Targets Firefox version 17 and lower. This is the version (17.0.7) that you're required to use for TOR on Windows.[1]
It would take a long time to walk through what's being done, and even that isn't likely to be helpful. There's a lot of Array, Int32Array, and ArrayBuffer allocation and retrieval. It's possible one of the larger strings is for injecting code into memory. It doesn't look at the guid stored in the cookie or the query param. If it is a memory injection, your guess is as good as mine.[2]
Just my sense for staring at this for an hour. I know JavaScript, but I'm not a security expert.
Original iframe w/ ?requestID=<guid>: http://pastebin.com/HcGRQk2N (with HTML)
content_1.html: <connection reset> (only used for versions of Firefox less than 17)
content_2.html: http://pastebin.com/7sTk8bgx
content_2.html?????: http://pastebin.com/t9x4GHr1 (same as content_2.html)
content_3.html: http://pastebin.com/GGCny4Vb
error.html: <connection reset> (it's likely meant to fail)
It includes a hexdump of the shellcode, showing it's building an HTTP request to somewhere. So it's likely identifying Tor users through non-Tor connections.
Based on my poking around, the guid provided is included in the shellcode to be loaded into memory. I'm not sure if it is a Windows-only exploit or not. There is an ID of ws2_32IPHLPAPIPA6 that is also included as part of the shellcode.
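An added triage helper, not code from the thread or the pastebins, that does by script what the commenters did by hand: pull the long string literals out of the page, decode `%u`/`\x`/`\u` escapes into the bytes they would occupy in memory, list the printable runs inside them (HTTP request text, DLL names such as ws2_32), and count typed-array allocations. The JavaScript sample is constructed for this example and is not the real exploit page.

```python
import re
from collections import Counter

# Constructed stand-in for the kind of script discussed above: typed-array
# allocations plus one long escaped string carrying an HTTP request and a DLL name.
SAMPLE_JS = r'''
var var77 = new ArrayBuffer(0x1000);
var var78 = new Int32Array(var77);
var var79 = "%u9090%u9090%u9090%u9090\x47\x45\x54\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d\x0aHost: example.invalid\r\n\x00ws2_32IPHLPAPI\x00";
var short1 = "ok";
'''

STRING_LIT = re.compile(r'"((?:\\.|[^"\\])*)"|\'((?:\\.|[^\'\\])*)\'')
TOKEN = re.compile(r'%u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\(.)|(.)', re.S)
SIMPLE_ESC = {"n": b"\n", "r": b"\r", "t": b"\t", "0": b"\x00"}
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")

def decode_js_string(lit: str) -> bytes:
    """Decode a JS string literal body into bytes as a spray would lay them out:
    %uXXXX / \\uXXXX become little-endian 16-bit units, \\xHH a single byte,
    plain characters a single byte (good enough to spot ASCII artifacts)."""
    out = bytearray()
    for pu, bx, bu, esc, ch in TOKEN.findall(lit):
        if pu or bu:
            out += int(pu or bu, 16).to_bytes(2, "little")
        elif bx:
            out.append(int(bx, 16))
        elif esc:
            out += SIMPLE_ESC.get(esc, esc.encode("latin-1", "replace"))
        else:
            out += ch.encode("latin-1", "replace")
    return bytes(out)

def printable_runs(data: bytes) -> list[str]:
    """Runs of 4+ printable ASCII bytes, the cheap way to see what a blob talks to."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]

def typed_array_counts(js: str) -> dict[str, int]:
    """How many ArrayBuffer/typed-array allocations the script makes (spray signal)."""
    names = re.findall(r"new\s+(ArrayBuffer|Int32Array|Uint32Array|Uint8Array)\b", js)
    return dict(Counter(names))

def triage(js: str, min_bytes: int = 32) -> list[dict]:
    """Report every string literal that decodes to at least min_bytes of data."""
    findings = []
    for m in STRING_LIT.finditer(js):
        data = decode_js_string(m.group(1) if m.group(1) is not None else m.group(2))
        if len(data) >= min_bytes:
            findings.append({"offset": m.start(), "size": len(data), "strings": printable_runs(data)})
    return findings

if __name__ == "__main__":
    print(typed_array_counts(SAMPLE_JS))
    for f in triage(SAMPLE_JS):
        print(f)
```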
Could the kind intelligence that decodes this post a play-by-play for us regular folk? Is the first step trying to trace the logic mentally? Building some kind of graph-based representation of the code and its calling behavior...? When I read var77, var78, var79... well, yea.
[1] https://www.torproject.org/projects/torbrowser.html.en https://www.mozilla.org/en-US/firefox/organizations/faq/
[2] http://pastebin.com/gVna4pi2 (NB: it gets modified before used)