Add the JSObfu mixin to Firefox exploits #3844
Conversation
cc @todb-r7 so he's aware that this PR makes changes to the android module.
There is something wrong w/ the post/firefox/gather/cookies module when obfuscation is used:
It looks like the new changes aren't very friendly for webview_addjavascriptinterface, either. It seems to hang forever:
The one in master still works fine:
All the Firefox exploits work with JsObfuscate, except for post/firefox/gather/cookies and exploit/android/browser/webview_addjavascriptinterface
@wchen-r7 okay thanks for writing these up, I will take a look at these this evening.
ok
Didn't have time last night, but I'll get back around to this today before EOB sometime.
I'll wait.
Taking another look now.
Argh, this won't work in
One way would be to have an option in jsobfu,
A better way is to attach send to
@wchen-r7 not sure what went wrong with the Android exploit. Make sure to set (edit: oh nvm, I see you have it set correctly up there. hrm. i ran it 4 times in a row and it seemed to work. maybe it was fixed as a side effect of the global-rewriting stuff i put in jsobfu 0.2.0.)
Okay, this is reviewable again. |
Not sure why every time I set JsObfuscate 1, I don't get a shell. But when 0, it does:
That exploit does have a massive payload string embedded in it, it might just be too much work to interpret. I'll give 4.0.2 a shot in a bit. |
I'll let it run for awhile.... with obfuscation. |
Almost 30 minutes. Definitely not getting a shell w/ obfuscation on. |
What's the browser doing, still "chewing" on the page? When I converted the hieroglyphy js obfu into ruby and started obfuing entire exploits, IE would just sit there. However in that case the overhead in that obfu can be like 4000% so a typical spray could end up being 1-4 megs, and tho I couldn't find a ref, it felt like there was an upper limit to how big the js could get b4 "weird things happen" (tm) -Josh
It looks like it's chewing on the page. @jvennix-r7 says it works for him on a newer android, and takes no longer than 5 seconds. So I dunno. |
@wchen-r7 argh. Okay, well I have to assume something I am doing is screwing up my testing. jsobfu is really really a nice-to-have here, I don't know of any android av that will hook javascript. So I think I will just deregister it here and we can move on with our lives (also related: I really hate debugging android's old stock browser, I just put alert() everywhere like a moron).
heh, ok. |
I will come back to this tomorrow. |
Congrats. They all work for me now. |
Verification
Get a shell from any of the following Firefox exploits, making sure to set JsObfuscate 1:
- exploit/multi/browser/firefox_proto_crmfrequest
- exploit/multi/browser/firefox_tostring_console_injection
- exploit/multi/browser/firefox_webidl_injection
Run the following post modules on the session, making sure to set JsObfuscate 1.
Specs pass.