I came across the following exploit due to a warning from my AV software. It originated from an adserver delivering banner ads on one of my sites.
I have retrieved the content with Wget and copied to pastebin.
http://pastebin./m6fa38fac
[Warning: Link may contain malware - Do not visit from vulnerable PC.]
Please note that you have to scroll horizontally on pastebin as the code is all on one line.
Can anyone find out what the exploit actually does?
Thank you.
asked Nov 27, 2009 at 10:33 by mr-euro; edited Nov 27, 2009 at 10:39 by Simon P Stevens
- Make sure your AV is up and running as I just visited pastebin and got the alert again. – mr-euro Commented Nov 27, 2009 at 10:34
- Name the variables some normal name, then decode characters as ASCII, not that big problem. Asking someone else to do the work, that's just too much. – dusoft Commented Nov 27, 2009 at 10:43
- I think you should probably consider extracting the text and providing it in a textual form to protect other people from problems. – Simon P Stevens Commented Nov 27, 2009 at 10:44
- @dusoft If I was aware of how to do it, you would not be reading this right now. – mr-euro Commented Nov 27, 2009 at 11:17
- @Simon P Stevens I think the anti-virus software gives you the alert anyhow, even though the code does not actually execute. As long as the AV finds a certain string and it matches its AV malware list, then the alert will be triggered including clear text. – mr-euro Commented Nov 27, 2009 at 11:19
2 Answers
Not quite, as it includes (the equivalent of):
var mtime= new Date(document.lastModified).toUTCString().split(' ')[4].split(':');
it then uses the minutes and seconds of the last-modified time of the document containing it as a key to decode the array. If you can't still retrieve that time (javascript:alert(document.lastModified)) we'd have to brute-force it.
ETA: ah, actually it only uses the first digit of the minutes, and from the way it uses it we can guess it's supposed to be 1. That leaves only sixty possibilities, and a quick loop reveals that meaningful javascript only comes out for 16 seconds.
I've put the decoded script here; it will probably also ping your anti-virus. Summary: it runs exploits against the Java, Flash and Acrobat plugins, running a payload from googleservice which is (surprise surprise) a Russian attack site.
This usually works to print de-obfuscated code:
eval = alert;
In Firefox with Firebug, I solved it like this:
var lpsy16=lpsy;
eval = console.log; // This line was added
eval(lpsy+parseInt(gouy[0]));
Output is here: --deleted due to zoidberg's comment--
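The analysis both answers describe, as an added example that is not code from either answer or from the sample itself: brute-force the sixty possible seconds values for a guessed minutes digit, keep only the decodings that look like JavaScript, and capture what the final stage would hand to eval() instead of running it. The shift-by-key encoding, the keyFor/decode/bruteForceSeconds/runStageCaptured names and the benign sample array are assumptions constructed for this illustration.

```javascript
// Added example (not the original answers' code). ASSUMED scheme: each code
// point was shifted by (100 * minutesDigit + seconds); the real sample's
// arithmetic is not on the page and is not reproduced here.
const KEYWORDS = ['var ', 'function', 'document.', 'window.', 'eval('];
function keyFor(minutesDigit, seconds) {
  return 100 * minutesDigit + seconds;
}

// Constructed, benign plaintext standing in for the decoded stage.
const SAMPLE_PLAINTEXT = "var msg = 'decoded'; document.title = msg;";
// Constructed ciphertext: shifted with minutes digit 1 and 16 seconds, the values the first answer recovered.
const SAMPLE_ENCODED = Array.from(SAMPLE_PLAINTEXT,
  (c) => c.charCodeAt(0) + keyFor(1, 16));

function decode(encoded, minutesDigit, seconds) {
  const key = keyFor(minutesDigit, seconds);
  return encoded.map((n) => String.fromCharCode(n - key)).join('');
}

// Plausibility heuristic: printable ASCII plus a common JS token; wrong keys give noise.
function looksLikeJavaScript(text) {
  return /^[\x20-\x7e]*$/.test(text) && KEYWORDS.some((k) => text.includes(k));
}

// Try every seconds value for a given minutes digit; return the plausible ones.
function bruteForceSeconds(encoded, minutesDigit) {
  const hits = [];
  for (let s = 0; s < 60; s++) {
    const text = decode(encoded, minutesDigit, s);
    if (looksLikeJavaScript(text)) hits.push({ seconds: s, text });
  }
  return hits;
}

// Stand-in for the sample's last step: decode, then hand the text to eval.
function obfuscatedStage(encoded, minutesDigit, seconds) {
  eval(decode(encoded, minutesDigit, seconds));
}

// The `eval = console.log` trick from the second answer, done reversibly:
// the stage runs, but its decoded code is recorded instead of executed.
function runStageCaptured(encoded, minutesDigit, seconds) {
  const captured = [];
  const realEval = globalThis.eval;
  globalThis.eval = (code) => { captured.push(code); };
  try { obfuscatedStage(encoded, minutesDigit, seconds); }
  finally { globalThis.eval = realEval; }
  return captured;
}
```

With the sample above, bruteForceSeconds(SAMPLE_ENCODED, 1) yields exactly one plausible decoding, at 16 seconds, matching the outcome the first answer reports for the real script.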