Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Myspace cookie theft not working
Date: April 19, 2007 09:41PM

I managed to get an IE user's cookie with a Momby idea.
http://momby.livejournal.com/4922.html
Unfortunately, unlike Firefox, I cannot simulate being the user. It just prompts me for the E-Mail and password. There is no MYUSERINFO variable in the cookie.
Has anyone tried this bug out or know what the problem is?
ty

Re: Myspace cookie theft not working
Date: April 19, 2007 10:19PM

I don't actually use their shitty services so I can only speculate. Is their IP address inside of the cookie still, and possibly causing a problem?


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Myspace cookie theft not working
Date: April 20, 2007 10:02PM

> I don't actually use their shitty services so I can only speculate.
Nor do I, but I think we both enjoy playing with their security.

> Is their IP address inside of the cookie still, and possibly causing a problem?
The IP addresses mismatched for Firefox and it worked, so I don't think that's the reason. Unfortunately, I can't test to be sure. The cookie is now days old (expired) and the bug has been patched.

I'm on a new mission. I want to get this working. It is easy to copy/paste and see the results, but I cannot figure out how to write anything of my own. I wrote
<script>alert('hi')</script>
in base64 format and made it the value for the variable __VIEWSTATE. It only told me there was an error every time I tried submitting:

> Sorry! an unexpected error has occurred.
> This error has been forwarded to MySpace's technical group.

Will anyone explain the process it requires to get this working? That would be excellent.
Thank you.

Re: Myspace cookie theft not working
Posted by: digi7al64
Date: April 22, 2007 08:47PM

> In order to modify the vulnerable parameter, some base64 encoding and decoding is required. This is easily accomplished with many b64 encoders, one of the easiest to use being the online encoder at http://www.motobit.com/util/base64-decoder-encoder.asp. An attacker may take the __VIEWSTATE value, decode and save the binary, and edit the section at offset 0xdb using his favorite hex editor. This is a standard TLV (type-length-value) node, which supplies the text displayed in the Friends header box, such as |05 10|Tom's Friends... (|05| being type, |10| being length decimal 16, the length of "Tom's Friends...")

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Myspace cookie theft not working
Date: April 23, 2007 10:13AM

That's the part I don't get. I see no part in the example that resembles the structure of the string "0xdb". I know "0x" denotes the beginning of a memory address, but I don't see how that has anything to do with getting this functional. It looks like the octal address encoding on the XSS Cheat Sheet, but that's only for IP addresses. My text editor (Notepad++) has only five character encoding options.

- ANSI
- UTF-8
- UCS-2 Big Endian
- UCS-2 Little Endian
- UTF-8 without BOM

None of these resemble a mode called "offset 0xdb". I've decoded what Momby had, edited the <script> part to have an alert, and converted back to base64. I still received the same error message:

> Sorry! an unexpected error has occurred.
> This error has been forwarded to MySpace's technical group.



Edited 1 time(s). Last edit at 04/23/2007 12:25PM by digitalIllusionism.

Re: Myspace cookie theft not working
Posted by: hasse
Date: April 24, 2007 12:45PM

digitalIllusionism Wrote:
-------------------------------------------------------
> That's the part I don't get. I see no part in the
> example that resembles the structure of the string
> "0xdb" in the example. I know "0x" denotes the
> beginning of a memory address but I don't see how
> that has anything to do getting this functional.
> It looks like the octal address encoding on the
> XSS Cheat Sheet but that's only for IP addresses.
> My text editor (Notepad++) has only five character
> encoding options.
>
> - ANSI
> - UTF-8
> - UCS-2 Big Endian
> - UCS-2 Little Endian
> - UTF-8 without BOM
>
> None of these resemble a mode called "offset
> 0xdb". I've decoded what Momby had, edited the
> part to have an alert, and converted back to
> base64. I still received the same error message.
> Sorry! an unexpected error has occurred.
> This error has been forwarded to MySpace's
> technical group.


Use a hex editor to edit the file and go to byte number 219 (the first byte being byte 0).

Re: Myspace cookie theft not working
Posted by: jungsonn
Date: April 24, 2007 05:18PM

Haha, wow, I never thought MySpace would use base64. That's a classic security-through-(wrong)-obscurity example. I thought they would be smarter and generate random tokens.

They say MySpace cannot detect it, but that is a false statement; of course they can detect it by decoding it back, which they probably already do to fetch content based upon the parameters in it. (I'm not sure, because I never had a MySpace account, but that's what I'm guessing.)

Re: Myspace cookie theft not working
Date: April 24, 2007 06:26PM

> Use a hex editor to edit the file and go to byte number 219 (the first byte being
> byte 0).

I thought a hex editor was any text editor designed for coding. I've made progress by learning what a hex editor is. Thank you. I haven't been successful at using this exploit, but I'm happy to learn anything, even if I don't get it functional. The 219th byte was the character "t" in the string "Text", a couple of characters before the string "<script>".

Did you maybe miscount and mean the 222nd byte, which is the "<" in the string "<script>"? I did modify that JavaScript using the XVI32 hex editor. I converted back to base64, tried again, and received that same error message.
> Sorry! an unexpected error has occurred.
> This error has been forwarded to MySpace's technical group.

Where have I gone wrong?

Re: Myspace cookie theft not working
Posted by: kogir
Date: April 25, 2007 02:26AM

I don't use MySpace at all so I can't say for sure, but:

__VIEWSTATE is the ASP.Net viewstate. It might be base64 encoded, but since MySpace uses ASP.Net 2.0, it's more likely encoded with the ObjectStateFormatter (http://msdn2.microsoft.com/en-us/library/system.web.ui.objectstateformatter.aspx). Also, ASP.Net has a built-in option to use an HMAC to verify the validity of the viewstate. If HMAC verification is enabled, you'll need to guess the private key they use.

-kogir

Re: Myspace cookie theft not working
Posted by: hasse
Date: April 25, 2007 06:48AM

digitalIllusionism Wrote:
-------------------------------------------------------
> > Use a hex editor to edit the file and go to byte
> number 219 (the first byte being
> > byte 0)."
>
> I thought a hex editor was any text editor
> designed for coding. I've made progress by
> learning what a hex editor is. Thank you. I
> haven't been successful at using this exploit, but
> I'm happy to learn anything, even if I don't get
> it functional. The 219th byte was the character
> "t" in the string "Text", a couple characters
> before the string ""
>
> Did you maybe miscount and mean the 222nd byte,
> which is the "<" in the string ""? I did modify
> that JavaScript using the XVI32 hex editor. I
> converted back to base64, tried again, and
> received that same error message.
> Sorry! an unexpected error has occurred.
> This error has been forwarded to MySpace's
> technical group.
>
> Where have I went wrong?


Well offset 0xdb should be at byte 219. It's possible that you also have to edit the length value.

Like they say on the page:

> This is a standard TLV (type-length-value) node, which supplies the text displayed in the Friends header box, such as |05 10|Tom's Friends... (|05| being type, |10| being length decimal 16, the length of "Tom's Friends...")

So I guess it should be:
[Text][05][Length in hex][Script code]



Edited 2 time(s). Last edit at 04/25/2007 06:49AM by hasse.

Re: Myspace cookie theft not working
Date: May 14, 2007 11:07AM

@hasse:
Isn't this byte 219?
Momby's example is functional. I'm not certain where I would specify a length value, but I only overwrote between "<script>" and "</script>", rather than changing the length. In other words, my string is precisely the same size as Momby's, so I'd imagine there's no need to claim a different length.
Thanks for replying.

kogir said:
> Also, ASP.Net has a built-in option to use an HMAC to verify the validity of the viewstate. If HMAC verification is enabled, you'll need to guess the private key they use.

Which portion of my screenshot represents the data you are suggesting to edit?
Thanks for replying.



Edited 1 time(s). Last edit at 05/14/2007 11:13AM by digitalIllusionism.

Re: Myspace cookie theft not working
Posted by: hasse
Date: May 14, 2007 12:29PM

digitalIllusionism Wrote:
-------------------------------------------------------
> @hasse:
> Isn't this byte 219?
> Momby's example is functional. I'm not certain
> where I would specify a length value, but I only
> overwrote between "" and "", rather than changing
> the length. In other words: My string is
> precisely the same size as Momby's, so I'd imagine
> there's no need to claim a different length.
> Thanks for replying.

Well, it seems like you should just start the edit from the < in the first <script> tag. Offset 0xDB should be the length value just before the actual data.
As it can look in a hex editor:
Text.}<script>docu
So the } sign is the length of the data section that follows. But if you preserved the length, that shouldn't be an issue, like you said.



Edited 2 time(s). Last edit at 05/14/2007 12:30PM by hasse.
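As an added example (not code from this thread, from MySpace or from ASP.NET), a toy Python model of the TLV node hasse describes and of the viewstate MAC kogir mentions: the parser reads a same-length overwrite of the value without complaint, while HMAC verification on the server side rejects it. The type byte 0x05, the one-byte length, the leading padding, the key and the HMAC-SHA1 tag layout are assumptions for illustration; real ObjectStateFormatter output is more complex.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Toy model of one serialized node |type|length|value|, as in |05 10|Tom's Friends...
# (constructed; the real ObjectStateFormatter layout is not reproduced here)
TYPE_STRING = 0x05

def encode_tlv(text: str) -> bytes:
    """Serialize a string node with a single-byte length (toy format)."""
    data = text.encode("utf-8")
    if len(data) > 0xFF:
        raise ValueError("value too long for a one-byte length")
    return bytes([TYPE_STRING, len(data)]) + data

def decode_tlv(blob: bytes, offset: int) -> Tuple[int, str, int]:
    """Return (type, text, offset of the next node) for the node at offset."""
    node_type, length = blob[offset], blob[offset + 1]
    value = blob[offset + 2:offset + 2 + length]
    if len(value) != length:
        raise ValueError("truncated TLV node")
    return node_type, value.decode("utf-8"), offset + 2 + length

def sign(body: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA1 tag, the shape of ASP.NET's viewstate MAC option."""
    return body + hmac.new(key, body, hashlib.sha1).digest()

def verify(signed: bytes, key: bytes) -> Optional[bytes]:
    """Return the body if the tag matches, else None (server-side check)."""
    body, tag = signed[:-20], signed[-20:]
    expected = hmac.new(key, body, hashlib.sha1).digest()
    return body if hmac.compare_digest(tag, expected) else None

def overwrite_value(signed: bytes, offset: int, new_value: bytes) -> bytes:
    """Same-length overwrite of value bytes, leaving type, length and tag alone."""
    buf = bytearray(signed)
    buf[offset:offset + len(new_value)] = new_value
    return bytes(buf)

KEY = b"server-side-secret-never-sent-to-the-browser"      # constructed
BODY = b"\x00\x00\x00\x00" + encode_tlv("Tom's Friends...")  # node starts at offset 4

if __name__ == "__main__":
    signed = sign(BODY, KEY)
    print(decode_tlv(BODY, 4))                    # (5, "Tom's Friends...", 22)
    bad = overwrite_value(signed, 6, b"Eve's Friends...")
    print(decode_tlv(bad, 4)[1])                  # parser accepts: Eve's Friends...
    print(verify(bad, KEY) is None)               # MAC rejects the edit: True
```

The same-length edit keeps the length byte consistent, which is why a length-only check never notices it; only the keyed MAC ties the bytes to the server.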

Re: Myspace cookie theft not working
Date: May 15, 2007 10:04AM

How can I get this to work?
