Author Topic: Shaman's Dream  (Read 4483 times)


January 01, 2010, 04:27:54 pm

BADMAN

New exploit kit

Control panel:  inter-solutions.cn/ImNYbH63/auth.php
PDF exploit:    inter-solutions.cn/ImNYbH63/exe.php?exp=pdf
Other exploits: inter-solutions.cn/ImNYbH63/index.php?exp=2[3,4]
Who knows something more about it?
I tried to replace new Date() with the "lastmodified" property from the HTTP header, but the script doesn't compile...
So how do I decode these exploits?

January 02, 2010, 11:33:41 pm
Reply #1

SysAdMini

This one is a bit tricky to decode in Malzilla, but you don't need the "lastmodified" property.

I recommend a JavaScript debugger like Google Chrome's integrated debugger. It's much easier than decoding in Malzilla
in this case.

This sample is tricky because you may not modify the code: lines of the decoding code are part of the algorithm.
You get a rubbish result if you modify the function "bMVFunc". But you have to modify this function, because
Malzilla doesn't accept the original code ("qOGet is not a function").

Solution for Malzilla:
- Make a copy of the main function "bMVFunc", paste it and rename it to "bMVFunc2".
- Modify function "bMVFunc2": replace "var qOGet = nInM["uEn6eJsEcEadpJeJ".replace(/[J68Ed]/g, new String)];" with "var qOGet = unescape;".
- Modify "bMVFunc(arrayWGetD);" to "bMVFunc2(arrayWGetD);".
- Run the script and you'll get the exploit code for a single exploit.
- Download the next exploit from the URL at the end of the page (e.g. index.php?exp=2) and repeat all the steps above until you have decoded all exploits.

Modified version of your sample attached.
Ruining the bad guy's day
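As an added example (not the sample attached to the thread, whose code is not reproduced on this page): a toy JavaScript decoder, runnable in Node, with the two traits SysAdMini describes. It reaches unescape() through the obfuscated property lookup quoted in the reply, and its key depends on the decoder's own source text, so patching "bMVFunc" in place yields rubbish while a renamed copy that keys on the untouched original decodes correctly. Assumptions: nInM stands for the browser's global object (globalThis here), the key derivation (length of bMVFunc's source) is invented for the demonstration since the page does not say how the real sample derived it, and the stage payload is a constructed string.

```javascript
// Added example, not the sample posted in the thread. Only the quoted qOGet line is
// taken from the reply; the key derivation and the payload are assumed/constructed.

const nInM = globalThis; // assumed: the sample's nInM stands for the browser's window

// "uEn6eJsEcEadpJeJ" minus the characters J, 6, 8, E, d is "unescape". `new String`
// with no argument stringifies to "", so the replacement deletes the junk characters.
function resolveObfuscatedName() {
  return "uEn6eJsEcEadpJeJ".replace(/[J68Ed]/g, new String);
}

// Key derivation shared by the encoder and the decoders below (assumed scheme).
function keyFromSource(src) {
  return src.length & 0xff;
}

// Encoder side (what the kit's server would do): XOR every byte of the stage with the
// key derived from the decoder's source and hand over the resulting byte array.
function encodeForDecoder(text) {
  const key = keyFromSource(bMVFunc.toString());
  const bytes = [];
  for (let i = 0; i < text.length; i++) bytes.push((text.charCodeAt(i) ^ key) & 0xff);
  return bytes;
}

// Shape of the original decoder. In a browser nInM["unescape"] is window.unescape; in
// Malzilla's engine there is no such object, hence "qOGet is not a function".
function bMVFunc(arrayWGetD) {
  var qOGet = nInM["uEn6eJsEcEadpJeJ".replace(/[J68Ed]/g, new String)];
  var key = bMVFunc.toString().length & 0xff;
  var s = "";
  for (var i = 0; i < arrayWGetD.length; i++) {
    s += "%" + ("0" + ((arrayWGetD[i] ^ key) & 0xff).toString(16)).slice(-2);
  }
  return qOGet(s);
}

// The naive Malzilla fix: swap the lookup for unescape inside the decoder itself. This
// models bMVFunc after an in-place edit, so it keys on its own (now changed) source
// and every decoded byte comes out wrong.
function bMVFuncPatched(arrayWGetD) {
  var qOGet = unescape;
  var key = bMVFuncPatched.toString().length & 0xff;
  var s = "";
  for (var i = 0; i < arrayWGetD.length; i++) {
    s += "%" + ("0" + ((arrayWGetD[i] ^ key) & 0xff).toString(16)).slice(-2);
  }
  return qOGet(s);
}

// SysAdMini's workaround: leave bMVFunc untouched so the source it keys on is
// unchanged, and run a renamed copy that only replaces the lookup with unescape.
function bMVFunc2(arrayWGetD) {
  var qOGet = unescape;
  var key = bMVFunc.toString().length & 0xff;
  var s = "";
  for (var i = 0; i < arrayWGetD.length; i++) {
    s += "%" + ("0" + ((arrayWGetD[i] ^ key) & 0xff).toString(16)).slice(-2);
  }
  return qOGet(s);
}

// Constructed stage payload standing in for one decoded exploit (not from the sample).
const SAMPLE_STAGE = "document.write('<iframe src=\"index.php?exp=2\"></iframe>')";
const arrayWGetD = encodeForDecoder(SAMPLE_STAGE);

console.log("lookup resolves to:", resolveObfuscatedName());
console.log("bMVFunc        :", bMVFunc(arrayWGetD));
console.log("bMVFuncPatched :", JSON.stringify(bMVFuncPatched(arrayWGetD)));
console.log("bMVFunc2       :", bMVFunc2(arrayWGetD));
```

The same pattern is why a debugger is the easier route: stepping through the untouched script in Chrome and reading the decoded string off the argument to the final eval/document.write never changes the source the key is computed from.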

January 03, 2010, 07:51:30 pm
Reply #2

BADMAN


January 04, 2010, 10:36:13 pm
Reply #3

SysAdMini
