Date: Sat, 9 Apr 2011 13:41:05 +0530
From: satyam pujari <satyamhax@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Google Search Feature Exploitation Scenario

Hello List,

Here is a simple exploitation scenario for Google's "I'm Feeling Lucky" search
feature.

============================================================================================================================================
1. The attacker hosts a malicious page/script (e.g. an Exploit Kit) at a free
3rd party hosting provider. The site is 0x.t35.com in this example.

2. The attacker creates a free blog on blogger.com and selects an 'odd' /
'unique' name. Yes, by selecting an odd name the chances are higher that your
blog will be listed on the first page of Google search when a visitor
queries the name of your blog. It also depends on hits & geographical
locations, I believe. But practically it's not very difficult to get your
blog listed on the first page/first link of the search results. There are
many ways to achieve this.

For Example: esploit.blogspot.com

3. Now, the attacker uses a feature of Google Search, "I'm Feeling Lucky", to
redirect the victim to his blog using the URL below.

http://www.google.com/search?q=esploit&btnI
OR
http://www.google.co.in/search?hl=en&source=hp&biw=&bih=&q=esploit&btnI=I%27m+Feeling+Lucky&aq=f&aqi=&aql=&oq=

So, the attacker confirms that he/she can successfully redirect the victim
to his/her blog by using the "I'm Feeling Lucky" feature, which basically
does nothing but redirect the user to the first page of the search results.

4. Now the attacker puts an iframe in the latest post of the blog, linking to
the 3rd party site where the malicious page/script is hosted.

5. The attacker now makes the victim click the link (many ways of doing it).

It's very simple but can be effectively used in a real phishing attack
scenario.

============================================================================================================================================

Gr33tz  @blackhatlinux @alchemist16
Regards,
satyamhax
http://esploit.blogspot.com
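From a defender's side, the thing worth flagging in the scenario above is the link shape itself: a Google /search URL carrying the btnI parameter does not land on a results page but redirects to whatever ranks first for the query at click time, so the destination is invisible in the link. The following is an added example (not code from the original post) that detects such links in a list of URLs pulled from mail bodies or proxy logs; the host heuristic and the sample URLs are constructed for illustration, except the two URLs quoted in the post.

```python
"""Flag "I'm Feeling Lucky" style redirect links: Google /search URLs
that carry the btnI parameter (with or without a value)."""
from typing import Optional
from urllib.parse import urlsplit, parse_qs


def is_feeling_lucky_redirect(url: str) -> Optional[dict]:
    """Return details if `url` is a Google search URL using btnI, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Loose heuristic (assumption): any host with a "google" label, e.g.
    # www.google.com or www.google.co.in, whose path is /search.
    if "google" not in host.split(".") or not parts.path.startswith("/search"):
        return None
    # keep_blank_values=True so a bare "&btnI" (no "=value") is still seen,
    # which is exactly the short form quoted in the post.
    params = parse_qs(parts.query, keep_blank_values=True)
    if "btnI" not in params:
        return None
    return {
        "host": host,
        "query": params.get("q", [""])[0],   # what the first result is chosen for
        "btnI": params["btnI"][0],           # "" or the decoded button label
    }


def scan_urls(urls):
    """Return (url, details) for every URL that triggers a first-result redirect."""
    return [(u, d) for u in urls if (d := is_feeling_lucky_redirect(u))]


# Constructed sample: the two URLs from the post plus two benign ones.
SAMPLE_URLS = [
    "http://www.google.com/search?q=esploit&btnI",
    "http://www.google.co.in/search?hl=en&source=hp&biw=&bih=&q=esploit"
    "&btnI=I%27m+Feeling+Lucky&aq=f&aqi=&aql=&oq=",
    "https://www.google.com/search?q=esploit",      # ordinary results page
    "https://example.com/search?q=esploit&btnI",    # not a Google front end
]

if __name__ == "__main__":
    for url, details in scan_urls(SAMPLE_URLS):
        print("redirect link:", url, details)
```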


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
