Microsoft Word - poc_script1.doc

Size: px

Start display at page:

Download "Microsoft Word - poc_script1.doc"

태수 뇌
5 years ago
Views:

1 POC Hacker s dream Script #1 US-ASCII 방식의악성스크립트분석 HACKING GROUP OVERTIME OVERTIME woos55 55< wooshack55@gmail.com>2008. >

2 1. US_ASCII 로인코딩된스크립트디코딩하기. [2] 사이트참조 ASCIIExploit.exe d index.html << decode.html decode.html 로디코드된스크립트를분석하다보면다음과같은의심가는부분을만날 수있다. unescape() 안의값을디코딩해보자. <SCRIPT LANGUAGE="JavaScript" id="minegame3"> // ******************************************************************************* // This is the script for the security of the game. // ******************************************************************************* document.write( unescape('%3c%73%63%72%69%70%74%3e% 66%75%6E%63%74%69 %6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75 %6E%65%73% 63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73% 2E%6C%65%6 E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%2 7%3B%66%6F %72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68 %3B%69%2B %2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43 %68%61%72% 43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41% 74%28%69%29 %2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74 %68%2D%31% 2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69% 74%65%28%7 5%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%6 3%72%69%70 %74%3E')); df('%2a8hxhwnuy%2a75qfslzflj%2a8iof%7bfxhwnuy%2a8jk zshynts%2a75q66666q% 2A7%3Dq6666qq%2A7%3E%2A%3CGyw%7E%2A%3CGqq666NN%2A7% 3Dqq66qq66q%... 2A77%2A7%3E%2A8H%2A7Kxhwnuy%2A8J5'); </SCRIPT>

3 2. unescape 이용해서디코딩하려고하는 () 안을값이무엇인지확인해보자. 디코딩해보면 df 함수를정의한부분이란것을알수있다. 그럼, df() 함수를돌릴수있 다. 결과를 unescape 되지않은순수 t 값을찍어서보자. function df(s) var s1=unescape(s.substr(0,s.length-1)); var t=''; for(i=0;i<s1.length;i++) t+=string.fromcharcode(s1.charcodeat(i)-s.substr(s.length-1,1)); document.write(t); //document.write(unescape(t)); 그럼, 다음과같이인코딩된스크립트를얻을수있다. %3Cscript%20language%3DJavaScript%3Efunction%20l111 11l%28l1111ll%29%7Btry%7 Bll111II%28ll11ll11l%29%3Bfor%28var%20IIIlIII%20%3D%200%3B%20IIIlIII%20%3C%2 0ll111ll.length%3B%20IIIlIII%2B%2B%29%20%7B%20IIIII II%20%2B%3D%20ll111ll.char CodeAt%28IIIlIII%29%20%7DIIIIIII%20%3D%20IIIIIII%20%25% %3Bvar%20lllIlll %20%3D%20new%20Array%3B%20lllIlll%20%3D%20l1111ll.s plit%28%22%2c%22%29% 3Bvar%20IIIIIll%20%3D%20%22%22%3B%20for%28var%20III liii%20%3d%200%3b%20i IIlIII%20%3C%20lllIlll.length%3B%20IIIlIII%2B%2B%29%20%7B%20IIIIIll%20%2B%3D% 20String.fromCharCode%28%28%28lllIlll%5BIIIlIII%5D% 29- IIIIIII%29%20%5E%20llIlIII.charCodeAt%28IIIlIII%25l liliii.length%29%29%3b%7dvar%20 IIIlllI%3DIIIIIll.length%2ClIlIlIl%2CIIlllII%2CIlllIll%2CIlIlIlI%3D%28512%2A2%29%2CllIlIIl %3D0%2CllIllll%3D0%2Clllllll%3D0%3Bfor%28llIIIII%3D%20Math.ceil%28IIIlllI%2FIlIlIlI %29%3BllIIIII%3E0%3BllIIIII-- %29%7BIlllIll%3D%27%27%3B%20for%28lIlIlIl%3DMath.mi n%28iiillli%2cililili%29%3bli lilil%3e0%3b%20%20lililil--%2ciiillli-- %29%7Blllllll%7C%3D%28IIIlIIl%5B%20IIIIIll.charCode At%28llIlIIl%2B%2B%29-48%5D%29%3C%3CllIllll%3Bif%28llIllll%29%7BIlllIll%2 B%3DString.fromCharCode%282 09%5Elllllll%26255%29%3Blllllll%3E%3E%3D8%3BllIllll- %3D2%7Delse%7BllIllll%3D6%7D%3B%7D%20ll111II%28Illl Ill%29%20%7D%20%7D%20 catch%28error%29%20%7b%7d%7d%3c%2fscript%3e%3cscrip t%20language%3djava Script%3Evar%20IIIlIIl%3DArray%2863%2C12%2C6%2C53%2 C0%2C48%2C43%2C54%

4 2C42%2C47%2C0%2C0%2C0%2C0%2C0%2C0%2C59%2C13%2C25%2C 30%2C50%2C60 %2C1%2C18%2C61%2C8%2C16%2C56%2C20%2C49%2C51%2C21%2C 45%2C28%2C22 %2C31%2C35%2C5%2C14%2C23%2C27%2C37%2C2%2C0%2C0%2C0% 2C0%2C55%2C 0%2C11%2C33%2C9%2C19%2C40%2C41%2C15%2C62%2C3%2C39%2 C10%2C32%2C1 7%2C44%2C36%2C24%2C7%2C52%2C26%2C29%2C58%2C57%2C46% 2C4%2C34%2C3 8%29%3Bl11111l%28% %2C71517%2C71488%2C71525%2 C71484%2C71487% 2C71467%2C71528%2C71541%2C71503%2C71531%2C71511%2C7 1530%2C71530%2C 71546%2C71482%2C71515%2C71499%2C71531%2C71511%2C714 42%2C71540%2C71 525%2C71497%2C71516%2C71474%2C71507%2C71464%2C71441 %2C71449%2C7152 5%2C71526%2C71542%2C71540%2C71546%2C71474%2C71443%2 C71543%2C71477 %2C71532%2C71506%2C71448%2C71448%2C71492%2C71546%2C 71542%2C71486% 2C71471%2C71455%2C71522%2C71455%2C71475%2C71565%2C7 1477%2C71459%2C 71467%2C71464%2C71473%2C71488%2C71478%2C71473%2C714 75%2C71452%2C71 453%2C71548%2C71527%2C71524%2C71558%2C71554%2C71531 %2C71450%2C7155 3%2C71502%2C71495%2C71450%2C71480%2C71445%2C71506%2 C71558%2C71553 %2C71481%2C71484%2C71509%2C71525%2C71563%2C71503%2C 71448%2C71463% 2C71474%2C71442%2C71454%2C71528%2C71473%2C71488%2C7 1454%2C71510%2C 71484%2C71501%2C71450%2C71526%2C71489%2C71455%2C714 58%2C71551%2C71 549%2C71551%2C71537%2C71507%2C71562%2C71455%2C71450 %2C71485%2C7156 7%2C71470%2C71553%2C71501%2C71554%2C71459%2C71565%2 C71464%2C71443 %2C71481%2C71562%2C71447%2C71537%2C71526%2C71486%2C 71466%2C71481% 2C71484%2C71498%2C71467%2C71455%2C71489%2C71523%2C7 1533%2C71446%2C 71487%2C71553%2C71488%2C71443%2C71501%2C71485%2C715 53%2C71562%2C71 476%2C71513%2C71519%2C71445%2C71492%2C71458%2C71453 %2C71480%2C7144 8%2C71451%2C71453%2C71464%2C71533%2C71512%2C71479%2 C71460%2C71455 %2C71488%2C71479%2C71567%2C71497%2C71512%2C71518%2C 71554%2C71452% 2C71554%2C71448%2C71449%2C71557%2C71561%2C71453%2C7 1447%2C71494%2C 71447%2C71510%2C71497%2C71462%2C71485%2C71553%2C714 94%2C71466%2C71 469%2C71510%2C71449%2C71516%2C71527%2C71441%2C71454 %2C71526%2C7144 2%2C71464%2C71506%2C71468%2C71471%2C71524%2C71465%2 C71475%2C71477 %2C71532%2C71498%2C71475%2C71448%2C71492%2C71561%2C 71546%2C71538% 2C71501%2C71562%2C71531%2C71531%2C71538%2C71502%2C7 1526%2C71552%2C 71509%2C71513%2C71481%2C71474%2C71508%2C71529%2C715 59%2C71550%2C71 517%2C71538%2C71565%2C71495%2C71445%2C71484%2C71531 %2C71553%2C7144 2%2C71468%2C71501%2C71568%2C71526%2C71536%2C71513%2 C71527%2C71542 %2C71552%2C71563%2C71534%2C71466%2C71484%2C71496%2C 71461%2C71458%

5 2C71508%2C71498%2C71462%2C71513%2C71554%2C71448%2C7 1442%2C71532%2C 71498%2C71448%2C71475%2C71568%2C71542%2C71514%22%29 %3C%2Fscript%3E 3. 패스워드스크립트디코딩하여패스워드알아내기. 위의스크립트를디코딩한결과이다. 여기서주목해야할부분은빨간색으로된함수와변수이다. 원문스크립트어느부분을찾아보아도이와관련된함수는찾아볼수없다. 그러나분명원문스크립트어딘가에있을것이므로디코드된원문을다시분석해보자. ( 다음설명에서부터는이스크립트를 패스워드스크립트 라명명하겠다.) <script language=javascript>function l11111l(l1111l l)tryll111ii(ll11ll11l); ll111ii(ll11ll11l); = 0; IIIlIII < ll111ll.length; IIIlIII++) IIIIIII IIIIIII += ll111ll ll111ii(ll11ll11l);for(var IIIlIII ll111ll.charcodeat(iiiliii) IIIIIII IIIIIII = IIIIIII % ;var lllilll = new Array; lllilll = l1111ll.split(",");var IIIIIll = ""; for(var IIIlIII = 0; IIIlIII < lllilll.length; IIIlIII++) IIIIIll += String.fromCharCode(((lllIlll[IIIlIII])- IIIIII IIIIIII) ^ lliliii.charcodeat(iiiliii%lliliii lliliii.length));var IIIlllI=IIIIIll.length,lIlIlIl,IIlllII,IlllIll,IlIlIlI=(512*2),llIlIIl=0,llIllll=0,lllllll=0;for(llIIIII= Math.ceil(IIIlllI/IlIlIlI);llIIIII>0;llIIIII--)IlllIll=''; for(lililil=math.min(iiillli,ililili);lililil>0; lililil--,iiillli--)lllllll =(IIIlIIl[ IIIIIll.charCodeAt(llIlIIl++)- 48])<<llIllll;if(llIllll)IlllIll+=String.fromCharCode(209^lllllll&255);lllllll>>=8;llIllll- =2elsellIllll=6; ll111ii(illlill) catch(error) </script><script language=javascript>var IIIlIIl=Array(63,12,6,53,0,48,43,54,42,47,0,0,0,0,0,0,59,13,25,30,50,60,1,18,61,8,16,56,2 0,49,51,21,45,28,22,31,35,5,14,23,27,37,2,0,0,0,0,55,0,11,33,9,19,40,41,15,62,3,39,10,3 2,17,44,36,24,7,52,26,29,58,57,46,4,34,38);l11111l("71496,71517,71488,71525,71484,7 1487,71467,71528,71541,71503,71531,71511,71530,7153 0,71546,71482,71515,71499,7 1531,71511,71442,71540,71525,71497,71516,71474,7150 7,71464,71441,71449,71525,7 1526,71542,71540,71546,71474,71443,71543,71477,7153 2,71506,71448,71448,71492,7 1546,71542,71486,71471,71455,71522,71455,71475,7156 5,71477,71459,71467,71464,7 1473,71488,71478,71473,71475,71452,71453,71548,7152 7,71524,71558,71554,71531,7 1450,71553,71502,71495,71450,71480,71445,71506,7155 8,71553,71481,71484,71509,7 1525,71563,71503,71448,71463,71474,71442,71454,7152 8,71473,71488,71454,71510,7 1484,71501,71450,71526,71489,71455,71458,71551,7154 9,71551,71537,71507,71562,7 1455,71450,71485,71567,71470,71553,71501,71554,7145 9,71565,71464,71443,71481,7 1562,71447,71537,71526,71486,71466,71481,71484,7149 8,71467,71455,71489,71523,7 1533,71446,71487,71553,71488,71443,71501,71485,7155 3,71562,71476,71513,71519,7 1445,71492,71458,71453,71480,71448,71451,71453,7146 4,71533,71512,71479,71460,7

6 1455,71488,71479,71567,71497,71512,71518,71554,7145 2,71554,71448,71449,71557,7 1561,71453,71447,71494,71447,71510,71497,71462,7148 5,71553,71494,71466,71469,7 1510,71449,71516,71527,71441,71454,71526,71442,7146 4,71506,71468,71471,71524,7 1465,71475,71477,71532,71498,71475,71448,71492,7156 1,71546,71538,71501,71562,7 1531,71531,71538,71502,71526,71552,71509,71513,7148 1,71474,71508,71529,71559,7 1550,71517,71538,71565,71495,71445,71484,71531,7155 3,71442,71468,71501,71568,7 1526,71536,71513,71527,71542,71552,71563,71534,7146 6,71484,71496,71461,71458,7 1508,71498,71462,71513,71554,71448,71442,71532,7149 8,71448,71475,71568,71542,7 1514")</script> 직감적으로이부분은뭔가미심쩍은느낌이들었다. 그러나직감으로만풀수는없다. 스크립트를분석할때 Microsoft Visual Web Developer 와같은디버거를이용한다면, 스크립트가어떻게동작하고있는지각변수에어떤값이들어가는지살펴보던중 minecount2 변수로부터실마리를찾을수있었다. minelist2=document.getelementbyid('minegame2').innerhtml.split('\r\n'); minecount2 = ""; for(c=4; c < (e+4); c++) minename2=minelist2[c]; for(f=0; f < d; f++) y = ((minename2.length - (8*d)) + (f*8)); v = 0; for(x = 0; x < 8; x++) if(minename2.charcodeat(x+y) > 9) v++; if(x!= 7) v = v << 1;

7 minecount2 += String.fromCharCode(v); document.write(minecount2); 디버깅결과다음과같은함수를얻을수있다. <script> var ll11ll11l = "var lliliii = arguments.callee.tostring(); var ll111ll = lliliii + \"asec\" + location.hostname; var IIIIIII = 0;"; ll111ii=eval; </script> 그러나이스크립트와위의패스워드스크립트를그대로실행하면패스워드를얻을수없다. 홈페이지는오류보고나다른특이사항없이정상적으로동작하기때문이다. 여기에는두가지이유가있다. 첫번째는 location.hostname 을제대로정해주어야한다. 이값에도정확한값을넣어야한다. 나는디코드된원문에서 <BASE HREF=" 이것에서힌트를얻어 hostname을 ahnlab-security.com으로지정해주었다. 여기서한가지주의해야할점은 location.hostname 객체를만들어서지정해주게되면예상치못한상황을맞게될것이다. 그러한이유로 var ll111ll = lliliii + "asecahnlab-security.com"; 이렇게수정해주었다. 두번째이유는패스워드를알아내야한다는것이다. 하지만, 패스워드스크립트를수정해서값을찍어본다던지하기위해훼손해서는안된다. 다른방법을적용해야한다. 왜냐하면원문자체로어떤값을계산하고있고원문의길이를이용하고있기때문이다. 그리고디버깅을통해서어떤값이찍히는지알아보려고해도중단점을아무리잘건다해도그값을알아보기가어려웠다. 그래서다음과같이패스워드스크립트는변경하지않고변수및함수정의스크립트를다음과같이변경하였다. <script> var ll11ll11l = ""; var lliliii = arguments.callee.tostring(); var ll111ll = lliliii + "asecahnlab-security.com"; var IIIIIII = 0; ll111ii=document.write; </script> 하지만또하나의난관에봉착하였다. arguments.callee.tostring(); 이값을제대로알아오 지못한다는것이다. 그래서윗부분에 <script id = js > 라고지정해주어패스워드스크립

8 트를정의해주고다음과같은방법을이용했다. <script> var ll11ll11l = ""; var test = document.getelementbyid('js').innerhtml.split('\r\n'); var lliliii = test[1]; var ll111ll = lliliii + "asecahnlab-security.com"; var IIIIIII = 0; ll111ii=document.write; </script> 4. 패스워드추출 수정내용을반영후실행하니드디어다음과같이패스워드를얻게되었다. [1] US-ASCII 방식의악성스크립트분석하기 [2] ASCII exploit 에서사용하는문자열인코딩 / 디코딩프로그램