By ////// at 2007-02-17 23:26
If you are interested in malware and exploits, as I am, this little tutorial could be of some "value" to you.
What I am trying to show here is how you can decode obfuscated JavaScript that might contain one or more exploits aimed at web users.

But remember this: do not use your main box when doing this. Use a VMware image or something similar, and it is also a good idea to disconnect from the net and monitor any outgoing and incoming connection attempts.

Step 1.
Let's say that you have found a site with obfuscated JavaScript in its source.
Just wget or curl that page; it is safer that way, because those programs do not execute JavaScript.
Or, if you have already visited that page, just copy its source.

Step 2.
Copy and paste the JavaScript out of the page source so that your HTML file contains nothing but the JavaScript, like this:
[Image: Javascript]

Step 3.
Add the HTML headers and so on.
Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><head><title>Random</title></head>
<body>
<script language=JavaScript>
// decoder as found in the obfuscated page; document.write(r) is the call that gets swapped for alert(r) in the next step
function decrypt_p(x){
  var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,
      t=Array(63,7,41,45,9,1,33,58,39,8,0,0,0,0,0,0,0,62,36,34,49,12,32,50,43,6,2,46,38,24,26,11,25,53,13,21,60,4,15,28,17,18,14,0,0,0,0,27,0,31,48,55,59,37,20,19,61,3,30,54,40,51,56,5,57,47,35,16,10,23,42,44,52,22,29);
  for(j=Math.ceil(l/b);j>0;j--){
    r='';
    for(i=Math.min(l,b);i>0;i--,l--){
      w|=(t[x.charCodeAt(p++)-48])<<s;
      if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}
    }
    document.write(r)
  }
}
decrypt_p("EXPLOITCODE REMOVED")
</script>
</body>
</html>
[Image: HtmlHeaders]
Look for "document.write" or "eval" in that exploit script and change it to "alert". Instead of running the exploit, the page then only shows an alert dialog containing the clear-text JavaScript/HTML/exploit code:
[Image: Dialog1]
[Image: Dialog2]
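The same idea, done in Node.js instead of a browser, as an added example that is not part of the original post: the decrypt_p() decoder from Step 3 is ported with its document.write() call replaced by a capturing sink, so the decoded stage is returned as text rather than written into a page. The encoder, the redirectToAlert() helper and the sample payload are constructed for this example (the post only shows the decoder); the table maps several punctuation characters to the 6-bit value 0, and the encoder assumes ':' for it.

```javascript
// Added example, not code from the original post. Node.js port of decrypt_p()
// with document.write() swapped for a capturing sink, plus a constructed
// encoder so the round trip can be checked offline.

// Lookup table copied from decrypt_p(): index = charCode - 48, value = 6-bit group.
const T = [63, 7, 41, 45, 9, 1, 33, 58, 39, 8, 0, 0, 0, 0, 0, 0, 0, 62, 36, 34, 49, 12,
  32, 50, 43, 6, 2, 46, 38, 24, 26, 11, 25, 53, 13, 21, 60, 4, 15, 28, 17, 18, 14, 0, 0,
  0, 0, 27, 0, 31, 48, 55, 59, 37, 20, 19, 61, 3, 30, 54, 40, 51, 56, 5, 57, 47, 35, 16,
  10, 23, 42, 44, 52, 22, 29];
const XOR_KEY = 165;   // every decoded byte is XORed with 0xA5
const CHUNK = 1024;    // decrypt_p() writes its output in 1024-input-character chunks

// Same control flow as decrypt_p(), but each chunk goes to `sink` instead of
// document.write(); this is the "document.write -> alert" swap done in code.
function decryptP(x, sink) {
  let l = x.length, p = 0, s = 0, w = 0;
  for (let j = Math.ceil(l / CHUNK); j > 0; j--) {
    let r = '';
    for (let i = Math.min(l, CHUNK); i > 0; i--, l--) {
      w |= T[x.charCodeAt(p++) - 48] << s;
      if (s) { r += String.fromCharCode(XOR_KEY ^ (w & 255)); w >>= 8; s -= 2; }
      else { s = 6; }
    }
    sink(r);
  }
}

// Collect the decoded payload as a string instead of executing it.
function decodeToString(x) {
  const parts = [];
  decryptP(x, (chunk) => parts.push(chunk));
  return parts.join('');
}

// Inverse table for the encoder. Several punctuation characters map to 0 in T;
// the first of them (':') is used here, an assumption about the obfuscator.
const INV = {};
T.forEach((v, idx) => { if (!(v in INV)) INV[v] = String.fromCharCode(idx + 48); });

// Constructed encoder (the post shows only the decoder): XOR each byte with the
// key, pack three bytes little-endian into 24 bits, emit four 6-bit groups.
// A trailing group of n < 3 bytes needs n + 1 characters, because the decoder
// emits one byte per character after the first character of each group.
function encodeP(text) {
  const bytes = Array.from(text, (c) => (c.charCodeAt(0) & 255) ^ XOR_KEY);
  let out = '';
  for (let i = 0; i < bytes.length; i += 3) {
    const n = Math.min(3, bytes.length - i);
    const bits = bytes[i] | ((bytes[i + 1] || 0) << 8) | ((bytes[i + 2] || 0) << 16);
    for (let g = 0; g < n + 1; g++) out += INV[(bits >> (6 * g)) & 63];
  }
  return out;
}

// Textual version of the post's step: point document.write()/eval() at alert()
// so a decoded stage is displayed rather than run.
function redirectToAlert(js) {
  return js.replace(/\bdocument\.write\s*\(/g, 'alert(').replace(/\beval\s*\(/g, 'alert(');
}

// Constructed sample payload: harmless markup carrying the string from the post.
const SAMPLE = '<script>var CGI_Script="http://www.[ERASED]/cgi-bin/ie0609.cgi";</script>';

const encoded = encodeP(SAMPLE);
console.log('encoded :', encoded);
console.log('decoded :', decodeToString(encoded));
console.log('rewritten:', redirectToAlert('document.write(r)'));
```

decodeToString() is the equivalent of the alert() swap: the decoded text is shown, never passed to document.write() or eval(). Real samples are often several stages deep, so the output of one pass is fed back in as the next input until plain HTML/JavaScript appears.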
And BINGO, look at that line:
Code:
VAR CGI_Script="http://www.[ERASED]/cgi-bin/ie0609.cgi";
That is part of the web-attacker toolkit, the most popular tool used by malicious web sites.
It serves multiple exploits against IE and Firefox, including 0-days.

That was a very simple way of decoding javascript.

I got my idea for this tut from here:
http://handlers.sans.org/dwesemann/decode/index.html

A few words: I didn't copy-paste the exploit code here for obvious reasons, and that is why I had to use pictures; code would have been better ;-)
