English 中文(简体)
Can anyone de-obfuscate this exploit?
原标题:

I came across the following exploit due to a warning from my AV software. It originated from an adserver delivering banner ads on one of my sites.

I have retrieved the content with Wget and copied to pastebin.

http://pastebin.com/m6fa38fac
[Warning: Link may contain malware - Do not visit from vulnerable PC.]

Please note that you have to scroll horizontally on pastebin as the code is all on one line.

Can anyone find out what the exploit actually does?

Thank you.

最佳回答

Not quite, as it includes (the equivalent of):

var mtime= new Date(document.lastModified).toUTCString().split(   )[4].split( : );

it then uses the minutes and seconds of the last-modified time of the document containing it as a key to decode the array. If you can t still retrieve that javascript:alert(document.lastModified) time we d have to brute-force it.

ETA: ah, actually it only uses the first digit of the minutes, and from the way it uses it we can guess it s supposed to be 1. That s leaves only sixty possibilities, and a quick loop reveals that meaningful javascript only comes out for 16 seconds.

I ve put the decoded script here; it will probably also ping your anti-virus. Summary: it runs exploits against the Java, Flash and Acrobat plugins, running a payload from googleservice.net which is (surprise surprise) a Russian attack site.

问题回答

This ussualy works to print de-obfuscated code

eval = alert;

in firefox with firebug, i solved it like this:

var lpsy16=lpsy;
eval = console.log; // This line was added
eval(lpsy+parseInt(gouy[0]));

Output is here: --deleted due to zoidberg s comment--





相关问题
selected text in iframe

How to get a selected text inside a iframe. I my page i m having a iframe which is editable true. So how can i get the selected text in that iframe.

How to fire event handlers on the link using javascript

I would like to click a link in my page using javascript. I would like to Fire event handlers on the link without navigating. How can this be done? This has to work both in firefox and Internet ...

How to Add script codes before the </body> tag ASP.NET

Heres the problem, In Masterpage, the google analytics code were pasted before the end of body tag. In ASPX page, I need to generate a script (google addItem tracker) using codebehind ClientScript ...

Clipboard access using Javascript - sans Flash?

Is there a reliable way to access the client machine s clipboard using Javascript? I continue to run into permissions issues when attempting to do this. How does Google Docs do this? Do they use ...

javascript debugging question

I have a large javascript which I didn t write but I need to use it and I m slowely going trough it trying to figure out what does it do and how, I m using alert to print out what it does but now I ...

Parsing date like twitter

I ve made a little forum and I want parse the date on newest posts like twitter, you know "posted 40 minutes ago ","posted 1 hour ago"... What s the best way ? Thanx.

热门标签