LOL

I send a smile, not a frown.

@@Anti-i25 Microsoft does this in many products, including Office

Firefox had the smile feature for a long time...

windows users too, noone opens IE on purpose :D

man, I was thinking exactly the same thing!!

stop WINEing

@Alfie Yes, though it's just a program, not an apt package (apt does package it though).

:eyes:

Lol

Vouch

a bit late, but check out his binary exploitation videos. this should get you started.

All new addons have to use the WebExtensionsApi now, which is quite limiting in some ways, so they probably wrote the addon on the old api

For some reason, the malware prevents itself from running if firefox is newer than version 55. Probably, the developers wanted to make the challenge more difficult.

Ty😠 LEECHERS!!!!!

This not that complicated look at his other stuff

Sadly, he's right. Adults ain't got time for solving problems and enjoying the challenge of it; we've got stuff to get done!

I have no clue 🤷‍♀️

@@LiveOverflow SPOILER ALERT: blog.attify.com/flare-on-5-writeup-part2/ "This method adds browserassist.dll to the AppInit_DLLs registry key. The AppInit_DLLs are a set of Dynamic Linked Libraries (DLL) that are loaded upon startup into the address space of every executable that links with user32.dll. Essentially, this means everytime a GUI application is run, browserassist.dll"

It's like LD_PRELOAD on Linux, just using the registry :)

@Richard Vaughn I was saying that it's the same principle. It both instructs the dynamic linker to load certain modules, no matter the scope

@Richard Vaughn There is a similar feature on Linux that works globally-- /etc/ld.so.preload -- I've seen Linux malware utilize this to hide themselves from process and file listings.

The registry key is used by all windows software. (iirc user32.dll injects these dlls from the registry) the dll simply checks the firefox version

how can you people check a whole pe file statically? :/ I give up if it is longer than two screen-fulls. teach me, sensei!!

Ye I think I saw it in Excel as well. It kind of tickled my virey-sense but apparently it belongs there.

Right since every infection has a condition to meet.

Yes but su can switch to other user too. It doesn't need to be root

Also, su stands for substitute user

PS ~ F

Same here.

Google for solutions?

overthewire.org, hackthebox.eu

root-me.org is also great

o

1001000 1101111 1110100 1100101 1101100 111111 100000 1010100 1110010 1101001 1110110 1100001 1100111 1101111

modelling this in z3 would have taken the at elast the sameamount or longer ;) Also: kzbin.info/www/bejne/iqHHdaRra7B7Z6s

@@LiveOverflow ok, i was practicing z3 this week, totally forgot about that video, thanks again

1001000 1101111 1110100 1100101 1101100 111111 100000 1010100 1110010 1101001 1110110 1100001 1100111 1101111

I think IE just likes to hook up to different browsers, or different browsers just use IE's stuff.. not 100% sure. but using windows you can see these things quite often.

vulnhub.com hackthebox.eu are good places to start. Helps to know basic linux commands and a little kali knowledge.

In programming languges ^ is often XOR. It doesn’t follow the mathematical logic notation. An AND would be &&

It depends on the programming language - in JavaScript ^ is the XOR operator (as it's in many other languages). XOR is just another logical operator like AND/OR/NOT and is the "either/or"-function. Look up the truth table for it. ^^ It is a very intersting function, because its inverse is XOR too. So, if you XOR two bits and get a third one, you can XOR this third one with any of the other two to retrieve the third one. This concept is very useful and used for RAIDs to duplicate data.

but there is still Adobe Flash capability back then .. so how does that work?

but there is still Adobe Flash capability back then .. so how does that work?

Nvm probably not

no, it's a malware.

Well, I think it would be possible todo this on other platforms too, however, its not very likely to happen: 1. It was a Windows only Software 2. Its not that easy (for an application, ofcourse there are the PRELOAD variables on Mac and Linux) to inject some code into firefox 3. Looks like that has been patched in firefox or at least the injection doesn't work anymore. Still, it is possible

There is nothing firefox can do to prevent this. The reason why it doesn’t work in a newer firefox versions are certainly just compatibility issues. The malware was not written to support these changes.

@@LiveOverflow exactly. Firefox still loads user32.dll which is the injection point

It is a regular number, or what do you mean? Also I have 0x80 in there, because 0x7F is the last valid ascii number

@@LiveOverflow I just dont understand the format of 0x80. What value does it represent and what is the benefit of using it rather than having plain number like 80?

Ah. It's a hex number. So 0x80 in hex is 128 in decimal. It's much nicer to represent byte values as hex numbers than decimal, but you have to get used to it first. The maximum byte number is 0xff, which is so much cleaner than 255. I have a video about "hex numbers" in my binary exploitation playlist. kzbin.info/www/bejne/o4WUh2p_gZd5frs

How does it work? There's a library called user32.dll, a very basic windows library that is used in GUI programs. There's a registry key in charge of what libraries get loaded with user32.dll and the malware injects browserassist.dll into that registry to be called when a program uses user32.dll. The reason why it affects older version of firefox because the malicious software is specifically checking every software that uses user32.dll and if that program is firefox.exe it'll check what version it is and if it's version 55 or below it'll run the rest of the code. Most likely it only affects those version because they programmed the exploit to only effect those because it was fixed after version 55 or firefox became too different for their code to work after 55 or 55 was the latest version when the malware was made. At this point the malware was modified to have custom injection exclusively for flare-on.

So theoretically it could also attack new versions or other browsers?

well the malware in this case seems pretty harmless- it doesnt steal your bank or anything..

Lol

He is missing the multiple layers of effects and transitions and his screen looks much cleaner.

Good idea. I wonder it has any mechanism to prevent this. Because if you could just write your js into the cache, no exploit is needed.