| This page was put together to accompany my SANS ISC diary entry on "Javascript Decoding" (see https://isc2.sans.org/diary.html?storyid=2268) and the corresponding example page. If you haven't done so yet, please read the diary first.
Warning! The links on this page contain exploit code. Mind you, exploit code which has been changed very slightly and should not be harmful anymore, but it *is* exploit code, and as such it might possibly trigger your anti-virus. What I'm aiming at: Work through the examples on this page from a LAB PC which is not connected to your production network. And don't complain to me or SANS ISC if clicking on anything on this page makes your computer turn out scrambled instead of sunny side up.
|
| The Starting Point |
The original, encoded exploit page was found after unraveling a long set of exploits and IFRAMES. I picked this one as example because it shows an encoding technique that is not in all that widespread use:
Download the original file if you want to reproduce the next steps on your own! Do a right-click "save link as", or you'll end up with an empty page. The "function" calls within the file were renamed to "funkyon", and the two "eval" statements were renamed into a more fitting "evil" to keep them from triggering by accident. Note:You'll have to change "funkyon" back to "function", and "evil" back to "eval" in the file (once downloaded) if you want to play with the file! |
| Step #1 - Applying the "Monkey Wrench" |
The above code is clearly too messy to try to use the Perl-Fu method. Not knowing really what is hidden inside, and leery of the many bad guys who have started to seed their spoits with a </textarea> tag to break out of the "Liston Method" textarea jail, this leaves the "Monkey Wrench" as a good try. A quick edit replaces the first "eval" with a "print", and then: daniel@debian:~$ js 0614.txt > stage1.txtwhich results in something like this:  |
| Step #2 - Unwrapping the Octal code" |
The resulting block shown above is still encoded, but in a far easier format. You might notice that the code only uses figures between 0 and 7, which is a tell-tale indicator that the numbers are encoded in the octal numbering system. To unwrap this block you can easily use the "Monkey Wrench" again, all you have to do is replace the initial "eval" with a "print" and feed the code block into "js".For didactical :) purposes, I'm going to use the Perl-Fu method on this stage, though: daniel@debian:~$ cat stage1.txt | perl -pe 's/\\(\d+)/chr(oct($1))/ge'does the trick. oct() converts the octal number to decimal, and chr() turns the decimal ascii code into a printable character. The result is something like this:  The exploit obviously tries to download and run "down.exe" off the same site. |
출 처 : http://handlers.sans.org/dwesemann/decode/exercise.html
