It’s hard to find what you can’t see

Aug 20, 2008 in Security

It’s been a while since my last post, but a lot has happened since then. I went to BlackHat and DefCon, and they lived up to the hype.

Something that caught my eye was a new JavaScript obfuscation technique. Instead of crazy ASCII tricks, encryption, XOR and similar encodings, it takes a totally out-of-the-box approach.

Discussed by both Billy Hoffman and Kolisar at BH/DC, the new approach is to use whitespace.

Let’s say you have just compromised a web server and want to spread your goodies (malicious files) to everyone who visits that site. Old-school techniques used encoded JavaScript to launch the attack. If you checked the page source, you could quickly see that something was wrong with the page, because heavy obfuscation stands out.

The new technique uses whitespace to encode the malicious code. It works like this: take the ASCII value of each character of the payload, write it out in binary, and represent each bit as:

Tab = 0
Space = 1

So, using 1s and 0s in space and tab form, you can encode all the JavaScript exploit code you need.

Of course you still have to include the small routine that decodes the binary, but imagine if the code you saw on your own page looked like this:



Between the start and the stop is your exploit code. Now try to decode that! 🙂
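To make the scheme concrete, here is an added example (my own code, not Hoffman’s or Kolisar’s tool) that encodes a payload with tab = 0 and space = 1, hides the bits as trailing whitespace on ordinary-looking lines of JavaScript, recovers them again, and flags lines whose trailing whitespace mixes tabs and spaces, which is the cheap check a reviewer can run over a page. The cover lines and the payload string are constructed for the example.

```javascript
// Added example: whitespace encoding of a JavaScript payload.
// Tab = 0, Space = 1, eight bits per character (ASCII only).
const ZERO = "\t";
const ONE = " ";
const BITS_PER_CHAR = 8;

// Encode each character's ASCII value as 8 binary digits in tab/space form.
function whitespaceEncode(text) {
  let out = "";
  for (const ch of text) {
    const code = ch.charCodeAt(0);
    if (code > 255) throw new Error("only 8-bit characters are supported");
    const bits = code.toString(2).padStart(BITS_PER_CHAR, "0");
    for (const b of bits) out += b === "0" ? ZERO : ONE;
  }
  return out;
}

// Inverse: read tabs and spaces in groups of 8 back into characters.
function whitespaceDecode(ws) {
  let text = "";
  for (let i = 0; i + BITS_PER_CHAR <= ws.length; i += BITS_PER_CHAR) {
    let code = 0;
    for (let j = 0; j < BITS_PER_CHAR; j++) {
      const c = ws[i + j];
      if (c !== ZERO && c !== ONE) throw new Error("non-whitespace in payload");
      code = (code << 1) | (c === ONE ? 1 : 0);
    }
    text += String.fromCharCode(code);
  }
  return text;
}

// Hide the encoded payload as trailing whitespace: one encoded character
// (8 tabs/spaces) is appended to each cover line. Existing trailing
// whitespace on the cover lines is stripped first so decoding is unambiguous;
// blank lines are added if the payload needs more lines than the cover has.
function hideInTrailingWhitespace(coverLines, payload) {
  const ws = whitespaceEncode(payload);
  const lines = coverLines.map((l) => l.replace(/[ \t]+$/, ""));
  let i = 0;
  for (let pos = 0; pos < ws.length; pos += BITS_PER_CHAR, i++) {
    if (i >= lines.length) lines.push("");
    lines[i] += ws.slice(pos, pos + BITS_PER_CHAR);
  }
  return lines.join("\n");
}

// Recover the payload: concatenate the trailing tabs/spaces of every line,
// in order, and decode. This is what the in-page decoder routine would do.
function recoverFromTrailingWhitespace(source) {
  let ws = "";
  for (const line of source.split("\n")) {
    const m = line.match(/[ \t]+$/);
    if (m) ws += m[0];
  }
  return whitespaceDecode(ws);
}

// Reviewer's check: count lines whose trailing whitespace run contains BOTH
// tabs and spaces. Editors leave trailing spaces or tabs, rarely a mixture,
// and never in runs that are an exact multiple of 8 on line after line.
function countSuspiciousLines(source) {
  let n = 0;
  for (const line of source.split("\n")) {
    const m = line.match(/[ \t]+$/);
    if (m && m[0].includes(ZERO) && m[0].includes(ONE)) n++;
  }
  return n;
}

// Constructed cover code and payload for the demonstration.
const coverLines = ["var a = 1;", "function f() {", "  return a;", "}"];
const hiddenSource = hideInTrailingWhitespace(coverLines, "alert(1)");
console.log(JSON.stringify(hiddenSource));
console.log("recovered:", recoverFromTrailingWhitespace(hiddenSource));
console.log("suspicious lines:", countSuspiciousLines(hiddenSource));
```

The interesting part for defenders is the last function: the page looks clean to the eye, but any ASCII letter has both 0 and 1 bits, so every line carrying payload ends in a mixed run of tabs and spaces. A one-line grep for `[ \t]*\t[ \t]* $` or `[ \t]* [ \t]*\t$` across served JavaScript finds the same thing.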

Here is another example of Kolisar’s attack:

After you click Encode, look at the spaces and tabs trailing each line of code in the bottom pane: that is where the payload lives.