eval() and document.write(), meet Execute and ExecuteGlobal

Be on the lookout for these two VBScript statements that can be used to achieve the same effect as eval() and document.write(): Execute and ExecuteGlobal. Jonathan Ness pointed me to an exploit sample that was using Execute, presumably to trip up any eval() or document.write() dependent detection logic or automatic de-obfuscation.  Thanks JNess!

0

Recursive Obfuscation

Thanks to Jonathan Ness for pointing me to an example of a new obfuscation technique that attempts to thwart the eval() à alert() trick.Take a look at the following obfuscation script: 1  <script> 2  function N(F,D) 3  { 4     if (!D) D = ‘ “#%()-./012348:;<=>@ACEGHILMOPRTVWY\\]_abcdefghijlmnopqrstuvwxyz’; 5   6     var f; 7     var V=”; 8   9     for (var c=0;c<F.length;c+=arguments.callee.toString().length-380)10     {11          …

0

High-bit ASCII obfuscation

Here’s another new obfuscation technique I’ve seen in use on malicious web sites recently.  Check out the following HTML:<html><meta http-equiv=content-type content=’text/html; charset=us-ascii’></head><body>¼óãòéðô¾áìåòô¨¢Ôèéó éó óïíå ïâæõóãáôåä óãòéðô¡¢©»¼¯óãòéðô¾</body></html> Those funny characters are actually standard ASCII characters with the high-bit of each byte set.  If the high-bit ASCII managed to get posted properly to this blog without getting mangled, you should be able…

1

Code length dependent obfuscation

Wow, it’s been a long time!  Hopefully I can find more time to blog over the next couple of months.In any event, my paper from last year really could use some updates.  Among other things there are a whole new slew of “Usual Suspect” vulnerabilities to document.  For this post I’ll focus on documenting an…

2