From 89a22dfd387d8394d9b418b1377389c5e016fb43 Mon Sep 17 00:00:00 2001 From: Brad Parbs Date: Thu, 25 Jan 2024 00:03:37 -0600 Subject: [PATCH 1/2] Fix typos --- content/post/whiteops-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/post/whiteops-data.md b/content/post/whiteops-data.md index a6a0968..b16c7ff 100644 --- a/content/post/whiteops-data.md +++ b/content/post/whiteops-data.md @@ -52,7 +52,7 @@ This very obfuscated script does many things, including (this is an incomplete l return String.fromCharCode(e.charCodeAt(0) - o--) }) ``` - - this evaluates to `res://ieframe.dll/acr.js`, but only on IE. This string has only one purpose, exploiting the fact that you can put arbitrary HTML in the hash part of the URL and have it get evaluated, I beleive in a privledged context of some sort. This file actually resolves in IE to a internal Windows system file, which is only accessible in JS due to a bug. + - this evaluates to `res://ieframe.dll/acr.js`, but only on IE. This string has only one purpose, exploiting the fact that you can put arbitrary HTML in the hash part of the URL and have it get evaluated, I believe in a privileged context of some sort. This file actually resolves in IE to a internal Windows system file, which is only accessible in JS due to a bug. - tries to run VBScript: ```js execScript("e71012934811a=false::On Error Resume Next::" + e + "::if Err.Number=-2147024891 or Err.Number=5002 then e71012934811a=true::Err.Clear", "VBScript"), t = "e71012934811a" in window ? window.e71012934811a ? o.EXISTS : o.MISSING : o.UNKNOWN From 608b417150ff99605f23e49bfa16c60cb6ba2130 Mon Sep 17 00:00:00 2001 From: Brad Parbs Date: Thu, 25 Jan 2024 00:05:36 -0600 Subject: [PATCH 2/2] Fix typo --- content/post/whiteops-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/post/whiteops-data.md b/content/post/whiteops-data.md index b16c7ff..eac8d64 100644 --- a/content/post/whiteops-data.md 
+++ b/content/post/whiteops-data.md @@ -60,7 +60,7 @@ execScript("e71012934811a=false::On Error Resume Next::" + e + "::if Err.Number= - checks for these strings on window (de-obfuscated, I also have the original obfuscated ones in case you are also looking through the source): - `boltsWebViewAppLinkResolverResult`, `GoogleJsInterface`, `googleAdsJsInterface`, `accessibilityTraversal`, `accessibility`, `FbPlayableAd`, `__REACT_WEB_VIEW_BRIDGE` - obfuscated in code as `obygfJroIvrjNccYvaxErfbyireErfhyg`, `TbbtyrWfVagresnpr`, `tbbtyrNqfWfVagresnpr`, `npprffvovyvglGenirefny`, `npprffvovyvgl`, `SoCynlnoyrNq`, `__ERNPG_JRO_IVRJ_OEVQTR` -- checks the screen's `availHeight`, `availWidth`, `width`, and `height +- checks the screen's `availHeight`, `availWidth`, `width`, and `height` - checks the screen's `colorDepth`, `pixelDepth`, and `devicePixelRatio` - checks for these automation-related properties on `window`: `domAutomation`, `domAutomationController`, `_WEBDRIVER_ELEM_CACHE`, `_phantom`, `callPhantom`, `window.chrome._commandLineAPI`, `window.Debug.debuggerEnabled`, `__BROWSERTOOLS_CONSOLE`, `window._FirebugCommandLine`, and also if `document.documentElement.hasAttribute("webdriver")` is true - checks if `"function () { return Function.apply.call(x.log, x, arguments); }" == window.console.log.toString()` (also to check for browser automation I guess
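Review bot: in the first hunk (PATCH 1/2, `@@ -52,7 +52,7 @@`), the added line still reads "resolves in IE to a internal Windows system file"; since this commit is a typo pass over that exact sentence, change "a internal" to "an internal" in the same line. The two spelling corrections ("believe", "privileged") are right, and the fenced `js` context lines are correctly left untouched, so the quoted obfuscated identifiers stay exactly as they appear in the script.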
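Review bot: in the second hunk (PATCH 2/2, `@@ -60,7 +60,7 @@`), the last context line, the bullet comparing against `window.console.log.toString()`, opens "(also to check for browser automation I guess" and no closing parenthesis is visible in the hunk; if the file itself lacks it, close it in this commit. The backtick added after `height` is correct and brings that bullet in line with the `colorDepth` bullet that follows. As both commits are one-line typo fixes to content/post/whiteops-data.md, they could be squashed into one.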