eval() and document.write(), meet Execute and ExecuteGlobal

Be on the lookout for these two VBScript statements that can be used to achieve the same effect as eval() and document.write(): Execute and ExecuteGlobal. Jonathan Ness pointed me to an exploit sample that was using Execute, presumably to trip up any eval() or document.write() dependent detection logic or automatic de-obfuscation.  Thanks JNess!


Recursive Obfuscation

Thanks to Jonathan Ness for pointing me to an example of a new obfuscation technique that attempts to thwart the eval() → alert() trick. Take a look at the following obfuscation script:

    <script>
    function N(F,D)
    {
       if (!D) D = ' "#%()-./012348:;<=>@ACEGHILMOPRTVWY\\]_abcdefghijlmnopqrstuvwxyz';

       var f;
       var V='';

       for (var c=0;c<F.length;c+=arguments.callee.toString().length-380)
       {
            …


High-bit ASCII obfuscation

Here’s another new obfuscation technique I’ve seen in use on malicious web sites recently. Check out the following HTML:

    <html><meta http-equiv=content-type content='text/html; charset=us-ascii'></head><body>
    ¼óãòéðô¾áìåòô¨¢Ôèéó éó óïíå ïâæõóãáôåä óãòéðô¡¢©»¼¯óãòéðô¾
    </body></html>

Those funny characters are actually standard ASCII characters with the high-bit of each byte set. If the high-bit ASCII managed to get posted properly to this blog without getting mangled, you should be able…


Code length dependent obfuscation

Wow, it’s been a long time! Hopefully I can find more time to blog over the next couple of months. In any event, my paper from last year really could use some updates. Among other things there is a whole new slew of “Usual Suspect” vulnerabilities to document. For this post I’ll focus on documenting an…


Analyzing Browser Based Vulnerability Exploitation Incidents

I’ve written up a paper that describes some useful tools/techniques for deconstructing web based exploits: Analyzing Browser Based Vulnerability Exploitation Incidents. The paper started as a blog entry and it remains a blog entry at its core. But since really huge blog entries are uncool (so I hear), and for other logistical reasons, the paper itself is…


Hello!

Hi!  I’m David Ross and this is my work blog.  As an engineer on the Microsoft Secure Windows Initiative at Microsoft I specialize in browser and web application security.