Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Magic strings
Date: September 01, 2010 03:30AM

I wanted to research this a bit further before making it public, but since Yosuke twittered about it yesterday (http://twitter.com/hasegawayosuke/status/22594430351), I might as well share it.

It turns out that the function:: namespace is no more than a magic string. It's not entirely undocumented (http://eligrey.com/blog/post/namespacing-properties-in-javascript, http://d.hatena.ne.jp/teramako/20100815), but it hasn't gotten the attention it deserves. I've been discussing this with mario over the last couple of days and we both find it really interesting; hope you enjoy it as well! Makes you wonder what other magic strings there are.

x = '@mozilla.org/js/function'
x::['alert'](1)

default xml namespace = '@mozilla.org/js/function'
x = undefined
x::alert(1)

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Re: Magic strings
Posted by: Anonymous User
Date: September 01, 2010 06:08AM

As MXR shows, there are some more possible candidates, like '@mozilla.org/js/jsd' and '@mozilla.org/js/xpc'.

Re: Magic strings
Posted by: Gareth Heyes
Date: September 01, 2010 07:34AM

Which version? It doesn't work for me :(

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Magic strings
Date: September 01, 2010 09:49AM

FF 3.6.8 using Firebug

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Re: Magic strings
Posted by: Anonymous User
Date: September 01, 2010 10:53AM

@Gareth I am having the same problem - it sometimes works and sometimes it doesn't. I can definitely confirm it on FF 3.6.8 on Ubuntu 10.04 and Win XP SP3, but I haven't figured out yet what makes it happen.

Re: Magic strings
Date: September 02, 2010 03:41AM

Yes, it sometimes works and sometimes doesn't.

Once you execute code like the following,

javascript:_="alert";function::[_](1)

after executing the above, the code I tweeted will work.

javascript:$="@mozilla.org/js/function";_="alert";$::[_](1)

--
Yosuke HASEGAWA
http://utf-8.jp/

Re: Magic strings
Posted by: Gareth Heyes
Date: September 02, 2010 10:47AM

Odd, confirmed it working after Yosuke's code sample. Wonder why???
They are separate yet seem to enable the vector. BTW this would be pretty damn awesome for breaking sandboxes if we could figure out a way of executing the vector using only a magic string.


Re: Magic strings
Posted by: Gareth Heyes
Date: September 02, 2010 11:01AM

You need to access ::function with anything first; once done, it lasts for the browser session lifetime without further need to access it, even upon refresh.

<script>
<></>.function::['x'];
$="@mozilla.org/js/function";_="alert";$::[_](1)
</script>

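Added example, not posted by anyone in this thread: Gareth's point is that a sandbox or script filter which only blacklists the literal `function::` qualifier is beaten by a plain string holding `@mozilla.org/js/function`. The scanner below shows what such a filter has to do instead: strip comments, decode string literals (so `'\x40mozilla.org/...'` cannot hide the namespace), and then flag any E4X `::` qualified access, any `default xml namespace` assignment, and any string literal equal to one of the namespace strings named above. The rule set, the function names and the idea of treating the MXR candidates as suspicious rather than confirmed are my assumptions; the sample inputs are the snippets from the posts above plus constructed controls. E4X and the `::` qualifier were later removed from Firefox, so this is a filter-design illustration, not something to run against a current browser.

```javascript
// Added example (not from the thread): a lexer-aware scanner that flags the
// E4X namespace constructs discussed above so a script filter can reject them
// before the code reaches a Firefox 3.x engine. Rule set and names are my own
// assumptions, not part of any real sandbox.

// Namespace strings named in the thread. '@mozilla.org/js/function' was shown
// to behave like function::; the other two were only suggested as candidates
// from MXR, so matching them is "suspicious", not "confirmed exploitable".
const MAGIC_NAMESPACES = [
  '@mozilla.org/js/function',
  '@mozilla.org/js/jsd',
  '@mozilla.org/js/xpc',
];

// Decode one backslash escape starting at src[j] === '\\'. Handles \xHH,
// \uHHHH and the common single-character escapes so that an obfuscated
// literal like '\x40mozilla.org/js/function' still compares equal.
function decodeEscape(src, j) {
  const n = src[j + 1];
  if (n === 'x') return { ch: String.fromCharCode(parseInt(src.slice(j + 2, j + 4), 16)), len: 4 };
  if (n === 'u') return { ch: String.fromCharCode(parseInt(src.slice(j + 2, j + 6), 16)), len: 6 };
  const simple = { n: '\n', t: '\t', r: '\r', b: '\b', f: '\f', v: '\v', '0': '\0' };
  return { ch: Object.prototype.hasOwnProperty.call(simple, n) ? simple[n] : n, len: 2 };
}

// Split source into code with string literals blanked out, plus the decoded
// literal contents. Comments are dropped so a :: in a comment is not a hit.
function tokenize(src) {
  let code = '';
  const strings = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === '"' || c === "'") {
      let lit = '';
      let j = i + 1;
      while (j < src.length && src[j] !== c) {
        if (src[j] === '\\') {
          const e = decodeEscape(src, j);
          lit += e.ch;
          j += e.len;
        } else {
          lit += src[j++];
        }
      }
      strings.push(lit);
      code += ' "" ';
      i = j + 1;
    } else if (c === '/' && src[i + 1] === '/') {
      const end = src.indexOf('\n', i);
      i = end === -1 ? src.length : end;
    } else if (c === '/' && src[i + 1] === '*') {
      const end = src.indexOf('*/', i + 2);
      i = end === -1 ? src.length : end + 2;
    } else {
      code += c;
      i++;
    }
  }
  return { code, strings };
}

// Returns the list of rule names that fired; an empty list means clean.
function scanForE4XNamespaceAbuse(src) {
  const { code, strings } = tokenize(src);
  const findings = [];
  if (/::/.test(code)) findings.push('e4x-qualified-name');
  if (/\bdefault\s+xml\s+namespace\b/.test(code)) findings.push('default-xml-namespace');
  for (const s of strings) {
    if (MAGIC_NAMESPACES.includes(s)) findings.push('magic-namespace:' + s);
    else if (s.startsWith('@mozilla.org/')) findings.push('mozilla-namespace-prefix:' + s);
  }
  return findings;
}

function isSafeForE4X(src) {
  return scanForE4XNamespaceAbuse(src).length === 0;
}

// Inputs: the snippets from the posts above, one escaped variant, two benign controls.
const SAMPLES = {
  thread1: "x = '@mozilla.org/js/function'\nx::['alert'](1)",
  thread2: "default xml namespace = '@mozilla.org/js/function'\nx = undefined\nx::alert(1)",
  yosuke: 'javascript:$="@mozilla.org/js/function";_="alert";$::[_](1)',
  gareth: "<></>.function::['x'];",
  escaped: "x = '\\x40mozilla.org/js/function'",        // constructed: hex-escaped namespace
  benignString: 'var s = "a::b"; alert(s);',             // constructed: :: only inside a string
  benignComment: '// x::y is only mentioned here\nalert(1);', // constructed: :: only in a comment
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(14), scanForE4XNamespaceAbuse(src));
}
```

The string-decoding step is the part worth copying: the thread's whole point is that the dangerous token is a string value, not a keyword, so any filter that compares raw source text against `function::` or `@mozilla.org/js/function` is trivially evaded with `\x40` or string concatenation. Concatenation (`'@mozilla' + '.org/js/function'`) still gets past this scanner, which is why the prefix rule flags partial matches on `@mozilla.org/` and why a real sandbox should reject `::` outright rather than try to enumerate namespace strings.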
