Manually Execute Javascript from Terminal
I recently received some spam, or more accurately, a phishing email, claiming doom and gloom regarding a bank. It had an innocent-looking URL in the email to click on, to supposedly read the news.
I'm not about to post the URL here on my blog, but you can email me if you're interested in having a look at it.
Using some cURL action, I had a look at the various server responses to see where it was being redirected to. Eventually, it ended up on a page containing "encrypted" JavaScript.
Banking on the fact that the JavaScript code, when decrypted, would do something funky with Internet Explorer, I wanted to see what the code contained. As the decryption routine was at the start of the JavaScript code, all I needed was a method to run JavaScript from the command line.
Enter the Rhino project from Mozilla. Simply put, Rhino is JavaScript for Java.
Downloading it gave me a zip containing, among other things, a js.jar file, which is what we need.
I put the js.jar file in my ~/Library/Java/Extensions - you can put it anywhere you want.
I then set up a CLASSPATH environment variable for bash, in my .bashrc file like so:
export CLASSPATH=$CLASSPATH:~/Library/Java/Extensions:~/Library/Java/Extensions/js.jar
and then closed and reopened the shell to use the new classpath.
Next, I used cURL to download the file, which was wrapped in <script> tags (which I removed), and saved it as test.js.
Lastly, to execute it, I called the Rhino stuff like so:
java org.mozilla.javascript.tools.shell.Main demo.js
You can also define an alias in your .bashrc as well:
alias js='java org.mozilla.javascript.tools.shell.Main'
which will make things easier if you plan to do a lot of JavaScript stuff.
When I executed the downloaded JavaScript, I had to manually edit it and change a reference from document.write() to print() so that the output from the decrypter was printed to standard output (i.e., the Terminal).
The encrypted JavaScript then generated a bunch of regular-looking JavaScript that does a whole heap of browser detection (looking for IE or Firefox) and checks for some patches, before passing the detected version off to another CGI script, presumably with the payload in it. However, when I checked it, the page was suspended =)
Update: The Australian IT has more details