Security Thoughts


Tuesday, November 04, 2008, 20:25

All-In-One MultiStage Js/Html Payload

I'm a bit lazy sometimes.
For instance, when I have to create two files in order to exploit^N^N^N^N^N^Nshow some kind of multi stage vulnerability,
I'd need to write two files, one for the Html and one for the Js.
So I thought: how could I overcome all this (incredible) effort?

Let's think about my previous post, where I released the Opera historysearch q=*Xss proof of concept.
Maybe (or maybe not) someone noticed some difference between standard Pocs and that Poc.

It is a self-contained Html/Js Poc, even though it is a two stage exploit.

Let's see a simpler empty example:


<!--
// Js payload starts here
JsPayload
// Js payload ends here
/* Html payload Starts here
-->
<html>
[Html Here]
</html>
<!--
Html payload Ends here */
-->

As can be seen, it uses comments so that the same file is interpreted correctly in two different contexts: the Js one, when it is loaded by
<script src='self.html'></script>
and the Html one, when it is loaded directly from the browser.

The first comment is for Html:


<!--
// Js payload starts here
JsPayload
// Js payload ends here
/* Html payload Starts here
-->


which prevents the Html parser from displaying the Js as junk text, and allows the Html to be written in a straightforward style.

The second comment is for the JavaScript one:


/* Html payload Starts here
-->
<html>
<body style='background-color: rgb(220,220,220)'>
...
<!--
Html payload Ends here */


which prevents the Js interpreter from raising a syntax error.
It works in multiple browsers, and the browser does not need to support E4X.

Q: So... when am I supposed to use it?
A: It could be used for milw0rm PoCs, or instead of publishing/posting those boring multiple files on FD/BGTQ/SEC_ML.
Q: Why are you so lazy?
A: Hey... Too many questions.

Yes, it's probably useless, but it reminds me of some of those multilanguage/multiprocessor/multi-OS shellcodes (with all due respect) that have been published in Phrack.
Finally, this is more an exercise in style than a real groundbreaking new way of doing PoCs, but I thought it was worth posting about.
However, any comments will be appreciated.



Wisec is written and maintained by Stefano Di Paola.
