Monday, May 19, 2008

de0bfuscating ne0spl01t manually ...

This advanced exploit framework contains an obfuscated script to make analysis harder.

Here is a way to bypass its obfuscation technique without tools.
(I am not providing the original script here; I'm sure there are a lot of compromised websites out there ... ehheheh ... and this example applies only to the one I am working on)

VirusTotal result

Below is the screenshot of the script, in word wrap.

The script depends on arguments.callee.toString() and on location.href. This means we need both the original script function and the correct location.href (Referrer).

So how are we going to deobfuscate this script?

First, we need to check the original code. In my case I changed the format so I could understand what the program does.

I keep highlighting "arguments.callee.toString() + location.href" because the program depends on the values these expressions return. Another dependency is the parameter passed to the function.

Below is a screenshot of the script in its original format; I highlighted the parameter used.

Based on my analysis of the script code, the parameter is the string we need to decrypt.

Below is the part of the script that performs the decryption.

Ok ... now let's get to the part where we deobfuscate the script.

What does the program need to execute properly?
1. The parameter passed to the function.
2. The calling function's code, untampered.
3. The location.href value.
4. Our drop file, or document.write.

Just a quick background:

JavaScript Location Object
The JavaScript location object is a property of the window object. It can be used to control the web page displayed by the browser.

href - The entire URL.

Now ... it will look like this

We can get a copy of the code by adding the following at the end of the decryption process.

var fso = new ActiveXObject("Scripting.FileSystemObject");   // Windows Script Host / IE only
var a = fso.CreateTextFile("c:\\testfile.txt", true);       // true = overwrite if it exists
// write the decrypted string to the file here (a.WriteLine with the variable the script decrypts into), then close it
a.Close();

or you can just add the instruction below.


After this we get the second obfuscated code; we just apply what we did here to that second layer, and from there we get the deobfuscated code.
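To make the dependency chain above concrete, here is an added example, not code from the original post and not Neosploit's actual routine: a toy stage-one decoder whose keystream mixes the function's own source text with location.href, together with the analyst harness that recovers the second stage without executing it. The URL, the payload, the key mixing and every function name are constructed for the demonstration; stage1.toString() stands in for the original's arguments.callee.toString() (the same text for a named function, and it also works under strict mode). The harness shows all four requirements from the list above: the parameter, the untampered function text, the correct href, and a capture sink in place of eval.

```javascript
// Added example (not from the original post): a toy self-keyed stage-one
// decoder and the analyst harness that recovers the second stage offline.
// All names, the URL and the payload below are constructed.

// Analyst stub for the browser's location object. The URL is a placeholder
// standing in for the page the script was really served from.
const EXPECTED_HREF = "http://landing.example.invalid/index.php?id=1";
globalThis.location = { href: EXPECTED_HREF };

// Output sink used instead of eval(): the post's "drop file / document.write".
const captured = [];
function sink(code) { captured.push(code); }

// One keystream byte: position j mixes a byte of the function source with a
// byte of the URL, so altering either input changes the decoded result.
function keyByte(selfSource, href, j) {
    return selfSource.charCodeAt(j % selfSource.length) ^
           href.charCodeAt(j % href.length);
}

// The decryption loop: hex-encoded parameter XOR keystream.
function decode(param, selfSource, href) {
    let out = "";
    for (let i = 0; i < param.length; i += 2) {
        const b = parseInt(param.slice(i, i + 2), 16);
        out += String.fromCharCode(b ^ keyByte(selfSource, href, i / 2));
    }
    return out;
}

// The obfuscated function as it would sit in the page. The original used
// arguments.callee.toString(); stage1.toString() yields the same text.
function stage1(param) {
    const code = decode(param, stage1.toString(), location.href);
    sink(code);           // the real script would eval(code) here
    return code;
}

// Encoder used only to build the constructed sample parameter.
function encode(plain, selfSource, href) {
    let hex = "";
    for (let i = 0; i < plain.length; i++) {
        const c = plain.charCodeAt(i) ^ keyByte(selfSource, href, i);
        hex += (c < 16 ? "0" : "") + c.toString(16);
    }
    return hex;
}

// Constructed, benign stand-in for the real second obfuscation layer.
const STAGE2 = "document.write('<b>stage two</b>');";
const PARAM = encode(STAGE2, stage1.toString(), EXPECTED_HREF);

// 1. Untampered function + correct href: the second stage comes out intact.
function recoverWithCorrectHref() {
    location.href = EXPECTED_HREF;
    return stage1(PARAM);
}

// 2. Same parameter, wrong href: it silently decodes to garbage, which is why
//    the analyst must supply the URL the landing page really had.
function recoverWithWrongHref() {
    location.href = "http://other.example.invalid/";
    return stage1(PARAM);
}

// 3. Reformatted source (whitespace collapsed, as one might do to read it):
//    the keystream no longer matches, so the function text must stay untouched.
function recoverWithReformattedSource() {
    const reformatted = stage1.toString().replace(/\s+/g, " ");
    return decode(PARAM, reformatted, EXPECTED_HREF);
}

if (typeof require !== "undefined" && require.main === module) {
    console.log(recoverWithCorrectHref());                   // the stage-two text
    console.log(recoverWithWrongHref() === STAGE2);          // false
    console.log(recoverWithReformattedSource() === STAGE2);  // false
}
```

Run it with node; the first line printed is the recovered stage-two string, captured through sink() exactly the way a document.write or file drop captures it in the post, and the two false results are the two failure modes the post warns about (wrong href, reformatted function). In a real case the script's own decode loop is kept verbatim and only the sink and the location stub are supplied.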

Hope this helps ...
