Targets Firefox version 17 and lower. This is the version (17.0.7) that you're required to use for TOR on Windows.
It would take a long time to walk through what's being done, and even that isn't likely to be helpful. There's a lot of Array, Int32Array, and ArrayBuffer allocation and retrieval. It's possible one of the larger strings is for injecting code into memory. It doesn't look at the guid stored in the cookie or the query param. If it is a memory injection, your guess is as good as mine.
Original iframe w/ ?requestID=<guid>: http://pastebin.com/HcGRQk2N (with HTML)
content_1.html: <connection reset> (only used for versions of Firefox less than 17)
content_2.html?????: http://pastebin.com/t9x4GHr1 (same as content_2.html)
error.html: <connection reset> (it's likely meant to fail)
Based on my poking around, the guid provided is included in the shell code to be loaded into memory. I'm not sure if it is a windows only exploit or not. There is an ID of ws2_32IPHLPAPIPA6 that is also included as part of the shellcode.
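The two comments above describe what the analyst saw rather than how to look for it: lots of Array, Int32Array and ArrayBuffer allocation, large string constants that may carry code, a cookie write, and ASCII identifiers (the request GUID, the string ws2_32IPHLPAPIPA6) sitting inside the payload. The script below is an added example, not code from the original thread or from the exploit page itself: a small static triage pass that tallies those allocation and cookie-write indicators and decodes %u-escaped string literals so any embedded ASCII identifiers become visible. SAMPLE_SCRIPT is a constructed stand-in (it is not content_2.html), the indicator regexes are heuristics, and the threshold values are assumptions.

```javascript
// Added example (not code from the original thread): static triage of a
// suspicious script for the indicators discussed above. SAMPLE_SCRIPT is a
// constructed stand-in, not the real content_2.html.
"use strict";

const SAMPLE_SCRIPT = [
  "var var77 = new Array();",
  "var var78 = unescape(\"%u9090%u9090%u7377%u5f32%u3233%u5049%u4c48%u4150%u4950\");",
  "var var79 = new ArrayBuffer(0x10000);",
  "var var80 = new Int32Array(var79);",
  "for (var i = 0; i < 0x200; i++) { var77[i] = var78 + var78; }",
  "document.cookie = \"ID=\" + requestID + \"; path=/\";",
].join("\n");

// Heuristic indicators (assumed thresholds, tune for the script at hand).
const ALLOC_RE = /new\s+(ArrayBuffer|Int32Array|Uint32Array|Uint8Array|Array)\s*\(/g;
const COOKIE_WRITE_RE = /document\.cookie\s*=(?!=)/g;
const UNESCAPE_RE = /\bunescape\s*\(/g;
const STRING_LITERAL_RE = /"((?:[^"\\\n]|\\.)*)"|'((?:[^'\\\n]|\\.)*)'/g;

function countMatches(src, re) {
  return (src.match(re) || []).length;
}

// Tally allocation sites by constructor name.
function countAllocations(src) {
  const counts = {};
  for (const m of src.matchAll(ALLOC_RE)) counts[m[1]] = (counts[m[1]] || 0) + 1;
  return counts;
}

// Pull out string literals at least minLength characters long.
function extractStringLiterals(src, minLength) {
  const out = [];
  for (const m of src.matchAll(STRING_LITERAL_RE)) {
    const body = m[1] !== undefined ? m[1] : m[2];
    if (body.length >= minLength) out.push(body);
  }
  return out;
}

// %uXXXX becomes two bytes, low byte first (the in-memory layout of the
// UTF-16 string unescape() produces); %XX becomes one byte; any other
// character contributes its low byte.
function decodeEscapes(literal) {
  const bytes = [];
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|([\s\S])/g;
  for (const m of literal.matchAll(re)) {
    if (m[1] !== undefined) {
      const v = parseInt(m[1], 16);
      bytes.push(v & 0xff, v >> 8);
    } else if (m[2] !== undefined) {
      bytes.push(parseInt(m[2], 16));
    } else {
      bytes.push(m[3].charCodeAt(0) & 0xff);
    }
  }
  return bytes;
}

// Collect runs of printable ASCII of at least minRun bytes (a "strings" pass).
function printableRuns(bytes, minRun) {
  const runs = [];
  let cur = "";
  for (const b of bytes.concat([0])) { // trailing 0 flushes the last run
    if (b >= 0x20 && b <= 0x7e) { cur += String.fromCharCode(b); continue; }
    if (cur.length >= minRun) runs.push(cur);
    cur = "";
  }
  return runs;
}

function triage(src, opts = {}) {
  const minLiteral = opts.minLiteral || 32;
  const minRun = opts.minRun || 4;
  const longStrings = extractStringLiterals(src, minLiteral).map((literal) => {
    const bytes = decodeEscapes(literal);
    return { literal, byteLength: bytes.length, strings: printableRuns(bytes, minRun) };
  });
  return {
    allocations: countAllocations(src),
    unescapeCalls: countMatches(src, UNESCAPE_RE),
    cookieWrites: countMatches(src, COOKIE_WRITE_RE),
    longStrings,
  };
}

console.log(JSON.stringify(triage(SAMPLE_SCRIPT), null, 2));
```

Run it with node against the constructed sample and the decoded long string shows the library name "ws2_32IPHLPAPI" that the raw %u text hides; pointing triage() at a real obfuscated page turns the var77/var78 noise into counts and readable strings that are worth a closer look, without executing anything from the page.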
Could the kind intelligence that decodes this post a play-by-play for us regular folk? Is the first step trying to trace the logic mentally? Building some kind of graph-based representation of the code and its calling behavior...? When I read var77, var78, var79... well, yea.
The IP that's hosting the iframe is a Verizon Business one. The JS also looks to be setting a cookie, probably for identification purposes (reading the cookie from another site to confirm the user?). I'm not sure that's the case because once the Tor Bundle is closed, cookies are automatically deleted.
So the founder of Tor Freedom is arrested and now this. Quite a coincidence. Maybe not NSA, but probably some kind of government agency. I think the best bet people can make these days is to assume that government is guilty and means to do nasty things - until proven otherwise.
Realistically though, if the NSA were going to penetrate TOR, they would just own exit nodes and do social engineering. Bear in mind that the American government had a hand in building TOR to begin with.
That this appears to be so blatant suggests to me that it has nothing to do with surveillance at a state level.
Even if it isn't outside the realm of possibility, I don't think it's plausible for an organization that's supposedly powerful enough to monitor and archive all domestic and incoming electronic communication, when there's an entire ecosystem of hackers and skiddies out there anyway who do this kind of thing elsewhere all the time. JS in an iframe? XSS? Why would they even bother?
It is NSA. No implication needed. FBI nabs host owner and suddenly code is injected to exploit all end users? Rather tired of people downplaying these events at every attempt. What does your comment add? At least the parent comment you are responding to hinted at a potential suspect.
Perhaps he doesn't want to be hunted either, directly implicating the US for the US's work.
Seriously, bring something to the discussion if you are going to be asking others to do the same.
By the way, the person who started the site linked is being prosecuted by the DoJ, no doubt with others involved being hunted down as well. I'm sure there are no implications to any of this.
FBI, who happens to work as a conduit for the NSA, along with any number of the other acronym boys? Or the corporations they hire while handing out legal immunity for the actions they are hired for? Or Google and others who also accept payoffs and immunity for helping monitor the acronym boy's targets?
How are the various crony corporations publicizing these deeds as services not relevant? This is the subject of exploits being used on users of a host whose owner was arrested, correct?
I am readily awaiting a more logical answer than another contracted service like Endgame and their pool of exploits they are so ready to use on the non legally immune citizens of the world. Or companies like Google for going along with the dragnet monitoring and exploitation of dissidents.
All of them are connected by virtue of payoffs, insider trading, market manipulation. None of it is irrelevant.
I've referenced Endgame Systems before; exploiting end users for profit for figures like the NSA is their type of game.
"There are even target packs for democratic countries in Europe and other U.S. allies. Maui (product names tend toward alluring warm-weather locales) is a package of 25 zero-day exploits that runs clients $2.5 million a year."
Endgame's product list was not marked classified, a product meant for distribution only to the likes of the NSA but peddled amongst fellow for-profit "whitehats" in arms. Yet another company with immunity to laws others are hunted and imprisoned for.