Microsoft Word - poc_script1.doc


POC Hacker's Dream Script #1
Analysis of a US-ASCII-encoded malicious script
HACKING GROUP OVERTIME
woos55 <wooshack55@gmail.com>
2008.10.27

1. Decoding the US-ASCII-encoded script

See reference [2] for the tool.

```
ASCIIExploit.exe d index.html << decode.html
```

While analyzing the script decoded into decode.html, you come across the following suspicious part. Let's decode the value inside unescape().

```html
<SCRIPT LANGUAGE="JavaScript" id="minegame3">
// *******************************************************************************
// This is the script for the security of the game.
// *******************************************************************************
// The percent-encoded literal defines the helper function dF(); see section 2.
document.write(unescape('%3C%73%63%72%69%70%74%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));
// The argument is the next layer; its last character ("5") is the shift value.
dF('%2A8Hxhwnuy%2A75qfslzflj%2A8IOf%7BfXhwnuy%2A8Jkzshynts%2A75q66666q%2A7%3Dq6666qq%2A7%3E%2A%3CGyw%7E%2A%3CGqq666NN%2A7%3Dqq66qq66q%...2A77%2A7%3E%2A8H%2A7Kxhwnuy%2A8J5');
</SCRIPT>
```

2. Checking what the unescape() argument contains

Let's check what the value inside the () passed to unescape is. Decoding it shows that it is the part that defines the dF function, so dF() can now be run. Instead of letting it write the unescaped result, print the raw value of t before it is unescaped.

```javascript
function dF(s) {
    // Everything except the last character is the payload; the last character is the shift.
    var s1 = unescape(s.substr(0, s.length - 1));
    var t = '';
    for (i = 0; i < s1.length; i++)
        t += String.fromCharCode(s1.charCodeAt(i) - s.substr(s.length - 1, 1));
    document.write(t);               // print the still-encoded text
    //document.write(unescape(t));   // original behaviour: write the decoded script
}
```

This yields the next layer as a percent-encoded script.


3. Decoding the password script to find the password

Decoding that percent-encoded script gives the result below. The parts to note are the function and variables shown in red in the original document: ll111II, ll11ll11l, ll111ll, IIIIIII and llIlIII. No definition of them can be found anywhere in this script. They must be defined somewhere in the original page, however, so let's analyze the decoded original again. (From here on, this script is called the "password script".)

```html
<script language=JavaScript>
function l11111l(l1111ll){
  try{
    // ll111II and ll11ll11l are not defined in this script.
    ll111II(ll11ll11l);
    // Checksum over ll111ll, reduced mod 200000.
    for(var IIIlIII = 0; IIIlIII < ll111ll.length; IIIlIII++) { IIIIIII += ll111ll.charCodeAt(IIIlIII) }
    IIIIIII = IIIIIII % 200000;
    var lllIlll = new Array; lllIlll = l1111ll.split(",");
    var IIIIIll = "";
    // Subtract the checksum from each number, then XOR with llIlIII as a repeating key.
    for(var IIIlIII = 0; IIIlIII < lllIlll.length; IIIlIII++) { IIIIIll += String.fromCharCode(((lllIlll[IIIlIII])-IIIIIII) ^ llIlIII.charCodeAt(IIIlIII%llIlIII.length));}
    var IIIlllI=IIIIIll.length,lIlIlIl,IIlllII,IlllIll,IlIlIlI=(512*2),llIlIIl=0,llIllll=0,lllllll=0;
    // Table-driven 6-bit unpacking, each output byte XORed with 209, emitted in 1024-character chunks.
    for(llIIIII= Math.ceil(IIIlllI/IlIlIlI);llIIIII>0;llIIIII--){
      IlllIll='';
      for(lIlIlIl=Math.min(IIIlllI,IlIlIlI);lIlIlIl>0; lIlIlIl--,IIIlllI--){
        lllllll|=(IIIlIIl[ IIIIIll.charCodeAt(llIlIIl++)-48])<<llIllll;
        if(llIllll){IlllIll+=String.fromCharCode(209^lllllll&255);lllllll>>=8;llIllll-=2}else{llIllll=6};
      }
      ll111II(IlllIll)
    }
  } catch(error) {}
}
</script>
<script language=JavaScript>
var IIIlIIl=Array(63,12,6,53,0,48,43,54,42,47,0,0,0,0,0,0,59,13,25,30,50,60,1,18,61,8,16,56,20,49,51,21,45,28,22,31,35,5,14,23,27,37,2,0,0,0,0,55,0,11,33,9,19,40,41,15,62,3,39,10,32,17,44,36,24,7,52,26,29,58,57,46,4,34,38);
l11111l("71496,71517,71488,71525,71484,71487,71467,71528,71541,71503,71531,71511,71530,71530,71546,71482,71515,71499,71531,71511,71442,71540,71525,71497,71516,71474,71507,71464,71441,71449,71525,71526,71542,71540,71546,71474,71443,71543,71477,71532,71506,71448,71448,71492,71546,71542,71486,71471,71455,71522,71455,71475,71565,71477,71459,71467,71464,71473,71488,71478,71473,71475,71452,71453,71548,71527,71524,71558,71554,71531,71450,71553,71502,71495,71450,71480,71445,71506,71558,71553,71481,71484,71509,71525,71563,71503,71448,71463,71474,71442,71454,71528,71473,71488,71454,71510,71484,71501,71450,71526,71489,71455,71458,71551,71549,71551,71537,71507,71562,71455,71450,71485,71567,71470,71553,71501,71554,71459,71565,71464,71443,71481,71562,71447,71537,71526,71486,71466,71481,71484,71498,71467,71455,71489,71523,71533,71446,71487,71553,71488,71443,71501,71485,71553,71562,71476,71513,71519,71445,71492,71458,71453,71480,71448,71451,71453,71464,71533,71512,71479,71460,71455,71488,71479,71567,71497,71512,71518,71554,71452,71554,71448,71449,71557,71561,71453,71447,71494,71447,71510,71497,71462,71485,71553,71494,71466,71469,71510,71449,71516,71527,71441,71454,71526,71442,71464,71506,71468,71471,71524,71465,71475,71477,71532,71498,71475,71448,71492,71561,71546,71538,71501,71562,71531,71531,71538,71502,71526,71552,71509,71513,71481,71474,71508,71529,71559,71550,71517,71538,71565,71495,71445,71484,71531,71553,71442,71468,71501,71568,71526,71536,71513,71527,71542,71552,71563,71534,71466,71484,71496,71461,71458,71508,71498,71462,71513,71554,71448,71442,71532,71498,71448,71475,71568,71542,71514")
</script>
```

Intuitively, something about this part felt suspicious, but intuition alone cannot solve it. Stepping through the page with a debugger such as Microsoft Visual Web Developer, watching how the script behaves and what value goes into each variable, I found a clue in the minecount2 variable.

```javascript
// d and e are not defined in this excerpt.
minelist2 = document.getElementById('minegame2').innerHTML.split('\r\n');
minecount2 = "";
for (c = 4; c < (e + 4); c++) {
    minename2 = minelist2[c];
    for (f = 0; f < d; f++) {
        // Read 8 characters near the end of the line as the 8 bits of one character.
        y = ((minename2.length - (8 * d)) + (f * 8));
        v = 0;
        for (x = 0; x < 8; x++) {
            if (minename2.charCodeAt(x + y) > 9) v++;   // character code above 9 is a 1 bit
            if (x != 7) v = v << 1;
        }
        minecount2 += String.fromCharCode(v);
    }
}
document.write(minecount2);
```

Debugging this yields the following script.

```html
<script>
var ll11ll11l = "var llIlIII = arguments.callee.toString(); var ll111ll = llIlIII + \"asec\" + location.hostname; var IIIIIII = 0;";
ll111II=eval;
</script>
```

Because ll111II is eval and the string is evaluated inside l11111l, arguments.callee.toString() is the source text of the password script's own function.

However, running this script together with the password script above as-is does not yield the password, because the page simply behaves normally, with no error report or anything else unusual. There are two reasons for this.

First, location.hostname has to be set correctly; the exact value is required here as well. Taking a hint from <BASE HREF="http://ahnlab-security.com/game/"> in the decoded original, I set the hostname to ahnlab-security.com. One caveat: creating a location.hostname object and assigning to it leads to unexpected behavior. For that reason I changed the line to:

```javascript
var ll111ll = llIlIII + "asecahnlab-security.com";
```

Second, the password itself has to be extracted. The password script must not be damaged, for example by modifying it to print values, so a different approach is needed: the script computes a value from its own source text and uses the length of that text. Finding out what value is produced through debugging was also difficult, no matter how carefully the breakpoints were set. So I left the password script unchanged and instead changed the script that defines the variables and the function, as follows.

```html
<script>
var ll11ll11l = "";
var llIlIII = arguments.callee.toString();
var ll111ll = llIlIII + "asecahnlab-security.com";
var IIIIIII = 0;
ll111II=document.write;
</script>
```

But I ran into one more obstacle: arguments.callee.toString() does not return the right value here. So I placed the password script above it inside <script id="js"> and used the following approach.

```html
<script>
var ll11ll11l = "";
// Read the password script's text from the DOM instead of arguments.callee.
var test = document.getElementById('js').innerHTML.split('\r\n');
var llIlIII = test[1];
var ll111ll = llIlIII + "asecahnlab-security.com";
var IIIIIII = 0;
ll111II=document.write;
</script>
```

4. Extracting the password

After applying these changes and running the page, the password was finally obtained.

[1] Analyzing US-ASCII-encoded malicious scripts. http://totoriver.egloos.com/562258
[2] String encoding/decoding program used by ASCII exploits. http://mireenae.com/entry/
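
The keying described in section 3, as an added example (not code from the original write-up): a DOM-free reimplementation of the password script's decoder for Node.js, with the script's source text and the hostname passed as explicit parameters so that nothing is handed to eval or document.write. Only the lookup table comes from the page; the function names, SOURCE, the hostname example.test and the four sample numbers are constructed for illustration.

```javascript
// Lookup table copied from the page's password script (index = charCode - 48).
const TABLE = [63,12,6,53,0,48,43,54,42,47,0,0,0,0,0,0,59,13,25,30,50,60,1,18,61,8,16,56,
  20,49,51,21,45,28,22,31,35,5,14,23,27,37,2,0,0,0,0,55,0,11,33,9,19,40,41,15,62,3,39,10,
  32,17,44,36,24,7,52,26,29,58,57,46,4,34,38];

// Key material: char-code sum of (script source + "asec" + hostname), mod 200000.
function checksum(sourceText, hostname) {
  const material = sourceText + "asec" + hostname;
  let sum = 0;
  for (let i = 0; i < material.length; i++) sum += material.charCodeAt(i);
  return sum % 200000;
}

// Step 1: subtract the checksum, then XOR with the source text as a repeating key.
function unmask(numbers, sourceText, hostname) {
  const k = checksum(sourceText, hostname);
  return numbers
    .map((n, i) => String.fromCharCode((n - k) ^ sourceText.charCodeAt(i % sourceText.length)))
    .join("");
}

// Step 2: table-driven 6-bit unpacking (4 characters -> 3 bytes), each byte XORed with 209.
// The original emits 1024-character chunks; one pass gives the same text.
function unpack(text) {
  let acc = 0, shift = 0, out = "";
  for (let i = 0; i < text.length; i++) {
    acc |= (TABLE[text.charCodeAt(i) - 48] || 0) << shift; // unknown characters count as 0
    if (shift) {
      out += String.fromCharCode(209 ^ (acc & 255));
      acc >>= 8;
      shift -= 2;
    } else {
      shift = 6;
    }
  }
  return out;
}

// Returns the decoded text instead of executing or writing it.
function decodePayload(numbers, sourceText, hostname) {
  return unpack(unmask(numbers, sourceText, hostname));
}

// Constructed sample: "OK!" keyed to a stand-in source text and hostname.
const SOURCE = "fn(){}", HOST = "example.test", SAMPLE = [2232, 2281, 2270, 2303];
console.log(JSON.stringify(decodePayload(SAMPLE, SOURCE, HOST)));        // correct key
console.log(JSON.stringify(decodePayload(SAMPLE, SOURCE + " ", HOST)));  // source text edited
console.log(JSON.stringify(decodePayload(SAMPLE, SOURCE, "localhost"))); // wrong hostname
```

The second and third calls show why editing the password script or loading it from another host produces garbage without raising an error: both change the checksum, and editing the source also changes the XOR key.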