
Untitled

a guest Jun 21st, 2017 663 Never
2017-06-20 21:03:35 +gyroninja  Didac: You want a partial RE I did of it?
2017-06-20 21:05:06 +gyroninja  Let's see if I can get a hastebin up in here
2017-06-20 21:05:18 +gyroninja  Didac: https://hastebin.com/nimajugumo.js
2017-06-20 21:05:37 +gyroninja  Important stuff to look at are the strings
2017-06-20 21:06:27 <-- POJO (~quassel@PO.JO) has quit (Read error: Connection reset by peer)
2017-06-20 21:06:45 +gyroninja  outer10 function is important
2017-06-20 21:06:51 +gyroninja  it shows the different payloads for phoning home
2017-06-20 21:06:55 +gyroninja  it uses
2017-06-20 21:07:12 +gyroninja  WebSockets, WebRTC, XHR, and JSEP
2017-06-20 21:08:12 +gyroninja  It also has the ability to eval remote js
2017-06-20 21:08:48 +gyroninja  though IIRC it does so over https (if you are currently browsing over https)
2017-06-20 21:08:52 +gyroninja  so you wouldn't be able to mitm
2017-06-20 21:10:14 +gyroninja  I don't believe it leaks any of your information like what you are browsing
2017-06-20 21:10:24 +gyroninja  just sends a request I believe
2017-06-20 21:10:41 +gyroninja  (for webrtc payload it also sends your user agent)
2017-06-20 21:11:41 +gyroninja  I could be wrong about it not leaking what you are looking at
2017-06-20 21:11:56 +gyroninja  but I only spent a few hours RE'ing it
2017-06-20 21:12:47 +gyroninja  1 thing which I didn't really finish looking into was its use of sessionStorage / localStorage
2017-06-20 21:15:28 +gyroninja  quick look over that code
2017-06-20 21:15:40 +gyroninja  makes it look like it looks through it
2017-06-20 21:15:54 +gyroninja  and checks if there is a key that starts with VX8OUm
2017-06-20 21:17:49 +gyroninja  It takes what's in there and extracts a timestamp and a url
2017-06-20 21:18:03 +gyroninja  the timestamp is used to emulate a cookie which expires after 24 Hours
2017-06-20 21:18:38 +gyroninja  *the url is actually a piece of js code
2017-06-20 21:18:41 +gyroninja  which gets eval'd
2017-06-20 21:19:22 +gyroninja  and that code looks to be related to the javascript loader framework it has
2017-06-20 21:20:07 +gyroninja  hopefully that should be enough information to feed your interest
2017-06-20 21:37:49 +gyroninja  actually the stuff in localstorage looks juicy
2017-06-20 21:37:54 +gyroninja  going to decode some of it
2017-06-20 21:41:24 +gyroninja  could only get 1
2017-06-20 21:42:53 +gyroninja  https://hastebin.com/digeturiha.tex
2017-06-20 21:43:20 +gyroninja  looks like some analytics for ad clicking