By ////// at 2007-02-17 23:26
If you are interested in malware and exploits, as I am, this little tutorial could be of some value to you.
What I'm trying to show here is how you can decode obfuscated JavaScript that might contain exploits against web users.
But remember: do not use your number-one box for this. Use a VMware image or something similar; it would also be a good idea to disconnect from the net and to monitor possible outgoing and incoming connection attempts.
Step 1.
Let's say that you have found a site that has obfuscated JavaScript in its source.
Just wget or curl that page; it's safer that way, since those programs do not execute JavaScript.
Or, if you have already visited that page, just copy its source.
Step 2.
Copy and paste the JavaScript from the page source so that your HTML file contains nothing but that JavaScript, like this: (screenshot: Javascript)
Step 3.
Add HTML headers et cetera.
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><head><title>Random</title></head>
<script language=JavaScript>function decrypt_p(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,7,41,45,9,1,33,58,39,8,0,0,0,0,0,0,0,62,36,34,49,12,32,50,43,6,2,46,38,24,26,11,25,53,13,21,60,4,15,28,17,18,14,0,0,0,0,27,0,31,48,55,59,37,20,19,61,3,30,54,40,51,56,5,57,47,35,16,10,23,42,44,52,22,29);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decrypt_p("EXPLOITCODE REMOVED")</script>
</html>
(screenshot: HtmlHeaders)
Look for "document.write" or "eval" in the exploit script and change it to "alert". Instead of running the exploit, the script then only shows an alert dialog containing the clear-text JavaScript/HTML/exploit code: (screenshots: Dialog1, Dialog2)
And BINGO, look at that line:
Code:
VAR CGI_Script="http://www.[ERASED]/cgi-bin/ie0609.cgi";
That is part of the web-attacker toolkit, the most popular tool of malicious web sites.
It serves multiple exploits against IE and Firefox, including 0-days.
That was a very simple way of decoding JavaScript.
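The decoding trick above, as an added example that is not part of the original post: a Node.js port of the decrypt_p() decoder shown in Step 3 that returns the plaintext instead of calling document.write (the same idea as swapping document.write for alert, but none of the untrusted script is executed), plus a small triage helper that lists the URLs in the decoded payload, i.e. the kind of CGI_Script line found above. The encoder, the sample payload and the host www.example.invalid are constructed here for the demo; the post shows neither the attacker's encoder nor the real payload.

```javascript
// Added example, not code from the original post: offline port of decrypt_p().

// Substitution table copied from the decrypt_p() source in the post.
// Index = charCode - 48, so it covers '0'..'z'; the zero runs at ':'..'@'
// and '['..'^' are unused gaps (only '`' legitimately maps to 0).
const T = [63,7,41,45,9,1,33,58,39,8,0,0,0,0,0,0,0,62,36,34,49,12,32,50,43,6,2,46,38,
  24,26,11,25,53,13,21,60,4,15,28,17,18,14,0,0,0,0,27,0,31,48,55,59,37,20,19,61,3,30,
  54,40,51,56,5,57,47,35,16,10,23,42,44,52,22,29];

// XOR key applied to every decoded byte (the literal 165 in the original).
const XOR_KEY = 165;

// Port of decrypt_p(): every 4 alphabet characters carry 24 bits packed
// LSB-first, yielding 3 bytes, each XORed with XOR_KEY. The original emits the
// text via document.write in 1024-character chunks; since 1024 is a multiple
// of 4 the chunking changes nothing, so a single pass that returns the string
// is equivalent and keeps the payload inert.
function decryptP(x) {
  let out = '';
  let w = 0;   // bit accumulator
  let s = 0;   // shift position, tracked exactly as the original does
  for (let p = 0; p < x.length; p++) {
    w |= T[x.charCodeAt(p) - 48] << s;   // unknown chars become 0, as in the original
    if (s) {
      out += String.fromCharCode(XOR_KEY ^ (w & 255));
      w >>= 8;
      s -= 2;
    } else {
      s = 6;
    }
  }
  return out;
}

// The 64-symbol alphabet T is defined over, in charCode order.
const ALPHABET = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_`abcdefghijklmnopqrstuvwxyz';

// Inverse of T: 6-bit value -> alphabet character.
const INV = new Array(64);
for (const ch of ALPHABET) INV[T[ch.charCodeAt(0) - 48]] = ch;

// Inverse of decryptP(), derived here from the decoder (assumption: the post
// does not show the attacker's encoder). Used only to build a labelled sample.
// Input must be Latin-1 (char codes < 256) to round-trip.
function encryptP(plain) {
  let out = '';
  let w = 0, n = 0;                      // bit accumulator and bit count
  for (let i = 0; i < plain.length; i++) {
    w |= (plain.charCodeAt(i) ^ XOR_KEY) << n;
    n += 8;
    while (n >= 6) {                     // flush complete 6-bit groups
      out += INV[w & 63];
      w >>= 6;
      n -= 6;
    }
  }
  if (n > 0) out += INV[w & 63];         // trailing partial group
  return out;
}

// Triage helper: pull URL-like strings out of the decoded payload so the
// second-stage server (the CGI_Script line in the post) can be blocklisted and
// hunted for in proxy logs.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

// Constructed sample of the shape the post describes; example.invalid is a
// reserved, non-resolving TLD, so nothing here points at a real host.
const SAMPLE_PLAINTEXT = 'var CGI_Script="http://www.example.invalid/cgi-bin/EXAMPLE.cgi";';
const SAMPLE_ENCODED = encryptP(SAMPLE_PLAINTEXT);

// Decode the sample and report what a defender would act on.
function demo() {
  const decoded = decryptP(SAMPLE_ENCODED);
  return { decoded, urls: extractUrls(decoded) };
}

const result = demo();
console.log('encoded :', SAMPLE_ENCODED);
console.log('decoded :', result.decoded);
console.log('urls    :', result.urls);
```

Porting the decoder rather than running the attacker's script with a stubbed `document` means no untrusted code executes at all, which is the safer variant of the alert trick when the decoder is small enough to read. The port is specific to this one decrypt_p() routine; other obfuscators need their own port, and the alert or stubbed-document approach remains the quick way to get at their output inside a disposable VM.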