
javascript - Can anyone de-obfuscate this exploit? - Stack Overflow


I came across the following exploit due to a warning from my AV software. It originated from an adserver delivering banner ads on one of my sites.

I have retrieved the content with Wget and copied to pastebin.

http://pastebin./m6fa38fac
[Warning: Link may contain malware - Do not visit from vulnerable PC.]

Please note that you have to scroll horizontally on pastebin as the code is all on one line.

Can anyone find out what the exploit actually does?

Thank you.

asked Nov 27, 2009 at 10:33 by mr-euro; edited Nov 27, 2009 at 10:39 by Simon P Stevens
  • 1 Make sure your AV is up and running as I just visited pastebin and got the alert again. – mr-euro Commented Nov 27, 2009 at 10:34
  • 1 Name the variables some normal name, then decode characters as ASCII, not that big a problem. Asking someone else to do the work, that's just too much. – dusoft Commented Nov 27, 2009 at 10:43
  • 1 I think you should probably consider extracting the text and providing in a textual form to protect other people from problems. – Simon P Stevens Commented Nov 27, 2009 at 10:44
  • @dusoft If I was aware of how to do it, you would not be reading this right now. – mr-euro Commented Nov 27, 2009 at 11:17
  • 1 @Simon P Stevens I think the anti-virus software gives you the alert anyhow, even though the code does not actually execute. As long as the AV finds a certain string and it matches its AV malware list, then the alert will be triggered including clear text. – mr-euro Commented Nov 27, 2009 at 11:19

2 Answers


Not quite, as it includes (the equivalent of):

var mtime= new Date(document.lastModified).toUTCString().split(' ')[4].split(':');

It then uses the minutes and seconds of the last-modified time of the document containing it as a key to decode the array. If you can no longer retrieve that javascript:alert(document.lastModified) time, we'd have to brute-force it.

ETA: ah, actually it only uses the first digit of the minutes, and from the way it uses it we can guess it's supposed to be 1. That leaves only sixty possibilities, and a quick loop reveals that meaningful JavaScript only comes out for 16 seconds.

I've put the decoded script here; it will probably also ping your anti-virus. Summary: it runs exploits against the Java, Flash and Acrobat plugins, running a payload from googleservice which is (surprise surprise) a Russian attack site.
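The brute force described in the answer above, as an added example that is not part of the original answer and is not the malware's own code. The XOR key schedule, the token list and the sample input are constructed assumptions, since the page does not show the real decoder; candidates are scored as text and never evaluated.

```javascript
// Added example. The XOR mixing is an assumed stand-in for the real decoder;
// the page only says the minutes/seconds of Last-Modified act as the key.

// Same expression as quoted in the answer, with the timestamp passed in.
function keyDigits(lastModified) {
  const mtime = new Date(lastModified).toUTCString().split(' ')[4].split(':');
  return { minuteDigit: mtime[1][0], seconds: mtime[2] };
}

// Hypothetical key schedule: minute digit "1" + seconds "16" -> 116.
function toKey(minuteDigit, seconds) {
  return parseInt(minuteDigit + String(seconds).padStart(2, '0'), 10);
}

function xorCodes(codes, key) {
  return codes.map(c => c ^ key);
}

// Heuristic for "meaningful JavaScript": count source tokens as plain text.
const TOKENS = ['var ', 'function', 'document', 'iframe'];
function score(text) {
  return TOKENS.filter(t => text.includes(t)).length;
}

// Try all sixty seconds values for a fixed minute digit; keep the best score.
function bruteForceSeconds(encoded, minuteDigit) {
  let best = { seconds: -1, score: 0, text: '' };
  for (let s = 0; s < 60; s++) {
    const key = toKey(minuteDigit, s);
    const text = String.fromCharCode(...xorCodes(encoded, key));
    const sc = score(text);
    if (sc > best.score) best = { seconds: s, score: sc, text };
  }
  return best;
}

// Constructed, harmless sample standing in for the obfuscated array.
const SAMPLE = 'var frame = document.createElement("iframe");';
const STAMP = 'Thu, 01 Jan 2009 00:12:16 GMT'; // constructed Last-Modified
const stampKey = keyDigits(STAMP);
const ENCODED = xorCodes(Array.from(SAMPLE, ch => ch.charCodeAt(0)),
                         toKey(stampKey.minuteDigit, stampKey.seconds));

const recovered = bruteForceSeconds(ENCODED, '1');
console.log(recovered.seconds, recovered.text);
```

Scoring decoded candidates as strings keeps the analysis from ever running the payload, which matters when the correct key is unknown and every candidate is untrusted.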

This usually works to print de-obfuscated code:

eval = alert;

In Firefox with Firebug, I solved it like this:

var lpsy16=lpsy;
eval = console.log; // This line was added
eval(lpsy+parseInt(gouy[0]));

Output is here: --deleted due to zoidberg's comment--
