[Full-disclosure] PenTestIT.com RSS feed suspicius
Andrew Farmer
andfarm at gmail.com
Wed Jul 6 06:41:49 BST 2011
On 2011-07-05, at 20:55, Nick FitzGerald wrote:
> Andrew Farmer to ector dulac:
>>> Looks suspicious to me
>>
>> Very. That unescapes to:
>>
>> [something that trips a bunch of AVs]
>>
>> Which loads some amusingly obfuscated JS ...
>
> Really?
>
> That amused you?
>
> Maybe my irony detector is on the blink, but that was very ordinary
> several years ago.
Eh, I hadn't seen the with() { } trick before.
>> ... which looks like it's
>> *supposed* to be a plugin exploit of some sort, but which has no
>> real payload. At least, not when I looked.
>
> Ummmm -- not what I got at all.
Perhaps it's UA sniffing -- the copy I got looked almost identical to the copy seen at:
http://jsunpack.jeek.org/dec/go?report=c162b83bf99e26230f680b36ce63a215c1165334
including the empty redirect() function triggered by a chain of spl1/spl2/.../spl6 functions.
Full-Disclosure is hosted and sponsored by Secunia.