Skip to content

Instantly share code, notes, and snippets.

@rainiera
Created April 6, 2016 23:11
Show Gist options
  • Save rainiera/b5d396a9ef3236b96864b0707bf54940 to your computer and use it in GitHub Desktop.
Save rainiera/b5d396a9ef3236b96864b0707bf54940 to your computer and use it in GitHub Desktop.
var org_str = "j8ck72di";
var session_str = "4734a9fc27f7fee1aa58f66046af6c49";
var base_str = "https://ct-m-fbx.fbsbx.com/fp";
var page_id = "1";
var ip_addr_str = "820139e7306525d7";
var tarpitting_param = "";
var carrier_id_enabled = "false";
var flash_tags = "true";
var xx0=unescape('var%20thm_tags%3d%7binjectIframe%3afunction%28org_id%2csession_id%2cpage_id%29%7bvar%20dom%2cdoc%2cwhere%2ciframe%3ddocument%2ecreateElement%28%27iframe%27%29%3biframe%2esrc%3d%22javascript%3afalse%22%3b%28iframe%2eframeElement%7c%7ciframe%29%2estyle%2ecssText%3d%22width%3a100px%3bheight%3a100px%3bborder%3a0%3bposition%3aabsolute%3btop%3a%2d5000px%3b%22%3bwhere%3ddocument%2egetElementById%28%22thm_iframe_loc%22%29%3bif%28%21where%29%7bdocument%2ebody%2eappendChild%28iframe%29%3b%7delse%7bwhere%2eparentNode%2einsertBefore%28iframe%2cwhere%29%3b%7dtry%7bdoc%3diframe%2econtentWindow%2edocument%3b%7dcatch%28e%29%7bdom%3ddocument%2edomain%3biframe%2esrc%3d%22javascript%3avar%20d%3ddocument%2eopen%28%29%3bd%2edomain%3d%27%22%2bdom%2b%22%27%3bvoid%280%29%3b%22%3btry%7bdoc%3diframe%2econtentWindow%2edocument%3b%7dcatch%28e%29%7biframe%2esrc%3dbase_str%2b%22%2ftags%3fjs%3d1%26org_id%3d%22%2borg_id%2b%22%26session_id%3d%22%2bsession_id%2b%22%26pageid%3d%22%2bpage_id%3breturn%3b%7d%20%7ddoc%2eopen%28%29%2e_l%3dfunction%28%29%7bif%28typeof%20this%2ereadyState%3d%3d%3d%22undefined%22%7c%7ctypeof%20this%2ereadyState%3d%3d%3d%22unknown%22%29%7bthis%2ereadyState%3d%22complete%22%3b%20%7dif%28dom%29%7bthis%2edomain%3ddom%3b%7dvar%20divx%2cparam1%2cparam2%2cobj%2cswf_url%2cwin%2cimg%2cjs%2cu%2cp%2cdiv%3dthis%2ecreateElement%28%27p%27%29%3bthis%2ebody%2eappendChild%28div%29%3bdiv%2estyle%2ebackground%3d%22url%28%22%2bbase_str%2b%22%2fclear%2epng%3forg_id%3d%22%2borg_id%2b%22%26session_id%3d%22%2bsession_id%2b%22%26m%3d1%26w%3d%22%2bip_addr_str%2btarpitting_param%2b%22%29%22%3bimg%3dthis%2ecreateElement%28%22img%22%29%3bimg%2esrc%3dbase_str%2b%22%2fclear%2epng%3forg_id%3d%22%2borg_id%2b%22%26session_id%3d%22%2bsession_id%2b%22%26m%3d2%22%2btarpitting_param%3bthis%2ebody%2eappendChild%28img%29%3bjs%3dthis%2ecreateElement%28%22script%22%29%3bjs%2esrc%3dbase_str%2b%22%2fcheck%2ejs%3forg_id%3d%22%2borg_id%2b%22%26session_id%3d%22%2bsession_id%2btarpitting_param%2b%22%26pageid%3d%22%2bpage_id%3bthis%2ebody%2eappendChild%28js%29%3bif%28carrier_id_enabled%3d%3d%3d%22true%22%29%20%7bvar%20ciddoc%2ccidframe%3ddocument%2ecreateElement%28%22iframe%22%29%3bcidframe%2esrc%3d%22javascript%3afalse%22%3b%28cidframe%2eframeElement%7c%7ccidframe%29%2estyle%2ecssText%3d%22width%3a100px%3bheight%3a100px%3bborder%3a0%3bposition%3aabsolute%3btop%3a%2d5000px%3b%22%3bdocument%2ebody%2eappendChild%28cidframe%29%3btry%7bciddoc%3dcidframe%2econtentWindow%2edocument%3b%7dcatch%28e%29%7bcidframe%2esrc%3d%22javascript%3avar%20d%3ddocument%2eopen%28%29%3bd%2edomain%3d%27%22%2bdocument%2edomain%2b%22%27%3bvoid%280%29%3b%22%3bciddoc%3dcidframe%2econtentWindow%2edocument%3b%7dciddoc%2eopen%28%29%2e_l%3dfunction%28%29%7bvar%20cidscript%3dthis%2ecreateElement%28%22script%22%29%3bcidscript%2esrc%3dbase_str%2b%22%2fcheckcid%2ejs%3forg_id%3d%22%2borg_id%2b%22%26session_id%3d%22%2bsession_id%3bthis%2ebody%2eappendChild%28cidscript%29%3b%7d%3bciddoc%2ewrite%28%27%3cbody%20onload%3d%22document%2e_l%28%29%3b%22%3e%27%29%3bciddoc%2eclose%28%29%3b%7dif%28flash_tags%3d%3d%3d%22true%22%29%20%7bu%3dnavigator%2euserAgent%2etoLowerCase%28%29%3bp%3dnavigator%2eplatform%2etoLowerCase%28%29%3bwin%3dp%3f%2fwin%2f%2etest%28p%29%3a%20%2fwin%2f%2etesft%28u%29%3btry%7bie%3d%21%2b%22%5cv1%22%3bif%28%21ie%29%7bie%3d%2f%2a%40cc_on%21%40%2a%2ffalse%3b%7d%20%7dcatch%28e%29%7b%7dif%28%21ie%29%7bie%3d%28navigator%2euserAgent%2eindexOf%28%27MSIE%27%29%3e%20%2d1%29%3b%7dswf_url%3dbase_str%2b%22%2ffp%2eswf%3forg_id%3d%22%2borg_id%2b%22%26session_id%3d%22%2bsession_id%2btarpitting_param%3bif%28ie%26%26win%29%7bdivx%3dthis%2ecreateElement%28%22div%22%29%3bdivx%2einnerHTML%3d%27%3cobject%20type%3d%22application%2fx%2dshockwave%2dflash%22data%3d%22%27%2bswf_url%2b%27%22width%3d%221%22height%3d%221%22%3e%3cparam%20name%3d%22movie%22value%3d%22%27%2bswf_url%2b%27%22%2f%3e%3cparam%20name%3d%22wmode%22value%3d%22transparent%22%2f%3e%3c%2fobject%3e%27%3bthis%2ebody%2eappendChild%28divx%29%3b%7delse%7bobj%3dthis%2ecreateElement%28%27object%27%29%3bobj%2esetAttribute%28%22type%22%2c%22application%2fx%2dshockwave%2dflash%22%29%3bobj%2esetAttribute%28%22data%22%2cswf_url%29%3bobj%2esetAttribute%28%22width%22%2c%221%22%29%3bobj%2esetAttribute%28%22height%22%2c%221%22%29%3bparam1%3dthis%2ecreateElement%28%27param%27%29%3bparam1%2esetAttribute%28%22name%22%2c%22movie%22%29%3bparam1%2esetAttribute%28%22value%22%2cswf_url%29%3bparam2%3dthis%2ecreateElement%28%27param%27%29%3bparam2%2esetAttribute%28%22name%22%2c%22wmode%22%29%3bparam2%2esetAttribute%28%22value%22%2c%22transparent%22%29%3bobj%2eappendChild%28param1%29%3bobj%2eappendChild%28param2%29%3bthis%2ebody%2eappendChild%28obj%29%3b%7d%20%7d%7d%3bdoc%2ewrite%28%27%3cbody%20onload%3d%22document%2e_l%28%29%3b%22%3e%27%29%3bdoc%2eclose%28%29%3b%7d%2cgo%3afunction%28%29%7bif%28session_str%26%26org_str%29%7bvar%20isWebkit%3d%27WebkitAppearance%27in%20document%2edocumentElement%2estyle%3bif%28document%2ebody%26%26%28document%2ereadyState%3d%3d%3d%27complete%27%7c%7c%21isWebkit%29%29%7bthis%2einjectIframe%28org_str%2csession_str%2cpage_id%29%3breturn%3b%7dvar%20waittime%3d200%3bvar%20node%3bif%28typeof%20window%21%3d%3d%22undefined%22%26%26typeof%20window%21%3d%3d%22unknown%22%26%26window%21%3d%3dnull%29%7bnode%3dwindow%3b%7delse%7bnode%3ddocument%2ebody%3b%7dif%28node%2eaddEventListener%29%7bnode%2eaddEventListener%28%22load%22%2cfunction%28%29%7bthm_tags%2einjectIframe%28org_str%2csession_str%2cpage_id%29%3b%7d%2cfalse%29%3b%7delse%7bif%28node%2eattachEvent%29%7bnode%2eattachEvent%28%22onload%22%2cfunction%28%29%7bthm_tags%2einjectIframe%28org_str%2csession_str%2cpage_id%29%3b%7d%29%3b%7delse%7bvar%20oldonload%3dnode%2eonload%3bnode%2eonload%3dnew%20function%28%29%7bvar%20r%3dtrue%3bif%28oldonload%21%3d%3dnull%26%26typeof%20oldonload%3d%3d%3d%22function%22%29%7br%3doldonload%28%29%3b%7dsetTimeout%28function%28%29%7bthm_tags%2einjectIframe%28org_str%2csession_str%2cpage_id%29%3b%7d%2cwaittime%29%3bnode%2eonload%3doldonload%3breturn%20r%3b%7d%3b%7d%20%7d%7d%20%7d%7d%3bthm_tags%2ego%28%29%3b%20');eval(xx0);
@sausage123
Copy link

I see this in Google Chrome when using AddBlock and FBP. I do not see this in FireCrotch when using neither. Thoughts?

@markhamilton
Copy link

Safari using Adblock

@initiate6
Copy link

A friend of mine posted this to a IRC server asking the same thing. I only spent about 10-15min trying to decode it. Seems like its facebook trying to be nice and make sure your computer is on the up and up by getting all up in your business. Don't have facebook so couldn't confirm to many things. Anyways here are some quick notes.

Flash clear: https://ct-m-fbx.fbsbx.com/fp/fp.swf?org_id=j8ck72di&session_id=12c8f24c089c50edea6f829feafc00a1

very weird. Domain is own by Facebook. but when you try the other function

https://ct-m-fbx.fbsbx.com/fp/check.js?org_id=j8ck72di&session_id=12c8f24c089c50edea6f829feafc00a1

Code all nice like: http://pastebin.com/wHjkBF6b

it has some odd .js it checks for all sorts of plugins installed like vlc, adobe, etc. not sure what its doing but has a list of bank login sites as well. then some kind of check for VNC and ports. also saw some port scanner code too.

the "\x35\x33" crap you can decode using echo -e 'stuff' but so far it just decodes to hex and the hex is binary data.might be a way of comparing, because after they set that data looks like t hey are splitting it up. maybe using it as a signature to see if something matches like VNC:5900 or whatever.

if I had to guess. its facebook way of collecting data. at one point I know they were trying to be nice and scan peoples computers for problems and would let you know. Thought they got in trouble already for that.
https://www.facebook.com/notes/facebook-security/malware-checkpoint-for-facebook/10150902333195766/ Something on your computer must be breaking the javascript with either a noscript plugin or their code is broken.

Facebook purity seemed to cause the javascript to stop.

Edit: not sure if one of these is your public IP address: 82 01 39 e7 = 130.1.57.231 : 30 65 25 d7 = 48.101.37.215 <-- is the var ip_addr_str decoded. Maybe thats what they are scanning and/or send results to??

@sausage123
Copy link

initiate6 has a huge penis

@ryanohoro
Copy link

ryanohoro commented May 12, 2016

This script reports its results to online-metrix.net, it's a cookieless tracker. online-metrix.net belongs to https://www.threatmetrix.com/


// 42c36d7ad314c577
// j8ck72di
// 12c8f24c089c550edea6f829feafc00a1
// https://ct-m-fbx.fbsbx.com/fp
// 221d115719884e90967a9697a2fda390
// https://j8ck72di-7e4c910cabfce8f6b3b60689bf4f5666ec8cf2e1-sac.d.aa.online-metrix.net
var blobd = new td_0L("719a7be80f2542f48d92fdabb541ba5803035A52010652595455030157075103525C5A595156050B530757090453015B070900020252005C550704530C005F525D055F51565400530A414041115B1A175445140C1A0407401E005046564A485757091654165653530604050455500C000F055C58075B530F515F040C035354525C050A0B560C151612460E1E4D0B0D5B5C060B055E4F525D04050B04045107565E075C0A00520351000304075A58575E03570C570154005B0805540751034B47590717564805004C0D5B58580C04185552454B084F4C0B5D44");

@tclancy
Copy link

tclancy commented Apr 12, 2017

Just ran into this as well, running uBlock Origin on Chrome.

@ckindley
Copy link

Just had a client user see this. Appears not to target every FB session though.

@shanksauce
Copy link

Thought I'd jump in here. I did a little bit of clean up and renaming. I redacted and removed a lot of non-operative or obfuscated path code. It's a little more comprehensible, but not wonderful. I pointed the original Facebook and Online Metrix collection URLs to 127.0.0.1 and ran an echo web server to inspect the payloads (a little easier to just let it run, than to probe the code line-by-line).

https://pastebin.com/5wnVZHbK

Some fun stuff I noticed that most of you may have already:

  • The hex junk is more or less just obfuscated string data utilized by way of a method call parent.td_f(offset, numChars). It contains things like MIME type strings, some JavaScript keywords, and a s sprinkle of human readable error messages that are never logged (unless you define a logger callback where possible).

  • Neat obfuscation tricks:
    Number(890830).toString(31) === 'true'
    Number(103873).toString(18) === 'head'

  • Most payloads are hashed with MD5 before egress. MD5 was implemented in the raw in the original JavaScript code, and I extracted the implementation here:

    https://pastebin.com/0eFX7ba1

  • The WebSocket "port scanner" is really interesting! Appears to glean based on whether onError or onClose with reason was fired.

  • The system font signature is generated by looking for discrepancies in the Canvas 2D rendering context's metrics of the default mono and serif fonts with a giant list of possible system fonts for each of Windows, Linux, and OS X. Fonts that don't render with equal widths are added to a list that is eventually hashed.

@Plazmaz
Copy link

Plazmaz commented Aug 14, 2017

Contacted Facebook about this years ago, and received prebaked "We appreciate your feedback" response.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment