
Windows OLE RCE Exploit MS14-060 (CVE-2014-4114) – Sandworm

Written on: October 22, 2014

This recent exploit (dubbed "Sandworm") took advantage of a vulnerability in Windows OLE in which a specially crafted OLE object embedded in an Office document could allow remote code execution. In the case of the live sample PPSX file I examined, it automatically downloaded its payload from a remote SMB share. I won't rehash the details that others have covered, but if you want to read more, here are some resources:

I downloaded a live exploit example from the following:


Again, others have explained how it works in detail, but I’ll cover it briefly here.

First, the PPSX file contains two OLE object binaries (oleObject1.bin and oleObject2.bin) that, thanks to the vulnerability, can reference content to be retrieved from a remote share.


Each is responsible for pulling down one of the following two files:

  1. A malicious executable, posing as a GIF (slide1.gif).
  2. An INF file (slides.inf) that, when retrieved and processed, renames the downloaded GIF to an EXE.

The INF file would look something like this:

After examining the PPSX file, I wrote a Python script to re-create the exploit. The script creates the INF file along with a blank PPSX file that, when opened, automatically calls back to an SMB share hosted on a remote IP (supplied by the user) and retrieves the INF and GIF (EXE) files to trigger the exploit. It also provides the option to generate a Meterpreter reverse TCP executable to use as the payload (or you can supply a payload of your choosing).

The blank PPSX file that is created can be modified to add content if you choose. The script uses python-pptx to create the blank PPTX file, which it then modifies with the exploit and converts to a PPSX file. You can obtain python-pptx here: http://python-pptx.readthedocs.org/en/latest/user/install.html#install. There is also a Metasploit module, though I haven't tried it yet.

Beyond the obvious (patching), mitigating controls include host-based AV to detect both the crafted PPSX and the downloaded executable (as always, hit or miss), email AV (for a phishing attempt via attachment), and network-level protections (IPS and, in this particular example, blocking outbound SMB traffic so the document can never reach the attacker's share in the first place).
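To make the "detect the crafted PPSX" part of the mitigation story concrete, here is a small Python triage helper. It is an added example, not the PoC script from this post or anything from the original exploit: it unzips an OOXML package (PPSX/PPTX/DOCX are all zip containers), lists the embedded OLE object parts and searches every part, as 8-bit text and as UTF-16LE, for UNC references (\\host\share\...) that would make Office reach out to a remote share. The sample package is constructed inline with a fake OLE stream (just the D0 CF 11 E0 magic plus a UTF-16LE path) so the code runs offline; the assumption that a remote-content reference can also sit in a slide's relationship part (slide1.xml.rels) is mine, since the post only describes the oleObject*.bin files. Treat the regexes as a heuristic, not a signature.

```python
import io
import re
import zipfile

# UNC reference: \\host\share\path. Compiled over bytes so the same pattern can run on
# XML parts and on raw OLE object streams; a str twin handles UTF-16LE text.
UNC_BYTES = re.compile(rb'\\\\[A-Za-z0-9_.\-]+\\[^\x00"\'<>\s]+')
UNC_TEXT = re.compile(UNC_BYTES.pattern.decode("ascii"))


def scan_office_zip(data: bytes) -> dict:
    """Inventory embedded OLE parts and UNC references in an OOXML package.

    Returns {"ole_parts": [part names], "unc_refs": [(part name, unc path), ...]}.
    """
    ole_parts, unc_refs = [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            # Embedded OLE objects live under */embeddings/ in OOXML packages.
            if "/embeddings/" in lower and lower.endswith(".bin"):
                ole_parts.append(name)
            blob = zf.read(name)
            # UNC paths written as 8-bit text (XML attributes, ASCII strings).
            for m in UNC_BYTES.finditer(blob):
                unc_refs.add((name, m.group(0).decode("latin-1")))
            # UNC paths stored as UTF-16LE, which is how OLE streams usually carry them.
            for m in UNC_TEXT.finditer(blob.decode("utf-16-le", errors="ignore")):
                unc_refs.add((name, m.group(0)))
    return {"ole_parts": sorted(ole_parts), "unc_refs": sorted(unc_refs)}


def is_suspicious(findings: dict) -> bool:
    """Embedded OLE alone is normal; an Office package pointing at a remote share is not."""
    return bool(findings["unc_refs"])


def build_sample_ppsx(unc_target=None) -> bytes:
    """Constructed sample (not a real exploit file): a minimal PPSX-like package.

    With unc_target set, the slide's OLE relationship points at the share (assumed location)
    and the fake OLE stream carries the same path in UTF-16LE. With None it is benign.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        if unc_target is None:
            rels = '<Relationships><Relationship Id="rId2" Target="../embeddings/oleObject1.bin"/></Relationships>'
            stream = b"\xd0\xcf\x11\xe0" + "harmless embedded object".encode("utf-16-le")
        else:
            rels = (
                '<Relationships><Relationship Id="rId2" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                f'Target="{unc_target}" TargetMode="External"/></Relationships>'
            )
            stream = b"\xd0\xcf\x11\xe0" + unc_target.encode("utf-16-le")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        zf.writestr("ppt/embeddings/oleObject1.bin", stream)
    return buf.getvalue()


if __name__ == "__main__":
    # 192.168.1.10 is a placeholder address for the constructed sample.
    for label, pkg in (("malicious", build_sample_ppsx(r"\\192.168.1.10\share\slide1.gif")),
                       ("benign", build_sample_ppsx())):
        result = scan_office_zip(pkg)
        print(label, "suspicious" if is_suspicious(result) else "clean", result)
```

On a real file, call scan_office_zip(open(path, "rb").read()); a hit in unc_refs is worth pairing with the network control above, since the same UNC host is what outbound SMB blocking would have stopped.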

A short video and the POC code follow:


13 Comments

  1. metacom says:

    Thanks Mike, excellent high-quality work. 🙂

  2. KoF says:

    Good Work Bro 🙂

  3. leon says:

    Hello, I downloaded the PoC. When I run it, it reports an error:

    SyntaxError: Non-ASCII character '\xc2' in file ms14_060.py on line 2, but no encoding declared

    Please help me, thank you.

    • Mike Czumak says:

      It’s probably a non-breaking space or similar character. That can happen when you copy content from a web page. I recommend replacing anything on that line that looks like a space with an actual space and see if that gets rid of the error. If you use something like Notepad++ try using the View–>Show Symbol option to make it easier to see.

      • leon says:

        Thank you for your help. I downloaded the code from http://www.exploit-db.com/exploits/35055/. I already use Notepad++, but I can't find the error. Would you send me the correct code? Thank you very much.

        • Mike Czumak says:

          As stated earlier, the error is coming from the space inserted between ")" and "Sandworm" on line 2 of the script. You need to replace any spaces between ")" and "Sandworm" with actual spaces and it will work just fine (I just tested it).

  4. saeed says:

    python 35055.py -h
    Traceback (most recent call last):
      File "35055.py", line 14, in <module>
        from pptx import Presentation
    ImportError: No module named pptx

    Help me

  5. gaz says:

    Hey,

    Sorry for the noobish question…

    Does this have to be on the LAN, or can an SMB share be anywhere in the world?

    • Mike Czumak says:

      An SMB share can be external to the LAN as long as it can be reached via a routable address. However, many organizations block outbound SMB (ports 137, 445, etc) as there is typically no reason to have it routable outside of the local network and allowing it would introduce too much risk.

  6. For most of you complaining that the exploit code just does not work: the python-pptx module is required for this to run. The traceback is due to the missing python-pptx module, move on! Kudos to the original exploit writer.
