So, it’s several years on and another exploit has been detected targeting the Tor Browser Bundle. It’s purpose? to send your MAC and IP address to a server operated by OVH and it was presumably made available on criminally orientated dark websites. Whilst the shellcode is not exactly the same, it is largely so – therefore, I give a brief overview here largely as an addendum to my 2013 post about the original exploit.
If you want to analyse it , then it uses the same function resolver as the 2013 shell code and you can find a list of hashes above. You can quickly find the connect call and following the instructions through you can see the sockaddr structure is placed on the stack this time via the first two pushes. 0x5000 is in network byte order and reversing the bytes reveals 0x50 or port 80. The 0xE21B2705 is the IP address made up of four bytes. Again, the bytes are in reverse order revealing the IP of 126.96.36.199 (0x05, 0x27, 0x1B, 0x E2).
What’s sent? Pretty much the same as last time:
- Host header contains the the computer name
- Cookie contains the user’s mac address (MC=xxxxxxxxx)
- The URL in the GET request is presumably to link the user to a request and tie up all the dots for court.