Chinese hackers changed the face of the Internet forever by taking the wrong step — trying to hack the search giant and several other giants.
So what does this code do?
In Easy Words: Basically, the script creates a blank element on the page. This element has an “address” like a house. Then the element “moves out” and something else takes up the space of the house (it might even move the house around, or be larger than the house and contain it). But the script still knows where the house was and can put things in there, and if another bit of the program happens to overlap that space, code placed there might get executed maliciously.
Technical Language: It is essentially a mixture of a buffer overflow and brute-forcing the following passwords: Love, Secret, Sex, and sometimes God. The likely mechanism is as follows:
- Script creates objects within the rendered page, specifically the “comment” HTML element, which isn’t rendered
- Script retains a pointer to the element (saves a way of accessing the element)
- Script deletes the element it created, but holds on to the pointer
- Script then tries to update the memory of the element, which it has since deleted, via the pointer
- Since the element no longer exists, its memory is used for other things
- By writing a command into that memory, whatever the memory is NOW being used by executes what’s in the bit of memory that the pointer points to
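The sequence in the list above (a pointer retained past the element’s deletion, and the freed memory then reused by something unrelated) as an added C example, not code from the post or from the exploit: the fixed-size slot allocator, the Element and Scratch types and the generation-tagged Handle are all constructed here for illustration. It also shows one mitigation, validating a generation-tagged reference on every use, so a stale reference is refused instead of dereferenced.

```c
#include <string.h>
/* A node with a callback pointer (standing in for the deleted "comment" element)
   and an unrelated buffer of the same size that later occupies its memory. */
typedef struct { void (*on_event)(void); int id; } Element;
typedef struct { char text[32]; } Scratch;
typedef union { Element el; Scratch sc; } Slot;
/* Toy fixed-size allocator (constructed for this example): a freed slot is handed
   back by the very next allocation, so the reuse the post describes is deterministic. */
#define SLOTS 4
static Slot pool[SLOTS];
static int in_use[SLOTS];
static unsigned generation[SLOTS];   /* bumped on every free; used by the fix below */
static int slot_index(const void *p) { return (int)((const Slot *)p - pool); }
static void *slot_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; memset(&pool[i], 0, sizeof pool[i]); return &pool[i]; }
    return NULL;
}
static void slot_free(void *p) { int i = slot_index(p); in_use[i] = 0; generation[i]++; }
static void benign_handler(void) {}
/* Vulnerable pattern from the post: a raw pointer kept across the delete. Returns 1
   when the callback read through the stale pointer is no longer the original one. */
int stale_pointer_sees_foreign_data(void) {
    Element *el = slot_alloc();
    el->on_event = benign_handler; el->id = 1;
    Element *stale = el;                /* pointer retained ... */
    slot_free(el);                      /* ... after the element is deleted */
    Scratch *s = slot_alloc();          /* the slot now belongs to something else */
    memset(s->text, 'A', sizeof s->text);
    /* A caller invoking stale->on_event here would jump to address 0x4141... */
    return stale->on_event != benign_handler;
}
/* Mitigation: refer to elements by a (slot, generation) handle and validate it
   on every dereference, so a stale reference is refused instead of used. */
typedef struct { int slot; unsigned gen; } Handle;
static Handle make_handle(const void *p) { int i = slot_index(p); return (Handle){ i, generation[i] }; }
static Element *resolve(Handle h) {
    if (!in_use[h.slot] || generation[h.slot] != h.gen) return NULL;
    return &pool[h.slot].el;
}
int stale_handle_is_rejected(void) {
    Element *el = slot_alloc();
    el->on_event = benign_handler;
    Handle h = make_handle(el);
    slot_free(el);
    Scratch *s = slot_alloc();          /* same slot reused, as above */
    memset(s->text, 'A', sizeof s->text);
    return resolve(h) == NULL;          /* generation mismatch: access denied */
}
```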
It actually builds that string 200 times, so as to fill 100 MB of heap space with 200 copies of the exploit, before discarding it all. Presumably this gives a high probability that a future allocation will land somewhere that, should the instruction pointer end up there, leads to execution of the shellcode.
For more on this, even Metasploit has detailed how to reproduce this bug in IE.
All in all, the code is quite complex and hard to understand at first look. Let me know if you feel it’s something more than what is explained above. Truly, a high-profile attack.