Skip to content

Doctor-love/xs_exploits

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
exploits
exploits
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

xs_exploits

Gently packaged Cross-Site exploits

WORK IN PROGRESS

Introduction

"xs_exploits" is an attempt to develop a standardized format for packaging Cross-Site exploits/attacks, such as XSS, CSRF, CSWSH and similar.

The packaged exploits, called exploit modules, could be be used by an attack tool such as kkross.

The purpose of this repository is to document the packaging format and act as collaborative collection of exploit modules.

Note: The module structure definiton is not yet stable and all feedback is appreciated.

TL;DR example

---
# ** xs_exploits module definition **
#
# Version of module structure, in order to enable future changes and backwards compatibility
structure_version: 0
data:
  module_type: csrf_get
  name: barfoo_app-add_user 
  description: Exploits functionality to add user

  metadata:
    # Arbitrary metadata for module (could be presented in a interface/be searchable)
    vendor: Barfoo Enterprises
    affected_versions: 4.3.0 > 5.9.1
    links:
      - http://seclists.org/2049/01/02

    exploit_version: 1
    developers:
      - Beta Provberg <beta@example.com>
      - Test Alphasson <test@example.com>

  # Options that can/must be configured by user before rendering of module
  options:
    - name: EMAIL
      description: Desired e-mail address of added user
      # option_type could be "string", "boolean" or "payload"
      option_type: string
      default: ""
      required: true

      # Specifies different types of limitations for the module option
      constraints:
        - constraint_type: length
          options:
            max: 25

  # Standard options that are inherited by the module
  inherited_options:
    - PROTO
    - HOST
    - PORT

  # Template for module redering (based on Jinja2)
  template: '<iframe src="{{ PROTO }}://{{ HOST }}:{{ PORT }}/actions/adduser.php?role=admin&email={{ EMAIL | urlencode }}"></iframe>'
  
  # Template for generating instance ID of module (based on Jinja2)
  # Defines the unique name of configured module in instance, in order to allow multiple use
  instance_id: '{{ PROTO }}://{{ HOST }}:{{ PORT }} - E: {{ EMAIL }}'

Package format

Exploit modules are defined in a YAML structure/document.
The following sub-sections describes the various module properties:

Top level properties

"structure_version"

Type: Integer

Version of module structure definition. Used to allow future changes to the structure and backwards compatibility.

Current value is "0", as the structure is not yet stable.

"data"

Type: Dictionary

Contains all other properties. Used to allow "clean" parsing with regards to future changes and backwards compatibility.

Data level properties

"module_type"

Type: String

Describes the type of exploit the module contains. Could be an arbitrary value.
Examples: "xss_get", "csrf_post", "cswsh".

"name"

Type: String

Name of exploit module. Could be an arbitrary value.
Used together with the "module_typ" property to define a unique ID of the exploit module. Examples: "confluence-update_post_permissions", "boot2docker-deploy_container".

"description"

Type: String

Describes what the exploit does. Could be an arbitrary value.
Example: "Deploys a user specified container by exploiting lacking authentication for the Docker daemon TCP socket".

"metadata"

Type: Dictionary containing arbitrary sub-properties

Property containing arbitrary metadata. Could contain things like CVE identifiers, links, exploit authors and similar.
The metadata sub-properties could for example be displayed in a user interface or be searchable.

Example:

[...]
metadata:
  cve: CVE-2014-5280
  affected_applications:
    - Docker CE
    - boot2docker

  affected_versions: "< 1.2"
  links:
    - "https://groups.google.com/forum/#!msg/docker-announce/aQoVmQlcE0A/smPuBNYf8VwJ"
    - "https://vuldb.com/?id.112867"

  developers:
    - Beta Provberg <beta@example.com>
    - Test Alphasson <test@example.com>

[...]

"options"

Type: List containing dictionaries with "option" level properties

Contains zero or more "option" level properties. For more information, see "Option level properties".
If no user configurable options are required, set value to a empty list ("[]").

"inherited_options"

Type: List containing strings

Contains zero or more strings that specifies names of standard options that should be inherited by the module.
For more information, see "Inheritable options".

If no options should be inherited, set value to a empty list ("[]").

"template"

Type: String

Jinja2 template string containg HTML code for the exploit.
During the exploit rendering process, the configured options for the exploit are available as variables for the templating engine.

Once rendered, the resulting string should produce a working exploit.

Example:

[...]
  # Simple CSRF exploit
  template: '<iframe src="{{ PROTO }}://{{ HOST }}:{{ PORT }}/actions/adduser.php?role=admin&email={{ EMAIL | urlencode }}"></iframe>'

[...]

For more information about the templating engine, see Jinja2's official documentation

Note:
While work has been done to implement Jinja2 in other languages besides Python, it is not designed to be cross-platform. If you know of a better templating engine that has wide support in different languages and is not completly logicless, please let me know.

"instance_id"

Type: String

Jinja2 template string used to construct a unique ID for the configured exploit.
During the exploit rendering process, the configured options for the exploit are available as variables for the templating engine.

Example:

[...]
  instance_id: '{{ PROTO }}://{{ HOST }}:{{ PORT }} - E: {{ EMAIL }}'

[...]

For more information about the templating engine, see Jinja2's official documentation

Note:
While work has been done to implement Jinja2 in other languages besides Python, it is not designed to be cross-platform. If you know of a better templating engine that has wide support in different languages and is not completely logicless, please let me know.

Option level properties

Options provides the user the ability to configure and customize the behavior of the exploit.
The configured options are provided as variables to the templating engine and can be used during the rendering of exploit a template and instance ID.

Some options may be required, such as "HOST" or "PROTO", while other could be voluntary, such as "SUBPATH" or "NO_REFER".

"name"

Type: String

Name of option. Should be unique within the module and defined in uppercase characters.
Examples: "HOST", "USER_ROLE", "EMAIL".

The value of the configured option is accessible during the rendering process by the specified name.

"description"

Type: String

Description of the option. Could be presented in a user interface.

"option_type"

Type: String

Defines what datatype the option value should contain.
The property could be set to "string", "boolean" or "payload".

The "payload" option type is effectively the same as "string", but it provides an indicator to the consuming application that the option value is suppose to contain a "payload".
An example use-case of this exist in "kkross", which allows it's users to configure different XSS payloads and auto-suggest them if a option type is set to "payload".

"default"

Type: String or boolean

Default value of the option if none other is specified by the user.
The property value must match the specified "option_type".

If no default value should be defined, set the property value to an empty string ("").

"required"

Type: Boolean

Defines if the option value must be set before successful rendering of the exploit module.

"constraints"

Type: List containing dictionaries with "constraint" level properties

Contains zero or more "constraint" level properties. For more information, see "Constraint level properties".
If no constraints apply to the option value, set property value to a empty list ("[]").

Constraint level properties

Constraints allow the module author to restrict which values are acceptable for an option.
These constraints could restrict things such as a length, allowed characters or a specific white-list of valid values (enum).

The purpose of option constraints is to increase the chances that a exploit module behaves as expected once rendered.

"constraint_type"

Type: String

Name of constraint type. For more information, see "Available constraint types".

"options"

Type: Dictionary containing arbitrary sub-properties (defined by constraint type)

Options for specified constraint type. For more information, see "Available constraint types".

Inheritable options

Commonly used options, such "PROTO", "HOST" and "PORT", could be automatically added to a module by including their name in the option level property "inherited_options".

Usage of inheritable options eases the module developers work effort and provides some level of consistency between modules.

Developers of tools that consumes exploit modules should implement these options.

The sub-sections below contains YAML representations of the inheritable options available in structure version 0:

"PROTO"

---
name: PROTO
description: Protocol scheme of target application
option_type: string
default: ""
required: true

constraints:
  - constraint_type: enum
    options:
      acceptable_values: ['http', 'https', 'ws', 'wss']

"HOST"

---
name: HOST
description: Hostname or IP address of target host
option_type: string
default: ""
required: true

constraints: []

"PORT"

---
name: PORT
description: Port of target application
option_type: string
default: ""
required: true

constraints:
  - constraint_type: char_class
    options:
      acceptable_classes: ['integer']

"SUBPATH"

---
name: SUBPATH
description: Subpath of target application 
option_type: string
default: ""
required: true

constraints: []

Constraints

Constraints allow the module author to restrict which values are acceptable for an option.
These constraints could restrict things such as a length, allowed characters or a specific white-list of valid values (enum).

The purpose of option constraints is to increase the chances that a exploit module behaves as expected once rendered.

The sub-sections below contains descriptions of available constraints in structure version 0:

"enum"

The "enum" constraint allows module authors to specify a list of acceptable values for the option.

Constraint options

"acceptable_values"

Type: List containing strings
Description: Acceptable values for option
Required: Yes

Expected results (pseudo code)

acceptable_values = ['user', 'power_user', 'admin']

enum(acceptable_values, 'admin') => True
enum(acceptable_values, 'user') => True
enum(acceptable_values, 'accountant') => False

"length"

The "length" constraint allows module authors limit the minimum and maximum number of characters in option value.

Constraint options

"min"

Type: Integer
Description: Minimum length for option
Required: No (if "max" option is used)

"max"

Type: Integer
Description: Maximum length for option
Required: No (if "min" option is used)

Expected results (pseudo code)

length(max=50, '<script>alert(42)</script>') => True
length(max=4, 'admin') => False

length(min=20, 'A long string required to trigger the vulnerable error message') => True
length(min=10, 'meh') => False

length(min=4, max=50, 'Watch of for crackers!') => True
length(min=10, max=15, 'niet') => False

About

Gently packaged Cross-Site exploits

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published