A Quick Look at the Windows Media Player Plug-In EMBED Overflow Exploit
01/08/08
During July 2007, I noticed some sites serving up pages that were trying to take advantage of the Windows Media Player Plug-In EMBED Overflow Universal Exploit (MS06-006). So I took some time to dig through one of the pages just to see what it was doing. I have waited a few months to post this, just to make sure everyone has had enough time to patch, update, and otherwise protect their systems. I figure 6 months should be enough time for even the busiest folks to get their stuff updated, and enough for any addresses referenced here to be dead; at the time of this writing the address was not active.
The first thing I did was look at the source of the offending page.

After a quick look at the source, it is easy to see why it is a good idea to surf the internet with javascript disabled. The only real thing this page does is use javascript to try to exploit any susceptible browsers.
The next thing I did was to take the javascript in the page and remove the NOP sled code, do{s+=s;}while(s.length<0x900000);, and then I used the unescape function to see what the remaining code said and showed the result using alert. I wanted to see if there was anything useful displayed.

As you can see, it looks like UNICODE characters, but when I tried to translate the result it came back as gibberish. So, no dice there; onward and upward.
The next steps were really nothing more than discovery by trial and error. What I ended up with was a vbscript that allowed me to take the UNICODE hex values and convert them into a semi-readable state.

I ran this script, which generated enough information to satisfy my curiosity.

Based on the information that is highlighted in yellow, this exploit is trying to use urlmon.dll to download something that will be named U.exe from the IP address. Not a perfect translation, but good enough to know where to look for any offending local files and to find the source of the file on the internet.
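The same triage, written as an added Python example rather than the author's javascript/vbscript: it mimics what unescape does (every %uXXXX becomes one 16-bit code unit, which is why the alert looked like gibberish), lays the units out as the little-endian bytes the shellcode has in memory, trims the NOP sled, and pulls out the printable strings the way strings(1) would. The %u-encoded sample is constructed for this example and is not the payload from the page; the download URL in it uses placeholder.invalid in place of the real IP address.

```python
import re

# Constructed sample, NOT the original page's payload: a few 0x90 bytes
# standing in for the NOP sled, then three null-terminated strings
# (urlmon.dll, U.exe, and a placeholder download URL) encoded the way the
# exploit page encoded its shellcode, as %uXXXX escapes for unescape().
SAMPLE_ESCAPED = (
    "%u9090%u9090%u9090%u9090"
    "%u7275%u6d6c%u6e6f%u642e%u6c6c"          # "urlmon.dll"
    "%u5500%u652e%u6578"                      # "\0U.exe"
    "%u6800%u7474%u3a70%u2f2f%u6c70%u6361"    # "\0http://plac"
    "%u6865%u6c6f%u6564%u2e72%u6e69%u6176"    # "eholder.inva"
    "%u696c%u2f64%u2e55%u7865%u0065"          # "lid/U.exe\0"
)

# %uXXXX, %XX, or one literal character, in that order of preference
_TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.S)


def unescape_to_code_units(escaped):
    """Mimic JavaScript unescape(): each %uXXXX, %XX or literal character
    becomes one 16-bit code unit. Showing these as text with alert() is
    what produced the unreadable UNICODE characters on the original page."""
    units = []
    for m in _TOKEN.finditer(escaped):
        if m.group(1):
            units.append(int(m.group(1), 16))
        elif m.group(2):
            units.append(int(m.group(2), 16))
        else:
            units.append(ord(m.group(3)))
    return units


def decode_u_escapes(escaped):
    """Lay the code units out as UTF-16LE, i.e. the byte order the
    shellcode has once the browser copies the string into memory."""
    out = bytearray()
    for unit in unescape_to_code_units(escaped):
        out += unit.to_bytes(2, "little")
    return bytes(out)


def strip_nop_sled(data, nop=0x90):
    """Return (sled_length, remainder): drop the leading run of NOPs so the
    interesting bytes are not buried under the do{s+=s;} sled."""
    n = 0
    while n < len(data) and data[n] == nop:
        n += 1
    return n, data[n:]


def extract_strings(data, min_len=4):
    """strings(1)-style scan for runs of printable ASCII."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(escaped):
    """Full pipeline: unescape, strip sled, list the embedded strings."""
    sled, body = strip_nop_sled(decode_u_escapes(escaped))
    return {"sled_bytes": sled, "strings": extract_strings(body)}


if __name__ == "__main__":
    print(triage(SAMPLE_ESCAPED))
```

The byte-order step is the part that matters: treating %u7275 as the character U+7275 gives a CJK glyph, but as two little-endian bytes it is "ur", the start of urlmon.dll, which is the same thing the author's hex-to-readable vbscript recovered.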
You might wonder why I used windows script host and vbscript and not something else, and the answer was just to see if I could do it.