Fixed.
Ditto for this: why go via mshta -> web server -> powershell when you could have the DCOM call powershell directly? :) Extra style points awarded for using reflection to grab all the methods necessary for injection of the shellcode without calling a separate process.
Struggling to get this one past the
At the I'm using the same testing approach as I did with #3403, which worked just fine. @jvazquez-r7 am I doing anything stupid?
@Meatballs1 because mshta used to live under the Windows system directory, and I had the feeling PowerShell can live in different locations depending on the version. Maybe I'm wrong because I suck at PowerShell :(. So it was a little bit easier to write with mshta because of that. Since it's an escape from the browser's sandbox, I have the feeling it's okay assuming you have output access from the browser.
@OJ, not really, just retested jvazquez-r7@ffbcbe8 and it worked fine. Maybe you want to increase DELAY just in case....
@jvazquez-r7 still no dice mate. Increased up to 40 secs and it made no diff. Not sure what's going on there.
Tried again with the latest change and it still doesn't work mate.
@OJ mmm it's abusing the .NET Deployment Service (dfsvc.exe) policy to bypass the sandbox. It's using the service with .NET 4. Indeed it's trying to launch C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe. Do you mind checking whether you have .NET 4 installed and, if that's the case, whether the path exists, and sharing feedback here? Thanks!
If that's the reason for the exploit failing in your case, I will add a check in the Ruby module for the dfsvc.exe service before launching the exploit :)
@OJ I know the verification says no patches, but you can cherry-pick that Windows update to see if that fixes the issue. If so, then as @jvazquez-r7 said he can add a check to make sure it exists, which will hopefully stop this issue. It is worth trying, don't you think?
@OJ, modified to check for the dfsvc service, and using %windir% instead of a static path
@OJ just retested successfully on Win7 SP1 / IE8 / .NET 4.0 and Win7 SP1 / IE10 / .NET 4.5 (out of date). Let me know if the last changes help, thanks for testing!
I have not actually tested it but was trying to think of ways of resolving OJ's issue. However, if you give me a noob's guide to pulling this branch and the other required branch I would be happy to.
@L1ghtn1ng you just need to compile meterpreter for windows from this branch: rapid7/meterpreter#84 and use the resulting meterpreter.
Guessing that I would need Visual Express? And I have never compiled anything on Windows before.
J, you do need VS, but OJ made it super easy after that. Even I can do it. There's a wiki or blog somewhere. When OJ wakes up he can probably link to it. Hit me up, or others, on IRC if you do want to give it a go. I'm kernelsmith on IRC.
Thanks Josh, I would prefer to give it a whirl when it has landed, then take it for a spin, and if for any reason it did not work I would then get on IRC to get help debugging it.
Hey all, blog post with video here: http://buffered.io/posts/building-meterpreter-is-easy/ Hit me with questions if you get stuck!
Hooray, she fails with an error message this time:
Added a Meterpreter label.
@OJ Are you installing an old .NET 4 installer or a fresh one? I assume the fresh ones have the fix applied?
From doing a bit of googling, maybe this is the issue? http://social.msdn.microsoft.com/Forums/windows/en-US/78bff413-5770-4d1a-86af-ba9fe3750a9e/dfsvcexe-has-encountered-a-problem-and-needs-to-close?forum=winformssetup
Yeah it's a fresh one so it probably has the fix applied. If that's the case, can it be part of the check so that the user knows?
Hooray for snapshots. OK, I'm lazy and stupid, so can someone please point me at a download for 4.0 or 4.5 that we know is vuln?
Maybe this one? http://www.microsoft.com/en-gb/download/details.aspx?id=17851
That's the one I just used.
Then the only way I think you will be able to do it, to my knowledge, is via Windows Update.
Managed to get it working with the .NET 4.5 installer instead:
@OJ the file versions can probably be extracted from https://support.microsoft.com/kb/2916607, but you need to grab them for each framework version (4.5.1, 4.5, 4, 3.5, 2, 1.1, 1). I assume mscorlib.dll is the changed file for this fix; some of the KBs listed on that page are for different .NET vulns all patched under MS14-009.
OK so I have it working now. Not sure if you guys agree, but perhaps we should put some file version checks in place as well? Or is that in the "too hard" basket?
I would agree; guessing that the best place to get this information from would be the registry?
Okay, so I will review the patches and add a check for the file versions before going ahead; I will work on it over the weekend or maybe on Monday! Will update! BTW, a session is a better indicator of vulnerability =)
Thanks @jvazquez-r7, yeah I agree :) <3 shells.
Added support to check for vulnerable installations of .NET. At the moment it checks for vulnerable .NET 4.5 and 4.5.1 installations, which are the versions working with the current exploits. I've noted down to check older versions of .NET; it's probably worth adding support for older .NET versions, but I won't do it in this pull request. In the near future I would like to work on the other sandbox bypasses if nobody else does first. I'll probably revisit this exploit to check older versions too. If I've checked the patches correctly, the module should now correctly detect whether the machine is running a vulnerable .NET installation before proceeding:
.NET 4.5
.NET 4.5.1
print_status("Searching .NET Deployment Service (dfsvc.exe)...")
unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
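Review bot: the existence of dfsvc.exe under %windir%\Microsoft.NET\Framework\v4.0.30319 only shows that a .NET 4.x runtime is present, not that it is unpatched, so if this test becomes the module's check it should report Detected (or Unknown) rather than Vulnerable, and Vulnerable should be reserved for the mscorlib.dll file-version comparison discussed later in this thread. Keeping the file_exist? test as a pre-flight guard in exploit, with a clear error message when the path is missing, is still worthwhile given the earlier failures.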
This should be a check?
I didn't like it a lot because I plan to just work with .NET 4.5 and 4.5.1 here. But yes, I can add a check for .NET 4.5 and 4.5.1 and return Unknown otherwise. OK, adding.
mscorlib_version = get_mscorlib_version
unless mscorlib_version < NET_VERSIONS[net_version]["mscorlib"]
Does this comparison work reliably against a string? I would assume you would want to check against the individual integer values major, minor, build, revision, branch returned by file_version?
Since it's still open I guess everyone is more comfortable with the PowerShell method directly. See #3403. So switching here to psh too.
max_version.reverse!

i = 0
mscorlib.each do |v|
If you are comparing two arrays via [i] then it makes more sense to do:
0.upto(mscorlib.length-1) do |i|
if mscorlib[i].to_i < max_version[i].to_i
I'm not 100% confident this logic will work for the full range of file versions but need more time to work it out. Currently on site so I don't have much time to test!
Better to use Gem::Version:
> Gem::Version.new('0.4.1') < Gem::Version.new('0.10.1.2')
=> true
Cool! Thanks @jvennix-r7, using your method! You rock!
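The file-version comparison argued over in the review above (the string `<` on mscorlib_version, the index-by-index array loop, and the Gem::Version suggestion), as an added example that is not the module's code. It shows why a lexicographic String#< gives the wrong answer on dotted Windows file versions, does the same comparison with Gem::Version, and wraps it in a check-style helper that returns Unknown for .NET versions the table does not cover. The thresholds in NET_VERSIONS and the version_from_fields helper are constructed for this example and are not the real post-MS14-009 numbers or the module's own API.

```ruby
require 'rubygems' # Gem::Version; already loaded on modern Ruby, harmless otherwise

# Placeholder thresholds keyed by .NET version, in the shape of the module's
# NET_VERSIONS[net_version]["mscorlib"] lookup. The values are CONSTRUCTED for
# this example and are NOT the real patched mscorlib.dll file versions; take
# those from the KB article cited in the thread.
NET_VERSIONS = {
  '4.5'   => { 'mscorlib' => '4.0.30319.18500' },
  '4.5.1' => { 'mscorlib' => '4.0.30319.34100' },
}.freeze

# The comparison as first written: String#< is lexicographic, so a revision
# of 9999 sorts *after* 18500 because the character '9' is greater than '1'.
def naive_vulnerable?(found, patched)
  found < patched
end

# Gem::Version splits on '.' and compares every segment as an integer,
# so 9999 < 18500 is evaluated numerically.
def gem_vulnerable?(found, patched)
  Gem::Version.new(found) < Gem::Version.new(patched)
end

# Assumed helper: build a dotted string from the four integer fields a
# file-version query returns (major, minor, build, revision). A fifth
# "branch" field, if present, is deliberately not part of the comparison.
def version_from_fields(major, minor, build, revision)
  [major, minor, build, revision].join('.')
end

# Check-style decision: :unknown for .NET versions outside the table,
# :vulnerable only when the installed mscorlib.dll predates the patched one.
def check_net(net_version, mscorlib_version)
  entry = NET_VERSIONS[net_version]
  return :unknown if entry.nil?
  gem_vulnerable?(mscorlib_version, entry['mscorlib']) ? :vulnerable : :safe
end

if __FILE__ == $PROGRAM_NAME
  found   = version_from_fields(4, 0, 30319, 9999) # constructed, pre-patch
  patched = NET_VERSIONS['4.5']['mscorlib']
  puts "String#<     says vulnerable? #{naive_vulnerable?(found, patched)}" # false (wrong)
  puts "Gem::Version says vulnerable? #{gem_vulnerable?(found, patched)}"   # true
  puts "check_net('4.5', #{found}) => #{check_net('4.5', found)}"           # vulnerable
  puts "check_net('4.0', #{found}) => #{check_net('4.0', found)}"           # unknown
end
```

The same pitfall applies to the reversed-array loop in the earlier revision: comparing segments with `to_i` works, but only if the loop stops at the first segment that differs, which is exactly what Gem::Version's `<=>` already does for you.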
ping @Meatballs1 @OJ, are any of you interested in landing it? Any other stoppers? Thanks!
Requirements
rapid7/meterpreter#84
#3402
Verification
Easy verification steps: