Created
April 6, 2016 23:11
-
-
Save rainiera/b5d396a9ef3236b96864b0707bf54940 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var org_str = "j8ck72di"; | |
| var session_str = "4734a9fc27f7fee1aa58f66046af6c49"; | |
| var base_str = "https://ct-m-fbx.fbsbx.com/fp"; | |
| var page_id = "1"; | |
| var ip_addr_str = "820139e7306525d7"; | |
| var tarpitting_param = ""; | |
| var carrier_id_enabled = "false"; | |
| var flash_tags = "true"; | |
| var xx0=unescape('var%20thm_tags%3d%7binjectIframe%3afunction%28org_id%2csession_id%2cpage_id%29%7bvar%20dom%2cdoc%2cwhere%2ciframe%3ddocument%2ecreateElement%28%27iframe%27%29%3biframe%2esrc%3d%22javascript%3afalse%22%3b%28iframe%2eframeElement%7c%7ciframe%29%2estyle%2ecssText%3d%22width%3a100px%3bheight%3a100px%3bborder%3a0%3bposition%3aabsolute%3btop%3a%2d5000px%3b%22%3bwhere%3ddocument%2egetElementById%28%22thm_iframe_loc%22%29%3bif%28%21where%29%7bdocument%2ebody%2eappendChild%28iframe%29%3b%7delse%7bwhere%2eparentNode%2einsertBefore%28iframe%2cwhere%29%3b%7dtry%7bdoc%3diframe%2econtentWindow%2edocument%3b%7dcatch%28e%29%7bdom%3ddocument%2edomain%3biframe%2esrc%3d%22javascript%3avar%20d%3ddocument%2eopen%28%29%3bd%2edomain%3d%27%22%2bdom%2b%22%27%3bvoid%280%29%3b%22%3btry%7bdoc%3diframe%2econtentWindow%2edocument%3b%7dcatch%28e%29%7biframe%2esrc%3dbase_str%2b%22%2ftags%3fjs%3d1%26org_id%3d%22%2borg_id%2b%22%26session_id%3d%22%2bsession_id%2b%22%26pageid%3d%22%2bpage_id%3breturn%3b%7d%20%7ddoc%2eopen%28%29%2e_l%3dfunction%28%29%7bif%28typeof%20this%2ereadyState%3d%3d%3d%22undefined%22%7c%7ctypeof%20this%2ereadyState%3d%3d%3d%22unknown%22%29%7bthis%2ereadyState%3d%22complete%22%3b%20%7dif%28dom%29%7bthis%2edomain%3ddom%3b%7dvar%20divx%2cparam1%2cparam2%2cobj%2cswf_url%2cwin%2cimg%2cjs%2cu%2cp%2cdiv%3dthis%2ecreateElement%28%27p%27%29%3bthis%2ebody%2eappendChild%28div%29%3bdiv%2estyle%2ebackground%3d%22url%28%22%2bbase_str%2b%22%2fclear%2epng%3forg_id%3d%22%2borg_id%2b%22%26session_id%3d%22%2bsession_id%2b%22%26m%3d1%26w%3d%22%2bip_addr_str%2btarpitting_param%2b%22%29%22%3bimg%3dthis%2ecreateElement%28%22img%22%29%3bimg%2esrc%3dbase_str%2b%22%2fclear%2epng%3forg_id%3d%22%2borg_id%2b%22%26session_id%3d%22%2bsession_id%2b%22%26m%3d2%22%2btarpitting_param%3bthis%2ebody%2eappendChild%28img%29%3bjs%3dthis%2ecreateElement%28%22script%22%29%3bjs%2esrc%3dbase_str%2b%22%2fcheck%2ejs%3forg_id%3d%22%2borg_id%2b%22%26session_id%3d%22%2bsession_id%2btarpitting_param%2b%22%26pageid%3d%22%2bpage_id%3bthis%2ebody%2eappendChild%28js%29%3bif%28carrier_id_enabled%3d%3d%3d%22true%22%29%20%7bvar%20ciddoc%2ccidframe%3ddocument%2ecreateElement%28%22iframe%22%29%3bcidframe%2esrc%3d%22javascript%3afalse%22%3b%28cidframe%2eframeElement%7c%7ccidframe%29%2estyle%2ecssText%3d%22width%3a100px%3bheight%3a100px%3bborder%3a0%3bposition%3aabsolute%3btop%3a%2d5000px%3b%22%3bdocument%2ebody%2eappendChild%28cidframe%29%3btry%7bciddoc%3dcidframe%2econtentWindow%2edocument%3b%7dcatch%28e%29%7bcidframe%2esrc%3d%22javascript%3avar%20d%3ddocument%2eopen%28%29%3bd%2edomain%3d%27%22%2bdocument%2edomain%2b%22%27%3bvoid%280%29%3b%22%3bciddoc%3dcidframe%2econtentWindow%2edocument%3b%7dciddoc%2eopen%28%29%2e_l%3dfunction%28%29%7bvar%20cidscript%3dthis%2ecreateElement%28%22script%22%29%3bcidscript%2esrc%3dbase_str%2b%22%2fcheckcid%2ejs%3forg_id%3d%22%2borg_id%2b%22%26session_id%3d%22%2bsession_id%3bthis%2ebody%2eappendChild%28cidscript%29%3b%7d%3bciddoc%2ewrite%28%27%3cbody%20onload%3d%22document%2e_l%28%29%3b%22%3e%27%29%3bciddoc%2eclose%28%29%3b%7dif%28flash_tags%3d%3d%3d%22true%22%29%20%7bu%3dnavigator%2euserAgent%2etoLowerCase%28%29%3bp%3dnavigator%2eplatform%2etoLowerCase%28%29%3bwin%3dp%3f%2fwin%2f%2etest%28p%29%3a%20%2fwin%2f%2etesft%28u%29%3btry%7bie%3d%21%2b%22%5cv1%22%3bif%28%21ie%29%7bie%3d%2f%2a%40cc_on%21%40%2a%2ffalse%3b%7d%20%7dcatch%28e%29%7b%7dif%28%21ie%29%7bie%3d%28navigator%2euserAgent%2eindexOf%28%27MSIE%27%29%3e%20%2d1%29%3b%7dswf_url%3dbase_str%2b%22%2ffp%2eswf%3forg_id%3d%22%2borg_id%2b%22%26session_id%3d%22%2bsession_id%2btarpitting_param%3bif%28ie%26%26win%29%7bdivx%3dthis%2ecreateElement%28%22div%22%29%3bdivx%2einnerHTML%3d%27%3cobject%20type%3d%22application%2fx%2dshockwave%2dflash%22data%3d%22%27%2bswf_url%2b%27%22width%3d%221%22height%3d%221%22%3e%3cparam%20name%3d%22movie%22value%3d%22%27%2bswf_url%2b%27%22%2f%3e%3cparam%20name%3d%22wmode%22value%3d%22transparent%22%2f%3e%3c%2fobject%3e%27%3bthis%2ebody%2eappendChild%28divx%29%3b%7delse%7bobj%3dthis%2ecreateElement%28%27object%27%29%3bobj%2esetAttribute%28%22type%22%2c%22application%2fx%2dshockwave%2dflash%22%29%3bobj%2esetAttribute%28%22data%22%2cswf_url%29%3bobj%2esetAttribute%28%22width%22%2c%221%22%29%3bobj%2esetAttribute%28%22height%22%2c%221%22%29%3bparam1%3dthis%2ecreateElement%28%27param%27%29%3bparam1%2esetAttribute%28%22name%22%2c%22movie%22%29%3bparam1%2esetAttribute%28%22value%22%2cswf_url%29%3bparam2%3dthis%2ecreateElement%28%27param%27%29%3bparam2%2esetAttribute%28%22name%22%2c%22wmode%22%29%3bparam2%2esetAttribute%28%22value%22%2c%22transparent%22%29%3bobj%2eappendChild%28param1%29%3bobj%2eappendChild%28param2%29%3bthis%2ebody%2eappendChild%28obj%29%3b%7d%20%7d%7d%3bdoc%2ewrite%28%27%3cbody%20onload%3d%22document%2e_l%28%29%3b%22%3e%27%29%3bdoc%2eclose%28%29%3b%7d%2cgo%3afunction%28%29%7bif%28session_str%26%26org_str%29%7bvar%20isWebkit%3d%27WebkitAppearance%27in%20document%2edocumentElement%2estyle%3bif%28document%2ebody%26%26%28document%2ereadyState%3d%3d%3d%27complete%27%7c%7c%21isWebkit%29%29%7bthis%2einjectIframe%28org_str%2csession_str%2cpage_id%29%3breturn%3b%7dvar%20waittime%3d200%3bvar%20node%3bif%28typeof%20window%21%3d%3d%22undefined%22%26%26typeof%20window%21%3d%3d%22unknown%22%26%26window%21%3d%3dnull%29%7bnode%3dwindow%3b%7delse%7bnode%3ddocument%2ebody%3b%7dif%28node%2eaddEventListener%29%7bnode%2eaddEventListener%28%22load%22%2cfunction%28%29%7bthm_tags%2einjectIframe%28org_str%2csession_str%2cpage_id%29%3b%7d%2cfalse%29%3b%7delse%7bif%28node%2eattachEvent%29%7bnode%2eattachEvent%28%22onload%22%2cfunction%28%29%7bthm_tags%2einjectIframe%28org_str%2csession_str%2cpage_id%29%3b%7d%29%3b%7delse%7bvar%20oldonload%3dnode%2eonload%3bnode%2eonload%3dnew%20function%28%29%7bvar%20r%3dtrue%3bif%28oldonload%21%3d%3dnull%26%26typeof%20oldonload%3d%3d%3d%22function%22%29%7br%3doldonload%28%29%3b%7dsetTimeout%28function%28%29%7bthm_tags%2einjectIframe%28org_str%2csession_str%2cpage_id%29%3b%7d%2cwaittime%29%3bnode%2eonload%3doldonload%3breturn%20r%3b%7d%3b%7d%20%7d%7d%20%7d%7d%3bthm_tags%2ego%28%29%3b%20');eval(xx0); |
This script reports its results to online-metrix.net, it's a cookieless tracker. online-metrix.net belongs to https://www.threatmetrix.com/
// 42c36d7ad314c577
// j8ck72di
// 12c8f24c089c550edea6f829feafc00a1
// https://ct-m-fbx.fbsbx.com/fp
// 221d115719884e90967a9697a2fda390
// https://j8ck72di-7e4c910cabfce8f6b3b60689bf4f5666ec8cf2e1-sac.d.aa.online-metrix.net
var blobd = new td_0L("719a7be80f2542f48d92fdabb541ba5803035A52010652595455030157075103525C5A595156050B530757090453015B070900020252005C550704530C005F525D055F51565400530A414041115B1A175445140C1A0407401E005046564A485757091654165653530604050455500C000F055C58075B530F515F040C035354525C050A0B560C151612460E1E4D0B0D5B5C060B055E4F525D04050B04045107565E075C0A00520351000304075A58575E03570C570154005B0805540751034B47590717564805004C0D5B58580C04185552454B084F4C0B5D44");
Just ran into this as well, running uBlock Origin on Chrome.
Just had a client user see this. Appears not to target every FB session though.
Thought I'd jump in here. I did a little bit of clean up and renaming. I redacted and removed a lot of non-operative or obfuscated path code. It's a little more comprehensible, but not wonderful. I pointed the original Facebook and Online Metrix collection URLs to 127.0.0.1 and ran an echo web server to inspect the payloads (a little easier to just let it run, than to probe the code line-by-line).
Some fun stuff I noticed that most of you may have already:
-
The hex junk is more or less just obfuscated string data utilized by way of a method call
parent.td_f(offset, numChars). It contains things like MIME type strings, some JavaScript keywords, and a s sprinkle of human readable error messages that are never logged (unless you define a logger callback where possible). -
Neat obfuscation tricks:
Number(890830).toString(31) === 'true'
Number(103873).toString(18) === 'head' -
Most payloads are hashed with MD5 before egress. MD5 was implemented in the raw in the original JavaScript code, and I extracted the implementation here:
-
The WebSocket "port scanner" is really interesting! Appears to glean based on whether onError or onClose with reason was fired.
-
The system font signature is generated by looking for discrepancies in the Canvas 2D rendering context's metrics of the default mono and serif fonts with a giant list of possible system fonts for each of Windows, Linux, and OS X. Fonts that don't render with equal widths are added to a list that is eventually hashed.
Contacted Facebook about this years ago, and received prebaked "We appreciate your feedback" response.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
initiate6 has a huge penis