It's a JavaScript snippet trying to exploit a security vulnerability related to Facebook, more specifically to its image uploader client-side ActiveX control.

The `cobj` part tries to create an object of ClassID `{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}`, which happens to be an ActiveX photo uploader control. The ExtractIptc and ExtractExif functions belong to that specific ActiveX control.

The core of the code is really memory address manipulation, shifting, using masks to separate high and low bits. For example, `hex((addr>>16)&0xFFFF,4)` takes an address, shifts it 16 bits to the right, clears the lower part and converts it to a hex number. To actually understand most of this code, you should have the right debugging tools.

Googling the `{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}` ClassID gave some interesting results you should look into:

http://www.kb.cert.org/vuls/id/776931

http://seclists.org/fulldisclosure/2008/Feb/0023.html

http://securitytracker.com/alerts/2008/Feb/1019297.html

Please note, this is not PHP. It's JavaScript.

More details...

cobj is probably translated into a CreateObject() call. Every registered ActiveX control has its own Class ID, and they have the form `{0000000000-0000-0000-0000-000000000000}`. When you want to refer to the registered library and create an instance of it, you can use either its name or its Class ID.

The ActiveX control itself should be an .OCX or .DLL file on your computer. If you can find this file and debug it, you'll get the most specific details about the ExtractIptc and ExtractExif functions. Again, those two functions seem to have vulnerabilities when called in a specific way, and this is what that script is trying to exploit.

The `var hsta=0x0c0c0c0c` part defines a variable hsta, equal to the hexadecimal number 0c0c0c0c. It's the same as writing `var hsta = 202116108`. In computer engineering, it's easier to deal with hexadecimal addresses than decimal numbers, since addresses and data inside the computer's memory are binary and can be directly represented as a hex number. More details about hexadecimal here: http://en.wikipedia.org/wiki/Hexadecimal.

The variable name hsta seems to be in Hungarian notation (the first letter represents the variable type: h for hex). I would therefore assume it means *hexadecimal start address* (hsta). Following the same train of thought, my guess would be that `pl` means payload and `plc` means payload code.

The payload code is the code the computer will execute if the exploit was successful, and it's what you see at the beginning of the script (`\x43\x43\x43\x43\n....\xEF`). It's encoded as shell code (https://stackoverflow.com/questions/1469559/help-me-understand-this-c-code-void-scode) for a particular CPU architecture and operating system. That means code that's already compiled, standalone, and can be piped to the CPU directly. If you decode this, you'll probably find something close to machine code. It's probably nothing positive.

The `hex(num,width)` function converts a decimal number to its hexadecimal form. I've tested the function separately, and it returned 3E8 when feeding it 1000. The width variable is simply used to exit the script if the resulting hexadecimal number is bigger than specified.

About this part:

    var buf = addr(0x0c0c0c0c);
    buf = buf.substring(0,400);
    obj.ExtractIptc = buf;
    obj.ExtractExif = buf;

The buf variable is a buffer. A buffer is nothing more than data in memory. It can be interfaced as a string, as shown in this code. My guess is that a buffer of 400 bytes is created from whatever contents are in memory at 0x0c0c0c0c, and then fed into two functions.

There are several function definitions missing in here. Namely, the hav() function.