
Untitled

a guest
Jun 21st, 2017
2017-06-20 21:03:35 +gyroninja Didac: You want a partial RE I did of it?
2017-06-20 21:05:06 +gyroninja Let's see if I can get a hastebin up in here
2017-06-20 21:05:18 +gyroninja Didac: https://hastebin.com/nimajugumo.js
2017-06-20 21:05:37 +gyroninja Important stuff to look at are the strings
2017-06-20 21:06:27 <-- POJO (~quassel@PO.JO) has quit (Read error: Connection reset by peer)
2017-06-20 21:06:45 +gyroninja outer10 function is important
2017-06-20 21:06:51 +gyroninja it shows the different payloads for phoning home
2017-06-20 21:06:55 +gyroninja it uses
2017-06-20 21:07:12 +gyroninja WebSockets, WebRTC, XHR, and JSEP
2017-06-20 21:08:12 +gyroninja It also has the ability to eval remote js
2017-06-20 21:08:48 +gyroninja though IIRC it does so over https (if you are currently browsing over https)
2017-06-20 21:08:52 +gyroninja so you wouldn't be able to mitm
2017-06-20 21:10:14 +gyroninja I don't believe it leaks any of your information like what you are browsing
2017-06-20 21:10:24 +gyroninja just sends a request I believe
2017-06-20 21:10:41 +gyroninja (for webrtc payload it also sends your user agent)
2017-06-20 21:11:41 +gyroninja I could be wrong about it not leaking what you are looking at
2017-06-20 21:11:56 +gyroninja but I only spent a few hours RE'ing it
2017-06-20 21:12:47 +gyroninja 1 thing which I didn't really finish looking into was its use of sessionStorage / localStorage
2017-06-20 21:15:28 +gyroninja quick look over that code
2017-06-20 21:15:40 +gyroninja makes it look like it looks through it
2017-06-20 21:15:54 +gyroninja and checks if there is a key that starts with VX8OUm
2017-06-20 21:17:49 +gyroninja It takes what's in there and extracts a timestamp and a url
2017-06-20 21:18:03 +gyroninja the timestamp is used to emulate a cookie which expires after 24 Hours
2017-06-20 21:18:38 +gyroninja *the url is actually a piece of js code
2017-06-20 21:18:41 +gyroninja which gets eval'd
2017-06-20 21:19:22 +gyroninja and that code looks to be related to the javascript loader framework it has
2017-06-20 21:20:07 +gyroninja hopefully that should be enough information to feed your interest
2017-06-20 21:37:49 +gyroninja actually the stuff in localstorage looks juicy
2017-06-20 21:37:54 +gyroninja going to decode some of it
2017-06-20 21:41:24 +gyroninja could only get 1
2017-06-20 21:42:53 +gyroninja https://hastebin.com/digeturiha.tex
2017-06-20 21:43:20 +gyroninja looks like some analytics for ad clicking