By ////// at 2007-02-17 23:26
If you are interested in malware and exploits like me, this little tutorial could be of some "value" to you.
What I'm trying to show here is how you can decode obfuscated JavaScript that might contain some exploit(s) against web users.
But remember this: do not use your number one box when doing this. Use a VMware image or something similar; it would be a good idea to disconnect from the net too and monitor possible outgoing and incoming connection attempts.
Step 1.
Let's say that you have found some site that has obfuscated JavaScript in its source.
Just wget or curl that page; it's safer that way, since those programs do not execute JavaScript.
Or if you have already visited that page, just copy that source.
Step 2.
Copy-paste that JavaScript from the page source so you do not have anything other than JavaScript in your HTML file, like this:
[image: Javascript]
Step 3.
Add HTML headers et cetera.
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><head><title>Random</title></head>
<!-- decrypt_p: 6-bit table lookup per character, XOR 165 per output byte, result handed to document.write; the poster removed the payload string from the call below -->
<script language=JavaScript>function decrypt_p(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,7,41,45,9,1,33,58,39,8,0,0,0,0,0,0,0,62,36,34,49,12,32,50,43,6,2,46,38,24,26,11,25,53,13,21,60,4,15,28,17,18,14,0,0,0,0,27,0,31,48,55,59,37,20,19,61,3,30,54,40,51,56,5,57,47,35,16,10,23,42,44,52,22,29);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decrypt_p("EXPLOITCODE REMOVED")</script>
</html>
[image: HtmlHeaders]
Look for "document.write" or "eval" in that exploit script and change it to "alert". What this does is that instead of running that exploit, it only shows an alert dialog which contains the clear-text JavaScript/HTML/exploit code:
[image: Dialog1]
[image: Dialog2]
And BINGO, look at that line:
Code:
VAR CGI_Script="http://www.[ERASED]/cgi-bin/ie0609.cgi";
That is a part of the web-attacker toolkit, the most popular tool of malicious web sites.
It serves multiple exploits against IE & Firefox, including 0-days.
That was a very simple way of decoding JavaScript.
I got my idea for this tut from here:
http://handlers.sans.org/dwesemann/decode/index.html
A few words: I didn't copy-paste the exploit code here for obvious reasons, and that is why I had to use pictures; code would have been better ;-)