Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
new project, not a name yet
Posted by: SpoofGhost
Date: July 15, 2008 09:41AM

Hi there,

Well, basically I want to start and create some sort of shell. This shell will be made out of just one or 2 HTML files provided with JavaScript. The idea might not work; that's why I want to know your opinion about it.

The basic idea is to send/upload the HTML document to a victim's computer.

This HTML document will have some sort of connection with a site online, using an endless loop and XHR to download the commands from my own site. This way I can browse sites through "his" connection. The thing is, if you use XHR from your desktop you can always get the content of every site. Well, in most cases this works!!

So basically I type in www.google.nl and the HTML document grabs the site address I gave with XHR, then it will perform another XHR to get the content of www.google.nl and pass it on to my site so I can see the site. Then if I click on a link in my it will send another command, and it again does an XHR request with the link I was following. So basically I'm browsing the internet with his computer and his cookies etc. So I go into their Gmail account, as an example; if he is logged in I can read his mail etc. etc.

It's all based on XHR that is never blocked because it is run from the desktop.

The idea is already there; now I want to know your opinion and things that might be a problem, etc. If I get some feedback I will start to work on it. Also, I will make a dropper in C++ which will download the file from the net and start it up every time the PC reboots, hidden of course. This isn't hard; I have already made something like this before. But I really want to create a POC out of this.

Re: new project, not a name yet
Date: July 16, 2008 06:06PM

Based upon personal experiences manipulating the XMLHTTPRequest object I believe you will be limiting yourself to Microsoft Internet Explorer 5 and 6, and Firefox. Internet Explorer 7 supports two different instances or types of the XMLHTTPRequest object: ActiveX, and native (similar to Firefox, Opera, Safari, et cetera). Using the ActiveX control and running the application from the trusted zone (such as the desktop) will produce a warning at the top of the screen in MSIE 7 about how there is potentially a dangerous action looking to occur, while the native object should produce a similar (if not the exact same) message. So if the goal of this project is to create a somewhat stealthy shell then such a prompt should act as an immediate red flag for the user.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: new project, not a name yet
Posted by: SpoofGhost
Date: July 16, 2008 07:34PM

I know what you mean; that's why I will create a small C++ application which runs the HTML file hidden and also makes it start up every time the PC reboots.

But the start is all about social engineering. So in most cases someone will just accept it, especially people who don't know a lot about PCs and related stuff.

I've already started on a small POC.

But that's for later!

Re: new project, not a name yet
Posted by: DoctorDan
Date: July 17, 2008 11:38AM

If you can get a C++ app to run on someone's computer, then why are you bothering with the limitations of JS? Maybe I don't completely understand what you're doing.

Re: new project, not a name yet
Date: July 17, 2008 06:55PM

Dan, that's exactly what I foresaw him mentioning when I first replied to this thread. If you can manage to get a remote administration tool onto the victim's computer then there is no reason to bother implementing anything with the browser as one could easily hook the keystrokes, or forward anything being transmitted through the sockets.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: new project, not a name yet
Posted by: SpoofGhost
Date: July 18, 2008 07:34PM

That's right, but it's just to show what is possible this way, and maybe there is a way this could be used in some way. Most of this is just to learn more about XHR and JavaScript, as I'm quite new to this.
