[Full-Disclosure] MSN search spoof

From: morning_wood (se_cur_ityat_private)
Date: Fri May 30 2003 - 15:25:37 PDT


    morning_wood
    http://exploitlabs.com
    05/30/03
    
     Interesting MSN search spoof at http://arheo.com/ - all links are
    "mouseover"ed (the status bar is forced to show an msn.com URL);
    fun excerpts follow..
    
    MICROSOFTS SELLING VIAGRA ( key words here...  "micro" "soft" )
     guess they dont got wood, heh.
    
    ======================= snippage ===============================
    
    <META http-equiv=PICS-Label
    content='(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l comment "RSACi
    North America Server" by "inetat_private" r (n 0 s 0 v 0 l 0))'><LINK
    href="sys/en-us_CSS_Classic.css"
    type=text/css rel=stylesheet>
    
    <SCRIPT language=javascript>
    // Global error handler that always returns true. Returning true from
    // window.onerror suppresses the browser's default script-error report, so
    // any script failure on this page is hidden from the visitor.
    function sErr(){return true;}
    window.onerror=sErr;
    // Help-pane and message strings naming help.msn.com and "MSN Search".
    // NOTE(review): presumably carried over from the genuine MSN page to make the
    // copy look authentic - nothing visible in this excerpt reads them; confirm.
    // The mail was hard-wrapped, so several string literals below are split
    // across lines and the excerpt is not runnable exactly as posted.
    var H_URL_BASE="http://help.msn.com/EN_US";var H_KEY="srch_hme";var
    L_H_TEXT="For help performing a basic search, click a topic.";var
    bSearch="TRUE";var H_BURL="helppane.htm";var H_CONFIG="searchv7.ini";var
    L_H_APP="MSN Search";var notextalert = "Please type the word or words you
    wish to search for in the Search box.";var contactuserror = "Your request is
    incomplete or your email address is not valid. Both your email address and a
    description are needed, please complete the required text boxes.";</SCRIPT>
    
    <SCRIPT language=javascript
    src="sys/utils.js"
    type=text/javascript></SCRIPT>
    <SCRIPT LANGUAGE="JavaScript">
    // Status-bar spoof: the default status text is set to an msn.com URL, and a
    // timer re-applies the same text every 2 ms. Hovering a link therefore never
    // shows its real destination; the status bar cannot be trusted on this page.
    // The timer body is passed as a string, so it is evaluated as code each tick.
    self.defaultStatus="http://auto.search.msn.com/";
    setInterval("window.status='http://auto.search.msn.com/'",2);
    // Frame-buster: if the page is loaded inside a frame, replace the top-level
    // document with this page.
    if (self.location != top.location) {
     top.location = self.location
    }
    // Move the window to the top-left corner and stretch it over the available
    // screen area.
    // NOTE(review): screen.Width / screen.Height are capitalised; the standard
    // properties are screen.width / screen.height, so this test probably always
    // succeeds and the resize always runs - confirm against the target browser.
    self.moveTo(0,0);
    if ((screen.Width != screen.availWidth) || (screen.Height !=
    screen.availHeight)) { self.resizeTo(screen.availWidth,screen.availHeight)};
    
    // Sends the visitor to `website`.
    // When document.all exists (the Internet Explorer DOM), a new 1x1 window
    // without a toolbar is opened at (leftdist, topdist), grown step by step to
    // roughly the full available screen, and only then pointed at `website`.
    // Otherwise the current window is navigated to `website` instead.
    // `website` is the URL to load; nothing is returned.
    function expandingWindow(website) {
    // NOTE(review): the two "speed" values are the pixel increments of the resize
    // loops below, so a larger value means fewer steps, not a slower animation.
    var heightspeed = 18; // vertical scrolling speed (higher = slower)
    var widthspeed = 30;  // horizontal scrolling speed (higher = slower)
    var leftdist = 0;    // distance to left edge of window
    var topdist = 0;     // distance to top edge of window
    if (document.all) {
    var winwidth = window.screen.availWidth+10; // - leftdist;
    var winheight = window.screen.availHeight - topdist;
    // Empty URL and empty name: a blank window is created first and navigated last.
    var sizer = window.open("","","left=" + leftdist + ",top=" + topdist +
    ",width=1,height=1,scrollbars=yes,toolbar=no");
    // sizeheight and sizewidth are never declared, so they become globals.
    // Grow the height first while the width stays at 1 ...
    for (sizeheight = 1; sizeheight < winheight; sizeheight += heightspeed) {
    sizer.resizeTo("1", sizeheight);
    }
    // ... then grow the width, keeping the height reached above.
    for (sizewidth = 1; sizewidth < winwidth; sizewidth += widthspeed) {
    sizer.resizeTo(sizewidth, sizeheight);
    }
    sizer.location = website;
    }
    else
    window.location = website;
    }
    // Right-click hijack. `event` is the global event object (window.event in
    // Internet Explorer); a button value of 2 is the right mouse button. Instead
    // of the context menu, a right click opens the coolwebsearch.com affiliate
    // search (aff=1240) through expandingWindow and returns false. This also
    // keeps the visitor from using "View Source" or "Properties" from that menu.
    function click() {
    if (event.button==2) {
    expandingWindow('http://www.coolwebsearch.com/search.php?aff=1240&qq=viagra'
    ); return false;
    }
    }
    // Installed for every mouse-button press anywhere in the document.
    document.onmousedown=click
    </SCRIPT>
    
    <!-- Footer of the spoofed page. The visible text (a Microsoft copyright line,
         "Terms of Use", "Advertise", "TRUSTe Approved Privacy Statement",
         "Get NetWise") imitates a legitimate footer, but every href points to a
         coolwebsearch.com search URL carrying the same aff=1240 parameter.
         Judge these links by their href, not by their label or the status bar. -->
    <DIV class=cr>©2003 Microsoft Corporation. All rights reserved.</DIV><A
          class=cr
    href="http://www.coolwebsearch.com/search.php?aff=1240&qq=Online
    Gambling">Terms of Use</A> <A
          class=cr
    href="http://www.coolwebsearch.com/search.php?aff=1240&qq=Advertising">Adver
    tise</A> <A class=cr
    
    href="http://www.coolwebsearch.com/search.php?aff=1240&qq=Privacy">TRUSTe
    Approved Privacy
          Statement</A> <A class=cr
    
    href="http://www.coolwebsearch.com/search.php?aff=1240&qq=Entertainment">Get
    NetWise</A>
    
    
    <SCRIPT language=JavaScript>
    // g_bShowFlash starts false; the VBScript probe written out further down in
    // this script sets it when the Flash 4 control can be created.
    // g_OTPhasCookie(name) splits document.cookie on ";", strips leading spaces
    // from each entry, and returns true when an entry starts with name + "=".
    // Mail wrapping split this function mid-token (the ' ' literal and the
    // bHasCookie identifier), so it is not runnable exactly as posted.
    var g_bShowFlash=false;
    function g_OTPhasCookie(name){var
    bHasCookie=false,sCookie=document.cookie,aCookie=sCookie.split(";");for(var
    i=0;i<aCookie.length;i++){while(aCookie[i].substr(0, 1)=='
    '){aCookie[i]=aCookie[i].substr(1);}if(aCookie[i].indexOf(name+'=')==0){bHas
    Cookie=true;break;}}return bHasCookie;}
    // Flash probe. It runs only when navigator.appVersion contains "Win", reports
    // MSIE 4 or later, and does not contain "MSN ". document.write then emits a
    // VBScript block that sets g_bShowFlash from
    // CreateObject("ShockwaveFlash.ShockwaveFlash.4"), with "on error resume next"
    // hiding a failed creation. The tag name is written as '<SCR' + 'IPT' so that
    // no literal script tag appears inside this script element.
    if (navigator.appVersion.indexOf("Win")>=0 &&
    parseFloat(navigator.appVersion.substr(navigator.appVersion.indexOf("MSIE
    ")+5))>=4 && parseFloat(navigator.appVersion.indexOf("MSN "))==-1)
    {document.write('<SCR' + 'IPT LANGUAGE=VBScript\> \n');document.write('on
    error resume next \n');document.write('g_bShowFlash = (
    IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.4")))\n');document.writ
    e('</SCR' + 'IPT\>');}
    // Frequency-capped ad loader. When Flash was detected and no OTPFRQ cookie
    // exists, it sets OTPFRQ=1 (path=/, expiring in 24 hours). If the cookie can
    // then be read back, it writes a script element that loads
    // ADSAdClient31.dll from rad.msn.com.
    // NOTE(review): this looks like ad code retained from the genuine MSN page,
    // not something added by the spoof - confirm against the original page.
    if(g_bShowFlash == true){if(!g_OTPhasCookie('OTPFRQ')){var expiredate=new
    Date();expiredate.setHours(expiredate.getHours()+24);document.cookie="OTPFRQ
    =1; path=/;
    expires="+expiredate.toGMTString();if(g_OTPhasCookie('OTPFRQ')){document.wri
    te('<scri' + 'pt language="javascript"
    src="http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=IMGHIA?PS=111?PI=111?AP=?
    TF=_blank"></scr' + 'ipt>');}}}
    </SCRIPT>
    
    ==================== end of snippage ========================
    
    
    
    
    
    http://exploitlabs.com "where finding your holes is job one, and plugging
    them is twice the fun"
    ©2003 exploitlabs.com®
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    


